CN111770092B - Numerical control system network security architecture and secure communication method and system - Google Patents

Numerical control system network security architecture and secure communication method and system Download PDF

Info

Publication number
CN111770092B
CN111770092B CN202010604468.7A CN202010604468A CN111770092B CN 111770092 B CN111770092 B CN 111770092B CN 202010604468 A CN202010604468 A CN 202010604468A CN 111770092 B CN111770092 B CN 111770092B
Authority
CN
China
Prior art keywords
host
application communication
communication host
application
registration server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010604468.7A
Other languages
Chinese (zh)
Other versions
CN111770092A (en
Inventor
路松峰
潘国阳
汤学明
吴俊军
崔永泉
朱建新
向文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huazhong University of Science and Technology filed Critical Huazhong University of Science and Technology
Priority to CN202010604468.7A priority Critical patent/CN111770092B/en
Publication of CN111770092A publication Critical patent/CN111770092A/en
Application granted granted Critical
Publication of CN111770092B publication Critical patent/CN111770092B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/125Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Abstract

The invention belongs to the technical field of numerical control automation systems and network information security, and discloses a numerical control system network security architecture and a security communication method and system, wherein an application communication host applies for registration, and a registration server authenticates the host applying for registration; the method comprises the steps that an application communication host locally generates a public key and a private key which are asymmetrically encrypted; the host locally stores the private key; the server obtains the identity of the target host according to the host name, and dynamically determines the currently available IP address according to the host identity; the server and the application communication host determine the legality of both communication parties, and negotiate to generate a secure session encryption key parameter; the system and the application communication host carry out symmetric encryption and encapsulation based on the generated security session encryption key, and carry out information interaction; and simultaneously, the two parties decrypt and decapsulate the received data to realize data transmission. Under the invention, the numerical control system can also ensure the confidentiality, consistency and integrity of the communication data under the public network environment.

Description

Numerical control system network security architecture and secure communication method and system
Technical Field
The invention belongs to the technical field of numerical control automation systems and network information security, and particularly relates to a numerical control system network security architecture and a security communication method and system.
Background
At present, in the industry, a numerical control machine tool is a high-precision and high-efficiency automatic machine tool, is provided with a multi-station tool turret or a power tool turret, has wide processing technological performance, and plays a good economic effect in the batch production of complex parts. The numerical control system as the brain of the machine tool becomes an important component of an industrial control system, is under attack of industrial viruses and networks, has increasingly serious information security problems, can be paralyzed even causes information leakage once the numerical control system is attacked, and directly influences the security of national military industry. At present, China urgently needs resume numerical control machine tool information safety countermeasures, transformation and upgrading are reluctant to be carried out on a new generation of intelligent numerical control system, autonomous knowledge industry is vigorously developed, and core competitiveness, risk prevention capability and sustainable development capability are improved in a home-made alternative mode.
The numerical control system is used as the core of the numerical control machine tool, and the development trend mainly comprises the development towards high speed, high precision and high reliability; the development is towards the direction of multi-axis linkage and compositing; the development is towards intellectualization, flexibility and networking; development towards an open numerical control system and the like.
As an important component of the manufacturing industry of China, the military manufacturing industry plays a vital role in the field of national defense industry. At present, industrial control systems such as DCS, PCS, PLC, IED, numerical control machine tools, flexible manufacturing units and the like are applied to military manufacturing enterprises in a large quantity, and the military manufacturing enterprises have a large quantity of national secrets, so that the military manufacturing enterprises need to pay more attention to the network security problem of the industrial control systems.
The military industry and manufacturing industry information safety directly influences the safety of national infrastructure, and the tampering of key information and instructions in the production process not only influences the normal production process, but also causes harm to the machine operation, thereby causing the production safety harm. The information security of the numerical control system, on one hand, the influence on the numerical control system caused by interference and illegal penetration is prevented; on the other hand, protection of a large amount of sensitive information contained in the production process is required. Due to the continuous development of the two-way integration, the originally independent and closed numerical control production network is accessed to the enterprise management network and the internet, and the danger from the network level is also brought.
Import equipment in the field of numerical control occupies a dominant position. Most of core systems of the currently used mainstream numerical control equipment are foreign products, and particularly a high-end CNC numerical control machine control system and a DNC numerical control integral networking solution, so that the safety of the numerical control system is difficult to guarantee, the magnitude of software codes contained in a complex numerical control system is huge, and potential safety hazards such as system design bugs and reserved backdoors may exist.
In the aspect of numerical control protocol security, most numerical control machine control systems transmit and manage machining codes in a plaintext mode, so that unencrypted machining codes are easily obtained illegally, and manufactured data are leaked due to the fact that machined articles are restored through special software.
Similarly, upgrading and maintenance of numerical control equipment seriously depend on production and suppliers, many equipment allows remote control through a network, a system lacks effective security mechanisms such as user identity authentication and access control, the behavior of the equipment in the upgrading and maintenance process is uncontrollable, and huge security risks such as man-in-the-middle attack exist.
The boundary expansion of the numerical control system network can cause more network attacks. The continuous development of the two-way fusion enables the originally independent closed numerical control production network to be accessed to an enterprise management network and the Internet, and the network boundary expansion inevitably leads to the continuous occurrence of network attack events.
From the current situation of the military industry, each group enterprise basically has the capabilities of single-network protection, static protection and local protection, can prevent known network attacks, but has low overall level of information security, is not coordinated with the accelerated development of information-based construction, has incomplete security consideration of the enterprise industrial control system, and also meets the performance quality and operation aspects.
According to the technical requirements for numerical control network security of information security technology, the technical requirements for security are divided into the technical requirements for network security, the technical requirements for equipment security, the technical requirements for application security, the technical requirements for data security and the technical requirements for centralized management and control.
The network security technology requires network regulations in terms of network architecture, boundary protection between the numerical control network and the management network and between different safety areas inside the numerical control network, access control, intrusion prevention, security audit, use control of the wireless network in the numerical control network and the like.
The equipment security technology requires that provisions are made for an operating system on a control computer in a numerical control network, an operating system on a server, a database system, an operating system of a numerical control system on numerical control equipment and network equipment in the numerical control network from the aspects of identity authentication, access control, intrusion prevention, resource control, malicious code prevention, security audit and the like.
In the face of new information technology environment and domestic and foreign security environment, according to the current situation of the domestic defense industry, the construction of an autonomous and controllable domestic defense industry information security guarantee system needs to be accelerated, a main approach based on technical means construction and mainly based on reinforced grade protection is formed, and a system architecture which is guaranteed by domestic software and hardware scale application and regulatory standard construction is formed as a key.
One of the purposes of the intelligent numerical control system is to process and manufacture national defense military equipment, so that the research on the numerical control system network communication technology meeting the national defense industrial information safety requirements is very necessary.
Through the above analysis, the problems and defects of the prior art are as follows: the existing numerical control system and application terminal can not ensure the safety of information transmission in the public network environment. The traditional safety protection measures are usually only single authentication and do not have double authentication of a numerical control system and a host, and various safety protection measures can also influence the interaction between the numerical control network and an external network and even influence the normal use of the numerical control system.
The significance of solving the problems and the defects is as follows: the numerical control system has different execution functions due to different application scenes, and has great difference. Especially, national defense industrial control systems in China are mostly equipment manufacturing equipment and have the characteristics of diversity, fineness, complex structure and the like, so that information communication systems are built on different numerical control systems, information safety transmission between the equipment and a host needs to be realized, the system is more complex and changeable, more field numerical control system environments are adapted, and the national defense industrial requirements are met.
The first difficulty of the communication technology in the numerical control system is to meet the requirement of high confidentiality of data. Once a hacker contacts with an external public network, the hacker can attack the numerical control system by various means, so that system failure and paralysis are caused, and even production data of the numerical control system can be stolen. Any machine engineer with certain capabilities, once having data interactive in the numerical control system, can restore the parts it has machined. The existing mainstream information communication technology has certain safety risk, so a new data communication protocol scheme of the numerical control system needs to be designed.
The next difficulty with communication technology is meeting availability and low latency. The information communication systems on different numerical control systems can clear the boundary of the combination of the informatization process and the industrialization process, and the safety isolation between the numerical control machine and the control host is realized. The use of the internet is in information communication, and the internet has a certain delay for information transmission, which affects the performance of the system. Moreover, in the defense industry, high confidentiality of data needs to be met, interactive data can be encrypted and decrypted continuously, the problem of information delay is increased, the production efficiency of a remote control machine tool is influenced, and the numerical control system is unstable, so that the delay problem caused by data encryption needs to be maintained within an acceptable range.
The important significance of guaranteeing safe transmission of numerical control system information in a public network is to realize remote control production of the numerical control machine tool and improve the production efficiency of the numerical control machine tool. The producer can realize remote operation and monitoring of the numerical control machine tool at any time and any place by means of an information network in the numerical control system, the producer is helped to master the running state of all the numerical control machine tools, particularly machine tool workshops with severe production environments, and technicians can use a remote communication technology to finish various dangerous operations in a central control room with good environment. Professionals can realize high-level control of the numerical control machine tool without contacting the numerical control machine tool, including starting, stopping, maintaining and the like of production. The numerical control machine tool can reduce the on-site attendance of workers and reduce the production cost of a numerical control workshop. The central control room collects and analyzes various parameters of the operation of the numerical control machine tool by using a remote communication technology, so that the numerical control machine tool with problems is early discovered and maintained, the failure rate of the numerical control machine tool is reduced, and the utilization rate of the numerical control machine tool is improved.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a numerical control system network security architecture and a secure communication method and system.
The invention is realized in such a way, and provides a network security architecture and a security communication method of a numerical control system, wherein the network security architecture and the security communication method of the numerical control system comprise the following steps:
firstly, applying a communication host to apply for registration, and authenticating the host applying for registration by a registration server; the method comprises the steps that an application communication host locally generates a public key and a private key which are asymmetrically encrypted; the host locally stores the private key; the server obtains the identity of the target host according to the host name, and dynamically determines the currently available IP address according to the host identity;
step two, the server and the application communication host determine the legality of both communication parties through host registration check, identity signature confirmation and double-end authentication, and negotiate to generate a security session encryption key parameter;
thirdly, the system and the application communication host carry out symmetric encryption and encapsulation based on the generated security session encryption key, and carry out information interaction; meanwhile, the two parties decrypt and decapsulate the received data to realize data transmission;
step four, the server regularly scans the registered host and acquires the survival state, the communication service quality, the application security loophole and other related information; the server logs out the host computer for the host computer which does not have feedback information for a long time or feedback error information for many times, disconnects the communication between all the servers and the host computer, stops the maintenance of the host computer and releases all the resources related to the host computer.
Further, in the first step, the applying the application communication host to apply for registration, and the authenticating, by the registration server, the host applying for registration includes:
(1) the application communication host generates a public key of the application communication host and sends host information to the registration server;
(2) the register server receives the host information and then carries out anti-spoofing analysis, verifies the correctness of the address and the port of the host packet and carries out reverse verification at the same time;
(3) after receiving the verification information, the host replies the verification information to the server and sends a public key of the host;
(4) after the anti-spoofing verification is passed, the registration server records the user information and the user public key and sends a digital certificate of the registration server, and the host computer authenticates the digital certificate after receiving the digital certificate;
(5) the host computer confirms that the digital certificate of the server is decoded, integrity verification is carried out to obtain an information abstract, and the information abstract is compared with the information abstract obtained after the digital signature is decoded;
(6) after the digest verification is passed, the host decodes the digital certificate to obtain the public key of the server.
Further, in step two, the secure session encryption key parameter negotiation generation method includes:
1) the application communication host acquires a public key of a registration server based on first registration, and the registration server acquires relevant host information and a corresponding host public key;
2) the host generates a random number R1, and asymmetric encryption is carried out through the own private key of the host to obtain R11; adding host information UD, and uploading the encrypted UD + R11 to a server after the encrypted UD + R11 is encrypted by using a server public key;
3) the server obtains the host information UD and the ciphertext R11 of the random number R1 after decrypting by using a private key; inquiring a host public key through the host information UD, and decrypting the ciphertext of the R1 through the public key to obtain a plaintext of the random number R1;
4) the server generates a random number R2, and the random number R1 and the random number R2 are respectively encrypted through the own private key of the server to obtain R12 and R22; the additional server related information SD, SD + R12+ R22 is transmitted back to the host after being asymmetrically encrypted by using the host public key;
5) the host obtains server information SD, a ciphertext R12 of a random number R1 and a ciphertext R22 of a random number R2 after being decrypted by a private key; decrypting R12 and R22 through the public key of the server to obtain the plaintext of the random number R1 and the plaintext of the random number R2; comparing the random number R1 with the random number R1 generated before to verify the correctness of the transmission of the server and the intermediate network information;
6) the host encrypts the random number R2 again by using the private key of the host to obtain R21; r21 is encrypted by using a server public key and then uploaded to the server;
7) the server obtains a ciphertext R21 of the random number after decrypting by using a private key; decrypting the encrypted file again through the host public key to obtain a plaintext of the random number R2; comparing the random number R2 at the moment with the random number R2 generated by the previous server to verify the correctness of the host and the intermediate network information transmission;
8) based on the steps 1) to 7), the host and the server negotiate session KEY parameters, and XOR is carried out on the hash value of the random number R1 and the hash value of the random number R2 to generate a final symmetric encryption KEY KEY;
further, the symmetric encryption KEY calculation formula is as follows:
key ═ H (R1) | H (R2), where H () represents a hash operation.
Further, the network security architecture and the secure communication method of the numerical control system further include:
generating an encryption key, establishing and maintaining a VPN tunnel and performing ESP (electronic stability program) encapsulation on data sent by an application layer according to a random number R1 and a random number R2 of a security session parameter generated in the networking authentication process; decapsulating the received data; and end-to-end data transmission safety guarantee is provided.
Another object of the present invention is to provide a network security architecture and a secure communication system of a numerical control system implementing the network security architecture and the secure communication method of the numerical control system, the network security architecture and the secure communication system of the numerical control system including:
the system comprises a data application layer, a data proxy layer and a data adapter layer;
the data application layer comprises a data storage module, a data processing module, a data analysis module and a data consumption module; used for storing, processing, analyzing and consuming data;
the data agent layer is used for carrying out data collection, caching, transfer and access isolation on a numerical control processing field;
the data adaptation layer comprises various machine tool data adapters; for utilizing a unified data access interface;
the numerical control system is logically isolated among layers from a data application layer to a physical layer of the numerical control machine, communication and network routing forwarding are realized through an application agent, and a numerical control system safety communication protocol is adopted between the agent and the server and between the agent and the server to ensure end-to-end communication safety.
Further, the network security architecture and the secure communication system of the numerical control system further include:
the digital signature certificate issuing organization CA is a service platform and is used for generating a digital signature certificate for the registration server, providing a private key for the registration server and providing a public key for an application communication host of each application terminal; meanwhile, the method is used for safely distributing, managing and canceling the certificate;
the registration server is used for authenticating the application communication host applying for registration; regularly scanning the registered host computer, acquiring the survival state, the communication service quality, the application security loopholes and other information, and renegotiating a new session key with the host computer at intervals; meanwhile, the system is used for regularly sending information to confirm the state of the host, and forcibly disconnecting the host which does not reply or replies the error verification information for three times continuously;
the application terminal is used for locally generating a public key and a private key which are asymmetrically encrypted; and at the same time, for locally saving the private key;
and the public key replaces the traditional IP address to be used as the identity of the application communication host.
Another object of the present invention is to provide a program storage medium for receiving a user input, the stored computer program causing an electronic device to execute the numerical control system network security architecture and the secure communication method.
Another object of the present invention is to provide a computer program product stored on a computer readable medium, comprising a computer readable program for providing a user input interface to implement the numerical control system network security architecture and secure communication method when executed on an electronic device.
By combining all the technical schemes, the invention has the advantages and positive effects that:
the invention constructs a high-efficiency and safe numerical control network security architecture under the network environment of the numerical control system and provides a safe communication protocol thereof. The invention improves the traditional numerical control network system, adds the double-end authentication technology and improves the host identity authentication protocol. Under the invention, the numerical control system can also ensure the confidentiality, consistency and integrity of the communication data under the public network environment.
According to the invention, a depth defense strategy is implemented from an application end to a lower-layer numerical control system, network control is implemented layer by layer, interlayer logic isolation is realized, and cross-layer direct communication is not allowed; data stream between layers does not provide direct forwarding of network routing, and an application agent or a service server is required to take charge of the data stream, and an end-to-end communication safety guarantee is provided between the agents or the servers by adopting a numerical control system safety communication protocol, so that the safety of information interaction and data transmission is ensured.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments of the present application will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained from the drawings without creative efforts.
Fig. 1 is a flow chart of a network security architecture and a secure communication method of a numerical control system according to an embodiment of the present invention.
Fig. 2 is a flowchart of a method for authenticating a communication host according to an embodiment of the present invention.
Fig. 3 is a flowchart of a secure session encryption key parameter negotiation generation method according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of an overall architecture of a numerical control system network according to an embodiment of the present invention.
Fig. 5 is a schematic diagram of a network entity architecture of a numerical control system according to an embodiment of the present invention.
Fig. 6 is a schematic diagram of a network security communication technology architecture of the numerical control system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Aiming at the problems in the prior art, the invention provides a network security architecture of a numerical control system and a safe double-end verification communication method. The double-end authentication communication method is different from the traditional single-item authentication communication interaction, but the safety of the opposite party must be authenticated once by both communication parties, so that the validity of the identities of both parties is ensured.
The present invention will be described in detail below with reference to the accompanying drawings.
As shown in fig. 1, a network security architecture and a secure communication method of a numerical control system provided in an embodiment of the present invention include:
s101, applying a communication host to apply for registration, and authenticating the host applying for registration by a registration server; the method comprises the steps that an application communication host locally generates a public key and a private key which are asymmetrically encrypted; the host locally stores the private key; the server obtains the identity of the target host according to the host name, and dynamically determines the currently available IP address according to the host identity;
s102, the server and the application communication host determine the legality of both communication parties through host registration check, identity signature confirmation and double-end authentication, and negotiate to generate a security session encryption key parameter;
s103, the system and the application communication host carry out symmetric encryption and encapsulation based on the generated security session encryption key, and carry out information interaction; meanwhile, the two parties decrypt and decapsulate the received data to realize data transmission;
s104, the server scans the registered host at regular time and acquires the survival state, the communication service quality, the application security vulnerability and other related information; the server logs out the host computer for the host computer which does not have feedback information for a long time or feedback error information for many times, disconnects the communication between all the servers and the host computer, stops the maintenance of the host computer and releases all the resources related to the host computer.
As shown in fig. 2, in step S101, the application communication host applying for registration according to the embodiment of the present invention, the authenticating, by the registration server, the host applying for registration includes:
s201, the application communication host generates a public key of the application communication host and sends host information to a registration server;
s202, the register server receives the host information and then carries out anti-spoofing analysis, verifies the correctness of the address and the port of the host packet and carries out reverse verification at the same time;
s203, after receiving the verification information, the host replies the verification information to the server and sends the public key of the host;
s204, after the anti-spoofing verification is passed, the registration server records the user information and the user public key and sends a digital certificate of the registration server, and the host computer authenticates the digital certificate after receiving the digital certificate;
s205, the host computer confirms that the digital certificate of the server is decoded, integrity verification is carried out to obtain an information abstract, and the information abstract is compared with the information abstract obtained after digital signature decoding;
and S206, after the digest verification is passed, the host decodes the digital certificate to obtain the public key of the server.
As shown in fig. 3, in step S102, the secure session encryption key parameter negotiation generation method provided in the embodiment of the present invention includes:
s301, the application communication host acquires a public key of a registration server based on first registration, and the registration server acquires relevant host information and a corresponding host public key;
s302, the host generates a random number R1, and asymmetric encryption is carried out through a private key of the host to obtain R11; adding host information UD, and uploading the encrypted UD + R11 to a server after the encrypted UD + R11 is encrypted by using a server public key;
s303, the server obtains the host information UD and a ciphertext R11 of the random number R1 after decrypting by using a private key; inquiring a host public key through the host information UD, and decrypting the ciphertext of the R1 through the public key to obtain a plaintext of the random number R1;
s304, the server generates a random number R2, and the random number R1 and the random number R2 are respectively encrypted through the own private key of the server to obtain R12 and R22; the additional server related information SD, SD + R12+ R22 is transmitted back to the host after being asymmetrically encrypted by using the host public key;
s305, the host decrypts the data by using the private key to obtain the server information SD, the ciphertext R12 of the random number R1 and the ciphertext R22 of the random number R2; decrypting R12 and R22 through the public key of the server to obtain the plaintext of the random number R1 and the plaintext of the random number R2; comparing the random number R1 with the random number R1 generated before to verify the correctness of the transmission of the server and the intermediate network information;
s306, the host encrypts the random number R2 again by using the private key of the host to obtain R21; r21 is encrypted by using a server public key and then uploaded to the server;
s307, the server decrypts the data by using a private key to obtain a ciphertext R21 of the random number; decrypting the encrypted file again through the host public key to obtain a plaintext of the random number R2; comparing the random number R2 at the moment with the random number R2 generated by the previous server to verify the correctness of the host and the intermediate network information transmission;
s308, the host and the server negotiate session KEY parameters based on the steps S301 to S307, and XOR is performed between the hash value of the random number R1 and the hash value of the random number R2 to generate the final symmetric encryption KEY KEY.
The symmetric encryption KEY KEY provided by the embodiment of the invention has the following calculation formula:
key ═ H (R1) | H (R2), where H () represents a hash operation.
The numerical control system network security architecture and the secure communication method provided by the embodiment of the invention further comprise the following steps:
generating an encryption key, establishing and maintaining a VPN tunnel and performing ESP (electronic stability program) encapsulation on data sent by an application layer according to a random number R1 and a random number R2 of a security session parameter generated in the networking authentication process; decapsulating the received data; and end-to-end data transmission safety guarantee is provided.
As shown in fig. 4 to fig. 6, a network security architecture and a secure communication system of a numerical control system according to an embodiment of the present invention include:
the system comprises a data application layer, a data proxy layer and a data adapter layer;
the data application layer comprises a data storage module, a data processing module, a data analysis module and a data consumption module; used for storing, processing, analyzing and consuming data;
the data agent layer is used for carrying out data collection, caching, transfer and access isolation on a numerical control processing field;
the data adaptation layer comprises various machine tool data adapters; for utilizing a unified data access interface;
the numerical control system is logically isolated among layers from a data application layer to a physical layer of the numerical control machine, communication and network routing forwarding are realized through an application agent, and a numerical control system safety communication protocol is adopted between the agent and the server and between the agent and the server to ensure end-to-end communication safety.
The numerical control system network security architecture and the secure communication system provided by the embodiment of the invention further comprise:
the digital signature certificate issuing organization CA is a service platform and is used for generating a digital signature certificate for the registration server, providing a private key for the registration server and providing a public key for an application communication host of each application terminal; meanwhile, the method is used for safely distributing, managing and canceling the certificate;
the registration server is used for authenticating the application communication host applying for registration; regularly scanning the registered host computer, acquiring the survival state, the communication service quality, the application security loopholes and other information, and renegotiating a new session key with the host computer at intervals; meanwhile, the system is used for regularly sending information to confirm the state of the host, and forcibly disconnecting the host which does not reply or replies the error verification information for three times continuously;
the application terminal is used for locally generating a public key and a private key which are asymmetrically encrypted; and at the same time, for locally saving the private key;
and the public key replaces the traditional IP address to be used as the identity of the application communication host.
The technical solution of the present invention is further illustrated by the following specific examples.
Example (b):
firstly, a network architecture model suitable for a numerical control system is constructed, and the networking requirements such as national defense industrial numerical control networking communication safety requirements, service requirements of big data, high frequency and soft real-time data acquisition, dynamic equipment management, realization of data format unification and support of mobile equipment safety interconnection are met. And a multi-layer architecture model is adopted, and the data is divided into a data application layer, a data agent layer and a data adapter layer according to the born service functions. A data application layer: the method covers a plurality of applications such as data storage, data processing, data analysis, data consumption and the like. A data agent layer: the data agent equipment is used as a middle layer of the networking, and the purposes of data collection, caching, transfer, access control isolation and the like are achieved in a processing site. A data adaptation layer: the numerical control system data access interface is composed of various machine tool data adapters and is used for unifying numerical control system data access interfaces. The numerical control system manufacturer must develop a corresponding data acquisition unit and a data format conversion module according to the condition of the equipment of the numerical control system manufacturer. Implementing a depth defense strategy between an application end and a lower-layer numerical control system, implementing network control layer by layer, realizing interlayer logic isolation, and not allowing cross-layer direct communication; data stream between layers does not provide direct forwarding of network routing, and an application agent or a service server is required to take charge of the data stream, and an end-to-end communication safety guarantee is provided between the agents or the servers by adopting a numerical control system safety communication protocol.
The host computer initiates networking to a numerical control system server for the first time:
1) the numerical control system provides a service platform as a digital signature Certificate Authority (CA).
2) And the CA generates a digital signature certificate for the registration server of the numerical control system, wherein a private key is provided for the registration server, and a public key is provided for each application communication host. Certificate authorities are mainly used for secure distribution, management and revocation of certificates.
3) Registration of the application communication host is automatically performed during environment initialization, and the registration server authenticates the host applying for registration. Other servers in the numerical control system can refuse the networking application of all unregistered hosts.
4) The application communication host locally generates a public key and a private key of asymmetric encryption. The host locally stores the private key, adopts the public key as a host identity, and replaces the traditional IP address with the host identity.
5) The server obtains the identity of the target host according to the host name, dynamically determines the current available IP address according to the host identity, and provides support for network layer communication addressing.
6) The server and the application communication host in the numerical control network must pass through a host registration check, an identity signature confirmation, a double-end authentication and other multiple passes, finally the legality of the two communication parties is determined, and a secure session encryption key parameter is generated through negotiation.
5) The interactive information of the numerical control system and the application communication host computer is symmetrically encrypted and encapsulated by using the secure session key, and the received data is decrypted and decapsulated. And the information security of end-to-end data transmission is ensured.
6) A registration server in the numerical control network integrates a network registration function and a security detection function, and the server scans registered hosts at regular time and acquires information such as survival states, communication service quality, application security vulnerabilities and the like.
7) The server performs host logout operation on the host which does not have feedback information for a long time or feedback error information for many times, disconnects the communication between all servers and the host, and does not maintain and release all resources related to the host any more.
The application communication host and the server negotiate the security session key parameter:
1) the application communication host generates a public key of the application communication host and sends host information UD to the registration server.
2) The register server receives the host information and then carries out anti-spoofing analysis, verifies the correctness of the address and the port of the host packet and carries out reverse verification at the same time.
3) And after receiving the verification information, the host replies the verification information to the server and sends the public key of the host.
4) After the anti-spoofing verification is passed, the registration server records the user information and the user public key and sends the digital certificate of the registration server, and the host computer receives the digital certificate and then authenticates the digital certificate to a digital authentication center CA.
5) And the host computer confirms that the digital certificate of the server is decoded, performs integrity verification to obtain the information abstract, and compares the information abstract with the information abstract obtained after the digital signature is decoded.
6) After the digest verification is passed, the host decodes the digital certificate to obtain the public key of the server.
7) The host initiates a networking request, and the server discovers the request and replies to the request.
8) The host generates a random number R1, and asymmetric encryption is performed through the own private key of the host to obtain R11. Plus host information UD. (UD + R11) is encrypted using the server public key and then uploaded to the server.
9) The server obtains the host information UD and the ciphertext R11 of the random number R1 after decryption by the private key. And inquiring a host public key through the host information UD, and decrypting the ciphertext of the R1 through the public key to obtain the plaintext of the random number R1.
10) The server generates a random number R2, and encrypts the random number R1 and the random number R2, respectively, by its own private key, resulting in R12 and R22. The server related information SD is appended. (SD + R12+ R22) is asymmetrically encrypted using the host public key and then transmitted back to the host.
11) The host obtains server information SD, a ciphertext R12 of a random number R1 and a ciphertext R22 of a random number R2 after decryption by using a private key. The plaintext of the random number R1 and the plaintext of the random number R2 are obtained by decrypting R12 and R22 with the public key of the server. The random number R1 at this time and the previously generated random number R1 are compared to verify the correctness of the server and the intermediate network information transmission.
12) The host again encrypts the random number R2 with its own private key, resulting in R21. (R21) the encrypted data is uploaded to the server using the server public key.
13) The server decrypts the data with the private key to obtain ciphertext R21 of the random number. The plaintext of the random number R2 is obtained after decryption again by the host public key. The random number R2 at this time and the random number R2 generated by the previous server are compared to verify the correctness of the host and the intermediate network information transmission.
14) After the above steps, the host and the server have negotiated session KEY parameters, and the hash value of the random number R1 and the hash value of the random number R2 are xored to generate the final symmetric encryption KEY.
Key ═ H (R1) | H (R2), where H () represents a hash operation.
Generating an encryption key, establishing and maintaining a VPN tunnel and performing ESP (electronic stability program) encapsulation on data sent by an application layer according to a random number R1 and a random number R2 of a security session parameter generated in the networking authentication process; and decapsulating the received data. And end-to-end data transmission safety guarantee is provided.
Meanwhile, the registration server integrates a network management function and a security detection function, and regularly scans registered hosts to acquire information such as survival states, communication service quality, application security vulnerabilities and the like. The server will renegotiate new session keys with the host at intervals. The server sends a message periodically to confirm the status of the host, which will force a disconnection for the host that did not reply or reply with an error verification message three consecutive times.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software plus a necessary hardware platform, and may also be implemented by hardware entirely. With this understanding in mind, all or part of the technical solutions of the present invention that contribute to the background can be embodied in the form of a software product, which can be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes instructions for causing a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the methods according to the embodiments or some parts of the embodiments of the present invention.
The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.

Claims (6)

1. A communication method of a numerical control system network security architecture is characterized by comprising the following steps:
firstly, an application communication host applies for registration, and a registration server authenticates the application communication host applying for registration; the method comprises the steps that an application communication host locally generates a public key and a private key which are asymmetrically encrypted; the application communication host locally stores the private key; the registration server obtains the identity of the target host according to the name of the application communication host, and dynamically determines the currently available IP address according to the identity of the application communication host;
step two, the registration server and the application communication host determine the legality of both communication parties through registration check, identity signature confirmation and double-end authentication of the application communication host, and negotiate to generate a security session encryption key parameter;
thirdly, the system and the application communication host carry out symmetric encryption and encapsulation based on the generated security session encryption key, and carry out information interaction; meanwhile, the two parties decrypt and decapsulate the received data to realize data transmission;
step four, the registered server regularly scans the registered application communication host and obtains the survival state, the communication service quality and the application security loopholes; the registration server performs application communication host logout on the application communication hosts which do not have feedback information for a long time or feedback error information for multiple times, disconnects the communication between all the registration servers and the application communication hosts, stops the maintenance of the application communication hosts and releases all resources related to the application communication hosts;
in the first step, the application communication host applies for registration, and the authentication of the application communication host applying for registration by the registration server includes:
(1) the application communication host generates a public key of the application communication host and sends the information of the application communication host to the registration server;
(2) the registration server carries out anti-spoofing analysis after receiving the information of the application communication host, verifies the correctness of the address and the port of the data packet sent by the application communication host and carries out reverse verification at the same time;
(3) after receiving the verification information, the application communication host replies the verification information to the registration server and sends a public key of the application communication host;
(4) after the anti-spoofing verification is passed, the registration server records the user information and the user public key, sends the digital certificate of the registration server, and authenticates the application communication host to the digital authentication center after receiving the digital certificate;
(5) the application communication host computer confirms that the digital certificate of the registration server is decoded, integrity verification is carried out to obtain an information abstract, and the information abstract is compared with the information abstract obtained after digital signature decoding;
(6) after the digest is verified, the digital certificate is decoded by the communication host to obtain a public key of the registration server;
in step two, the secure session encryption key parameter negotiation generation method includes:
1) the application communication host acquires a public key of a registration server based on first registration, and the registration server acquires relevant application communication host information and a corresponding application communication host public key;
2) the application communication host generates a random number R1, and asymmetric encryption is carried out through the own private key of the application communication host to obtain R11; adding application communication host information UD, and uploading the information to a registration server after the UD + R11 uses a public key of the registration server for encryption;
3) the registration server obtains the host information UD and a ciphertext R11 of a random number R1 after decryption by using a private key; inquiring an application communication host public key through the application communication host information UD, and decrypting a ciphertext of the R1 through the public key to obtain a plaintext of the random number R1;
4) the registration server generates a random number R2, and the random number R1 and the random number R2 are respectively encrypted through the own private key of the registration server to obtain R12 and R22; adding relevant information SD of the registration server, and returning the relevant information SD, SD + R12+ R22 to the host after asymmetric encryption is carried out by using the public key of the application communication host;
5) the application communication host obtains the registration server information SD, the ciphertext R12 of the random number R1 and the ciphertext R22 of the random number R2 after decrypting by using a private key; decrypting R12 and R22 through the public key of the registration server to obtain the plaintext of the random number R1 and the plaintext of the random number R2; comparing the random number R1 with the random number R1 generated before to verify the correctness of the information transmission between the registration server and the intermediate network;
6) the application communication host encrypts the random number R2 by using the private key of the application communication host again to obtain R21; r21 is encrypted by using a public key of the registration server and then uploaded to the registration server;
7) the registration server obtains a cipher text R21 of a random number after decrypting by using a private key; decrypting again by using the public key of the communication host to obtain the plaintext of the random number R2; comparing the random number R2 at the moment with the random number R2 generated by the previous registration server to verify the correctness of the information transmission between the application communication host and the intermediate network;
8) based on the steps 1) to 7), the application communication host and the registration server negotiate the session KEY parameters, and the hash value of the random number R1 and the hash value of the random number R2 are subjected to exclusive or to generate the final symmetric encryption KEY.
2. The communication method of the network security architecture of the numerical control system as claimed in claim 1, wherein the symmetric encryption KEY is calculated as follows:
key ═ H (R1) | H (R2), where H () represents a hash operation.
3. The communication method of the network security architecture of the numerical control system according to claim 1, wherein the communication method of the network security architecture of the numerical control system further comprises:
generating an encryption key, establishing and maintaining a VPN tunnel and performing ESP (electronic stability program) encapsulation on data sent by an application layer according to a random number R1 and a random number R2 of a security session parameter generated in the networking authentication process; decapsulating the received data; and end-to-end data transmission safety guarantee is provided.
4. A communication system of a network security architecture of a numerical control system for implementing the communication method of the network security architecture of the numerical control system according to any one of claims 1 to 3, wherein the communication system of the network security architecture of the numerical control system comprises:
the system comprises a data application layer, a data proxy layer and a data adapter layer;
the data application layer comprises a data storage module, a data processing module, a data analysis module and a data consumption module; used for storing, processing, analyzing and consuming data;
the data agent layer is used for carrying out data collection, caching, transfer and access isolation on a numerical control processing field;
the data adaptation layer comprises various machine tool data adapters; for utilizing a unified data access interface.
5. The communication system of the NC system network security architecture of claim 4, wherein the NC system is logically isolated from a data application layer to a NC physical layer, communication and network routing forwarding are implemented through application agents, and NC system security communication protocols are used between the agents and the registration server for ensuring end-to-end communication security.
6. The numerical control system network security architecture communication system of claim 4, wherein the numerical control system network security architecture communication system further comprises:
the digital signature certificate issuing organization CA is a service platform and is used for generating a digital signature certificate for the registration server, providing a private key for the registration server and providing a public key for an application communication host of each application terminal; meanwhile, the method is used for safely distributing, managing and canceling the certificate;
the registration server is used for authenticating the application communication host applying for registration; scanning the registered application communication host at regular time to obtain the survival state, the communication service quality and the application security loophole, and renegotiating a new session key with the application communication host at intervals; meanwhile, the method is used for logging off the application communication host which does not have feedback information for a long time or feeds back error information for multiple times, and disconnecting the communication between all the registration servers and the application communication host;
the application terminal is used for locally generating a public key and a private key which are asymmetrically encrypted; and at the same time, for locally saving the private key;
and the public key replaces the traditional IP address to be used as the identity of the application communication host.
CN202010604468.7A 2020-06-29 2020-06-29 Numerical control system network security architecture and secure communication method and system Active CN111770092B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010604468.7A CN111770092B (en) 2020-06-29 2020-06-29 Numerical control system network security architecture and secure communication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010604468.7A CN111770092B (en) 2020-06-29 2020-06-29 Numerical control system network security architecture and secure communication method and system

Publications (2)

Publication Number Publication Date
CN111770092A CN111770092A (en) 2020-10-13
CN111770092B true CN111770092B (en) 2021-06-29

Family

ID=72723025

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010604468.7A Active CN111770092B (en) 2020-06-29 2020-06-29 Numerical control system network security architecture and secure communication method and system

Country Status (1)

Country Link
CN (1) CN111770092B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112394683B (en) * 2020-11-24 2022-03-11 桂林电子科技大学 File transmission method using industrial control system
CN112637128B (en) * 2020-11-25 2022-07-08 四川新网银行股份有限公司 Identity mutual trust method and system for data center host
CN112615935B (en) * 2020-12-25 2022-08-05 武汉华中数控股份有限公司 Terminal equipment networking reference system and interaction method thereof
CN113411190B (en) * 2021-08-20 2021-11-09 北京数业专攻科技有限公司 Key deployment, data communication, key exchange and security reinforcement method and system
CN114726652B (en) * 2022-05-20 2022-08-30 北京网藤科技有限公司 Security equipment management method and system based on L7 proxy
CN115296934B (en) * 2022-10-08 2023-01-24 北京安帝科技有限公司 Information transmission method and device based on industrial control network intrusion and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101685301A (en) * 2009-07-29 2010-03-31 东华大学 Embedded type state monitoring information adaptor capable of operating under complex working conditions of numerically-controlled machine tool and method thereof
CN102404347A (en) * 2011-12-28 2012-04-04 南京邮电大学 Mobile internet access authentication method based on public key infrastructure
CN102970299A (en) * 2012-11-27 2013-03-13 西安电子科技大学 File safe protection system and method thereof
CN103905435A (en) * 2014-03-14 2014-07-02 北京六间房科技有限公司 Communication method of front end page and rear end server
CN105337977A (en) * 2015-11-16 2016-02-17 苏州通付盾信息技术有限公司 Secure mobile communication architecture with dynamic two-way authentication and implementation method thereof
CN107919956A (en) * 2018-01-04 2018-04-17 重庆邮电大学 End-to-end method for protecting under a kind of internet of things oriented cloud environment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105323062B (en) * 2014-06-03 2018-04-20 收付宝科技有限公司 Movable terminal digital certificates electric endorsement method
CN109861813B (en) * 2019-01-11 2021-08-10 如般量子科技有限公司 Anti-quantum computing HTTPS communication method and system based on asymmetric key pool

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101685301A (en) * 2009-07-29 2010-03-31 东华大学 Embedded type state monitoring information adaptor capable of operating under complex working conditions of numerically-controlled machine tool and method thereof
CN102404347A (en) * 2011-12-28 2012-04-04 南京邮电大学 Mobile internet access authentication method based on public key infrastructure
CN102970299A (en) * 2012-11-27 2013-03-13 西安电子科技大学 File safe protection system and method thereof
CN103905435A (en) * 2014-03-14 2014-07-02 北京六间房科技有限公司 Communication method of front end page and rear end server
CN105337977A (en) * 2015-11-16 2016-02-17 苏州通付盾信息技术有限公司 Secure mobile communication architecture with dynamic two-way authentication and implementation method thereof
CN107919956A (en) * 2018-01-04 2018-04-17 重庆邮电大学 End-to-end method for protecting under a kind of internet of things oriented cloud environment

Also Published As

Publication number Publication date
CN111770092A (en) 2020-10-13

Similar Documents

Publication Publication Date Title
CN111770092B (en) Numerical control system network security architecture and secure communication method and system
CN100581102C (en) Data safety transmission method for wireless sensor network
Bird et al. The kryptoknight family of light-weight protocols for authentication and key distribution
CN105873031B (en) Distributed unmanned plane cryptographic key negotiation method based on credible platform
Dahlmanns et al. Transparent end-to-end security for publish/subscribe communication in cyber-physical systems
Musa et al. Secure security model implementation for security services and related attacks base on end-to-end, application layer and data link layer security
Fang et al. A secure and fine-grained scheme for data security in industrial IoT platforms for smart city
CN110855707A (en) Internet of things communication pipeline safety control system and method
Müller et al. Challenges and prospects of communication security in real-time ethernet automation systems
Watson et al. Interoperability and security challenges of industry 4.0
Akerberg et al. Exploring security in PROFINET IO
Niemann IT security extensions for PROFINET
CN100349448C (en) EPA network safety management entity ad safety processing method
CN107493294A (en) A kind of secure accessing and management control method of the OCF equipment based on rivest, shamir, adelman
Wanying et al. The study of security issues for the industrial control systems communication protocols
CN111245604B (en) Server data security interaction system
CN100364305C (en) Information security method of industrial control network and security function block
CN116633576A (en) Safe and reliable NC-Link agent, control method, equipment and terminal
CN112906032B (en) File secure transmission method, system and medium based on CP-ABE and block chain
Weith DLMS/COSEM protocol security evaluation
Saxena et al. Public key cryptography based approach for securing SCADA communications
Glanzer et al. Increasing security and availability in KNX networks
KR20020083551A (en) Development and Operation Method of Multiagent Based Multipass User Authentication Systems
Zhu ALGORITHM DESIGN OF SECURE DATA MESSAGE TRANSMISSION BASED ON OPENSSL AND VPN.
Åkerberg et al. Introducing security modules in profinet io

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant