CN112468493A - Data transmission method, identity recognition method and system based on field bus - Google Patents


Info

Publication number
CN112468493A
Authority
CN
China
Prior art keywords
identity
data
master station
station
slave station
Legal status: Pending
Application number
CN202011342897.8A
Other languages
Chinese (zh)
Inventor
仇建喜
刘吉辉
陈涛
孙业辉
董峰
钱康
曾嘉俊
Current Assignee: Shanghai Electric Wind Power Group Co Ltd
Original Assignee
Shanghai Electric Wind Power Group Co Ltd
Application filed by Shanghai Electric Wind Power Group Co Ltd
Priority to CN202011342897.8A
Publication of CN112468493A
Priority to PCT/CN2021/094641 (WO2022110688A1)

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                • H04L 12/00 Data switching networks
                    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
                        • H04L 12/40 Bus networks
                            • H04L 2012/40208 Bus networks characterized by the use of a particular bus standard
                                • H04L 2012/40221 Profibus
                • H04L 67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L 67/01 Protocols
                        • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
            • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
                • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
                    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention discloses a data transmission method, an identity recognition method, a system, equipment and a medium based on a field bus. The data transmission method comprises the following steps: generating master station identity plaintext data; encrypting the master station identity plaintext data to generate master station identity ciphertext data; and sending the master station identity ciphertext data to the slave station. In the invention, master station identity plaintext data is generated and encrypted independently of the original communication data of the master station and the slave station and is used for identity verification between them: after the slave station receives the encrypted data sent by the master station, the master station obtains the authority to communicate normally with the slave station only once the data has been successfully decrypted and verified. Because the independently generated master station identity plaintext data occupies little space relative to the working data, the safety of data transmission between the master station and the slave station is greatly improved without affecting the normal communication efficiency between them.

Description

Data transmission method, identity recognition method and system based on field bus
Technical Field
The invention relates to the technical field of digital security, in particular to a data transmission method, an identity recognition method, a system, equipment and a medium based on a field bus.
Background
The field bus is widely applied in industrial control systems because it is distributed, open, interconnectable, highly reliable and low in cost. In a wind farm control system, for example, the field bus is generally used to realize the control, monitoring and communication functions among the components of the industrial control system and between the station level monitoring center and the wind turbine (fan) unit. A general industrial control system based on a field bus is characterized by low data processing speed and high real-time requirements.
Fig. 1 shows a schematic diagram of a SCADA (Supervisory Control And Data Acquisition) system architecture. A SCADA system is a distributed remote computer control system, mainly used to measure and control widely distributed devices and to monitor their production processes. As shown in fig. 1, the wind farm and the station level centralized monitoring center, and the station level centralized monitoring center and the headquarters level remote monitoring center, can communicate with each other through the field bus to transmit data.
However, the protocol standard of the field bus is public and the master station and the slave station communicate in plaintext, so the identity of the master station or the slave station can be disguised, and situations such as data theft, tampering and forging of legitimate information can occur, posing a great threat to the safe operation of the wind turbine system. Fig. 2 is a schematic diagram of the field bus system architecture of an industrial control system, in which an eavesdropper or saboteur may pretend to be a slave node or a master station in order to disrupt normal transmission between the master station and the slave station, and a conventional data transmission method can hardly ensure safe data transmission between them.
Disclosure of Invention
The technical problem to be solved by the invention is to overcome the defect that the safety of data transmission between a master station and a slave station is difficult to guarantee when data transmission is carried out through a field bus in the prior art, and provide an identity identification method, a data transmission method, a system, equipment and a medium based on the field bus, which can improve the safety of data transmission between the master station and the slave station.
The invention solves the technical problems through the following technical scheme:
the invention provides a data transmission method based on a field bus, which is applied to a master station and comprises the following steps:
generating plaintext data of the identity of the master station;
encrypting the master station identity plaintext data to generate master station identity ciphertext data, wherein the master station identity ciphertext data is used for a slave station to perform identity verification on the master station;
and sending the master station identity ciphertext data to the slave station.
Preferably, in the step of encrypting the master station identity plaintext data to generate master station identity ciphertext data, positions of characters in the master station identity plaintext data are rearranged by a preset encoding rule to generate master station identity ciphertext data.
Preferably, the clear text data of the master station identity comprises an identifier of the target master station.
Preferably, after the step of sending the master station identity ciphertext data to the slave station, the method further includes:
receiving slave station identity ciphertext data sent by the slave station;
decrypting the slave station identity ciphertext data to generate slave station identity plaintext data;
judging whether the identity plaintext data of the slave station conforms to preset slave station plaintext data or not, and if so, confirming that the identity verification of the slave station is successful;
the master station identity plaintext data comprises a master station random code, the slave station identity plaintext data comprises a target master station identifier and the master station random code, and the preset slave station plaintext data comprises a preset master station identifier and the master station random code sent in the step of sending the master station identity ciphertext data to the slave station;
and when the target master station identifier is consistent with the preset master station identifier and the master station random code is consistent with the master station random code sent in the step of sending the master station identity ciphertext data to the slave station, it is judged that the slave station identity plaintext data is consistent with the preset slave station plaintext data.
Preferably, the plaintext data of the master station identity further includes an identifier of a target slave station, and the plaintext data of the preset slave station further includes an identifier of the preset slave station;
the step of judging that the plaintext data of the identity of the slave station conforms to the plaintext data of the preset slave station further comprises the following steps: the target slave station identifier corresponds to the preset slave station identifier.
Preferably, the target slave station identifier is also used for the slave station to authenticate the master station.
Preferably, before the step of generating the plaintext data of the identity of the master station, the method further includes: and randomly generating a target slave station identifier, wherein the target slave station identifier updated in the slave station is used for the master station to authenticate the slave station.
Preferably, the step of sending the master station identity ciphertext data to the slave station is performed multiple times.
Preferably, the step of receiving the slave station identity ciphertext data transmitted by the slave station includes: receiving the slave station identity ciphertext data sent by the slave station multiple times, counting the number of inconsistencies among the data received multiple times, and judging whether that number is greater than a first preset number; if so, generating slave station identity error information, and if not, executing the step of decrypting the slave station identity ciphertext data to obtain slave station identity plaintext data.
Preferably, the step of receiving the slave identity cryptogram data sent by the slave station comprises:
and judging whether the slave station identity ciphertext data sent by the slave station is received within a first time threshold range, if not, generating slave station processing overtime information, and if so, decrypting the slave station identity ciphertext data to generate slave station identity plaintext data.
Preferably, the steps of generating master station identity plaintext data, encrypting the master station identity plaintext data to generate master station identity ciphertext data, and transmitting the master station identity ciphertext data to the slave station are periodically performed.
Preferably, the steps of receiving the slave station identity ciphertext data sent by the slave station, decrypting the slave station identity ciphertext data to generate the slave station identity plaintext data, and judging whether the target master station identifier matches the preset master station identifier are performed periodically; after the step of confirming that the identity verification of the slave station is successful has been performed for the first time, if the step of judging whether the slave station identity plaintext data conforms to the preset slave station plaintext data is performed again and the judgment result is negative, it is determined that the identity verification of the slave station has failed.
Preferably, the master station includes a master station permission token, when the master station permission token is a first identifier, the master station has a permission to execute the data transmission method, and when the master station permission token is a second identifier, the master station does not have the permission to execute the data transmission method;
the method for generating the master station identity plaintext data comprises the following steps: setting the master station permission token as a first identifier;
after the step of sending the master station identity ciphertext data to the slave station, the method further comprises the following steps: and setting the master station permission token as a second identifier.
The invention also provides an identity recognition method based on the field bus, which is applied to the slave station and comprises the following steps:
receiving master station identity ciphertext data sent by a master station;
decrypting the master station identity ciphertext data to obtain master station identity plaintext data;
and judging whether the plaintext data of the master station identity is consistent with preset master station identity data, and if so, confirming that the identity verification of the master station is successful.
Preferably, in the step of decrypting the master station identity ciphertext data, the position of each character in the master station identity ciphertext data is restored by a preset anti-coding rule, the inverse of the preset encoding rule, to generate the master station identity plaintext data.
Preferably, the master station identity plaintext data includes a target master station identifier, the preset master station identity data includes a preset master station identifier, and judging that the master station identity plaintext data matches the preset master station identity data comprises judging that the target master station identifier matches the preset master station identifier.
Preferably, the plaintext data of the master station identity further includes a master station random code, the master station random code is used for the master station to perform identity authentication on the slave station, and after the step of confirming that the identity authentication of the master station is successful, the method further includes:
generating slave station identity plaintext data according to the target master station identifier and the master station random code, wherein the slave station identity plaintext data is used for the master station to perform identity verification on the slave station;
encrypting the slave station identity plaintext data to generate slave station identity ciphertext data;
and sending the identity ciphertext data of the slave station to the master station.
Preferably, the master station identity plaintext data further includes an identifier of a target slave station, and in the step of generating the slave station identity plaintext data according to the identifier of the target master station and the master station random code: and generating slave station identity plaintext data according to the target master station identifier, the target slave station identifier and the master station random code.
Preferably, the preset slave station identity data further includes a preset slave station identifier, and the determining that the target master station identifier matches the preset master station identifier further includes:
and judging that the target slave station identifier is consistent with the preset slave station identifier.
Preferably, before the step of generating the plaintext data of the slave station identity, the step further includes updating the identifier of the target slave station according to the identifier of the slave station, where the updated identifier of the target slave station is used by the master station to authenticate the slave station identity.
Preferably, the step of receiving master station identity ciphertext data sent by the master station includes: and receiving the master station identity ciphertext data sent by the master station for multiple times, judging whether the data received for multiple times are inconsistent with other data or not, if so, generating master station identity error information, and if not, executing the step of decrypting the master station identity ciphertext data to obtain master station identity plaintext data.
Preferably, in the step of sending the slave identity ciphertext data to the master station: and sending the identity ciphertext data of the slave station to the master station for multiple times.
Preferably, the step of sending the slave identity ciphertext data to the master station includes:
and judging whether master station identity ciphertext data sent by the master station is received within a second time threshold range, and if not, generating master station processing timeout information.
Preferably, the steps of receiving the master station identity ciphertext data sent by the master station, decrypting the master station identity ciphertext data to obtain the master station identity plaintext data, and judging whether the master station identity plaintext data is consistent with the preset master station identity data are executed periodically. After the step of confirming that the master station identity authentication is successful has been executed for the first time, the slave station is allowed to receive and process the working data sent by the master station; thereafter, if the step of judging whether the master station identity plaintext data is consistent with the preset master station identity data is executed again and the judgment result is negative, it is determined that the master station identity authentication has failed.
Preferably, the steps of generating slave station identity plaintext data, encrypting the slave station identity plaintext data to generate slave station identity ciphertext data, and transmitting the slave station identity ciphertext data to a master station are performed periodically.
Preferably, the slave station comprises a slave station authority token, when the slave station authority token is the second identifier, the slave station has the authority to execute the identity recognition method, and when the slave station authority token is the first identifier, the slave station does not have the authority to execute the identity recognition method;
the step of generating the plaintext data of the slave station identity further comprises the following steps: setting the slave station permission token to a second identifier;
after the step of sending the slave station identity ciphertext data to the master station, the method further comprises: setting the slave station permission token to the first identifier.
The invention also provides a data transmission system based on the field bus, which is applied to the master station and comprises: the system comprises a master station identity data generation module, a master station identity data encryption module and a master station identity data sending module;
the master station identity data generation module is used for generating master station identity plaintext data;
the master station identity data encryption module is used for encrypting the master station identity plaintext data to generate master station identity ciphertext data, and the master station identity ciphertext data is used for a slave station to perform identity verification on the master station;
and the master station identity data sending module is used for sending the master station identity ciphertext data to the slave station.
The invention also provides an identity recognition system based on the field bus, which is applied to the slave station and comprises: a master station identity data receiving module, a master station identity data decryption module and a master station identity data verification module;
the master station identity data receiving module is used for receiving master station identity ciphertext data sent by the master station;
the master station identity data decryption module is used for decrypting the master station identity ciphertext data to obtain master station identity plaintext data;
the master station identity data verification module is used for judging whether the master station identity plaintext data is consistent with preset master station identity data or not, and if yes, the master station identity data verification module confirms that the master station identity verification is successful.
The invention also provides a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the data transmission method and the identification method as described above.
The positive progress effects of the invention are as follows: master station identity plaintext data is generated and encrypted independently of the original communication data of the master station and the slave station and is used for identity verification between them; after the slave station receives the encrypted data sent by the master station, the master station obtains the authority to communicate normally with the slave station only once the data has been successfully decrypted and verified; and because the independently generated master station identity plaintext data occupies little space relative to the working data, the safety of data transmission between the master station and the slave station is greatly improved without affecting their normal communication efficiency.
Drawings
Fig. 1 is a system architecture diagram of a SCADA system.
FIG. 2 is a field bus system architecture schematic of an industrial control system.
Fig. 3 is a flowchart of an identity recognition method based on a fieldbus according to embodiment 1 of the present invention.
Fig. 4 is a schematic diagram of the format of the master station identity plaintext data in embodiment 1.
Fig. 5 is a flowchart of an implementation of step 104 in embodiment 1.
Fig. 6 is a flowchart of an identity recognition method based on a fieldbus according to embodiment 2 of the present invention.
Fig. 7 is a flowchart illustrating an identity recognition method based on a fieldbus in a specific scenario of embodiment 2.
Fig. 8 is a block diagram of a fieldbus-based identification system according to embodiment 3 of the present invention.
Fig. 9 is a block diagram of a fieldbus-based identification system according to embodiment 4 of the present invention.
Fig. 10 is a block diagram of an electronic device according to embodiment 5 of the present invention.
Detailed Description
The invention is further illustrated by the following examples, which are not intended to limit the scope of the invention.
Example 1
The embodiment provides a data transmission method based on a field bus, which is applied to a master station, and as shown in fig. 3, the data transmission method includes:
and 101, generating plaintext data of the identity of the master station.
The master station identity plaintext data is distinct from the other data exchanged between the stations (referred to as working data for short): it is separately generated, independent data used by the slave station to perform identity verification on the master station.
In this embodiment, the master station identity plaintext data has multiple implementation manners: in one, it includes a target master station identifier; in another, a target master station identifier and a target slave station identifier; in another, a target master station identifier, a target slave station identifier and a master station random code; in another, only a target slave station identifier; and in another, only a master station random code.
For convenience of description, the following takes the manner in which the master station identity plaintext data includes the target master station identifier, the target slave station identifier and the master station random code as an example. Fig. 4 shows the format of the master station identity plaintext data: it contains a target master station identifier B01 with a data length of X bits, a target slave station identifier B02 with a data length of Y bits, and a master station random code B03 with a data length of Z bits. The lengths X, Y and Z can be set reasonably according to the number of master and slave stations required by the field bus and the application; for example, with X = 4 bits, Y = 4 bits and Z = 8 bits, the length of the master station identity plaintext data is X + Y + Z = 4 + 4 + 8 = 16 bits.
The target master station identifier B01 is data agreed between the master station and the slave station, and the master station random code B03 is randomly generated data. In a first scenario, the target slave station identifier B02 is data agreed between the master station and the slave station and stored in both; in a second scenario, the target slave station identifier B02 is randomly generated data.
It should be understood that the implementation manner of the plaintext data of the primary station identity is not limited to the above manner, and can be selected according to actual situations.
In this embodiment, a plurality of implementation manners of the master station identity plaintext data are provided, which can be selected according to actual conditions in actual operation, and the setting manner of the master station plaintext data in this embodiment has wide applicability.
In this embodiment, the master station may randomly generate the identifier of the target slave station, so as to increase the generation speed of the identity plaintext data, and further increase the efficiency of the data transmission method in this embodiment.
And 102, encrypting the master station identity plaintext data to generate master station identity ciphertext data.
The plaintext data of the primary station identity may be encrypted by various ways, for example, the plaintext data of the primary station may be encrypted by an encryption algorithm in the prior art, such as a symmetric encryption algorithm like DES (data encryption standard algorithm), 3DES (triple data encryption standard algorithm), IDEA (international data encryption algorithm), AES (auxiliary encoder system algorithm), RC (Rivest Code encryption algorithm), or an asymmetric encryption algorithm like RSA (public key cryptographic algorithm), DSA (digital signature algorithm), Diffie-Hellman (a method for ensuring that a shared key safely passes through an insecure network).
However, processors of the master station and the slave station are mostly embedded chips with dominant frequencies at the hundred megahertz level, the operation processing capacity of the embedded chips is limited, the execution period of all tasks is generally about 1-20 milliseconds, the embedded chips comprise complex work of processing data acquisition, data calculation, data communication, time sequence logic, control algorithm, fault protection and the like, and the embedded chips have high real-time requirements. The communication speed of the field bus equipment of the industrial control system is generally 100kbit/s (kilobits per second) to 12Mbit/s, and the processing of communication data between the master station and the slave station is generally required to be completed in one task period.
The communication data encryption algorithm with higher confidentiality, namely the symmetric encryption algorithm or the asymmetric encryption algorithm, has very large calculation amount, and is mainly used for occasions with low real-time requirement on communication data at present. If the encryption algorithm is used for completing data encryption and decryption work of communication identity verification in a task period of 1-20 milliseconds of the embedded chip, a great deal of time resources of the embedded chip are occupied, so that execution of all tasks cannot be completed in an execution period, the real-time performance of task processing such as communication, monitoring, sequential logic and control between a master station and a slave station based on a field bus of an industrial control system is seriously affected, and the control requirement of a fan unit cannot be met.
Therefore, in this embodiment, the preset encoding rule with a relatively simple calculation amount is preferentially selected to encrypt the master station plaintext data to overcome the defects of large calculation amount and time consumption in calculation, and the real-time property of data transmission is ensured while the data transmission security is improved, wherein the preset encoding rule is used for rearranging the positions of the characters in the master station identity plaintext data to generate the master station identity ciphertext data. Such as: each character in the master station random code can be respectively inserted into each character of the target master station identifier and the target slave station identifier so as to change the position relation among the characters in the master station identity plaintext data. For another example, the sequence of individual characters in the target master station identifier, the target slave station identifier and the master station random code may be scrambled. It should be understood that the preset encoding rule is only used for illustration and should not be a limitation to the embodiment, and in fact, there may be other ways to rearrange the positions of the characters in the plaintext data of the primary station identity to generate the ciphertext data of the primary station identity.
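As an added illustration of the Fig. 4 format and of the character-rearranging encoding rule just described (example code written for this page, not code from the patent or its assignee), the following C functions pack B01, B02 and B03 into a 16-bit word using the example widths X = 4, Y = 4, Z = 8, and apply one concrete preset encoding rule: every bit of the random code is inserted between the bits of the two identifiers. Treating the "characters" as bits, the interleaving pattern and the field order are assumptions of this example; the description leaves the exact rule open. Because the rule is a fixed permutation, the slave station's "anti-coding rule" is simply the inverse permutation.

```c
#include <stdint.h>
#include <stdio.h>

/* Field widths from the example in the description: X = 4, Y = 4, Z = 8 bits. */
#define B01_BITS 4
#define B02_BITS 4
#define B03_BITS 8

typedef struct {
    uint8_t master_id;   /* B01, target master station identifier */
    uint8_t slave_id;    /* B02, target slave station identifier */
    uint8_t random_code; /* B03, master station random code (from the device RNG, not shown) */
} identity_plain_t;

/* Pack the three fields into the 16-bit plaintext word, laid out as [B01 | B02 | B03]. */
uint16_t identity_pack(identity_plain_t p)
{
    return (uint16_t)(((p.master_id & 0x0F) << 12) |
                      ((p.slave_id & 0x0F) << 8) |
                      (p.random_code & 0xFF));
}

/* Split the 16-bit plaintext word back into its fields. */
identity_plain_t identity_unpack(uint16_t word)
{
    identity_plain_t p;
    p.master_id = (uint8_t)((word >> 12) & 0x0F);
    p.slave_id = (uint8_t)((word >> 8) & 0x0F);
    p.random_code = (uint8_t)(word & 0xFF);
    return p;
}

/* Preset encoding rule (constructed for this example): interleave each bit of
 * the random code between the bits of the identifiers. Output bit 2i takes
 * bit i of B01||B02 (8 bits), output bit 2i+1 takes bit i of B03. */
uint16_t identity_encode(uint16_t plain)
{
    uint8_t ids = (uint8_t)(plain >> 8);
    uint8_t rnd = (uint8_t)(plain & 0xFF);
    uint16_t cipher = 0;
    for (int i = 0; i < 8; i++) {
        cipher |= (uint16_t)(((ids >> i) & 1u) << (2 * i));
        cipher |= (uint16_t)(((rnd >> i) & 1u) << (2 * i + 1));
    }
    return cipher;
}

/* Preset anti-coding rule: the inverse permutation, restoring each bit position. */
uint16_t identity_decode(uint16_t cipher)
{
    uint8_t ids = 0, rnd = 0;
    for (int i = 0; i < 8; i++) {
        ids |= (uint8_t)(((cipher >> (2 * i)) & 1u) << i);
        rnd |= (uint8_t)(((cipher >> (2 * i + 1)) & 1u) << i);
    }
    return (uint16_t)((ids << 8) | rnd);
}

int main(void)
{
    /* Constructed sample: master 0xA addresses slave 0x3 with random code 0x5C. */
    identity_plain_t p = { 0xA, 0x3, 0x5C };
    uint16_t plain = identity_pack(p);
    uint16_t cipher = identity_encode(plain);
    identity_plain_t back = identity_unpack(identity_decode(cipher));
    printf("plain 0x%04X -> cipher 0x%04X -> B01=%X B02=%X B03=%02X\n",
           plain, cipher, back.master_id, back.slave_id, back.random_code);
    return 0;
}
```

The random code is taken as an input here; on the device it comes from the master station's random number source. A fixed bit permutation is a transposition step, not a keyed cipher: it costs a few shifts per task period, which is the trade-off the description makes against the 1-20 millisecond budget, and it conceals the field layout only from a party that does not know the rule, so the rule itself must be kept private on both stations.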
In the prior art, the master station and the slave station communicate in plaintext, so an attacker can easily impersonate the slave station that needs to communicate with the master station, receive the data sent by the master station, and thereby monitor, steal or otherwise illegally act on the data. In this embodiment, by setting independent master station identity plaintext data and encrypting it, the slave station can continue to receive and analyze the working data sent by the master station only after it has successfully decrypted and verified the master station identity ciphertext data, which improves the security of communication between the master station and the slave station.
In this embodiment, the master station identity plaintext data can be encrypted with a simple preset encoding rule, so that the security of the communication process between the master station and the slave station is improved while its real-time performance is also ensured. In addition, the master station identity plaintext data has a simple setting rule, a small data length and limited resource requirements, so that the processing of the working data is not affected while the security of the communication process between the master station and the slave station is ensured.
Step 103, sending the master station identity ciphertext data to the slave station.
The master station can send the master station identity ciphertext data to all the slave stations in a broadcast mode, or send it to the corresponding slave station in a one-to-one on-demand mode.
In a specific implementation manner, in order to avoid a situation in which sending the master station identity ciphertext data fails for objective reasons such as a communication failure or network congestion, step 103 in this embodiment includes sending the master station identity ciphertext data to the slave station multiple times, where the number of sends may be set according to actual needs, for example, 10 times.
In this embodiment, in addition to the original communication data of the master station and the slave station, master station identity plaintext data is generated independently and encrypted for identity verification between the master station and the slave station. After the slave station receives the encrypted data sent by the master station, the master station obtains the authority to communicate normally with the slave station only after the data has been decrypted and verified successfully. Since the independently generated master station identity plaintext data occupies little space relative to the working data, the security of data transmission between the master station and the slave station is greatly improved without affecting the normal communication efficiency between them.
In this embodiment, the master station identity ciphertext data can be sent to the slave station multiple times, so that failure of identity verification between the master station and the slave station due to network causes is avoided, and the security of data communication between the master station and the slave station is further enhanced.
Since data communication is a mutual process, in a specific embodiment the master station may further receive identity ciphertext data sent by the slave station in order to verify the identity of the slave station. Specifically, as shown in fig. 2, after step 103 the method may further include:
Step 104, receiving the slave station identity ciphertext data sent by the slave station.
The manner of receiving the slave station identity ciphertext data may refer to the manner of receiving the master station identity ciphertext data sent by the master station in step 201 of embodiment 2, which is not described here again.
Step 105, decrypting the slave station identity ciphertext data to generate slave station identity plaintext data.
The manner in which the slave station identity ciphertext data is decrypted may refer to the manner in which the master station identity ciphertext data is decrypted in step 202 of embodiment 2, and details are not repeated here.
Step 106, judging whether the slave station identity plaintext data is consistent with preset slave station identity data; if so, executing step 107, and if not, executing step 108.
Step 107, confirming that the identity verification of the slave station succeeds.
Step 108, confirming that the identity verification of the slave station fails.
Specifically, when the master station ciphertext data sent by the master station to the slave station in step 103 includes only the encrypted target master station identifier, the verification in step 106 is to judge whether the target master station identifier is consistent with the preset master station identity data; if so, step 107 is executed, and if not, step 108 is executed.
When the master station ciphertext data sent by the master station to the slave station in step 103 includes the encrypted target master station identifier and the encrypted target slave station identifier, the verification in step 106 is to judge whether the target master station identifier is consistent with the preset master station identity data and whether the target slave station identifier is consistent with the preset slave station identity data; if both judgments are yes, step 107 is executed, and otherwise step 108 is executed.
When the master station ciphertext data sent by the master station to the slave station in step 103 includes the encrypted target master station identifier and the master station random code, the verification in step 106 is to judge whether the target master station identifier is consistent with the preset master station identity data and whether the master station random code obtained after decryption is consistent with the master station random code generated in step 101; if both judgments are yes, step 107 is executed, and otherwise step 108 is executed.
When the master station ciphertext data sent by the master station to the slave station in step 103 includes the encrypted target master station identifier, the encrypted target slave station identifier and the master station random code, the verification in step 106 is to judge whether the target master station identifier is consistent with the preset master station identity data, whether the target slave station identifier is consistent with the preset slave station identity data, and whether the master station random code obtained after decryption is consistent with the master station random code generated in step 101; if all three judgments are yes, step 107 is executed, and otherwise step 108 is executed.
In this embodiment, if the decryption in step 105 is not successful, or the slave station identity plaintext data in step 106 is inconsistent with the preset slave station identity data, the slave station is regarded as an insecure slave station, communication between the master station and the slave station is prohibited, and slave station identity verification error information may further be generated to prompt the relevant personnel to handle it.
In this embodiment, the master station may verify the slave station using only the target master station identifier obtained after decryption, so that the security of data transmission between the master station and the slave station is enhanced while the verification speed is increased. The master station may further verify the slave station using the target slave station identifier obtained after decryption, which further improves the security of data transmission between the master station and the slave station. The master station may also verify the slave station using the randomly generated master station random code it sent previously, which further increases the reliability and security of data transmission between the master station and the slave station.
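The interleaving encoding rule of step 102 together with the mutual verification of steps 101 to 108 and 201 to 208, as an added example in Python that is not part of the patent; the four-character identifiers, the eight-digit random code, the field order and the class and function names are assumptions. Because the rule is a fixed permutation, anyone who knows it can read the fields, so the echoed random code is what ties a slave reply to the current master challenge.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed layout assumptions: fixed-length identifiers and a random code
# exactly as long as both identifiers together, so the interleave is 1:1.
ID_LEN = 4
RAND_LEN = 2 * ID_LEN


def encode_identity(master_id: str, slave_id: str, rand: str) -> str:
    """Preset encoding rule (steps 102 / 207): insert each random-code character
    after one character of the concatenated identifiers, e.g.
    ('M001', 'S002', '48271935') -> 'M4080217S1090325'."""
    ids = master_id + slave_id
    if len(master_id) != ID_LEN or len(ids) != len(rand):
        raise ValueError("identity fields do not match the assumed layout")
    return "".join(a + b for a, b in zip(ids, rand))


def decode_identity(cipher: str) -> Tuple[str, str, str]:
    """Inverse rule (steps 105 / 202): even positions are the identifiers,
    odd positions are the random code."""
    if len(cipher) != 2 * RAND_LEN:
        raise ValueError("ciphertext length does not match the assumed layout")
    ids, rand = cipher[0::2], cipher[1::2]
    return ids[:ID_LEN], ids[ID_LEN:], rand


@dataclass
class MasterStation:
    my_id: str              # target master station identifier B01 (agreed in advance)
    preset_slave_id: str    # preset slave station identity data
    rand: str = ""          # master station random code B03 of the current cycle

    def challenge(self, rand: Optional[str] = None) -> str:
        """Steps 101-103: build and encode the master identity ciphertext.
        `rand` may be injected for deterministic tests; normally it is fresh."""
        self.rand = rand or "".join(secrets.choice(string.digits) for _ in range(RAND_LEN))
        return encode_identity(self.my_id, self.preset_slave_id, self.rand)

    def verify_slave(self, reply: str) -> bool:
        """Steps 105-108 for the richest layout in the text: master identifier,
        slave identifier and the echoed random code must all match."""
        try:
            m, s, r = decode_identity(reply)
        except ValueError:
            return False                  # a decryption failure is step 108
        return m == self.my_id and s == self.preset_slave_id and r == self.rand


@dataclass
class SlaveStation:
    my_id: str              # the slave station's own identifier
    preset_master_id: str   # preset master station identity data

    def respond(self, challenge: str) -> Optional[str]:
        """Steps 201-208: verify the master (step 203) and, only on success,
        answer with the slave identity ciphertext; None means step 205."""
        try:
            m, s, r = decode_identity(challenge)
        except ValueError:
            return None
        if m != self.preset_master_id or s != self.my_id:
            return None
        # Step 206 with an agreed slave identifier: reuse the received target
        # identifiers and echo the master random code so the master can check it.
        return encode_identity(m, self.my_id, r)


def run_handshake(master: MasterStation, slave: SlaveStation,
                  rand: Optional[str] = None) -> bool:
    """One full identity cycle; True only when both sides accepted each other."""
    reply = slave.respond(master.challenge(rand))
    return reply is not None and master.verify_slave(reply)
```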
In a specific embodiment, as shown in fig. 5, in order to improve the efficiency of identity verification between the master station and the slave station, step 104 may specifically include:
Step 1041, judging whether the slave station identity ciphertext data sent by the slave station is received within a first time threshold; if not, executing step 1042, and if so, executing step 105.
Step 1042, generating slave station processing timeout information.
In this embodiment, if the master station does not receive the slave station identity ciphertext data sent by the slave station within the first time threshold, slave station processing timeout information is generated, through which the relevant personnel can be reminded to handle the situation, so that the efficiency of identity verification between the master station and the slave station is ensured while the communication security is enhanced.
In a specific implementation manner, a master station authority token may be preset in the master station: when the master station authority token is a first identifier, the master station has the authority to execute the data transmission method, and when it is a second identifier, the master station does not have that authority. A step of setting the master station authority token to the first identifier may further be included at the same time as, or before, generating the master station identity plaintext data in step 101.
Similarly, a step of setting the master station authority token to the second identifier may further be included at the same time as, or before, sending the master station identity ciphertext data in step 103.
Similarly, a step of setting the master station authority token to the first identifier may further be included when receiving the slave station identity ciphertext data in step 104.
In this embodiment, the operation authority of the master station can be modified by modifying the master station authority token. It should be understood that only one of the master station and the slave station has the operation authority at any one time; by modifying the authority token, the master station and the slave station are prevented from processing the master station and slave station identity data at the same time, so that the synchronism of the identity-related data in the master station and the slave station is ensured, and the identity recognition process between the master station and the slave station is further ensured to proceed effectively.
In a specific embodiment, in order to continuously ensure the security of data transmission between the master station and the slave station, steps 101 to 108 may be performed periodically. After the verification in step 106 is performed for the first time within a preset time range, such as 24 hours or 48 hours, and confirms that the identity verification of the slave station succeeds, the data transmission authority of the slave station is turned on, that is, the master station is allowed to receive the working data sent by the corresponding slave station and to process it further.
When steps 101 to 108 are executed in a subsequent cycle, if the identity verification of the slave station fails in step 106, the data transmission authority of the slave station is turned off, that is, the master station is prohibited from receiving and processing the working data sent by the slave station.
It should be understood that, in this embodiment, the slave station ciphertext data may be decrypted over multiple subsequent cycles: for example, only 10 percent of the slave station ciphertext data may be decrypted in the second cycle, 20 percent in the third cycle and 20 percent in the fourth cycle, and normal data processing between the master station and the slave station is maintained while the data is being decrypted. In one scenario, the slave station plaintext data is verified after the slave station ciphertext data has been decrypted in its entirety; in another scenario, the slave station ciphertext data may be verified in segments while it is being decrypted, for example each 10 percent of the slave station ciphertext data is verified as soon as it has been decrypted. In the first scenario, the identity verification of the slave station is considered to fail if the verification of the whole slave station plaintext data fails; in the second scenario, it is considered to fail as soon as the verification of a decrypted partial segment fails.
In this embodiment, after the first successful identity verification of the slave station, the data transmission authority of the slave station is opened, and once the data transmission authority of the slave station towards the master station has been opened, the slave station can continuously send working data to the master station.
Example 2
This embodiment provides a field-bus-based identity recognition method applied to a slave station; as shown in fig. 6, the identity recognition method includes:
Step 201, receiving master station identity ciphertext data sent by a master station.
The master station identity ciphertext data received in step 201 is the data sent by the master station in step 103 in embodiment 1.
In a specific embodiment, in step 201 the master station identity ciphertext data sent by the master station may be received multiple times, and it is judged whether, among the data received multiple times, the data of a first preset number of receptions is inconsistent with the other data; if so, master station identity error information is generated, and if not, step 202 is executed. After the identity error information is generated, the relevant personnel can be reminded through it to check the network condition, so that identity verification between the master station and the slave station is not affected by network causes.
The first preset number may be set according to the actual situation; specifically, it may be set in proportion to the number of sends in step 103 of embodiment 1, for example from 1 up to 0.7 × the number of sends, where the coefficient 0.7 is merely an example and may be chosen freely according to the actual situation, such as 0.6, 0.8 or 0.9.
In this embodiment, the master station identity ciphertext data is received multiple times and it is judged whether the identity ciphertext data received each time is consistent, so that failure of identity verification between the master station and the slave station due to network causes is avoided, and the security of data communication between the master station and the slave station is further enhanced.
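The repeated-reception consistency check of step 201, as an added example that is not part of the patent. It assumes the first preset number is compared against the count of received copies that disagree with the majority copy, treats copies that never arrived the same way, and uses the text's 10 sends and coefficient 0.7 as constructed defaults.

```python
from collections import Counter
from typing import List, Optional, Tuple


def first_preset_number(send_count: int, coefficient: float = 0.7) -> int:
    """First preset number of the text: proportional to the number of sends in
    step 103, clamped to the range 1 .. send_count (coefficient 0.7 is the
    page's example; 0.6, 0.8 or 0.9 are equally allowed)."""
    if send_count < 1:
        raise ValueError("send_count must be at least 1")
    return max(1, min(send_count, round(coefficient * send_count)))


def check_repeated_copies(copies: List[str], send_count: int = 10,
                          coefficient: float = 0.7) -> Tuple[bool, Optional[str]]:
    """Step 201 consistency check over the copies received from the master.

    Returns (ok, data).  ok is False when the number of copies disagreeing
    with the majority copy reaches the first preset number, which is the case
    in which master station identity error information would be generated;
    otherwise data is the majority copy to hand to step 202."""
    if not copies:
        return False, None                 # nothing arrived at all
    counts = Counter(copies)
    majority, majority_n = counts.most_common(1)[0]
    disagreeing = len(copies) - majority_n
    # Assumption: a frame that never arrived is counted like a disagreeing
    # one, since the slave cannot tell a lost frame from a corrupted one.
    lost = max(0, send_count - len(copies))
    if disagreeing + lost >= first_preset_number(send_count, coefficient):
        return False, None
    return True, majority
```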
Step 202, decrypting the master station identity ciphertext data to obtain master station identity plaintext data.
The master station identity ciphertext data is decrypted with the decryption method corresponding to the encryption method of step 102 in embodiment 1. If in step 102 the preset encoding rule rearranges the positions of the characters in the master station identity plaintext data to generate the master station identity ciphertext data, then step 202 restores the positions of the characters in the master station identity ciphertext data with the preset inverse encoding rule corresponding to the preset encoding rule, regenerating the master station identity plaintext data.
The master station identity plaintext data may refer to the master station identity plaintext data generated in step 101 in embodiment 1, and is not described herein again.
Step 203, judging whether the master station identity plaintext data is consistent with preset master station identity data; if so, executing step 204, and if not, executing step 205.
Step 204, confirming that the identity verification of the master station succeeds.
Step 205, confirming that the identity verification of the master station fails, and ending the process.
In this embodiment, after it is confirmed in step 204 that the identity verification of the master station succeeds, the slave station may receive and analyze the working data sent by the corresponding master station; in other words, the corresponding master station thereby obtains the authority for data communication with the slave station.
In this embodiment, if the decryption in step 202 is not successful, or the master station identity plaintext data in step 203 is inconsistent with the preset master station identity data, the master station is regarded as an insecure master station, communication between the master station and the slave station is prohibited, and master station identity verification error information may further be generated to prompt the relevant personnel to handle it.
Specifically, in this embodiment, when the target slave station identifier B02 is randomly generated data, step 203 may specifically determine whether the target master station identifier is consistent with the preset master station identity data, if so, step 204 is executed, and if not, step 205 is executed.
When the target slave station identifier B02 is data agreed by the master station and the slave station, step 203 may specifically determine whether the target master station identifier is consistent with the preset master station identity data, and determine whether the target slave station identifier is consistent with the preset slave station identity data, if the determination results are both yes, step 204 is executed, and if any determination result is no, step 205 is executed.
In this embodiment, the slave station may verify the master station only by the target master station identifier obtained after decryption, so that the security of data transmission between the master station and the slave station is enhanced while the verification speed is increased. In this embodiment, the slave station may further verify the master station by using the target slave station identifier obtained after decryption, thereby further improving the security of data transmission between the master station and the slave station.
Since data communication is a mutual process, in a specific embodiment the slave station may generate slave station identity ciphertext data so that the master station can verify the identity of the slave station. Specifically, after steps 204 and 205, the method may further include:
Step 206, generating slave station identity plaintext data.
The slave station identity plaintext data is data different from the other data (referred to as working data for short); it is independent data, extracted separately, used by the master station to verify the identity of the slave station.
The slave station identity plaintext data has multiple implementation manners, which may refer to the implementation manners of the master station identity plaintext data in embodiment 1 and are not described here again.
For convenience of description, the following takes as an example the case in which the slave station identity plaintext data includes a target master station identifier, a target slave station identifier and a master station random code.
In a specific implementation manner, when the target slave station identifier in the master station identity plaintext data of embodiment 1 is a target slave station identifier agreed with the slave station in advance, the slave station identity plaintext data may be generated from the target slave station identifier received from the master station.
In another specific implementation manner, when the target slave station identifier in the master station identity plaintext data of embodiment 1 is a randomly generated target slave station identifier, the slave station replaces the target slave station identifier with its own slave station identifier, and the slave station identity plaintext data is generated from the updated target slave station identifier.
In this embodiment, according to different master station identity plaintext data sent by the master station, multiple implementation manners of slave station identity plaintext data are provided, and in actual operation, selection may be performed according to actual conditions.
In this embodiment, the slave station identity plaintext data used for verifying the identity of the slave station can be generated both when the target slave station identifier is randomly generated and when it is agreed in advance, which improves the applicability of the identity recognition method of this embodiment and the security of data transmission between the master station and the slave station.
Step 207, encrypting the slave station identity plaintext data to generate slave station identity ciphertext data.
The method for encrypting the plaintext data of the slave station identity refers to the method for encrypting the plaintext data of the master station identity in step 102 in embodiment 1, and details are not repeated here.
Step 208, sending the slave station identity ciphertext data to the master station.
For the method for sending the slave station identity ciphertext data, reference may be made to the method for sending the master station identity ciphertext data in step 103 in embodiment 1, which is not described herein again.
In a specific embodiment, a slave station authority token may be preset in the slave station: when the slave station authority token is the second identifier, the slave station has the authority to execute the identity recognition method, and when it is the first identifier, the slave station does not have that authority. A step of setting the slave station authority token to the second identifier may further be included at the same time as, or before, receiving the master station identity ciphertext data in step 201.
Similarly, a step of setting the slave station authority token to the second identifier may further be included when sending the slave station identity ciphertext data in step 208.
In this embodiment, the operation authority of the slave station can be modified by modifying the slave station authority token. Only one of the master station and the slave station has the operation authority at any one time; by modifying the authority token, the master station and the slave station are prevented from processing the master station and slave station identity data at the same time, so that the synchronism of the identity-related data in the master station and the slave station is ensured, and the identity recognition process between the master station and the slave station is further ensured to proceed effectively.
In a specific embodiment, in order to ensure the security of data transmission between the master station and the slave station, steps 201 to 208 may be performed periodically. After the verification in step 203 is confirmed to succeed within a preset time range, such as 24 hours or 48 hours, the data transmission authority of the master station is turned on, that is, the slave station is allowed to receive the working data sent by the corresponding master station and to process it further.
When steps 201 to 208 are executed in a subsequent cycle, if the identity verification of the master station fails in step 203, the data transmission authority of the slave station is turned off, that is, the slave station is prohibited from receiving and processing the working data sent by the master station.
It should be understood that, in this embodiment, the master station ciphertext data may be decrypted over multiple subsequent cycles: for example, only 10 percent of the master station ciphertext data may be decrypted in the second cycle, 20 percent in the third cycle and 20 percent in the fourth cycle, and normal data processing between the master station and the slave station is maintained while the data is being decrypted. In one scenario, the decrypted master station plaintext data is verified after the master station ciphertext data has been decrypted in its entirety; in another scenario, the master station ciphertext data may be verified in segments while it is being decrypted, for example each 10 percent of the master station ciphertext data is verified as soon as it has been decrypted. In the first scenario, the identity verification of the master station is considered to fail if the verification of the whole master station plaintext data fails; in the second scenario, it is considered to fail as soon as the verification of a decrypted partial segment fails.
In this embodiment, after the first successful identity verification of the master station, the data transmission authority of the master station is turned on, and once it has been turned on towards the slave station, the master station can continuously send working data to the slave station. During this period, the data transmission authority of the master station is turned off only after the identity verification of the master station fails in a subsequent cycle. In this way, normal data transmission between the master station and the slave station is not affected after the first successful identity verification of the master station, that is, the efficiency of normal data transmission is not affected while the security of data transmission is ensured.
In order to better understand the identity recognition method in this embodiment, the following describes this embodiment through a specific scenario:
As shown in fig. 7, after the hardware of the master station and the slave station has been built and the master station and the slave station have successfully established communication, the identity of the master station is verified through steps 201 to 205 within a preset time range. If the judgment of whether the first authentication is valid is yes, the authentication timer is incremented by 1; it should be understood that the default value of the authentication timer can be preset according to actual requirements. If the first authentication is judged not to be valid, the first authentication operation is performed, specifically steps 202 and 203, and the result of the first authentication operation is then judged: if the result is yes, it is further judged whether the first authentication passes; if the result of the first authentication operation is no, the process ends, there may be a network or other fault, and the relevant personnel may be notified to handle it.
If the judgment of whether the first authentication passes is yes, the authentication timer is cleared and the first authentication flag is set to 1, after which other tasks can be executed, such as receiving and analyzing the working data sent by the master station.
After the authentication timer has been incremented by 1, it can further be judged whether the authentication timer has reached its upper limit value. If not, the authentication result is considered to remain valid and other tasks can continue to be executed. If the authentication timer has reached its upper limit value, steps 201 to 205 can be executed again to perform the authentication operation between the master station and the slave station; in this embodiment, specifically, the slave station authenticates the identity of the master station. It should be understood that, because the first authentication has already passed at this point, the slave station can still execute other tasks and carry out normal data communication while the identity of the master station is being authenticated in this later period (that is, while the judgment of whether the authentication operation is finished is no). When the judgment of whether the authentication operation is finished is yes, it is further judged whether this non-first authentication passes: if the master station passes the identity authentication, the authentication timer is reset and the slave station can execute other tasks; if the judgment of whether the authentication passes is no, an authentication error is reported and the communication is interrupted.
It should be understood that the authentication procedure of the master station to the slave station may refer to the above authentication procedure of the slave station to the master station, and will not be described herein again.
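The periodic re-authentication flow of fig. 7 (first authentication, authentication timer, re-authentication spread over several cycles while working data continues), as an added example that is not part of the patent; the timer limit, the per-cycle callback and the class name are assumptions.

```python
from typing import Callable, Optional

# The callback models one task cycle of steps 201-205: it returns True or
# False once the authentication has finished, or None while decryption and
# verification are still spread over further cycles (the 10/20 percent per
# cycle case in the text).
AuthStep = Callable[[], Optional[bool]]


class SlaveAuthCycle:
    """Slave-side view of fig. 7: first authentication, timer, re-authentication."""

    def __init__(self, timer_limit: int):
        self.timer_limit = timer_limit     # upper limit value of the authentication timer
        self.timer = 0                     # authentication timer, +1 per cycle
        self.first_auth_flag = False       # "first authentication flag"
        self.auth_in_progress = False      # a re-authentication has not finished yet
        self.comm_allowed = False          # data transmission authority of the master
        self.error: Optional[str] = None   # last reported error information

    def cycle(self, auth_step: AuthStep) -> bool:
        """Run one task cycle; returns whether working data from the master
        may be received and processed in this cycle."""
        if not self.first_auth_flag:
            # First authentication: no working data until it has passed.
            result = auth_step()
            if result is True:
                self.first_auth_flag = True
                self.timer = 0
                self.comm_allowed = True
            elif result is False:
                self.error = "first authentication failed (network or other fault)"
            return self.comm_allowed

        if not self.auth_in_progress:
            self.timer += 1
            if self.timer < self.timer_limit:
                return self.comm_allowed   # result still valid, other tasks run
            self.auth_in_progress = True   # upper limit reached: steps 201-205 again

        result = auth_step()
        if result is None:
            return self.comm_allowed       # still decrypting; communication continues
        self.auth_in_progress = False
        if result:
            self.timer = 0                 # authentication timer reset
        else:
            self.comm_allowed = False      # authority turned off, communication interrupted
            self.error = "re-authentication failed; communication interrupted"
        return self.comm_allowed
```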
Example 3
This embodiment provides a field-bus-based data transmission system applied to a master station; as shown in fig. 8, the data transmission system includes a master station identity data generation module 301, a master station identity data encryption module 302 and a master station identity data sending module 303.
The master station identity data generation module 301 is configured to generate master station identity plaintext data.
The master station identity plaintext data is data different from the other data (referred to as working data for short); it is independent data, extracted separately, used by the slave station to verify the identity of the master station.
In this embodiment, the master station identity plaintext data has multiple implementation manners. In one implementation manner, the master station identity plaintext data includes a target master station identifier; in another, it includes a target master station identifier and a target slave station identifier; in another, it includes a target master station identifier, a target slave station identifier and a master station random code; in another, it includes a target slave station identifier; and in another, it includes a master station random code.
For convenience of describing the present embodiment, the following description will be given by taking a manner that the plaintext data of the master station identity includes the target master station identifier, the target slave station identifier, and the master station random code as an example. Fig. 4 shows a format diagram of the master station identity plaintext data in a specific implementation manner, and in particular, the format of the master station identity plaintext data in the specific implementation manner may refer to the format of the master station identity plaintext data in embodiment 1, which is not described herein again.
The target master station identifier B01 is data agreed by the master station and the slave station, and the master station random code B03 is randomly generated data. In the first scenario, the target slave station identifier B02 is data agreed by the master station and the slave station and is stored in both the master station and the slave station; in the second scenario, the target slave station identifier B02 is randomly generated data.
It should be understood that the implementation manner of the plaintext data of the primary station identity is not limited to the above manner, and can be selected according to actual situations.
In this embodiment, a plurality of implementation manners of the master station identity plaintext data are provided, which can be selected according to actual conditions in actual operation, and the setting manner of the master station plaintext data in this embodiment has wide applicability.
In this embodiment, the master station identity data generation module 301 may randomly generate the identifier of the target slave station, so as to increase the generation speed of the identity plaintext data, and further increase the efficiency of the data transmission system in this embodiment.
The master station identity data encryption module 302 is configured to encrypt master station identity plaintext data to generate master station identity ciphertext data.
The master station identity data encryption module 302 may encrypt the master station identity plaintext data in various ways, for example, an encryption algorithm in the prior art may be used to encrypt the master station identity plaintext data, such as a symmetric encryption algorithm like DES, 3DES, IDEA, AES, and RC, or an asymmetric encryption algorithm like RSA, DSA, Diffie-Hellman.
However, the processors of the master station and the slave station are mostly embedded chips with clock frequencies on the order of one hundred megahertz. The processing capacity of such chips is limited, and the execution period of all their tasks is generally about 1-20 milliseconds, during which they must handle complex work such as data acquisition, data calculation, data communication, sequential logic, control algorithms and fault protection, all with strict real-time requirements. The communication speed of the field bus equipment of an industrial control system is generally 100 kbit/s (kilobits per second) to 12 Mbit/s, and the processing of communication data between the master station and the slave station generally has to be completed within one task period.
Communication data encryption algorithms with higher confidentiality, that is, the symmetric and asymmetric encryption algorithms named above, involve a very large amount of calculation and are at present used mainly where the real-time requirement on communication data is low. If such an algorithm were used to perform the encryption and decryption work of communication identity verification within the 1-20 millisecond task period of the embedded chip, it would occupy a large share of the chip's time, so that not all tasks could be completed within the execution period; the real-time performance of communication, monitoring, sequential logic, control and other tasks between the master station and the slave station on the field bus of the industrial control system would be seriously affected, and the control requirements of the wind turbine unit could not be met.
Therefore, in this embodiment the master station identity data encryption module 302 preferentially selects a preset coding rule with a relatively small calculation amount to encrypt the master station plaintext data, which overcomes the drawbacks of large calculation amount and long calculation time and improves data transmission security while ensuring the real-time performance of data transmission. The preset coding rule rearranges the positions of the characters in the master station identity plaintext data to generate the master station identity ciphertext data. For example, each character of the master station random code can be inserted between the characters of the target master station identifier and the target slave station identifier, so as to change the positional relationship among the characters of the master station identity plaintext data. For another example, the order of the individual characters in the target master station identifier, the target slave station identifier and the master station random code may be scrambled. It should be understood that these preset coding rules are given only for illustration and do not limit the embodiment; there are other ways to rearrange the positions of the characters in the master station identity plaintext data to generate the master station identity ciphertext data.
In the prior art, plaintext communication is adopted between the master station and the slave station, so an attacker can easily impersonate a slave station that needs to communicate with the master station in order to receive the data sent by the master station, and thus carry out illegal actions such as monitoring and stealing the data. In this embodiment, the master station identity data generation module 301 sets unique master station identity plaintext data, and the master station identity data encryption module 302 encrypts it, so that the slave station can continue to receive and analyze the working data sent by the master station only after it has decrypted the master station identity ciphertext data successfully, thereby improving the security of communication between the master station and the slave station.
In this embodiment, the master station identity data encryption module 302 can encrypt the master station identity plaintext data through a simple preset encoding rule, so that not only is the security of the communication process between the master station and the slave station improved, but also the real-time performance of the communication process between the master station and the slave station is ensured. In this embodiment, the master station identity data generation module 301 has a simple rule for setting the master station identity plaintext data, has a small data length, and requires limited resources, so that the processing of the working data is not affected while the security of the master and slave station communication processes is ensured.
The master station identity data sending module 303 is configured to send master station identity ciphertext data to the slave station.
The master station identity data sending module 303 may broadcast the master station identity ciphertext data to all slave stations in a broadcast manner, or may send the master station identity ciphertext data to the corresponding slave stations in a one-to-one on-demand manner.
In a specific implementation manner, in order to avoid a situation that the sending of the master station identity ciphertext data fails due to objective reasons such as a communication failure and network congestion, in this embodiment, the master station identity data sending module 303 is configured to send the master station identity ciphertext data to the slave station multiple times, where the sending times may be set according to actual needs, for example, 10 times.
In this embodiment, in addition to the original communication data of the master station and the slave station, the master station identity data generation module 301 generates master station identity plaintext data separately, and the master station identity data encryption module 302 encrypts it for identity verification between the master station and the slave station. After the slave station receives the encrypted data sent by the master station, the master station obtains the authority to communicate normally with the slave station only once the data has been decrypted and verified successfully. Since the separately generated master station identity plaintext data occupies little space compared with the working data, the security of data transmission between the master station and the slave station is greatly increased without affecting the normal communication efficiency between them.
In this embodiment, the master station identity data sending module 303 may send master station identity ciphertext data to the slave stations for multiple times, thereby avoiding an authentication failure between the master station and the slave station due to a network, and further enhancing security of data communication between the master station and the slave station.
Since data communication is a mutual process, in a specific embodiment the master station may further receive identity ciphertext data sent by the slave station in order to verify the identity of the slave station. Specifically, the data transmission system further includes a slave station identity data receiving module 305, a slave station identity data decrypting module 306 and a slave station identity data verifying module 307, and the master station identity data sending module 303 is further configured to call the slave station identity data receiving module 305 after sending the master station identity ciphertext data to the slave station.
The slave station identity data receiving module 305 is configured to receive the slave station identity ciphertext data sent by the slave station, where a manner in which the slave station identity data receiving module 305 receives the slave station identity ciphertext data may refer to a manner in which the master station identity data receiving module 405 receives the master station identity ciphertext data sent by the master station in embodiment 4 below, and details are not repeated here.
The slave station identity data decryption module 306 is configured to decrypt the slave station identity ciphertext data to generate slave station identity plaintext data, where a manner of decrypting the slave station identity ciphertext data by the slave station identity data decryption module 306 may refer to a manner of decrypting the master station identity ciphertext data in the master station identity data decryption module 406 in embodiment 4, and details are not repeated here.
The slave station identity data verification module 307 is configured to determine whether the slave station identity plaintext data matches preset slave station plaintext data, determine that the identity verification of the slave station is successful if the slave station identity plaintext data matches the preset slave station plaintext data, and determine that the identity verification of the slave station fails if the slave station identity data does not match the preset slave station plaintext data.
Specifically, when the master ciphertext data sent by the master identity data sending module 303 to the slave station only includes the encrypted target master identity identifier, the slave identity data verification module 307 determines whether the target master identity identifier is consistent with preset master identity data, if so, it is determined that the identity verification of the slave station is successful, and if not, it is determined that the identity verification of the slave station is failed.
When the master station ciphertext data sent to the slave station by the master station identity data sending module 303 includes the encrypted target master station identity identifier and the encrypted target slave station identifier, the slave station identity data verifying module 307 specifically verifies whether the target master station identifier is consistent with the preset master station identity data, and whether the target slave station identifier is consistent with the preset slave station identity data, if both the results of the verification are yes, it is determined that the identity verification of the slave station is successful, and if not, it is determined that the identity verification of the slave station is failed.
When the master station ciphertext data sent to the slave station by the master station identity data sending module 303 includes the encrypted target master station identity identifier, the target slave station identifier, and the master station random code, the slave station identity data verifying module 307 specifically verifies whether the target master station identifier is consistent with the preset master station identity data, whether the target slave station identifier is consistent with the preset slave station identity data, and whether the master station random code obtained after decryption is consistent with the master station random code generated by the master station identity data generating module 301, if yes, it is determined that the identity verification of the slave station is successful, and if not, it is determined that the identity verification of the slave station is failed.
In this embodiment, if the slave station identity data decryption module 306 fails to decrypt the data successfully, or the slave station identity data verification module 307 determines that the slave station identity plaintext data is inconsistent with the preset slave station identity data, the slave station is considered to be an unsafe slave station and communication between the master station and that slave station is prohibited; further, slave station identity verification error information can be generated to prompt related personnel to handle it.
In this embodiment, the slave station identity data decryption module 306 may verify the slave station only by using the target master station identifier obtained after decryption, so that the security of data transmission between the master station and the slave station is enhanced while the verification speed is increased. In this embodiment, the slave station identity data decryption module 306 may further verify the slave station through the target slave station identifier obtained after decryption, so as to further improve the security of data transmission between the master station and the slave station. In this embodiment, the slave station identity data decryption module 306 may further verify the slave station by using a randomly generated master station random code sent by the master station before, so as to further increase the reliability and security of data transmission between the master station and the slave station.
In a specific embodiment, in order to improve the efficiency of identity verification between the master station and the slave station, the slave station identity data receiving module 305 is further configured to determine whether the slave station identity ciphertext data sent by the slave station is received within a first time threshold range, if not, generate the slave station processing timeout information, and if so, invoke the slave station identity data decrypting module 306.
In this embodiment, if the slave station identity data receiving module does not receive the slave station identity ciphertext data sent by the slave station within the first time threshold range, the slave station processing timeout information is generated, and related personnel can be reminded to perform processing through the information, so that the efficiency of identity verification between the master station and the slave station is ensured while the communication security is enhanced.
In a specific implementation manner, a master authority token may be further preset in the master station, when the master authority token is a first identifier, the master station has an authority to execute the data transmission system, and when the master authority token is a second identifier, the master station does not have the authority to execute the data transmission system, the data transmission system further includes a master authority modification module 308, and the master authority modification module 308 may be further invoked to set the master authority token as the first identifier while or before the master identity data generation module 301 generates master identity plaintext data.
Similarly, the master authority modification module 308 may be further invoked to set the master authority token to the second identifier at the same time as or before the master identity data transmission module 303 transmits the plaintext data of the master identity.
Similarly, the slave identity data receiving module 305 may further invoke the master authority modification module 308 to set the master authority token to the first identifier when receiving the slave identity ciphertext data.
In this embodiment, the master authority modification module 308 can modify the operation authority of the master station by modifying the master authority token, and it should be understood that, at the same time, only one of the master station and the slave station has the operation authority, and by modifying the authority token, the master station and the slave station can be prevented from processing the master station identity data and the slave station identity data at the same time, so that the synchronism of the data related to the identities in the master station and the slave station is ensured, and the identity identification process between the master station and the slave station is further ensured to be effectively performed.
In a specific embodiment, in order to continuously ensure the security of data transmission between a master station and a slave station, a master station identity data generating module 301, a master station identity data encrypting module 302, a master station identity data transmitting module 303, a master station identity data judging module 304, a slave station identity data receiving module 305, a slave station identity data decrypting module 306, a slave station identity data verifying module 307, and a master station permission modifying module 308 may be periodically called. And in a preset time range, such as 24 hours, 48 hours, etc., after the slave station identity data verification module 307 verifies that the identity verification of the slave station is successful for the first time, the data transmission permission of the slave station is opened, that is, the master station is allowed to receive the working data sent by the corresponding slave station and further process the working data sent by the slave station.
And in the later period, if the identity authentication of the slave station fails in the authentication process of the slave station identity authentication module, closing the data transmission permission of the slave station, namely forbidding the master station to receive and process the working data sent by the slave station.
It should be understood that in this embodiment the slave station identity data decryption module 306 may decrypt the slave station ciphertext data across a plurality of subsequent cycles, for example decrypting only 10 percent of the data in the second cycle, a further 20 percent in the third cycle and a further 20 percent in the fourth cycle; while this decryption is in progress, normal data processing between the master station and the slave station is still maintained. In one scenario, the slave station identity data verification module 307 verifies the decrypted slave station plaintext data only after the slave station identity data decryption module 306 has decrypted the whole slave station ciphertext data; in another scenario, the slave station identity data verification module 307 performs segment verification while the slave station identity data decryption module 306 is decrypting, for example verifying each 10 percent as soon as that 10 percent is decrypted. In the first scenario, if the slave station identity data verification module 307 fails to verify the whole plaintext data of the slave station, it is determined that the identity verification of the slave station fails; in the second scenario, as soon as the slave station identity data verification module 307 fails to verify a decrypted part of the plaintext data, it is determined that the identity verification of the slave station fails.
In this embodiment, after the slave station identity data verification module 307 successfully verifies the identity of the slave station for the first time, the data transmission permission of the slave station is opened, and after the data transmission permission of the slave station to the master station is opened, the slave station can continuously send the working data to the master station.
Example 4
The present embodiment provides a fieldbus-based identification system, which is applied to a slave station, and as shown in fig. 9, the identification system includes: a master station identity data receiving module 405, a master station identity data decrypting module 406, and a master station identity data determining module 304.
The master station identity data receiving module 405 is configured to receive master station identity ciphertext data sent by the master station.
The master station identity ciphertext data received by the master station identity data receiving module 405 is the data sent by the master station identity data sending module 303 in embodiment 3.
In a specific implementation manner, the master station identity data receiving module 405 may receive the master station identity ciphertext data sent by the master station multiple times, and the identity identification system may further include a master station identity data determining module 304 configured to determine whether the number of received copies that are inconsistent with the other copies reaches a first preset number of times; if so, master station identity error information is generated, and if not, the master station identity data decrypting module 406 is invoked. After generating the identity error information, the master station identity data receiving module 405 can use it to remind related personnel to check the network condition, so that identity verification between the master station and the slave station is not affected by network problems.
The first preset number of times may be set according to an actual situation, specifically, the first preset number of times may be set in proportion to the number of times that the master station identity data sending module 303 sends in embodiment 3, for example, the first preset number of times may be set to 1 to 0.7 × the number of times of the foregoing sending, where the coefficient 0.7 is merely used for illustration, and the coefficient may be arbitrarily selected according to an actual situation when specifically setting, such as 0.6, 0.8, 0.9, and the like.
In this embodiment, the master station identity data receiving module 405 receives master station identity ciphertext data for multiple times and determines whether the identity ciphertext data received for multiple times are consistent, so that failure of identity verification between the master station and the slave station due to network reasons is avoided, and the security of data communication between the master station and the slave station is further enhanced.
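The repeated-send consistency check of module 304 (the sends themselves are module 303 in embodiment 3, ten times in the page's example), as an added Python example that is not the patent's own code; choosing the most frequent copy as the reference that the others are compared with, and the sample copies, are assumptions.

```python
from collections import Counter
from typing import List, Optional, Tuple

SEND_COUNT = 10  # module 303 sends the identity ciphertext this many times (page example)


def inconsistency_threshold(send_count: int, coefficient: float = 0.7) -> int:
    """First preset number of times, set in proportion to the send count.

    The page gives the range 1 .. 0.7 x send_count; the coefficient is adjustable
    (0.6, 0.8, 0.9, ...). The result is never below one copy."""
    if not 0.0 < coefficient <= 1.0:
        raise ValueError("coefficient must lie in (0, 1]")
    return max(1, int(coefficient * send_count))


def check_received_copies(copies: List[bytes], send_count: int = SEND_COUNT,
                          coefficient: float = 0.7) -> Tuple[Optional[bytes], Optional[str]]:
    """Module 304 on the slave: compare the received copies with one another.

    Returns (ciphertext, None) when the copies agree closely enough for module 406
    to decrypt, or (None, error) when the inconsistent copies reach the threshold."""
    if not copies:
        return None, "master identity error: no identity ciphertext received"
    # Assumption: the most frequent copy is the reference the others are compared with.
    reference, _ = Counter(copies).most_common(1)[0]
    inconsistent = sum(1 for copy in copies if copy != reference)
    threshold = inconsistency_threshold(send_count, coefficient)
    if inconsistent >= threshold:
        return None, (f"master identity error: {inconsistent} of {len(copies)} copies "
                      f"disagree (threshold {threshold}); check the network")
    return reference, None


# Constructed sample copies (not real bus traffic): one identity ciphertext received 10 times.
GOOD = b"MA0B0C1DSE0F0G1H"
COPIES_OK = [GOOD] * 9 + [b"MA0B0C1DSE0F0G1X"]                 # one copy corrupted in transit
COPIES_BAD = [GOOD] * 3 + [bytes([b]) * 16 for b in b"abcdefg"]  # seven copies all differ

if __name__ == "__main__":
    print(check_received_copies(COPIES_OK))   # (GOOD, None)
    print(check_received_copies(COPIES_BAD))  # (None, error text)
```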
The master station identity data decryption module 406 is configured to decrypt the master station identity ciphertext data to obtain master station identity plaintext data.
The master station identity data decryption module 406 decrypts the master station identity ciphertext data by using a decryption method corresponding to the encryption method used by the master station identity data encryption module 302 in embodiment 3. If the master station identity data encryption module 302 rearranges the positions of the characters in the master station identity plaintext data by using the preset coding rule to generate the master station identity ciphertext data, the master station identity data decryption module 406 restores the positions of the characters in the master station identity ciphertext data by using the preset anti-coding rule corresponding to the preset coding rule to generate the master station identity plaintext data.
The master station identity plaintext data may refer to the master station identity plaintext data generated by the master station identity data generation module 301 in embodiment 3, which is not described herein again.
The master station identity data verification module 407 is configured to determine whether the master station identity plaintext data is consistent with preset master station identity data, determine that the master station identity verification is successful if the master station identity plaintext data is consistent with the preset master station identity data, and determine that the master station identity verification fails if the master station identity data is not consistent with the preset master station identity data.
In this embodiment, after the master station identity data verification module 407 determines that the master station identity verification is successful, the slave station may allow to receive and analyze the working data sent by the corresponding master station, in other words, the corresponding master station obtains the permission for data communication with the slave station.
In this embodiment, if the master station identity data decryption module 406 fails to decrypt the data successfully, or the master station identity data verification module 407 determines that the master station identity plaintext data is inconsistent with the preset master station identity data, the master station is considered to be an insecure master station, and communication between the master station and the slave stations is prohibited, and the master station identity data verification module 407 may further generate master station identity verification error information to prompt related personnel to process the master station identity verification error information.
Specifically, in this embodiment, when the target slave station identifier B02 is randomly generated data, the master station identity data verification module 407 may specifically determine whether the target master station identifier is consistent with preset master station identity data, if so, confirm that the master station identity verification is successful, and if not, confirm that the master station identity verification is failed.
When the target slave station identifier B02 is data agreed by the master station and the slave station, the master station identity data verification module 407 may specifically determine whether the target slave station identifier is consistent with the preset master station identity data while determining whether the target master station identifier is consistent with the preset slave station identity data; if both determination results are yes, it is determined that the master station identity verification is successful, and if either determination result is no, it is determined that the master station identity verification has failed.
In this embodiment, the master station identity data verification module 407 may verify the master station only by using the decrypted target master station identifier, so that the security of data transmission between the master station and the slave station is enhanced while the verification speed is increased. In this embodiment, the master station identity data verification module 407 may further verify the master station through the target slave station identifier obtained after decryption, so as to further improve the security of data transmission between the master station and the slave station.
Since data communication is a mutual process, in a specific embodiment, the slave station may generate the slave station identity ciphertext data for the master station to authenticate the slave station, and specifically, the identity recognition system may further include: the system comprises a slave station identity data generation module 401, a slave station identity data encryption module 402 and a slave station identity data sending module 403, wherein the master station identity data verification module 407 is further configured to call the slave station identity data generation module 401 after the master station identity verification is successful.
The slave station identity data generating module 401 is configured to generate slave station identity plaintext data.
The identity plaintext data of the slave station is data different from other data (referred to as working data for short), and the identity plaintext data of the slave station is independent data which is extracted independently and used for the master station to authenticate the identity of the slave station.
The slave station identity plaintext data has multiple implementation manners, and the specific implementation manner may refer to the implementation manner of the master station plaintext data in embodiment 3, which is not described herein again.
To facilitate description of the present embodiment, a manner in which the slave identity plaintext data includes the target master station identifier, the target slave station identifier, and the master station random code is described as an example, specifically, in the present embodiment, the slave identity data generation module 401 generates the slave identity plaintext data from the target master station identifier received from the master station, the target slave station identifier, and the master station random code received from the master station.
In a specific implementation manner, when the target slave identifier in the master station identity plaintext data generated by the master station identity data generation module 301 in embodiment 3 is a target slave identifier agreed with the slave station in advance, the slave station identity data generation module 401 may generate slave station identity plaintext data according to the target slave identifier received from the master station.
In another specific implementation manner, when the target slave station identifier in the master station identity plaintext data generated by the master station identity data generation module 301 in embodiment 3 is a target slave station identifier generated at random, the slave station identity data generation module 401 updates the target slave station identifier by using the own identifier of the slave station, and generates slave station identity plaintext data according to the updated target slave station identifier.
In this embodiment, according to the difference of the encrypted master station identity plaintext data sent by the master station identity data sending module 303, multiple implementations of the slave station identity plaintext data are provided, which can be selected according to actual conditions in actual operations.
In this embodiment, the slave station identity data generation module 401 can generate the slave station plaintext data for verifying the identity of the slave station under the condition that the master station identity data generation module 301 randomly generates the target slave station identifier and generates the target slave station identifier according to the pre-agreed rule, so that the applicability of the identity recognition system in this embodiment is improved, and the security of data transmission between the master station and the slave station is improved.
The slave station identity data encryption module 402 is configured to encrypt the slave station identity plaintext data to generate slave station identity ciphertext data, where the manner in which the slave station identity data encryption module 402 encrypts the slave station identity plaintext data may refer to the manner in which the master station identity data encryption module 302 encrypts the master station identity plaintext data in embodiment 3, and details are not repeated here.
The slave station identity data sending module 403 is configured to send the slave station identity ciphertext data to the master station, where the manner in which the slave station identity data sending module 403 sends the slave station identity ciphertext data may refer to the manner in which the master station identity data sending module 303 sends the master station identity ciphertext data in embodiment 3, and details are omitted here.
In a specific embodiment, the slave station may further have a slave station permission token preset therein; when the slave station permission token is the second identifier, the slave station has the permission to execute the identity recognition system, and when the slave station permission token is the first identifier, the slave station does not have the permission to execute the identity recognition system. The identity recognition system further includes a slave station permission modification module 408.
The slave station identity data generation module 401 is further configured to invoke the slave station permission modification module 408 to set the slave station permission token to the second identifier, and likewise the slave station identity data sending module 403 is further configured to invoke the slave station permission modification module 408 to set the slave station permission token to the first identifier.
In this embodiment, the slave station permission modification module 408 can change the operation permission of the slave station by changing the slave station permission token. It should be understood that only one of the master station and the slave station holds the operation permission at any given time; by changing the permission tokens, the master station and the slave station are prevented from processing the master station identity data and the slave station identity data simultaneously, which keeps the identity-related data in the master station and the slave station synchronised and further ensures that the identity recognition process between the master station and the slave station can be carried out effectively.
In a specific embodiment, in order to ensure the security of data transmission between the master station and the slave station, the slave station identity data generation module 401, the slave station identity data encryption module 402, the slave station identity data sending module 403, the slave station identity data judging module 404, the master station identity data receiving module 405, the master station identity data decryption module 406, the master station identity data verification module 407 and the slave station permission modification module 408 may be called periodically. Within a preset time range, such as 24 hours or 48 hours, once the master station identity data verification module 407 confirms for the first time during verification that the identity verification of the master station has succeeded, it opens the data transmission permission of the master station, that is, it allows the slave station to receive the working data sent by the corresponding master station and to further process that working data.
When the master station identity data verification module 407 is called for verification in a subsequent period and the identity verification of the master station fails, the data transmission permission of the slave station is closed, that is, the slave station is prohibited from receiving and processing the working data sent by the master station.
It should be understood that in this embodiment the master station ciphertext data may be decrypted across multiple subsequent periods, for example decrypting only 10 percent of the master station ciphertext data in the second period, 20 percent in the third period, 20 percent in the fourth period, and so on, while normal data processing between the master station and the slave station continues during decryption. In one scenario, the master station identity data verification module 407 verifies the decrypted master station plaintext data only after the master station identity data decryption module 406 has decrypted the master station ciphertext data in its entirety; in another scenario, it verifies segment by segment while the master station identity data decryption module 406 is still decrypting, for example verifying each 10 percent of the master station ciphertext data as soon as that 10 percent has been decrypted. In the first scenario, the master station identity data verification module 407 treats the identity verification of the master station as failed if the verification of the whole master station plaintext data fails; in the second scenario, it treats the identity verification of the master station as failed as soon as the verification of a decrypted segment fails.
In this embodiment, after the slave station successfully authenticates the master station for the first time, the master station may continuously transmit the working data to the slave station; during this period, only when the slave station fails to authenticate the master station in a subsequent period does the slave station close the data transmission permission of the master station.
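The mutual identity exchange described in embodiments 3 and 4, as an added example that is not code from the patent or its applicant: the master builds identity plaintext (target master identifier, target slave identifier, random code), rearranges character positions with a preset coding rule, and the slave restores the positions, checks the identifiers, replaces a randomly generated target slave identifier with its own, echoes the random code back, and both sides set and release their permission tokens around their own steps. The identifiers, the field layout, the 16-position permutation and the random-code length are all constructed for the example.

```python
# Added example (not code from the patent or its applicant): simulation of the
# master/slave identity exchange of embodiments 3 and 4. All identifiers, the
# field layout and the permutation below are constructed for the example.
import secrets

MASTER_ID_LEN, SLAVE_ID_LEN, RANDOM_LEN = 4, 4, 8
MSG_LEN = MASTER_ID_LEN + SLAVE_ID_LEN + RANDOM_LEN  # 16 characters

# Constructed preset coding rule: output position j holds input position CODING_RULE[j].
CODING_RULE = [13, 4, 9, 0, 15, 7, 2, 11, 5, 14, 1, 8, 12, 3, 10, 6]
# Preset anti-coding rule: the inverse permutation, used by the receiver.
ANTI_CODING_RULE = [CODING_RULE.index(i) for i in range(MSG_LEN)]

FIRST_IDENTIFIER, SECOND_IDENTIFIER = "first", "second"


def encode(plaintext):
    """Rearrange character positions; the characters themselves are unchanged."""
    assert len(plaintext) == MSG_LEN
    return "".join(plaintext[i] for i in CODING_RULE)


def decode(ciphertext):
    """Restore every character to its original position."""
    assert len(ciphertext) == MSG_LEN
    return "".join(ciphertext[j] for j in ANTI_CODING_RULE)


def split_fields(plaintext):
    a, b = MASTER_ID_LEN, MASTER_ID_LEN + SLAVE_ID_LEN
    return plaintext[:a], plaintext[a:b], plaintext[b:]


class MasterStation:
    """Builds identity plaintext, encodes it, and later checks the slave's reply."""

    def __init__(self, own_id, preset_slave_id, random_slave_id=False):
        self.own_id = own_id
        self.preset_slave_id = preset_slave_id
        self.random_slave_id = random_slave_id
        self.permission_token = SECOND_IDENTIFIER  # master may act only while "first"
        self.sent_random_code = None

    def send_identity(self):
        self.permission_token = FIRST_IDENTIFIER   # take the permission before generating
        self.sent_random_code = secrets.token_hex(RANDOM_LEN // 2)
        target_slave = (secrets.token_hex(SLAVE_ID_LEN // 2)
                        if self.random_slave_id else self.preset_slave_id)
        ciphertext = encode(self.own_id + target_slave + self.sent_random_code)
        self.permission_token = SECOND_IDENTIFIER  # release it after sending
        return ciphertext

    def verify_slave(self, reply_ciphertext):
        master_id, slave_id, code = split_fields(decode(reply_ciphertext))
        # Master identifier, slave identifier and the echoed random code must all match.
        return (master_id == self.own_id
                and slave_id == self.preset_slave_id
                and code == self.sent_random_code)


class SlaveStation:
    """Verifies the master's plaintext and answers with its own."""

    def __init__(self, own_id, preset_master_id, slave_id_agreed=True):
        self.own_id = own_id
        self.preset_master_id = preset_master_id
        self.slave_id_agreed = slave_id_agreed
        self.permission_token = FIRST_IDENTIFIER    # slave may act only while "second"

    def verify_master_and_reply(self, ciphertext):
        """Returns the reply ciphertext, or None when the master fails verification."""
        master_id, target_slave_id, code = split_fields(decode(ciphertext))
        if master_id != self.preset_master_id:
            return None
        if self.slave_id_agreed and target_slave_id != self.own_id:
            return None          # a pre-agreed target slave identifier must match
        self.permission_token = SECOND_IDENTIFIER
        # A randomly generated target slave identifier is replaced by the slave's own.
        reply = encode(master_id + self.own_id + code)
        self.permission_token = FIRST_IDENTIFIER
        return reply


def run_exchange(random_slave_id=False):
    """One full round trip; returns (slave_verified_master, master_verified_slave)."""
    master = MasterStation("M001", "S007", random_slave_id=random_slave_id)
    slave = SlaveStation("S007", "M001", slave_id_agreed=not random_slave_id)
    reply = slave.verify_master_and_reply(master.send_identity())
    if reply is None:
        return (False, False)
    return (True, master.verify_slave(reply))


def stale_reply_rejected():
    """The random code changes every period, so a reply from an earlier period
    does not verify in the next one."""
    master = MasterStation("M001", "S007")
    slave = SlaveStation("S007", "M001")
    old_reply = slave.verify_master_and_reply(master.send_identity())
    master.send_identity()                      # new period, new random code
    return not master.verify_slave(old_reply)
```

The position rearrangement is a fixed transposition: it hides the field layout from a casual reader but, like any unkeyed transposition, gives neither confidentiality nor integrity against someone who can observe or alter bus traffic, so a deployment would normally pair the identifiers and random code with a keyed MAC or an authenticated cipher. The per-period random code is what gives the slave's reply freshness, which `stale_reply_rejected` checks.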
Example 5
An embodiment of the present invention provides an electronic device, which may be represented in a form of a computing device (for example, may be a server device), and includes a memory, a processor, and a computer program stored in the memory and running on the processor, where when the processor executes the computer program, the fieldbus-based data transmission method in embodiment 1 or the fieldbus-based identity recognition method in embodiment 2 of the present invention may be implemented.
Fig. 10 shows a schematic diagram of a hardware structure of the present embodiment, and as shown in fig. 10, the electronic device 9 specifically includes:
at least one processor 91, at least one memory 92, and a bus 93 for connecting the various system components (including the processor 91 and the memory 92), wherein:
the bus 93 includes a data bus, an address bus, and a control bus.
Memory 92 includes volatile memory, such as Random Access Memory (RAM)921 and/or cache memory 922, and can further include Read Only Memory (ROM) 923.
Memory 92 also includes a program/utility 925 having a set (at least one) of program modules 924, such program modules 924 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The processor 91 executes various functional applications and data processing, such as a fieldbus based data transmission method in embodiment 1 or a fieldbus based identification method in embodiment 2 of the present invention, by executing a computer program stored in the memory 92.
The electronic device 9 may further communicate with one or more external devices 94 (e.g., a keyboard, a pointing device, etc.). Such communication may be through an input/output (I/O) interface 95. Also, the electronic device 9 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 96. The network adapter 96 communicates with the other modules of the electronic device 9 via the bus 93. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 9, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID (disk array) systems, tape drives, and data backup storage systems, etc.
It should be noted that although several units/modules or sub-units/modules of the electronic device are mentioned in the above detailed description, such a division is merely exemplary and not mandatory. Indeed, according to embodiments of the application, the features and functions of two or more of the units/modules described above may be embodied in a single unit/module. Conversely, the features and functions of one unit/module described above may be further divided so as to be embodied by a plurality of units/modules.
Example 6
An embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the fieldbus-based data transmission method in embodiment 1 or the fieldbus-based identity recognition method in embodiment 2 of the present invention.
More specific examples of the readable storage medium that may be employed include, but are not limited to: a portable disk, a hard disk, a random access memory, a read-only memory, an erasable programmable read-only memory, an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
In a possible embodiment, the invention can also be implemented in the form of a program product, which comprises program code means for causing a terminal device to carry out the steps of implementing the method for data transmission based on a field bus according to embodiment 1 or the method for identification based on a field bus according to embodiment 2 of the invention, when the program product is run on the terminal device.
Where program code for carrying out the invention is written in any combination of one or more programming languages, the program code may be executed entirely on the user device, partly on the user device, as a stand-alone software package, partly on the user device and partly on a remote device or entirely on the remote device.
While specific embodiments of the invention have been described above, it will be appreciated by those skilled in the art that this is by way of example only, and that the scope of the invention is defined by the appended claims. Various changes and modifications to these embodiments may be made by those skilled in the art without departing from the spirit and scope of the invention, and these changes and modifications are within the scope of the invention.

Claims (17)

1. A data transmission method based on a field bus, characterized in that the data transmission method is applied to a master station and comprises the following steps:
generating plaintext data of the identity of the master station;
encrypting the master station identity plaintext data to generate master station identity ciphertext data, wherein the master station identity ciphertext data is used for a slave station to perform identity verification on the master station;
and sending the master station identity ciphertext data to the slave station.
2. The fieldbus-based data transmission method of claim 1, wherein the master station identity plaintext data comprises a target master station identifier.
3. The fieldbus-based data transmission method of claim 2, wherein the step of sending the master station identity cryptogram data to the slave station further comprises:
receiving slave station identity ciphertext data sent by the slave station;
decrypting the slave station identity ciphertext data to generate slave station identity plaintext data;
judging whether the identity plaintext data of the slave station conforms to preset slave station plaintext data or not, and if so, confirming that the identity verification of the slave station is successful;
the master station identity plaintext data comprises a master station random code, the slave station identity plaintext data comprises a target master station identifier and the master station random code, and the preset slave station plaintext data comprises a preset master station identifier and the target master station identifier sent in the step of sending the master station identity ciphertext data to the slave station;
and when the target master station identifier is consistent with a preset master station identifier and the master station random code is consistent with the target master station identifier sent in the step of sending the master station identity ciphertext data to the slave station, judging that the slave station identity plaintext data is consistent with preset slave station plaintext data.
4. The fieldbus-based data transmission method of claim 3, wherein the master identity plaintext data further comprises a target slave station identifier, and the preset slave station plaintext data further comprises a preset slave station identifier;
the step of judging that the plaintext data of the identity of the slave station conforms to the plaintext data of the preset slave station further comprises the following steps: the target slave station identifier corresponds to the preset slave station identifier.
5. The fieldbus-based data transmission method of claim 4, wherein the target slave station identifier is also used by the slave station to authenticate the master station;
and/or,
the step of generating the master station identity plaintext data further comprises the following step: randomly generating a target slave station identifier, wherein the target slave station identifier updated in the slave station is used by the master station to authenticate the slave station;
and/or,
the step of sending the master station identity ciphertext data to the slave station is executed multiple times.
6. The fieldbus-based data transmission method of claim 3, wherein the step of receiving the slave station identity ciphertext data sent by the slave station comprises: receiving the slave station identity ciphertext data sent by the slave station multiple times, counting the number of times the data received multiple times is inconsistent, judging whether the number is greater than a first preset number of times, if so, generating slave station identity error information, and if not, executing the step of decrypting the slave station identity ciphertext data to obtain slave station identity plaintext data;
and/or,
the step of receiving the slave station identity ciphertext data sent by the slave station comprises:
judging whether the slave station identity ciphertext data sent by the slave station is received within a first time threshold range, if not, generating slave station processing timeout information, and if so, decrypting the slave station identity ciphertext data to generate slave station identity plaintext data;
and/or,
after the identity verification of the slave station has been determined to be successful for the first time, if the step of judging whether the slave station identity plaintext data conforms to the preset slave station identity data is performed again and the judgment result is negative, the identity verification of the slave station is determined to have failed.
7. The fieldbus-based data transmission method according to any one of claims 1 to 6, wherein
the steps of generating master station identity plaintext data, encrypting the master station identity plaintext data to generate master station identity ciphertext data and sending the master station identity ciphertext data to the slave station are executed periodically;
and/or,
in the step of encrypting the master station identity plaintext data to generate master station identity ciphertext data, the positions of the characters in the master station identity plaintext data are rearranged according to a preset coding rule to generate the master station identity ciphertext data;
and/or,
the master station comprises a master station permission token; when the master station permission token is a first identifier, the master station has the permission to execute the data transmission method, and when the master station permission token is a second identifier, the master station does not have the permission to execute the data transmission method;
the step of generating the master station identity plaintext data further comprises the following step: setting the master station permission token to the first identifier;
after the step of sending the master station identity ciphertext data to the slave station, the method further comprises the following step: setting the master station permission token to the second identifier.
8. An identity recognition method based on a field bus is applied to a slave station, and comprises the following steps:
receiving master station identity ciphertext data sent by a master station;
decrypting the master station identity ciphertext data to obtain master station identity plaintext data;
and judging whether the plaintext data of the master station identity is consistent with preset master station identity data, and if so, confirming that the identity verification of the master station is successful.
9. The fieldbus-based identity recognition method of claim 8, wherein the plaintext data of master identity comprises an identifier of a target master, the plaintext data of preset master identity comprises a preset master identifier, and when the plaintext data of master identity matches the preset master identity data, it is determined that the identifier of the target master matches the preset master identifier.
10. The fieldbus-based identity recognition method of claim 9, wherein the master station identity plaintext data further includes a master station random code, the master station random code is used by the master station to authenticate the slave station, and the step of confirming that the identity verification of the master station is successful further comprises:
generating slave station identity plaintext data according to the target master station identifier and the master station random code, wherein the slave station identity plaintext data is used for the master station to perform identity verification on the slave station;
encrypting the slave station identity plaintext data to generate slave station identity ciphertext data;
and sending the identity ciphertext data of the slave station to the master station.
11. The fieldbus-based identity recognition method of claim 10, wherein the master station identity plaintext data further comprises a target slave station identifier, and the step of generating the slave station identity plaintext data from the target master station identifier and the master station random code comprises: and generating slave station identity plaintext data according to the target master station identifier, the target slave station identifier and the master station random code.
12. The fieldbus-based identity recognition method of claim 11, wherein the preset slave station identity data further comprises a preset slave station identifier, and the step of judging that the target master station identifier matches the preset master station identifier further comprises:
judging that the target slave station identifier is consistent with the preset slave station identifier;
and/or,
before the step of generating the slave station identity plaintext data, the method further comprises the step of updating the target slave station identifier according to the identifier of the slave station, wherein the updated target slave station identifier is used by the master station to authenticate the slave station identity;
and/or,
the step of receiving master station identity ciphertext data sent by the master station comprises the following steps: receiving the master station identity ciphertext data sent by the master station multiple times, judging whether any of the data received multiple times is inconsistent with the others, if so, generating master station identity error information, and if not, executing the step of decrypting the master station identity ciphertext data to obtain master station identity plaintext data.
13. The fieldbus-based identity recognition method of claim 10, wherein
the step of sending the slave station identity ciphertext data to the master station comprises: sending the slave station identity ciphertext data to the master station multiple times;
and/or,
the step of sending the slave station identity ciphertext data to the master station comprises the following step:
judging whether master station identity ciphertext data sent by the master station is received within a second time threshold range, and if not, generating master station processing timeout information;
and/or,
the steps of generating slave station identity plaintext data, encrypting the slave station identity plaintext data to generate slave station identity ciphertext data and sending the slave station identity ciphertext data to the master station are executed periodically.
14. The fieldbus-based identity recognition method according to any one of claims 8 to 13, wherein the steps of receiving master station identity ciphertext data sent by the master station, decrypting the master station identity ciphertext data to obtain master station identity plaintext data, and judging whether the master station identity plaintext data is consistent with the preset master station identity data are executed periodically; after the identity verification of the master station is determined to be successful for the first time, the working data sent by the master station is allowed to be received and processed, and if the step of judging whether the master station identity plaintext data is consistent with the preset master station identity data is performed again after that and the judgment result is negative, the identity verification of the master station is determined to have failed;
and/or,
in the step of decrypting the master station identity ciphertext data, the position of each character in the master station identity ciphertext data is restored according to a preset anti-coding rule corresponding to the preset coding rule, to generate the master station identity plaintext data;
and/or,
the slave station comprises a slave station permission token; when the slave station permission token is a second identifier, the slave station has the permission to execute the identity recognition method, and when the slave station permission token is a first identifier, the slave station does not have the permission to execute the identity recognition method;
the step of generating the slave station identity plaintext data further comprises the following step: setting the slave station permission token to the second identifier;
after the step of sending the slave station identity ciphertext data to the master station, the method further comprises the following step: setting the slave station permission token to the first identifier.
15. A data transmission system based on a field bus, wherein the data transmission system is applied in a master station, and the data transmission system comprises: the system comprises a master station identity data generation module, a master station identity data encryption module and a master station identity data sending module;
the master station identity data generation module is used for generating master station identity plaintext data;
the master station identity data encryption module is used for encrypting the master station identity plaintext data to generate master station identity ciphertext data, and the master station identity ciphertext data is used for a slave station to perform identity verification on the master station;
and the master station identity data sending module is used for sending the master station identity ciphertext data to the slave station.
16. An identity recognition system based on a field bus, wherein the identity recognition system is applied to a slave station, and the identity recognition system comprises: the system comprises a master station identity data receiving module, a master station identity data decrypting module and a master station identity data judging module;
the master station identity data receiving module is used for receiving master station identity ciphertext data sent by the master station;
the master station identity data decryption module is used for decrypting the master station identity ciphertext data to obtain master station identity plaintext data;
the master station identity data verification module is used for judging whether the master station identity plaintext data is consistent with preset master station identity data or not, and if yes, the master station identity data verification module confirms that the master station identity verification is successful.
17. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the data transmission method according to any one of claims 1 to 7 and the identification method according to any one of claims 8 to 14.
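The periodic verification of claims 6, 7 and 14, as an added example that is not code from the patent or its applicant: the slave receives each period's ciphertext several times, counts the copies that disagree with the majority and raises identity error information when the count exceeds the first preset number of times, and keeps a data-transmission gate that opens on the first successful verification and closes on any later failure. The decrypt-and-compare step is supplied by the caller as a callback, and the mismatch threshold, the sample ciphertexts and the sequence of periods are constructed for the example; whether the gate reopens after a later success is not stated on the page, so this example keeps it closed (an assumption).

```python
# Added example (not code from the patent or its applicant): the periodic
# verification loop on the slave side as a small state machine. The callback,
# the threshold and the cycles in demo() are constructed for the example.
from collections import Counter


def pick_consistent_copy(copies, first_preset_times):
    """The same ciphertext is received several times; copies that disagree with
    the majority are counted and, when the count exceeds the preset number,
    identity error information is generated (returned here as None)."""
    majority, _ = Counter(copies).most_common(1)[0]
    mismatches = sum(1 for c in copies if c != majority)
    return None if mismatches > first_preset_times else majority


class SlaveTransmissionGate:
    """Working data from the master is accepted only after the first successful
    verification and is refused again after any later failure. Assumption: the
    gate does not reopen once closed (the page does not say either way)."""

    def __init__(self, verify_master, first_preset_times=1):
        self.verify_master = verify_master      # decrypt-and-compare, supplied by caller
        self.first_preset_times = first_preset_times
        self.verified_once = False
        self.transmission_allowed = False
        self.log = []                           # (verdict, gate state) per period

    def cycle(self, copies):
        """Process one period's received copies; returns whether working data is allowed."""
        chosen = pick_consistent_copy(copies, self.first_preset_times)
        if chosen is None:
            ok, verdict = False, "identity error (inconsistent copies)"
        else:
            ok = self.verify_master(chosen)
            verdict = "verified" if ok else "verification failed"
        if ok and not self.verified_once:
            self.verified_once = True           # first success opens the gate
            self.transmission_allowed = True
        elif not ok and self.verified_once:
            self.transmission_allowed = False   # any later failure closes it
        self.log.append((verdict, self.transmission_allowed))
        return self.transmission_allowed

    def accept_working_data(self, payload):
        """Working data is processed only while the permission is open."""
        return payload if self.transmission_allowed else None


def demo():
    """Constructed sequence of four periods; returns the gate state after each."""
    expected = "GOODCIPHER"
    gate = SlaveTransmissionGate(lambda c: c == expected, first_preset_times=1)
    cycles = [
        ["GOODCIPHER", "GOODCIPHER", "GOODCIPHER"],   # first success: gate opens
        ["GOODCIPHER", "G00DCIPHER", "GOODCIPHER"],   # one corrupted copy: tolerated
        ["GOODCIPHER", "G00DCIPHER", "GOODC1PHER"],   # two disagree: error, gate closes
        ["GOODCIPHER", "GOODCIPHER", "GOODCIPHER"],   # stays closed (assumption above)
    ]
    return [gate.cycle(c) for c in cycles], gate.log
```

The majority vote over repeated copies is what claims 6 and 12 describe as counting inconsistent receptions; on a noisy bus it tolerates a single corrupted copy per period, while a period whose copies mostly disagree is treated as an identity error rather than silently picking one of them.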

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202011342897.8A CN112468493A (en) 2020-11-25 2020-11-25 Data transmission method, identity recognition method and system based on field bus
PCT/CN2021/094641 WO2022110688A1 (en) 2020-11-25 2021-05-19 Field bus-based data transmission method and system, and field bus-based identity verification method and system


Publications (1)

Publication Number Publication Date
CN112468493A true CN112468493A (en) 2021-03-09

Family

ID=74809677

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011342897.8A Pending CN112468493A (en) 2020-11-25 2020-11-25 Data transmission method, identity recognition method and system based on field bus

Country Status (2)

Country Link
CN (1) CN112468493A (en)
WO (1) WO2022110688A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022110688A1 (en) * 2020-11-25 2022-06-02 上海电气风电集团股份有限公司 Field bus-based data transmission method and system, and field bus-based identity verification method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1925392A (en) * 2006-09-08 2007-03-07 四川长虹电器股份有限公司 Method for identification of equipment validity
CN105610837A (en) * 2015-12-31 2016-05-25 上海交通大学 Method and system for identity authentication between master station and slave station in SCADA (Supervisory Control and Data Acquisition) system
CN110300108A (en) * 2019-06-26 2019-10-01 国网山东省电力公司临朐县供电公司 Power distribution automation message encryption transmission method, system, terminal and storage medium
CN110971610A (en) * 2019-12-12 2020-04-07 广东电网有限责任公司电力调度控制中心 Control system identity verification method and device, computer equipment and storage medium
CN110995729A (en) * 2019-12-12 2020-04-10 广东电网有限责任公司电力调度控制中心 Control system communication method and device based on asymmetric encryption, and computer equipment
WO2020192773A1 (en) * 2019-03-27 2020-10-01 深圳市网心科技有限公司 Digital identity authentication method, device, apparatus and system, and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102010038323B4 (en) * 2010-07-23 2014-09-04 Siemens Aktiengesellschaft Device identification procedure for a slave within a fieldbus system designed according to the AS-Interface standard
CN106790173B (en) * 2016-12-29 2019-10-18 浙江中控技术股份有限公司 Method and system for bidirectional identity authentication between a SCADA system and its RTU controller
CN112311553B (en) * 2020-08-24 2022-11-08 山东卓文信息科技有限公司 Equipment authentication method based on challenge response
CN112468493A (en) * 2020-11-25 2021-03-09 上海电气风电集团股份有限公司 Data transmission method, identity recognition method and system based on field bus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wang Lei et al., Beijing Institute of Technology Press *


Also Published As

Publication number Publication date
WO2022110688A1 (en) 2022-06-02


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210309