CN112565260B - Uplink and downlink data security isolation system and method based on edge computing gateway - Google Patents


Info

Publication number
CN112565260B
Authority
CN
China
Prior art keywords
equipment
data
request
user
sdk
Prior art date
Legal status
Active
Application number
CN202011410021.2A
Other languages
Chinese (zh)
Other versions
CN112565260A (en)
Inventor
周显敬
刘虎
沈人杰
程莎锋
Current Assignee
Wuhan Zhuoer Information Technology Co ltd
Original Assignee
Wuhan Zhuoer Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Wuhan Zhuoer Information Technology Co ltd
Priority to CN202011410021.2A
Publication of CN112565260A
Application granted
Publication of CN112565260B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/26 Special purpose or proprietary protocols or architectures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses an uplink and downlink data security isolation system and method based on an edge computing gateway. The invention isolates uplink and downlink data on the basis of identity, controls authority through a private encryption channel, and, by exposing the gateway in the form of an interface, simplifies device access, simplifies application development and reduces system complexity.

Description

Uplink and downlink data security isolation system and method based on edge computing gateway
Technical Field
The invention belongs to the technical field of industrial internet data security, and particularly relates to an uplink and downlink data security isolation system and method based on an edge computing gateway.
Background
The industrial internet, as the product of deep integration of new-generation information technology with manufacturing, is increasingly becoming a key support for new industrialization. Breakthroughs in the core technologies of the industrial internet have driven the innovative development of industrial internet platforms. Edge computing is an important component of such platforms and carries a series of important functions and innovations, from device connection to edge intelligence. Using edge computing technology, the edge computing gateway performs local computation and analysis close to the data source and thereby achieves better real-time performance.
In the prior art, traditional communication methods are still used among the application system, the edge computing gateway and the data source devices, with low interaction efficiency and high potential security risk. The defects are as follows:
in the field of architecture, enterprises differ in their traditional strengths, technology stacks and overall architectures; the interconnection and interoperability between current edge computing software products is weak, and modules such as data acquisition, protocol conversion, industrial mechanism models and intelligent algorithms are difficult to reuse. When facing different field environments, organizing the data is difficult, adaptation is difficult, developing the implementation architecture is difficult, and industrial application and popularization are hard to put into practice;
in the area of secure communication, the prior art mostly adopts a traditional SSL/PKI-based key exchange mechanism: after the negotiated key is exchanged, public-key encryption and private-key decryption ensure confidentiality during data transmission. However, authentication of the user and encryption of the data communication cannot be effectively combined;
in the area of data isolation, the prior art rarely provides an effective uplink and downlink data isolation method for industrial environments, and security risks on the data plane remain with respect to preventing the intrusion of malicious instructions, the mistaken issuing of unauthorized instructions and access interference from unknown devices.
Disclosure of Invention
In view of this, the present invention provides a method for securely isolating uplink and downlink data based on an edge computing gateway, which solves the problems that uplink and downlink data cannot be effectively isolated and that authentication and communication encryption of the data cannot be effectively combined.
By performing security isolation and identity verification on the uplink and downlink data sources and applications of an industrial field, the method prevents industrial control system faults or even paralysis caused by the intrusion of malicious instructions, the issuing of unauthorized instructions, data input interference from unknown devices and other causes, and ensures the normal operation of the industrial control system.
The invention discloses an uplink and downlink data security isolation system based on an edge computing gateway, comprising a special private protocol SDK, a user access security control module, an uplink and downlink data isolation exchange module and a device access security control module;
special private protocol SDK: used to provide an external interface for the edge computing gateway using a special private protocol, to establish a private encryption channel based on authority control, and to realize encrypted communication between the edge computing gateway and the application layer and device layer;
user access security control module: used to construct the application system data access/operation security policy of the edge computing gateway; to issue requests that pass authentication under that policy to the uplink and downlink data isolation exchange module; and to receive data reported by the uplink and downlink data isolation exchange module and report device state data to the special private protocol SDK;
uplink and downlink data isolation exchange module: used to construct a device uplink data channel and a device downlink data channel for each device that has passed identity authentication at the device access security control module; to receive an issuing request from the user access security control module, index the device downlink data channel and directionally issue the request to the device access security control module; and to receive directional data reports from the device access security control module, index the device uplink data channel and report the data to the user access security control module;
device access security control module: used to construct the data source device access security policy of the edge computing gateway; to receive directional issuing requests from the uplink and downlink data isolation exchange module and send device commands to the special private protocol SDK; and to receive device state reports fed back by the special private protocol SDK and make directional data reports to the uplink and downlink data isolation exchange module.
Preferably, in the user access security control module, the application system data access/operation security policy of the edge computing gateway includes: establishing a user authority control database and constructing a registered user list, the registered user list comprising the users authorized for each device and the corresponding authority of each authorized user; and, in response to the application layer sending a data access/operation request to the edge computing microservice through the special private protocol SDK, verifying the authorization information of the request;
in the device access security control module, the data source device access security policy of the edge computing gateway includes: establishing a data source device authentication information database and constructing a registered device list, the registered device list comprising the registered devices and the unique identifier of each device; and, in response to an authentication request sent by the device layer through the special private protocol SDK, performing identity authentication on the device.
Preferably, the special private protocol SDK includes a device side SDK and a user side SDK, where the device side SDK is configured to establish a private encryption channel based on authority control, so as to implement encrypted communication between a device access security control module of the edge computing gateway and a device in the device layer; and the SDK at the user end is used for establishing a private encryption channel based on authority control to realize the encryption communication between the user access security control module of the edge computing gateway and the application system of the application layer.
Preferably, when the application system issues industrial downlink data, the edge computing gateway forwards the downlink data to the corresponding device through the device downlink data channel:
when the user side SDK receives an industrial control issuing command from an application system in the user layer, it establishes communication with the user access security control module through the private encryption channel based on authority control; the user access security control module performs data access/operation authentication on the user and, if the user request passes authorization, issues the request to the uplink and downlink data isolation exchange module; the uplink and downlink data isolation exchange module indexes the device downlink data channel and directionally issues the request to the device access security control module; and the device access security control module sends the device command through the device side SDK to the corresponding device in the device layer.
Preferably, when the application system subscribes to industrial uplink data, the edge computing gateway notifies the corresponding device to report data through the device downlink data channel, and directionally forwards the uplink data to the corresponding application system through the device uplink data channel;
directionally forwarding the uplink data to the corresponding application system through the device uplink data channel specifically includes: the device side SDK receives the device state report from the device layer and forwards it to the device access security control module; the device access security control module makes a directional data report to the uplink and downlink data isolation exchange module; the uplink and downlink data isolation exchange module indexes the device uplink data channel and reports the data to the user access security control module; and the user access security control module reports the device state data to the corresponding application system through the user side SDK.
Preferably, the specific way in which the device side SDK implements encrypted communication between the device access security control module of the edge computing gateway and a device in the device layer is as follows:
the device side SDK receives a device access request sent by a device of the device layer through the adapter, and randomly generates an SM2 key pair;
the device access security control module receives the public key of the SM2 key pair sent by the device side SDK, establishes a session and generates an SM9 master key pair;
the SM9 master key pair is encrypted with the public key of the SM2 key pair to obtain an SM9 master key pair ciphertext, which is sent to the device side SDK;
a device request ciphertext sent by the device side SDK is received, the corresponding session is indexed, and the device request ciphertext is decrypted using the private key of the SM9 master key pair and the resource unique identifier corresponding to the device request; the device request ciphertext is obtained by the device side SDK encrypting the device request with the public key of the SM9 master key pair and the resource unique identifier corresponding to the device request;
after the corresponding session has been indexed according to the session ID, the device request ciphertext is decrypted using the private key of the SM9 master key pair and the resource unique identifier corresponding to the device request;
the device is authenticated using the device unique identifier and the resource unique identifier corresponding to the device request together with the decrypted device request and the registered device list, and the authority of the device request is verified; if the device request is not authorized, "operation unauthorized" is returned directly as the request result; if the device request passes authorization, the device request is executed.
Preferably, the specific way in which the user side SDK implements encrypted communication between the user access security control module of the edge computing gateway and an application system in the application layer is as follows:
when the user side SDK receives an industrial control issuing instruction or an industrial device state subscription from an application system in the user layer, it randomly generates an SM2 key pair;
the user access security control module receives the public key of the SM2 key pair sent by the user side SDK, establishes a session and generates an SM9 master key pair;
the SM9 master key pair is encrypted with the public key of the SM2 key pair to obtain an SM9 master key pair ciphertext, which is sent to the user side SDK;
a user request ciphertext sent by the user side SDK is received, the corresponding session is indexed, and the user request ciphertext is decrypted using the private key of the SM9 master key pair and the resource unique identifier corresponding to the user request; the user request ciphertext is obtained by the application system encrypting the data request with the public key of the SM9 master key pair and the resource unique identifier corresponding to the data request;
after the corresponding session has been indexed according to the session ID, the user request ciphertext is decrypted using the private key of the SM9 master key pair and the resource unique identifier corresponding to the user request;
data access/operation authentication of the user is performed using the user unique identifier and the resource unique identifier corresponding to the user request together with the decrypted user request and the registered user list; if the user request is not authorized, "operation unauthorized" is returned directly as the request result; if the user request passes authorization, the user request is executed.
In a second aspect of the present invention, a method for securely isolating uplink and downlink data based on an edge computing gateway is disclosed, the method comprising:
establishing a data source device access security policy of the edge computing gateway, connecting the data source device to the edge computing gateway through the special private protocol SDK, performing device identity authentication at the device access security control module of the edge computing gateway, and, for each successfully authenticated device, establishing device uplink and downlink data channels through the uplink and downlink data isolation exchange module;
establishing an application system data access/operation security policy of the edge computing gateway, connecting the application system to the edge computing gateway through the special private protocol SDK, and performing data access/operation request authority authentication through the user access security control module of the edge computing gateway;
when the application system issues industrial downlink data, the edge computing gateway forwards the downlink data whose data access/operation request authority has been successfully authenticated to the corresponding device through the device downlink data channel;
when the application system subscribes to industrial uplink data, the edge computing gateway forwards the subscription whose data access/operation request authority has been successfully authenticated to the corresponding device through the device downlink data channel, notifies the corresponding device to report data, and directionally forwards the uplink data to the corresponding application system through the device uplink data channel.
Preferably, the special private protocol SDK includes a device side SDK and a user side SDK, where the device side SDK is configured to establish a private encryption channel based on authority control so as to implement encrypted communication between the device access security control module of the edge computing gateway and a device in the device layer, and the user side SDK is configured to establish a private encryption channel based on authority control so as to implement encrypted communication between the user access security control module of the edge computing gateway and an application system in the application layer; establishing the private encryption channel based on authority control specifically comprises the following steps:
when the special private protocol SDK receives an access request or an instruction, it randomly generates an SM2 key pair;
the edge computing gateway receives the public key of the SM2 key pair sent by the special private protocol SDK, establishes a session and generates an SM9 master key pair;
the SM9 master key pair is encrypted with the public key of the SM2 key pair to obtain an SM9 master key pair ciphertext, which is sent to the special private protocol SDK;
a data request ciphertext sent by the special private protocol SDK is received, the corresponding session is indexed, and the data request ciphertext is decrypted using the private key of the SM9 master key pair and the resource unique identifier corresponding to the data request; the data request ciphertext is obtained by the special private protocol SDK encrypting the data request with the public key of the SM9 master key pair and the resource unique identifier corresponding to the data request;
after the corresponding session has been indexed according to the session ID, the data request ciphertext is decrypted using the private key of the SM9 master key pair and the resource unique identifier corresponding to the data request;
identity authentication or authority verification of the device or user is performed using the device or user unique identifier and the resource unique identifier corresponding to the data request together with the decrypted data request and the registered device or user list; if the data request is not authorized, "operation unauthorized" is returned directly as the request result; if the data request passes authorization, the data request is executed.
Preferably, the edge computing gateway forwarding the downlink data whose data access/operation request authority has been successfully authenticated to the corresponding device through the device downlink data channel specifically includes:
when the user side SDK receives an industrial control issuing command from an application system in the user layer, it establishes communication with the user access security control module through the private encryption channel based on authority control; the user access security control module performs data access/operation authentication on the user and, if the user request passes authorization, issues the request to the uplink and downlink data isolation exchange module; the uplink and downlink data isolation exchange module indexes the device downlink data channel and directionally issues the request to the device access security control module; and the device access security control module sends the device command through the device side SDK to the corresponding device in the device layer.
The edge computing gateway directionally forwarding the uplink data to the corresponding application system through the device uplink data channel specifically includes:
the device side SDK receives the device state report from the device layer and forwards it to the device access security control module; the device access security control module makes a directional data report to the uplink and downlink data isolation exchange module; the uplink and downlink data isolation exchange module indexes the device uplink data channel and reports the data to the user access security control module; and the user access security control module reports the device state data to the corresponding application system through the user side SDK.
Compared with the prior art, the invention has the following beneficial effects:
1) the invention provides an identity-based uplink and downlink data isolation mechanism, in which the identity of the user is used to schedule and separate uplink data from downlink data; uplink data is secured and transmitted through the device access security policy in an interface subscription mode, and downlink data is secured and transmitted through customized access using the special protocol;
2) the invention is based on private encryption channel technology with authority control, combines authentication of the user with encryption of the data communication, and controls and isolates illegal requests from upper-layer applications at the transport layer while ensuring data security, thereby simplifying handshake interaction and reducing communication overhead;
3) under the private encryption channel technology based on authority control, the invention designs a special private protocol that is suited to the industrial field and is lightweight, high-performance and data-secure. The protocol constructs a high-speed channel among the application system, the edge computing gateway and the data source devices while ensuring the secure isolation of uplink and downlink data. By encapsulating the internal interaction process of the edge computing gateway, the invention provides a set of customized access strategies based on the special protocol and, in the form of an SDK interface based on the special private protocol, simplifies device access, simplifies application development, reduces system complexity and realizes the interconnection and intercommunication of heterogeneous industrial devices, modules, systems and platforms.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic diagram of an architecture of an upstream and downstream data security isolation system based on an edge computing gateway according to the present invention;
FIG. 2 is a timing diagram illustrating data interaction between private encryption channels based on authority control according to the present invention;
FIG. 3 is a timing diagram illustrating uplink and downlink data isolation based on an edge computing gateway according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
As shown in FIG. 1, the present invention provides an uplink and downlink data security isolation system for an edge computing gateway, divided into an application layer, an edge computing layer and a device layer. A device in the device layer is connected to the edge computing layer through an adapter in the form of a special private protocol SDK interface; the edge computing layer implements uplink and downlink data isolation based on the edge gateway through an edge computing microservice; and the application layer manages the various application systems and is likewise connected to the edge computing layer in the form of a special private protocol SDK interface. The system specifically comprises a special private protocol SDK 100 (the SDK interface 100 in FIG. 1), a user access security control module 200, an uplink and downlink data isolation exchange module 300 and a device access security control module 400;
the special private protocol SDK 100 is used to provide an external interface for the edge computing gateway using a special private protocol, to establish a private encryption channel based on authority control, and to realize encrypted communication between the edge computing gateway and the application layer and device layer;
the special private protocol SDK comprises a device side SDK and a user side SDK, where the device side SDK is used to establish a private encryption channel based on authority control to realize encrypted communication between the device access security control module of the edge computing gateway and the devices of the device layer, and the user side SDK is used to establish a private encryption channel based on authority control to realize encrypted communication between the user access security control module of the edge computing gateway and the application systems of the application layer. FIG. 2 shows the flow of establishing a private encryption channel based on authority control.
Referring to FIG. 2, a sequence diagram of data interaction over a private encryption channel based on authority control, the specific way in which the device side SDK implements encrypted communication between the device access security control module of the edge computing gateway and a device in the device layer is as follows:
1.1) the device side SDK receives the device access request sent by a device of the device layer through the adapter, and randomly generates an SM2 key pair;
1.2) the device access security control module receives the public key of the SM2 key pair sent by the device side SDK, establishes a session and generates an SM9 master key pair;
1.3) the SM9 master key pair is encrypted with the public key of the SM2 key pair to obtain an SM9 master key pair ciphertext, which is sent to the device side SDK;
1.4) a device request ciphertext sent by the device side SDK is received, the corresponding session is indexed, and the device request ciphertext is decrypted using the private key of the SM9 master key pair and the resource unique identifier corresponding to the device request; the device request ciphertext is obtained by the device side SDK encrypting the device request with the public key of the SM9 master key pair and the resource unique identifier corresponding to the device request;
1.5) after the corresponding session has been indexed according to the session ID, the device request ciphertext is decrypted using the private key of the SM9 master key pair and the resource unique identifier corresponding to the device request;
1.6) the device is authenticated using the device unique identifier and the resource unique identifier corresponding to the device request together with the decrypted device request and the registered device list, and the authority of the device request is checked; if the device request is not authorized, "operation unauthorized" is returned directly as the request result; if the device request passes authorization, the device request is executed.
Referring to FIG. 2, the specific way in which the user side SDK implements encrypted communication between the user access security control module of the edge computing gateway and an application system in the application layer is as follows:
2.1) when the user side SDK receives an industrial control issuing instruction or an industrial device state subscription from an application system in the user layer, it randomly generates an SM2 key pair;
2.2) the user access security control module receives the public key of the SM2 key pair sent by the user side SDK, establishes a session and generates an SM9 master key pair;
2.3) the SM9 master key pair is encrypted with the public key of the SM2 key pair to obtain an SM9 master key pair ciphertext, which is sent to the user side SDK;
2.4) a user request ciphertext sent by the user side SDK is received, the corresponding session is indexed, and the user request ciphertext is decrypted using the private key of the SM9 master key pair and the resource unique identifier corresponding to the user request; the user request ciphertext is obtained by the application system encrypting the data request with the public key of the SM9 master key pair and the resource unique identifier corresponding to the data request;
2.5) after the corresponding session has been indexed according to the session ID, the user request ciphertext is decrypted using the private key of the SM9 master key pair and the resource unique identifier corresponding to the user request;
2.6) data access/operation authentication of the user is performed using the user unique identifier and the resource unique identifier corresponding to the user request together with the decrypted user request and the registered user list; if the user request is not authorized, "operation unauthorized" is returned directly as the request result; if the user request passes authorization, the user request is executed.
The user access security control module 200 is configured to construct the application system data access/operation security policy of the edge computing gateway. That policy includes establishing a user permission control database and constructing a registered user list, where the registered user list holds the users authorized for each device and the permissions of each authorized user, and, in response to the application layer sending a data access/operation request to the edge computing microservice through the dedicated private protocol SDK, verifying the authorization information of the request. The user access security control module is further configured to issue requests that pass the data access/operation security policy authentication to the uplink and downlink data isolation exchange module, and to receive data reported by the uplink and downlink data isolation exchange module and report the device status data to the dedicated private protocol SDK;
the uplink and downlink data isolation exchange module 300 is configured to construct a separate device uplink data channel and device downlink data channel for each device whose identity authentication succeeded; to receive an issuing request from the user access security control module, look up the device downlink data channel and directionally issue the request to the device access security control module; and to receive the directional data report from the device access security control module, look up the device uplink data channel and report the data to the user access security control module;
the device access security control module 400 is configured to construct the data source device access security policy of the edge computing gateway. That policy includes establishing a data source device authentication information database and constructing a registered device list, where the registered device list holds the registered devices and their corresponding device unique identifiers, and, in response to an authentication request sent by the device layer through the dedicated private protocol SDK, performing identity authentication on the device. The device access security control module is further configured to receive directional issuing requests from the uplink and downlink data isolation exchange module and send the device command to the dedicated private protocol SDK, and to receive the device status report fed back by the dedicated private protocol SDK and make a directional data report to the uplink and downlink data isolation exchange module.
When an application system issues industrial downlink data, the edge computing gateway forwards the downlink data to the corresponding device through the device downlink data channel:
on receiving an industrial control issuing command sent by an application system of the user layer, the user side SDK establishes communication with the user access security control module through the private encrypted channel based on authority control; the user access security control module performs data access/operation authentication on the user and, if the user request passes authorization, issues the request to the uplink and downlink data isolation exchange module; the uplink and downlink data isolation exchange module looks up the device downlink data channel and directionally issues the request to the device access security control module; and the device access security control module sends the device command to the corresponding device of the device layer through the device side SDK.
When an application system subscribes to industrial uplink data, the edge computing gateway notifies the corresponding device to report data through the device downlink data channel and then directionally forwards the uplink data to the corresponding application system through the device uplink data channel. Directionally forwarding the uplink data to the corresponding application system through the uplink data channel specifically means: the device side SDK receives the device status report from the device layer and forwards it to the device access security control module; the device access security control module makes a directional data report to the uplink and downlink data isolation exchange module; the uplink and downlink data isolation exchange module looks up the device uplink data channel and reports the data to the user access security control module; and the user access security control module reports the device status data to the corresponding application system through the user side SDK.
Control over one device accessing another device in the application layer can likewise be realized on the basis of the device side SDK and the device access security control module.
Referring to fig. 3, a timing chart of the uplink and downlink data isolation of the edge computing gateway, the present invention provides a method for securely isolating the uplink and downlink data of an edge computing gateway, the method comprising:
S1, establishing the data source device access security policy of the edge computing gateway, connecting the data source device to the edge computing gateway through the dedicated private protocol SDK, performing device identity authentication through the device access security control module of the edge computing gateway, and establishing device uplink and downlink data channels through the uplink and downlink data isolation exchange module for each device whose authentication succeeded;
S2, constructing the application system data access/operation security policy of the edge computing gateway, connecting the application system to the edge computing gateway through the dedicated private protocol SDK, and performing data access/operation request authority authentication through the user access security control module of the edge computing gateway;
in steps S1 and S2, the dedicated private protocol SDK comprises a device side SDK and a user side SDK, where the device side SDK is configured to establish a private encrypted channel based on authority control so as to implement encrypted communication between the device access security control module of the edge computing gateway and a device of the device layer, and the user side SDK is configured to establish a private encrypted channel based on authority control so as to implement encrypted communication between the user access security control module of the edge computing gateway and an application system of the application layer;
the specific steps of establishing the private encrypted channel based on authority control are shown in fig. 2 as S01-S15 and comprise:
when the dedicated private protocol SDK receives an access request or an instruction, it randomly generates an SM2 key pair;
the edge computing gateway receives the public key of the SM2 key pair sent by the dedicated private protocol SDK, establishes a session and generates an SM9 master key pair;
it encrypts the SM9 master key pair with the public key of the SM2 key pair to obtain the SM9 master key pair ciphertext and sends that ciphertext to the dedicated private protocol SDK;
it receives the data request ciphertext sent by the dedicated private protocol SDK, looks up the corresponding session and decrypts the data request ciphertext using the private key of the SM9 master key pair together with the resource unique identifier corresponding to the data request; the data request ciphertext was produced by the dedicated private protocol SDK by encrypting the data request with the public key of the SM9 master key pair and the resource unique identifier corresponding to the data request;
after looking up the corresponding session by its session ID, it decrypts the data request ciphertext using the private key of the SM9 master key pair and the resource unique identifier corresponding to the data request;
it performs identity authentication/authority verification on the device/user using the device unique identifier, the resource unique identifier and the decrypted data request corresponding to the data request, together with the registered device/user list; if the data request is not authorized, "operation unauthorized" is returned directly as the request result; if the data request passes authorization, the data request is executed.
S3, when an application system issues industrial downlink data, the edge computing gateway forwards the downlink data whose data access/operation request authority was successfully authenticated to the corresponding device through the device downlink data channel;
the edge computing gateway forwarding the successfully authenticated downlink data to the corresponding device through the device downlink data channel specifically comprises: on receiving an industrial control issuing command sent by an application system of the user layer, the user side SDK establishes communication with the user access security control module through the private encrypted channel based on authority control; the user access security control module performs data access/operation authentication on the user and, if the user request passes authorization, issues the request to the uplink and downlink data isolation exchange module; the uplink and downlink data isolation exchange module looks up the device downlink data channel and directionally issues the request to the device access security control module; and the device access security control module sends the device command to the corresponding device of the device layer through the device side SDK.
S4, when an application system subscribes to industrial uplink data, the edge computing gateway forwards the subscription whose data access/operation request authority was successfully authenticated to the corresponding device through the device downlink data channel, notifies the corresponding device to report data, and directionally forwards the uplink data to the corresponding application system through the device uplink data channel.
The edge computing gateway directionally forwarding the uplink data to the corresponding application system through the device uplink data channel specifically comprises: the device side SDK receives the device status report from the device layer and forwards it to the device access security control module; the device access security control module makes a directional data report to the uplink and downlink data isolation exchange module; the uplink and downlink data isolation exchange module looks up the device uplink data channel and reports the data to the user access security control module; and the user access security control module reports the device status data to the corresponding application system through the user side SDK.
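The session set-up (steps 2.1-2.6 and S01-S15), the resource-bound request check and the directional downlink/uplink routing of S3-S4, as an added runnable model that is not the patent's own code. It assumes standard-library stand-ins for SM2 and SM9 (a random master secret, an HMAC-derived per-resource key, a SHA-256 keystream with an HMAC tag, no SM2 wrapping of the master key) and assumes resource identifiers of the form "<device_id>/<point>"; the registered lists and requests are constructed sample data.

```python
"""Added example (not the patent's own code): a runnable model of the
session set-up, resource-bound request check and directional channel
routing described above. Assumptions: SM2 and SM9 are replaced by
standard-library stand-ins (random master secret, HMAC-derived per-resource
key, SHA-256 keystream with an HMAC tag), the SM2 wrapping of the master
key is omitted, and resource identifiers are assumed to look like
"<device_id>/<point>"."""
import hashlib
import hmac
import json
import secrets

UNAUTHORIZED = "operation unauthorized"  # result returned for a failed check


def resource_key(master_secret: bytes, resource_id: str) -> bytes:
    # Stand-in for the SM9 identity-bound key: the resource unique identifier
    # plays the role of the identity, so the key for one resource cannot open a
    # request sealed for another resource.
    return hmac.new(master_secret, resource_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(master_secret: bytes, resource_id: str, request: dict) -> dict:
    # Toy encrypt-then-MAC (constructed here) standing in for SM9 encryption of
    # the request under the master public key and the resource identifier.
    key = resource_key(master_secret, resource_id)
    body = json.dumps(request, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))
    return {"ct": ct.hex(), "tag": hmac.new(key, ct, hashlib.sha256).hexdigest()}


def unseal(master_secret: bytes, resource_id: str, sealed: dict):
    key = resource_key(master_secret, resource_id)
    ct = bytes.fromhex(sealed["ct"])
    expected = hmac.new(key, ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None  # wrong session or wrong resource identifier: reject
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))))


class Gateway:
    """User access control + isolation exchange + device access control in one object."""

    def __init__(self, registered_devices, registered_users):
        self.registered_devices = set(registered_devices)  # device unique identifiers
        self.registered_users = registered_users  # device_id -> {user_id: {"read", "write"}}
        self.sessions = {}     # session_id -> master secret (stand-in for the SM9 master key)
        self.downlink = {}     # device_id -> issued commands (device downlink data channel)
        self.uplink = {}       # device_id -> reported data (device uplink data channel)
        self.subscribers = {}  # device_id -> application users subscribed to its reports

    def admit_device(self, device_id: str) -> bool:
        # Channels exist only for devices whose identity authentication succeeded.
        if device_id not in self.registered_devices:
            return False
        self.downlink[device_id], self.uplink[device_id] = [], []
        self.subscribers[device_id] = set()
        return True

    def open_session(self, sdk_sm2_public_key: bytes):
        # Steps 2.2/2.3: receive the SDK public key, create a session and a fresh
        # master secret. The SM2 wrapping is omitted here, so the secret is
        # returned in the clear (stand-in only).
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.token_bytes(32)
        return sid, self.sessions[sid]

    def handle_user_request(self, sid, user_id, resource_id, sealed) -> str:
        master = self.sessions.get(sid)
        if master is None:
            return UNAUTHORIZED  # unknown session ID
        req = unseal(master, resource_id, sealed)
        if req is None:
            return UNAUTHORIZED  # ciphertext not bound to this session and resource
        device_id = resource_id.split("/")[0]  # assumed "<device_id>/<point>" naming
        perms = self.registered_users.get(device_id, {}).get(user_id, set())
        needed = "write" if req["op"] == "issue" else "read"
        if needed not in perms or device_id not in self.downlink:
            return UNAUTHORIZED  # user lacks the permission or device never authenticated
        if req["op"] == "issue":
            self.downlink[device_id].append({"resource": resource_id, "cmd": req["cmd"]})
        else:  # subscribe: remember the subscriber and tell the device to report
            self.subscribers[device_id].add(user_id)
            self.downlink[device_id].append({"resource": resource_id, "cmd": "report"})
        return "executed"

    def device_report(self, device_id: str, data: dict) -> list:
        # Uplink path: only authenticated devices have a channel, and the report
        # is delivered only to application users that subscribed.
        if device_id not in self.uplink:
            return []
        self.uplink[device_id].append(data)
        return sorted(self.subscribers[device_id])
```

A request sealed for one resource but presented under another resource identifier, or under an unknown session ID, is rejected before any permission lookup, which is the property the resource-bound decryption step buys.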
The uplink and downlink data security isolation system and method based on an edge computing gateway of the present invention perform security isolation and identity verification on the uplink and downlink data sources and applications of an industrial site, preventing the industrial control system failures, or even paralysis, caused in the industrial control field by the intrusion of malicious instructions, unauthorized instruction issuing, data input interference from unknown devices and the like, and ensuring the normal operation of the industrial control system.
The above description covers only preferred embodiments of the present invention and is not to be construed as limiting it; any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included within its scope.

Claims (7)

1. An uplink and downlink data security isolation system based on an edge computing gateway, characterized by comprising a dedicated private protocol SDK, a user access security control module, an uplink and downlink data isolation exchange module and a device access security control module;
the dedicated private protocol SDK: configured to provide an external interface for the edge computing gateway using a dedicated private protocol, to establish a private encrypted channel based on authority control, and to implement encrypted communication between the edge computing gateway and the application layer and the device layer;
the user access security control module: configured to construct the application system data access/operation security policy of the edge computing gateway; to issue requests that pass the authentication of the application system data access/operation security policy to the uplink and downlink data isolation exchange module; and to receive data reported by the uplink and downlink data isolation exchange module and report the device status data to the dedicated private protocol SDK;
the uplink and downlink data isolation exchange module: configured to construct a separate device uplink data channel and device downlink data channel for each device whose identity was authenticated by the device access security control module; to receive an issuing request from the user access security control module, look up the device downlink data channel and directionally issue the request to the device access security control module; and to receive the directional data report from the device access security control module, look up the device uplink data channel and report the data to the user access security control module;
the device access security control module: configured to construct the data source device access security policy of the edge computing gateway; to receive the directional issuing request from the uplink and downlink data isolation exchange module and send the device command to the dedicated private protocol SDK; and to receive the device status report fed back by the dedicated private protocol SDK and make a directional data report to the uplink and downlink data isolation exchange module;
the dedicated private protocol SDK comprises a device side SDK and a user side SDK, where the device side SDK is configured to establish a private encrypted channel based on authority control so as to implement encrypted communication between the device access security control module of the edge computing gateway and devices of the device layer, and the user side SDK is configured to establish a private encrypted channel based on authority control so as to implement encrypted communication between the user access security control module of the edge computing gateway and an application system of the application layer;
the device side SDK implements encrypted communication between the device access security control module of the edge computing gateway and a device of the device layer as follows:
the device side SDK receives a device access request sent by a device of the device layer through an adapter and randomly generates an SM2 key pair;
the device access security control module receives the public key of the SM2 key pair sent by the device side SDK, establishes a session and generates an SM9 master key pair;
it encrypts the SM9 master key pair with the public key of the SM2 key pair to obtain the SM9 master key pair ciphertext and sends that ciphertext to the device side SDK;
it receives the device request ciphertext sent by the device side SDK, looks up the corresponding session and decrypts the device request ciphertext using the private key of the SM9 master key pair together with the resource unique identifier corresponding to the device request; the device request ciphertext was produced by the device side SDK by encrypting the device request with the public key of the SM9 master key pair and the resource unique identifier corresponding to the device request;
after looking up the corresponding session by its session ID, it decrypts the device request ciphertext using the private key of the SM9 master key pair and the resource unique identifier corresponding to the device request;
using the device unique identifier, the resource unique identifier and the decrypted data request corresponding to the device request, together with the registered device list, it authenticates the identity of the device and verifies the authority of the device request; if the device request is not authorized, "operation unauthorized" is returned directly as the request result; if the device request passes authorization, the device request is executed.
2. The system according to claim 1, wherein, in the user access security control module, the application system data access/operation security policy of the edge computing gateway comprises: establishing a user authority control database and constructing a registered user list, where the registered user list comprises the users authorized for each device and the corresponding authority of each authorized user; and, in response to the application layer sending a data access/operation request to the edge computing microservice through the dedicated private protocol SDK, verifying the authorization information of the request;
in the device access security control module, the data source device access security policy of the edge computing gateway comprises: establishing a data source device authentication information database and constructing a registered device list, where the registered device list comprises the registered devices and their corresponding device unique identifiers; and, in response to an authentication request sent by the device layer through the dedicated private protocol SDK, performing identity authentication on the device.
3. The edge computing gateway-based uplink and downlink data security isolation system of claim 1, wherein, when an application system issues industrial downlink data, the edge computing gateway forwards the downlink data to the corresponding device through the device downlink data channel:
on receiving an industrial control issuing command sent by an application system of the user layer, the user side SDK establishes communication with the user access security control module through the private encrypted channel based on authority control; the user access security control module performs data access/operation authentication on the user and, if the user request passes authorization, issues the request to the uplink and downlink data isolation exchange module; the uplink and downlink data isolation exchange module looks up the device downlink data channel and directionally issues the request to the device access security control module; and the device access security control module sends the device command to the corresponding device of the device layer through the device side SDK.
4. The edge computing gateway-based uplink and downlink data security isolation system according to claim 3, wherein, when an application system subscribes to industrial uplink data, the edge computing gateway notifies the corresponding device to report data through the device downlink data channel and directionally forwards the uplink data to the corresponding application system through the device uplink data channel;
the step of directionally forwarding the uplink data to the corresponding application system through the uplink data channel specifically comprises: the device side SDK receives the device status report from the device layer and forwards it to the device access security control module; the device access security control module makes a directional data report to the uplink and downlink data isolation exchange module; the uplink and downlink data isolation exchange module looks up the device uplink data channel and reports the data to the user access security control module; and the user access security control module reports the device status data to the corresponding application system through the user side SDK.
5. The system according to claim 4, wherein the user side SDK implements encrypted communication between the user access security control module of the edge computing gateway and an application system of the application layer as follows:
when the user side SDK receives an industrial control issuing instruction or an industrial device status subscription sent by an application system of the user layer, it randomly generates an SM2 key pair;
the user access security control module receives the public key of the SM2 key pair sent by the user side SDK, establishes a session and generates an SM9 master key pair;
it encrypts the SM9 master key pair with the public key of the SM2 key pair to obtain the SM9 master key pair ciphertext and sends that ciphertext to the user side SDK;
it receives the user request ciphertext sent by the user side SDK, looks up the corresponding session and decrypts the user request ciphertext using the private key of the SM9 master key pair together with the resource unique identifier corresponding to the user request; the user request ciphertext was produced by the application system by encrypting the data request with the public key of the SM9 master key pair and the resource unique identifier corresponding to the data request;
after looking up the corresponding session by its session ID, it decrypts the user request ciphertext using the private key of the SM9 master key pair and the resource unique identifier corresponding to the user request;
using the user unique identifier corresponding to the user request, the resource unique identifier and the decrypted user request, together with the registered user list, it performs data access/operation authentication on the user; if the user request is not authorized, "operation unauthorized" is returned directly as the request result; if the user request passes authorization, the user request is executed.
6. An uplink and downlink data security isolation method based on an edge computing gateway, the method comprising:
establishing the data source device access security policy of the edge computing gateway, connecting the data source device to the edge computing gateway through the dedicated private protocol SDK, performing device identity authentication through the device access security control module of the edge computing gateway, and establishing device uplink and downlink data channels through the uplink and downlink data isolation exchange module for each device whose authentication succeeded;
establishing the application system data access/operation security policy of the edge computing gateway, connecting the application system to the edge computing gateway through the dedicated private protocol SDK, and performing data access/operation request authority authentication through the user access security control module of the edge computing gateway;
when an application system issues industrial downlink data, the edge computing gateway forwards the downlink data whose data access/operation request authority was successfully authenticated to the corresponding device through the device downlink data channel;
when an application system subscribes to industrial uplink data, the edge computing gateway forwards the subscription whose data access/operation request authority was successfully authenticated to the corresponding device through the device downlink data channel, notifies the corresponding device to report data, and directionally forwards the uplink data to the corresponding application system through the device uplink data channel;
the dedicated private protocol SDK comprises a device side SDK and a user side SDK, where the device side SDK is configured to establish a private encrypted channel based on authority control so as to implement encrypted communication between the device access security control module of the edge computing gateway and devices of the device layer, and the user side SDK is configured to establish a private encrypted channel based on authority control so as to implement encrypted communication between the user access security control module of the edge computing gateway and an application system of the application layer; establishing the private encrypted channel based on authority control specifically comprises the following steps:
when the dedicated private protocol SDK receives an access request or an instruction, it randomly generates an SM2 key pair;
the edge computing gateway receives the public key of the SM2 key pair sent by the dedicated private protocol SDK, establishes a session and generates an SM9 master key pair;
it encrypts the SM9 master key pair with the public key of the SM2 key pair to obtain the SM9 master key pair ciphertext and sends that ciphertext to the dedicated private protocol SDK;
it receives the data request ciphertext sent by the dedicated private protocol SDK, looks up the corresponding session and decrypts the data request ciphertext using the private key of the SM9 master key pair together with the resource unique identifier corresponding to the data request; the data request ciphertext was produced by the dedicated private protocol SDK by encrypting the data request with the public key of the SM9 master key pair and the resource unique identifier corresponding to the data request;
after looking up the corresponding session by its session ID, it decrypts the data request ciphertext using the private key of the SM9 master key pair and the resource unique identifier corresponding to the data request;
it performs identity authentication/authority verification on the device/user using the device unique identifier, the resource unique identifier and the decrypted data request corresponding to the data request, together with the registered device/user list; if the data request is not authorized, "operation unauthorized" is returned directly as the request result; if the data request passes authorization, the data request is executed.
7. The uplink and downlink data security isolation method based on an edge computing gateway of claim 6, wherein the edge computing gateway forwarding the successfully authenticated downlink data to the corresponding device through the device downlink data channel specifically comprises:
on receiving an industrial control issuing instruction sent by an application system of the user layer, the user side SDK establishes communication with the user access security control module through the private encrypted channel based on authority control; the user access security control module performs data access/operation authentication on the user and, if the user request passes authorization, issues the request to the uplink and downlink data isolation exchange module; the uplink and downlink data isolation exchange module looks up the device downlink data channel and directionally issues the request to the device access security control module; and the device access security control module sends the device command to the corresponding device of the device layer through the device side SDK;
the edge computing gateway directionally forwarding the uplink data to the corresponding application system through the device uplink data channel specifically comprises:
the device side SDK receives the device status report from the device layer and forwards it to the device access security control module; the device access security control module makes a directional data report to the uplink and downlink data isolation exchange module; the uplink and downlink data isolation exchange module looks up the device uplink data channel and reports the data to the user access security control module; and the user access security control module reports the device status data to the corresponding application system through the user side SDK.
CN202011410021.2A 2020-12-06 2020-12-06 Uplink and downlink data security isolation system and method based on edge computing gateway Active CN112565260B (en)


Publications (2)

Publication Number, Publication Date
CN112565260A (en), 2021-03-26
CN112565260B (en), 2022-08-16

Family

ID=75048592

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011410021.2A Active CN112565260B (en) 2020-12-06 2020-12-06 Uplink and downlink data security isolation system and method based on edge computing gateway

Country Status (1)

Country Link
CN (1) CN112565260B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113691622B (en) * 2021-08-24 2023-06-27 重庆忽米网络科技有限公司 Industrial data forwarding method based on edge calculation
CN115118449B (en) * 2022-05-13 2023-06-27 国网浙江省电力有限公司信息通信分公司 Energy internet-oriented safe and efficient interactive edge proxy server

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1592168A1 (en) * 2004-04-27 2005-11-02 Microsoft Corporation System and methods for policy conformance verification in communication networks
CN102687132A (en) * 2009-12-15 2012-09-19 微软公司 Trustworthy extensible markup language for trustworthy computing and data services
CN103491072A (en) * 2013-09-06 2014-01-01 北京信息控制研究所 Boundary access control method based on double one-way separation gatekeepers
CN111901360A (en) * 2020-08-10 2020-11-06 西安交通大学 Control system suitable for safe access of intranet data

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045310B (en) * 2009-10-14 2015-07-15 上海可鲁系统软件有限公司 Industrial Internet intrusion detection as well as defense method and device
CN103237010B (en) * 2010-10-25 2016-12-28 北京中科联众科技股份有限公司 The server end of digital content is cryptographically provided
US9716999B2 (en) * 2011-04-18 2017-07-25 Syniverse Communications, Inc. Method of and system for utilizing a first network authentication result for a second network
CN110365484B (en) * 2015-03-17 2023-01-20 创新先进技术有限公司 Data processing method, device and system for equipment authentication
CN107040459A (en) * 2017-03-27 2017-08-11 高岩 A kind of intelligent industrial secure cloud gateway device system and method
CN110943957B (en) * 2018-09-21 2022-04-15 郑州信大捷安信息技术股份有限公司 Safety communication system and method for vehicle intranet

Also Published As

Publication number Publication date
CN112565260A (en) 2021-03-26

Similar Documents

Publication Publication Date Title
US12010251B2 (en) Electric border gateway device and method for chaining and storage of sensing data based on the same
CN112073375A (en) Isolation device and isolation method suitable for power Internet of things client side
EP2391083B1 (en) Method for realizing authentication center and authentication system
CN112565260B (en) Uplink and downlink data security isolation system and method based on edge computing gateway
Tawde et al. Cyber security in smart grid SCADA automation systems
CN109905371A (en) Two-way encrypted authentication system and its application method
CN111711625A (en) Power system information security encryption system based on power distribution terminal
CN112153641B (en) Secondary authentication enhancement and end-to-end encryption method and system based on edge UPF
CN105577365B (en) A kind of user accesses the cryptographic key negotiation method and device of WLAN
CN115549932B (en) Security access system and access method for massive heterogeneous Internet of things terminals
CN115085943B (en) Edge computing method and platform for safe encryption of electric power Internet of things in north and south directions
Zhang et al. A secure revocable fine-grained access control and data sharing scheme for SCADA in IIoT systems
CN112332986A (en) Private encryption communication method and system based on authority control
CN115941236A (en) Zero trust safety protection method for edge side of power distribution network
CN117676579B (en) Automobile safety identity authentication method based on chip construction
CN111064752B (en) Preset secret key sharing system and method based on public network
WO2009070453A1 (en) Method and apparatus for performing key management and key distribution in wireless networks
CN108173641B (en) Zigbee safety communication method based on RSA
CN114422588B (en) Security autonomous realization system and method for authenticating terminal access by edge internet of things agent
CN106792667B (en) Network access authentication method for robot and robot
Zhang et al. Research on power 5G business security architecture and protection technologies
CN115913528B (en) Quantum key management method based on security chip and cloud cooperation
CN214205583U (en) End-to-end external secure communication device based on electric power trusted computing platform communication
KR102423178B1 (en) Agent based cryptographic module interworking system and its method
Santos et al. A federated lightweight authentication protocol for the internet of things

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant