CN112995612B - Safe access method and system for power video monitoring terminal - Google Patents


Info

Publication number: CN112995612B
Authority: CN (China)
Prior art keywords: video, monitoring terminal, video monitoring, security, module
Legal status: Active
Application number: CN202110487571.2A
Other languages: Chinese (zh)
Other versions: CN112995612A
Inventors: 陈飞, 李明柱, 张胜
Current assignee: Xinlian Technology Nanjing Co ltd
Original assignee: Xinlian Technology Nanjing Co ltd
History: application filed by Xinlian Technology Nanjing Co ltd; priority to CN202110487571.2A; publication of CN112995612A; application granted; publication of CN112995612B; current legal status active.

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
                • H04N7/00 Television systems
                    • H04N7/18 Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast
                        • H04N7/181 Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast, for receiving images from a plurality of remote sources
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
                        • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
                    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Power Engineering (AREA)
  • Selective Calling Equipment (AREA)

Abstract

The invention relates to a secure access method for a power video monitoring terminal. It adopts a new control strategy in which access control of the video monitoring terminal is performed through multidimensional authentication and detection: identity authentication together with security state detection, the latter consisting of static information detection and dynamic information detection. This ensures that an accessed video monitoring terminal is compliant and realizes secure access of the terminal. A dedicated communication protocol is further designed and applied for each communication service, which simplifies the key agreement and identity authentication processes, achieves efficient and secure transmission of video data, and improves the working efficiency of video monitoring.

Description

Safe access method and system for power video monitoring terminal
Technical Field
The invention relates to a secure access method and system for a power video monitoring terminal, and belongs to the technical field of Internet of Things monitoring access.
Background
Power video monitoring systems are widely used in power production, dispatching and comprehensive management, and provide real-time monitoring of important elements such as equipment and the surrounding environment in a power system. Construction of power video monitoring systems is gradually becoming an extremely important part of promoting the development of the smart grid. At present, integrated video monitoring platforms using IP as the bearer network occupy the mainstream position among video monitoring systems. Because most video monitoring terminals are deployed outdoors, in low-security environments without a human guard, and transmit video data over network protocols with weak security, there are serious potential security hazards: first, a camera that is not authenticated can be replaced by an attacker and used as an attack node; second, video data is neither encrypted nor integrity-protected, so there is a risk of data leakage and tampering; and third, the camera control link can be used for video control and network attacks, seriously threatening the security, stability and sustainable development of the power system.
To solve the above problems, existing technical solutions mainly adopt SSL VPN or IPSec VPN to implement secure transmission of video data, including identity authentication of the camera and encrypted transmission of the video data. The specific implementation is as follows: a hardware security chip embedded with a digital certificate is integrated into the video monitoring terminal, or a security TF card embedded with a digital certificate is added to it, to identify the camera; a secure access client program is installed, which calls the encryption and decryption algorithm interface provided by the security chip or security TF card and establishes an encrypted data transmission channel with a VPN gateway, thereby realizing secure transmission of the video data.
The prior art solves the information security problem of the power video monitoring system to a certain extent, but still has the following defects:
(1) only identity authentication is performed on the video monitoring terminal, which ensures the credibility of its identity but does not consider whether the terminal meets security requirements, so the access of a malicious terminal cannot be identified and prevented;
(2) the SSL VPN or IPSec VPN key negotiation and identity authentication process is complex, a large number of data packets need to be exchanged, and network communication efficiency is low.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a secure access method for a power video monitoring terminal, which adopts a new control strategy, performs access control on the video monitoring terminal through multidimensional authentication and detection, and designs and applies a dedicated communication protocol, thereby realizing efficient and secure transmission of video data and improving the working efficiency of video monitoring.
The invention adopts the following technical scheme to solve the technical problem: a secure access method for a power video monitoring terminal, based on a video security access gateway, a security authentication system and an admission control system located in the same local area network in the power intranet, in which each video monitoring terminal in the power extranet executes the following steps A to H and is thereby connected to a monitoring end located in the power intranet through the video security access gateway;
Step A, the video monitoring terminal establishes a network connection with the video security access gateway and sends its digital certificate to the video security access gateway to request identity authentication; proceed to step B;
Step B, the video security access gateway forwards the received digital certificate of the video monitoring terminal to the security authentication system, which verifies whether the digital certificate is expired or revoked; if so, access of the video monitoring terminal fails; otherwise, proceed to step C;
Step C, the video security access gateway generates a random number Rs, encrypts Rs with the public key of the video monitoring terminal's digital certificate and sends the encrypted Rs to the video monitoring terminal; the video monitoring terminal receives the encrypted Rs, decrypts it with the private key of its digital certificate to obtain Rs, and proceeds to step D;
Step D, the video monitoring terminal collects its own software and hardware information and performs compliance verification; if the verification passes, proceed to step E; if not, access of the video monitoring terminal fails;
Step E, the video monitoring terminal generates a random number Rt, encrypts Rt together with its software and hardware information using the public key of the video security access gateway, sends the encrypted data to the video security access gateway, and proceeds to step F;
Step F, the video security access gateway decrypts the data from the video monitoring terminal with its own private key to obtain Rt and the software and hardware information of the video monitoring terminal, and forwards the software and hardware information to the admission control system, which performs security verification on it; if the verification passes, the video security access gateway feeds back the passing result to the video monitoring terminal and proceeds to step G; if not, access of the video monitoring terminal fails;
Step G, the video monitoring terminal signs the random numbers Rs and Rt with the public key of the video security access gateway, sends the signature information to the video security access gateway, and proceeds to step H;
Step H, the video security access gateway verifies the signature from the video monitoring terminal to confirm the session key between the video monitoring terminal and itself; if the verification passes, the gateway feeds back the passing result to the video monitoring terminal, and the video monitoring terminal is successfully connected to the monitoring end in the power intranet; if the verification fails, access of the video monitoring terminal fails.
As a preferred technical scheme of the invention, the method further comprises the following steps I1 to I3, performed after the video monitoring terminal has successfully accessed the monitoring end in the power intranet, to upload target video acquisition data from the video monitoring terminal to the monitoring end;
Step I1, the video monitoring terminal encrypts the target video acquisition data with the session key, sends the encrypted data to the video security access gateway, and proceeds to step I2;
Step I2, the video security access gateway applies the session key to decrypt the encrypted data, obtains the target video acquisition data and performs a security check; if the check passes, proceed to step I3; if the check fails, the upload of the target video acquisition data fails;
Step I3, the video security access gateway forwards the obtained target video acquisition data to the monitoring end located in the power intranet.
As a preferred technical scheme of the invention, each video monitoring terminal comprises a video processing module, a security check module, a first hardware cryptographic module and a first secure communication module; step D comprises the following steps D1 to D6;
Step D1, the security check module in the video monitoring terminal collects the unique serial number and the international mobile subscriber identity (IMSI) of the first hardware cryptographic module, the version number of the video processing module, the version number of the security check module, the version number of the first hardware cryptographic module, the version number of the first secure communication module and the version number of the video monitoring terminal's operating system, forming the items of software and hardware information of the video monitoring terminal; proceed to step D2;
Step D2, the security check module calls the first hardware cryptographic module to perform a HASH operation on each item of software and hardware information, obtaining a HASH value for each item; it then reads the security policy file pre-stored in the first hardware cryptographic module and compares each HASH value with the corresponding value in the security policy file; if all are consistent, proceed to step D3, otherwise proceed to step D6;
Step D3, the security check module reads the process memory information of the video processing module and the first secure communication module, calls the first hardware cryptographic module to perform a HASH operation on the process memory information to obtain the corresponding HASH value, and compares it with the corresponding value in the security policy file; if consistent, proceed to step D4, otherwise proceed to step D6;
Step D4, the security check module reads the process code segments of the video processing module and the first secure communication module, calls the first hardware cryptographic module to perform a HASH operation on the process code segments to obtain the corresponding HASH value, and compares it with the corresponding value in the security policy file; if consistent, proceed to step D5, otherwise proceed to step D6;
Step D5, according to the judgment results of steps D2 to D4, the security check module sends each item of software and hardware information, the process memory information and the process code segments to the first secure communication module, which forwards the received information to the video security access gateway; the compliance verification of the video monitoring terminal has passed, and step E follows;
Step D6, the security check module sends the judgment result and the non-compliant information to the first secure communication module and instructs it to terminate the network connection between the video monitoring terminal and the video security access gateway; the compliance verification of the video monitoring terminal has failed, and access of the video monitoring terminal fails.
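As an added example (not the patent's own code), the following Python models the compliance check of steps D1 to D6: each collected item, the process memory image and the process code segment are hashed and compared against values held in a security policy file, and the first mismatch routes to step D6. The hardware cryptographic module's HASH operation is assumed to be SHA-256, the policy file is assumed to be a name-to-hex-digest map, and all inventory values are constructed sample data.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def hash_item(data: bytes) -> str:
    """HASH operation of the hardware cryptographic module; SHA-256 is assumed here."""
    return hashlib.sha256(data).hexdigest()


def make_policy(good_values: Dict[str, bytes]) -> Dict[str, str]:
    """Build the security policy file from known-good values. In the patent this file is
    pre-provisioned into the hardware cryptographic module; here it is constructed."""
    return {name: hash_item(value) for name, value in good_values.items()}


def check_against_policy(measured: Dict[str, bytes], policy: Dict[str, str]) -> Optional[str]:
    """Hash every measured item and compare it with the policy value in constant time.
    Returns the name of the first item missing from the policy or with a differing hash,
    or None when every item matches."""
    for name, value in measured.items():
        expected = policy.get(name)
        if expected is None or not hmac.compare_digest(hash_item(value), expected):
            return name
    return None


def compliance_check(static_info: Dict[str, bytes],
                     process_memory: Dict[str, bytes],
                     process_code: Dict[str, bytes],
                     policy: Dict[str, str]) -> Tuple[bool, str]:
    """Steps D2 to D4 in order; any mismatch goes to D6 (connection terminated)."""
    # Step D2: static software/hardware information collected in D1.
    bad = check_against_policy(static_info, policy)
    if bad is not None:
        return False, f"D6: static item '{bad}' does not match the security policy"
    # Step D3: process memory of the video processing and secure communication modules.
    bad = check_against_policy(process_memory, policy)
    if bad is not None:
        return False, f"D6: process memory of '{bad}' does not match the security policy"
    # Step D4: process code segments of the same two modules.
    bad = check_against_policy(process_code, policy)
    if bad is not None:
        return False, f"D6: code segment of '{bad}' does not match the security policy"
    # Step D5: all checks passed; the collected information is forwarded to the gateway.
    return True, "D5: compliance verification passed"


# Constructed sample inventory for one terminal (not real device data).
STATIC_INFO = {
    "hcm_serial": b"HCM-000123",
    "imsi": b"460001234567890",
    "video_processing_version": b"2.1.0",
    "security_check_version": b"1.4.2",
    "hcm_version": b"3.0.1",
    "secure_comm_version": b"1.7.0",
    "os_version": b"terminal-os 5.4.0",
}
PROCESS_MEMORY = {
    "video_processing.mem": b"<constructed memory image of video processing module>",
    "secure_comm.mem": b"<constructed memory image of secure communication module>",
}
PROCESS_CODE = {
    "video_processing.text": b"<constructed code segment of video processing module>",
    "secure_comm.text": b"<constructed code segment of secure communication module>",
}
POLICY = make_policy({**STATIC_INFO, **PROCESS_MEMORY, **PROCESS_CODE})


def run_good_terminal() -> Tuple[bool, str]:
    return compliance_check(STATIC_INFO, PROCESS_MEMORY, PROCESS_CODE, POLICY)


def run_downgraded_firmware() -> Tuple[bool, str]:
    # A terminal whose secure communication module was replaced by an older build.
    tampered = dict(STATIC_INFO, secure_comm_version=b"1.5.0")
    return compliance_check(tampered, PROCESS_MEMORY, PROCESS_CODE, POLICY)


def run_patched_code_segment() -> Tuple[bool, str]:
    # Static inventory intact, but the running code of the video processing module differs.
    patched = dict(PROCESS_CODE)
    patched["video_processing.text"] = b"<constructed modified code segment>"
    return compliance_check(STATIC_INFO, PROCESS_MEMORY, patched, POLICY)


if __name__ == "__main__":
    for run in (run_good_terminal, run_downgraded_firmware, run_patched_code_segment):
        print(run.__name__, run())
```

A process memory hash (step D3) can only match a stored value if the measured region is deterministic, so a real implementation would restrict D3 to read-only mappings; the code-segment hash of step D4 is the stable part of the measurement.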
As a preferred technical solution of the present invention, steps A to C are specifically as follows:
Step A, the video monitoring terminal applies a hash algorithm to its ID number $ID_T$, its digital certificate $Cer_T$ and a randomly generated network serial number $SN_0$ to produce the hash $H(SN_0, ID_T, Cer_T)$, then signs the hash with the private key $D_T$ of its digital certificate to obtain $E_{D_T}(H(SN_0, ID_T, Cer_T))$, sends it to the video security access gateway to request identity authentication, and proceeds to step B;
Step B, the video security access gateway sends the received digital certificate $Cer_T$ of the video monitoring terminal to the security authentication system, which verifies whether $Cer_T$ is expired or revoked; if so, access of the video monitoring terminal fails; otherwise, the verification result is returned to the video security access gateway and step C follows;
Step C, the video security access gateway generates a random number Rs, encrypts Rs with the public key of the video monitoring terminal's digital certificate and sends the encrypted Rs to the video monitoring terminal; the video monitoring terminal receives the encrypted Rs, decrypts it with the private key of its digital certificate to obtain Rs, and proceeds to step D.
As a preferred embodiment of the present invention, steps G to H are performed as follows:
Step G, the video monitoring terminal synthesizes the session key Rs ^ Rt from the random numbers Rs and Rt, performs a hash operation on the session key, encrypts the hash result with the public key of the video security access gateway, sends it to the video security access gateway, and proceeds to step H;
Step H, the video security access gateway decrypts the encrypted data from the video monitoring terminal with its private key to obtain the hash result, synthesizes its own copies of Rs and Rt into the session key Rs ^ Rt, performs the hash operation on the session key and compares its result with the hash result received from the video monitoring terminal; if the two are consistent, the verification passes, the video security access gateway feeds back the verification result to the video monitoring terminal to confirm the session key between the video monitoring terminal and the gateway, and the video monitoring terminal is successfully connected to the monitoring end in the power intranet; if they are inconsistent, the verification fails and access of the video monitoring terminal fails.
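The session key confirmation of steps G and H, as an added example that is not part of the patent: both sides synthesize Rs ^ Rt, the terminal sends the hash of the key, and the gateway recomputes and compares it. The public-key encryption that protects Rs, Rt and the hash on the wire is left out here (values are passed directly), the hash is assumed to be SHA-256, and Rs and Rt are assumed to be 16 bytes long.

```python
import hashlib
import hmac
import secrets

# Length of Rs and Rt in bytes; the patent fixes no size, 16 bytes is assumed here.
NONCE_LEN = 16


def make_session_key(rs: bytes, rt: bytes) -> bytes:
    """Synthesise the session key Rs ^ Rt as the byte-wise XOR of the two random numbers."""
    if len(rs) != len(rt):
        raise ValueError("Rs and Rt must have the same length")
    return bytes(a ^ b for a, b in zip(rs, rt))


def key_confirmation(session_key: bytes) -> bytes:
    """Hash of the session key, the value the terminal sends in step G (SHA-256 assumed)."""
    return hashlib.sha256(session_key).digest()


def gateway_verify(rs: bytes, rt: bytes, received: bytes) -> bool:
    """Step H: the gateway recomputes Rs ^ Rt from its own copies, hashes it and
    compares with the terminal's value in constant time."""
    expected = key_confirmation(make_session_key(rs, rt))
    return hmac.compare_digest(expected, received)


def run_exchange(gateway_rt_mismatch: bool = False) -> bool:
    """Both sides of steps C, E, G and H with the on-the-wire encryption omitted."""
    rs = secrets.token_bytes(NONCE_LEN)  # step C: the gateway generates Rs
    rt = secrets.token_bytes(NONCE_LEN)  # step E: the terminal generates Rt
    # Terminal side, step G: synthesise the key and send its hash.
    confirmation = key_confirmation(make_session_key(rs, rt))
    # Gateway side, step H. If the Rt recovered in step F differs from what the
    # terminal used (a corrupted or substituted message), the check must fail.
    gateway_rt = secrets.token_bytes(NONCE_LEN) if gateway_rt_mismatch else rt
    return gateway_verify(rs, gateway_rt, confirmation)


if __name__ == "__main__":
    print("matching Rt:", run_exchange())
    print("mismatched Rt:", run_exchange(gateway_rt_mismatch=True))
```

The confirmation hash proves that both sides hold the same Rs ^ Rt but carries no secret itself; the key's confidentiality rests entirely on the public-key encryption of Rs in step C and of Rt in step E.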
Correspondingly, the technical problem to be solved by the present invention also includes providing a system for the secure access method of a power video monitoring terminal, designed to perform multidimensional authentication and access control for the video monitoring terminal, so as to realize efficient and secure transmission of video data and improve the working efficiency of video monitoring.
The invention adopts the following technical scheme to solve this problem: a system for the secure access method of a power video monitoring terminal, based on a video security access gateway, a security authentication system and an admission control system located in the same local area network in the power intranet, and further comprising a first switch and a second switch; each video monitoring terminal is connected over the communication network, through the first switch located in the power intranet, to the video security access gateway, and the video security access gateway is connected through the second switch to the monitoring end located in the power intranet; at the same time, the video security access gateway is connected to the security authentication system and to the admission control system, and the video security access gateway, the security authentication system and the admission control system are arranged in a security access area defined in the power intranet.
As a preferred technical scheme of the invention: in the structure formed by the video processing module, the security check module, the first hardware cryptographic module and the first secure communication module in the video monitoring terminal:
the first hardware cryptographic module provides encryption and decryption, HASH operation, signature and signature verification services to the video processing module and the first secure communication module through a hardware API (application programming interface), and provides secure storage for video acquisition data, keys, the security policy file and the digital certificate;
the video processing module is connected to the first secure communication module and to the first hardware cryptographic module, and either encrypts and stores the video acquisition data in the secure storage area of the first hardware cryptographic module or sends it to the first secure communication module;
the security check module performs a security scan of the software and hardware state of the video monitoring terminal, covering the unique serial number of the first hardware cryptographic module, the international mobile subscriber identity, and the version numbers of the video processing module, the security check module, the first hardware cryptographic module, the first secure communication module and the video monitoring terminal's operating system; it makes its judgment according to the security policy file and sends the judgment result to the first secure communication module through interprocess communication;
the first secure communication module is connected to the video processing module, the security check module and the first hardware cryptographic module, receives video acquisition data from the video processing module, and, according to the result of the security check module, decides whether to call the encryption and decryption, HASH operation, signature and signature verification services of the first hardware cryptographic module, thereby realizing encrypted transmission of the video data.
As a preferred technical scheme of the invention: the video security access gateway comprises a second secure communication module, a security filtering module, a video forwarding module and a second hardware cryptographic module; the second hardware cryptographic module provides encryption and decryption, HASH operation, signature and signature verification services to the second secure communication module through a hardware API (application programming interface), and provides secure storage for keys, the security policy file and the digital certificate;
the second secure communication module is connected to the security filtering module and to the second hardware cryptographic module; it calls the second hardware cryptographic module to decrypt video acquisition data from the video monitoring terminal and forwards the data to the security filtering module, or calls the second hardware cryptographic module to encrypt SIP control signaling coming from the security filtering module;
the security filtering module is connected to the second secure communication module, the video forwarding module and the second hardware cryptographic module; it reads the security policy file stored in the second hardware cryptographic module, checks the format and content of the video acquisition data from the second secure communication module and of the SIP control signaling from the video forwarding module according to a built-in filtering policy, forwards data that conforms to the policy and discards data that does not;
the video forwarding module is connected to the security filtering module and forwards the video data filtered by the security filtering module to the monitoring end in the power intranet, or forwards SIP control signaling from the monitoring end to the security filtering module.
As a preferred technical scheme of the invention: the monitoring end positioned in the power intranet comprises a video monitoring platform and a video monitoring workbench.
Compared with the prior art, the secure access method of the power video monitoring terminal has the following technical effects:
the invention designs a secure access method for a power video monitoring terminal that adopts a new control strategy and performs access control on the video monitoring terminal through multidimensional authentication and detection, comprising identity authentication and security state detection, the latter consisting of static information detection and dynamic information detection; this ensures that the accessed video monitoring terminal is compliant and realizes its secure access. Furthermore, a dedicated communication protocol is designed and applied for each communication service, simplifying the key negotiation and identity authentication processes, realizing efficient and secure transmission of video data, and improving the working efficiency of video monitoring.
Drawings
Fig. 1 is a system diagram of the secure access method for a power video monitoring terminal according to the present invention;
Fig. 2 is a schematic diagram of the architecture of the video monitoring terminal according to the present invention;
Fig. 3 is a schematic diagram of the architecture of the video security access gateway according to the present invention;
Fig. 4 is a schematic flow chart of the secure access method for a power video monitoring terminal according to the present invention;
Fig. 5 is a schematic flow chart of the self-security-check process of the video monitoring terminal according to the present invention;
Fig. 6 is a flowchart of the session key negotiation process according to the present invention.
Detailed Description
The following description will explain embodiments of the present invention in further detail with reference to the accompanying drawings.
The invention designs a secure access method for a power video monitoring terminal which, as shown in Fig. 1, is based on a video security access gateway, a security authentication system and an admission control system located in the same local area network in the power intranet; as shown in Fig. 4, each video monitoring terminal in the power extranet executes the following steps A to H and is thereby connected to the monitoring end located in the power intranet through the video security access gateway.
Step A, the video monitoring terminal establishes a network connection with the video security access gateway and sends its digital certificate to the video security access gateway to request identity authentication; proceed to step B.
Step B, the video security access gateway forwards the received digital certificate of the video monitoring terminal to the security authentication system, which verifies whether the digital certificate is expired or revoked; if so, access of the video monitoring terminal fails; otherwise, proceed to step C.
Step C, the video security access gateway generates a random number Rs, encrypts Rs with the public key of the video monitoring terminal's digital certificate and sends the encrypted Rs to the video monitoring terminal; the video monitoring terminal receives the encrypted Rs, decrypts it with the private key of its digital certificate to obtain Rs, and proceeds to step D.
Step D, the video monitoring terminal collects its own software and hardware information and performs compliance verification; if the verification passes, proceed to step E; if not, access of the video monitoring terminal fails.
Step E, the video monitoring terminal generates a random number Rt, encrypts Rt together with its software and hardware information using the public key of the video security access gateway, sends the encrypted data to the video security access gateway, and proceeds to step F.
Step F, the video security access gateway decrypts the data from the video monitoring terminal with its own private key to obtain Rt and the software and hardware information of the video monitoring terminal, and forwards the software and hardware information to the admission control system, which performs security verification on it; if the verification passes, the video security access gateway feeds back the passing result to the video monitoring terminal and proceeds to step G; if not, access of the video monitoring terminal fails.
Step G, the video monitoring terminal signs the random numbers Rs and Rt with the public key of the video security access gateway, sends the signature information to the video security access gateway, and proceeds to step H.
Step H, the video security access gateway verifies the signature from the video monitoring terminal to confirm the session key between the video monitoring terminal and itself; if the verification passes, the gateway feeds back the passing result to the video monitoring terminal, and the video monitoring terminal is successfully connected to the monitoring end in the power intranet; if the verification fails, access of the video monitoring terminal fails.
The technical scheme of the designed power video monitoring terminal security access method is applied to practice, and as shown in fig. 6, the following implementation scheme is specifically adopted to access the monitoring terminal located in the power intranet through the video security access gateway.
Step A, the video monitoring terminal applies a hash algorithm to its ID identification number ID_T, its digital certificate Cer_T and a randomly generated network serial number SN_0, generating the hash H(SN_0, ID_T, Cer_T); the video monitoring terminal then signs the hash with the private key D_t of its digital certificate to obtain E_Dt(H(SN_0, ID_T, Cer_T)), sends it to the video security access gateway to request identity authentication, and enters step B.
Step B, the video security access gateway forwards the received digital certificate Cer_T of the video monitoring terminal to the security authentication system, which verifies whether Cer_T is expired or revoked; if so, the access of the video monitoring terminal fails; otherwise the verification result is returned to the video security access gateway and step C is entered.
And C, the video security access gateway generates a random number Rs, encrypts the random number Rs by using a digital certificate public key of the video monitoring terminal, sends the encrypted random number Rs to the video monitoring terminal, receives the encrypted random number Rs by the video monitoring terminal, decrypts the encrypted random number Rs by using a digital certificate private key of the video monitoring terminal to obtain the random number Rs, and then the step D is carried out.
In practical application, as shown in fig. 2, each video monitoring terminal is specifically designed to include a video processing module, a security check module, a first hardware cryptographic module, and a first secure communication module; as shown in fig. 5, step D is carried out through the following steps D1 to D6.
And D1, collecting the unique serial number and the international mobile subscriber identity of the first hardware cryptographic module, the version number of the video processing module, the version number of the security check module, the version number of the first hardware cryptographic module, the version number of the first security communication module and the version number of the operating system of the video monitoring terminal by a security check module in the video monitoring terminal to form various software and hardware information of the video monitoring terminal, and then entering the step D2.
And D2, the security check module calls the first hardware password module, HASH operation is carried out on each item of software and hardware information respectively, each HASH value is obtained, then the security check module reads the security policy file pre-stored in the first hardware password module, whether each HASH value is consistent with the corresponding value in the security policy file or not is judged through comparison, if yes, the step D3 is carried out, and if not, the step D6 is carried out.
And D3, the security check module reads the process memory information of the video processing module and the first security communication module, the security check module calls the first hardware password module, HASH operation is carried out on the process memory information to obtain a corresponding HASH value, then comparison is carried out to judge whether the HASH value is consistent with the corresponding value in the security policy file, if yes, the step D4 is carried out, otherwise, the step D6 is carried out.
And D4, the security check module reads the process code segments of the video processing module and the first security communication module, calls the first hardware password module by the security check module, performs HASH operation on the process code segments to obtain corresponding HASH values, compares and judges whether the HASH values are consistent with the corresponding values in the security policy file, if so, the step D5 is executed, otherwise, the step D6 is executed.
And D5, the safety check module sends various software and hardware information, process memory information and process code segments to the first safety communication module according to the judgment results of the steps D2 to D4, the first safety communication module forwards the received information to the video safety access gateway, namely the compliance of the video monitoring terminal is verified, and then the step E is carried out.
And D6, the safety check module sends the judgment result and the illegal information to the first safety communication module and informs the first safety communication module to terminate the network connection between the video monitoring terminal and the video safety access gateway, namely the compliance verification of the video monitoring terminal fails and the access of the video monitoring terminal fails.
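The compliance verification of steps D1 to D6, written out as an added example (not code from the patent): the security check module hashes each collected item, then the process memory, then the code segments, and compares each value against the policy file in that order, so the first failing step routes to D6. The HASH algorithm (SHA-256), the policy file layout (a nested dict) and all sample values are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple


def hw_hash(data: bytes) -> str:
    # Stand-in for the HASH service of the first hardware cryptographic module;
    # the page does not name the algorithm, so SHA-256 is an assumption here.
    return hashlib.sha256(data).hexdigest()


@dataclass
class TerminalState:
    # The seven items the security check module collects in step D1.
    hw_module_serial: str
    imsi: str
    video_processing_version: str
    security_check_version: str
    hw_module_version: str
    secure_comm_version: str
    os_version: str
    # Process memory (step D3) and code segments (step D4) of the video
    # processing module and the first secure communication module.
    process_memory: Dict[str, bytes] = field(default_factory=dict)
    code_segments: Dict[str, bytes] = field(default_factory=dict)

    def info_items(self) -> Dict[str, bytes]:
        return {
            "hw_module_serial": self.hw_module_serial.encode(),
            "imsi": self.imsi.encode(),
            "video_processing_version": self.video_processing_version.encode(),
            "security_check_version": self.security_check_version.encode(),
            "hw_module_version": self.hw_module_version.encode(),
            "secure_comm_version": self.secure_comm_version.encode(),
            "os_version": self.os_version.encode(),
        }


# Security policy file: expected HASH value per item, grouped by the step that
# checks it. The page gives no layout, so a nested dict is assumed; the admission
# control system issues it and the terminal keeps it in the hardware module.
Policy = Dict[str, Dict[str, str]]


def build_policy(reference: TerminalState) -> Policy:
    """Derive the policy file from a known-good reference image of the terminal."""
    return {
        "info": {k: hw_hash(v) for k, v in reference.info_items().items()},
        "process_memory": {k: hw_hash(v) for k, v in reference.process_memory.items()},
        "code_segments": {k: hw_hash(v) for k, v in reference.code_segments.items()},
    }


def _check_group(actual: Dict[str, bytes], expected: Dict[str, str],
                 label: str) -> List[str]:
    """Hash each item and compare with the policy; return the names that differ.
    An item collected but absent from the policy, or listed in the policy but
    not collected, is reported as non-compliant rather than skipped."""
    violations = []
    for name in sorted(set(actual) | set(expected)):
        if name not in actual or name not in expected:
            violations.append(f"{label}:{name}")
        elif not hmac.compare_digest(hw_hash(actual[name]), expected[name]):
            violations.append(f"{label}:{name}")
    return violations


def compliance_check(state: TerminalState, policy: Policy) -> Tuple[bool, List[str]]:
    """Steps D2, D3 and D4 in order; the first step that fails routes to D6.
    Returns (passed, violations): True corresponds to step D5 (forward the
    collected information to the gateway), False to step D6 (report the
    judgement and terminate the connection)."""
    for label, actual in (("info", state.info_items()),             # D2
                          ("process_memory", state.process_memory),  # D3
                          ("code_segments", state.code_segments)):   # D4
        violations = _check_group(actual, policy.get(label, {}), label)
        if violations:
            return False, violations
    return True, []


def demo():
    """Constructed sample terminal; every value below is invented for this example."""
    good = TerminalState(
        hw_module_serial="HSM-0001", imsi="460001234567890",
        video_processing_version="1.2.0", security_check_version="1.0.3",
        hw_module_version="2.1", secure_comm_version="1.4.1", os_version="linux-4.19",
        process_memory={"video_processing": b"\x00\x01" * 8, "secure_comm": b"\x02\x03" * 8},
        code_segments={"video_processing": b"\x90" * 16, "secure_comm": b"\xcc" * 16},
    )
    policy = build_policy(good)
    # One byte of the video processing module's code segment differs: fails at D4.
    patched = replace(good, code_segments={"video_processing": b"\x90" * 15 + b"\x91",
                                           "secure_comm": b"\xcc" * 16})
    # Wrong OS version on top of the patched code: D2 already fails, D4 is never reached.
    downgraded = replace(patched, os_version="linux-4.14")
    return (compliance_check(good, policy), compliance_check(patched, policy),
            compliance_check(downgraded, policy))
```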
And E, the video monitoring terminal generates a random number Rt, encrypts the random number Rt and software and hardware information of the video monitoring terminal by applying a public key of the video security access gateway, sends the encrypted random number Rt and the software and hardware information of the video monitoring terminal to the video security access gateway, and then enters the step F.
And F, the video security access gateway uses a private key thereof to decrypt the data from the video monitoring terminal to obtain the random number Rt and the software and hardware information of the video monitoring terminal, the software and hardware information is forwarded to the admission control system, the admission control system carries out security verification on the software and hardware information, if the verification is passed, the video security access gateway feeds back the verification passing result to the video monitoring terminal, and the step G is carried out, and if the verification is not passed, the video monitoring terminal fails to be accessed.
Step G, as shown in FIG. 6, the video monitoring terminal synthesizes the session key Rs ^ Rt from the random numbers Rs and Rt, performs a hash operation on the session key, encrypts the hash operation result by using the public key of the video security access gateway, sends it to the video security access gateway, and then enters step H.
Step H, as shown in FIG. 6, the video security access gateway decrypts the encrypted data from the video monitoring terminal by using its private key to obtain the hash operation result; at the same time, the video security access gateway synthesizes the random numbers Rs and Rt it holds into the session key Rs ^ Rt, performs the hash operation on the session key, and compares the result with the hash operation result from the video monitoring terminal. If the comparison result is consistent, the verification is passed, the video security access gateway feeds back the verification passed result to the video monitoring terminal, so as to confirm the session key between the video monitoring terminal and the video security access gateway, and the video monitoring terminal is successfully accessed to the monitoring end in the power intranet; and if the comparison result is inconsistent, namely the verification is not passed, the access of the video monitoring terminal fails.
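The session key synthesis and confirmation of steps G and H, as an added example that is not code from the patent: both sides XOR Rs and Rt, the terminal hashes the result, and the gateway recomputes and compares in constant time before treating the key as confirmed. The public-key encryption of steps C, E and G is not modelled; the hash is passed directly, and the 16-byte nonce length and SHA-256 are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16  # byte length of Rs and Rt; the page does not fix one, so assumed


def hw_hash(data: bytes) -> bytes:
    # Stand-in for the hardware cryptographic module's HASH service (SHA-256 assumed).
    return hashlib.sha256(data).digest()


def synthesize_session_key(rs: bytes, rt: bytes) -> bytes:
    """The session key Rs ^ Rt that both sides compute in steps G and H."""
    if len(rs) != NONCE_LEN or len(rt) != NONCE_LEN:
        raise ValueError("Rs and Rt must both be NONCE_LEN bytes to be XORed")
    return bytes(a ^ b for a, b in zip(rs, rt))


def terminal_confirmation(rs: bytes, rt: bytes) -> bytes:
    """Step G on the terminal: hash of the synthesized session key.
    On the page this hash is then encrypted to the gateway's public key; that
    asymmetric layer is not modelled here and the hash is handed over directly."""
    return hw_hash(synthesize_session_key(rs, rt))


def gateway_confirm(rs: bytes, rt: bytes, received: bytes) -> Optional[bytes]:
    """Step H on the gateway: recompute the hash over its own Rs and the Rt
    obtained in step F, compare in constant time, and only then treat the key
    as confirmed. Returns the session key, or None when access fails."""
    key = synthesize_session_key(rs, rt)
    if hmac.compare_digest(hw_hash(key), received):
        return key
    return None


def demo() -> Tuple[bool, bool, bool]:
    """Happy path plus two failure cases, with nonces constructed locally."""
    rs = secrets.token_bytes(NONCE_LEN)   # generated by the gateway in step C
    rt = secrets.token_bytes(NONCE_LEN)   # generated by the terminal in step E
    # Happy path: both sides hold the same Rs and Rt.
    confirmed = gateway_confirm(rs, rt, terminal_confirmation(rs, rt))
    happy = confirmed == synthesize_session_key(rs, rt)
    # Gateway mistakenly reuses an Rs from another session: hashes differ, access fails.
    other_rs = secrets.token_bytes(NONCE_LEN)
    stale = gateway_confirm(other_rs, rt, terminal_confirmation(rs, rt)) is None
    # One corrupted byte in the Rt the gateway recovered in step F: access fails.
    bad_rt = bytes([rt[0] ^ 0x01]) + rt[1:]
    corrupt = gateway_confirm(rs, bad_rt, terminal_confirmation(rs, rt)) is None
    return happy, stale, corrupt
```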
In practical application, after the video monitoring terminal is successfully accessed to the monitoring terminal in the power intranet through the steps a to H, the following steps I1 to I3 are further designed and executed to upload target video acquisition data between the video monitoring terminal and the monitoring terminal.
And step I1, the video monitoring terminal encrypts the target video acquisition data by using the session key, sends the encrypted data to the video security access gateway, and then enters step I2.
Step I2, the video security access gateway applies the session key to decrypt the encrypted data to obtain the target video acquisition data, and executes a security check; if the check is passed, the method goes to step I3, and if the check is not passed, uploading the target video acquisition data fails.
And step I3, the video security access gateway forwards the acquired target video acquisition data to a monitoring end located in the power intranet.
For the designed power video monitoring terminal security access method, the invention further designs a system for realizing the method, as shown in fig. 1, specifically based on a video security access gateway, a security authentication system and an access control system which are located in the same local area network in the power intranet, and further comprises a first switch and a second switch; each video monitoring terminal is connected with the video security access gateway through a first switch arranged in the power intranet through a communication network, and the video security access gateway is connected with a monitoring end positioned in the power intranet through a second switch; and meanwhile, the video security access gateway is respectively connected with the security authentication system and the access control system, and the video security access gateway, the security authentication system and the access control system are arranged in a security access area defined in the power intranet.
The security authentication system realizes identity authentication of the video monitoring terminal, receives an application of a digital certificate from the video monitoring terminal and the video security access gateway, verifies the application, issues the digital certificate to the video monitoring terminal and the video security access gateway, and verifies timeliness and validity of the digital certificate.
The admission control system manages, for all video monitoring terminals, information such as digital certificate serial numbers, digital certificate validity periods, digital certificate subject information, unique serial numbers of hardware password modules, international mobile subscriber identities, version numbers of the video processing module, security check module, hardware password module and security communication module, the HASH values corresponding to each version, and terminal operating system version numbers, and forms from them a policy file which is issued to the video monitoring terminals through the video security access gateway.
In a specific practical application, as shown in fig. 2, the video processing module, the security check module, the first hardware cryptographic module, and the first secure communication module in the video monitoring terminal are designed as follows.
The first hardware password module provides encryption and decryption, HASH operation, signature and signature verification services for the video processing module and the first safety communication module through a hardware API (application program interface) interface, and provides safety storage for video acquisition data, a secret key, a safety strategy file and a digital certificate.
The video processing module is respectively connected with the first safety communication module and the first hardware password module, and the video processing module encrypts and stores the video acquisition data in a safety storage area in the first hardware password module or sends the video acquisition data to the first safety communication module.
The security check module safely scans the software and hardware state of the video monitoring terminal, covering the unique serial number of the first hardware password module, the international mobile subscriber identity, the version number of the video processing module, the version number of the security check module, the version number of the first hardware password module, the version number of the first security communication module and the version number of the operating system of the video monitoring terminal, judges it according to the security policy file, and sends the judgment result to the first security communication module through interprocess communication.
The first safety communication module is respectively connected with the video processing module, the safety inspection module and the first hardware password module, receives video acquisition data from the video processing module, and selects whether to call encryption and decryption, HASH operation, signature and signature verification services of the first hardware password module according to the result of the safety inspection module, so that the encryption and transmission of the video data are realized.
Regarding the video security access gateway, in practical application, as shown in fig. 3, the video security access gateway is specifically designed to include a second security communication module, a security filtering module, a video forwarding module, and a second hardware cryptographic module; the second hardware password module provides encryption and decryption, HASH operation, signature and signature verification services for the second secure communication module through a hardware API (application program interface), and provides secure storage for a secret key, a security policy file and a digital certificate; the second safety communication module is respectively connected with the safety filtering module and the second hardware password module, and calls the second hardware password module to decrypt video acquisition data from the video monitoring terminal and forward the video acquisition data to the safety filtering module or calls the second hardware password module to encrypt SIP control signaling from the safety filtering module; the security filtering module is respectively connected with the second security communication module, the video forwarding module and the second hardware password module, reads a security policy file stored in the second hardware password module, checks formats and contents of video acquisition data from the second security communication module and SIP control signaling from the video forwarding module according to a built-in filtering policy, and forwards the video according with the policy and discards the video not according with the policy; the video forwarding module is connected with the safety filtering module, and forwards the video data filtered by the safety filtering module to a monitoring end in the power intranet, or forwards an SIP control signaling from the monitoring end to the safety filtering module.
In practical application, the monitoring end in the power intranet comprises a video monitoring platform and a video monitoring workbench, wherein the video monitoring platform is used for managing and controlling the video monitoring terminal, and comprises call establishment and control, user and equipment management, audio and video storage, streaming media processing, audio and video distribution and platform management; the video monitoring workbench realizes multi-picture browsing, picture monitoring of different specifications, historical video playback and local file playing of videos, and remote control of parameters of a video encoder.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (9)

1. A safety access method for a power video monitoring terminal is characterized by comprising the following steps: based on a video security access gateway, a security authentication system and an access control system which are positioned in the same local area network in the power intranet, each video monitoring terminal in the power extranet respectively executes the following steps A to H, and is accessed to a monitoring terminal in the power intranet through the video security access gateway;
a, the video monitoring terminal establishes network connection with a video security access gateway, the video monitoring terminal sends a digital certificate of the video monitoring terminal to the video security access gateway to request identity authentication, and the step B is entered;
b, the video security access gateway forwards the received digital certificate from the video monitoring terminal to a security authentication system, the security authentication system verifies whether the digital certificate is expired or revoked, and if so, the video monitoring terminal fails to be accessed; otherwise, entering the step C;
c, the video security access gateway generates a random number Rs, encrypts the random number Rs by using a digital certificate public key of the video monitoring terminal, sends the encrypted random number Rs to the video monitoring terminal, receives the encrypted random number Rs by the video monitoring terminal, decrypts the encrypted random number Rs by using a digital certificate private key of the video monitoring terminal to obtain the random number Rs, and then enters the step D;
d, the video monitoring terminal collects the software and hardware information of the video monitoring terminal and executes compliance verification, if the verification is passed, the step E is carried out, and if the verification is not passed, the access of the video monitoring terminal is failed;
e, the video monitoring terminal generates a random number Rt, applies a public key of the video security access gateway, encrypts the random number Rt and software and hardware information of the video monitoring terminal, sends the encrypted random number Rt and the software and hardware information to the video security access gateway, and then enters step F;
f, the video security access gateway uses its private key to decrypt the data from the video monitoring terminal to obtain the random number Rt and the software and hardware information of the video monitoring terminal, and forwards the software and hardware information to the access control system, which carries out security verification on the software and hardware information; if the verification is passed, the video security access gateway feeds back the verification passed result to the video monitoring terminal and step G is entered, and if the verification is not passed, the access of the video monitoring terminal fails;
g, the video monitoring terminal signs the random numbers Rs and Rt by using a public key of the video security access gateway, sends the signature information to the video security access gateway, and then enters step H;
step H, the video security access gateway verifies the signature from the video monitoring terminal to confirm the session key between the video monitoring terminal and the video security access gateway, if the verification is passed, the video security access gateway feeds back the verification passing result to the video monitoring terminal, namely the video monitoring terminal is successfully accessed to the monitoring terminal in the power intranet; and if the verification fails, the access of the video monitoring terminal fails.
2. The power video monitoring terminal security access method according to claim 1, characterized in that: the method comprises the steps that based on the fact that a video monitoring terminal is successfully accessed to a monitoring end located in an electric power intranet, the following steps I1 to I3 are executed, and uploading of target video acquisition data between the video monitoring terminal and the monitoring end is achieved;
step I1, the video monitoring terminal encrypts the target video acquisition data by using the session key, sends the encrypted data to the video security access gateway, and then enters step I2;
step I2, the video security access gateway applies the session key to decrypt the encrypted data to obtain the target video acquisition data, and executes a security check; if the check is passed, the method goes to step I3, and if the check fails, uploading the target video acquisition data fails;
and step I3, the video security access gateway forwards the acquired target video acquisition data to a monitoring end located in the power intranet.
3. The power video monitoring terminal security access method according to claim 1, characterized in that: based on that each video monitoring terminal respectively comprises a video processing module, a security check module, a first hardware password module and a first security communication module; the step D comprises the following steps D1 to D6;
d1, collecting the unique serial number and the international mobile subscriber identity of the first hardware cryptographic module, the version number of the video processing module, the version number of the security check module, the version number of the first hardware cryptographic module, the version number of the first security communication module and the version number of the operating system of the video monitoring terminal by a security check module in the video monitoring terminal to form various software and hardware information of the video monitoring terminal, and then entering the step D2;
step D2, the security check module calls the first hardware password module, HASH operation is carried out on each item of software and hardware information respectively, each HASH value is obtained, then the security check module reads the security policy file pre-stored in the first hardware password module, whether each HASH value is consistent with the corresponding value in the security policy file or not is judged through comparison, if yes, the step D3 is carried out, and if not, the step D6 is carried out;
step D3, the security check module reads the process memory information of the video processing module and the first security communication module, the security check module calls the first hardware password module, HASH operation is carried out on the process memory information to obtain a corresponding HASH value, then whether the HASH value is consistent with the corresponding value in the security policy file is judged by comparison, if yes, the step D4 is executed, otherwise, the step D6 is executed;
step D4, the security check module reads the process code segments of the video processing module and the first security communication module, calls the first hardware password module to perform HASH operation on the process code segments to obtain the corresponding HASH values, then compares and judges whether the HASH values are consistent with the corresponding values in the security policy file; if yes, the step D5 is entered, otherwise, the step D6 is entered;
step D5, the safety check module sends each item of software and hardware information, the process memory information and the process code segment to the first safety communication module according to the judgment results from the step D2 to the step D4, the first safety communication module forwards the received information to the video safety access gateway, namely the compliance verification of the video monitoring terminal is passed, and then the step E is carried out;
and D6, the safety check module sends the judgment result and the illegal information to the first safety communication module and informs the first safety communication module to terminate the network connection between the video monitoring terminal and the video safety access gateway, namely the compliance verification of the video monitoring terminal fails and the access of the video monitoring terminal fails.
4. The power video monitoring terminal security access method according to claim 1, characterized in that: the steps A to C are as follows:
step A, the video monitoring terminal applies a hash algorithm to its ID identification number ID_T, its digital certificate Cer_T and a randomly generated network serial number SN_0, generating the hash H(SN_0, ID_T, Cer_T); the video monitoring terminal then signs the hash with the private key D_t of its digital certificate to obtain E_Dt(H(SN_0, ID_T, Cer_T)), sends it to the video security access gateway to request identity authentication, and enters step B;
step B, the video security access gateway forwards the received digital certificate Cer_T of the video monitoring terminal to the security authentication system, which verifies whether Cer_T is expired or revoked; if so, the access of the video monitoring terminal fails; otherwise the verification result is returned to the video security access gateway, and step C is entered;
and C, the video security access gateway generates a random number Rs, encrypts the random number Rs by using a digital certificate public key of the video monitoring terminal, sends the encrypted random number Rs to the video monitoring terminal, receives the encrypted random number Rs by the video monitoring terminal, decrypts the encrypted random number Rs by using a digital certificate private key of the video monitoring terminal to obtain the random number Rs, and then the step D is carried out.
5. The power video monitoring terminal security access method according to claim 1, characterized in that: the steps G to H are performed as follows:
g, the video monitoring terminal synthesizes a session key Rs ^ Rt by using random numbers Rs and Rt, carries out Hash operation on the session key, encrypts a Hash operation result by using a public key of the video security access gateway, sends the Hash operation result to the video security access gateway, and then enters step H;
step H, the video security access gateway decrypts the encrypted data from the video monitoring terminal by using its private key to obtain the hash operation result, synthesizes the random numbers Rs and Rt held in the video security access gateway into the session key Rs ^ Rt, performs the hash operation on the session key, and compares the result with the hash operation result from the video monitoring terminal; if the comparison result is consistent, the verification is passed, the video security access gateway feeds back the verification result to the video monitoring terminal to confirm the session key between the video monitoring terminal and the video security access gateway, and the video monitoring terminal is successfully accessed to the monitoring end in the power intranet; and if the comparison result is inconsistent, namely the verification is not passed, the access of the video monitoring terminal fails.
6. A system for realizing the power video monitoring terminal security access method of any one of claims 1 to 5 is characterized in that: the system comprises a video security access gateway, a security authentication system and an access control system which are based on the same local area network in an electric power intranet, and further comprises a first switch and a second switch; each video monitoring terminal is connected with the video security access gateway through a first switch arranged in the power intranet through a communication network, and the video security access gateway is connected with a monitoring end positioned in the power intranet through a second switch; and meanwhile, the video security access gateway is respectively connected with the security authentication system and the access control system, and the video security access gateway, the security authentication system and the access control system are arranged in a security access area defined in the power intranet.
7. The system of the power video monitoring terminal security access method according to claim 6, wherein: in the structure formed by the video processing module, the safety inspection module, the first hardware password module and the first safety communication module in the video monitoring terminal:
the first hardware password module provides encryption and decryption, HASH operation, signature and signature verification services for the video processing module and the first safety communication module through a hardware API (application program interface) interface, and provides safety storage for video acquisition data, a secret key, a safety strategy file and a digital certificate;
the video processing module is respectively connected with the first secure communication module and the first hardware password module, and encrypts and stores video acquisition data into a secure storage area in the first hardware password module or sends the video acquisition data to the first secure communication module;
the security check module safely scans the software and hardware state of the video monitoring terminal, covering the unique serial number of the first hardware password module, the international mobile subscriber identity, the video processing module version number, the security check module version number, the first hardware password module version number, the first security communication module version number and the video monitoring terminal operating system version number, judges it according to the security policy file, and sends the judgment result to the first security communication module through interprocess communication;
the first secure communication module is connected to the video processing module, the security inspection module and the first hardware cryptographic module; it receives video acquisition data from the video processing module and, depending on the result of the security inspection module, decides whether to call the encryption/decryption, hash, signing and signature-verification services of the first hardware cryptographic module, so that the video data is encrypted and transmitted.
8. The system for the power video monitoring terminal secure access method according to claim 6, wherein: the video security access gateway comprises a second secure communication module, a security filtering module, a video forwarding module and a second hardware cryptographic module; the second hardware cryptographic module provides encryption/decryption, hash, signing and signature-verification services to the second secure communication module through a hardware API (application programming interface), and provides secure storage for keys, the security policy file and digital certificates;
the second secure communication module is connected to the security filtering module and the second hardware cryptographic module; it calls the second hardware cryptographic module to decrypt video acquisition data from the video monitoring terminal and forwards the result to the security filtering module, or calls the second hardware cryptographic module to encrypt SIP control signaling coming from the security filtering module;
the security filtering module is connected to the second secure communication module, the video forwarding module and the second hardware cryptographic module; it reads the security policy file stored in the second hardware cryptographic module, checks the format and content of video acquisition data from the second secure communication module and of SIP control signaling from the video forwarding module against the built-in filtering policy, forwards data that complies with the policy and discards data that does not;
the video forwarding module is connected to the security filtering module and forwards the video data passed by the security filtering module to the monitoring end in the power intranet, or forwards SIP control signaling from the monitoring end to the security filtering module.
9. The system for the power video monitoring terminal secure access method according to claim 6, wherein: the monitoring end located in the power intranet comprises a video monitoring platform and a video monitoring workstation.
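The two data paths that claims 7 and 8 describe (terminal encrypts with its hardware cryptographic module; gateway verifies and decrypts, applies the policy file, forwards only compliant video and SIP signaling) can be shown end to end in a few dozen lines. The following is an added example written for this page, not the patent holder's implementation. It assumes a software stand-in for the hardware cryptographic module (keys held as attributes instead of inside hardware), an encrypt-then-MAC cipher built from HMAC-SHA256 (a PRF keystream in counter mode plus a tag) chosen only so the example runs on the Python standard library, a constructed video framing (4-byte magic plus big-endian length) and a constructed policy file; none of these are specified by the page.

```python
"""Added example: secure-communication and policy-filtering pipeline of the video
security access gateway (claims 7 and 8).  Not the patent holder's code.
Assumed: software stand-in for the hardware cryptographic module, an HMAC-based
encrypt-then-MAC cipher (standard library only), constructed framing and policy."""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed stand-in for the security policy file held in the gateway's
# hardware cryptographic module (the page does not specify its format).
POLICY = {
    "video_magic": b"VID1",
    "max_frame_bytes": 64 * 1024,
    "sip_methods": {"INVITE", "ACK", "BYE", "MESSAGE"},
    "sip_max_len": 2048,
}


class SoftCryptoModule:
    """Software stand-in for the hardware cryptographic module.  A real module keeps
    the keys inside the hardware and exposes only encrypt/decrypt/hash/sign/verify
    over its API; here the keys are attributes so the example is self-contained."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self._enc_key = enc_key
        self._mac_key = mac_key

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # PRF in counter mode: block i = HMAC(enc_key, nonce || i).
        blocks = [hmac.new(self._enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range((n + 31) // 32)]
        return b"".join(blocks)[:n]

    def encrypt(self, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
        nonce = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> Optional[bytes]:
        """Verify the tag first; data with a bad tag is never decrypted."""
        if len(blob) < 16 + 32:
            return None
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def check_video(frame: bytes) -> bool:
    """Format check on a decrypted video frame: magic, declared length, size bound."""
    if len(frame) < 8 or frame[:4] != POLICY["video_magic"]:
        return False
    (declared,) = struct.unpack(">I", frame[4:8])
    return declared == len(frame) - 8 and declared <= POLICY["max_frame_bytes"]


def check_sip(msg: bytes) -> bool:
    """Content check on SIP signaling from the intranet monitoring end: ASCII only,
    bounded size, well-formed request line, method on the allowlist."""
    if len(msg) > POLICY["sip_max_len"]:
        return False
    try:
        text = msg.decode("ascii")
    except UnicodeDecodeError:
        return False
    parts = text.partition("\r\n")[0].split(" ")
    return len(parts) == 3 and parts[0] in POLICY["sip_methods"] and parts[2] == "SIP/2.0"


def terminal_send(module: SoftCryptoModule, payload: bytes) -> bytes:
    """First secure-communication module: frame the captured video and encrypt it."""
    frame = POLICY["video_magic"] + struct.pack(">I", len(payload)) + payload
    return module.encrypt(frame)


def gateway_video_in(module: SoftCryptoModule, blob: bytes) -> Optional[bytes]:
    """Terminal-to-intranet path: decrypt, then filter.  Returns the frame to
    forward to the monitoring end, or None to discard."""
    frame = module.decrypt(blob)
    if frame is None or not check_video(frame):
        return None
    return frame


def gateway_sip_out(module: SoftCryptoModule, sip: bytes) -> Optional[bytes]:
    """Intranet-to-terminal path: filter the SIP signaling first, then encrypt it."""
    return module.encrypt(sip) if check_sip(sip) else None


if __name__ == "__main__":
    # Both modules are assumed to hold the same provisioned session keys.
    shared = SoftCryptoModule(os.urandom(32), os.urandom(32))
    blob = terminal_send(shared, b"\x00\x00\x00\x01" + b"\x65" * 100)  # constructed frame
    print("clean frame forwarded:", gateway_video_in(shared, blob) is not None)
    tampered = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]
    print("tampered frame dropped:", gateway_video_in(shared, tampered) is None)
    print("INVITE passed:", gateway_sip_out(shared, b"INVITE sip:cam01@192.0.2.10 SIP/2.0\r\n") is not None)
    print("REGISTER dropped:", gateway_sip_out(shared, b"REGISTER sip:cam01@192.0.2.10 SIP/2.0\r\n") is None)
```

Two ordering choices matter here and match the claim text. On the inbound path the tag is verified before anything is decrypted or parsed, so a forged or tampered stream never reaches the format checker; on the outbound path the SIP signaling is filtered before it is encrypted, so the terminal only ever receives signaling the gateway has already accepted. In a deployment the HMAC-based cipher would be replaced by the module's own authenticated cipher and the policy file would be read from the module's secure storage rather than a module-level constant.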
CN202110487571.2A 2021-05-06 2021-05-06 Safe access method and system for power video monitoring terminal Active CN112995612B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110487571.2A CN112995612B (en) 2021-05-06 2021-05-06 Safe access method and system for power video monitoring terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110487571.2A CN112995612B (en) 2021-05-06 2021-05-06 Safe access method and system for power video monitoring terminal

Publications (2)

Publication Number Publication Date
CN112995612A CN112995612A (en) 2021-06-18
CN112995612B true CN112995612B (en) 2021-07-23

Family

ID=76337006

Country Status (1)

Country Link
CN (1) CN112995612B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422256B (en) * 2022-01-24 2023-11-17 南京南瑞信息通信科技有限公司 High-performance security access method and device based on SSAL/SSL protocol
CN114629803A (en) * 2022-02-21 2022-06-14 厦门网为股份有限公司 Zero-trust data monitoring architecture and method based on security key
CN115549932B (en) * 2022-12-06 2023-05-02 信联科技(南京)有限公司 Security access system and access method for massive heterogeneous Internet of things terminals
CN115835194B (en) * 2023-02-15 2023-06-06 信联科技(南京)有限公司 NB-IOT terminal safety access system and access method
CN117478432B (en) * 2023-12-27 2024-03-19 国网天津市电力公司信息通信公司 Safety operation and maintenance system for power communication equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080108426A1 (en) * 2006-11-06 2008-05-08 Igt Remote wager gaming system using a video game console
CN102497581A (en) * 2011-12-14 2012-06-13 广州杰赛科技股份有限公司 Digital-certificate-based video monitoring data transmission method and system
CN107343179A (en) * 2017-08-14 2017-11-10 华北电力大学 A kind of video information encryption and video terminal security certification system, authentication method and its application
CN109218825A (en) * 2018-11-09 2019-01-15 北京京航计算通讯研究所 A kind of video encryption system

Also Published As

Publication number Publication date
CN112995612A (en) 2021-06-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant