Identification data encryption access method in nuclear power networking collaborative computing environment
Technical Field
The invention belongs to the technical field related to data information processing in a nuclear power networking collaborative cloud computing platform and application of a nuclear power identification analysis system, and particularly relates to an identification data encryption access method in a nuclear power networking collaborative computing environment.
Background
At present, cloud computing service deployment modes are divided into public cloud, private cloud and hybrid cloud, of which the hybrid cloud is the future development trend. The public cloud is currently the most mainstream and popular service mode and can provide mature, large-scale request services to the public; the private cloud mainly provides cloud services inside an enterprise and is located in a local area network, so that personnel in the enterprise can effectively manage data processing efficiency, security and the like; the hybrid cloud is composed of two or more clouds that remain independent of each other and are joined through standard or proprietary technology, and it supports dynamic, intelligent and elastic growth of local business by using public clouds to expand the private cloud capacity of the enterprise.
Cloud storage is one of concrete embodiments of cloud computing technology, is not a storage but a service, and is also classified into three types, namely public cloud, private cloud and hybrid cloud. From the view of a service component, cloud storage refers to the fact that a plurality of storage devices and servers form a set capable of providing cloud computing services through the Internet, and is a service mode for users to access the cloud services mutually; from the aspect of service form, cloud storage provides users with real-time service for accessing cloud resources, and the cloud storage has wide application range of equipment, is easy to operate, is easy to expand and manage, and is favored by more and more users and enterprises.
When a user chooses to deploy a large number of applications and a large amount of data into the cloud computing platform, the cloud computing system accordingly also becomes a cloud storage system. The cloud storage system has the advantages of high scalability, high efficiency, low cost and the like. On the one hand, users enjoy the convenience of cloud services by sending locally stored data to the cloud server; on the other hand, because the cloud server storing the data is publicly accessible, it is exposed to cloud security problems such as malicious attacks or even illegal acquisition of data by unrelated users. Therefore, how to let users enjoy convenient and quick use of the cloud server without worrying about the security and confidentiality of the data stored in the cloud is an urgent problem to be solved. Encryption of data is an effective means of guaranteeing data privacy, and various encryption methods with different functions and security strengths have been researched and put into use, such as symmetric encryption algorithms and asymmetric encryption algorithms; in addition, while secure and efficient searching of cloud data is ensured, the legitimate access rights that users are given to the relevant data are very important in the data sharing process.
The cloud platform of the nuclear power industry of Shanghai nuclear power and the cloud platform of the Shanghai super computing center are coupled and linked, super computing resources are brought into an integrated cloud resource system, different high-performance computing clusters in private cloud and public cloud environments of enterprises are gradually integrated, a simulation computing resource framework with distinct layers and dynamic expansion is further formed, a unified safe access mechanism, massive simulation computing capacity and high-definition three-dimensional interactive experience are provided for users, and the domestic leading cascade, elastic and professional engineering computing hybrid cloud computing platform is realized.
The industrial Internet identification analysis system is an infrastructure for constructing comprehensive interconnection of people, machines and objects. It can realize comprehensive interconnection of industrial elements such as industrial design, research and development, production, sales and service, improves cooperation efficiency, and promotes the open flow and aggregation of industrial data. According to the actual development demands of enterprises of Shanghai and the target of establishing a digital research and development system, and in line with industrial Internet identification analysis for the nuclear power industry, identification analysis technology is used as an integrated application framework for solving "information islands". An integrated application of the nuclear power industry networking collaborative design cloud platform is built on an industrial Internet identification analysis system that integrates hardware equipment, virtual resources and resource management, office work, design, calculation, graphic processing and the like, so that "Internet + nuclear power design" technical service capabilities such as specialized tool collaboration, data sharing and knowledge transfer are gradually built.
Disclosure of Invention
In a networked collaborative design cloud platform of the nuclear power industry that is integrated with an identification analysis system, research and development computing personnel use super-computing public cloud resources from inside the enterprise, through the cloud platform, to carry out simulation computation, and the computing data is transmitted and stored in encrypted form in a hybrid cloud environment. In order to realize secure collaborative processing of the computing data by cross-department designers on this premise, the invention provides an identification data encryption access method in a nuclear power networking collaborative computing environment (shown in FIG. 1), which comprises the following five main steps:
Firstly, after passing enterprise security authentication, a nuclear power equipment professional simulation calculation engineer logs in to the collaborative design management service platform based on the nuclear power identification analysis system to carry out daily work. When large-scale simulation analysis of nuclear power equipment with an identification code is carried out, the engineer logs in directly to the super-computing public cloud computing platform through the high-performance computing (HPC) integrated management sub-node inside the enterprise.
Secondly, the simulation calculation engineer uses the super-computing public cloud computing platform to call a high-performance computing cluster to carry out large-scale simulation calculation of the specific identified nuclear power equipment, and corresponding calculation result data is generated. The non-core part of the calculation result data of the identified nuclear power equipment is stored in the super-computing public cloud file server after being encrypted, and the core part of the calculation result data is transmitted back to the enterprise private cloud file server after being encrypted.
Thirdly, after passing enterprise security authentication, a nuclear power equipment collaborative design engineer logs in to the collaborative design management service platform based on the nuclear power identification analysis system to carry out daily work. The collaborative design engineer then sends a search request for the relevant simulation calculation data of the designated nuclear power equipment according to the nuclear power equipment identification analysis system.
Fourthly, after the nuclear power equipment identification verification and the engineer authority verification pass, the file server searches for the core part of the calculation result data in the enterprise private cloud storage and for the non-core part of the calculation result data in the super-computing public cloud storage.
Fifthly, after the two encrypted files are decrypted and combined, the complete simulation calculation data conforming to the identification information of the nuclear power equipment is returned to the collaborative design management service platform for use by the collaborative design engineer.
The invention centers on the collaborative research and development work scenario of engineers in different departments and posts within a nuclear power enterprise. It carries out collaborative research and development of nuclear power equipment in a hybrid cloud environment on a networked collaborative design cloud platform of the nuclear power industry based on an identification analysis system, realizes a secure access mechanism for the computing data of identified nuclear power equipment in the hybrid cloud environment through data encryption and access control technology, improves research and development design efficiency and data information security, and helps the enterprise improve its collaborative design level for complex nuclear power equipment.
Drawings
FIG. 1 is a schematic diagram illustrating the overall implementation of the present invention
FIG. 2 is a flow chart of using super-computing public clouds for a nuclear power platform of an enterprise
FIG. 3 illustrates a computing data slicing encryption storage flow chart
FIG. 4 illustrates a read-decrypt flow chart for identification computing data access
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description which follow:
(1) When simulation analysis of nuclear power equipment needs to be carried out, the professional simulation computing engineer, after identity confirmation through the enterprise security LDAP unified authentication mechanism, logs in to the collaborative design management service platform based on the nuclear power identification analysis system to carry out daily work. In daily operations, each nuclear power plant component opened by a user on the collaborative design platform must have an explicit identification code.
The initialization algorithm INIT is started, and the enterprise private cloud storage server generates and outputs a public key PK and a system master key SK to the designated engineer according to the designated nuclear power equipment identification attribute PA and the security parameter SA.
(2) When large-scale simulation analysis of nuclear power equipment with an identification code is performed, the engineer further uses the HPC integrated management sub-node, which is dedicated to high-performance computing within the enterprise collaborative design platform. In this sub-node the engineer can clearly browse the lists of software and hardware computing resources, of different disciplines and categories, that the public cloud of the external supercomputing center can provide, and ticks the corresponding computing resource items according to the actual simulation requirements (see FIG. 2).
(3) After the public cloud computing resource item is selected by the simulation computing engineer, the simulation computing engineer can directly log in the public cloud computing platform of the external super computing center, and the platform is utilized to freely call the high-performance computing cluster to carry out various large-scale simulation computing works such as structural analysis/fluid analysis/optimization analysis of the identified nuclear power equipment, wherein each nuclear power equipment analysis task can generate new computing task identification codes when submitting computation, and corresponding computing result data is generated after the computation is completed.
(4) The simulation calculation engineer uses a data division algorithm to divide the obtained calculation result data D into core key data D1 and non-core key data D2. After the core key data D1 is transmitted to the enterprise private cloud storage server, the key ciphertext data SD1 is output based on an attribute control algorithm, combining the public key PK and the identifier JID of the computing job to be encrypted; after the non-core key data D2 is transmitted to the super-computing public cloud storage server, a symmetric encryption key SEK is randomly selected from the key space, D2 is encrypted based on a searchable encryption algorithm, and non-key ciphertext data SD2 related to the computing job identifier JID is output (see FIG. 3).
(5) When collaborative design of the nuclear power equipment needs to be carried out, the professional simulation computing engineer, after identity confirmation through the enterprise security LDAP unified authentication mechanism, logs in to the collaborative design management service platform based on the nuclear power identification analysis system to carry out daily work. In daily work, engineers can use the identification analysis system on the collaborative design platform to open the data index information base of the specific nuclear power equipment part that matches the identification coding information designated in their assigned work task.
The collaborative design engineer private key generation algorithm is started, and the collaborative design engineer private key UK is generated according to the engineer authority attribute UA, the private cloud storage server public key PK and the system master key SK.
(6) When the collaborative design engineer needs to review/check/review certain specific simulation calculation result data of a specific nuclear power equipment part, the engineer again uses the identification analysis system to query all calculation tasks with explicit identification codes belonging to that nuclear power equipment part, and sends to the nuclear power collaborative design platform a search request for retrieving the relevant simulation calculation data matching the nuclear power equipment part and the calculation task identification codes.
The collaborative design engineer uses the private key UK and the identifier JID' of the computing task to be searched, sends JID' to the private cloud server, and uses a threshold generation algorithm to output a threshold value THRES.
(7) According to the search request, after the corresponding nuclear power equipment identification verification and the collaborative design engineer authority verification both pass, the file server in the nuclear power collaborative design platform searches, respectively, for the encrypted data of the simulation calculation task matching the identification coding information in the enterprise private cloud storage and for the encrypted data of the simulation calculation task matching the identification coding information in the super-computing public cloud storage (see FIG. 4).
The enterprise private cloud storage server performs verification using the threshold value THRES and the key ciphertext data SD1. If the engineer attribute authority passes verification and the searched computing task identifier is consistent with the encrypted computing task identifier, SD1 is output, and the threshold value THRES is sent to the super-computing public cloud storage server to download the non-key ciphertext data SD2 consistent with the computing task identifier.
(8) In enterprise private cloud storage, two parts of encrypted data are decrypted and combined into a complete calculation result data file, and the complete calculation result data file is transmitted back to a temporary file space of a specific nuclear power equipment part in a nuclear power collaborative design management service platform for a collaborative design engineer to review. When the collaborative design engineer finishes the rechecking/checking/reviewing work for the nuclear power equipment parts and exits the nuclear power collaborative design cloud platform, various temporary files under the file space of the specific nuclear power equipment parts are automatically destroyed.
The private cloud storage server decrypts the non-key ciphertext data SD2 using the symmetric encryption key SEK to output the non-core computing data D2, and decrypts the key ciphertext data SD1 using the collaborative design engineer private key UK to output the core computing data D1. If the computing job identifiers JID of the two parts are consistent, the two are combined into a complete file and transmitted back to the nuclear power collaborative design platform for the collaborative design engineer to use.
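The flow of steps (4) to (8) can be walked through with the following Python sketch, which is an added example and not part of the original disclosure. Assumptions: the attribute control and searchable encryption algorithms, which the text does not specify, are replaced by HMAC-SHA256 stand-ins from the standard library, the private cloud enforces the attribute policy itself instead of decrypting SD1 with UK, and all names (PrivateCloud, seal, unseal, make_thres, the attribute strings) are hypothetical.

```python
import hashlib, hmac, secrets

def mac(key, *parts):
    # Length-prefix every field so boundaries between fields cannot shift.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def keystream(key, nonce, n):
    blocks = (mac(key, b"ks", nonce, i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, jid, data):
    # Stand-in cipher (assumption): HMAC-SHA256 keystream; the tag covers JID.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    return nonce + ct + mac(key, b"tag", jid, nonce, ct)

def unseal(key, jid, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, mac(key, b"tag", jid, nonce, ct)):
        raise ValueError("ciphertext is not bound to this JID")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def make_thres(uk, jid):
    # Engineer side, step (6): search token THRES from UK and JID'.
    return mac(uk, b"thres", jid)

class PrivateCloud:
    def __init__(self, policy):
        self.sk = secrets.token_bytes(32)   # system master key SK
        self.policy = set(policy)           # attributes required to read D1
        self.sd1, self.sek = {}, {}

    def keygen(self, ua):
        # UK for authority attributes UA (stand-in for attribute-based keygen).
        return mac(self.sk, b"UK", *(a.encode() for a in sorted(ua)))

    def index(self, jid):
        # Blind lookup tag, so the public cloud never stores JID in clear.
        return mac(self.sk, b"idx", jid).hex()

    def store(self, jid, d1, d2, public):
        # Step (4): SD1 stays in the private cloud, SD2 goes to the public cloud.
        self.sek[jid] = secrets.token_bytes(32)   # random SEK
        self.sd1[jid] = seal(mac(self.sk, b"D1"), jid, d1)
        public[self.index(jid)] = seal(self.sek[jid], jid, d2)

    def fetch(self, ua, jid, thres, public):
        # Steps (7)-(8): verify attributes and THRES, decrypt both parts, merge.
        ok = self.policy <= set(ua) and hmac.compare_digest(
            thres, make_thres(self.keygen(ua), jid))
        if not ok or jid not in self.sd1:
            raise PermissionError("attribute or JID verification failed")
        d1 = unseal(mac(self.sk, b"D1"), jid, self.sd1[jid])
        d2 = unseal(self.sek[jid], jid, public[self.index(jid)])
        return d1 + d2
```

A THRES computed for a different JID, or from an attribute set that does not satisfy the policy, is rejected before any decryption, and a public cloud blob moved into another job's slot fails the JID-bound tag check in unseal.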
The technical terms related to the field of the invention are as follows:
Lightweight Directory Access Protocol (LDAP): an open, neutral, industry-standard application protocol for accessing and maintaining distributed directory information over the IP protocol. One common use of LDAP is single sign-on, where a user can use the same password in multiple services, typically for sign-on to a company's internal website. Software applications need not each use their own user management method, and can instead perform user authentication through such a unified authentication mechanism.
The core of the identification analysis system comprises three parts: identification coding, the identification analysis system, and the identification data service. Identification coding concerns the technology for defining, allocating and managing the data structure of an object's coding format; identification analysis is the system for querying the network location or related information of a target object, and can uniquely locate and query information about the target object according to its identification code; the identification data service carries out industrial identification data management and networked data sharing by means of the identification coding resources and the identification analysis system.
The symmetric encryption algorithm appeared early and has a mature system, and it was the only form of encryption before public key encryption algorithms appeared. Because of its own advantages, symmetric encryption is still widely studied and used at present. In a symmetric cryptosystem, a user encrypts and decrypts data using the same key. The two communicating parties select the same secret key through negotiation, trust each other, and ensure that the secret key is not revealed. The security of a symmetric cryptosystem is mainly determined by the secrecy of the key, irrespective of the encryption algorithm.
Public key cryptography proposes handling the encryption and decryption keys of a cryptosystem separately: the encryption key is the public key and may be transmitted openly on a network, while the decryption key is the private key and is kept by the user. The basic principle of public key cryptography is based on a one-way function, i.e. the corresponding public key can be obtained by calculation from the private key, but the private key can hardly be derived from the public key, so that public key cryptography is safer than symmetric cryptography.
The above embodiments merely illustrate the principles of the present invention and its effectiveness, and are not intended to limit the invention. Modifications and variations may be made to the above-described embodiments by those skilled in the art without departing from the spirit and scope of the invention. Accordingly, it is intended that all equivalent modifications and variations of the invention that are within the ordinary skill of the art and within the spirit and scope of the present disclosure be covered by the claims.