CN113411180B - Data encryption bus self-adaptive industrial equipment remote upgrading system - Google Patents


Info

Publication number
CN113411180B
Authority
CN
China
Prior art keywords
data
bus
encryption
watermark
remote server
Legal status
Active
Application number
CN202110663759.8A
Other languages
Chinese (zh)
Other versions
CN113411180A (en)
Inventor
周志龙
李飞
姚欣
Current Assignee
Henan Jiachen Intelligent Control Co Ltd
Original Assignee
Henan Jiachen Intelligent Control Co Ltd
Events
Application filed by Henan Jiachen Intelligent Control Co Ltd
Priority to CN202110663759.8A
Publication of CN113411180A
Application granted
Publication of CN113411180B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0631: Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00: Arrangements for software engineering
    • G06F 8/60: Software deployment
    • G06F 8/65: Updates
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00: Data switching networks
    • H04L 12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/40: Bus networks
    • H04L 12/40006: Architecture of a communication node
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00: Data switching networks
    • H04L 12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/40: Bus networks
    • H04L 12/40143: Bus networks involving priority mechanisms
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0478: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 67/025: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/10: Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/14: Session management
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00: Data switching networks
    • H04L 12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/40: Bus networks
    • H04L 2012/40208: Bus networks characterized by the use of a particular bus standard
    • H04L 2012/40215: Controller Area Network CAN

Abstract

The invention relates to a data-encryption, bus-adaptive remote upgrading system for industrial equipment. It comprises at least an intelligent device, a remote server and a bus. The intelligent device is connected to the bus network and to the remote server. The remote server encrypts data and then sends the encrypted data to the intelligent device. On receipt, the intelligent device performs a first decryption: it inverts the operations applied to the data during encryption, as indicated by the three bits prefixed to the data before transmission, and judges whether the data is abnormal; as soon as abnormal data is identified, transmission of the subsequent data is terminated. Otherwise the first decryption yields the converted data, which is decrypted a second time, and the radix conversion is inverted to separate out the real data source.

Description

Data encryption bus self-adaptive industrial equipment remote upgrading system
This is a divisional application of application No. 202011005123.6, filed 22 September 2020, an invention application entitled "Data encryption bus self-adaptive industrial equipment remote system upgrading method".
Technical Field
The invention relates to the technical field of industrial equipment, in particular to a data encryption bus self-adaptive industrial equipment remote upgrading system.
Background
Industrial equipment plays an increasingly important role in the national economy and is characterised by long service life, reliable quality and wear resistance. Once such equipment is in normal use, however, upgrading its system is often time-consuming and labour-intensive: it involves dismantling the whole machine, preparing on-site upgrade materials and verifying the upgraded system, and above all it requires the joint effort of technical staff from both parties, wasting manpower, money and time. How to upgrade an industrial equipment system quickly has therefore become a key problem in the industry.
A system upgrade of industrial equipment must first guarantee the confidentiality of the data during the upgrade, so that unauthorised parties cannot obtain the core system of the equipment by technical means; second, the ease of the upgrade has to be considered. Industrial equipment involves many kinds of data bus, each with its own transmission mode, and the equipment in each scenario is specially adapted to a single data bus, which makes system upgrades very troublesome.
Thanks to the rapid development of domestic internet technology, remote upgrade schemes for industrial equipment are now common. Existing schemes, however, use direct network data interaction, so the system data of the equipment is exposed directly on the network and can be obtained by unauthorised parties over the internet. At the same time, because industrial buses are so varied, the existing technical means need a different device scheme for each bus, and the upgrade process therefore responds slowly.
Chinese patent CN107040459A discloses an intelligent industrial security cloud gateway device, system and method. It encrypts uplink data to the cloud and decrypts encrypted downlink data, adds a data classification identifier and timestamp to the encrypted data, and implements multi-level access authentication, protocol conversion, multi-directional transparent interconnection and security isolation. The gateway comprises: an embedded gateway platform built around a multi-core processor; communication interface channels for the various intelligent devices of an industrial site, including multiple RS232, RS485, CAN, AS-Interface and LonWorks ports and industrial Ethernet (EtherCAT, PROFINET, EtherNet/IP, PROFIBUS, POWERLINK, SERCOS III, Bluetooth, WiFi) and the like; a cloud communication interface channel with an optional 3G/4G/GPRS interface; a built-in 10M/100M/1000M Ethernet switch; a GPS positioning and time-setting module; an encryption and decryption module; a data classification identifier and timestamp module; and an access security authentication control module. Placed at the data outlet of the industrial site, the gateway is also the starting point of the cloud service: it encrypts data, selects a secure transmission mode, controls data access, scans data entering the gateway and applies multiple authentications to visitor identity (ID), access device (IP), authority, path mode and so on, converts between multiple protocols in real time, and provides transparent interconnection of many devices. It acts as a physical security isolation barrier on the data channel between the intelligent factory and the cloud service and can effectively prevent data leakage and network virus attacks.
The traditional upgrade scheme relies on a network connection and transmits the data directly to the equipment. The encryption of the data is weak and the network has no frequency-band protection, so the core data can easily be obtained with a network packet-capture tool. Worse, an unauthorised party can imitate the whole transmission link and send abnormal data to the industrial equipment, causing the system update to fail and the equipment to work abnormally. Furthermore, because the upgrade process does not adapt to the transmission bus, different devices need different transmission buses, and upgrades of industrial equipment systems are seriously delayed.
Chinese patent publication CN107222553A discloses a method and system for upgrading a device through an Internet of Things adapter. The method comprises: the IoT adapter sends a remote upgrade instruction to the cloud server; the IoT adapter downloads the upgrade file from the cloud server to local storage; and the IoT adapter sends the upgrade file to the industrial equipment, which upgrades according to it.
Patent publication CN109818910A discloses a data transmission method, device and medium intended to simplify user operation and improve the user experience while providing secure data transmission between a client application and an application server. The method comprises: intercepting a data packet sent by the client application to the application server; encapsulating the packet as an Internet Protocol (IP) packet according to the network address and port of the application server; and encrypting the IP packet and sending it to a security server through a secure transmission channel, where the security server decrypts the SSL packet and forwards it to the application server.
Patent publication CN111049803A discloses a method for data encryption and secure platform access based on a vehicle-mounted CAN bus communication system. The system comprises an ECU, a vehicle-mounted T-BOX device, a server, a data centre and a digital signature module. The ECU comprises a data encryption module and a network module; the T-BOX comprises a data encryption module, an active-defence anti-attack algorithm with recording, a CAN bus communication module and a network module. The ECU encrypts vehicle operating-condition and fault information with its data encryption module and transmits it to the T-BOX.
Patent publication CN111404925A discloses a vehicle-mounted CAN bus data encryption method based on dynamic digital watermarking. It makes full use of the 8-byte data space of the CAN data frame to encrypt data without increasing traffic, ensures communication security, can verify data integrity and prevents tampering attacks; at the same time the watermark information is generated with a dynamic password, so that each generated watermark can be used and verified only once, which effectively defeats replay attacks.
In the prior art, data is mostly transmitted to the equipment over a network connection, either directly or after encryption. When abnormal data is transmitted, the receiving equipment lacks an abnormality identification function, so the abnormal data reaches the equipment; it cannot be used, and the equipment works abnormally.
Disclosure of Invention
The invention aims to provide a remote system upgrading method for industrial equipment that encrypts the data and adapts to the bus. When industrial equipment needs to be upgraded, a universal upgrade module is connected to the data bus on which the equipment sits, so that it can receive the upgrade data from the server and perform the system upgrade, and the upgrade of the industrial equipment system can be completed conveniently and quickly.
The invention discloses a data encryption bus self-adaptive industrial equipment remote system upgrading method comprising the following steps: the intelligent device is connected to all bus networks of the industrial equipment; after power-on, the intelligent device connects to a remote server over a network transmission link; when the remote server receives the networking request of the intelligent device, the transmission link is established, and once the connection is complete the intelligent device listens for instructions from the remote server; when sending data, the remote server applies a first layer of encryption to the software data, which is a radix (number base) conversion of the software data to be transmitted; after the radix conversion, a second layer of encryption is applied to the data, and the data includes the network IP and port; and the data encrypted by the second layer is transmitted to the intelligent device over the network transmission link.
According to a preferred embodiment, after receiving the data the intelligent device decrypts it a first time to obtain the converted data, decrypts the converted data a second time, and inverts the radix conversion to recover the real data source.
According to a preferred embodiment, the intelligent device monitors the data on the whole bus while decrypting, continuously matches it against a bus monitoring program inside the device to determine the bus type and its key parameters, and then sends the decrypted data to the industrial equipment.
According to a preferred embodiment, the remote server communicates with the bus of the industrial equipment via the I2C interface to obtain timestamp information, calculates a key from the timestamp information and the security identifier of the electronic control unit, and encrypts the transmitted data with it.
According to a preferred embodiment, the encrypted information includes a chip identification ID, a chip public key and the industrial equipment VIN, so that the identity of the equipment in the information exchange is unique and the networking of the equipment is standardised.
According to a preferred embodiment, the data encryption module is an LKT4305-GM, which integrates the Chinese national commercial algorithms SM2/SM3, RSA asymmetric encryption and AES symmetric encryption.
According to a preferred embodiment, before data transmission the remote server generates a first key and a shift factor from a pre-stored watermark and then generates a digital watermark with a dynamic digital watermark generation algorithm; generates a second key from the position information of the pre-stored watermark; deletes the data bits at the positions of the unused data bits, and then inserts the watermark into the data according to the position information of the pre-stored watermark, so that the data with the watermark inserted has the same length as the original data.
According to a preferred embodiment, after the intelligent device receives data it generates the first key and the shift factor from the pre-stored watermark and the digital watermark with the dynamic digital watermark generation algorithm; extracts the second key from the position information of the pre-stored watermark; extracts the watermark from the received data according to the watermark extraction position information; and compares the extracted watermark with the generated one. If they are the same, the transmitted data has not been modified or reset; if they differ, the data was modified or reset during transmission.
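The watermark exchange of the two embodiments above (server side inserting, device side extracting and comparing), worked as an added example; this is not the patent's own code. The patent names no key-derivation or watermark-generation function, so the SHA-256 key derivations, the HMAC-SHA256 watermark over a one-time counter plus the non-watermark payload bits, the masking with the second key, the constructed pre-stored watermark, the unused-bit positions and the counter carried alongside the frame are all assumptions.

```python
from __future__ import annotations
import hashlib
import hmac

# Constructed parameters (assumptions): the patent pre-stores a watermark and the
# positions of the unused data bits on both sides but gives no values for them.
PRESTORED_WATERMARK = b"\x5a\xc3\x3c\xa5"
UNUSED_BIT_POSITIONS = [4, 5, 6, 7, 12, 13, 14, 15, 52, 53, 54, 55, 60, 61, 62, 63]
FRAME_BYTES = 8  # one CAN data field, as in the prior art the patent cites
# Constructed sample frame: the bits at UNUSED_BIT_POSITIONS are all zero.
SAMPLE_FRAME = bytes([0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x00])


def bits_from_bytes(data: bytes) -> list[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bytes_from_bits(bits: list[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def derive_keys(prestored: bytes, positions: list[int]) -> tuple[bytes, int, bytes]:
    """First key and shift factor from the pre-stored watermark, second key from the
    position information. Hash-based derivations are an assumption; the patent names none."""
    first_key = hashlib.sha256(b"first-key" + prestored).digest()
    shift = prestored[0] % len(positions)
    second_key = hashlib.sha256(b"second-key" + bytes(positions)).digest()
    return first_key, shift, second_key


def carrier_bits(bits: list[int], positions: list[int]) -> list[int]:
    """Payload with the watermark slots zeroed: the bits the watermark is bound to."""
    cleared = list(bits)
    for p in positions:
        cleared[p] = 0
    return cleared


def dynamic_watermark(first_key: bytes, shift: int, counter: int,
                      carrier: list[int], nbits: int) -> list[int]:
    """Dynamic watermark (assumed construction): HMAC-SHA256 over a one-time counter and
    the carrier bits, truncated to the slot count and rotated by the shift factor."""
    msg = counter.to_bytes(8, "big") + bytes_from_bits(carrier)
    mac_bits = bits_from_bytes(hmac.new(first_key, msg, hashlib.sha256).digest())[:nbits]
    return mac_bits[shift:] + mac_bits[:shift]


def embed_watermark(frame: bytes, counter: int,
                    prestored: bytes = PRESTORED_WATERMARK,
                    positions: list[int] = UNUSED_BIT_POSITIONS) -> bytes:
    """Server side: delete the unused bits and write the second-key-masked watermark
    into them, so the frame keeps its original length."""
    if len(frame) != FRAME_BYTES:
        raise ValueError("frame must be exactly one 8-byte data field")
    first_key, shift, second_key = derive_keys(prestored, positions)
    bits = bits_from_bytes(frame)
    wm = dynamic_watermark(first_key, shift, counter, carrier_bits(bits, positions), len(positions))
    mask = bits_from_bytes(second_key)[:len(positions)]
    for p, w, m in zip(positions, wm, mask):
        bits[p] = w ^ m
    return bytes_from_bits(bits)


class WatermarkVerifier:
    """Device side: regenerate the watermark, extract the received one, compare."""

    def __init__(self, prestored: bytes = PRESTORED_WATERMARK,
                 positions: list[int] = UNUSED_BIT_POSITIONS) -> None:
        self.first_key, self.shift, self.second_key = derive_keys(prestored, positions)
        self.positions = positions
        self.last_counter = -1  # each dynamic watermark is accepted only once

    def verify(self, frame: bytes, counter: int) -> str:
        """Returns "ok", "modified" or "replayed"; the counter is assumed to travel
        with the frame, as the dynamic password does in the cited prior art."""
        if len(frame) != FRAME_BYTES:
            return "modified"
        if counter <= self.last_counter:
            return "replayed"
        bits = bits_from_bytes(frame)
        mask = bits_from_bytes(self.second_key)[:len(self.positions)]
        extracted = [bits[p] ^ m for p, m in zip(self.positions, mask)]
        expected = dynamic_watermark(self.first_key, self.shift, counter,
                                     carrier_bits(bits, self.positions), len(self.positions))
        if not hmac.compare_digest(bytes(extracted), bytes(expected)):
            return "modified"
        self.last_counter = counter
        return "ok"
```

Because the watermark is bound to the payload bits as well as to the counter, a flipped payload bit and a repeated frame are both rejected, which is the tamper and replay behaviour the cited CN111404925A claims for the scheme.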
The invention also discloses a data encryption bus self-adaptive industrial equipment remote upgrading system comprising at least an intelligent device and a remote server. The intelligent device is connected to the bus network of the industrial equipment and, after power-on, connects to the remote server over a network transmission link; when the remote server receives the networking request of the intelligent device it establishes the transmission link, and once the connection is complete the intelligent device listens for instructions from the remote server. When sending data, the remote server applies a first layer of encryption to the software data, which is a radix conversion of the software data to be transmitted; after the radix conversion, a second layer of encryption is applied to the data, and the data includes the network IP and port; and the data encrypted by the second layer is transmitted to the intelligent device over the network transmission link.
According to a preferred embodiment, after receiving data the intelligent device first decrypts it to obtain the converted data, then decrypts the converted data a second time and inverts the radix conversion to recover the real data source; while decrypting, the intelligent device monitors the data on the whole bus, continuously matches it against an internal bus monitoring program to determine the bus type and its key parameters, and then sends the decrypted data to the industrial equipment.
In traditional remote upgrading, the remote server transmits the upgrade data to the upgrade terminal directly over the network, with no security encryption during transmission; a malicious party can read the transmitted data with a network packet-capture tool, or send upgrade data of its own to the equipment along the same path and cause the industrial equipment to malfunction. Moreover, each update needs a terminal matching the particular bus, so several upgrade terminals are often carried, which is inefficient.
The invention relies on an intelligent upgrade device module: a networkable device compatible with the current mainstream industrial data buses. When the remote system of the industrial equipment is to be upgraded, the intelligent device is first connected to the industrial bus on which the equipment sits; when the whole system is powered on, the intelligent device connects to the network and to the upgrade server in the cloud. Unlike the traditional upgrade mode, the data is encrypted twice during the upgrade: the first encryption converts the radix of the data to be transmitted, and the second recombines the converted data. The encrypted data is transmitted to the intelligent device over the network, and the device decrypts it twice after receipt: the first decryption undoes the recombination to obtain the converted data, and the second inverts the radix conversion to obtain the real, valid data. While decrypting, the intelligent device monitors the data on the whole bus, continuously matches it against an internal bus monitoring program to determine the bus type and its key parameters, and transmits the decrypted data to the industrial equipment over the bus to update its system.
Drawings
FIG. 1 is an overall flow diagram of the data encryption bus adaptive industrial equipment remote system upgrade method of the present invention.
Detailed Description
The following detailed description is made with reference to the accompanying drawings.
Example 1
This embodiment discloses a data encryption bus self-adaptive industrial equipment remote system upgrading method, shown in fig. 1, comprising: the intelligent device is connected to all bus networks of the industrial equipment; after power-on, the intelligent device connects to a remote server over a network transmission link; when the remote server receives the networking request of the intelligent device, the transmission link is established, and once the connection is complete the intelligent device listens for instructions from the remote server; when sending data, the remote server applies a first layer of encryption to the software data, which is a radix conversion of the software data to be transmitted; after the radix conversion, a second layer of encryption is applied, and the second-layer encrypted data includes the network IP and port; and the data encrypted by the second layer is transmitted to the intelligent device over the network transmission link. Bus self-adaptation means that the device automatically adapts to the industrial transmission protocol link, including the CAN bus, the RS-485 bus, the RS-232-C bus and the like. In this embodiment the remote server is also called the cloud server.
Preferably, the intelligent device is also called the intelligent upgrade device module. It is a networkable device compatible with the current mainstream industrial data buses. When the remote system of the industrial equipment is to be upgraded, the intelligent device is first connected to the industrial bus on which the equipment sits; when the whole system is powered on, the intelligent device connects to the network and to the upgrade server in the cloud. Unlike the traditional upgrade mode, the data is encrypted twice during the upgrade: the first encryption converts the radix of the data to be transmitted, and the second recombines the converted data. The encrypted data is transmitted to the intelligent device over the network, and the device decrypts it twice after receipt: the first decryption undoes the recombination to obtain the converted data, and the second inverts the radix conversion to obtain the real, valid data. While decrypting, the intelligent device monitors the data on the whole bus, continuously matches it against an internal bus monitoring program to determine the bus type and its key parameters, and transmits the decrypted data to the industrial equipment over the bus to update its system.
CAN is the abbreviation of Controller Area Network, a serial communication protocol standardised internationally by ISO. The CAN bus gives strong technical support to real-time, reliable data communication between the nodes of a distributed control system. The CAN bus communication interface integrates the physical-layer and data-link-layer functions of the CAN protocol and handles the framing of communication data, including bit stuffing, data block encoding, cyclic redundancy check and priority arbitration. The CAN protocol drops the traditional station addressing and instead encodes the communication data blocks, which makes the number of nodes in the network theoretically unlimited; the identifier of a data block consists of 11 or 29 binary bits, so that 2^11 or 2^29 different data blocks can be defined, and this block encoding lets different nodes receive the same data at the same time, which is very useful in a distributed control system. The data segment is at most 8 bytes long, which meets the general needs of control commands, working states and test data in the common industrial field; at the same time, 8 bytes cannot occupy the bus for too long, so real-time communication is guaranteed. The CAN protocol uses CRC checking and provides corresponding error handling, ensuring reliable data communication.
The CAN bus uses a multi-master contention bus structure: a serial bus operated by multiple master stations with decentralised arbitration and broadcast communication. Any node on the CAN bus can actively send information to the other nodes at any time, with no master/slave distinction, so the nodes communicate freely. A CAN bus plug-in card can be inserted into any PC/AT- or XT-compatible machine, which makes it convenient to build a distributed monitoring system.
rs-485 adopts a half-duplex working mode to support multipoint data communication. The rs-485 bus network topology generally adopts a bus structure with matched terminals. That is, a bus is adopted to connect all the nodes in series, and the ring-shaped or star-shaped network is not supported. rs-485 uses balanced transmission and differential reception, and thus has the capability of suppressing common mode interference. The bus transceiver has high sensitivity and can detect the voltage as low as 200mv, so that the transmission signal can be recovered beyond kilometer. Preferably, the rs-485 transceiver modifies the input impedance to allow up to 8 times more nodes to be connected to the same bus. rs-485 adopts a balanced sending and differential receiving mode to realize communication: the transmitting end converts the ttl level signal of the serial port into two paths of differential signals a and b for output, and the differential signals are restored to the ttl level signal at the receiving end after cable transmission. Because the transmission line usually uses twisted pair, and is differential transmission, so it has strong ability to resist common mode interference, the sensitivity of the bus transceiver is very high, and it can detect the voltage as low as 200 mv. The transmitted signal can be recovered even out of kilometers. The maximum communication distance of rs-485 is about 1219m, the maximum transmission rate is 10mb/s, the transmission rate is inversely proportional to the transmission distance, the maximum communication distance can be reached only at the transmission rate of 10kb/s, and a 485 repeater is needed if a longer distance needs to be transmitted. rs-485 adopts a half-duplex working mode to support multipoint data communication. The rs-485 bus network topology generally adopts a bus structure with matched terminals. That is, a bus is adopted to connect all the nodes in series, and the ring-shaped or star-shaped network is not supported. 
If a star configuration is desired, 485 repeaters or 485 hubs must be used. The rs-485 bus generally supports a maximum of 32 nodes, and if a special 485 chip is used, 128 or 256 nodes can be achieved, and a maximum of 400 nodes can be supported.
The RS-232-C standard defines 25 signal lines, comprising a primary channel and a secondary channel. In most cases only the primary channel is used, and ordinary full-duplex communication needs only a few of the lines, such as transmit data, receive data and signal ground. The RS-232-C standard specifies data rates of 50, 75, 100, 150, 300, 600, 1200, 2400, 4800, 9600 and 19200 baud. The standard allows the driver a capacitive load of 2500 pF, and the communication distance is limited by this capacitance: with a cable of 150 pF/m the maximum communication distance is 15 m, and a cable with lower capacitance per meter allows a longer distance. A further reason for the short transmission distance is that RS-232 uses single-ended signalling, so common-ground noise and common-mode interference cannot be suppressed; it is therefore generally used for communication within 20 m.
Preferably, the radix (number-system) conversion performed by the first layer of encryption is a conversion to binary, octal or hexadecimal. The radix is chosen according to the type of the transmitted data: preferably, double values are converted to hexadecimal, float values to octal and int values to binary. In this way the precision and accuracy of the converted data are preserved.
Preferably, the radix-converted data is divided in order into two groups of digits of equal length. If the converted data has an odd number of digits, a zero is prepended before splitting. The split may be made in digit order (first half, second half) or by alternating digits. According to a specific embodiment, if the binary-converted data is 1000101, which has an odd number of bits, it is first padded to 01000101; splitting in bit order yields 0100 and 0101, while splitting by alternating bits (even positions, then odd positions) yields 0000 and 1011. More preferably, the data to be split may be reversed before splitting, and then split after reversal. According to another embodiment, one or both of the two equal-length groups may be reversed before transmission. Preferably, a three-bit binary character is prepended to each transmitted data item to indicate the processing the data has undergone. For example, according to a preferred embodiment, in the added three-bit character the first bit is "0" if the data was not reversed before splitting and "1" if it was; the second bit is "0" if the data was split in digit order and "1" if it was split by alternating digits; and the third bit is "0" if the groups were not reversed after splitting and "1" if they were. This yields eight processing modes: 000, 001, 010, 011, 100, 101, 110 and 111. By this processing, the security of the data encryption can be further ensured.
Even if the data is intercepted, the original data cannot be recovered simply by inverting the radix conversion, which avoids the damage that could follow an interception.
According to a preferred embodiment, after receiving the data the intelligent device performs a first decryption to obtain the converted data, performs a second decryption on the converted data, and inverts the radix conversion to recover the real data source.
Preferably, the first decryption inverts the operations applied to the data during encryption, as indicated by the first three bits of the transmitted data. In this way a more secure encrypted transmission is achieved with little transmission overhead and additional transmission cost. More importantly, if the data has been stolen and abnormal data is injected into the transmission, then, on the one hand, the abnormal data can be identified quickly from the first three bits, so that it can be handled or an alarm raised; on the other hand, even if abnormal data is not identified explicitly, inverting the conversion on it does not yield the data that was originally injected, so the damage the abnormal data might do to the system is avoided. For example, 4 of the 8 data-processing patterns are defined as the exclusive (permitted) patterns, and whether data is abnormal can be determined quickly by checking whether its first three bits match one of those 4 codes. Preferably, transmission of subsequent data is terminated immediately once abnormal data is identified. This further reduces the amount of data transmitted on top of the fast identification of abnormal data: the data does not have to be received completely before it can be judged abnormal, and the other negative effects of receiving the abnormal data in full are avoided. According to a preferred embodiment, the intelligent device monitors the data on the whole bus while decrypting, continuously matches it against a bus monitoring program inside the intelligent device, determines the type and key parameters of the bus, and then sends the decrypted data to the industrial equipment.
Preferably, the data-processing mode applied after the first-layer encryption and/or the second-layer encryption method are associated with the bus type and/or its key parameters. For example, according to one specific embodiment, data-processing mode "111" is dedicated to the CAN bus, mode "000" to the RS-485 bus, mode "100" to the RS-232-C bus, and so on. In this way the intelligent device, having listened for the bus type and key parameters, can report them to the remote server, and the remote server can immediately switch the data-processing mode and/or the second-layer encryption method accordingly. This provides bidirectional confirmation of the bus type, and where several types of bus are present it avoids misdelivery and mistransmission of data. In addition, the method keeps the transmission cost to a minimum, reduces the transmission load, achieves multi-mode security verification with the smallest additional data volume, and ensures the accuracy of the transmission.
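The first-layer transform described above (radix conversion, zero padding, ordered or alternating split, optional reversal and the three-bit mode tag) together with the receiver-side inverse and the per-bus tag check, written out here as an added example. This is illustrative code, not code from the patent. Assumed and not in the original: the tag bit order (first bit = reverse before split, second bit = alternating split, third bit = reverse both groups after split), padding before reversal so that the inverse is unambiguous, float and double values converted through their IEEE 754 bit patterns, the frame layout tag + group1 + group2 with the receiver halving the payload, and the permitted-mode table built from the examples in the text (111 for CAN, 000 for RS-485, 100 for RS-232-C).

```python
"""First-layer transform of the specification and its inverse (illustrative; see lead-in).

Tag bits (assumed order): tag[0] reverse before split, tag[1] alternating split,
tag[2] reverse both groups after split.
"""
import struct

# Radix per data type, as the text prescribes.
RADIX = {"int": 2, "float": 8, "double": 16}
DIGITS = "0123456789abcdef"

# Assumed permitted-mode table, built from the examples in the text.
BUS_MODES = {"CAN": {"111"}, "RS485": {"000"}, "RS232C": {"100"}}
ALL_MODES = {"000", "001", "010", "011", "100", "101", "110", "111"}


class AnomalousDataError(ValueError):
    """Raised on the first frame whose tag is not permitted for the bus."""


def _to_int(value, dtype):
    # Assumption: floats/doubles are converted through their IEEE 754 bit pattern.
    if dtype == "int":
        if value < 0:
            raise ValueError("only non-negative integers are supported here")
        return value
    return int.from_bytes(struct.pack(">f" if dtype == "float" else ">d", value), "big")


def _from_int(n, dtype):
    if dtype == "int":
        return n
    fmt, size = (">f", 4) if dtype == "float" else (">d", 8)
    return struct.unpack(fmt, n.to_bytes(size, "big"))[0]


def _to_radix(n, radix):
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, radix)
        out.append(DIGITS[r])
    return "".join(reversed(out))


def encode(value, dtype, mode):
    """Sender side: radix conversion, padding, split, reversal; returns tag + group1 + group2."""
    if mode not in ALL_MODES:
        raise ValueError("mode must be a three-bit string")
    s = _to_radix(_to_int(value, dtype), RADIX[dtype])
    if len(s) % 2:
        s = "0" + s              # prepend a zero to an odd digit count
    if mode[0] == "1":
        s = s[::-1]              # pad first, then reverse, so decoding is unambiguous
    if mode[1] == "1":
        a, b = s[0::2], s[1::2]  # alternating digits
    else:
        h = len(s) // 2
        a, b = s[:h], s[h:]      # first half, second half
    if mode[2] == "1":
        a, b = a[::-1], b[::-1]  # reverse both groups after splitting
    return mode + a + b


def decode(frame, dtype, bus):
    """Receiver side: check the tag against the bus first, then invert every step."""
    tag, payload = frame[:3], frame[3:]
    if tag not in BUS_MODES[bus]:
        # The early-termination rule: reject before touching the payload.
        raise AnomalousDataError(f"tag {tag!r} is not permitted on {bus}")
    if len(payload) % 2:
        raise AnomalousDataError("the two groups must have equal length")
    h = len(payload) // 2
    a, b = payload[:h], payload[h:]
    if tag[2] == "1":
        a, b = a[::-1], b[::-1]
    if tag[1] == "1":
        s = "".join(x + y for x, y in zip(a, b))  # re-interleave
    else:
        s = a + b
    if tag[0] == "1":
        s = s[::-1]
    return _from_int(int(s, RADIX[dtype]), dtype)
```

With the text's own example, encode(69, "int", "000") gives the tag 000 followed by 0100 and 0101, and mode 010 gives 0000 and 1011. Two practical points the example makes visible: the receiver rejects a frame on the tag alone, before processing the payload, which is the early-termination behaviour described above; and the whole layer is keyless, with the tag sent in the clear, so anyone who captures a frame and knows the tag convention can invert it. Confidentiality therefore rests entirely on the second layer; the first layer is a format check and a cheap filter for malformed or misrouted frames, not a cipher.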
According to a preferred embodiment, the remote server communicates with the bus of the industrial equipment through an I2C interface to obtain timestamp information, calculates a key from the obtained timestamp information and the security identifier of the electronic control unit, and uses it for the second-layer encryption of the transmitted data.
According to a preferred embodiment, the encrypted information includes a chip identification ID, a chip public key and the industrial equipment VIN, so that the identity used by the industrial equipment in information exchange is unique and the networking of the industrial equipment is standardized. Preferably, the encrypted information further includes the system upgrade version information and the system upgrade information, so that the networking information of the upgraded industrial equipment remains consistent and uniform.
According to a preferred embodiment, the second-layer encryption is performed by a data encryption module; the data encryption module is an LKT4305-GM, which integrates the Chinese national-standard algorithms SM2/SM3, RSA asymmetric encryption and AES symmetric encryption.
According to a preferred embodiment, before data transmission the remote server generates a first key and a shifting factor from a pre-stored watermark and then generates a digital watermark with a dynamic digital watermark generation algorithm; generates a second key from the position information of the pre-stored watermark; clears the data at the positions of the unused data bits, and then inserts the watermark into the data at those positions according to the pre-stored position information, so that the data is the same length after the watermark is inserted as the original data.
According to a preferred embodiment, after the intelligent device receives the data, it generates the first key and the shifting factor from the pre-stored watermark and generates the digital watermark with the dynamic digital watermark generation algorithm; extracts the second key from the position information of the pre-stored watermark; extracts the watermark from the received data according to the watermark extraction position information; and compares the extracted watermark with the generated one. If the extracted watermark is the same as the generated watermark, the transmitted data has not been modified or replaced; if they differ, the data was modified or replaced in transit. Combined with the identification of the data-processing mode, this method makes it possible to judge more accurately whether the data has been intercepted, tampered with or replaced, ensures the security of the data transmission, and avoids damage or influence from abnormal data.
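The watermark procedure in the two preceding paragraphs, written out as an added, illustrative example. This is not the patent's code, and the specification does not name the generation algorithm. Assumptions made here and not in the original: HMAC-SHA256 stands in for the dynamic digital watermark generation algorithm and for both key derivations; the per-message input that makes each watermark one-time is a message counter; the watermark is also bound to the frame's used data bits, so that changing any data bit invalidates it (a watermark that depended on the counter alone would detect replay and corruption of the watermark bits, but not tampering with the payload); the frame is an 8-byte data field whose last 16 bits carry no signal; and the pre-stored watermark and position list are constructed sample values.

```python
"""Dynamic watermark in the unused bits of a fixed-length frame (illustrative; see lead-in)."""
import hashlib
import hmac

FRAME_LEN = 8  # bytes; an assumed 8-byte data field
# Constructed pre-stored material shared by the server and the intelligent device.
PRESTORED_WATERMARK = b"\x11\x22\x33\x44\x55\x66\x77\x88"
# Constructed position information: bit indices (0 = MSB of byte 0) that carry no signal.
UNUSED_BITS = list(range(48, 64))


def derive_first_key_and_shift(prestored, n_bits):
    """First key and shifting factor, both derived from the pre-stored watermark."""
    h = hashlib.sha256(b"wm-first-key" + prestored).digest()
    return h[:16], h[16] % n_bits


def derive_second_key(positions):
    """Second key, derived from the position information only."""
    return hashlib.sha256(b"wm-second-key" + bytes(positions)).digest()[:16]


def clear_unused(frame, positions):
    """Delete whatever sits in the unused bits; the length is unchanged."""
    buf = bytearray(frame)
    for p in positions:
        buf[p // 8] &= ~(0x80 >> (p % 8)) & 0xFF
    return bytes(buf)


def dynamic_watermark(k1, shift, k2, counter, data_bits, n_bits):
    """One-time watermark: keyed by k1, bound to the counter and the data bits,
    rotated by the shifting factor, and mapped onto positions in an order fixed by k2."""
    mac = hmac.new(k1, counter.to_bytes(4, "big") + data_bits, hashlib.sha256).digest()
    bits = [(mac[i // 8] >> (7 - i % 8)) & 1 for i in range(n_bits)]
    r = (shift * counter) % n_bits
    bits = bits[r:] + bits[:r]
    order = sorted(range(n_bits),
                   key=lambda i: hmac.new(k2, bytes([i]), hashlib.sha256).digest())
    return [bits[i] for i in order]


def _keys(prestored, positions):
    k1, shift = derive_first_key_and_shift(prestored, len(positions))
    return k1, shift, derive_second_key(positions)


def embed(frame, counter, prestored=PRESTORED_WATERMARK, positions=UNUSED_BITS):
    """Server side: insert the watermark without changing the frame length."""
    if len(frame) != FRAME_LEN:
        raise ValueError("unexpected frame length")
    k1, shift, k2 = _keys(prestored, positions)
    base = clear_unused(frame, positions)
    wm = dynamic_watermark(k1, shift, k2, counter, base, len(positions))
    buf = bytearray(base)
    for bit, p in zip(wm, positions):
        if bit:
            buf[p // 8] |= 0x80 >> (p % 8)
    return bytes(buf)


def verify(frame, counter, prestored=PRESTORED_WATERMARK, positions=UNUSED_BITS):
    """Device side: extract the watermark and compare it with the regenerated one."""
    if len(frame) != FRAME_LEN:
        return False
    k1, shift, k2 = _keys(prestored, positions)
    base = clear_unused(frame, positions)
    expected = dynamic_watermark(k1, shift, k2, counter, base, len(positions))
    extracted = [(frame[p // 8] >> (7 - p % 8)) & 1 for p in positions]
    return hmac.compare_digest(bytes(extracted), bytes(expected))


class WatermarkReceiver:
    """Remembers the last accepted counter so an unmodified frame cannot be replayed."""

    def __init__(self):
        self.last_counter = -1

    def accept(self, frame, counter):
        if counter <= self.last_counter or not verify(frame, counter):
            return False
        self.last_counter = counter
        return True
```

embed() clears the unused bits first, which is the "deleting the data" step, so the output is exactly as long as the input and the used data bits are untouched; verify() regenerates the expected watermark from the received data bits and compares it with the extracted one in constant time. The receiver additionally has to remember the last accepted counter: without that, a captured frame replayed unchanged with its original counter would verify, because the watermark itself is valid for that counter.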
In existing upgrade schemes, data is exchanged directly over the network, so the system data of the industrial equipment is exposed on the network and an attacker has the opportunity to obtain the core system data of the equipment. Moreover, because industrial equipment uses many different buses, existing techniques need a different device scheme for each bus, so the upgrade process responds slowly.
The traditional upgrade scheme relies on a network connection and transmits data directly to the equipment, without data encryption or protection of the network channel. Core data can easily be obtained by capturing network packets, the whole sending chain can be simulated, and abnormal data can be delivered to the industrial equipment, causing update failures and abnormal operation of the industrial equipment system. Meanwhile, because the upgrade process does not adapt to the transmission bus, different devices need different transmission buses, and the upgrading of industrial equipment systems is seriously delayed.
The invention relies on an intelligent upgrade device module to upgrade the system of the industrial equipment. Throughout the system upgrade, the data is encrypted twice at the data source and decrypted twice at the intelligent device; the bus is monitored and answered, its type and parameters are obtained, bus adaptation is achieved, and fast, safe and stable remote upgrading of the industrial equipment is guaranteed.
The watermark information is inserted into the unused data bits of the data transmitted on the industrial equipment bus, so that the data is protected without adding communication traffic: the security of the data is ensured, its integrity can be verified, and tampering with or attacks on the transmitted data are prevented. The watermark is produced by a dynamic digital watermark generation algorithm, so that the watermark information is generated dynamically and each generated watermark is used only once, which further prevents attacks.
Example 2
This embodiment discloses a data encryption bus self-adaptive industrial equipment remote upgrading system comprising at least an intelligent device and a remote server. The intelligent device is attached to the bus network of the industrial equipment; after power-on it connects to the remote server, and the transmission link is established by network technology. On receiving the networking request of the intelligent device, the remote server establishes the transmission link and completes the connection, after which the intelligent device listens for instructions from the remote server. When issuing data, the remote server applies first-layer encryption to the software data, namely the radix conversion of the software data to be transmitted; after the radix conversion is complete, second-layer encryption is applied to the data, the encrypted data including the network IP and port; and the data encrypted by the second layer is transmitted to the intelligent device over the network transmission link.
Preferably, after receiving the data the intelligent device first performs a first decryption to obtain the converted data, then performs a second decryption on the converted data, and inverts the radix conversion to recover the real data source. The intelligent device monitors the data on the whole bus while decrypting, continuously matches it against a bus monitoring program inside the intelligent device, judges the type and key parameters of the bus, and then sends the decrypted data to the industrial equipment.
It should be noted that the above-mentioned embodiments are exemplary, and that those skilled in the art, having benefit of the present disclosure, may devise various arrangements that are within the scope of the present disclosure and that fall within the scope of the invention. It should be understood by those skilled in the art that the present specification and figures are illustrative only and are not limiting upon the claims. The scope of the invention is defined by the claims and their equivalents.

Claims (6)

1. A data encryption bus self-adaptive industrial equipment remote upgrading system, characterized by comprising at least an intelligent device, a remote server and a bus, wherein the intelligent device is attached to all bus networks of the industrial equipment, the intelligent device connects to the remote server after power-on, a transmission link is established by network technology, and the remote server establishes the transmission link after receiving the networking request of the intelligent device;
the remote server performs first-layer encryption on the software data when issuing the data, the first-layer encryption being a radix conversion of the software data to be transmitted; the remote server sequentially divides the radix-converted data into two groups of digits of equal length, prepending a zero if the converted data has an odd number of digits, the split being made either in digit order or by alternating digits; one or both of the two equal-length groups are reversed before transmission; and a three-bit binary character is prepended to each transmitted data item to indicate its data-processing mode;
second-layer encryption is then applied to the data, the second-layer encrypted data including a network IP and port; the data encrypted by the second layer is transmitted to the intelligent device over a network transmission link;
after receiving the data, the intelligent device performs a first decryption, in which it inverts the operations applied to the data during encryption as indicated by the first three bits of the transmitted data and judges whether the data is abnormal; on identifying abnormal data it immediately stops the transmission of subsequent data, and otherwise it obtains the converted data, performs a second decryption on the converted data and inverts the radix conversion to recover the real data source;
the intelligent device monitors the data on the whole bus while decrypting, continuously matches it against a bus monitoring program inside the intelligent device, judges the type and key parameters of the bus, and then sends the decrypted data to the industrial equipment;
the data-processing mode after the first-layer encryption and the second-layer encryption method are associated with the bus type and the key parameters;
after monitoring the bus type and the key parameters, the intelligent device can send them to the remote server, and the remote server can immediately switch the data-processing mode and the second-layer encryption method accordingly.
2. The data encryption bus adaptive industrial device remote upgrade system of claim 1, wherein the smart device is capable of listening for instructions from a remote server after the smart device is connected to the remote server.
3. The data encryption bus adaptive industrial device remote upgrade system according to claim 2, wherein the remote server communicates with the bus of the industrial device through an I2C interface to obtain timestamp information, calculates a key based on the obtained timestamp information and the security identification code of the electronic control unit and encrypts the transmission data.
4. The data encryption bus adaptive industrial equipment remote upgrade system according to claim 3, wherein the data encryption module is an LKT4305-GM, which integrates SM2/SM3, RSA asymmetric encryption and AES symmetric encryption.
5. The data encryption bus adaptive industrial device remote upgrade system according to claim 4, wherein, before data transmission, the remote server generates a first key and a shifting factor by pre-storing a watermark, and generates a digital watermark using a dynamic digital watermark generation algorithm; generating a second key by utilizing the position information of the pre-stored watermark; and deleting the data according to the position of the unused data bit in the data, and then inserting the pre-stored watermark into the data according to the position information of the pre-stored watermark, so that the length of the data after the watermark is inserted is the same as that of the original data.
6. The data encryption bus adaptive industrial device remote upgrade system of claim 5, wherein after the intelligent device receives the data, a pre-stored watermark is used to generate a first key and a shifting factor, and a digital watermark is generated by a dynamic digital watermark generation algorithm; extracting a second key by using the position information of the pre-stored watermark; extracting a watermark from the received data according to the information of the watermark extraction position, and comparing the extracted watermark with the generated watermark; if the extracted watermark is the same as the generated watermark, the transmitted data is not modified or reset; if the extracted watermark is different from the generated watermark, the data is modified or reset in the transmission process.
CN202110663759.8A 2020-09-22 2020-09-22 Data encryption bus self-adaptive industrial equipment remote upgrading system Active CN113411180B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110663759.8A CN113411180B (en) 2020-09-22 2020-09-22 Data encryption bus self-adaptive industrial equipment remote upgrading system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110663759.8A CN113411180B (en) 2020-09-22 2020-09-22 Data encryption bus self-adaptive industrial equipment remote upgrading system
CN202011005123.6A CN112118091B (en) 2020-09-22 2020-09-22 Data encryption bus self-adaptive industrial equipment remote system upgrading method

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202011005123.6A Division CN112118091B (en) 2020-09-22 2020-09-22 Data encryption bus self-adaptive industrial equipment remote system upgrading method

Publications (2)

Publication Number Publication Date
CN113411180A CN113411180A (en) 2021-09-17
CN113411180B true CN113411180B (en) 2022-05-06

Family

ID=73800957

Family Applications (3)

Application Number Title Priority Date Filing Date
CN202011005123.6A Active CN112118091B (en) 2020-09-22 2020-09-22 Data encryption bus self-adaptive industrial equipment remote system upgrading method
CN202110663759.8A Active CN113411180B (en) 2020-09-22 2020-09-22 Data encryption bus self-adaptive industrial equipment remote upgrading system
CN202110663687.7A Active CN113411179B (en) 2020-09-22 2020-09-22 Safety communication method based on industrial data bus

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202011005123.6A Active CN112118091B (en) 2020-09-22 2020-09-22 Data encryption bus self-adaptive industrial equipment remote system upgrading method

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202110663687.7A Active CN113411179B (en) 2020-09-22 2020-09-22 Safety communication method based on industrial data bus

Country Status (1)

Country Link
CN (3) CN112118091B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107040459A (en) * 2017-03-27 2017-08-11 高岩 A kind of intelligent industrial secure cloud gateway device system and method
CN108551450A (en) * 2018-04-18 2018-09-18 何小林 A kind of data segment transmission method and system based on wireless protocols
CN109429222A (en) * 2017-08-22 2019-03-05 马鞍山明阳通信科技有限公司 A kind of pair of Wireless Communication Equipment upgrade procedure and the method for communication data encryption
CN111049803A (en) * 2019-11-20 2020-04-21 江苏物联网络科技发展有限公司 Data encryption and platform security access method based on vehicle-mounted CAN bus communication system

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102238001B (en) * 2010-05-07 2014-10-01 腾讯数码(深圳)有限公司 Method and device for enhancing data security
CN102981440B (en) * 2012-11-02 2014-10-29 武汉理工大学 Intelligent device monitoring and managing system based on software as a service (SaaS)
CN105528347B (en) * 2014-09-28 2019-03-26 北京古盘创世科技发展有限公司 Data block storage method, data query method and data modification method
CN105005215A (en) * 2015-05-28 2015-10-28 徐禄勇 Protocol conversion device and data acquisition control system for industrial bus equipment
US9756024B2 (en) * 2015-09-18 2017-09-05 Trillium Incorporated Computer-implemented cryptographic method for improving a computer network, and terminal, system and computer-readable medium for the same
CN106101147B (en) * 2016-08-12 2019-04-23 北京同余科技有限公司 A kind of method and system for realizing smart machine and the communication of remote terminal dynamic encryption
CN107222553A (en) * 2017-06-26 2017-09-29 深圳市智物联网络有限公司 Pass through the method for Internet of Things adapter upgrade equipment, system and Internet of Things adapter
CN107682148A (en) * 2017-10-12 2018-02-09 华东师范大学 Security access system and method between a kind of vehicle bus and internet communication system
CN109818910B (en) * 2017-11-21 2022-07-01 中移(杭州)信息技术有限公司 Data transmission method, device and medium
WO2019168907A1 (en) * 2018-02-27 2019-09-06 Excelfore Corporation Broker-based bus protocol and multi-client architecture
CN109150703B (en) * 2018-08-23 2019-07-02 北方工业大学 Intelligent cloud gateway for industrial Internet of things and communication method thereof
US11539782B2 (en) * 2018-10-02 2022-12-27 Hyundai Motor Company Controlling can communication in a vehicle using shifting can message reference
CN109600287A (en) * 2018-10-18 2019-04-09 广州虹科电子科技有限公司 The method and storage medium of gateway, processing end monitoring CAN bus
CN111083025A (en) * 2018-10-22 2020-04-28 中兴通讯股份有限公司 Data transmission method, vehicle-mounted communication equipment and computer readable storage medium
CN111224951A (en) * 2019-12-24 2020-06-02 广州市中海达测绘仪器有限公司 Data processing method and device, vehicle-mounted terminal and storage medium
CN111327689A (en) * 2020-01-22 2020-06-23 大运汽车股份有限公司 Method for realizing remote upgrading of vehicle ECU (electronic control Unit) based on UDS (Universal data System) communication protocol
CN111404925B (en) * 2020-03-12 2021-05-11 北京航空航天大学 Vehicle-mounted CAN bus data encryption method based on dynamic digital watermarking
CN111614728A (en) * 2020-04-27 2020-09-01 西安电子科技大学 Data transmission method and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107040459A (en) * 2017-03-27 2017-08-11 高岩 A kind of intelligent industrial secure cloud gateway device system and method
CN109429222A (en) * 2017-08-22 2019-03-05 马鞍山明阳通信科技有限公司 A kind of pair of Wireless Communication Equipment upgrade procedure and the method for communication data encryption
CN108551450A (en) * 2018-04-18 2018-09-18 何小林 A kind of data segment transmission method and system based on wireless protocols
CN111049803A (en) * 2019-11-20 2020-04-21 江苏物联网络科技发展有限公司 Data encryption and platform security access method based on vehicle-mounted CAN bus communication system

Also Published As

Publication number Publication date
CN112118091B (en) 2021-04-23
CN112118091A (en) 2020-12-22
CN113411179B (en) 2022-05-03
CN113411180A (en) 2021-09-17
CN113411179A (en) 2021-09-17

Similar Documents

Publication Publication Date Title
US10547594B2 (en) Systems and methods for implementing data communication with security tokens
WO2017067154A1 (en) Data communication method and system for in-vehicle network comprising multiple subnetworks, and gateway
CN116405302B (en) System and method for in-vehicle safety communication
CN114071698A (en) Ad hoc network data receiving and transmitting method and device with parameter dynamic configuration and state perception
NZ337060A (en) Secure packet radio network, newly activated user stations pass key request to network operator station
CN111211894B (en) Data transmission method, device and system
CN113411180B (en) Data encryption bus self-adaptive industrial equipment remote upgrading system
US9729521B2 (en) Methods and systems for auto-commissioning of devices in a communication network
CN110290151B (en) Message sending method and device and readable storage medium
CN115834210A (en) Quantum secure network data transmitting and receiving method and communication system
CN110572352A (en) intelligent distribution network security access platform and implementation method thereof
CN114826748A (en) Audio and video stream data encryption method and device based on RTP, UDP and IP protocols
CN103560891A (en) Method for identifying communication identifier of household wireless Internet of Things
CN110048838B (en) Power line carrier system
CN108768969B (en) Network penetration system
KR100265978B1 (en) Method and apparatus for communication controlling between terminal equipment and branch processor
JP4519495B2 (en) Communication apparatus and communication system
CN108234461A (en) A kind of encrypted blinded communication system and method based on USB pairings
US11882114B2 (en) Authentication method and authentication system in IP communication
CN115296887B (en) Data transmission method, device, electronic equipment and storage medium
CN110086800B (en) Method and device for secret communication
KR101658322B1 (en) Apparatus and method for handling protocol for advanced metering infrastructure
KR102052552B1 (en) Method for transmitting data based on SMS communication at supervisory control and data acquisition system
CN108141357B (en) Circuit arrangement for generating a secret in a network
CN105516908B (en) A kind of locking method and system based on bluetooth

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No.99, Jingbei 6th Road, Zhengzhou area (Jingkai), Henan pilot Free Trade Zone, Zhengzhou, Henan Province, 450000

Applicant after: Henan Jiachen Intelligent Control Co.,Ltd.

Address before: No.99, Jingbei 6th Road, Zhengzhou area (Jingkai), Henan pilot Free Trade Zone, Zhengzhou, Henan Province, 450000

Applicant before: ZHENGZHOU JIACHEN ELECTRIC Co.,Ltd.

GR01 Patent grant