CN113904934B - High-safety equipment configuration method and device based on heterogeneous verification - Google Patents


Info

Publication number: CN113904934B
Authority: CN (China)
Prior art keywords: configuration, data, verification, heterogeneous, processing modules
Legal status: Active
Application number: CN202111497255.XA
Other languages: Chinese (zh)
Other versions: CN113904934A (en)
Inventors: 张富军, 李艳红, 陈霞, 王利强, 沈文君, 周正平
Current Assignee: Zhejiang Lab
Original Assignee: Zhejiang Lab

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0866 Checking the configuration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical field of data security and relates to a high-security device configuration method based on heterogeneous verification, comprising the following steps: step one, a remote configuration client issues a configuration file to a configuration processing unit, the configuration processing unit comprising a plurality of configuration processing modules; step two, after the authority verification of the configuration file passes, the configuration processing modules receive the configuration file, convert it into configuration data and send the configuration data to the configuration issuing module; step three, the configuration issuing module receives the configuration data, performs configuration verification, and issues the configuration data after the verification passes. The invention uses an active defense mode of heterogeneous security to achieve high-security processing of edge data and effectively prevent the risks brought by external attacks and self-generated bugs.

Description

High-safety equipment configuration method and device based on heterogeneous verification
Technical Field
The invention belongs to the technical field of data security, and relates to a high-security device configuration method and device based on heterogeneous verification.
Background
At present, a gateway device generally needs an external server to configure its services and interface data. A general industrial gateway usually needs two services, startup configuration and configuration update. Configuration data is the most critical data of the gateway, and its security is extremely important. Currently, the gateway device's own vulnerabilities and external attacks make configuration data and procedures unreliable.
Disclosure of Invention
In order to solve the technical problems in the prior art, the invention provides a high-security device configuration method and device based on heterogeneous verification, which realize data calculation and control of an edge data plane in a gateway device and achieve high-security processing of edge data by using an active defense mode of heterogeneous security. The specific technical scheme is as follows:
A high-security device configuration method based on heterogeneous verification comprises the following steps:
Step one, a remote configuration client issues authority verification messages and configuration files to a plurality of configuration processing modules;
Step two, after all the authority checks of the configuration files pass, the plurality of configuration processing modules receive the configuration files, convert the configuration files into configuration data and send the configuration data to the configuration issuing module;
Step three, the configuration issuing module receives the configuration data, performs configuration verification, and issues the configuration data after the verification passes.
Further, the plurality of configuration processing modules are heterogeneous in hardware and identical in function; each configuration processing module has an independent authority verification mechanism and an independent authentication password, and the modules are independent of one another. The heterogeneous hardware comprises processors of the X86, ARM and MIPS architectures, the operating systems comprise Windows, Ubuntu and CentOS, and the identical function means that each module runs the configuration processing software using a program written in C++ or Python.
Further, step two specifically includes the following substeps:
Step 1, the plurality of configuration processing modules receive configuration authority verification data, verify the corresponding authorities, and enter the authority verification state from the waiting state;
Step 2, if all the configuration processing modules pass the authority verification, they receive the configuration file, read the information of the configuration file, convert the information into configuration data, and send the configuration data to the configuration issuing module, which performs the configuration issuing; otherwise, they enter the waiting-for-authority-verification state.
Furthermore, the authority verification modes of different configuration processing modules are different, and the authentication passwords of different configuration processing modules are different; only when every configuration processing module passes the verification does the configuration issuing module acquire the permission for the configuration operation, so as to modify and issue the configuration.
Further, step three specifically includes:
The configuration issuing module receives the configuration data sent by each configuration processing module and checks and validates each item of configuration data. When the contents of the configuration data sent by all the configuration processing modules are consistent, the configuration takes effect; when the configuration data of one configuration processing module is missing, or the content of the configuration data of at least one configuration processing module is inconsistent with that of the other configuration processing modules, the configuration does not take effect.
Furthermore, the authority verification modes of the different configuration processing modules comprise at least two of AES 128-bit encryption, hash encryption and certificate authentication.
A high-security device configuration apparatus based on heterogeneous verification comprises one or more processors and is used for implementing the high-security device configuration method based on heterogeneous verification.
A computer-readable storage medium has stored thereon a program which, when executed by a processor, implements the high-security device configuration method based on heterogeneous verification.
The invention has the following beneficial effects:
The invention uses an active defense mode of heterogeneous security to achieve high-security processing of edge data and effectively prevent the risks brought by external attacks and self-generated bugs.
Drawings
FIG. 1 is a block diagram of a heterogeneous edge data plane data processing module according to the present invention;
FIG. 2 is a flow chart of the present invention implementing edge data processing;
FIG. 3 is a schematic diagram illustrating a configuration module privilege verification process according to the present invention;
FIG. 4 is a schematic diagram of a configuration issuing process of the configuration issuing module according to the present invention;
FIG. 5 is a schematic diagram of mutual authentication of configuration processing modules according to the present invention;
FIG. 6 is a block diagram of a high security device configuration apparatus based on heterogeneous check according to the present invention.
Detailed Description
In order to make the objects, technical solutions and technical effects of the present invention more clearly apparent, the present invention is further described in detail below with reference to the accompanying drawings and examples.
As shown in FIG. 1, the high-security device configuration method based on heterogeneous verification according to the present invention includes the following steps:
Step one, a user issuing service module issues configuration files to n configuration processing modules;
Step two, after all the authority checks of the configuration files pass, the n configuration processing modules receive the configuration files, convert the configuration files into configuration data and send the configuration data to the configuration issuing module;
Step three, the configuration issuing module performs configuration verification after receiving the configuration data and issues the configuration data after the verification passes. Specifically, the configuration issuing module receives the configuration data sent by each configuration processing module and checks and validates each item of configuration data; it judges that the configuration takes effect only when the configuration data sent by all the configuration processing modules are the same. If the data of one configuration processing module is missing or the data of a configuration processing module is incorrect, the configuration does not take effect.
The n configuration processing modules have different hardware and the same functions; each configuration processing module has an independent authority verification mechanism and an independent authentication password, and the modules are independent of one another. In this embodiment, three configuration processing modules use processors with different hardware structures, namely the X86, ARM and MIPS architectures; the operating systems are Windows, Ubuntu and CentOS; and the same function is realized by running the configuration processing module software using programs written in C++ or Python. The configuration processing modules with the same structure and functions carry out dynamically redundant permission verification. Each heterogeneous processing module has both the permission verification function and the configuration issuing function, but the verification mode and the password used for permission verification are completely different between modules, while the configuration issuing function and the data are exactly the same. Configuration issuing is realized on the basis of this mechanism.
As shown in FIG. 5, before the configuration processing modules perform the external permission verification, one configuration processing module is chosen by internal election to carry out mutual authentication of all the configuration processing modules. The elected module is configuration processing module x. Module x sends verification question information to all the configuration processing modules; the other configuration processing modules parse the question according to their presets, respond, and return mutual authentication and verification information. After mutual authentication is obtained, the configuration processing modules that pass the authentication perform the subsequent external permission verification processing and configuration issuing functions.
FIG. 2 shows the operating flow of the configuration processing module. The configuration processing module is in the waiting-for-authority-verification state when no configuration operation is needed. When a configuration operation is needed, it receives configuration authority verification data, verifies the corresponding authority according to that data, and enters the authority verification state. It sends the configuration file data to the device after the verification passes; otherwise, it returns to the waiting-for-authority-verification state.
The 3 configuration processing modules adopt different permission verification methods. Configuration processing module one adopts common password verification, for example AES 128-bit encryption; configuration processing module two adopts hash encryption to carry out password verification; configuration processing module three adopts certificate authentication. Only when the authority verification of all three modules passes can the authority for the configuration operation be acquired and the configuration be modified and issued.
The configuration file received by the configuration processing module is in JSON format, which is highly readable. Its content includes the basic configuration of the device, such as IP information and network connection; the associated serial port configuration, such as serial port baud rate and parity check; and the associated CAN port configuration, network port configuration and the like. The configuration processing module reads the received configuration file information, performs configuration data conversion on the configuration file according to the associated interface or module, and converts the configuration file information into the specific configuration data that the device reads and writes. For example, setting the baud rate of a serial port requires writing to the interface configuration address of that serial port; network port configuration data is parsed and then written into the corresponding network port configuration address. If decryption or verification in a configuration processing module fails, that module does not send configuration data.
As shown in FIG. 3, the configuration processing module is in the waiting-for-configuration-message state before configuration data arrives and must perform permission verification before receiving the configuration message. After receiving the permission verification sent by the remote configuration client, each module performs its own independent permission verification, and the modules receive the configuration message sent by the remote configuration client only after all the independent permission verifications pass.
As shown in FIG. 4, the configuration issuing module is always in the waiting-for-configuration-message state before the configuration data arrives. After receiving the configuration file sent by the remote configuration client, it performs a configuration self-check and determines whether configuration data has been received from the 3 configuration processing modules. If one configuration processing module does not send data, or the data sent by the 3 configuration processing modules are inconsistent, it does not issue the configuration data and returns to the waiting-for-configuration-message state. Only if the configuration messages sent by the 3 configuration processing modules are all successfully received and the data are consistent are the configuration messages issued. The configuration issuing process is executed only after the permission verification of the configuration issuing module passes. For example, if the configuration self-verification of configuration processing module one does not pass, the configuration issuing module does not issue the configuration data: when only configuration processing module two and configuration processing module three send configuration data, the configuration data of the final device cannot be issued or updated because configuration data is missing.
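The all-pass permission gate and the issuing module's consistency check described above can be modelled as follows. This is an added example, not code from the patent: the AES, hash and certificate checks are replaced by three different standard-library stand-ins (salted SHA-256, PBKDF2 and an HMAC tag), and all module names, credentials and JSON field names are constructed for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample configuration file; the field names are assumptions.
SAMPLE_CONFIG = json.dumps({
    "network": {"ip": "192.0.2.10", "mask": "255.255.255.0"},
    "serial": {"port": 1, "baud_rate": 115200, "parity": "none"},
})


def convert(config_text: str) -> bytes:
    """Stand-in for configuration data conversion: canonical JSON bytes, so
    independently implemented modules produce byte-identical output."""
    parsed = json.loads(config_text)
    return json.dumps(parsed, sort_keys=True, separators=(",", ":")).encode()


# Three deliberately different verification mechanisms (stand-ins, see lead-in).
def salted_hash_verifier(salt: bytes, digest: bytes) -> Callable[[bytes], bool]:
    return lambda cred: hmac.compare_digest(
        hashlib.sha256(salt + cred).digest(), digest)


def pbkdf2_verifier(salt: bytes, digest: bytes) -> Callable[[bytes], bool]:
    return lambda cred: hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", cred, salt, 10_000), digest)


def hmac_tag_verifier(key: bytes, challenge: bytes) -> Callable[[bytes], bool]:
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return lambda tag: hmac.compare_digest(expected, tag)


@dataclass
class ProcessingModule:
    name: str
    verify: Callable[[bytes], bool]                        # independent check
    converter: Callable[[str], Optional[bytes]] = convert  # same function everywhere


def issue(outputs: Dict[str, Optional[bytes]],
          expected: List[str]) -> Tuple[bool, str, Optional[bytes]]:
    """Issuing module: fail closed unless every module delivered identical data."""
    if any(outputs.get(name) is None for name in expected):
        return False, "missing", None
    digests = {hashlib.sha256(outputs[name]).hexdigest() for name in expected}
    if len(digests) != 1:
        return False, "inconsistent", None
    return True, "issued", outputs[expected[0]]


def configure(modules: List[ProcessingModule], credentials: Dict[str, bytes],
              config_text: str) -> Tuple[bool, str, Optional[bytes]]:
    # Every module checks its own credential; one failure blocks all of them,
    # and the configuration file is never handed to any module.
    failed = [m.name for m in modules
              if not m.verify(credentials.get(m.name, b""))]
    if failed:
        return False, "authority", None
    outputs: Dict[str, Optional[bytes]] = {}
    for m in modules:
        try:
            outputs[m.name] = m.converter(config_text)
        except ValueError:            # a module that cannot parse sends nothing
            outputs[m.name] = None
    return issue(outputs, [m.name for m in modules])


def build_demo() -> Tuple[List[ProcessingModule], Dict[str, bytes]]:
    """Constructed modules and matching credentials for the three mechanisms."""
    s1, s2 = b"salt-one", b"salt-two"
    p1, p2 = b"module-one-password", b"module-two-password"
    key3, challenge = b"module-three-key", b"constructed-challenge"
    modules = [
        ProcessingModule("module-1", salted_hash_verifier(
            s1, hashlib.sha256(s1 + p1).digest())),
        ProcessingModule("module-2", pbkdf2_verifier(
            s2, hashlib.pbkdf2_hmac("sha256", p2, s2, 10_000))),
        ProcessingModule("module-3", hmac_tag_verifier(key3, challenge)),
    ]
    credentials = {
        "module-1": p1,
        "module-2": p2,
        "module-3": hmac.new(key3, challenge, hashlib.sha256).digest(),
    }
    return modules, credentials


if __name__ == "__main__":
    mods, creds = build_demo()
    print(configure(mods, creds, SAMPLE_CONFIG)[:2])
```

Comparing canonical bytes rather than parsed objects means any divergence in one module's output, whether from a fault or a compromise, blocks issuing instead of being outvoted.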
Corresponding to the embodiment of the high-safety device configuration method based on the heterogeneous verification, the invention also provides an embodiment of a high-safety device configuration device based on the heterogeneous verification.
Referring to fig. 6, an apparatus for configuring a high security device based on a heterogeneous check provided in an embodiment of the present invention includes one or more processors, and is configured to implement the method for configuring a high security device based on a heterogeneous check in the foregoing embodiment.
The embodiment of the high-security device configuration apparatus based on heterogeneous verification of the present invention can be applied to any device with data processing capability, such as a computer or other devices or apparatuses. The apparatus embodiments may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the apparatus, as a logical device, is formed by the processor of the device with data processing capability reading the corresponding computer program instructions from the nonvolatile memory into memory and running them. In terms of hardware, FIG. 6 shows a hardware structure diagram of a device with data processing capability on which the high-security device configuration apparatus based on heterogeneous check is located. In addition to the processor, the memory, the network interface and the nonvolatile memory shown in FIG. 6, the device on which the apparatus is located may also include other hardware according to the actual function of that device, which is not described again.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the invention. One of ordinary skill in the art can understand and implement it without inventive effort.
An embodiment of the present invention further provides a computer-readable storage medium, on which a program is stored, where the program, when executed by a processor, implements the high security device configuration method based on heterogeneous check in the foregoing embodiments.
The computer readable storage medium may be an internal storage unit, such as a hard disk or a memory, of any data processing capability device described in any of the foregoing embodiments. The computer readable storage medium may also be an external storage device of the wind turbine, such as a plug-in hard disk, a Smart Media Card (SMC), an SD Card, a Flash memory Card (Flash Card), and the like, provided on the device. Further, the computer readable storage medium may include both an internal storage unit and an external storage device of any data processing capable device. The computer-readable storage medium is used for storing the computer program and other programs and data required by the arbitrary data processing-capable device, and may also be used for temporarily storing data that has been output or is to be output.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way. Although the foregoing has described the practice of the present invention in detail, it will be apparent to those skilled in the art that modifications may be made to the practice of the invention as described in the foregoing examples, or that certain features may be substituted in the practice of the invention. All changes, equivalents and modifications which come within the spirit and scope of the invention are desired to be protected.

Claims (5)

1. A high-safety equipment configuration method based on heterogeneous verification is characterized by comprising the following steps:
step one, a remote configuration client is used for issuing authority verification messages and configuration files to a plurality of configuration processing modules;
step two, after all the authority checks of the configuration files pass, the plurality of configuration processing modules receive the configuration files, convert the configuration files into configuration data and send the configuration data to the configuration issuing module; the method specifically comprises the following steps:
step 1, a plurality of configuration processing modules receive configuration authority verification data, verify corresponding authorities and enter an authority verification state from a waiting state;
step 2, if all the configuration processing modules pass the authority verification, receiving a configuration file, reading the information of the configuration file, converting the information into configuration data, sending the configuration data to a configuration issuing module, and performing configuration issuing through the configuration issuing module; otherwise, entering a waiting authority verification state;
step three, the configuration issuing module receives the configuration data and then performs configuration verification, and issues the configuration data after the verification is passed;
the multiple configuration processing modules are heterogeneous in hardware and have the same function, each configuration processing module is provided with an independent authority verification mechanism and an independent authentication password, and each configuration processing module is independent of each other, wherein the heterogeneous hardware comprises a processor with an X86, ARM and MIPS architecture, an operating system adopts Windows, Ubuntu and CentOS, and the same function is that a program written in C++ or Python is used for running configuration processing software;
the authority verification modes of different configuration processing modules are different, and the authentication passwords of different configuration processing modules are different; and when each configuration processing module passes the verification, the configuration issuing module acquires the permission of configuration operation so as to modify and issue the configuration.
2. The high-security device configuration method based on heterogeneous verification as claimed in claim 1, wherein the configuration issuing module receives the configuration data sent by each configuration processing module and verifies and validates each configuration data, wherein when the contents of the configuration data sent by all the configuration processing modules are consistent, the configuration is validated; when the configuration data of one configuration processing module is missing or the content of the configuration data of at least one configuration processing module is inconsistent with the content of the configuration data of other configuration processing modules, the configuration is not effective.
3. The method as claimed in claim 1, wherein the permission verification modes of different configuration processing modules include at least two of AES 128-bit encryption, hash encryption and certificate authentication.
4. An apparatus for configuring a high security device based on heterogeneous check, comprising one or more processors configured to implement the method for configuring a high security device based on heterogeneous check of any one of claims 1 to 3.
5. A computer-readable storage medium, having stored thereon a program which, when executed by a processor, implements the high security device configuration method based on heterogeneous check of any one of claims 1 to 3.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111497255.XA CN113904934B (en) 2021-12-09 2021-12-09 High-safety equipment configuration method and device based on heterogeneous verification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111497255.XA CN113904934B (en) 2021-12-09 2021-12-09 High-safety equipment configuration method and device based on heterogeneous verification

Publications (2)

Publication Number Publication Date
CN113904934A (en) 2022-01-07
CN113904934B (en) 2022-04-08

Family

ID=79025627

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111497255.XA Active CN113904934B (en) 2021-12-09 2021-12-09 High-safety equipment configuration method and device based on heterogeneous verification

Country Status (1)

Country Link
CN (1) CN113904934B (en)

Also Published As

Publication number Publication date
CN113904934A (en) 2022-01-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant