CN113919003A - Information security protection method and system based on urban rail PaaS platform - Google Patents
Information security protection method and system based on urban rail PaaS platform Download PDFInfo
- Publication number
- CN113919003A CN113919003A CN202111178321.7A CN202111178321A CN113919003A CN 113919003 A CN113919003 A CN 113919003A CN 202111178321 A CN202111178321 A CN 202111178321A CN 113919003 A CN113919003 A CN 113919003A
- Authority
- CN
- China
- Prior art keywords
- data
- paas platform
- verification
- urban rail
- target data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Abstract
The invention provides an information security protection method and system based on an urban rail PaaS platform, wherein the method comprises the following steps: deploying a server cipher machine to an urban rail PaaS platform; receiving a data processing micro-service request, and carrying out information safety protection verification on target data based on the server cipher machine; wherein the target data is determined according to data carried in the data processing microservice request; the information security check at least comprises encryption and decryption check, data check and signature check. The system performs the method. According to the invention, the cipher machine is deployed on the PaaS platform, the integrity and the tampering are improved through data verification, the anti-denial property is improved through signature verification and verification, and the confidentiality is improved through encryption and decryption, so that the data security capability of the urban rail PaaS platform is improved.
Description
Technical Field
The invention relates to the technical field of rail transit, in particular to an information security protection method and system based on an urban rail PaaS platform.
Background
An urban rail Platform and service (PaaS) Platform is a PaaS Platform which is iteratively developed according to rail transit characteristics in the urban rail transit industry and bears rail transit service application. Based on Infrastructure as a Service (IaaS) layer computing, storing and network resource pool, a platform capable of uniformly bearing applications in different Service fields in a rail transit industry safety production network, an internal management network and an external Service network is realized through a micro-Service technology, wherein the platform comprises data acquisition, data integration, data conversion, data storage, data application and the like. The PaaS platform acquires state monitoring data of key infrastructure equipment in a safety production network, an internal management network and an external service network through data acquisition equipment and application, acquires unstructured, semi-structured, structured and other data of various business applications, then performs data processing such as protocol analysis, data conversion, flow processing and the like, stores the data in the data platform, is used for supporting upper-layer intelligent applications such as asset equipment full-life-cycle management, predictive fault detection and maintenance, data sharing, business flow management and the like, and achieves the purposes of reducing operation and maintenance cost and management cost, optimizing business flow, improving operation and maintenance efficiency and management efficiency and the like.
How to guarantee the data security capability of the PaaS platform is a problem which needs to be solved urgently at present.
Disclosure of Invention
The information security protection method and system based on the urban rail PaaS platform are used for solving the problems in the prior art, and improve the integrity and prevent tampering by deploying the cipher machine on the PaaS platform, improve the anti-denial property by verifying the signature and verifying the signature, and improve the confidentiality by encrypting and decrypting, thereby improving the data security of the urban rail PaaS platform.
The invention provides an information security protection method based on an urban rail PaaS platform, which comprises the following steps:
deploying a server cipher machine to an urban rail PaaS platform;
receiving a data processing micro-service request, and carrying out information safety protection verification on target data based on the server cipher machine;
wherein the target data is determined according to data carried in the data processing microservice request;
the information security check at least comprises encryption and decryption check, data check and signature check.
According to the information security protection method based on the urban rail PaaS platform, the method for deploying the server cipher machine to the urban rail PaaS platform comprises the following steps:
integrating the server cipher machine to the PaaS platform based on a software development kit of the server cipher machine;
packaging a software interface of the server cipher machine into a data processing application program interface API of the PaaS platform;
opening the data processing API into data processing microservices on the basis of microservice technology on a SaaS layer;
and packaging the data processing microservices into a container mirror image, and operating the data processing microservices based on the container mirror image.
According to the information security protection method based on the urban rail PaaS platform, the method for receiving the data processing micro-service request and carrying out information security protection verification on the target data based on the server cipher machine comprises the following steps:
receiving the data processing micro-service request;
and responding to the data processing microservice request based on the data processing microservice called by the server cipher machine so as to perform the encryption and decryption verification, the data verification and the signature verification on the target data.
According to the information security protection method based on the urban rail PaaS platform, the encryption and decryption verification of the target data comprises the following steps:
importing a session key of the server cipher machine;
encrypting the target data based on a preset encryption algorithm;
decrypting the encrypted target data based on a preset decryption algorithm;
logging off the session key. According to the information security protection method based on the urban rail PaaS platform, the data verification of the target data comprises the following steps:
initializing the session of the server cipher machine, and allocating a first computing resource for the data verification;
according to the first computing resource, acquiring a first message hash value of the target data based on a message digest algorithm;
and comparing the first message hash values obtained for multiple times so as to carry out the data verification on the target data.
According to the information security protection method based on the urban rail PaaS platform, the signature verification and verification are carried out on the target data, and the method comprises the following steps:
generating a public key and a private key of the target data based on the server cipher machine;
initializing the session of the server cipher machine, and allocating second computing resources for signature verification and verification;
acquiring a second message hash value of the target data according to the second computing resource and based on the public key and a message digest algorithm;
determining a signature code of the target data based on the private key and the second message hash value;
and checking the signature of the target data according to the public key and the signature code.
The invention also provides an information safety protection system based on the urban rail PaaS platform, which comprises the following steps: a deployment module and a protection module;
the deployment module is used for deploying the server cipher machine to the urban rail PaaS platform;
the protection module is used for receiving a data processing micro-service request and carrying out information safety protection verification on target data based on the server cipher machine;
wherein the target data is determined according to data carried in the data processing microservice request;
the information security check at least comprises encryption and decryption check, data check and signature check.
The invention also provides electronic equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the steps of any one of the above information security protection methods based on the urban rail PaaS platform when executing the program.
The present invention also provides a non-transitory computer readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the above-mentioned urban rail PaaS platform-based information security protection method.
The invention also provides a computer program product, which comprises a computer program, wherein the computer program realizes the steps of any one of the above information security protection methods based on the urban rail PaaS platform when being executed by a processor.
According to the information security protection method and system based on the urban rail PaaS platform, the cipher machine is deployed on the PaaS platform, the integrity and the tampering are improved through data verification, the resistance to the denial is improved through verification of signature verification, and the data confidentiality is improved through encryption and decryption, so that the data security capability of the urban rail PaaS platform is improved.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of an information security protection method based on an urban rail PaaS platform according to the present invention;
FIG. 2 is a schematic flow chart of data encryption/decryption verification provided by the present invention;
FIG. 3 is a schematic flow chart of data verification provided by the present invention;
FIG. 4 is a schematic flow chart of data signature provided by the present invention;
FIG. 5 is a schematic flow chart of data verification provided by the present invention;
fig. 6 is a schematic structural diagram of an information security protection system based on an urban rail PaaS platform provided in the present invention;
fig. 7 is a schematic physical structure diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides an information safety protection method based on an urban rail PaaS platform, which integrates a set of data safety solution scheme for improving data availability, integrity and confidentiality in the urban rail PaaS platform to ensure data safety, and is specifically realized as follows:
fig. 1 is a schematic flow diagram of an information security protection method based on an urban rail PaaS platform, and as shown in fig. 1, the method includes:
s1, deploying the server cipher machine to an urban rail PaaS platform;
s2, receiving a data processing micro-service request, and carrying out information security protection verification on target data based on a server cipher machine;
the target data is determined according to data carried in the data processing microservice request;
the information security check at least comprises encryption and decryption check, data check and signature check.
It should be noted that the execution subject of the method may be a computer device.
Optionally, the server cryptographic engine is deployed on the urban rail PaaS platform, and according to the received data processing micro-service request, the server cryptographic engine deployed on the urban rail PaaS platform is called, the data processing micro-service request is responded, and information security protection verification such as encryption and decryption verification, data verification and signature verification is performed on data (namely target data) carried in the data processing micro-service request.
The server cipher machine supports the cipher devices of a group cipher algorithm SM1 algorithm, an asymmetric cipher algorithm SM2 algorithm, a message digest algorithm SM3 algorithm, a symmetric cipher algorithm SM4 algorithm and a ZUC grand algorithm, meets the relevant standard specifications of GM/T0018-2012 cryptographic device application interface specification, GM/T0019-2012 universal cipher service interface specification and GM/T0020 plus 2012 certificate application integrated service interface specification, can support the heavy point information system to use the cryptographic algorithms to perform data encryption, decryption, data verification and other processing, and can be integrated into various security application systems. The cryptographic algorithm is used in the information system, which is beneficial to ensuring the safety of the important information system.
Based on the cryptographic algorithm, the algorithm functions of symmetry, asymmetry, abstract and the like are respectively realized, and the cryptographic algorithm is particularly suitable for being applied to related fields of embedded Internet of things and the like to complete the functions of identity authentication, data encryption and decryption and the like. Among them, the SM1 algorithm, the SM2 algorithm, the SM3 algorithm, and the SM4 algorithm all have a key length and a packet length of 128 bits. The encryption strength of the SM1 algorithm is equivalent to the AES algorithm; the SM2 algorithm is realized based on an elliptic encryption algorithm (ECC) algorithm, and is equivalent to an asymmetric encryption algorithm (RSA); the SM3 algorithm is relative to the message digest algorithm MD 5. The identification cipher algorithm SM9 algorithm may be used in addition to the encryption algorithm described above.
According to the information security protection method based on the urban rail PaaS platform, the cipher machine is deployed on the PaaS platform, the integrity and the tampering are improved through data verification, the resistance to the denial is improved through verification of signature verification, and the data confidentiality is improved through encryption and decryption, so that the data security capability of the urban rail PaaS platform is improved.
Further, in an embodiment, the step S1 may specifically include:
s11, integrating the server cipher machine to the PaaS platform based on a software development kit of the server cipher machine;
s12, packaging a software interface of the server cipher machine into a data processing Application Program Interface (API) of the PaaS platform;
s13, opening a data processing API into a data processing microservice on the basis of microservice technology on the SaaS layer;
s14, packaging the data processing micro-service into a container mirror image, and operating the data processing micro-service based on the container mirror image.
Optionally, the server crypto-machine is integrated into the urban rail PaaS platform via a Software Development Kit (SDK) that is compatible with the server crypto-machine.
The server cipher machine conforms to the relevant standard specifications of GM/T0018-2012 code equipment application interface specification, GM/T0019-2012 general cipher service interface specification, GM/T0020-. The server cipher machine application interface comprises six categories of an equipment management function, a key management function, an asymmetric algorithm operation function, a symmetric algorithm operation function, a hash operation function and a user file operation function, and can be flexibly called by external services according to service requirements.
Java, C #, and Python, commonly used high-level Programming languages, may be used to repackage the software interfaces of the server crypto-machine into an Application Programming Interface (API) for the PaaS platform in urban rail.
The SDK of the server cipher machine is realized by C/C + + bottom programming language, most of actual services are realized by common high-level programming languages such as Java, C # and Python, and the high-level programming language is required to be repackaged into the data processing API by the high-level programming language in view of unified specification of the SDK and API specification, so that service calling is facilitated.
The example of the C/C + + bottom layer SDK carried by the server crypto machine is as follows:
device management class function/. The device management class function >
int Sec_GetDeviceInfo();
int Sec_GenerateRandom();
V key management class function
int Sec_GenerateKeyPair_RSA();
int Sec_GenerateKeyPair_ECC();
V. asymmetric Algorithm operation class function
int Sec_ExternalPublicKeyOperation_RSA();
int Sec_ExternalEncrypt_ECC();
int Sec_ExternalDecrypt_ECC();
V. symmetric Algorithm operation class function
int Sec_Encrypt();
int Sec_Decrypt();
V hash operation class function
int Sec_HashInit();
int Sec_HashUpdate();
int Sec_HashFinal();
V. user File operation class function +
int Sec_CreateFile();
int Sec_ReadFile();
int Sec_WriteFile();
int Sec_DeleteFile();
Repackaging into a data processing API example using a high level programming language, as follows:
device management class function/. The device management class function >
int Sec_GetDeviceInfo();
int Sec_GenerateRandom();
V key management class function
int Sec_GenerateKeyPair_RSA();
int Sec_GenerateKeyPair_ECC();
V. asymmetric Algorithm operation class function
int Sec_ExternalPublicKeyOperation_RSA();
int Sec_ExternalEncrypt_ECC();
int Sec_ExternalDecrypt_ECC();
V. symmetric Algorithm operation class function
int Sec_Encrypt();
int Sec_Decrypt();
V hash operation class function
int Sec_HashInit();
int Sec_HashUpdate();
int Sec_HashFinal();
V. user File operation class function +
int Sec_CreateFile();
int Sec_ReadFile();
int Sec_WriteFile();
int Sec_DeleteFile();
And a micro-service technology is used in the SaaS layer to open the data processing API of the urban rail PaaS into a data processing micro-service.
The micro-service technology is established on the container technology, and the micro-service architecture is relative to a single application, and divides the application or service into a plurality of fine-grained and loosely-coupled service components, and through the flexible combination of different service components, rapid iteration is performed through continuous integration and continuous deployment, and dynamic scheduling of services and resources is performed, so that the variable requirements of users are rapidly responded.
An example of a data processing microservice (Python language) is as follows:
an example of a data processing microservice (Java language) is as follows:
@RestController
public class Sec_API{
@RequestMapping("/api/sec_externalencrypt_ecc")
public String sec_externalencrypt_ecc(@RequestParam("data")String data){
String response_json;
try{
Sec sec=new Sec();
char[]result=Sec.ExternalEncrypt_ECC(data);
response_json=String.copyValueOf(result);
)catch(Exception ex){
return null;
}
return response_json;
}
}
the data processing microservices are packaged into container images using container technology.
And executing the container building command to build a container mirror image to prepare for the next step of running the service.
The container technology mainly uses a virtualization technology to optimize the utilization rate of computing resources, and is different from a Hypervisor virtualization technology, research results show that compared with the Hypervisor, the container technology has a great improvement on a plurality of key indexes, has better performance than the Hypervisor in a plurality of fields, has almost twice the running speed of the container technology and has performance close to a local operating system.
The build-time process outputs, examples are as follows:
Sending build context to Docker daemon 3.64MB
step1/9 FROM "File directory"/ubuntu 19.04_ jdk1.8_ tomcat-8.5.45v1.0
--->288dca7dd3db
Step 2/9: MAINTAINER "File directory" < Web site >
--->Using cache
--->36809a809842
Step 3/9:ENV REFRESHED_AT 2021-08-17
--->Using cache
--->e8e5776d2503
Step4/9:VOLUME/JavaSec
--->Using cache
--->442fa1f91a2d
Step5/9:COPY./JavaSec_Demo/*.sh/JavaSec/
--->Using cache
--->93ca3cbf7d2b
Step6/9:ADD./JavaSec/JavaSec-1.0.tar.gz$CATALINA_HOME/web apps
--->Using cache
--->edc63825168b
Step7/9:ENVJavaSec_HOME
$CATALINA_HOME/webapps/JavaSec
--->Running in 275c07065393
--->d8802295832a
Removing intermediate container 275c07065393
Step8/9:EXPOSE 8080
--->Running in e23b9e271e93
--->fbe34fae70f2
Removing intermediate container e23b9e271e93
Step9/9:ENTRYPOINT$CATALINA_HOME/bin/startup.sh
--->Running in e0609b5de44c
--->473698897592
Removing intermediate container e0609b5de44c
Successfully built 473698897592
If an error occurs, an error prompt message is prompted, and the Dockerfile file is modified according to the error prompt and then is built for many times. After the construction is successful, the background prompts 'success build'.
An example of a command to view the constructed mirror information is as follows:
#docker images
and (3) outputting:
REPOSITORY TAG IMAGE ID CREATED SIZE "File directory"/ubuntu 19.04_ jdk1.8_ tomcat-8.5.45_ javasec v1.04736989759257minutes ago 494MB 494
"File directory"/ubuntu 19.04_ jdk1.8_ tomcat-8.5.45 v1.0288dca 7dd3db 5minutes ago 491MB
"File directory"/ubuntu 19.04_ jdk1.8.0_221 v1.05324ff0f2c886seconds ago 477MB 477
docker.io/ubuntu 19.04a157bb381987 34hours ago 70MB
The method comprises the following steps of running and issuing a data processing microservice based on a container mirror image of the data processing microservice in a software as a service (SaaS) platform:
# # creates a namespace
#kubectl create-f 01.javasec.namespace-development.yaml
#kubectl get namespaces
The # should create Service first and then RC
Defining Context runtime Environment ##
# development Environment
#kubectl config set-context ctx-javasec-dev--namespace=javasec-development--cluster=kubernetes-cluster--user=jav asec-dev
#kubectl config view
The # set workgroup works in a specific Context, i.e. specifies the current running Context
##kubectl config use-context ctx-javasec-dev
# Create Pod and Service of an application
#kubectl create-f 04-01.javasec.appserver.pod.yaml
#kubectl create-f 04-02.javasec.appserver.service-nodePort.yaml
#kubectl create-f 04-03.javasec.appserver.rc.yaml
# automatic expansion
#kubectl create-f 05.javasec.appserver.hpa.yaml
According to the information security protection method based on the urban rail PaaS platform, the server encryption machine is integrated based on the urban rail PaaS, the data encryption and decryption and data verification capabilities of the urban rail PaaS are improved, the PaaS platform is linked with the hardware and software interface of the server encryption machine, the dynamic change of the data processing micro-service request can be processed according to business application, and the response quantity of the data processing micro-service request can be automatically and dynamically adjusted.
Further, in an embodiment, the step S2 may specifically include:
s21, receiving a data processing micro-service request;
and S22, responding to the data processing micro-service request based on the data processing micro-service called by the server cipher machine to perform encryption/decryption verification, data verification and signature verification on the target data.
Optionally, a data processing micro-service request is received, and the data processing micro-service request is responded based on the data processing micro-service called by the server cipher machine, so as to complete encryption and decryption verification, data verification and signature verification of the target data.
The data processing micro service can be called through service applications (such as data acquisition, data integration, data conversion, data storage and data application) or other micro services to respond to a data processing micro service request and complete encryption and decryption verification, data verification and signature verification of target data.
According to the information safety protection method based on the urban rail PaaS platform, the urban rail PaaS platform is linked with the hardware and software interface of the server cipher machine, processes the data processing micro-service request according to the service application, and improves the usability of the data through the data backup reduction and load balancing technology of the urban rail PaaS platform.
Further, in an embodiment, the encrypting and decrypting the target data in step S22 may specifically include:
s220, importing a session key of the server cipher machine;
s221, encrypting the target data based on a preset encryption algorithm;
s222, decrypting the encrypted target data based on a preset decryption algorithm;
and S223, logging off the session key.
Optionally, the confidentiality of the target data is protected by a symmetric cryptographic algorithm or an asymmetric cryptographic algorithm. Calling a preset encryption and decryption algorithm of the server cryptographic engine, such as an SM1 or SM4 symmetric block cipher algorithm, to perform encryption and decryption operations on the target data, as shown in fig. 2:
the service application can call the packaged Sec _ ImportKeyWithISK _ ECC API, a session key of the server cipher machine is imported, and whether the Sec _ ImportKeyWithISK _ ECC API can be successfully called or not is determined according to a return value of the packaged Sec _ ImportKeyWithISK _ ECC API; if the return value is 0, the call is successfully called.
Setting the type of the encryption and decryption algorithm as SM1 algorithm or SM4 algorithm, mode and IV value (key length of the encryption and decryption algorithm), calling Sec _ Encrypt API to Encrypt target data, calling Sec _ Decrypt API to Decrypt the encrypted target data, and calling Sec _ DestroyKey API to logout a session key after completing the encryption and decryption operation of the target data.
According to the information security protection method based on the urban rail PaaS platform, the server cipher machine is integrated in the urban rail PaaS platform, the processing capacity of encrypted and decrypted data is opened into a public service API (application program interface) for service calling, and the data confidentiality of the urban rail PaaS platform is improved through data encryption and decryption.
Further, in an embodiment, the data verification performed on the target data in step S22 may specifically include:
s224, initializing the session of the server cipher machine, and distributing first computing resources for data verification;
s225, acquiring a first message hash value of the target data based on a message digest algorithm according to the first computing resource;
and S226, comparing the hash values of the first message obtained for multiple times to check the target data.
Optionally, as shown in fig. 3, a prepackaged Sec _ HashInit API is called, a session of the server crypto engine is initialized, a first computing resource is allocated for data verification, based on the first computing resource, the prepackaged Sec _ HashUpdate API is called to compute a first message hash value of the target data, and whether the Sec _ HashUpdate API is successfully called is determined by a return value of the Sec _ HashUpdate API, and if the return value is 0, the calling is successful.
And then calling the pre-packaged Sec _ HashFinal API to return a first message hash value of the target data, and finishing the data verification of the target data by comparing the obtained first message hash values for multiple times.
According to the information security protection method based on the urban rail PaaS platform, the server cipher machine is integrated in the urban rail PaaS platform, the data inspection processing capacity is opened into a public service API for service calling, and the urban rail PaaS platform can guarantee the integrity of data and prevent the data from being tampered through data verification.
Further, in an embodiment, the signature verification performed on the target data in step S22 may specifically include:
s227, generating a public key and a private key of the target data based on the server cipher machine;
s228, initializing the session of the server cipher machine, and distributing second computing resources for signature verification and verification;
acquiring a second message hash value of the target data based on the public key and a message digest algorithm according to the second computing resource;
s229, determining a signature code of the target data based on the private key and the second message hash value;
and checking the target data according to the public key and the signature code.
Alternatively, as shown in fig. 4, the public key and the private key of the target data are generated based on the server crypto engine;
and calling the pre-packaged Sec _ HashInit API, initializing the session of the server cipher machine, allocating a second computing resource for data verification, and calling the pre-packaged Sec _ HashUpdate API to compute a second message hash value of the target data based on the second computing resource.
Then, calling a pre-packaged Sec _ HashFinal API to return a second message hash value of the target data, and acquiring the second message hash value of the target data based on a public key and a message digest algorithm according to a second computing resource;
and calling the pre-packaged Sec _ GetPrivateKeyAccess Right API to acquire the private key use right.
If the return value of the Sec _ GetPrivateKeyAccessRight API is 0, the Sec _ GetPrivateKeyAccessRight API is successfully called, the signature code of the target data is calculated based on the private key and the second message hash value to complete the signature of the target data, and then the use right of the private key is released by calling the packaged Sec _ ReleasePrivateKeyAccessRight API.
Finally, according to the public key and the signature code, performing signature verification on the target data, as shown in fig. 5 specifically:
calling the pre-packaged Sec _ HashInit API, initializing the session of the server cipher machine, allocating a third computing resource for data verification, calling the pre-packaged Sec _ HashUpdate API to compute a third message hash value of the target data based on the first computing resource, and returning the third message hash value of the target data by calling the pre-packaged Sec _ HashFinal API.
If the return value of the Sec _ HashFinal API is 0, the Sec _ HashFinal API is successfully called, then the public key and the signature code are transmitted, and the Sec _ ExternalVerify _ ECC API which is packaged in advance is called to verify the signature code so as to finish signature verification and verification of target data.
According to the information security protection method based on the urban rail PaaS platform, the server cipher machine is integrated in the urban rail PaaS platform, the data signature verification processing capacity is opened into a public service API for service calling, and the data resistance is improved through signature verification, so that the data security is improved.
The information security protection system based on the urban rail PaaS platform provided by the invention is described below, and the information security protection system based on the urban rail PaaS platform described below and the information security protection method based on the urban rail PaaS platform described above can be referred to correspondingly.
Fig. 6 is a schematic structural diagram of an information security protection system based on an urban rail PaaS platform, as shown in fig. 6, including: a deployment module 610 and a protection module 611;
the deployment module 610 is used for deploying the server cipher machine to the urban rail PaaS platform;
the protection module 611 is configured to receive the data processing micro-service request, and perform information security protection verification on the target data based on the server crypto engine;
the target data is determined according to data carried in the data processing microservice request;
the information security check at least comprises encryption and decryption check, data check and signature check.
According to the information security protection system based on the urban rail PaaS platform, the cipher machine is deployed on the PaaS platform, the integrity and the tampering are improved through data verification, the resistance to the denial is improved through signature verification and verification, and the confidentiality is improved through encryption and decryption, so that the data security capability of the urban rail PaaS platform is improved.
Fig. 7 is a schematic physical structure diagram of an electronic device provided in the present invention, and as shown in fig. 7, the electronic device may include: a processor (processor)710, a communication interface 711, a memory (memory)712 and a bus (bus)713, wherein the processor 710, the communication interface 711 and the memory 712 are communicated with each other via the bus 713. The processor 710 may call logic instructions in the memory 712 to perform the following method:
deploying a server cipher machine to an urban rail PaaS platform;
receiving a data processing micro-service request, and carrying out information safety protection verification on target data based on a server cipher machine;
the target data is determined according to data carried in the data processing microservice request;
the information security check at least comprises encryption and decryption check, data check and signature check.
In addition, the logic instructions in the memory may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention or a part thereof, which essentially contributes to the prior art, can be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer power screen (which may be a personal computer, a server, or a network power screen, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like.
Further, the present invention discloses a computer program product, the computer program product includes a computer program stored on a non-transitory computer readable storage medium, the computer program includes program instructions, when the program instructions are executed by a computer, the computer can execute the information security protection method based on the urban rail PaaS platform provided by the above-mentioned method embodiments, for example, the method includes:
deploying a server cipher machine to an urban rail PaaS platform;
receiving a data processing micro-service request, and carrying out information safety protection verification on target data based on a server cipher machine;
the target data is determined according to data carried in the data processing microservice request;
the information security check at least comprises encryption and decryption check, data check and signature check.
In another aspect, the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented to, when executed by a processor, perform the method for information security protection based on an urban rail PaaS platform provided in the foregoing embodiments, for example, the method includes:
deploying a server cipher machine to an urban rail PaaS platform;
receiving a data processing micro-service request, and carrying out information safety protection verification on target data based on a server cipher machine;
the target data is determined according to data carried in the data processing microservice request;
the information security check at least comprises encryption and decryption check, data check and signature check.
The above-described system embodiments are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on such understanding, the above technical solutions may be essentially or partially implemented in the form of software products, which may be stored in computer readable storage media, such as ROM/RAM, magnetic disk, optical disk, etc., and include instructions for causing a computer power supply screen (which may be a personal computer, a server, or a network power supply screen, etc.) to execute the method according to the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. An information security protection method based on an urban rail PaaS platform is characterized by comprising the following steps:
deploying a server cipher machine to an urban rail PaaS platform;
receiving a data processing micro-service request, and carrying out information safety protection verification on target data based on the server cipher machine;
wherein the target data is determined according to data carried in the data processing microservice request;
the information security check at least comprises encryption and decryption check, data check and signature check.
2. The information security protection method based on the urban rail PaaS platform as claimed in claim 1, wherein the deploying the server cryptographic engine to the urban rail PaaS platform comprises:
integrating the server cipher machine to the PaaS platform based on a software development kit of the server cipher machine;
packaging a software interface of the server cipher machine into a data processing application program interface API of the PaaS platform;
opening the data processing API into data processing microservices on the basis of microservice technology on a SaaS layer;
and packaging the data processing microservices into a container mirror image, and operating the data processing microservices based on the container mirror image.
3. The information security protection method based on the urban rail PaaS platform as claimed in claim 2, wherein the receiving a data processing microservice request and performing information security protection verification on target data based on the server cryptographic engine comprises:
receiving the data processing micro-service request;
and responding to the data processing microservice request based on the data processing microservice called by the server cipher machine so as to perform the encryption and decryption verification, the data verification and the signature verification on the target data.
4. The information security protection method based on the urban rail PaaS platform as claimed in claim 3, wherein the performing the encryption/decryption verification on the target data comprises:
importing a session key of the server cipher machine;
encrypting the target data based on a preset encryption algorithm;
decrypting the encrypted target data based on a preset decryption algorithm;
logging off the session key.
5. The information security protection method based on the urban rail PaaS platform as claimed in claim 3, wherein the data verification of the target data comprises:
initializing the session of the server cipher machine, and allocating a first computing resource for the data verification;
according to the first computing resource, acquiring a first message hash value of the target data based on a message digest algorithm;
and comparing the first message hash values obtained for multiple times so as to carry out the data verification on the target data.
6. The information security protection method based on the urban rail PaaS platform as claimed in claim 3, wherein the signature verification of the target data comprises:
generating a public key and a private key of the target data based on the server cipher machine;
initializing the session of the server cipher machine, and allocating second computing resources for signature verification and verification;
acquiring a second message hash value of the target data according to the second computing resource and based on the public key and a message digest algorithm;
determining a signature code of the target data based on the private key and the second message hash value;
and checking the signature of the target data according to the public key and the signature code.
7. The utility model provides an information security protection system based on urban rail PaaS platform which characterized in that includes: a deployment module and a protection module;
the deployment module is used for deploying the server cipher machine to the urban rail PaaS platform;
the protection module is used for receiving a data processing micro-service request and carrying out information safety protection verification on target data based on the server cipher machine;
wherein the target data is determined according to data carried in the data processing microservice request;
the information security check at least comprises encryption and decryption check, data check and signature check.
8. An electronic device comprising a processor and a memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the method for information security protection based on an urban rail PaaS platform according to any one of claims 1 to 6.
9. A processor-readable storage medium, characterized in that the processor-readable storage medium stores a computer program for causing a processor to execute the steps of the urban rail PaaS platform-based information security method according to any one of claims 1 to 6.
10. A computer program product comprising a computer program, wherein the computer program when executed by a processor implements the steps of the method for information security protection based on an urban rail PaaS platform according to any of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111178321.7A CN113919003A (en) | 2021-10-09 | 2021-10-09 | Information security protection method and system based on urban rail PaaS platform |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111178321.7A CN113919003A (en) | 2021-10-09 | 2021-10-09 | Information security protection method and system based on urban rail PaaS platform |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113919003A true CN113919003A (en) | 2022-01-11 |
Family
ID=79238602
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111178321.7A Pending CN113919003A (en) | 2021-10-09 | 2021-10-09 | Information security protection method and system based on urban rail PaaS platform |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113919003A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114866565A (en) * | 2022-04-20 | 2022-08-05 | 北京红山信息科技研究院有限公司 | Software and hardware resource distribution system based on pass platform |
| CN116707806A (en) * | 2023-08-09 | 2023-09-05 | 中电信量子科技有限公司 | Password equipment management method and management platform |
-
2021
- 2021-10-09 CN CN202111178321.7A patent/CN113919003A/en active Pending
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114866565A (en) * | 2022-04-20 | 2022-08-05 | 北京红山信息科技研究院有限公司 | Software and hardware resource distribution system based on pass platform |
| CN114866565B (en) * | 2022-04-20 | 2024-03-22 | 北京红山信息科技研究院有限公司 | Distribution system for software resources based on pass platform |
| CN116707806A (en) * | 2023-08-09 | 2023-09-05 | 中电信量子科技有限公司 | Password equipment management method and management platform |
| CN116707806B (en) * | 2023-08-09 | 2023-10-31 | 中电信量子科技有限公司 | Password equipment management method and management platform |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111541785B (en) | Block chain data processing method and device based on cloud computing | |
| WO2021184973A1 (en) | External data accessing method and device | |
| CA2892874C (en) | System and method for sharing cryptographic resources across multiple devices | |
| US8549592B2 (en) | Establishing virtual endorsement credentials for dynamically generated endorsement keys in a trusted computing platform | |
| CN112948810B (en) | Trusted computing program calling method and device, electronic equipment and storage medium | |
| WO2022237123A1 (en) | Method and apparatus for acquiring blockchain data, electronic device, and storage medium | |
| EP2999158A1 (en) | Secure communication authentication method and system in distributed environment | |
| US20220114249A1 (en) | Systems and methods for secure and fast machine learning inference in a trusted execution environment | |
| CN113919003A (en) | Information security protection method and system based on urban rail PaaS platform | |
| KR102134491B1 (en) | Network based management of protected data sets | |
| US11652631B2 (en) | Distribution of security credentials | |
| CN113014539A (en) | Internet of things equipment safety protection system and method | |
| CN101883122A (en) | Safety connection establishing method and client equipment for establishing safety connection | |
| CN115580413B (en) | Zero-trust multi-party data fusion calculation method and device | |
| JP2022177828A (en) | Method, apparatus and computer program for federated learning with reduced information leakage (federated learning with partitioned and dynamically-shuffled model updates) | |
| CN115473648A (en) | Certificate signing and issuing system and related equipment | |
| Salman et al. | Securing cloud computing: A review | |
| US11856002B2 (en) | Security broker with consumer proxying for tee-protected services | |
| US20230030816A1 (en) | Security broker for consumers of tee-protected services | |
| US20230036165A1 (en) | Security broker with post-provisioned states of the tee-protected services | |
| Le Vinh | Security and trust in mobile cloud computing | |
| Haouari et al. | TASMR: Towards advanced secure mapreduc framework across untrusted hybrid clouds | |
| US11886223B2 (en) | Leveraging hardware-based attestation to grant workloads access to confidential data | |
| Tenório et al. | Low-cost, practical data confidentiality support for IoT data sources | |
| US20220191046A1 (en) | Secure End-to-End Deployment of Workloads in a Virtualized Environment Using Hardware-Based Attestation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |