CN114885325A - Credible auditing method and system for regulating and controlling service network security suitable for 5G network - Google Patents


Info

Publication number
CN114885325A
Authority
CN
China
Prior art keywords
data
audit
audit data
node
original
Prior art date
Legal status: Pending
Application number
CN202210296506.6A
Other languages
Chinese (zh)
Inventor
朱江
朱世顺
顾智敏
黄伟
姜海涛
王黎明
高鹏
黄天明
王梓
陕大诚
韩勇
郭静
周超
王梓莹
赵新冬
郭雅娟
朱道华
孙云晓
Current Assignee
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
Nari Information and Communication Technology Co
State Grid Electric Power Research Institute
Original Assignee
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
Nari Information and Communication Technology Co
State Grid Electric Power Research Institute
Application filed by State Grid Corp of China SGCC, State Grid Jiangsu Electric Power Co Ltd, Nari Information and Communication Technology Co, State Grid Electric Power Research Institute
Priority to CN202210296506.6A
Publication of CN114885325A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/10 Integrity
    • H04W12/106 Packet or message integrity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a system for trusted security auditing of a regulation and control service network, applicable to a 5G network, in the technical field of smart grid security. The method comprises the following steps: acquiring original audit data, then encrypting and signing it to generate signed encrypted audit data; transmitting the signed encrypted audit data to each node of a management center slicing network and collecting the data received at each node as data to be audited; hashing the encrypted audit data in the data to be audited of each node to obtain a hash value per node; constructing a Merkle tree from the obtained hash values; acquiring the hash value at the Merkle tree root and the signature value carried in the data to be audited on any node, and verifying them; if the verification passes, decrypting the encrypted audit data to recover and output the original audit data; and if the verification fails, outputting audit error information. The invention ensures the credibility and tamper resistance of network audit data and the accuracy and consistency of the data held by each node.

Description

Credible auditing method and system for regulating and controlling service network security suitable for 5G network
Technical Field
The invention relates to the technical field of intelligent power grid security, in particular to a reliable auditing method and system for regulating and controlling business network security, which are suitable for a 5G network.
Background
Because the 5G communication characteristics closely match the requirements of power communication, the fusion of the 5G network and the power grid can bring better service provision and economic benefits to the power industry. With this fusion the smart grid is becoming a 5G + smart grid; at the same time, 5G extends the grid boundary, the number of network attacks suffered by the grid network increases, and the probability of information in the grid being altered or leaked rises.
Massive amounts of data are transmitted in the smart grid, including users' electricity consumption privacy data, real-time electricity price data, resource scheduling data and communication data between basic grid devices. Once such data in transit is attacked and exploited by unauthorized persons, it can pose a huge threat to the grid or to users; guaranteeing the security of the 5G + smart grid is therefore extremely important.
The network security protection comprises a priori prediction and a posteriori tracking. The pre-prediction specifically comprises the steps of realizing early warning of a security event by means of log audit, intrusion detection event analysis and the like, and sensing and monitoring security states of networks, equipment and the like accessed to a power grid; the post-tracking specifically includes performing event tracking and event source positioning through a centralized event auditing system and an intrusion detection system after a security event occurs, formulating a corresponding security policy and generating a problem report to prevent the attack event from occurring again.
A block chain is a data structure that uses block chain technology to build an information-sharing database and realize the secure storage and retrieval of data resources. Block chain technology has the characteristics of decentralization, trustlessness, transparency, traceability, tamper resistance, anonymity and reliability, and is gradually being applied in finance, the Internet of Things, entertainment and other fields. At present, network security audit based on a block chain can suffer from a lack of credibility and from signature failure when public/private key encryption and a digital certificate certification authority are used.
Noun interpretation
KSI, Keyless Signature Infrastructure: a signature infrastructure that does not rely on cryptographic keys. Being block chain based, it uses only hash functions, so authentication depends only on the security of the hash function and the validity of the public ledger, and large-scale data authentication can be performed without relying on a centralized trust mechanism.
The Merkle tree is a hash binary tree, a data structure used to quickly summarize and check the integrity of large-scale data. The leaves of a Merkle tree are hash values of data blocks (e.g., files or collections of files), and each non-leaf node is the hash of the concatenated hashes of its child nodes.
Disclosure of Invention
The invention aims to provide a credible auditing method and a credible auditing system for regulating and controlling the service network security, which are suitable for a 5G network, can ensure the credibility and the tamper resistance of network auditing data, and ensure the accuracy and the consistency of each node data. The technical scheme adopted by the invention is as follows.
On one hand, the invention provides a reliable auditing method for regulating and controlling the safety of a service network, which is suitable for a 5G network, and comprises the following steps:
acquiring original audit data, wherein the original audit data is audit data which takes a management center slicing network as a target transmission direction;
encrypting and signing the original audit data to generate signed encrypted audit data;
transmitting the signed encrypted audit data to each node of a management center slicing network, and acquiring the data transmitted to each node as data to be audited;
carrying out Hash calculation on encrypted audit data in the data to be audited of each node respectively to obtain a Hash value corresponding to each data to be audited;
constructing a Merkle tree based on the obtained hash value;
acquiring a hash value in a Merkle tree root and a signature value in data to be audited on any node, and verifying to obtain a verification result;
according to the verification result: if the verification is passed, decrypting the encrypted audit data in the data to be audited to obtain original audit data, and outputting the original audit data; and if the verification fails, outputting audit error information.
Optionally, the method further includes encapsulating the data to be audited and the Merkle tree information acquired from each node into a data block with a timestamp, and adding the data block to the block chain;
in each block of the block chain, each leaf node of the Merkle tree stores the hash value of the encrypted audit data in the data to be audited of one node, each parent node stores the hash of its two child nodes, and if the number n of data points of the data to be audited does not satisfy n % 4 == 0, the hash value corresponding to the data to be audited of the last node is appended repeatedly to the leaf nodes until the number of leaf nodes is a multiple of 4; the root node hash value of the Merkle tree is stored in the block header of the block.
The specific content of the block chain for storing the data block can refer to the prior art. In the scheme, the root node numerical value recorded by the block chain can not be changed, so that the extraction of the information to be verified and the tracing after abnormal verification can be facilitated, the effect of deterring internal personnel is achieved, and network attack from the inside of the smart power grid is prevented. When the block chain is added, the block file can be named according to the Merkle tree root node value and the timestamp information, and the block file and the information data thereof are encrypted and protected by applying a digital signature technology.
The invention adopts the Merkle tree technology to avoid excessively redundant verification of a large amount of data, and can efficiently and simply complete verification of the data to be audited transmitted on a large number of nodes.
Optionally, in the method, the obtaining the hash value in the Merkle tree root and the signature value in the data to be audited on any node includes: and acquiring the hash value in the Merkle tree root and the signature value in the data to be audited on any node from the block body of the block chain. Therefore, for data to be audited recorded by a certain block, the hash value and the signature value can be accessed from the block chain at any time for verification, and the reliability of the data can be ensured.
Optionally, the method further includes, according to the verification result: and if the verification is not passed, acquiring Merkle tree information of the corresponding block from the block chain, and positioning abnormal nodes according to the Merkle tree information.
Optionally, the original audit data is sourced from a slice network where a transmission network or a distribution network is located, or a power consumer network; acquiring original audit data from a boundary router connected with a slicing network of a management center;
the transmission of the signed encrypted audit data to each node of the management center slicing network comprises the following steps: sending the signed encrypted audit data to the border router, and transmitting the signed encrypted audit data to each node of the slicing network by the border router;
the original audit data comprises at least one of user electricity consumption data, real-time electricity price data and power distribution network fault information, but is not limited to the grid data listed.
Optionally, the encrypting and signing the original audit data to generate signed encrypted audit data includes:
generating a key pair, and encrypting the original audit data by using a public key in the key pair;
calculating a hash value of the original audit data by using a preset hash function, sending the hash value to a keyless signature system, and receiving a digital signature returned by the keyless signature system;
generating signed encrypted audit data according to the encryption result of the original audit data and the digital signature;
in the method, the encrypted audit data in the data to be audited is decrypted to obtain the original audit data, and the encrypted audit data is decrypted by adopting a private key in the key pair.
Optionally, the original audit data is encrypted by using a Paillier encryption algorithm;
the preset hash function is a salted hash function, and the calculating the hash value of the original audit data comprises the following steps:
generating an iterative initial hash value A of the original audit data by using a preset hash function;
based on the iteration initial hash value A, calculating to obtain a final hash value according to the number of data points of the original audit data by using a preset hash function and a preset iteration rule;
in the method, the encrypted audit data in the data to be audited of each node are respectively subjected to Hash calculation by adopting the preset Hash function.
Optionally, the iteration calculation formula corresponding to the preset iteration rule is as follows:
Figure BDA0003563574330000041
in the formula, A_m represents the final hash value obtained by the m-th iteration, Hash(·) represents the preset hash function, and the iteration number m is given by
Figure BDA0003563574330000042
Where n represents the number of data points of the raw audit data.
In the technical scheme, the hash function of the salt can adopt an SHA-521 secure hash algorithm. Meanwhile, the iterative algorithm after the hash value is calculated on the original audit data is substantially the same as the algorithm for establishing the binary tree in the Merkle tree algorithm, so that the verification according to the tree root hash value of the Merkle tree can normally pass if the data transmission process is not falsified, and the effect of verifying the digital signature of the data to be audited of a plurality of nodes is achieved.
Optionally, the obtaining the hash value in the Merkle tree root and the signature value in the data to be audited on any node, and performing verification processing to obtain a verification result includes:
and transmitting the hash value in the Merkle tree root and the signature value in the data to be audited on any node to a keyless signature system for verification, and acquiring a verification result returned by the keyless signature system.
In this scheme, the signature and verification services are provided by an existing keyless signature system, KSI (Keyless Signatures' Infrastructure), so that no computing resources of the power grid are occupied; compared with the traditional offline generation of digital signatures, a signature generated by the server of the keyless signature system is not easily affected by secret key leakage, so the auditing process can be made more accurate.
In a second aspect, the present invention provides a trusted auditing apparatus for regulating and controlling service network security, which is applicable to a 5G network, and includes:
the system comprises an original audit data acquisition module, a data transmission module and a data transmission module, wherein the original audit data acquisition module is configured to acquire original audit data, and the original audit data is audit data taking a management center slicing network as a target transmission direction;
the encrypted signature processing module is configured for encrypting and signing the original audit data to generate signed encrypted audit data;
an audit data acquisition module configured to transmit the signed encrypted audit data to each node of the management center slicing network and to acquire the data transmitted to each node as data to be audited;
an audit data hash calculation module configured to perform hash calculation on the encrypted audit data in the data to be audited of each node, obtaining the hash value corresponding to each item of data to be audited;
a Merkle tree construction module configured to construct a Merkle tree based on the obtained hash value;
the verification module is configured to acquire a hash value in a Merkle tree root and a signature value in data to be audited on any node, and verify the hash value and the signature value to obtain a verification result;
and the audit result output module is configured for outputting the following verification result according to the verification result: if the verification is passed, decrypting the encrypted audit data in the data to be audited to obtain original audit data, and outputting the original audit data; and if the verification fails, outputting audit error information.
Optionally, the trusted audit device for regulating and controlling service network security applicable to the 5G network further includes a block generation module configured to:
packaging the data to be audited and the Merkle tree information acquired from each node into a data block with a timestamp, and adding the data block to the block chain.
In a third aspect, the invention provides a reliable auditing system for regulating and controlling the safety of a service network, which is suitable for a 5G network, and comprises an auditing server, an encryption server and a block generating server;
the audit server is configured to obtain original audit data taking a management center slicing network as a target transmission direction and send the original audit data to the encryption server;
the encryption server is configured to encrypt and sign the original audit data, generate signed encrypted audit data and return the signed encrypted audit data to the audit server;
the audit server is also configured to transmit the signed encrypted audit data to each node of a management center slicing network, acquire the data transmitted to each node, send the data to be audited to the block generation server as the to-be-audited data, perform hash calculation on the encrypted audit data in the to-be-audited data of each node respectively to obtain hash values corresponding to each to-be-audited data, and transmit the hash values to the block generation server;
the block generation server is configured to construct a Merkle tree based on the hash value corresponding to each data to be audited, and to return the hash value in the Merkle tree root and the signature value in the data to be audited on any node to the encryption server in response to receiving the hash value request information of the encryption server;
the encryption server is also configured to perform verification processing based on the hash value in the Merkle tree root and the signature value in the data to be audited on any node, and obtain a verification result and transmit the verification result to the audit server;
the audit server is configured to: according to the verification result, if the verification is passed, decrypting the encrypted audit data in the data to be audited to obtain original audit data, and outputting the original audit data; and if the verification fails, outputting audit error information.
Optionally, the trusted auditing system for regulation and control service network security further comprises a plurality of distributed hosts. The management center slicing network exchanges data through a boundary router with the power transmission network, power distribution network or power consumer network that generates the original audit data. The distributed hosts are configured to acquire the original audit data from the boundary router and send it to the audit server, to receive signed encrypted audit data from the audit server and send it to the management center slicing network, and to communicate with each node in the management center slicing network to acquire the data to be audited and send it to the audit server.
Optionally, the block generation server is further configured to:
package the data to be audited corresponding to each node and the Merkle tree information into a data block with a timestamp, and add the data block to the block chain;
and acquiring audit error information output by the audit server, and packaging the audit error information to a corresponding block in the block chain.
Optionally, the reliable auditing system for regulating and controlling service network security further includes an auditing display end, which is used for receiving the original auditing data or auditing error information output by the auditing server and displaying the received data information.
Optionally, the encrypting server encrypts and signs the original audit data to generate signed encrypted audit data, including:
generating a key pair, encrypting the original audit data by using the public key in the key pair, and transmitting the private key to an audit server;
calculating a hash value of the original audit data by using a preset hash function, sending the hash value to a keyless signature system, and receiving a digital signature returned by the keyless signature system;
generating signed encrypted audit data according to the encryption result of the original audit data and the digital signature;
and the audit server decrypts the encrypted audit data in the audit data to be audited by adopting a private key in the key pair.
Optionally, a virtual firewall is configured on the encryption server, and the keyless signing system is the only externally accessible object configured in the access control list of the virtual firewall. That is, in the invention, data interaction between the encryption server and the external network is limited to the keyless signature system, which resists potential network attacks.
Advantageous effects
The method combines data encryption and verification techniques: the original audit data is obtained, encrypted and signed before it enters the management center slicing network, giving signed encrypted audit data; this is transmitted back into the management center slicing network so that it is carried on each node; the data held by each node is then collected as data to be audited and hashed; the verification is simplified with the Merkle tree technique; and finally it is judged whether the audit data has been tampered with, and the original audit data is recovered. In addition, a keyless signature authentication system replaces the usual private-key signature, which saves power grid system resources and verifies the validity of a digital signature without depending on a secret key; the application of block chain technology further ensures that the audit process data of the invention is effectively protected.
Drawings
Fig. 1 is a schematic flow chart of an embodiment of a trusted auditing method for regulating and controlling service network security applicable to a 5G network according to the present invention;
FIG. 2 is a block chain structure in accordance with an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an embodiment of a regulation and control service network security trusted audit system applicable to a 5G network.
Detailed Description
The following further description is made in conjunction with the accompanying drawings and the specific embodiments.
The technical conception of the invention is as follows. For a regulation and control service network, in particular an electric power 5G regulation and control service network, the goal is to prevent data from being tampered with during wireless communication and to ensure the accuracy and consistency of 5G network node data. To this end, the original audit data is obtained before the electric power audit data is transmitted to the management center slicing network; it is encrypted and signed with a keyless signature system; the signed and encrypted audit data is then sent to the management center slicing network; the data transmitted on each network node is collected; the data of the multiple nodes is verified efficiently against the signature using a Merkle tree algorithm; and whether the audit data is secure and credible is judged from the verification result.
Example 1
Based on the above inventive concept, this embodiment introduces a trusted auditing method for network security of regulation and control service applicable to 5G network, including:
acquiring original audit data, wherein the original audit data is audit data which takes a management center slicing network as a target transmission direction;
encrypting and signing the original audit data to generate signed encrypted audit data;
transmitting the signed encrypted audit data to each node of a management center slicing network, and acquiring the data transmitted to each node as data to be audited;
carrying out Hash calculation on encrypted audit data in the data to be audited of each node respectively to obtain a Hash value corresponding to each data to be audited;
constructing a Merkle tree based on the obtained hash value;
acquiring a hash value in a Merkle tree root and a signature value in data to be audited on any node, and verifying to obtain a verification result;
according to the verification result: if the verification is passed, decrypting the encrypted audit data in the data to be audited to obtain original audit data, and outputting the original audit data; and if the verification fails, outputting audit error information.
Example 2
Based on the same inventive concept as that of embodiment 1, this embodiment is further improved based on the technical solution of embodiment 1.
The trusted auditing method for regulation and control service network security in a 5G network further comprises the following step: packaging the data to be audited and the Merkle tree information acquired from each node into a data block with a timestamp, and adding the data block to the block chain;
in the method, the obtaining of the hash value in the root of the Merkle tree and the signature value in the data to be audited on any node is as follows: and acquiring the hash value in the Merkle tree root and the signature value in the data to be audited on any node from the block body of the block chain.
In the method, if the final verification fails, the audit error information is also stored through the corresponding block.
As shown in fig. 1, the present embodiment specifically relates to the following.
First: original audit data acquisition
The management center slicing network carries out data interaction with a transmission network, a distribution network or a power user network and the like which generate original audit data through the boundary router, so the invention can obtain the original audit data which takes the management center slicing network as a target transmission direction from the boundary router.
The original audit data comprises at least one of user electricity consumption data, real-time electricity price data and power distribution network fault information, but is not limited to the grid data listed.
Second: encryption and signing of the original audit data
For encrypting the collected original audit data, the Paillier encryption algorithm is adopted in the embodiment, a key pair is firstly generated, then the public key in the key pair is used for encrypting the original audit data, and the private key in the key pair is used for decrypting the encrypted audit data when the subsequent verification passes.
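The embodiment names Paillier as the encryption algorithm but does not show it. The following is an added example, not code from the patent or its assignees, of Paillier key generation, public-key encryption of audit data points and private-key decryption, using the common simplification g = n + 1. The primes TOY_P and TOY_Q are constructed so that the example runs instantly; the sample readings are constructed as well. The last function goes slightly beyond the page: it shows Paillier's additive homomorphism, which is the reason this scheme is usually chosen for metering data.

```python
import math
import secrets

# Toy primes, constructed for this example so that it runs instantly.  A real
# deployment would use two primes of roughly 1024 bits each.
TOY_P = 104729
TOY_Q = 104723


def keygen(p=TOY_P, q=TOY_Q):
    """Paillier key generation with the common simplification g = n + 1.

    Public key: (n, g).  Private key: (n, lam, mu), where lam = lcm(p-1, q-1)
    and mu = lam^-1 mod n (this closed form for mu is valid because g = n + 1).
    """
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    g = n + 1
    mu = pow(lam, -1, n)
    return (n, g), (n, lam, mu)


def encrypt(m, public_key):
    """Encrypt the integer m (0 <= m < n) using the public key only.

    Every call draws a fresh random r, so two ciphertexts of the same value
    differ: an observer on the slice network cannot match repeated readings.
    """
    n, g = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext out of range for this modulus")
    n_sq = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq


def decrypt(c, private_key):
    """Recover m from c with the private key (held by the audit server on the page)."""
    n, lam, mu = private_key
    n_sq = n * n
    u = pow(c, lam, n_sq)
    l_of_u = (u - 1) // n          # the L(u) = (u - 1) / n function of the scheme
    return (l_of_u * mu) % n


def add_encrypted(c1, c2, public_key):
    """Paillier is additively homomorphic: the product of two ciphertexts
    decrypts to the sum of the plaintexts, so totals can be formed over
    encrypted readings without decrypting any of them."""
    n, _ = public_key
    return (c1 * c2) % (n * n)


def encrypt_audit_record(readings, public_key):
    """Encrypt a list of integer audit data points (constructed sample: Wh readings)."""
    return [encrypt(v, public_key) for v in readings]


def decrypt_audit_record(ciphertexts, private_key):
    return [decrypt(c, private_key) for c in ciphertexts]


if __name__ == "__main__":
    pub, priv = keygen()
    readings = [1530, 2205, 987]            # constructed electricity-consumption data points
    enc = encrypt_audit_record(readings, pub)
    print(decrypt_audit_record(enc, priv))  # [1530, 2205, 987]
    total = add_encrypted(add_encrypted(enc[0], enc[1], pub), enc[2], pub)
    print(decrypt(total, priv))             # 4722
```

Only the public key is needed where the audit data is collected; the private key stays with the audit server, as the embodiment describes, and the `pow(lam, -1, n)` call requires Python 3.8 or later.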
When signing the encrypted audit data, the invention introduces the technology of a keyless signing system KSI, wherein the KSI is a global distributed system and is used for providing a timestamp and a digital signing service supported by a server. The KSI system is used for realizing signature and verification, so that the computing resources of the power grid system can be greatly saved. The specific signature process comprises the following steps:
calculating an iterative initial hash value A of the encrypted audit data by using a preset hash function, determining an iteration number m according to the number n of data points in the original audit data, and performing iterative calculation according to the following iteration formula to obtain a final hash value:
Figure BDA0003563574330000091
in the formula, A_m represents the final hash value obtained in the m-th iteration, and the number of iterations m is given by
Figure BDA0003563574330000092
Hash(·) represents the preset hash function, which is a salted hash function; the SHA-521 secure hash algorithm can be selected. In the invention, the hash function is fast in the forward direction, hard to invert, sensitive to its input and collision resistant; a salted hash function means that a specific string is inserted at some position of the message before hashing, and salting ensures the security of the hash function to a great extent;
and transmitting the calculated final hash value to a keyless signing system to obtain a digital signature value returned by the keyless signing system.
In this regard, signed encrypted audit data may be generated based on the encrypted audit data and the digital signature value.
Thirdly, acquiring the data to be audited
After the signed encrypted audit data has been obtained, it is sent back into the slice network of the management center so that it is transmitted at each node in the network; the data transmitted at each node is then acquired as the data to be audited.
Fourthly, constructing the Merkle tree and verifying the signature
In conventional data verification, each node's data has to be verified separately when there is a large volume of node data; the computing resources required are huge and verification efficiency is extremely low. In the application scenario of the invention, whether data tampering exists in the system can only be judged after the data acquired from all the nodes have each been verified. This embodiment therefore introduces Merkle tree technology.
First, the hash value of the encrypted audit data in the data to be audited of each node is calculated; the hash function used here is the same one used to hash the encrypted original audit data. Therefore, if the data have not been tampered with, every hash value calculated here should be A.
Next, a Merkle tree is constructed: the leaf nodes of the Merkle tree store the hash values of the encrypted audit data in the data to be audited of each node, and each parent node stores the hash of its two child nodes. If the number n of data points in the data to be audited does not satisfy n % 4 = 0, the hash value corresponding to the data to be audited of the last node is repeatedly appended to the leaf nodes until the number of leaf nodes is a multiple of 4. It follows that, if the original audit data corresponding to every leaf node are consistent and untampered, the hash value of every leaf node is A and the root hash value of the resulting Merkle tree is A_m.
To make the storage and transmission of the data more reliable and to make later audits easy to trace back to their source, this embodiment packages the data to be audited acquired from each node together with the Merkle tree information into a timestamped data block and adds the block to a block chain; the root hash value of the Merkle tree is stored in the block header. The block chain structure is shown in fig. 2.
When the data to be audited corresponding to any block need to be verified, the hash value of the Merkle tree root and the signature value from the data to be audited of any one node stored in the block are obtained and sent to the KSI system, which verifies the hash value against the signature value. If the Merkle root hash value is found not to be A_m, the data were changed in transit and tampering is possible, and the KSI system returns a verification failure; otherwise it returns a verification pass.
Fifthly, outputting audit results
If the KSI system returns a verification pass, the encrypted audit data in the data to be audited are decrypted with the private key of the key pair to obtain the original audit data, which can then be output and displayed.
If the KSI system returns a verification failure, an audit error report is generated and output. The generated audit error report may also be stored in the corresponding block of the block chain.
Because the forward computation of the hash function is fast, the Merkle tree can compare a large amount of data quickly, so applying the Merkle tree greatly simplifies the simultaneous verification of multi-node data. The Merkle tree also supports rapid tracing after a verification failure: if two Merkle roots are equal, the two data sets are equal, and when audit data have been tampered with, the modified data node can be located quickly by descending the tree structure from the root, reaching the changed node in at most O(log n) time.
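The construction just described (leaf padding to a multiple of 4, root comparison against A_m, the timestamped block with the root in its header, and the O(log n) descent to the tampered node) is shown below as an added example written for this page; it is not the patent's code. Three points are assumptions: the preset hash is taken to be hashlib's SHA-512 with a fixed constructed salt prepended, since the patent does not specify the salting convention beyond inserting a string; the iteration formula, which the patent gives only as an image, is read as A_k = Hash(A_{k-1} || A_{k-1}) with m = ceil(log2(padded leaf count)), chosen because that is exactly what the Merkle root of identical leaves computes, as the text states; and the node ciphertexts and timestamps are constructed sample values.

```python
"""Merkle tree over per-node hashes, block packaging, root check and localisation.

Added example, not the patent's code. Assumptions: SHA-512 with a fixed
constructed salt as the preset hash; A_k = Hash(A_{k-1} || A_{k-1}) with
m = ceil(log2(padded leaf count)) as the iteration rule; sample data constructed.
"""
import hashlib

SALT = b"constructed-demo-salt"   # assumption: the patent only says a salt string is inserted


def salted_hash(data: bytes) -> bytes:
    """Preset hash: SHA-512 over salt || data (assumed salting convention)."""
    return hashlib.sha512(SALT + data).digest()


def pad_leaves(leaf_hashes):
    """Repeat the last leaf until the count is a multiple of 4 (the patent's rule)."""
    padded = list(leaf_hashes)
    while len(padded) % 4:
        padded.append(padded[-1])
    return padded


def merkle_levels(leaf_hashes):
    """Build the tree bottom-up: levels[0] = padded leaves, levels[-1] = [root]."""
    level = pad_leaves(leaf_hashes)
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:                  # odd count above the leaves: duplicate last node
            level = level + [level[-1]]
        level = [salted_hash(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def iterated_hash(a0: bytes, n_points: int):
    """A_m from A_0 by A_k = Hash(A_{k-1} || A_{k-1}); returns (A_m, m)."""
    padded = n_points + (-n_points) % 4    # leaf count after padding to a multiple of 4
    m = (padded - 1).bit_length()          # ceil(log2(padded)), number of tree levels hashed
    a = a0
    for _ in range(m):
        a = salted_hash(a + a)
    return a, m


def make_block(node_ciphertexts, timestamp: int):
    """Package per-node audit data and Merkle information into a timestamped block."""
    levels = merkle_levels([salted_hash(c) for c in node_ciphertexts])
    return {
        "header": {"timestamp": timestamp, "merkle_root": levels[-1][0]},
        "body": {"node_data": list(node_ciphertexts), "merkle_levels": levels},
    }


def root_matches(block, a0: bytes, n_points: int) -> bool:
    """Verification step: an untampered block's stored root must equal A_m."""
    expected, _ = iterated_hash(a0, n_points)
    return block["header"]["merkle_root"] == expected


def locate_tampered(expected_levels, actual_levels):
    """Descend from the root following mismatching children; O(log n) per tampered leaf."""
    suspects = [0]
    for depth in range(len(expected_levels) - 1, 0, -1):
        children = []
        for i in suspects:
            if expected_levels[depth][i] != actual_levels[depth][i]:
                for child in (2 * i, 2 * i + 1):
                    if child < len(expected_levels[depth - 1]):
                        children.append(child)
        suspects = children
    return sorted(i for i in suspects if expected_levels[0][i] != actual_levels[0][i])


def demo():
    """Six nodes carry the same ciphertext; node 4 is altered in transit (constructed)."""
    ciphertext = b"constructed Paillier ciphertext of one audit record"
    a0 = salted_hash(ciphertext)
    nodes = [ciphertext] * 6
    good = make_block(nodes, 1_700_000_000)
    tampered_nodes = list(nodes)
    tampered_nodes[4] = b"constructed modification in transit"
    bad = make_block(tampered_nodes, 1_700_000_001)
    expected_levels = merkle_levels([a0] * len(nodes))
    return (root_matches(good, a0, len(nodes)),
            root_matches(bad, a0, len(nodes)),
            locate_tampered(expected_levels, bad["body"]["merkle_levels"]))
```

With six nodes the leaves are padded to eight, so m = 3 and the untampered root equals A_3; the altered node is found by visiting only one path of the tree rather than re-hashing every node's data.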
Example 3
Building on the inventive concepts of embodiments 1 and 2, this embodiment introduces a trusted auditing apparatus for regulation and control service network security applicable to a 5G network, comprising:
an original audit data acquisition module, configured to acquire original audit data, the original audit data being audit data whose target transmission direction is the management center slice network;
an encryption and signature processing module, configured to encrypt and sign the original audit data to generate signed encrypted audit data;
an audit data acquisition module, configured to transmit the signed encrypted audit data to each node of the management center slice network and to acquire the data transmitted to each node as the data to be audited;
an audit data hash calculation module, configured to hash the encrypted audit data in the data to be audited of each node to obtain the hash value corresponding to each set of data to be audited;
a Merkle tree construction module, configured to construct a Merkle tree from the obtained hash values;
a verification module, configured to acquire the hash value of the Merkle tree root and the signature value from the data to be audited of any one node, and to verify them to obtain a verification result;
and an audit result output module, configured to output, according to the verification result: if the verification passes, the original audit data obtained by decrypting the encrypted audit data in the data to be audited; and if the verification fails, audit error information.
Further, the trusted auditing apparatus for network security of regulation and control service applicable to 5G network in this embodiment further includes a block generation module configured to:
package the data to be audited and the Merkle tree information acquired from each node into a timestamped data block, and add the data block to a block chain.
For the specific implementation of each functional module, refer to the corresponding steps of the method of embodiment 1.
Example 4
This embodiment introduces a trusted auditing system for regulation and control service network security applicable to a 5G network, which, referring to fig. 3, comprises an audit server, an encryption server, a block generation server, a plurality of distributed hosts and an audit display end. The workflow of the system when performing an audit task is as follows.
The management center slicing network carries out data interaction with a transmission network, a distribution network or a power user network which generates original audit data through the boundary router, and the distributed host acquires the original audit data from the boundary router and sends the original audit data to the audit server. And the audit server receives original audit data which is transmitted by the distributed host and takes the management center slicing network as a target transmission direction, and sends the original audit data to the encryption server.
The encryption server generates a key pair, and encrypts the received original audit data by using a public key in the key pair; and calculating the hash value of the encrypted audit data by using a preset hash function, sending the calculated hash value to a keyless signature system KSI for signature processing, returning a digital signature value to an encryption server by the keyless signature system, generating the signed encrypted audit data by using the digital signature value and the encrypted audit data by the encryption server, and returning the signed encrypted audit data to the audit server. The encryption server is provided with a virtual firewall, and an externally accessible object in an access control list of the virtual firewall is only provided with a keyless signature system, so that data interaction between the encryption server and an external network is limited to data interaction with the keyless signature system, and potential network attacks can be resisted.
After receiving the signed encrypted audit data, the audit server sends it to the management center slice network via the distributed host and the boundary router, and the data is transmitted at each network node of the slice network. The audit server then communicates with each network node of the management center slice network to acquire the data transmitted on the nodes as the data to be audited.
The audit server hashes the encrypted audit data in the data to be audited of each node to obtain the hash value corresponding to each set of data to be audited, and sends the data to be audited of each node together with the calculated hash values to the block generation server. The hash function used here is the same one the encryption server uses to hash the encrypted original audit data; both are salted hash functions, such as the SHA-521 secure hash algorithm.
And the block generation server constructs a Merkle tree based on the hash value corresponding to each data to be audited, packages the data to be audited corresponding to each node and the Merkle tree information into a data block with a time stamp, and adds the data block into a block chain.
When audit data of a certain block needs to be verified, the encryption server sends hash value request information to the block generation server, and the block generation server responds to the received hash value request information and returns the hash value in the Merkle tree root and the signature value in the data to be audited on any node to the encryption server;
and the encryption server sends the obtained hash value in the Merkle tree root and the signature value in the data to be audited on any node to the keyless signature system for verification to obtain a verification result returned by the keyless signature system, and the encryption server transmits the verification result to the audit server.
After receiving the verification result, if the verification passed, the audit server requests the private key from the encryption server and uses the private key of the key pair to decrypt the encrypted audit data in the data to be audited, obtaining the original audit data, which it outputs for display on the audit display end. If the verification failed, the audit server outputs audit error information, which can likewise be displayed on the audit display end.
Audit error information output by the audit server can be packaged to the corresponding blocks in the block chain.
In this embodiment, when the encryption server calculates the hash value of the original audit data, it first generates the initial iteration hash value A of the encrypted original audit data with the preset hash function; then, starting from the initial iteration hash value A, it calculates the final hash value according to the number of data points in the original audit data, using the preset hash function and a preset iteration rule. The iteration formula corresponding to the preset iteration rule is:
(iteration formula given as an image in the original: Figure BDA0003563574330000131)
In the formula, A_m represents the final hash value obtained at the m-th iteration, Hash(·) represents the preset hash function, and the number of iterations m is given by
(formula given as an image in the original: Figure BDA0003563574330000132)
where n represents the number of data points in the original audit data.
It can be seen that the above iteration is the same computation as that of the Merkle tree root hash value, so during verification it suffices to send the Merkle root hash value and the signature value to the keyless signature system for comparison; if verification fails, the encrypted audit data corresponding to some leaf node of the Merkle tree has been tampered with and is no longer the original encrypted audit data.
In conclusion, the method and system of the present application ensure the credibility and tamper resistance of network audit data, ensure the accuracy and consistency of each node's data, save network-internal resources and greatly improve verification and audit efficiency.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (17)

1. A reliable audit method for regulating and controlling service network security suitable for a 5G network is characterized by comprising the following steps:
acquiring original audit data, wherein the original audit data is audit data which takes a management center slicing network as a target transmission direction;
encrypting and signing the original audit data to generate signed encrypted audit data;
transmitting the signed encrypted audit data to each node of a management center slicing network, and acquiring the data transmitted to each node as data to be audited;
carrying out Hash calculation on encrypted audit data in the data to be audited of each node respectively to obtain a Hash value corresponding to each data to be audited;
constructing a Merkle tree based on the obtained hash value;
acquiring a hash value in a Merkle tree root and a signature value in data to be audited on any node, and verifying to obtain a verification result;
according to the verification result: if the verification is passed, decrypting the encrypted audit data in the data to be audited to obtain original audit data, and outputting the original audit data; and if the verification fails, outputting audit error information.
2. The method of claim 1, further comprising encapsulating the pending data obtained from each node and the Merkle tree information into time-stamped data blocks, adding the data blocks to a blockchain;
in each block of the block chain, the leaf nodes of the Merkle tree store the hash values of the encrypted audit data in the data to be audited of each node, each parent node stores the hash value of its two child nodes, and if the number n of data points in the data to be audited does not satisfy n % 4 = 0, the hash value corresponding to the data to be audited of the last node is repeatedly appended to the leaf nodes until the number of leaf nodes is a multiple of 4; the root node hash value of the Merkle tree is stored in the block header of the block.
3. The method as claimed in claim 2, wherein the obtaining of the hash value in the root of the Merkle tree and the signature value in the data to be audited at any node is: and acquiring the hash value in the Merkle tree root and the signature value in the data to be audited on any node from the block body of the block chain.
4. The method of claim 2, further comprising, based on the verification result: and if the verification fails, acquiring Merkle tree information of the corresponding block from the block chain, and positioning the abnormal node according to the Merkle tree information.
5. A method according to claim 1, wherein the raw audit data originates from a slice network where the transmission or distribution network is located, or from an electricity consumer network; acquiring original audit data from a boundary router connected with a slicing network of a management center;
the transmission of the signed encrypted audit data to each node of the management center slicing network comprises the following steps: sending the signed encrypted audit data to the border router, and transmitting the signed encrypted audit data to each node of the slicing network by the border router;
the original audit data comprises at least one of user electricity consumption data, real-time electricity price data and power distribution network fault information, and is not limited to the grid data listed.
6. The method of claim 1, wherein said encrypting and signing the raw audit data to produce signed encrypted audit data comprises:
generating a key pair, and encrypting the original audit data by using a public key in the key pair;
calculating a hash value of the original audit data by using a preset hash function, sending the hash value to a keyless signature system, and receiving a digital signature returned by the keyless signature system;
generating signed encrypted audit data according to the encryption result of the original audit data and the digital signature;
in the method, the encrypted audit data in the data to be audited is decrypted to obtain the original audit data, and the encrypted audit data is decrypted by adopting a private key in the key pair.
7. The method of claim 1, wherein said encrypting the raw audit data employs a Paillier encryption algorithm;
the preset hash function is a salted hash function, and the calculating the hash value of the original audit data comprises the following steps:
generating an iterative initial hash value A of the original audit data by using a preset hash function;
based on the iteration initial hash value A, calculating to obtain a final hash value according to the number of data points of the original audit data by using a preset hash function and a preset iteration rule;
in the method, the encrypted audit data in the data to be audited of each node are respectively subjected to Hash calculation by adopting the preset Hash function.
8. The method of claim 7, wherein the predetermined iteration rule corresponds to an iterative calculation formula as follows:
(iteration formula given as an image in the original: Figure FDA0003563574320000021)
in the formula, A_m represents the final hash value obtained at the m-th iteration, Hash(·) represents the preset hash function, and the number of iterations m is given by
(formula given as an image in the original: Figure FDA0003563574320000031)
where n represents the number of data points in the original audit data.
9. The method as claimed in claim 1, wherein the obtaining the hash value in the Merkle root and the signature value in the data to be audited on any node, and performing verification processing to obtain a verification result comprises:
and transmitting the hash value in the Merkle tree root and the signature value in the data to be audited on any node to a keyless signature system for verification, and acquiring a verification result returned by the keyless signature system.
10. A reliable audit device of regulation and control service network security suitable for 5G network is characterized by comprising:
an original audit data acquisition module, configured to acquire original audit data, the original audit data being audit data whose target transmission direction is the management center slice network;
an encryption and signature processing module, configured to encrypt and sign the original audit data to generate signed encrypted audit data;
an audit data acquisition module, configured to transmit the signed encrypted audit data to each node of the management center slice network and to acquire the data transmitted to each node as the data to be audited;
an audit data hash calculation module, configured to hash the encrypted audit data in the data to be audited of each node to obtain the hash value corresponding to each set of data to be audited;
a Merkle tree construction module, configured to construct a Merkle tree from the obtained hash values;
a verification module, configured to acquire the hash value of the Merkle tree root and the signature value from the data to be audited of any one node, and to verify them to obtain a verification result;
and an audit result output module, configured to output, according to the verification result: if the verification passes, the original audit data obtained by decrypting the encrypted audit data in the data to be audited; and if the verification fails, audit error information.
11. The regulatory service network security trusted audit device applicable to 5G network of claim 10 further comprising a block generation module configured to:
package the data to be audited and the Merkle tree information acquired from each node into a timestamped data block, and add the data block to a block chain.
12. A reliable audit system of regulation and control service network security suitable for 5G network is characterized by comprising an audit server, an encryption server and a block generation server;
the audit server is configured to obtain original audit data taking a management center slicing network as a target transmission direction and send the original audit data to the encryption server;
the encryption server is configured to encrypt and sign original audit data to generate signed encrypted audit data, and the signed encrypted audit data is returned to the audit server;
the audit server is also configured to transmit the signed encrypted audit data to each node of a management center slicing network, acquire the data transmitted to each node, send the data to be audited to the block generation server as the to-be-audited data, perform hash calculation on the encrypted audit data in the to-be-audited data of each node respectively to obtain hash values corresponding to each to-be-audited data, and transmit the hash values to the block generation server;
the block generation server is configured to construct a Merkle tree based on the hash value corresponding to each data to be audited, and to return the hash value in the Merkle tree root and the signature value in the data to be audited on any node to the encryption server in response to receiving the hash value request information of the encryption server;
the encryption server is also configured to perform verification processing based on the hash value in the Merkle tree root and the signature value in the data to be audited on any node, and obtain a verification result and transmit the verification result to the audit server;
the audit server is configured to: according to the verification result, if the verification is passed, decrypting the encrypted audit data in the data to be audited to obtain original audit data, and outputting the original audit data; and if the verification fails, outputting audit error information.
13. The regulatory service network security trusted audit system applicable to 5G network as claimed in claim 12, further comprising a plurality of distributed hosts, wherein the management center slicing network performs data interaction with the power transmission network, the power distribution network or the power consumer network generating the original audit data through the boundary router, the distributed hosts are configured to obtain the original audit data from the boundary router and send the original audit data to the audit server, receive the signed encrypted audit data from the audit server and send the signed encrypted audit data to the management center slicing network, and communicate with each node in the management center slicing network to obtain the data to be audited and send the data to the audit server.
14. The regulatory service network security trusted audit system of claim 12 wherein said block generation server is further configured to:
package the data to be audited corresponding to each node and the Merkle tree information into a timestamped data block, and add the data block to a block chain;
and acquiring audit error information output by the audit server, and packaging the audit error information to a corresponding block in the block chain.
15. The regulatory service network security trusted audit system applicable to 5G network as claimed in claim 12, further comprising an audit display end for receiving original audit data or audit error information output by the audit server and displaying the received data information.
16. The regulatory service network security trusted audit system applicable to 5G network as claimed in claim 12, wherein said encryption server encrypts and signs original audit data to generate signed encrypted audit data, comprising:
generating a key pair, encrypting the original audit data by using the public key in the key pair, and transmitting the private key to an audit server;
calculating a hash value of the original audit data by using a preset hash function, sending the hash value to a keyless signature system, and receiving a digital signature returned by the keyless signature system;
generating signed encrypted audit data according to the encryption result of the original audit data and the digital signature;
and the audit server decrypts the encrypted audit data in the audit data to be audited by adopting a private key in the key pair.
17. The regulatory service network security trusted audit system applicable to 5G network as claimed in claim 12, wherein a virtual firewall is configured on said encryption server, and only the keyless signature system is configured for externally accessible objects in the access control list of the virtual firewall.
CN202210296506.6A 2022-03-24 2022-03-24 Credible auditing method and system for regulating and controlling service network security suitable for 5G network Pending CN114885325A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210296506.6A CN114885325A (en) 2022-03-24 2022-03-24 Credible auditing method and system for regulating and controlling service network security suitable for 5G network

Publications (1)

Publication Number Publication Date
CN114885325A true CN114885325A (en) 2022-08-09

Family

ID=82667059

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210296506.6A Pending CN114885325A (en) 2022-03-24 2022-03-24 Credible auditing method and system for regulating and controlling service network security suitable for 5G network

Country Status (1)

Country Link
CN (1) CN114885325A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115348114A (en) * 2022-10-19 2022-11-15 浙江浩普智能科技有限公司 Intelligent power plant data safety transmission method and system, electronic equipment and medium
CN115348114B (en) * 2022-10-19 2023-02-28 浙江浩普智能科技有限公司 Intelligent power plant data safety transmission method and system, electronic equipment and medium
CN116074843A (en) * 2023-02-16 2023-05-05 北京派网科技有限公司 Zero trust security trusted audit method for 5G dual-domain private network


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination