CN114915443A - Industrial edge operating system supporting national encryption algorithm - Google Patents


Info

Publication number
CN114915443A
Authority
CN
China
Prior art keywords
security
equipment
sdk
platform
industrial
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210229421.6A
Other languages
Chinese (zh)
Inventor
朱少昕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mingtech Co ltd
Original Assignee
Mingtech Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • General Factory Administration (AREA)

Abstract

The invention provides an industrial edge operating system supporting a national encryption algorithm. It is a Linux-based industrial edge operating system comprising a security authentication platform system, which in turn comprises a security chip production system, a TSM system, a device ID system, a key management system, a secure communication system, a device identity authentication system, an SE-SDK, an application SDK and a developer platform. The SE-SDK and the application SDK are used for device access and service access. An accessed Internet of Things terminal device uses the unique serial number of its security chip as its unique device ID for identification, and service access performs identity authentication and encryption of communication data for the device based on symmetric and asymmetric cryptographic algorithms. The beneficial effects of the invention are that industrial information security is guaranteed, and the account management, identity authentication, data transmission and data protection of an industrial internet platform are strengthened.

Description

Industrial edge operating system supporting national encryption algorithm
Technical Field
The invention belongs to the technical field of the Internet of Things, and in particular relates to an industrial edge operating system supporting a national encryption algorithm.
Background
Cryptographic technology, as a basic security protection means, runs through the encryption, authentication and integrity verification processes of the edge access layer, IaaS layer, PaaS layer and SaaS layer of an industrial internet platform, but the use of domestic cryptographic algorithms in security technology is still at an early stage.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention relates to an industrial edge operating system supporting a national encryption algorithm, which is used to ensure industrial information security and to strengthen the account management, identity authentication, data transmission and data protection of an industrial internet platform.
An industrial edge operating system supporting a national encryption algorithm is a Linux-based industrial edge operating system comprising a security authentication platform system, which in turn comprises: a security chip production system, a TSM system, a device ID system, a key management system, a secure communication system, a device identity authentication system, an SE-SDK, an application SDK and a developer platform. The SE-SDK and the application SDK are used for device access and service access; an accessed Internet of Things terminal device uses the unique serial number of its security chip as its unique device ID for identification, and service access performs identity authentication and encryption of communication data for the device based on symmetric and asymmetric cryptographic algorithms.
Further, the device identity authentication system establishes a PKI/CA infrastructure based on a domestic algorithm, issues certificates to every device and cloud side in the Internet of Things scenario, and registers every device by identifying and authenticating it and binding it to its certificate.
Further, on transmission links where no SSL secure channel is established, the key management system signs and encrypts the transmitted data packets using SM2 and SM4 in combination, so as to ensure the security and trustworthiness of the data.
Further, the secure communication system establishes SSL two-way link communication based on the national cryptographic standard using a dual-certificate system: the signing certificate signs to confirm the identities of both parties and complete the handshake, and the encryption certificate is used for secure data communication.
The beneficial effects of the invention are as follows: industrial information security is guaranteed, and the account management, identity authentication, data transmission and data protection of an industrial internet platform are strengthened. Security authentication of Internet of Things devices is realized by a PKI authentication mechanism or a symmetric key authentication mechanism. The security chip serves as the root of trust and stores sensitive data such as keys and device certificates; it provides hardware protection for this sensitive data, ensures that it cannot be read out, and stores key data in encrypted form.
Drawings
Fig. 1 is a block diagram of a system configuration in an embodiment of the present invention.
Fig. 2 is a flowchart of an authentication key according to an embodiment of the present invention.
Fig. 3 is a flowchart of encrypted storage of accounts and users with the domestic encryption algorithm in an embodiment of the present invention.
Detailed Description
The present invention is further illustrated by the following examples, which are only some of the embodiments of the present invention; they serve only to explain the invention and do not limit its scope.
As shown in fig. 1, an industrial edge operating system supporting a national encryption algorithm is a Linux-based industrial edge operating system that includes a security authentication platform system, and the security authentication platform system includes: a security chip production system, a TSM system, a device ID system, a key management system, a secure communication system, a device identity authentication system, an SE-SDK, an application SDK and a developer platform. The SE-SDK and the application SDK are used for device access and service access; an accessed Internet of Things terminal device uses the unique serial number of its security chip as its unique device ID for identification, and service access performs identity authentication and encryption of communication data for the device based on symmetric and asymmetric cryptographic algorithms.
In the embodiment of the invention, the built-in hardware algorithm coprocessor provides high-performance security algorithm modules such as DES/3DES, AES, SHA, RSA, ECC and the national commercial cryptographic algorithms SM1/SM2/SM3/SM4, and integrates application peripheral interfaces including a 12-bit 1 Msps high-precision SAR ADC, a 10-bit DAC, a comparator, an RTC real-time clock, high-performance PWM, USB 2.0 (FS), multi-channel SPI, UART, I2C and ISO 7816, so that Internet of Things and mobile internet security authentication solutions can be realized easily. Identity authentication here means that the authentication key of the SE must be updated (i.e. key replacement) when the device is powered on and initialized for the first time; the authentication key is updated only once, and all subsequent authentication uses the updated key.
As shown in fig. 2, in an embodiment of the present invention, the method by which the system applies the asymmetric cryptographic algorithm comprises the following steps:
step 1, the service platform initializes a new network access device;
step 2, the gateway calls the SE-SDK to initialize the security chip;
step 3, the SE-SDK obtains the card random number and the application serial number;
step 4, the card random number and the application serial number are sent to the service platform;
step 5, the service platform calls the initial key update interface of the national security cloud SDK;
step 6, the national security cloud checks whether the application serial number is legal;
step 7, the national security cloud generates the formal security authentication key ciphertext;
step 8, the service platform obtains the key ciphertext through the national security cloud SDK and issues it to the terminal;
step 9, the terminal calls the SE-SDK to pass in the key ciphertext;
step 10, the SE-SDK generates a writekey instruction and updates the authentication key;
step 11, the SE returns the key update result;
step 12, the service platform calls the national security cloud SDK to return the key writing result;
step 13, the national security cloud records the device in the platform device table.
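The first-power-on key replacement flow of fig. 2 (steps 1 to 13) as a runnable simulation, including the rule that the authentication key is updated only once; this is an added example, not code from the patent. The SM4 cipher, the production-time derivation of the initial key (master key plus chip serial) and the binding of the wrap key to the card random number are labelled assumptions standing in for what the page leaves unspecified; the whitelist check, the once-only update and the relay role of the service platform follow the description.

```python
# Added example, not code from the patent: the fig. 2 key replacement flow, with the
# SM4 cipher and the production-time key derivation replaced by labelled stand-ins.
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for SM4 (assumption): counter-mode SHA-256 keystream."""
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def wrap(kek: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC a key under a key-encryption key: nonce || body || tag."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(key, _keystream(kek, nonce, len(key))))
    return nonce + body + hmac.new(kek, nonce + body, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes):
    """Return the wrapped key, or None when the tag fails (tampered ciphertext)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(kek, nonce, len(body))))

def initial_key_for(master_key: bytes, serial: str) -> bytes:
    # Assumption: the security chip production system personalises each SE with a
    # key derived from a master key and the chip serial, so the cloud can re-derive it.
    return hmac.new(master_key, serial.encode(), hashlib.sha256).digest()

def session_kek(initial_key: bytes, card_random: bytes) -> bytes:
    # Binding the wrap key to the card random number (step 3) stops replay of an old blob.
    return hmac.new(initial_key, card_random, hashlib.sha256).digest()

class SecureElement:
    """Terminal-side SE: holds the factory key until it is replaced, exactly once."""

    def __init__(self, serial: str, initial_key: bytes):
        self.serial, self.auth_key = serial, initial_key   # chip serial is the device ID
        self.card_random, self.updated = b"", False

    def get_random(self) -> bytes:                 # step 3: fresh card random number
        self.card_random = os.urandom(16)
        return self.card_random

    def writekey(self, key_ciphertext: bytes) -> bool:   # steps 10-11
        if self.updated:                           # the authentication key is updated only once
            return False
        new_key = unwrap(session_kek(self.auth_key, self.card_random), key_ciphertext)
        if new_key is not None:
            self.auth_key, self.updated = new_key, True
        return new_key is not None

class NationalSecurityCloud:
    """Cloud side: whitelist check, formal key generation, platform device table."""

    def __init__(self, master_key: bytes, legal_serials: set):
        self.master_key, self.legal_serials = master_key, legal_serials  # whitelist
        self.pending, self.device_table = {}, {}

    def update_initial_key(self, serial: str, card_random: bytes):   # steps 5-7
        if serial not in self.legal_serials or serial in self.device_table:
            return None                            # illegal serial, or already provisioned
        formal_key = os.urandom(16)
        self.pending[serial] = formal_key
        kek = session_kek(initial_key_for(self.master_key, serial), card_random)
        return wrap(kek, formal_key)               # the service platform only relays this blob

    def write_result(self, serial: str, ok: bool) -> bool:   # steps 12-13
        key = self.pending.pop(serial, None)
        if ok and key is not None:
            self.device_table[serial] = key        # device table entry holds the formal key
        return ok and key is not None

def run_provisioning(cloud: NationalSecurityCloud, se: SecureElement) -> bool:
    """Gateway / service platform role: relays messages, never sees the plaintext key."""
    card_random = se.get_random()                                        # steps 2-4
    key_ciphertext = cloud.update_initial_key(se.serial, card_random)    # steps 5-8
    if key_ciphertext is None:
        return False
    return cloud.write_result(se.serial, se.writekey(key_ciphertext))    # steps 9-13
```

A serial missing from the whitelist is refused before any key material is generated, and a provisioned SE refuses every later writekey, which is the "updated only once" property the description states.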
Authentication and authorization run through all layers of the industrial internet platform. At the edge access layer of an industrial internet platform and on a platform with massive device access, a blacklist can only resist known harmful devices, not unknown ones, so a whitelist mechanism is needed to authenticate and identify accessing devices and users: only an entity that passes authentication is allowed access and may start transmitting data. At the IaaS layer, server users must be authenticated; at the PaaS and SaaS layers, login users must be authenticated and authorized. The SM2 elliptic curve public key cryptographic algorithm proposed in China generates keys quickly and offers high security, and can realize identity authentication and authorization better than RSA. Using the SM2 algorithm in edge device authentication and verification can substantially improve device access security.
Device and user account management runs through the industrial internet platform. Wherever login and authorization are required, account management is unavoidable. The security of accounts and passwords determines how far users trust the platform, and once account information is leaked it has a strongly negative effect on the normal development of the platform's expanded services. Platform enterprises should therefore pay close attention to the encrypted management of accounts. The national commercial algorithms SM1, SM7 and ZUC can be widely applied in this scenario: accounts and users are stored in encrypted form using a secure domestic encryption algorithm, which resists the various attack methods aimed at block cipher algorithms, including exhaustive search, differential and linear attacks, and withstands these attacks in practical application.
As shown in fig. 3, the system of the present invention can implement encrypted storage of accounts and users using a secure domestic encryption algorithm, and comprises the following steps:
step 1, the gateway obtains the device certificate and a device random number through the SE-SDK;
step 2, the device certificate and the device random number are sent to the Haier platform;
step 3, the Haier platform requests the device certificate verification service of the national security platform through the platform SDK;
step 4, the national security platform returns the verification result.
The user account and password can thus be locked down, so that account information remains 'unintelligible' even if it is stolen, providing a line of defense for user account security.
The system of the present invention may also provide communication protection. An industrial internet platform should ensure the confidentiality, integrity, non-repudiation and tamper resistance of communication; for example, when data mining and analysis are performed at the PaaS layer, data must be protected during communication so that the original data is not tampered with, remains fully usable, and private data is not leaked. Common data protection adopts international cryptographic algorithms such as AES, RSA, MD5 and ECC.
The first embodiment is as follows:
This embodiment of the invention is applied to the medical field. Internet of Things technology has brought great changes to modern medicine. The traditional medical model is that symptoms appear, the hospital runs tests and the doctor confirms a diagnosis; its timeliness is very poor, and many serious diseases cannot be prevented in advance. Wearable medical devices, such as a contact-lens type collector that determines a person's health status by analyzing tears, need to send the collected data to a doctor, who evaluates the patient's health after big data analysis. In addition, implantable medical devices have become an indispensable means of modern treatment, such as new cardiac pacemakers or artificial joints, and human activity data can be collected and sent to doctors over the internet. These networked medical devices have become a new point of interest for attackers and hackers.
Data security of medical devices concerns people's lives and patients' privacy, and is extremely sensitive core data. Such data may only be transferred between authorized personnel and patients within a medical facility, and any illegal disclosure has enormous consequences. The medical field should therefore be a focus for the application of cryptography.
By adopting the national commercial cryptographic standard, the integrity, privacy and authentication of data can be ensured; based on algorithms such as SM2, SM3 and SM4, a complete medical data protection scheme can be constructed, and related industry regulations can then be formed. Internet of Things medical devices differ from other Internet of Things applications in that most embedded medical devices have limited capacity to store data locally, so they depend heavily on data transmitted over the Internet of Things. Secure links are therefore important for Internet of Things medical devices; in particular, transmission between medical devices and the cloud should use technical means with independent intellectual property rights and independent controllability, such as the commercial cryptography standards. Cloud data must also be stored using a high-strength encryption algorithm to ensure its security.
Although the present invention has been described with reference to a preferred embodiment, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (4)

1. An industrial edge operating system supporting a national encryption algorithm, characterized in that the industrial edge operating system is Linux-based and comprises a security authentication platform system, and the security authentication platform system comprises: a security chip production system, a TSM system, a device ID system, a key management system, a secure communication system, a device identity authentication system, an SE-SDK, an application SDK and a developer platform, wherein the SE-SDK and the application SDK are used for device access and service access, an accessed Internet of Things terminal device uses the unique serial number of the security chip as its unique device ID for identification, and service access performs identity authentication and encryption of communication data for the device based on symmetric and asymmetric cryptographic algorithms.
2. The industrial edge operating system of claim 1, wherein the device identity authentication system establishes a PKI/CA infrastructure based on a domestic algorithm, issues certificates to each device and cloud in the Internet of Things scenario, and registers each device by identifying and authenticating the device and binding it to its certificate.
3. The industrial edge operating system of claim 2, wherein the key management system ensures the security and trustworthiness of data by using SM2 and SM4 in combination to sign and encrypt the transmitted data packets on transmission links where no SSL secure channel is established.
4. The industrial edge operating system of claim 2, wherein the secure communication system establishes SSL two-way link communication based on the national cryptographic standard, and through a dual-certificate system the signing certificate signs to confirm identity and complete the handshake while the encryption certificate performs secure data communication.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210229421.6A CN114915443A (en) 2022-03-09 2022-03-09 Industrial edge operating system supporting national encryption algorithm

Publications (1)

Publication Number Publication Date
CN114915443A true CN114915443A (en) 2022-08-16

Family

ID=82762889

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210229421.6A Pending CN114915443A (en) 2022-03-09 2022-03-09 Industrial edge operating system supporting national encryption algorithm

Country Status (1)

Country Link
CN (1) CN114915443A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20140098872A (en) * 2013-01-31 2014-08-08 남궁용주 security system and method using trusted service manager and biometric for web service of mobile nfc device
CN109347635A (en) * 2018-11-14 2019-02-15 中云信安(深圳)科技有限公司 A kind of Internet of Things security certification system and authentication method based on national secret algorithm
CN113595985A (en) * 2021-06-30 2021-11-02 江西海盾信联科技有限责任公司 Internet of things security cloud platform implementation method based on state cryptographic algorithm security chip
CN114139176A (en) * 2021-11-12 2022-03-04 航天新长征大道科技有限公司 Industrial internet core data protection method and system based on state secret

Similar Documents

Publication Publication Date Title
CN113783836B (en) Internet of things data access control method and system based on block chain and IBE algorithm
CN103124269B (en) Based on the Bidirectional identity authentication method of dynamic password and biological characteristic under cloud environment
CN106104562B (en) System and method for securely storing and recovering confidential data
CN112954675B (en) Multi-gateway authentication method, system, storage medium, computer device and terminal
CN110247881B (en) Identity authentication method and system based on wearable equipment
KR101198120B1 (en) Iris information based 3-factor user authentication method for otp generation and secure two way authentication system of wireless communication device authentication using otp
WO2017097041A1 (en) Data transmission method and device
CN109361668A (en) A kind of data trusted transmission method
CN109410406A (en) A kind of authorization method, device and system
CN108243166A (en) A kind of identity identifying method and system based on USBKey
CN102024123A (en) Method and device for importing mirror image of virtual machine in cloud calculation
Kim et al. On the security of two remote user authentication schemes for telecare medical information systems
CN114938382B (en) Electronic medical record safe and controllable sharing method based on alliance block chain
CN104821883A (en) Privacy protection credit reporting method based on asymmetric cryptographic algorithm
KR100668446B1 (en) Safe --method for transferring digital certificate
CN112073422A (en) Intelligent home protection system and protection method thereof
CN110519222B (en) External network access identity authentication method and system based on disposable asymmetric key pair and key fob
CN110572825A (en) Wearable equipment authentication device and authentication encryption method
CN113904767A (en) System for establishing communication based on SSL
Beck et al. BCG & ECG-based secure communication for medical devices in Body Area Networks
CN113890890B (en) Efficient data management method applied to intelligent medical system
CN110289961A (en) Tele-medicine authentication method
CN102025743A (en) Method and device for exporting mirror image of virtual machine in cloud computing
CN111953675B (en) Key management method based on hardware equipment
CN115766098A (en) Personal health data sharing method based on block chain and proxy re-encryption

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination