CN114915443A - Industrial edge operating system supporting national encryption algorithm - Google Patents
- Publication number
- CN114915443A (application CN202210229421.6A)
- Authority
- CN
- China
- Prior art keywords
- security
- equipment
- sdk
- platform
- industrial
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- General Factory Administration (AREA)
Abstract
The invention provides an industrial edge operating system supporting the national cryptographic algorithms (the Chinese SM algorithms). It is a Linux-based industrial edge operating system comprising a security authentication platform system, which in turn comprises: a security chip production system, a TSM system, a device ID system, a key management system, a secure communication system, a device identity authentication system, an SE-SDK, an application SDK and a developer platform. The SE-SDK and the application SDK are used for device access and service access; an accessing Internet of Things terminal device uses the unique serial number of its security chip as its unique device ID for identification, and service access performs identity authentication of the device and encryption of its communication data based on symmetric and asymmetric cryptographic algorithms. The beneficial effects of the invention are that industrial information security is guaranteed and that account management, identity authentication, data transmission and protection on an industrial internet platform are strengthened.
Description
Technical Field
The invention belongs to the technical field of Internet of things, and particularly relates to an industrial edge operating system supporting a national encryption algorithm.
Background
Cryptographic technology is the basic security protection means that runs through the encryption, authentication and integrity verification processes of the edge access layer, IaaS layer, PaaS layer and SaaS layer of an industrial internet platform, but the use of domestic cryptographic algorithms in security technology is still at an early stage.
Disclosure of Invention
To overcome the shortcomings of the prior art, the invention provides an industrial edge operating system supporting the national cryptographic algorithms, which guarantees industrial information security and strengthens the account management, identity authentication, data transmission and protection of an industrial internet platform.
The industrial edge operating system supporting the national cryptographic algorithms is a Linux-based industrial edge operating system comprising a security authentication platform system, which in turn comprises: a security chip production system, a TSM system, a device ID system, a key management system, a secure communication system, a device identity authentication system, an SE-SDK, an application SDK and a developer platform. The SE-SDK and the application SDK are used for device access and service access; an accessing Internet of Things terminal device uses the unique serial number of its security chip as its unique device ID for identification, and service access performs identity authentication of the device and encryption of its communication data based on symmetric and asymmetric cryptographic algorithms.
Furthermore, the device identity authentication system establishes a PKI/CA infrastructure based on the domestic algorithms, issues certificates to every device and cloud side in the Internet of Things scenario, and registers every device by identifying and authenticating it and binding it to its certificate.
Further, the key management system uses SM2 and SM4 in combination to sign and encrypt each transmitted data packet on the transmission link, without establishing an SSL secure channel, so as to ensure the security and credibility of the data.
Furthermore, the secure communication system establishes SSL two-way (mutually authenticated) link communication based on the national cryptographic standard, using a dual-certificate system: the signing certificate signs to confirm the identity of both parties during the handshake, and the encryption certificate is used for secure data communication.
The beneficial effects of the invention are as follows: industrial information security is guaranteed, and the account management, identity authentication, data transmission and protection of an industrial internet platform are strengthened. Secure authentication of Internet of Things devices is achieved through a PKI authentication mechanism or a symmetric-key authentication mechanism. The security chip serves as the root of trust and stores sensitive data such as keys and device certificates; it provides hardware protection for that data, ensures that it cannot be read out, and stores key data in encrypted form.
Drawings
Fig. 1 is a block diagram of a system configuration in an embodiment of the present invention.
Fig. 2 is a flowchart of an authentication key according to an embodiment of the present invention.
Fig. 3 is a flowchart of encrypted storage of accounts and users with the domestic cryptographic algorithm according to an embodiment of the present invention.
Detailed Description
The present invention is further illustrated by the following examples, which are only a part of the examples of the present invention, and these examples are only for explaining the present invention and do not limit the scope of the present invention.
As shown in fig. 1, the industrial edge operating system supporting the national cryptographic algorithms is a Linux-based industrial edge operating system comprising a security authentication platform system, which in turn comprises: a security chip production system, a TSM system, a device ID system, a key management system, a secure communication system, a device identity authentication system, an SE-SDK, an application SDK and a developer platform. The SE-SDK and the application SDK are used for device access and service access; an accessing Internet of Things terminal device uses the unique serial number of its security chip as its unique device ID for identification, and service access performs identity authentication of the device and encryption of its communication data based on symmetric and asymmetric cryptographic algorithms.
In the embodiment of the invention, the built-in hardware algorithm coprocessor provides high-performance security algorithm modules such as DES/3DES, AES, SHA, RSA, ECC and the national commercial cryptographic algorithms SM1/SM2/SM3/SM4, and integrates application peripheral interfaces including a 12-bit 1 Msps high-precision SAR ADC, a 10-bit DAC, a comparator, an RTC real-time clock, high-performance PWM, USB 2.0 (FS), multiple SPI channels, UART, I2C and ISO 7816, so that Internet of Things and mobile internet security authentication solutions can be implemented easily. Identity authentication here means that the authentication key of the SE must be updated (i.e. key replacement) when the device is powered on and initialised for the first time; the authentication key is updated only once, and all subsequent authentication uses the updated key.
As shown in fig. 2, in the embodiment of the present invention the method for applying the system's asymmetric cryptographic algorithm comprises the following steps:
step 1, the service platform initialises a new network-access device;
step 2, the gateway calls the SE-SDK to initialise the security chip;
step 3, the SE-SDK obtains the card random number and the application serial number;
step 4, the card random number and the application serial number are sent to the service platform;
step 5, the service platform calls the initial-key update interface of the national security cloud SDK;
step 6, the national security cloud checks whether the application serial number is legal;
step 8, the service platform obtains the key ciphertext through the national security cloud SDK and issues it to the terminal;
step 9, the terminal calls the SE-SDK to pass in the key ciphertext;
step 10, the SE-SDK generates a writekey instruction and updates the authentication key;
step 11, the SE returns the key update result;
step 12, the service platform calls the national security cloud SDK to return the key-writing result;
and step 13, the national security cloud records the device in the platform device table.
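The fig. 2 key replacement flow modelled end to end, as an added example that is not the patent's own code. It assumes the initial authentication key is a per-chip secret shared by the security chip production system and the national security cloud, and that the key ciphertext is the new key wrapped under that initial key; HMAC-SHA256 from the standard library stands in for the SM3/SM4 primitives, which the standard library does not provide. The one-time update rule from the description is enforced on both the SE side and the cloud side.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes of authentication key; the integrity tag is the same size

def _prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF over length-prefixed inputs (stand-in for an SM3/SM4-based MAC)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()

def wrap_key(initial_key: bytes, card_random: bytes, new_key: bytes) -> bytes:
    """Key ciphertext (step 8): new key XOR a keystream bound to the card random, plus a tag."""
    stream = _prf(initial_key, b"wrap", card_random)
    body = bytes(a ^ b for a, b in zip(new_key, stream))
    return body + _prf(initial_key, b"tag", card_random, body)

def unwrap_key(initial_key: bytes, card_random: bytes, blob: bytes) -> bytes:
    """Reverse of wrap_key; a tampered blob or a wrong card random fails the tag check."""
    body, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    if not hmac.compare_digest(tag, _prf(initial_key, b"tag", card_random, body)):
        raise ValueError("key ciphertext failed integrity check")
    stream = _prf(initial_key, b"wrap", card_random)
    return bytes(a ^ b for a, b in zip(body, stream))

class SecurityChip:
    """SE side (steps 2-3, 9-11); the chip serial number is the device ID."""
    def __init__(self, serial: bytes, initial_key: bytes):
        self.serial, self.auth_key, self.rotated = serial, initial_key, False

    def init_request(self):
        self.card_random = secrets.token_bytes(16)
        return self.card_random, self.serial

    def writekey(self, blob: bytes) -> bool:
        if self.rotated:  # the authentication key is replaced exactly once
            return False
        self.auth_key = unwrap_key(self.auth_key, self.card_random, blob)
        self.rotated = True
        return True

    def authenticate(self, challenge: bytes) -> bytes:
        return _prf(self.auth_key, b"auth", challenge)

class NationalSecurityCloud:
    """Cloud side (steps 5-8, 12-13): serial whitelist, key issuance, device table."""
    def __init__(self, provisioned: dict):
        self.provisioned = dict(provisioned)  # serial -> initial key, from chip production
        self.device_table, self.pending = {}, {}

    def issue_key(self, card_random: bytes, serial: bytes) -> bytes:
        if serial not in self.provisioned:  # step 6: the serial number must be legal
            raise PermissionError("application serial number not provisioned")
        if serial in self.device_table:  # refuse a second replacement
            raise PermissionError("authentication key already replaced")
        self.pending[serial] = secrets.token_bytes(KEY_LEN)
        return wrap_key(self.provisioned[serial], card_random, self.pending[serial])

    def record_result(self, serial: bytes, ok: bool) -> bool:
        if ok:  # step 13: commit the new key to the platform device table
            self.device_table[serial] = self.pending.pop(serial)
        return ok

    def verify(self, serial: bytes, challenge: bytes, response: bytes) -> bool:
        key = self.device_table.get(serial)
        return key is not None and hmac.compare_digest(response, _prf(key, b"auth", challenge))

def run_flow() -> dict:
    """Drive the flow for one constructed device and report what a defender expects."""
    initial = secrets.token_bytes(KEY_LEN)
    cloud = NationalSecurityCloud({b"SE-0001": initial})  # constructed sample device
    se = SecurityChip(b"SE-0001", initial)
    rnd, serial = se.init_request()
    blob = cloud.issue_key(rnd, serial)
    first = cloud.record_result(serial, se.writekey(blob))
    second = se.writekey(blob)  # replaying the key ciphertext is refused by the SE
    ch = secrets.token_bytes(16)
    return {"first_update": first, "second_update": second,
            "auth_new_key": cloud.verify(serial, ch, se.authenticate(ch)),
            "auth_initial_key": cloud.verify(serial, ch, _prf(initial, b"auth", ch))}
```

After the flow, an authentication attempt with the initial key is rejected and a second issue_key call for the same serial raises PermissionError, which is the property a defender should check in a real deployment.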
Identity authentication and authorization run through all layers of the industrial internet platform. At the edge access layer of an industrial internet platform, which admits massive numbers of devices, a blacklist can only resist known harmful devices and not unknown ones, so a whitelist mechanism is needed to authenticate and identify accessing devices and users, and only an entity that passes authentication is allowed access and may begin transmitting data; at the IaaS layer, server users must be authenticated; at the PaaS and SaaS layers, logged-in users must be authenticated and authorized. The SM2 elliptic-curve public-key cryptographic algorithm proposed in China generates keys quickly and offers high security, and realises identity authentication and authorization better than RSA. Using the SM2 algorithm for edge device authentication and verification can substantially improve device access security.
Device and user account management runs through the industrial internet platform. Wherever login and authorization are required, account management is unavoidable. The security of account names and passwords determines how far users trust the platform, and once account information leaks it has a severe negative effect on the normal growth of the platform's services. Platform operators should therefore pay close attention to the encrypted management of accounts. The national algorithms SM1, SM7 and ZUC (Zu Chongzhi) can be widely applied in this scenario: accounts and users are stored encrypted with a secure domestic cryptographic algorithm, which resists the various attack methods aimed at block cipher algorithms, including exhaustive search, differential attacks and linear attacks, and these attack means can be resisted in practical application.
As shown in fig. 3, the system of the present invention can implement encrypted storage of accounts and users using a secure domestic cryptographic algorithm, and comprises the following steps:
step 1, the gateway obtains the device certificate and a device random number through the SE-SDK;
step 2, the device certificate and the device random number are sent to the Haier platform;
step 3, the Haier platform requests the device certificate verification service of the national security platform through the platform SDK;
and step 4, the national security platform returns the verification result.
User accounts and passwords can thus be locked so that account information remains "unreadable" even if stolen, providing a line of security defence for user accounts.
The system of the present invention can also provide communication protection. An industrial internet platform should ensure the confidentiality, integrity, non-repudiation and tamper resistance of communication; for example, when data mining and analysis are performed at the PaaS layer, data must be protected in transit so that the original data are not tampered with, remain fully usable, and private data are not leaked. Common data protection uses international cryptographic algorithms such as AES, RSA, MD5 and ECC.
The first embodiment is as follows:
The embodiment of the invention is applied in the medical field. Internet of Things technology has brought great changes to modern medicine. The traditional model of care is symptom onset, hospital testing and then diagnosis by a doctor; its timeliness is very poor, and many serious diseases cannot be prevented in advance. Wearable medical devices, such as contact-lens collectors that determine a person's health status by analysing tears, must send the collected data to a doctor, and the patient's health status is evaluated after big-data analysis. In addition, implantable medical devices have become an indispensable means of modern treatment, such as new types of cardiac pacemaker or artificial joint, and human activity data can be collected and sent to doctors over the internet. These networked medical devices have become a new point of interest for attackers.
The data security of medical devices concerns people's lives and patients' privacy and is extremely sensitive core data. Such data may only be transferred between authorized personnel and patients within a medical facility, and any unlawful disclosure can have enormous consequences. The medical field should therefore be a focus for the application of cryptography.
By adopting the national commercial cryptography standards, the integrity, privacy and authentication of data can be ensured; based on algorithms such as SM2, SM3 and SM4 a complete medical data protection scheme can be constructed, and related industry regulations can be developed from it. Internet of Things medical devices differ from other Internet of Things applications in that most embedded medical devices have limited capacity to store data locally, so they depend heavily on data transmitted over the Internet of Things. Secure link applications are therefore important for Internet of Things medical devices; in particular, transmission between the medical devices and the cloud must use technical means that are independently developed and controllable, such as the commercial cryptography standards, and cloud data must be stored with a high-strength encryption algorithm to ensure its security.
Although the present invention has been described with reference to a preferred embodiment, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (4)
1. An industrial edge operating system supporting a national cryptographic algorithm, characterised in that the industrial edge operating system is Linux-based and comprises a security authentication platform system, and the security authentication platform system comprises: a security chip production system, a TSM system, a device ID system, a key management system, a secure communication system, a device identity authentication system, an SE-SDK, an application SDK and a developer platform, wherein the SE-SDK and the application SDK are used for device access and service access, an accessing Internet of Things terminal device uses the unique serial number of the security chip as its unique device ID for identification, and service access performs identity authentication of the device and encryption of its communication data based on symmetric and asymmetric cryptographic algorithms.
2. The industrial edge operating system of claim 1, wherein the device identity authentication system issues certificates to each device and cloud in the Internet of Things context by establishing a PKI/CA infrastructure based on a domestic algorithm, and registers each device by identifying and authenticating the device and binding it to its certificate.
3. The industrial edge operating system of claim 2, wherein the key management system ensures the security and credibility of data by using the combination of SM2 and SM4 to sign and encrypt the transmitted data packets on the transmission link without establishing an SSL secure channel.
4. The industrial edge operating system of claim 2, wherein the secure communication system establishes SSL two-way link communication based on the national cryptographic standard, and performs signing, identity confirmation, handshake and secure data communication with the encryption certificate through a dual-certificate system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210229421.6A CN114915443A (en) | 2022-03-09 | 2022-03-09 | Industrial edge operating system supporting national encryption algorithm |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210229421.6A CN114915443A (en) | 2022-03-09 | 2022-03-09 | Industrial edge operating system supporting national encryption algorithm |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114915443A true CN114915443A (en) | 2022-08-16 |
Family
ID=82762889
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210229421.6A Pending CN114915443A (en) | 2022-03-09 | 2022-03-09 | Industrial edge operating system supporting national encryption algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114915443A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20140098872A (en) * | 2013-01-31 | 2014-08-08 | 남궁용주 | security system and method using trusted service manager and biometric for web service of mobile nfc device |
CN109347635A (en) * | 2018-11-14 | 2019-02-15 | 中云信安(深圳)科技有限公司 | A kind of Internet of Things security certification system and authentication method based on national secret algorithm |
CN113595985A (en) * | 2021-06-30 | 2021-11-02 | 江西海盾信联科技有限责任公司 | Internet of things security cloud platform implementation method based on state cryptographic algorithm security chip |
CN114139176A (en) * | 2021-11-12 | 2022-03-04 | 航天新长征大道科技有限公司 | Industrial internet core data protection method and system based on state secret |
- 2022-03-09 CN CN202210229421.6A patent/CN114915443A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN113783836B (en) | Internet of things data access control method and system based on block chain and IBE algorithm | |
CN103124269B (en) | Based on the Bidirectional identity authentication method of dynamic password and biological characteristic under cloud environment | |
CN106104562B (en) | System and method for securely storing and recovering confidential data | |
CN112954675B (en) | Multi-gateway authentication method, system, storage medium, computer device and terminal | |
CN110247881B (en) | Identity authentication method and system based on wearable equipment | |
KR101198120B1 (en) | Iris information based 3-factor user authentication method for otp generation and secure two way authentication system of wireless communication device authentication using otp | |
WO2017097041A1 (en) | Data transmission method and device | |
CN109361668A (en) | A kind of data trusted transmission method | |
CN109410406A (en) | A kind of authorization method, device and system | |
CN108243166A (en) | A kind of identity identifying method and system based on USBKey | |
CN102024123A (en) | Method and device for importing mirror image of virtual machine in cloud calculation | |
Kim et al. | On the security of two remote user authentication schemes for telecare medical information systems | |
CN114938382B (en) | Electronic medical record safe and controllable sharing method based on alliance block chain | |
CN104821883A (en) | Privacy protection credit reporting method based on asymmetric cryptographic algorithm | |
KR100668446B1 (en) | Safe --method for transferring digital certificate | |
CN112073422A (en) | Intelligent home protection system and protection method thereof | |
CN110519222B (en) | External network access identity authentication method and system based on disposable asymmetric key pair and key fob | |
CN110572825A (en) | Wearable equipment authentication device and authentication encryption method | |
CN113904767A (en) | System for establishing communication based on SSL | |
Beck et al. | BCG & ECG-based secure communication for medical devices in Body Area Networks | |
CN113890890B (en) | Efficient data management method applied to intelligent medical system | |
CN110289961A (en) | Tele-medicine authentication method | |
CN102025743A (en) | Method and device for exporting mirror image of virtual machine in cloud computing | |
CN111953675B (en) | Key management method based on hardware equipment | |
CN115766098A (en) | Personal health data sharing method based on block chain and proxy re-encryption |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||