CN114978709B - Lightweight unified security authentication method for medical application - Google Patents

Lightweight unified security authentication method for medical application Download PDF

Info

Publication number
CN114978709B
CN114978709B CN202210574843.7A CN202210574843A CN114978709B CN 114978709 B CN114978709 B CN 114978709B CN 202210574843 A CN202210574843 A CN 202210574843A CN 114978709 B CN114978709 B CN 114978709B
Authority
CN
China
Prior art keywords
hospital
information
key
application server
party application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210574843.7A
Other languages
Chinese (zh)
Other versions
CN114978709A (en
Inventor
袁静
代里嘉
白斌
黄路非
李暄
冯刚
刘培元
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
No 3 Peoples Hospital of Chengdu
Original Assignee
No 3 Peoples Hospital of Chengdu
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by No 3 Peoples Hospital of Chengdu filed Critical No 3 Peoples Hospital of Chengdu
Priority to CN202210574843.7A priority Critical patent/CN114978709B/en
Publication of CN114978709A publication Critical patent/CN114978709A/en
Application granted granted Critical
Publication of CN114978709B publication Critical patent/CN114978709B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a lightweight unified safety authentication system and method for medical application, which abandons the traditional safety enhancement thought based on software installation, fully considers the current situations of high complexity and high modification cost of the existing medical application system, provides a unified safety framework with lightweight, low cost and flexible configuration, can meet the safety enhancement demands of medical application systems with different scales and different demands, and provides a new technical thought for breaking through the bottleneck problem of safety upgrading of the medical application systems in the current stage.

Description

Lightweight unified security authentication method for medical application
Technical Field
The invention belongs to the technical field of medical information security, and particularly relates to a lightweight unified security authentication method for medical application.
Background
The informatization process of the medical and health industry in China is developed rapidly, and particularly the emerging informatization technologies such as mobile Internet, big data and cloud computing are developed at high speed and applied in large scale in China, and meanwhile, the safety problem is also enlarged rapidly, so that the informatization process becomes one of bottleneck problems of the development of future medical application systems. Medical informatization has been established for over twenty years, and has been developed from a simple in-hospital closed information system to Internet online and offline medical resource integration, and on-line reservation, on-line review, on-line prescription and other convenient measures have been developed. However, these functions require interaction with intra-hospital core information systems such as HIS, LIS, EMR, resulting in industry network security facing significant challenges.
Traditional security authentication systems provide services such as data encryption, identity authentication, and behavior monitoring to third party software (each medical application software) through application access interfaces or Web services. In the initial design of the third party software, the problem that no reserved safety interface exists or reserved interfaces among different manufacturers are not uniform is solved, so that the third party software is required to be subjected to later design transformation to adapt to new safety certification requirements. Because the medical information system is very complex, the number of manufacturers involved increases, and the maintenance cost increases. Therefore, the bottleneck problems of high implementation cost, large service influence, high environmental complexity and the like in the safety upgrading and reconstruction of the current medical application system are required to be solved.
Disclosure of Invention
Aiming at the defects in the prior art, the lightweight unified safety authentication system and the method for medical application provided by the invention discard the traditional safety enhancement thought based on software installation, fully consider the current situations of high complexity and high transformation cost of the existing medical application system, and provide a unified safety architecture with lightweight, low cost and flexible configuration. The safety enhancement requirements of medical application systems with different scales and different requirements can be met, and the safety enhancement method is a new technical thought for breaking through the bottleneck problem of safety upgrading of the medical application systems at the current stage.
In order to achieve the aim of the invention, the invention adopts the following technical scheme: a medical application-oriented lightweight unified security authentication system, comprising:
the third party application server is deployed in the public network environment and is used for carrying out service data interaction with the user side;
the hospital external connection safety platform is deployed in the internal network switching area of the hospital and is used for receiving and processing service requests from the public network environment;
the key management center is deployed in the inner network core area of the hospital and is used for managing the key of the service request, realizing the national encryption algorithm, the identity authentication and the encryption and decryption process;
the hospital information system is deployed in a hospital intranet core area and is used for providing access data required by a hospital external security platform;
the database is deployed in the inner network core area of the hospital and is used for storing data in the hospital information system.
Further, the third party application server comprises an original service module, a security module and a data packet encapsulation and analysis module;
the security module comprises a data packet processing unit, a security authentication silence inserting unit and a data encryption silence inserting unit, wherein the data packet processing unit, the security authentication silence inserting unit and the data encryption silence inserting unit are developed based on a Netfilter framework and are realized in a manner of being insensitive to application services.
Further, the hospital external security platform comprises a data packet detection module, a security authentication and data encryption module, a hospital information system interface calling module and an early warning and statistics service module.
A lightweight unified security authentication method based on a lightweight unified security authentication system for hospital application comprises the following steps:
s1, registering to a hospital external security platform through a third party application server to acquire registration information;
s2, generating key information when the third party application server performs data interaction according to the registration information;
s3, based on the data access request and the key information of the user side, sending an encryption message to the hospital external security platform through the third party application server, and decrypting the encryption message in the hospital external security platform;
s4, in the hospital external security platform, data access is carried out on the hospital information system based on the decrypted message plaintext, and the access data is encrypted and returned to a third party application server, so that unified security authentication is realized.
Further, in the step S1, the registration application information submitted when the third party application server registers with the hospital external security platform includes an application name, a vendor name, and a server MAC address;
the registration information is Token of the third party application server i The Token i And after being generated and stored by the hospital extranet security platform, the hospital extranet security platform is returned to the third party application server.
Further, in the step S2, when the third party application server logs in the hospital external connection An Quanping for the first time, the method for generating the key information specifically includes:
s2-1, generating login request information based on a login request of a third party application server and combining an encryption session key, and sending the login request information to a hospital external security platform;
s2-2, decrypting and verifying the login request information through a hospital external connection An Quanping platform, and judging whether the verification is passed or not;
if yes, enter step S2-3;
if not, feeding back login failure information to the third party application server;
s2-3, applying corresponding key basic information to a key management center, combining a public key of a hospital external security platform to form key information, and returning the key information and a login result to a third party application server;
s2-4, extracting key information in the received information in the third party application server and encrypting and storing the key information.
Further, the login request information in the step S2-1 is: TAS (TAS) i -->HEP:LoginReq=T i EKS, wherein TAS i For the ith third party application server, HEP is a hospital external security platform, loginReq is a login request, T i For the time stamp, EKS is the encrypted session key EMS;
the generation method of the encryption session key EMS comprises the following steps:
extracting Token of third party application server i Token is encrypted using SM4 national encryption algorithm i As an encryption key, the generated random numbers R0, R1 are encrypted, and an encryption session key EMS is generated, whose expression EKS is: eks=sm4 Tokeni (R0⊕R1||Token i ) The exclusive OR operationThe | is bit connection operation, and R0 +.R1 is used as the session key KS;
the step S2-2 specifically comprises the following steps:
in the hospital external security platform, the Token of the current third party application server is stored i As a key, an SM4 algorithm is used to decrypt the encrypted session key EKS in the received information and to decrypt the decrypted Token i Verifying when decrypting the Token i With Token stored in an externally connected secure platform i If the login information is consistent, the verification is passed, a step S2-3 is entered, otherwise, login failure information is fed back to a third party application server;
the basic key information in the step S2-3 is a public-private key pair of the third party application server, and is in the form of hep— > HSC: loginReq= { AppName ProName MACAddr }, HSC is a key management center, HEP is a hospital external security platform, HSC is a key management center, appName is an application name, proName is an application contractor name, MACAddr is a server MAC address, and I is a bit connection operation;
the key information in the step S2-3 is HSC->HEP:RegisterResp={PK HEP ||SK TASi ||PK TASi HSC as key management center, registerResp as registration reply message, PK HEP Is an externally connected safety platform of a hospital, SK TASi Application server private key, PK for third party TASi The server public key is applied for the third party.
Further, the step S3 specifically includes:
s3-1, carrying out encryption processing on a service data access request of a user by using a session key KS to obtain encryption information secretmsg=SM4 KS (business data);
s3-2, processing the encrypted information by using an SM3 algorithm to obtain a hash value SM3 (secretMsg);
s3-3, using private key pair Token of third party application server i Performing SM2 operation to obtain authentication information SM2 SK-TASi (Token i ) And sends the encrypted message formed by the encrypted message and the hash value SM3 (secretMsg) to the hospital-external security platform;
wherein the encrypted message request is in the form of: TASi-)>HEP:Msg={SM2 SK-TASi (Token i ) +secretmsg+sm3 (SecretMsg) }, TASi is the ith third party application server, HEP is a hospital extranet security platform, msg is the encrypted message content;
s3-4, in the hospital external security platform, using a public key of a third party application server as a secret key, calling an SM2 algorithm to analyze the public key and perform identity verification, and judging whether the verification is passed;
if yes, enter step S3-5;
if not, entering a step S3-7;
s3-5, performing SM3 hash operation on the encryption information SecretMsg, and verifying the integrity of the received message;
s3-6, decrypting the encrypted message by adopting an SM4 algorithm and a session key to obtain a decrypted message plaintext SM4 KS (SecretMsg);
S3-7, early warning information is generated, and detailed parameters of the early warning information are fed back to the early warning and statistics service module.
Further, the step S4 specifically includes:
s4-1, performing data access to a hospital information system according to the request content in the message text, obtaining corresponding data, packaging the corresponding data into a message reply message, and forming an encrypted reply message by grouping and returning the encrypted reply message to a third party application server:
s4-2, in the third party application server, analyzing and verifying the received encrypted reply message;
s4-3, decrypting the verified encrypted reply message to obtain a message reply plaintext, and feeding the message reply plaintext back to the user side to realize the same security authentication.
Further, in the step S4-1, the encrypted reply message is in the form of: HEP-)>TASi:MsgRsp={SM2 SK-HEP (PK HEP )+SecretMsgRsp+SM3(SecretMsgRsp)}
Wherein HEP is the hospital external security level, TASi is the ith third party application server, msgRsp is the encrypted reply message, SM2 SK-HEP (PK HEP ) For passing through the outside of hospitalThe private key of the security platform performs SM2 operation on the public key to obtain identity verification information, the secretMsgRsp is a message reply message obtained from a hospital information system, and the SM3 (secretMsgRsp) is a hash value obtained by performing operation on the secretMsgRsp by using a national secret SM3 algorithm;
the step S4-2 specifically comprises the following steps:
the public key of the hospital external security platform is used as a secret key, a national secret SM2 algorithm is called to analyze the encrypted reply message, when the analyzed message is consistent with the stored public key of the hospital external security platform, verification is successful, SM3 hash operation is carried out on the encrypted reply message which is successfully verified, and the integrity of the received message is verified;
the step S4-3 specifically comprises the following steps:
decrypting the decrypted reply message using a national cipher SM4 algorithm and a session key to obtain a message reply plaintext SM4 KS (SecretMsgRsp)。
Drawings
Fig. 1 is a schematic structural diagram of a lightweight security authentication system for medical applications provided by the invention.
Fig. 2 is a schematic diagram of a third party application server provided by the present invention.
Fig. 3 is a schematic diagram of an external hospital security platform provided by the invention.
Fig. 4 is a schematic diagram of a key management center provided by the present invention.
Fig. 5 is a flowchart of a lightweight security authentication method provided by the invention.
Detailed Description
The following description of the embodiments of the present invention is provided to facilitate understanding of the present invention by those skilled in the art, but it should be understood that the present invention is not limited to the scope of the embodiments, and all the inventions which make use of the inventive concept are protected by the spirit and scope of the present invention as defined and defined in the appended claims to those skilled in the art.
Example 1:
as shown in fig. 1, an embodiment of the present invention provides a lightweight unified security authentication system for medical applications, including:
the third party application server is deployed in the public network environment and is used for carrying out service data interaction with the user side;
the hospital external connection safety platform is deployed in the internal network switching area of the hospital and is used for receiving and processing service requests from the public network environment;
the key management center is deployed in the inner network core area of the hospital and is used for managing the key of the service request, realizing the national encryption algorithm, the identity authentication and the encryption and decryption process;
the hospital information system is deployed in a hospital intranet core area and is used for providing access data required by a hospital external security platform;
the database is deployed in the inner network core area of the hospital and is used for storing data in the hospital information system.
As shown in fig. 2, the third party application server in the embodiment of the present invention includes an original service module, a security module, and a packet encapsulation and parsing module;
the original service module is used for acquiring an original data access request of a receiving user; the security module is used for realizing the silence insertion of identity authentication and data encryption and decryption, the encapsulation of the original business data packet and the analysis processing of the received network layer data packet,
the data packet processing unit mainly realizes the encapsulation and analysis of the data packet, performs data interaction with the original service module, realizes the identity authentication process of the network layer, and realizes the data encryption and decryption of the network layer.
The data packet processing unit, the security authentication silence insertion unit and the data encryption silence insertion unit IN this embodiment are all developed based on Netfilter framework, and are implemented IN a manner of being insensitive to application services, the Netfilter is a framework for providing operation and modification to network data packets by using Linux kernel, and IN this embodiment, the corresponding hook function is developed based on Netfilter framework, and is mounted at nf_ip_pre_routing, nf_ip_local_in, nf_ip_forwarding, nf_ip_local_out, nf_ip_post_routing, so as to implement interception, modification, forwarding and other processing to network layer data packets.
As shown in FIG. 3, the external security platform of the hospital in the embodiment of the invention comprises a data packet detection module, a security authentication and data encryption module, a hospital information system interface calling module and an early warning and statistics service module. The data packet detection module judges whether the received data packet accords with the rule or not, and abandons the rule if the data packet is non-rule; the safety authentication and data encryption module realizes identity authentication and encryption and decryption; the hospital information system interface calling module packages and calls according to the interface specification of the hospital intranet information system, and analyzes and processes the transmitted information; the early warning and statistics service module is mainly used for counting the number and the type of the data packets, alarming abnormal data packet invasion and the like.
As shown in fig. 4, the key management center in the embodiment of the present invention mainly realizes functions of key management, implementation of cryptographic algorithms SM2, SM3 and SM4, identity authentication, encryption and decryption, etc., where key management includes key distribution, key generation and update, key storage and key negotiation.
Based on the above system structure, the working process of the system in this embodiment is as follows: after receiving the request of the third party application server, the hospital external security platform analyzes the data packet, performs identity verification, decrypts the data packet after the identity verification is passed, calls a corresponding interface to perform data request for the request needing to interact with the hospital information system, and finally encrypts the obtained data and returns the encrypted data to the third party application server.
Example 2:
the embodiment of the invention provides a lightweight unified security authentication method of a system in embodiment 1, as shown in fig. 5, comprising the following steps:
s1, registering to a hospital external security platform through a third party application server to acquire registration information;
s2, generating key information when the third party application server performs data interaction according to the registration information;
s3, based on the data access request and the key information of the user side, sending an encryption message to the hospital external security platform through the third party application server, and decrypting the encryption message in the hospital external security platform;
s4, in the hospital external security platform, data access is carried out on the hospital information system based on the decrypted message plaintext, and the access data is encrypted and returned to a third party application server, so that unified security authentication is realized.
The security authentication method provided by the embodiment of the invention can prevent the medical sensitive data from being eavesdropped, tampered, replay attack and the like in the transmission process, and adopts the national cipher encryption and decryption technology as a security communication method, thereby improving the security and reducing the calculation time consumption and the communication quantity.
In step S1 of the embodiment of the present invention, registration application information submitted when a third party application server registers with a hospital external security platform includes an application name, a vendor name, and a server MAC address;
token with registration information being third party application server i Token i And after being generated and stored by the hospital extranet security platform, the hospital extranet security platform is returned to the third party application server.
In step S2 of the embodiment of the present invention, when the third party application server logs in the hospital external connection An Quanping for the first time, the method for generating the key information specifically includes:
s2-1, generating login request information based on a login request of a third party application server and combining an encryption session key, and sending the login request information to a hospital external security platform;
s2-2, decrypting and verifying the login request information through a hospital external connection An Quanping platform, and judging whether the verification is passed or not;
if yes, enter step S2-3;
if not, feeding back login failure information to the third party application server;
s2-3, applying corresponding key basic information to a key management center, combining a public key of a hospital external security platform to form key information, and returning the key information and a login result to a third party application server;
s2-4, extracting key information in the received information in the third party application server and encrypting and storing the key information.
The login request information in step S2-1 of the present embodiment is: TAS (TAS) i -->HEP:LoginReq=T i EKS, wherein TAS i For the ith third party application server, HEP is a hospital external security platform, loginReq is a login request, T i For the time stamp, EKS is the encrypted session key EMS;
in this embodiment, the method for generating the encrypted session key EMS includes: extracting Token of third party application server i Token is encrypted using SM4 national encryption algorithm i As an encryption key, the generated random numbers R0, R1 are encrypted, and an encryption session key EMS is generated, whose expression EKS is: eks=sm4 Tokeni (R0⊕R1||Token i ) And (2) exclusive or operation, i is bit connection operation, R0 and R1 are used as session keys KS, so that 'one session one key' can be achieved, and network attacks such as replay attacks and the like are prevented.
In this embodiment, specific examples of the above-described process are:
the third party application server sends a login request comprising token information and a time stamp and TAS to the hospital external security platform i -->HEP:LoginReq=Token i ||T i ,TAS i The data packet processing module of the system analyzes the message after intercepting the data from the network layer, judges the message to be login information, and extracts Token from the original information i The method comprises the steps of carrying out a first treatment on the surface of the Random numbers R0 and R1 are generated by a random number generation module, and SM4 cryptographic algorithm and Token are used i As an encryption key, encrypting the random number and the token, generating an encryption session key EMS: eks=sm4 Tokeni (R0⊕R1||Token i ) The method comprises the steps of carrying out a first treatment on the surface of the Changing the transmitted information to TAS by the packet processing module i -->HEP:LoginReq=T i ||EKS。
The step S2-2 of this embodiment specifically comprises:
in medical scienceIn the outside-hospital security platform, the Token of the current third party application server is stored i As a key, an SM4 algorithm is used to decrypt the encrypted session key EKS in the received information and to decrypt the decrypted Token i Verifying when decrypting the Token i With Token stored in an externally connected secure platform i If the login information is consistent, the verification is passed, a step S2-3 is entered, otherwise, login failure information is fed back to a third party application server;
when the hospital external security platform receives the login request information, the security authentication and encryption module uses a Token of a third party application server stored in the platform i The encrypted session key EKS is decrypted as a key.
The basic key information in step S2-3 in this embodiment is a public-private key pair of the third party application server, which is in the form of hep— > HSC: loginReq= { AppName ProName MACAddr }, HSC is a key management center, HEP is a hospital external security platform, HSC is a key management center, appName is an application name, proName is an application contractor name, MACAddr is a server MAC address, and I is a bit connection operation;
the key information in step S2-3 of the present embodiment is HSC->HEP:RegisterResp={PK HEP ||SK TASi ||PK TASi HSC as key management center, registerResp as registration reply message, PK HEP Is an externally connected safety platform of a hospital, SK TASi Application server private key, PK for third party TASi The server public key is applied for the third party.
In step S2-4 of the present embodiment, in the third party application server, the key information is extracted and the parameter storage SM4{ PK }, is encrypted HEP, SK TASi, PK TASi Sign-on status RegStatus i And forwarding to the original business module of the third party application server.
The step S3 of the implementation of the invention is specifically as follows:
s3-1, carrying out encryption processing on a service data access request of a user by using a session key KS to obtain encryption information secretmsg=SM4 KS (business data);
s3-2, processing the encrypted information by using an SM3 algorithm to obtain a hash value SM3 (secretMsg);
s3-3, using private key pair Token of third party application server i Performing SM2 operation to obtain authentication information SM2 SK-TASi (Token i ) And sends the encrypted message formed by the encrypted message and the hash value SM3 (secretMsg) to the hospital-external security platform;
wherein the encrypted message request is in the form of: TASi-)>HEP:Msg={SM2 SK-TASi (Token i ) +secretmsg+sm3 (SecretMsg) }, TASi is the ith third party application server, HEP is a hospital extranet security platform, msg is the encrypted message content; s3-4, in the hospital external security platform, using a public key of a third party application server as a secret key, calling an SM2 algorithm to analyze the public key and perform identity verification, and judging whether the verification is passed;
if yes, enter step S3-5;
if not, entering a step S3-7;
s3-5, performing SM3 hash operation on the encryption information SecretMsg, and verifying the integrity of the received message;
s3-6, decrypting the encrypted message by adopting an SM4 algorithm and a session key to obtain a decrypted message plaintext SM4 KS (SecretMsg);
S3-7, early warning information is generated, and detailed parameters of the early warning information are fed back to the early warning and statistics service module.
Specific examples of step S3-1 of the present embodiment are:
after the data is obtained by the data packet processing unit, the data encryption and decryption silence insertion unit encrypts and organizes the data packet, thereby obtaining an encrypted message secretmsg=sm4 KS (traffic data).
The step S4 of the embodiment of the invention specifically comprises the following steps:
s4-1, performing data access to a hospital information system according to the request content in the message text, obtaining corresponding data, packaging the corresponding data into a message reply message, and forming an encrypted reply message by grouping and returning the encrypted reply message to a third party application server:
s4-2, in the third party application server, analyzing and verifying the received encrypted reply message;
s4-3, decrypting the verified encrypted reply message to obtain a message reply plaintext, and feeding the message reply plaintext back to the user side to realize the same security authentication.
In step S4-1 of the present embodiment, the encrypted reply message is in the form of: HEP-)>TASi:MsgRsp={SM2 SK-HEP (PK HEP )+SecretMsgRsp+SM3(SecretMsgRsp)}
Wherein HEP is the hospital external security level, TASi is the ith third party application server, msgRsp is the encrypted reply message, SM2 SK-HEP (PK HEP ) For authentication information obtained by performing SM2 operation on a public key through a private key of a hospital external security platform, the secretmsgRsp is a message reply message obtained from a hospital information system, and the SM3 (secretmsgRsp) is a hash value obtained by performing operation on the secretmsgRsp by using a national secret SM3 algorithm;
the step S4-2 of this embodiment specifically comprises:
the public key of the hospital external security platform is used as a secret key, a national secret SM2 algorithm is called to analyze the encrypted reply message, when the analyzed message is consistent with the stored public key of the hospital external security platform, verification is successful, SM3 hash operation is carried out on the encrypted reply message which is successfully verified, and the integrity of the received message is verified;
the step S4-3 specifically comprises the following steps:
decrypting the decrypted reply message using a national cipher SM4 algorithm and a session key to obtain a message reply plaintext SM4 KS (SecretMsgRsp)。
In the embodiment of the invention, the safety realization of identity authentication, data transmission encryption and the like between the medical internet application and the hospital intranet core information system is ensured through the process. The invention solves the bottleneck problem of safety enhancement of the existing medical application system by utilizing a lightweight virtual technology, and realizes the minimization of the safety enhancement cost. Compared with the traditional patch type security upgrading method, the invention creatively provides a transparent security enhancement method of an application system, utilizes a virtualization technology to realize an application-independent hidden security layer on a network layer, does not need the application system to participate in transformation or upgrading, supports continuous security upgrading, flexible security configuration and diversified security architecture, and can meet different security enhancement requirements of different scale medical systems. The invention minimizes the deployment cost of the safety system of the existing medical application system, reduces the complexity of the multi-manufacturer and multi-platform complex medical application system, solves the bottleneck problem of safety enhancement of the existing complex medical application system, minimizes the deployment complexity of the safety enhancement system and the influence on the medical application system, and helps the existing and future medical application systems to acquire continuous safety enhancement at the minimum cost.

Claims (4)

1. The lightweight unified security authentication method for the hospital application is characterized in that a lightweight security authentication system for realizing the lightweight security authentication method comprises a third party application server which is deployed in a public network environment and is used for carrying out business data interaction with a user side;
the hospital external connection safety platform is deployed in the internal network switching area of the hospital and is used for receiving and processing service requests from the public network environment;
the key management center is deployed in the inner network core area of the hospital and is used for managing the key of the service request, realizing the national encryption algorithm, the identity authentication and the encryption and decryption process;
the hospital information system is deployed in a hospital intranet core area and is used for providing access data required by a hospital external security platform;
the database is deployed in the inner network core area of the hospital and is used for storing data in the hospital information system;
the third party application server comprises an original service module, a security module and a data packet encapsulation and analysis module;
the security module comprises a data packet processing unit, a security authentication silence inserting unit and a data encryption silence inserting unit, wherein the data packet processing unit, the security authentication silence inserting unit and the data encryption silence inserting unit are developed based on a Netfilter framework and are realized in a manner of no sense with application business;
the hospital external security platform comprises a data packet detection module, a security authentication and data encryption module, a hospital information system interface calling module and an early warning and statistics service module;
the lightweight security authentication method comprises the following steps:
s1, registering to a hospital external security platform through a third party application server to acquire registration information;
s2, generating key information when the third party application server performs data interaction according to the registration information;
s3, based on the data access request and the key information of the user side, sending an encryption message to the hospital external security platform through the third party application server, and decrypting the encryption message in the hospital external security platform;
s4, in the hospital external security platform, performing data access to the hospital information system based on the decrypted message plaintext, and encrypting and replying the access data to a third party application server to realize unified security authentication;
in the step S1, registration application information submitted when the third party application server registers with the hospital external security platform includes an application name, a vendor name, and a server MAC address;
the registration information is Token of the third party application server i The Token i The hospital external security platform generates and stores the data and returns the data to the third party application server;
in the step S2, when the third party application server logs in the hospital external connection An Quanping for the first time, the method for generating the key information specifically includes:
s2-1, generating login request information based on a login request of a third party application server and combining an encryption session key, and sending the login request information to a hospital external security platform;
s2-2, decrypting and verifying the login request information through a hospital external connection An Quanping platform, and judging whether the verification is passed or not;
if yes, enter step S2-3;
if not, feeding back login failure information to the third party application server;
s2-3, applying corresponding key basic information to a key management center, combining a public key of a hospital external security platform to form key information, and returning the key information and a login result to a third party application server;
s2-4, extracting key information in the received information in a third party application server, encrypting and storing the key information;
the login request information in the step S2-1 is as follows: TAS (TAS) i -->HEP:LoginReq=T i EKS, wherein TAS i For the ith third party application server, HEP is a hospital external security platform, loginReq is a login request, T i For the time stamp, EKS is the encrypted session key EMS;
the generation method of the encryption session key EMS comprises the following steps:
extracting Token of third party application server i Token is encrypted using SM4 national encryption algorithm i As an encryption key, the generated random numbers R0, R1 are encrypted, and an encryption session key EMS is generated, whose expression EKS is: eks=sm4 Tokeni (R0⊕R1||Token i ) (II) exclusive OR operation, |bit connection operation, and R0 is equal to R1 as a session key KS;
the step S2-2 specifically comprises the following steps:
in the hospital external security platform, the Token of the current third party application server is stored i As a key, an SM4 algorithm is used to decrypt the encrypted session key EKS in the received information and to decrypt the decrypted Token i Verifying when decrypting the Token i With Token stored in an externally connected secure platform i If the login information is consistent, the verification is passed, a step S2-3 is entered, otherwise, login failure information is fed back to a third party application server;
the basic key information in the step S2-3 is a public-private key pair of the third party application server, and is in the form of hep— > HSC: loginReq= { AppName ProName MACAddr }, HSC is a key management center, HEP is a hospital external security platform, HSC is a key management center, appName is an application name, proName is an application contractor name, MACAddr is a server MAC address, and I is a bit connection operation;
the key information in the step S2-3 is HSC->HEP:RegisterResp={PK HEP ||SK TASi ||PK TASi HSC as key management center, registerResp as registration reply message, PK HEP Is an externally connected safety platform of a hospital, SK TASi Application server private key, PK for third party TASi The server public key is applied for the third party.
2. The lightweight unified security authentication method according to claim 1, wherein the step S3 specifically comprises:
s3-1, carrying out encryption processing on a service data access request of a user by using a session key KS to obtain encryption information secretmsg=SM4 KS (business data);
s3-2, processing the encrypted information by using an SM3 algorithm to obtain a hash value SM3 (secretMsg);
s3-3, using private key pair Token of third party application server i Performing SM2 operation to obtain authentication information SM2 SK-TASi (Token i ) And sends the encrypted message formed by the encrypted message and the hash value SM3 (secretMsg) to the hospital-external security platform;
wherein the encrypted message request is in the form of: TASi-)>HEP:Msg={SM2 SK-TASi (Token i ) +secretmsg+sm3 (SecretMsg) }, TASi is the ith third party application server, HEP is a hospital extranet security platform, msg is the encrypted message content;
s3-4, in the hospital external security platform, using a public key of a third party application server as a secret key, calling an SM2 algorithm to analyze the public key and perform identity verification, and judging whether the verification is passed;
if yes, enter step S3-5;
if not, entering a step S3-7;
s3-5, performing SM3 hash operation on the encryption information SecretMsg, and verifying the integrity of the received message;
s3-6, decrypting the encrypted message by adopting an SM4 algorithm and a session key to obtain a decrypted message plaintext SM4 KS (SecretMsg);
S3-7, early warning information is generated, and detailed parameters of the early warning information are fed back to the early warning and statistics service module.
3. The lightweight unified security authentication method according to claim 2, wherein step S4 specifically comprises:
s4-1, performing data access to a hospital information system according to the request content in the message text, obtaining corresponding data, packaging the corresponding data into a message reply message, and forming an encrypted reply message by grouping and returning the encrypted reply message to a third party application server:
s4-2, in the third party application server, analyzing and verifying the received encrypted reply message;
s4-3, decrypting the verified encrypted reply message to obtain a message reply plaintext, and feeding the message reply plaintext back to the user side to realize the same security authentication.
4. A lightweight unified security authentication method according to claim 3, wherein in step S4-1, the encrypted reply message is in the form of: HEP-)>TASi:MsgRsp={SM2 SK-HEP (PK HEP )+SecretMsgRsp+SM3(SecretMsgRsp)}
Wherein HEP is the hospital external security level, TASi is the ith third party application server, msgRsp is the encrypted reply message, SM2 SK-HEP (PK HEP ) For authentication information obtained by performing SM2 operation on a public key through a private key of a hospital external security platform, the secretmsgRsp is a message reply message obtained from a hospital information system, and the SM3 (secretmsgRsp) is a hash value obtained by performing operation on the secretmsgRsp by using a national secret SM3 algorithm;
the step S4-2 specifically comprises the following steps:
the public key of the hospital external security platform is used as a secret key, a national secret SM2 algorithm is called to analyze the encrypted reply message, when the analyzed message is consistent with the stored public key of the hospital external security platform, verification is successful, SM3 hash operation is carried out on the encrypted reply message which is successfully verified, and the integrity of the received message is verified;
the step S4-3 specifically comprises the following steps:
decrypting the decrypted reply message using a national cipher SM4 algorithm and a session key to obtain a message reply plaintext SM4 KS (SecretMsgRsp)。
CN202210574843.7A 2022-05-24 2022-05-24 Lightweight unified security authentication method for medical application Active CN114978709B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210574843.7A CN114978709B (en) 2022-05-24 2022-05-24 Lightweight unified security authentication method for medical application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210574843.7A CN114978709B (en) 2022-05-24 2022-05-24 Lightweight unified security authentication method for medical application

Publications (2)

Publication Number Publication Date
CN114978709A CN114978709A (en) 2022-08-30
CN114978709B true CN114978709B (en) 2023-06-27

Family

ID=82955915

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210574843.7A Active CN114978709B (en) 2022-05-24 2022-05-24 Lightweight unified security authentication method for medical application

Country Status (1)

Country Link
CN (1) CN114978709B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103490895A (en) * 2013-09-12 2014-01-01 北京斯庄格科技有限公司 Industrial control identity authentication method and device with state cryptographic algorithms
CN104717648A (en) * 2013-12-12 2015-06-17 中国移动通信集团公司 Unified authentication method and device based on SIM card
CN106657014A (en) * 2016-11-16 2017-05-10 东软集团股份有限公司 Data accessing method, device and system
CN107018155A (en) * 2017-05-31 2017-08-04 南京燚麒智能科技有限公司 A kind of outer net terminal security accesses the method and system of the specific data of Intranet
CN107733861A (en) * 2017-09-05 2018-02-23 四川中电启明星信息技术有限公司 It is a kind of based on enterprise-level intranet and extranet environment without password login implementation method
WO2018049646A1 (en) * 2016-09-18 2018-03-22 Nokia Shanghai Bell Co., Ltd. Unified security architecture
CN109981290A (en) * 2019-03-26 2019-07-05 南京信息工程大学 The communication system and method close based on no certificate label under a kind of intelligent medical environment
US10630682B1 (en) * 2016-11-23 2020-04-21 Amazon Technologies, Inc. Lightweight authentication protocol using device tokens
CN114143066A (en) * 2021-11-26 2022-03-04 国网四川省电力公司南充供电公司 Intranet and extranet docking system and method based on agent isolation device
CN114448700A (en) * 2022-01-28 2022-05-06 杭州亿格云科技有限公司 Data access method, data access system, computer device and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9973492B2 (en) * 2012-12-25 2018-05-15 At&T Mobility Ip, Llc Unified mobile security system and method of operation
CN105162785B (en) * 2015-09-07 2019-01-04 飞天诚信科技股份有限公司 A kind of method and apparatus registered based on authenticating device

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103490895A (en) * 2013-09-12 2014-01-01 北京斯庄格科技有限公司 Industrial control identity authentication method and device with state cryptographic algorithms
CN104717648A (en) * 2013-12-12 2015-06-17 中国移动通信集团公司 Unified authentication method and device based on SIM card
WO2018049646A1 (en) * 2016-09-18 2018-03-22 Nokia Shanghai Bell Co., Ltd. Unified security architecture
CN106657014A (en) * 2016-11-16 2017-05-10 东软集团股份有限公司 Data accessing method, device and system
US10630682B1 (en) * 2016-11-23 2020-04-21 Amazon Technologies, Inc. Lightweight authentication protocol using device tokens
CN107018155A (en) * 2017-05-31 2017-08-04 南京燚麒智能科技有限公司 A kind of outer net terminal security accesses the method and system of the specific data of Intranet
CN107733861A (en) * 2017-09-05 2018-02-23 四川中电启明星信息技术有限公司 It is a kind of based on enterprise-level intranet and extranet environment without password login implementation method
CN109981290A (en) * 2019-03-26 2019-07-05 南京信息工程大学 The communication system and method close based on no certificate label under a kind of intelligent medical environment
CN114143066A (en) * 2021-11-26 2022-03-04 国网四川省电力公司南充供电公司 Intranet and extranet docking system and method based on agent isolation device
CN114448700A (en) * 2022-01-28 2022-05-06 杭州亿格云科技有限公司 Data access method, data access system, computer device and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
医院移动业务平台中安全模式设计及应用;徐骁;李爱勤;陈敏莲;胡外光;胡珊珊;;医学信息学杂志(第10期);全文 *
成都市各级医疗机构空间分布自相关研究;李扬;李暄;袁静;马春燕;张敏;;医学与社会(第05期);全文 *

Also Published As

Publication number Publication date
CN114978709A (en) 2022-08-30

Similar Documents

Publication Publication Date Title
WO2022206349A1 (en) Information verification method, related apparatus, device, and storage medium
US8646104B2 (en) Stateless challenge-response broadcast protocol
US8626929B2 (en) Scalable session management using an encrypted session key
Gaba et al. Robust and lightweight key exchange (LKE) protocol for industry 4.0
CN114024710B (en) Data transmission method, device, system and equipment
US11470060B2 (en) Private exchange of encrypted data over a computer network
US9876773B1 (en) Packet authentication and encryption in virtual networks
CN106790045B (en) distributed virtual machine agent device based on cloud environment and data integrity guarantee method
Khashan et al. Efficient hybrid centralized and blockchain-based authentication architecture for heterogeneous IoT systems
Dahlmanns et al. Transparent end-to-end security for publish/subscribe communication in cyber-physical systems
CN109995530B (en) Safe distributed database interaction system suitable for mobile positioning system
US20080072280A1 (en) Method and system to control access to a secure asset via an electronic communications network
JPH07325785A (en) Network user identifying method, ciphering communication method, application client and server
CN114616797A (en) Processing requests to control information stored at multiple servers
US20030046532A1 (en) System and method for accelerating cryptographically secured transactions
CN114978709B (en) Lightweight unified security authentication method for medical application
Alsaeed et al. A scalable and lightweight group authentication framework for Internet of Medical Things using integrated blockchain and fog computing
Dee et al. Message integrity and authenticity in secure CAN
CN116614275B (en) Method for entrusting acceleration of privacy computing integrated machine
Zhang et al. Formal Modeling and Verification of ICN-IoT Middleware Architecture (S).
WO2023151427A1 (en) Quantum key transmission method, device and system
US20240015028A1 (en) Blockchain-based data detection method and apparatus, device, storage medium, and program product
Vashishtha et al. Mechanism Incorporating Secure Mutual Validation and Key Spreading Organization in Intelligent Transport System
Latif et al. Machine Learning Empowered Security and Privacy Architecture for IoT Networks with the Integration of Blockchain.
Andrade et al. I Can’t Escape Myself: Cloud Inter-Processor Attestation and Sealing using Intel SGX

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant