CN115296934B - Information transmission method and device based on industrial control network intrusion and electronic equipment - Google Patents

Information transmission method and device based on industrial control network intrusion and electronic equipment Download PDF

Info

Publication number
CN115296934B
CN115296934B CN202211219298.6A CN202211219298A CN115296934B CN 115296934 B CN115296934 B CN 115296934B CN 202211219298 A CN202211219298 A CN 202211219298A CN 115296934 B CN115296934 B CN 115296934B
Authority
CN
China
Prior art keywords
user
user terminal
server
information
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211219298.6A
Other languages
Chinese (zh)
Other versions
CN115296934A (en
Inventor
周磊
姜双林
赵时晴
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Andi Technology Co ltd
Original Assignee
Beijing Andi Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Andi Technology Co ltd filed Critical Beijing Andi Technology Co ltd
Priority to CN202211219298.6A priority Critical patent/CN115296934B/en
Publication of CN115296934A publication Critical patent/CN115296934A/en
Application granted granted Critical
Publication of CN115296934B publication Critical patent/CN115296934B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the disclosure discloses an information transmission method, an information transmission device and electronic equipment based on industrial control network intrusion. One embodiment of the method comprises: generating a first user terminal session key according to the subject name of the information to be transmitted; according to the first user terminal session key, encrypting the information to be transmitted and a first user terminal identification corresponding to the first user terminal to generate encrypted transmission information; according to the first user terminal communication key, respectively encrypting the first user terminal session key and the first user terminal identification to generate a first user terminal encryption session key and a first encryption user terminal identification; and packaging the encrypted transmission information, the subject name and the first encrypted user side identifier into packaged encrypted transmission information, sending the packaged encrypted transmission information to a transfer server, and sending the first user side encrypted session key to an authentication server. The implementation mode improves the safety of information transmission and reduces the possibility of information leakage.

Description

Information transmission method and device based on industrial control network intrusion and electronic equipment
Technical Field
The embodiment of the disclosure relates to the technical field of computers, in particular to an information transmission method, an information transmission device and electronic equipment based on industrial control network intrusion.
Background
In the data acquisition system, the data acquisition system acquires data on the industrial equipment according to a specific industrial control protocol, and generally transmits information through a plaintext or encrypts information to be transmitted through an RSA encryption algorithm. In this case, the technician can easily intercept and capture the communication message and analyze it to obtain real-time data on the industrial equipment or control the industrial equipment by command.
However, the above-mentioned method for information transmission usually has the following technical problems:
firstly, information is sent in a plaintext manner, so that information leakage is easy to cause, and the information is easy to be tampered by external technicians; the information to be transmitted is encrypted through an RSA encryption algorithm, and an encrypted key is easy to decipher, so that the information security is low;
secondly, the user side directly sends the encryption key to the information receiving end every time information is transmitted, so that the confidentiality of the key is reduced, and the key is easy to leak;
thirdly, after the information receiving end receives the encrypted information, the received information is not verified, and when the encrypted information is replaced or attacked, the authenticity of the received information cannot be determined;
fourthly, the key generated by the user side is simple, and once the key is lost or stolen, the encrypted information is easily leaked.
Disclosure of Invention
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
Some embodiments of the present disclosure propose industrial control network intrusion based information transmission methods, apparatuses, electronic devices, computer readable media and program products to solve one or more of the technical problems mentioned in the background section above.
In a first aspect, some embodiments of the present disclosure provide an information transmission method based on industrial control network intrusion, where the method includes: the first user terminal responds to the received information to be transmitted uploaded by the user, and reads a preset first user terminal communication key from a first user terminal database; the first user terminal generates a first user terminal session key according to the subject name of the information to be transmitted; the first user terminal encrypts the information to be transmitted and a first user terminal identifier corresponding to the first user terminal according to the first user terminal session key to generate encrypted transmission information; the first user terminal encrypts the first user terminal session key and the first user terminal identifier according to the first user terminal communication key, so as to generate a first user terminal encrypted session key and a first encrypted user terminal identifier; the first user end packages the encrypted transmission information, the subject name and the first encrypted user end identification into packaged encrypted transmission information, sends the packaged encrypted transmission information to a related transfer server, and sends the first user end encrypted session key to a related authentication server.
In a second aspect, some embodiments of the present disclosure provide an information transmission apparatus based on industrial control network intrusion, the apparatus including: the reading unit is configured to read a preset first user terminal communication key from a first user terminal database in response to receiving information to be transmitted uploaded by a user; the generating unit is configured to generate a first user terminal session key according to the subject name of the information to be transmitted; a first encryption unit, configured to encrypt, according to the first user session key, the to-be-transmitted information and a first user identifier corresponding to the first user to generate encrypted transmission information; a second encryption unit configured to encrypt the first user session key and the first user id according to the first user communication key, respectively, so as to generate a first user encrypted session key and a first encrypted user id; a sending unit, configured to encapsulate the encrypted transmission information, the subject name, and the first encrypted ue id as encapsulated encrypted transmission information, send the encapsulated encrypted transmission information to an associated transit server, and send the first ue encrypted session key to an associated authentication server.
In a third aspect, some embodiments of the present disclosure provide an electronic device, comprising: one or more processors; a storage device having one or more programs stored thereon, which when executed by one or more processors, cause the one or more processors to implement the method described in any of the implementations of the first aspect.
In a fourth aspect, some embodiments of the present disclosure provide a computer readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method described in any of the implementations of the first aspect.
In a fifth aspect, some embodiments of the present disclosure provide a computer program product comprising a computer program that, when executed by a processor, implements the method described in any of the implementations of the first aspect above.
The above embodiments of the present disclosure have the following advantages: through the information transmission method based on industrial control network intrusion, the safety of information transmission is improved, and the possibility of information leakage is reduced. Specifically, the reason why the security of the information is low is that: the information is sent in a plaintext, so that the information is easy to leak, and is easy to be tampered by external technicians; the information to be transmitted is encrypted by an RSA encryption algorithm, and an encrypted key is easy to decipher, so that the information security is low. Based on this, in the information transmission method based on industrial control network intrusion according to some embodiments of the present disclosure, first, the first user side reads a preset first user side communication key from the first user side database in response to receiving the to-be-transmitted information uploaded by the user. Therefore, the information to be transmitted is encrypted conveniently according to the preset secret key. And secondly, the first user terminal generates a first user terminal session key according to the subject name of the information to be transmitted. Therefore, different keys can be set according to different information, so that the uniqueness of the encryption key of each piece of information is ensured. Then, the first user terminal encrypts the information to be transmitted and a first user terminal identifier corresponding to the first user terminal according to the first user terminal session key to generate encrypted transmission information. Therefore, the transmitted information can be encrypted preliminarily, and meanwhile, after the transmission of the information is completed, the information receiving end can verify the authenticity of the information according to the first user end identification conveniently. Then, the first user terminal encrypts the first user terminal session key and the first user terminal identifier according to the first user terminal communication key, so as to generate a first user terminal encrypted session key and a first encrypted user terminal identifier. Therefore, the first user terminal session key and the first user terminal identification can be encrypted through the preset first user terminal communication key. Thus, the confidentiality of the key is improved. Finally, the first user end packages the encrypted transmission information, the subject name and the first encrypted user end identification into packaged encrypted transmission information, sends the packaged encrypted transmission information to a related transfer server, and sends the first user end encrypted session key to a related authentication server. Therefore, the transfer server and the authentication server can verify the information transmitted by the user side and verify whether the user side is a legal user side. Therefore, the safety of information transmission is improved, and the possibility of information leakage is reduced.
Drawings
The above and other features, advantages, and aspects of embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and elements are not necessarily drawn to scale.
FIG. 1 is a flow diagram of some embodiments of an industrial control network intrusion based information transmission method according to the present disclosure;
FIG. 2 is a schematic block diagram of some embodiments of an industrial control network intrusion based information transfer device according to the present disclosure;
FIG. 3 is a schematic block diagram of an electronic device suitable for use in implementing some embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings. The embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It is noted that references to "a", "an", and "the" modifications in this disclosure are intended to be illustrative rather than limiting, and that those skilled in the art will recognize that "one or more" may be used unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Fig. 1 is a flow diagram of some embodiments of an industrial control network intrusion based information transmission method according to the present disclosure. A flow 100 of some embodiments of an industrial control network intrusion based information transmission method according to the present disclosure is shown. The information transmission method based on industrial control network intrusion comprises the following steps:
step 101, the first user terminal reads a preset first user terminal communication key from a first user terminal database in response to receiving information to be transmitted uploaded by a user.
In some embodiments, the first user terminal may read a preset first user terminal communication key from the first user terminal database in response to receiving information to be transmitted uploaded by the user. Here, the first user terminal may refer to an information distribution terminal. The information to be transmitted may be information that needs to be transmitted to an information receiving end (e.g., an information subscribing terminal, a second user end). The first client database may be a database on a finger of the first client. The first user side communication key may refer to a communication key negotiated between the first user side and the authentication server.
And 102, the first user terminal generates a first user terminal session key according to the subject name of the information to be transmitted.
In some embodiments, the first user terminal may generate a first user terminal session key according to the subject name of the information to be transmitted. Here, the topic name may refer to a name of an information topic of information to be transmitted. In practice, first, the first user side may perform a vector encoding process on the topic name to generate a topic name vector. And then, determining the sum of all the numerical values which are not zero in the topic name vector as the first user terminal session key.
Step 103, the first user terminal encrypts the information to be transmitted and the first user terminal identifier corresponding to the first user terminal according to the first user terminal session key, so as to generate encrypted transmission information.
In some embodiments, the first ue may encrypt the information to be transmitted and the first ue id corresponding to the first ue by using the first ue session key as an encryption key, so as to generate encrypted transmission information. Here, the encryption process may refer to symmetric encryption. In practice, first, the information to be transmitted and the first ue id corresponding to the first ue may be merged into transmission information. And then, the first user terminal session key is used as an encryption key to carry out symmetric encryption processing on the transmission information so as to generate encrypted transmission information.
And step 104, the first user terminal encrypts the first user terminal session key and the first user terminal identifier according to the first user terminal communication key, so as to generate a first user terminal encrypted session key and a first encrypted user terminal identifier.
In some embodiments, the first ue encrypts the first ue session key and the first ue id according to the first ue communication key, so as to generate a first ue encrypted session key and a first encrypted ue id. That is, the first ue may use a first ue communication key as an encryption key to perform symmetric encryption processing on the first ue session key and the first ue identity, respectively, so as to generate a first ue encrypted session key and a first encrypted ue identity.
Step 105, the first user encapsulates the encrypted transmission information, the subject name and the first encrypted user identifier into encapsulated encrypted transmission information, sends the encapsulated encrypted transmission information to an associated transit server, and sends the first user encrypted session key to an associated authentication server.
In some embodiments, the first ue may encapsulate the encrypted transmission information, the subject name, and the first encrypted ue id as encapsulated encrypted transmission information, send the encapsulated encrypted transmission information to an associated transit server, and send the first ue encrypted session key to an associated authentication server. Here, the format of the encapsulated encrypted transmission information may be a PUBLISH message format. The transit server may be a server for forwarding information sent by the first user terminal to the second user terminal. The authentication server may be a server for verifying the first client.
Optionally, in response to receiving the encapsulated encrypted transmission information sent by the first user, the transit server parses an parsed-topic name corresponding to the encapsulated encrypted transmission information, parses a first encrypted-user-side identifier included in the encapsulated encrypted transmission information, and queries a second user-side identifier corresponding to the parsed-topic name.
In some embodiments, the relay server may, in response to receiving the encapsulated encrypted transmission information sent by the first user, parse an analysis topic name corresponding to the encapsulated encrypted transmission information, parse a first encrypted user identifier included in the encapsulated encrypted transmission information, and query a second user identifier corresponding to the analysis topic name. Here, the parsing out the parsing topic name corresponding to the above-mentioned encapsulated encrypted transmission information may refer to a topic name included in the encapsulated encrypted transmission information. In practice, the transit server may determine, from the second clients corresponding to the pre-stored topic names, the second client identifier of the second client corresponding to the resolved topic name. A second user end corresponds to a theme name.
Optionally, the transit server sends the resolution subject name, the second user identifier, and the first encryption user identifier to the authentication server.
In some embodiments, the transfer server may send the resolution subject name, the second client identifier, and the first encryption client identifier to the authentication server.
Optionally, the authentication server, in response to receiving the first user-side encrypted session key sent by the first user side, decrypts the first user-side encrypted session key according to a preset first server communication key to generate a first decrypted user-side session key.
In some embodiments, the authentication server may decrypt the first user-side encrypted session key according to a preset first server communication key in response to receiving the first user-side encrypted session key sent by the first user side, so as to generate a first decrypted user-side session key. The first server communication key corresponds to the first user communication key. In practice, the authentication server may decrypt the first client-side encrypted session key with the first server communication key as a decryption key to generate a first decryption client-side session key. The first server communication key and the first client communication key are a pair of symmetric keys.
Optionally, the authentication server, in response to receiving the analysis subject name, the second user identifier, and the first encryption user identifier sent by the transit server, decrypts the first encryption user identifier according to the first server communication key to generate a first decryption user identifier.
In some embodiments, the authentication server may decrypt, according to the first server communication key, the first encrypted user-side identifier to generate a first decrypted user-side identifier in response to receiving the resolution subject name, the second user-side identifier, and the first encrypted user-side identifier sent by the transit server. In practice, the authentication server may use the first server communication key as a decryption key to decrypt the first encryption client identifier to generate the first decryption client identifier.
Optionally, the authentication server generates a subscription public key and a subscription private key corresponding to the parsed topic name and the second user identifier.
In some embodiments, the authentication server may randomly generate a subscription public key and a subscription private key corresponding to the parsed topic name and the second user identifier through a key generation algorithm. Here, the subscription public key and the subscription private key are a pair of public private keys.
Optionally, the authentication server encrypts the subscription private key according to a preset second server communication key to generate an encrypted subscription private key, and sends the encrypted subscription private key to a second user corresponding to the second user identifier.
In some embodiments, the authentication server may encrypt the subscription private key according to a preset second server communication key to generate an encrypted subscription private key, and send the encrypted subscription private key to the second user corresponding to the second user identifier. In practice, first, the authentication server may perform symmetric encryption processing on the subscription private key by using the second server communication key as an encryption key to generate an encrypted subscription private key. Then, the encrypted subscription private key is sent to the second user end corresponding to the second user end identification
Optionally, the authentication server encrypts the first decryption client session key and the first decryption client identifier according to the subscription public key to generate an encryption client ciphertext.
In some embodiments, the authentication server may encrypt the first decryption client session key and the first decryption client identifier according to the subscription public key to generate an encryption client ciphertext. In practice, first, the first decryption client session key and the first decryption client identifier may be combined into a client plaintext. Then, the subscription public key is used as an encryption key to symmetrically encrypt the plaintext of the user side so as to generate an encrypted ciphertext of the user side.
Optionally, the authentication server sends the encrypted user-side ciphertext and the second server communication key to the relay server.
In some embodiments, the authentication server may send the encrypted user-side ciphertext and the second server communication key to the transit server.
The related content in the above optional cases is used as an invention point of the present disclosure, thereby solving the technical problem two mentioned in the background art that the user side directly sends the encryption key to the information receiving end every time the information is transmitted, the confidentiality of the key is reduced, and the key leakage is easily caused. ". Factors that tend to cause key leakage are as follows: the user side directly sends the encryption key to the information receiving end every time information is transmitted, the confidentiality of the key is reduced, and the key is easy to leak. If the above factors are solved, the effect of reducing the key leakage can be achieved. In order to achieve this effect, first, the authentication server, in response to receiving the first user-side encrypted session key sent by the first user side, decrypts the first user-side encrypted session key according to a preset first server communication key to generate a first decrypted user-side session key. Therefore, after receiving the information transmitted by the first user terminal, the decryption processing is carried out. Secondly, the authentication server responds to the received analysis subject name, the second user end identification and the first encryption user end identification sent by the transit server, and decrypts the first encryption user end identification according to the first server communication secret key to generate a first decryption user end identification. And then, the authentication server generates a subscription public key and a subscription private key corresponding to the analysis topic name and the second user terminal identification. Therefore, the authentication server can re-encrypt the information sent by the first user end to avoid the leakage of the information of the first user end. And the encryption is carried out by using the newly generated key, so that the leakage of the encrypted information cannot be influenced even if the key of the first user end is lost. And because the key is generated in the authentication server, the confidentiality of the key is improved. And then, the authentication server encrypts the subscription private key according to a preset second server communication key to generate an encrypted subscription private key, and sends the encrypted subscription private key to a second user side corresponding to the second user side identifier. Thus, the re-encrypted information can be transmitted to the information receiving side (second user side). To ensure the security of the information.
Optionally, the relay server, in response to receiving the encrypted user-side ciphertext and the second server communication key sent by the authentication server, merges the encrypted transmission information included in the encapsulated encrypted transmission information and the encrypted user-side ciphertext into target transmission information.
In some embodiments, the transit server may combine the encrypted transmission information included in the encapsulated encrypted transmission information and the encrypted user-side ciphertext into the target transmission information in response to receiving the encrypted user-side ciphertext and the second server communication key sent by the authentication server.
Optionally, the relay server encrypts the target transmission information according to the second server communication key to generate encrypted target transmission information, and sends the encrypted target transmission information to a second user corresponding to the second user identifier.
In some embodiments, the relay server may encrypt the target transmission information according to the second server communication key to generate encrypted target transmission information, and send the encrypted target transmission information to a second ue corresponding to the second ue identifier. In practice, first, the relay server may perform symmetric encryption processing on the target transmission information by using the second server communication key as an encryption key to generate encrypted target transmission information. And then, the encrypted target transmission information is sent to a second user end corresponding to the second user end identification.
Optionally, the second user performs, in response to receiving the encrypted target transmission information sent by the transit server, decryption processing on the encrypted target transmission information according to a preset second user communication key, so as to generate decrypted target transmission information.
In some embodiments, the second user performs, in response to receiving the encrypted target transmission information sent by the transit server, decryption processing on the encrypted target transmission information according to a preset second user communication key, so as to generate decrypted target transmission information. Wherein, the decrypting the target transmission information includes: and encrypting the transmission information and the encrypted user-side ciphertext. Here, the second client communication key corresponds to the second server communication key. That is, the second client communication key and the second server communication key are a pair of symmetric keys. In practice, the second user end may decrypt the encrypted target transmission information by using the second user end communication key as a decryption key to generate decrypted target transmission information.
Optionally, the second user performs, in response to receiving the encrypted subscription private key sent by the authentication server, decryption processing on the encrypted subscription private key according to the second user communication key, so as to generate a decrypted subscription private key.
In some embodiments, the second user side may, in response to receiving the encrypted subscription private key sent by the authentication server, perform decryption processing on the encrypted subscription private key according to the second user side communication key to generate a decrypted subscription private key. In practice, the second user may decrypt the encrypted subscription private key with the second user communication key as a decryption key to generate a decrypted subscription private key.
Optionally, the second user performs decryption processing on the encrypted user-side ciphertext according to the decryption subscription private key to generate a decrypted user-side ciphertext.
In some embodiments, the second user terminal may decrypt the encrypted user-side ciphertext according to the decryption subscription private key to generate a decrypted user-side ciphertext. The decryption client ciphertext comprises a first decryption client session key and a first decryption client identifier.
Optionally, the second user performs decryption processing on the encrypted transmission information according to the session key of the first decryption user, so as to generate decrypted transmission information.
In some embodiments, the second ue may decrypt the encrypted transmission message according to the session key of the first decryption ue to generate a decrypted transmission message. The decryption transmission information comprises information to be transmitted and a first user terminal identification.
Optionally, the second ue determines whether the first decryption ue id is the same as the first ue id.
In some embodiments, the second ue may determine whether the first decryption ue id is the same as the first ue id.
Optionally, the second user terminal stores the information to be transmitted in a second user terminal database in response to determining that the first decryption user terminal identifier is the same as the first user terminal identifier.
In some embodiments, the second user terminal stores the information to be transmitted in a second user terminal database in response to determining that the first decryption user terminal identifier is the same as the first user terminal identifier. The second user-side database may refer to a database of the second user side.
Optionally, the second user determines the information to be transmitted as abnormal information to be transmitted in response to determining that the first decryption user identifier is different from the first user identifier, and sends the abnormal information to be transmitted, the first decryption user identifier, and the first user identifier to the authentication server.
In some embodiments, the second ue may determine the information to be transmitted as abnormal information to be transmitted in response to determining that the first decryption ue id is different from the first ue id, and send the abnormal information to be transmitted, the first decryption ue id, and the first ue id to the authentication server.
The related contents in the above-mentioned optional cases serve as an invention point of the present disclosure, thereby solving the technical problems mentioned in the background art, i.e. the information receiving end does not verify the received information after receiving the encrypted information, and the authenticity of the received information cannot be determined when the encrypted information is replaced or attacked. ". The factors that make it impossible to determine the authenticity of the received information are often as follows: after the information receiving end receives the encrypted information, the received information is not verified, and when the encrypted information is replaced or attacked, the authenticity of the received information cannot be determined. If the above factors are solved, the effect of verifying the authenticity of the received information can be achieved. In order to achieve the effect, first, the second user terminal decrypts the encrypted target transmission information according to a preset second user terminal communication key in response to receiving the encrypted target transmission information sent by the transit server, so as to generate decrypted target transmission information. Therefore, the second user side can decrypt the information sent by the transfer server, and the decrypted information can be conveniently verified subsequently. Secondly, the second user end responds to the received encrypted subscription private key sent by the authentication server, and decrypts the encrypted subscription private key according to the second user end communication key to generate a decrypted subscription private key. Therefore, the ciphertext and the key are sent by different servers, so that the confidentiality of the ciphertext and the key is ensured. And then, the second user terminal decrypts the encrypted user terminal ciphertext according to the decryption subscription private key so as to generate a decrypted user terminal ciphertext. The decryption client ciphertext comprises a first decryption client session key and a first decryption client identifier. Then, the second user terminal decrypts the encrypted transmission information according to the session key of the first decryption user terminal to generate decrypted transmission information. The decryption transmission information comprises information to be transmitted and a first user terminal identification. Thus, data support can be provided for verifying the authenticity of the transmitted information. Then, the second user end determines whether the first decryption user end identification is the same as the first user end identification. And finally, the second user end responds to the fact that the first decryption user end identification is the same as the first user end identification, and the information to be transmitted is stored in a second user end database. Thus, after receiving the encrypted information, the received information can be verified to determine the authenticity of the received information.
Optionally, the first user side communication key is generated through the following steps:
first, the first user terminal performs a first hash process on the first user terminal network token, the first user terminal identifier and the first timestamp to generate a first user terminal hash value. The first user-side network Token may refer to a network Token (Token) issued by the authentication server to the first user side. The first user identity may uniquely identify the first user. The first timestamp may refer to a timestamp of the current time. In practice, the first client network token, the first client identifier and the first timestamp may be subjected to a first hash process by a hash algorithm to generate a first client hash value. For example, the hash algorithm may be the MD5 algorithm.
And secondly, the first user end carries out hash abstract processing on the first user end hash value, the first user end identification and the first time stamp so as to generate a first user end hash abstract. In practice, the first user may perform hash digest processing on the first user hash value, the first user identifier, and the first timestamp through a digest algorithm to generate a first user hash digest. For example, the digest algorithm may be an MD algorithm (message digest algorithm).
And thirdly, the first user end sends the first user end identification, the first time stamp, the first user end hash value and the first user end hash abstract to an authentication server.
And fourthly, the first user responds to the received first user encryption authentication information sent by the authentication server, and hash digest processing is carried out on the first user public key, the second timestamp and the first user network token which are included in the first user encryption authentication information, so that a second user hash digest is generated. Wherein, the first user side encryption authentication information includes: the server side comprises a first server side Hash abstract, a server side random number and a second server side public key. Here, the first server public key, the second timestamp, and the first user network token may be generated by the authentication server. In practice, the first user may perform hash digest processing on the first service public key, the second timestamp, and the first user network token included in the first user encryption authentication information through a digest algorithm to generate a second user hash digest. For example, the digest algorithm may be an MD algorithm (message digest algorithm). The server side random number is generated by the authentication server.
And step five, the first user end determines whether the second user end hash abstract is consistent with the first service end hash abstract or not. That is, the first ue may determine whether the second ue hash digest is the same as the first server hash digest.
And sixthly, the first user terminal generates a first user terminal public key and a first user terminal private key in response to the fact that the second user terminal hash digest is consistent with the first service terminal hash digest. In practice, the first user may randomly generate the first user public key and the first user private key. The first user public key and the first user private key are a pair of public and private keys.
And seventhly, the first user terminal performs hash digest processing on the first user terminal public key, the first user terminal network token and the third timestamp to generate a third user terminal hash digest. In practice, the first user may perform hash digest processing on the first user public key, the first user network token, and the third timestamp through a digest algorithm to generate a third user hash digest. For example, the digest algorithm may be an MD algorithm (message digest algorithm). The third timestamp may refer to a timestamp of the current time.
And step eight, the first user sends the third user hash abstract, the first user public key, the first user random number and the third timestamp to the authentication server.
Ninth, the first user generates a first user communication key according to the server random number, the first user hash digest, the first server hash digest, the third user hash digest, the first server public key, the second server public key, and the first user private key in response to receiving a key generation command sent by the authentication server.
In practice, the ninth step may include the following sub-steps:
the first sub-step, hash the first user hash digest, the first service hash digest and the third user hash digest by a hash algorithm to generate a hash value.
And a second substep, determining the product of the preset first user end random number extreme value and the server end random number extreme value as a target random value.
And a third substep of determining a ratio of the target random value to the first target number as a first random number.
And a fourth substep of determining a ratio of the target random value to the second target number as a second random number. The first target number is smaller than the first user side random number extreme value and the server side random number extreme value, and the second target number is smaller than the first target number.
And a fifth substep of rounding up the ratio of the server side random number extremum to the first random number to obtain a first coefficient.
And a sixth sub-step, performing rounding-up processing on the ratio of the first user end random number extremum to the second random number to obtain a second coefficient.
And a seventh sub-step of generating an encryption parameter according to the first coefficient, the second coefficient, the server random number, the first user random number, the first random number, the second random number and the target random value. First, the product of the server random number, the first coefficient and the first random number is determined as the server coefficient. And then, determining the product of the first user terminal random number, the second coefficient and the second random number as the user terminal coefficient. And then, determining the sum of the service end coefficient and the user end coefficient as an encryption total coefficient. Finally, the encryption parameters may be generated by the following formula: x = (Y) mod (Z). x may represent an encryption parameter. Y may represent the encryption total coefficient. Z may represent a target random value.
And an eighth substep of encrypting the hash value and the encryption parameter by using the first server public key, the second server public key and the first user private key to generate a first user communication key. In practice, the first user-side communication key may be generated by the following formula: a = e (Fx + tR). Where a may represent a first user-side communication key. e may represent the first client private key. F may represent the second server public key. R may represent the first server public key. x may represent an encryption parameter. t may represent a hash value.
The related content in the above options serves as an inventive point of the present disclosure, thereby solving the technical problem mentioned in the background art, i.e., the key generated by the user side is relatively simple, and once the key is lost or stolen, the encrypted information is easily leaked. ". Factors that tend to cause leakage of encrypted information are as follows: the key generated by the credit client is simple, and once the key is lost or stolen, the encrypted information is easily leaked. If the above-mentioned factors are solved, the effect of improving the security of the encrypted information can be achieved. To achieve this effect, first, the first user performs a first hash process on the first user network token, the first user identifier, and the first timestamp to generate a first user hash value. Therefore, the first user terminal network token and the first user terminal identification are used for generating the hash value, and the information receiving terminal is convenient to inform the source of information transmission. The first time stamp is used for generating the hash value, so that the uniqueness of the hash value can be guaranteed. Then, the first user performs hash digest processing on the first user hash value, the first user id and the first timestamp to generate a first user hash digest. Then, the first user sends the first user id, the first timestamp, the first user hash value, and the first user hash digest to an authentication server. Therefore, the authentication server can be authenticated, and data support is provided for establishing the communication key. And the first user responds to the received first user encryption authentication information sent by the authentication server, and performs hash digest processing on the first user public key, the second timestamp and the first user network token included in the first user encryption authentication information to generate a second user hash digest. And thirdly, the first user end determines whether the second user end hash abstract is consistent with the first service end hash abstract or not. Therefore, whether the information is tampered or not or whether the information is incomplete or not can be verified in the information interaction process between the first user side and the authentication server. Then, the first user generates a first user public key and a first user private key in response to determining that the second user hash digest is consistent with the first service hash digest. Thus, data support is provided for subsequent generation of the first user side communication key. Then, the first user performs hash digest processing on the first user public key, the first user network token and the third timestamp to generate a third user hash digest. And then, the first user sends the third user hash abstract, the first user public key, the first user random number and the third timestamp to the authentication server. Therefore, the authentication server can have the first user public key set by the first user. Finally, the first user generates a first user communication key according to the server random number, the first user hash digest, the first server hash digest, the third user hash digest, the first server public key, the second server public key, and the first user private key in response to receiving the key generation command sent by the authentication server. Therefore, the first user side communication key can be generated by utilizing the mutual set information of the authentication server and the first user side. And also because of the information that interacts with the first client through the authentication server, a key is generated. Thus, the confidentiality of the key is improved.
Optionally, the first server communication key is generated by:
first, the authentication server responds to a first user identifier, a first timestamp, a first user hash value and a first user hash digest which are received and sent by a first user, and performs hash digest processing on the first user hash value, the first user identifier and the first timestamp to generate a first alternative user hash digest. In practice, the authentication server may perform hash digest processing on the first user side hash value, the first user side identifier, and the first timestamp through a digest algorithm to generate a first alternative user side hash digest. For example, the digest algorithm may be an MD algorithm (message digest algorithm).
And secondly, the authentication server determines whether the first alternative user side hash digest is consistent with the first user side hash digest. That is, the authentication server determines whether the first candidate ue hash digest is identical to the first ue hash digest.
And thirdly, the authentication server reads a first user terminal network token corresponding to the first user terminal identification from a local database in response to the first alternative user terminal hash digest and the first user terminal hash digest being determined to be consistent. Here, the local database may refer to a database of the authentication server, which stores the first user network token of each first user.
And fourthly, the authentication server performs a first hash process on the first user terminal network token, the first user terminal identification and the first timestamp to generate a first hash value. That is, the authentication server may perform a first hash process on the first user-side network token, the first user-side identifier, and the first timestamp through a hash algorithm to generate a first hash value. For example, the hash algorithm may be the MD5 algorithm.
And fifthly, the authentication server generates a first server public key, a first server private key, a second server public key and a second server private key in response to determining that the first hash value is the same as the first client hash value. The first server public key corresponds to the first server private key, and the second server public key corresponds to the second server private key. That is, the authentication server may randomly generate the first server public key, the first server private key, the second server public key, and the second server private key. The first server public key and the first server private key are a pair of public private keys. The second server public key and the second server private key are a pair of public private keys.
And sixthly, the authentication server performs hash digest processing on the first service public key, the first user network token and the second timestamp to generate a first service hash digest. That is, the authentication server may perform hash digest processing on the first server public key, the first client network token, and the second timestamp through a digest algorithm to generate a first server hash digest. For example, the digest algorithm may be an MD algorithm (message digest algorithm).
And seventhly, the authentication server combines the first server public key, the second server public key, the server random number, the first server hash digest and the second timestamp into first user encryption authentication information, and sends the first user encryption authentication information to the first user. Here, combining may refer to splicing.
And step eight, the authentication server responds to the third user side hash digest, the first user side public key, the first user side random number and the third time stamp sent by the first user side, and carries out hash digest processing on the first user side public key, the first user side network token and the third time stamp so as to generate a third alternative user side hash digest. That is, the authentication server may perform hash digest processing on the first user public key, the first user network token, and the third timestamp through a digest algorithm to generate a third alternative user hash digest.
Ninth, the authentication server generates a first server communication key based on the server random number, the first user hash digest, the first server hash digest, the third user hash digest, the first server private key, the second server private key, and the first user public key in response to a key generation command sent to the first user in response to determining that the third user hash digest is identical to the third alternative user hash digest. That is, the authentication server may send the key generation instruction to the first user in response to determining that the third user hash digest is the same as the third alternative user hash digest.
In practice, the ninth step may include the following sub-steps:
the first sub-step, hash the first user hash abstract, the first service hash abstract and the third user hash abstract through a hash algorithm, so as to generate a server hash value.
And a second substep, determining the product of the preset first user terminal random number extreme value and the server terminal random number extreme value as a target random value.
And a third substep of determining a ratio of the target random value to the first target number as a first random number.
And a fourth substep of determining a ratio of the target random value to the second target number as a second random number. The first target number is smaller than the first user side random number extreme value and the server side random number extreme value, and the second target number is smaller than the first target number.
And a fifth substep of rounding up the ratio of the server side random number extremum to the first random number to obtain a first coefficient.
And a sixth substep of rounding up the ratio of the first user-side random number extremum to the second random number to obtain a second coefficient.
And a seventh substep of generating an encryption parameter according to the first coefficient, the second coefficient, the server random number, the first user random number, the first random number, the second random number and the target random value. First, the product of the server random number, the first coefficient and the first random number is determined as a server coefficient. And then, determining the product of the first user terminal random number, the second coefficient and the second random number as the user terminal coefficient. And then, determining the sum of the service end coefficient and the user end coefficient as an encryption total coefficient. Finally, the encryption parameters may be generated by the following formula: x = (Y) mod (Z). x may represent an encryption parameter. Y may represent the encryption total coefficient. Z may represent a target random value.
And an eighth substep of encrypting the server hash value and the encryption parameter by using the first server private key, the second server private key and the first user public key to generate a first server communication key. In practice, the first server communication key may be generated by the following formula: b = E (fx + tr). B may represent the first server communication key. E may represent the first client public key. f may represent a second server private key. r may represent a first server private key. x may represent an encryption parameter. t may represent a digest hash value.
It should be noted that, the generation manner of the second server communication key and the second user-side communication key may refer to the generation manner of the first server communication key and the first user-side communication key, which is not described herein again.
The above embodiments of the present disclosure have the following beneficial effects: through the information transmission method based on industrial control network intrusion, the safety of information transmission is improved, and the possibility of information leakage is reduced. Specifically, the reason why the security of the information is low is that: the information is sent in a plaintext, so that the information is easy to leak, and is easy to be tampered by external technicians; the information to be transmitted is encrypted by an RSA encryption algorithm, and an encrypted key is easy to decipher, so that the information security is low. Based on this, in the information transmission method based on industrial control network intrusion according to some embodiments of the present disclosure, first, the first user terminal reads a preset first user terminal communication key from the first user terminal database in response to receiving the to-be-transmitted information uploaded by the user. Therefore, the information to be transmitted is encrypted conveniently according to the preset secret key. And secondly, the first user terminal generates a first user terminal session key according to the subject name of the information to be transmitted. Therefore, different keys can be set according to different information so as to ensure the uniqueness of the encryption key of each piece of information. Then, the first user terminal encrypts the information to be transmitted and a first user terminal identifier corresponding to the first user terminal according to the first user terminal session key to generate encrypted transmission information. Therefore, the transmitted information can be encrypted preliminarily, and meanwhile, after the transmission of the information is completed, the information receiving end can verify the authenticity of the information according to the first user end identification conveniently. Then, the first user terminal encrypts the first user terminal session key and the first user terminal identifier according to the first user terminal communication key, so as to generate a first user terminal encrypted session key and a first encrypted user terminal identifier. Therefore, the first user terminal session key and the first user terminal identification can be encrypted through the preset first user terminal communication key. Thus, the confidentiality of the key is improved. Finally, the first user end packages the encrypted transmission information, the subject name and the first encrypted user end identification into packaged encrypted transmission information, sends the packaged encrypted transmission information to a related transfer server, and sends the first user end encrypted session key to a related authentication server. Therefore, the transit server and the authentication server can verify the information transmitted by the user side and verify whether the user side is a legal user side. Therefore, the safety of information transmission is improved, and the possibility of information leakage is reduced.
With further reference to fig. 2, as an implementation of the methods shown in the above-mentioned figures, the present disclosure provides some embodiments of an information transmission apparatus based on industrial control network intrusion, which correspond to those of the method embodiments shown in fig. 1, and which can be applied in various electronic devices.
As shown in fig. 2, an information transmission apparatus 200 based on industrial control network intrusion according to some embodiments includes: a reading unit 201, a generating unit 202, a first encrypting unit 203, a second encrypting unit 204, and a transmitting unit 205. The reading unit 201 is configured to, in response to receiving information to be transmitted uploaded by a user, read a preset first user-side communication key from a first user-side database; a generating unit 202, configured to generate a first user session key according to the subject name of the information to be transmitted; a first encryption unit 203, configured to encrypt, according to the first user session key, the to-be-transmitted information and a first user identifier corresponding to the first user to generate encrypted transmission information; a second encryption unit 204, configured to perform encryption processing on the first ue session key and the first ue id according to the first ue communication key, respectively, so as to generate a first ue encrypted session key and a first encrypted ue id; a sending unit 205, configured to encapsulate the encrypted transmission information, the subject name, and the first encrypted ue id as encapsulated encrypted transmission information, send the encapsulated encrypted transmission information to an associated transit server, and send the first ue encrypted session key to an associated authentication server.
It is to be understood that the units described in the industrial control network intrusion based information transmission apparatus 200 correspond to the respective steps in the method described with reference to fig. 1. Therefore, the operations, features and beneficial effects of the methods described above are also applicable to the information transmission apparatus 200 based on industrial control network intrusion and the units included therein, and are not described herein again.
Referring now to fig. 3, a schematic diagram of an electronic device (e.g., a first user-side) 300 suitable for use in implementing some embodiments of the present disclosure is shown. The electronic device in some embodiments of the present disclosure may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a vehicle-mounted terminal (e.g., a car navigation terminal), and the like, and a stationary terminal such as a digital TV, a desktop computer, and the like. The electronic device shown in fig. 3 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 3, the electronic device 300 may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 301 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 302 or a program loaded from a storage means 308 into a Random Access Memory (RAM) 303. In the RAM303, various programs and data necessary for the operation of the electronic apparatus 300 are also stored. The processing device 301, the ROM302, and the RAM303 are connected to each other via a bus 304. An input/output (I/O) interface 305 is also connected to bus 304.
Generally, the following devices may be connected to the I/O interface 305: input devices 306 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 307 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage devices 308 including, for example, magnetic tape, hard disk, etc.; and a communication device 309. The communication means 309 may allow the electronic device 300 to communicate wirelessly or by wire with other devices to exchange data. While fig. 3 illustrates an electronic device 300 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided. Each block shown in fig. 3 may represent one device or may represent multiple devices, as desired.
In particular, according to some embodiments of the present disclosure, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, some embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated by the flow chart. In some such embodiments, the computer program may be downloaded and installed from a network through the communication device 309, or installed from the storage device 308, or installed from the ROM 302. The computer program, when executed by the processing apparatus 301, performs the above-described functions defined in the methods of some embodiments of the present disclosure.
It should be noted that the computer readable medium described in some embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In some embodiments of the disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In some embodiments of the present disclosure, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the clients, servers may communicate using any currently known or future developed network Protocol, such as HTTP (HyperText Transfer Protocol), and may interconnect with any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), the Internet (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: the first user terminal responds to the received information to be transmitted uploaded by the user, and reads a preset first user terminal communication key from a first user terminal database; the first user terminal generates a first user terminal session key according to the subject name of the information to be transmitted; the first user terminal encrypts the information to be transmitted and a first user terminal identifier corresponding to the first user terminal according to the first user terminal session key to generate encrypted transmission information; the first user terminal encrypts the first user terminal session key and the first user terminal identifier according to the first user terminal communication key, so as to generate a first user terminal encrypted session key and a first encrypted user terminal identifier; the first user end packages the encrypted transmission information, the subject name and the first encrypted user end identification into packaged encrypted transmission information, sends the packaged encrypted transmission information to a related transfer server, and sends the first user end encrypted session key to a related authentication server.
Computer program code for carrying out operations for embodiments of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, smalltalk, C + +, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in some embodiments of the present disclosure may be implemented by software or hardware. The described units may also be provided in a processor, and may be described as: a processor includes a reading unit, a generating unit, a first encrypting unit, a second encrypting unit, and a transmitting unit. The names of the units do not form a limitation on the units themselves in some cases, for example, the reading unit may also be described as a "unit for the first user end to read a preset first user end communication key from the first user end database in response to receiving information to be transmitted uploaded by the user".
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems on a chip (SOCs), complex Programmable Logic Devices (CPLDs), and the like.
Some embodiments of the present disclosure also provide a computer program product, which includes a computer program, and the computer program, when executed by a processor, implements any of the above-mentioned information transmission methods based on industrial control network intrusion.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the embodiments of the present disclosure is not limited to the specific combinations of the above-mentioned features, and other embodiments in which the above-mentioned features or their equivalents are combined arbitrarily without departing from the spirit of the invention are also encompassed. For example, the above features and (but not limited to) technical features with similar functions disclosed in the embodiments of the present disclosure are mutually replaced to form the technical solution.

Claims (6)

1. An information transmission method based on industrial control network intrusion comprises the following steps:
the first user terminal responds to the received information to be transmitted uploaded by the user, and reads a preset first user terminal communication key from a first user terminal database;
the first user terminal generates a first user terminal session key according to the subject name of the information to be transmitted;
the first user terminal encrypts the information to be transmitted and a first user terminal identification corresponding to the first user terminal according to the first user terminal session key so as to generate encrypted transmission information;
the first user terminal encrypts the first user terminal session key and the first user terminal identification respectively according to the first user terminal communication key to generate a first user terminal encrypted session key and a first encrypted user terminal identification;
the first user end packages the encrypted transmission information, the subject name and the first encrypted user end identification into packaged encrypted transmission information, sends the packaged encrypted transmission information to an associated transfer server, and sends the first user end encrypted session key to an associated authentication server;
wherein the first user side communication key is generated by the following steps:
the first user terminal carries out first hash processing on a first user terminal network token, a first user terminal identification and a first time stamp to generate a first user terminal hash value, wherein the first user terminal network token is a network token issued to the first user terminal by an authentication server, the first user terminal identification uniquely identifies the first user terminal, and the first time stamp is a time stamp of the current time;
the first user end carries out hash abstract processing on the first user end hash value, the first user end identification and the first time stamp so as to generate a first user end hash abstract;
the first user side sends the first user side identification, the first time stamp, the first user side hash value and the first user side hash abstract to an authentication server;
the first user terminal responds to the first user terminal encryption authentication information sent by the authentication server, and performs hash digest processing on the first user terminal network token and a first service terminal public key and a second timestamp included in the first user terminal encryption authentication information to generate a second user terminal hash digest, wherein the first user terminal encryption authentication information further includes: the first server hash abstract, the server random number and the second server public key;
the first user end determines whether the second user end hash abstract is consistent with the first service end hash abstract or not;
the first user side generates a first user side public key and a first user side private key in response to the fact that the second user side hash abstract is consistent with the first server side hash abstract;
the first user terminal performs hash digest processing on the first user terminal public key, the first user terminal network token and a third timestamp to generate a third user terminal hash digest, wherein the third timestamp refers to a timestamp of the current time;
the first user side sends the third user side hash abstract, the first user side public key, the first user side random number and the third time stamp to the authentication server;
and the first user responds to a key generation instruction sent by the authentication server, and generates a first user communication key according to the server random number, the first user hash digest, the first server hash digest, the third user hash digest, the first server public key, the second server public key and the first user private key.
2. The method of claim 1, wherein the method further comprises:
the transfer server responds to the received packaged encrypted transmission information sent by the first user terminal, analyzes an analysis subject name corresponding to the packaged encrypted transmission information, analyzes a first encrypted user terminal identification included in the packaged encrypted transmission information, and queries a second user terminal identification corresponding to the analysis subject name;
and the transfer server sends the analysis subject name, the second user end identification and the first encryption user end identification to the authentication server.
3. The method of claim 2, wherein the method further comprises:
the transfer server responds to the received encrypted user side ciphertext and a second server communication key sent by the authentication server, and combines encrypted transmission information and the encrypted user side ciphertext which are included in the packaged encrypted transmission information into target transmission information;
and the transfer server encrypts the target transmission information according to the second server communication key to generate encrypted target transmission information, and sends the encrypted target transmission information to a second user end corresponding to the second user end identification.
4. An information transmission device based on industrial control network intrusion, comprising:
the reading unit is configured to read a preset first user terminal communication key from a first user terminal database in response to receiving information to be transmitted uploaded by a user; wherein the first user side communication key is generated by the following steps:
the first user terminal carries out first hash processing on a first user terminal network token, a first user terminal identification and a first time stamp to generate a first user terminal hash value, wherein the first user terminal network token is a network token issued to the first user terminal by an authentication server, the first user terminal identification uniquely identifies the first user terminal, and the first time stamp is a time stamp of the current time;
the first user end carries out hash abstract processing on the first user end hash value, the first user end identification and the first time stamp so as to generate a first user end hash abstract;
the first user end sends the first user end identification, the first time stamp, the first user end hash value and the first user end hash abstract to an authentication server;
the first user terminal responds to the first user terminal encryption authentication information sent by the authentication server, and performs hash digest processing on the first user terminal network token and a first service terminal public key and a second timestamp included in the first user terminal encryption authentication information to generate a second user terminal hash digest, wherein the first user terminal encryption authentication information further includes: the method comprises the steps that a first server hash abstract, a server random number and a second server public key are obtained;
the first user end determines whether the second user end hash abstract is consistent with the first service end hash abstract or not;
the first user side generates a first user side public key and a first user side private key in response to the fact that the second user side hash abstract is consistent with the first server side hash abstract;
the first user side carries out hash digest processing on the first user side public key, the first user side network token and a third timestamp to generate a third user side hash digest, wherein the third timestamp refers to the timestamp of the current time;
the first user end sends the third user end hash abstract, the first user end public key, the first user end random number and the third time stamp to the authentication server;
the first user terminal responds to a received key generation instruction sent by the authentication server and generates a first user terminal communication key according to the server terminal random number, the first user terminal hash abstract, the first service terminal hash abstract, the third user terminal hash abstract, the first server terminal public key, the second server terminal public key and the first user terminal private key;
the generating unit is configured to generate a first user terminal session key according to the subject name of the information to be transmitted;
a first encryption unit, configured to encrypt, according to the first user session key, a first user identifier corresponding to the first user and the information to be transmitted, so as to generate encrypted transmission information;
a second encryption unit, configured to perform encryption processing on the first user session key and the first user identifier according to the first user communication key, respectively, so as to generate a first user encryption session key and a first encryption user identifier;
a sending unit, configured to encapsulate the encrypted transmission information, the subject name, and the first encrypted user end identifier as encapsulated encrypted transmission information, send the encapsulated encrypted transmission information to an associated transit server, and send the first user end encrypted session key to an associated authentication server.
5. An electronic device, comprising:
one or more processors;
a storage device having one or more programs stored thereon;
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-3.
6. A computer-readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the method of any one of claims 1-3.
CN202211219298.6A 2022-10-08 2022-10-08 Information transmission method and device based on industrial control network intrusion and electronic equipment Active CN115296934B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211219298.6A CN115296934B (en) 2022-10-08 2022-10-08 Information transmission method and device based on industrial control network intrusion and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211219298.6A CN115296934B (en) 2022-10-08 2022-10-08 Information transmission method and device based on industrial control network intrusion and electronic equipment

Publications (2)

Publication Number Publication Date
CN115296934A CN115296934A (en) 2022-11-04
CN115296934B true CN115296934B (en) 2023-01-24

Family

ID=83833682

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211219298.6A Active CN115296934B (en) 2022-10-08 2022-10-08 Information transmission method and device based on industrial control network intrusion and electronic equipment

Country Status (1)

Country Link
CN (1) CN115296934B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111147225A (en) * 2018-11-02 2020-05-12 中国科学院沈阳自动化研究所 Credible measurement and control network authentication method based on double secret values and chaotic encryption
CN111770092A (en) * 2020-06-29 2020-10-13 华中科技大学 Numerical control system network security architecture and secure communication method and system
CN112883435A (en) * 2021-04-12 2021-06-01 北京飞天数科科技有限公司 Method and equipment for realizing safe communication with intelligent contract

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11606688B2 (en) * 2019-02-20 2023-03-14 Coretigo Ltd. Secure key exchange mechanism in a wireless communication system
CN109831464A (en) * 2019-04-01 2019-05-31 北京百度网讯科技有限公司 Method and apparatus for ciphertext data
US11606193B2 (en) * 2020-09-14 2023-03-14 Oracle International Corporation Distributed session resumption

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111147225A (en) * 2018-11-02 2020-05-12 中国科学院沈阳自动化研究所 Credible measurement and control network authentication method based on double secret values and chaotic encryption
CN111770092A (en) * 2020-06-29 2020-10-13 华中科技大学 Numerical control system network security architecture and secure communication method and system
CN112883435A (en) * 2021-04-12 2021-06-01 北京飞天数科科技有限公司 Method and equipment for realizing safe communication with intelligent contract

Also Published As

Publication number Publication date
CN115296934A (en) 2022-11-04

Similar Documents

Publication Publication Date Title
EP4191430A1 (en) Data processing method and apparatus applied to blockchain system
US20120054491A1 (en) Re-authentication in client-server communications
US8495383B2 (en) Method for the secure storing of program state data in an electronic device
CN110401677B (en) Method and device for acquiring digital copyright key, storage medium and electronic equipment
CN109151508B (en) Video encryption method
CN108923925B (en) Data storage method and device applied to block chain
WO2018120938A1 (en) Offline key transmission method, terminal and storage medium
CN111030827A (en) Information interaction method and device, electronic equipment and storage medium
CN112329044A (en) Information acquisition method and device, electronic equipment and computer readable medium
CN114553590A (en) Data transmission method and related equipment
CN116633582A (en) Secure communication method, apparatus, electronic device and storage medium
CN117061105A (en) Data processing method and device, readable medium and electronic equipment
CN116781292A (en) Data processing method, device, equipment and readable storage medium
CN111786955B (en) Method and apparatus for protecting a model
CN115296807B (en) Key generation method, device and equipment for preventing industrial control network viruses
CN113810779B (en) Code stream signature verification method, device, electronic equipment and computer readable medium
CN114499893B (en) Bidding file encryption and evidence storage method and system based on block chain
CN115296934B (en) Information transmission method and device based on industrial control network intrusion and electronic equipment
CN114554485B (en) Asynchronous session key negotiation and application method, system, electronic equipment and medium
CN116961973A (en) Data transmission method, device, electronic equipment and computer readable storage medium
CN114430345A (en) Data transmission method and device, storage medium and electronic equipment
CN114978769A (en) Unidirectional lead-in device, method, medium, and apparatus
CN111431846B (en) Data transmission method, device and system
CN115378743B (en) Information encryption transmission method, device, equipment and medium
CN111314320B (en) Communication method, terminal, server and system based on HTTP

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant