CN115987500A - Data safety transmission method and system based on industrial equipment data acquisition - Google Patents

Info

Publication number: CN115987500A
Application number: CN202211647333.4A
Authority: CN (China)
Prior art keywords: data, key, random factor, ciphertext, cloud
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 李凯玺, 钟志峰, 李房斌, 易慧, 邓赛南, 宋虎
Current assignee: Beijing Chengxin Yingtong Technology Co ltd
Original assignee: Beijing Chengxin Yingtong Technology Co ltd
Abstract

The invention belongs to the field of data security, and discloses a data security transmission method and a data security transmission system based on industrial equipment data acquisition. The invention uses domestic (SM) encryption algorithms to encrypt the equipment data and ensures the confidentiality of the equipment data during transmission; a high-entropy random number takes part in generating the working key, so that the key is difficult to compute; and a dedicated private key provides security protection together with availability and integrity checks for the data.

Description

Data safety transmission method and system based on industrial equipment data acquisition
Technical Field
The invention belongs to the field of industrial equipment data acquisition, and particularly relates to a data security transmission method and system based on industrial equipment data acquisition.
Background
At present, the industrial internet is a product of the deep integration of modern industrial technology with a new generation of digital technology, and is one of the important construction fields of new infrastructure in China. Under the new concept and ecology of the industrial internet, equipment data is a production element of the industrial internet, plays an important role in the whole industrial process and runs through the whole course of industrial production. The status of industrial device data in the industrial Internet of Things is self-evident, and in the era of universal interconnection, industrial data faces very large security risks, such as data leakage, data theft and data tampering.
Existing data encryption carries the risk that the public key is hijacked, and common encryption schemes are easy to break once the public key has been hijacked. With a hijacked public key, forged information data can be simulated and sent, causing malicious attacks on the system.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a data safety transmission method and system based on industrial equipment data acquisition.
The invention is realized as follows: a data security transmission method based on industrial equipment data acquisition guarantees the security of data transmission in the Internet of Things environment by using national (SM) cryptographic algorithms and device fingerprint information, ensures data security through operations on random factors, and uses the device fingerprint to prevent malicious attacks after a public key has been hijacked.
Further, the data security transmission method based on industrial equipment data acquisition comprises the following steps:
initializing a cloud preset public and private key pair and a cloud random factor RA; the edge computing gateway sends data to the cloud: a working key is computed using a dynamic key, the SM2, SM3 and SM4 algorithms and a high-entropy random number generated by the snowflake algorithm, and the original data is then encrypted to obtain ciphertext data; the cloud receives the ciphertext data sent by the edge computing gateway, computes the working key, and decrypts the ciphertext data to obtain the original data; finally, the data is checked.
Further, the initializing includes:
the cloud creates a public key and a private key, which are used to encrypt and decrypt part of the data exchanged with the edge gateway, and randomly generates a binary string as the cloud random factor RA; the device fingerprint data of the edge gateway is converted into binary form; and the generated random factor RA and the binary device fingerprint are preset in the edge gateway device.
Further, the edge computing gateway sending data to the cloud comprises:
preparing the original data to be sent; generating an edge computing gateway random factor RB with the snowflake algorithm, and encrypting RB with the SM2 algorithm using the public key as the key to obtain the random factor ciphertext RB1;
combining the cloud random factor RA, the edge computing gateway random factor RB, the device fingerprint and the public key to obtain the working key SK;
encrypting the device fingerprint of the edge computing gateway with the SM2 algorithm using the public key as the key to obtain the device fingerprint ciphertext PP;
computing a digest of the original data with the SM3 algorithm to obtain the summary information M1;
encrypting the original data with the SM4 algorithm using the working key SK as the key to obtain the ciphertext data; and creating a data structure for transferring the data.
Further, the generation process of the working key SK comprises:
performing an exclusive-or (XOR) operation on the cloud random factor RA and the edge computing gateway random factor RB to obtain the result RC; encrypting RC with the SM4 algorithm using the public key as the key and converting the result into binary data RD; taking the first eight bits of RD as F1 and the last eight bits of RD as F2;
encrypting the device fingerprint of the current device with the SM4 algorithm using F1 as the key, and converting the resulting ciphertext into binary data FA;
XORing RD with FA, then XORing that result with F2 to obtain the working key SK; if F2 has too few bits, it is padded with 0 in the high-order positions;
the data structure for transmitting data comprises:
data field one: random factor ciphertext RB1;
data field two: device fingerprint ciphertext PP;
data field three: summary information M1;
data field four: ciphertext data.
Further, the cloud receiving the data sent by the edge computing gateway includes:
receiving the ciphertext data; decrypting the random factor ciphertext RB1 with the SM2 asymmetric algorithm using the private key to obtain the edge computing gateway random factor RB;
decrypting the fingerprint ciphertext PP with the SM2 asymmetric algorithm using the private key to obtain the device fingerprint DF;
combining the cloud random factor RA, the edge computing gateway random factor RB, the device fingerprint and the private key to obtain the working key SK;
decrypting the ciphertext data with the SM4 algorithm using the working key SK as the key to obtain the original data.
Further, receiving the ciphertext data means obtaining the value of each data field by parsing the data structure, and includes:
parsing data field one: random factor ciphertext RB1;
parsing data field two: device fingerprint ciphertext PP;
parsing data field three: summary information M1;
parsing data field four: ciphertext data.
Further, the checking process includes:
the cloud computes a digest of the decrypted original data with the SM3 digest algorithm to obtain the summary information M2;
comparing it with the summary information M1 transmitted to the cloud by the edge computing gateway: if M1 is the same as M2, the data is available; if M1 differs from M2, the data is not available and is discarded.
Another object of the present invention is to provide a data security transmission system based on data acquisition of industrial equipment, in which:
the cloud comprises an initialization module, a decryption module and a verification module, wherein the initialization module creates a public key and a private key and generates the random factor RA; the decryption module decrypts the encrypted data to obtain the original data; and the verification module compares the summary information M1 obtained during encryption with the summary information M2 obtained after decryption to verify the correctness of the data.
The edge computing gateway comprises an encryption module, which encrypts the device data with the encryption algorithm and generates the transmission protocol.
Further, the cloud initialization module creates a public key and a private key for encrypting and decrypting part of the data when communicating with the edge computing gateway, generates a random character string and converts it into binary data defined as the cloud random factor RA (the random factor can be updated over time according to specific conditions), converts the device fingerprint of each edge computing gateway into binary, and presets the generated public key, the random factor RA and the binary device fingerprint in each data acquisition device (edge computing gateway).
The encryption module of the edge computing gateway generates the edge computing gateway random factor RB with the snowflake algorithm, then encrypts the device data with the encryption algorithm using the public key, the random factor RA and the device fingerprint, and generates the transmission protocol.
The cloud receives the transmission protocol; the decryption module decrypts the encrypted device data with the decryption algorithm using the public/private key pair, the random factor RA and the device fingerprint to obtain the original data, and the verification module verifies the correctness of the data by comparing the summary information M1 obtained during encryption with the summary information M2 obtained after decryption.
Another object of the present invention is to provide a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of the method for secure transmission of data based on data acquisition of an industrial device.
Another object of the present invention is to provide a computer readable storage medium, storing a computer program, which, when executed by a processor, causes the processor to perform the steps of the method for secure transmission of data based on data acquisition of an industrial device.
Another objective of the present invention is to provide an information data processing terminal, which is used for implementing the data security transmission system based on data acquisition of industrial equipment.
By combining the technical scheme with the technical problem to be solved, the technical scheme to be protected by the invention has the following advantages and positive effects:
First, with respect to the technical problems in the prior art and the difficulty of solving them, the technical problems solved by the technical scheme of the present invention are closely combined with the results and data obtained during research and development, and some creative technical effects arise once the problems are solved. The specific description is as follows:
the invention integrates dynamic keys, domestic (SM) encryption algorithms, digital signature technology and a dedicated key, and provides security protection together with availability and integrity verification for the data. The device can be verified through the digital signature, which effectively prevents simulation attacks after the public key is hijacked. The scheme achieves dynamic keys through the random factor and the national (SM) cryptographic algorithms, and effectively ensures the secure transmission of data.
Secondly, considering the technical scheme as a whole or from the product perspective, the technical effects and advantages of the technical scheme to be protected are as follows:
the invention uses domestic (SM) encryption algorithms to encrypt the device data, ensuring the confidentiality of the device data during transmission. The key is generated from a high-entropy random number combined with the device fingerprint through a complex operation, so that even if an attacker obtains a key at some point, the key changes dynamically and the attacker cannot compute a new key from an old one.
The invention uses the SM3 algorithm to ensure the integrity and availability of the data: even if an attacker tampers with the transmitted data, the cloud can detect the tampering by checking the message digest.
The invention adopts the snowflake algorithm to generate non-repeating random numbers efficiently at the edge computing gateway, encrypts them with the SM2 algorithm and converts them into binary data, and uses these high-entropy random numbers in generating the working key, ensuring that the key is difficult to compute.
Third, as supplementary proof of the inventiveness of the claims of the present invention, several important aspects are presented:
(1) The expected income and commercial value after the technical scheme of the invention is put into practice:
the invention can effectively secure data acquisition and data transmission of industrial equipment and avoid malicious attacks on the equipment caused by public key leakage.
(2) The technical scheme of the invention solves a technical problem that people have long been eager to solve but could not:
by combining the domestic (SM) encryption algorithms, the SM3 algorithm and the snowflake algorithm, the invention effectively solves the technical problems in the prior art, making the key difficult to forge or compute, ensuring the availability, security and integrity of the data, and reducing the security risk of industrial data.
Drawings
Fig. 1 is an architecture diagram of the data security transmission method based on data acquisition of industrial equipment according to an embodiment of the present invention;
Fig. 2 is a flow chart of the core algorithm of the data security transmission method based on data acquisition of industrial equipment according to an embodiment of the present invention;
Fig. 3 is a flow chart of encryption provided by an embodiment of the present invention;
Fig. 4 is a flow chart of decryption provided by an embodiment of the present invention;
Fig. 5 is a flow chart of verification provided by an embodiment of the present invention;
Fig. 6 is an architecture diagram of the data security transmission system based on data acquisition of industrial equipment according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
This section is an explanatory embodiment expanding on the claims, so that those skilled in the art can fully understand how the present invention is embodied.
As shown in Fig. 1, the data security transmission method based on data acquisition of industrial equipment provided by the embodiment of the present invention mainly includes a data sending part and a data receiving part, and is newly defined for transmissions that carry instruction-type or command-type protocols.
The data sending process of the edge computing gateway comprises the following steps:
S1: prepare the original data to be sent;
S2: obtain the working key from the random factor RA, the random factor RB, the device fingerprint and the public key;
S3: combine the random factor RB with the public key to obtain the random factor ciphertext RB1;
S4: combine the device fingerprint with the public key to obtain the device fingerprint ciphertext PP;
S5: compute a digest of the original data to obtain the summary information M1;
S6: encrypt the original data with the working key.
The cloud data receiving process comprises the following steps:
S1: receive the data;
S2: decrypt the random factor ciphertext RB1 with the private key to obtain the random factor RB;
S3: decrypt the fingerprint ciphertext PP with the private key to obtain the device fingerprint;
S4: combine the random factor RA, the random factor RB, the device fingerprint and the private key to obtain the working key;
S5: obtain the original data from the working key and the encrypted data;
S6: compute a digest of the original data to obtain M2 and compare it with the summary information M1: if they are the same, the data is valid; if they differ, the data is invalid.
In the embodiment of the invention, the initialization stage is as follows: the cloud initialization module creates a public key and a private key for encrypting and decrypting part of the data when communicating with the edge computing gateway, generates a random character string and converts it into binary data defined as the cloud random factor RA (the random factor can be updated over time according to specific conditions), obtains the device fingerprint of each edge computing gateway and converts it into binary, and finally presets the generated random factor RA, the binary device fingerprint and the public key in each edge computing gateway device.
In the embodiment of the invention, the encryption flow at the edge computing gateway is as follows.
S1: the original data to be sent is the original data of the device;
S2: obtain the working key: generate a unique identifier with the snowflake algorithm and define it as the random factor RB; XOR the random factor RA with RB to obtain the result RC; encrypt RC with the SM4 algorithm using the public key as the key and convert the result into binary RD; take the first eight bits of RD as F1 and the last eight bits of RD as F2; encrypt the device fingerprint of the current device with the SM4 algorithm using F1 as the key, and convert the resulting ciphertext into binary data FA; XOR RD with FA and then with F2 to obtain the working key SK, padding F2 with 0 in the high-order positions if it has too few bits;
S3: encrypt the random factor RB with the SM2 algorithm using the public key as the key to obtain the edge computing gateway random factor ciphertext RB1;
S4: encrypt the device fingerprint of the edge computing gateway with the SM2 algorithm using the public key as the key to obtain the device fingerprint ciphertext PP;
S5: generate the summary information M1 from the original device data with the SM3 hash algorithm;
S6: encrypt the data acquired by the device with the SM4 symmetric algorithm using the working key SK generated in step S2 as the key to obtain the ciphertext data.
In the embodiment of the invention, the data structure of the transmission protocol is created:
data field one: random factor ciphertext RB1;
data field two: device fingerprint ciphertext PP;
data field three: summary information M1;
data field four: ciphertext data;
finally, the transmission protocol is sent to the cloud.
In the embodiment of the present invention, the decryption process for data sent by the edge computing gateway and received by the cloud is as follows:
S1: receive the data, i.e. receive the transmission protocol and parse it.
Parse the data protocol structure and obtain the value of each data field:
data field one: random factor ciphertext RB1;
data field two: device fingerprint ciphertext PP;
data field three: summary information M1;
data field four: ciphertext data;
S2: obtain the random factor RB.
Decrypt the random factor ciphertext RB1 with the SM2 asymmetric algorithm using the private key as the key to obtain the random factor RB.
S3: obtain the device fingerprint DF.
Decrypt the device fingerprint ciphertext PP with the SM2 asymmetric algorithm using the private key as the key to obtain the device fingerprint DF.
S4: calculate the working key SK.
XOR the cloud random factor RA with the edge computing gateway random factor RB to obtain RC; encrypt RC with the SM4 algorithm using the public key as the key and convert the result into binary data RD; take the first eight bits of RD as F1 and the last eight bits of RD as F2;
encrypt the device fingerprint DF with the SM4 algorithm using F1 as the key, and convert the resulting ciphertext into binary data FA;
XOR RD with FA and then with F2 to obtain the working key SK, padding F2 with 0 in the high-order positions when it has too few bits.
S5: decrypt the ciphertext to obtain the original data: decrypt the ciphertext data with the SM4 algorithm using the working key SK as the key to obtain the device data.
S6: check.
The cloud computes a digest of the decrypted device data with the SM3 digest algorithm to obtain the summary information M2,
and compares it with the summary information M1 transmitted by the edge computing gateway and parsed from the transmission protocol:
if the two digests are the same, the data is valid; if they differ, the data is invalid.
In the initialization stage, in order to complete generation of the public/private key pair and the random factor RA and conversion of each device's fingerprint, the cloud presets the public key, the random factor RA and the converted device fingerprint into each corresponding device, so that the subsequent encryption and decryption stages can proceed.
As shown in Fig. 2, the specific process of the data security transmission method based on data acquisition of industrial equipment comprises the following steps:
During initialization, the cloud presets a public/private key pair and the cloud random factor RA, and all data acquisition devices (edge computing gateways) are preset with the cloud-generated public key. In the data encryption and data transmission processes, all encryption algorithms adopted are national (SM) algorithms, the idea of dynamic keys is used, and the working key is obtained through complex computation from the high-entropy random numbers generated by the edge computing gateway and the cloud together with the device fingerprint.
When data is received, the working key is computed from the decrypted device fingerprint, the random factor RB and the cloud random factor RA, and the ciphertext data is then decrypted to obtain the original data.
Finally, the digest is computed from the original data, the received message digest is decrypted, and the two are compared; the data is available if they are the same.
Further, the specific initialization process includes:
the cloud creates a public key and a private key for encrypting and decrypting part of the data when communicating with the edge computing gateway, generates a random character string and converts it into binary data defined as the cloud random factor RA (the random factor can be updated over time according to specific conditions), converts the device fingerprint of each edge computing gateway into binary, and presets the generated random factor RA and the binary device fingerprint in each device.
As shown in Fig. 3, the encryption process includes:
Generating the working key (SK): first generate the edge computing gateway random factor RB with the snowflake algorithm, then XOR RB with the cloud random factor RA to obtain the process parameter RC. Using the public key as the key, encrypt the process parameter RC with the SM4 symmetric algorithm to obtain the process parameter RD. Take the first eight bits of RD as the process parameter F1 and the last eight bits of RD as the process parameter F2. Use F1 as the key (padded with 0 in the high-order bits if it has too few bits) and encrypt the device fingerprint DF with the SM4 symmetric algorithm to obtain the process parameter FA. Finally, XOR the process parameter FA with the process parameter F2, XOR that result with the process parameter RD, and use the result as the working key.
Generating the random factor ciphertext RB1: encrypt the random factor RB with the SM2 asymmetric algorithm using the public key as the key to obtain the ciphertext data RB1.
Data encryption and digest operation: apply the SM3 digest algorithm to the device data to obtain the summary information M1;
encrypt the data acquired by the device with the SM4 symmetric algorithm using the generated working key SK as the key.
Finally, the data structure for transmitting the data is created:
(1) data field one: random factor ciphertext RB1;
(2) data field two: device fingerprint ciphertext PP;
(3) data field three: summary information M1;
(4) data field four: ciphertext data;
further, the data element specification is defined in a table (present as two images in the original document and not reproduced here);
further, the transport protocol structure is defined as follows:
Data field one: random factor ciphertext RB1, the random number generated by the data acquisition device, encrypted with the SM4 encryption algorithm.
Data field two: device fingerprint ciphertext PP, the data acquisition device fingerprint, encrypted with the SM4 encryption algorithm.
Data field three: summary information M1, the message digest data generated from the original data by the SM3 hash algorithm.
Data field four: ciphertext data, generated by encrypting the original data with the working key.
As shown in Fig. 4, the decryption process includes:
Parsing the data protocol structure to obtain the value of each data field:
(1) data field one: random factor ciphertext RB1;
(2) data field two: device fingerprint ciphertext PP;
(3) data field three: summary information M1;
(4) data field four: ciphertext data;
Calculating the random factor RB: using the private key as the key, decrypt RB1 with the SM2 decryption algorithm to obtain the random factor RB.
Calculating the device fingerprint DF: decrypt the device fingerprint ciphertext PP with the SM2 decryption algorithm, using the private key as the key, to obtain the device fingerprint plaintext DF.
Calculating the working key SK: XOR the random factor RA with the edge computing gateway random factor RB to obtain the process parameter RC. Encrypt the process parameter RC with the SM4 symmetric algorithm using the public key as the key to obtain the process parameter RD; take the first eight bits of RD as the process parameter F1 and the last eight bits of RD as the process parameter F2. Use F1 as the key (padded with 0 in the high-order bits if it has too few bits) and encrypt the device fingerprint DF with the SM4 symmetric algorithm to obtain the process parameter FA. Finally, XOR the process parameter FA with the process parameter F2, XOR that result with the process parameter RD, and use the result as the working key.
Decrypting the ciphertext data: apply the SM4 decryption algorithm to the ciphertext data with the working key to obtain the plaintext device data.
As shown in Fig. 5, the verification process includes:
Calculating the message digest M2: compute the message digest M2 of the plaintext device data with the SM3 digest algorithm.
Comparing the two digests: compare the summary information M1 transmitted to the cloud by the edge computing gateway with the summary information M2 obtained in the previous step; if M1 is the same as M2, the data is available; if M1 differs from M2, the data is not available and is discarded.
To demonstrate the creativity and technical value of the technical scheme of the invention, this part gives an application example of the claimed technical scheme on specific products or related technologies.
The embodiment of the invention can be applied to industrial production equipment, such as instruction transmission for PLCs, DCSs and other devices. In a scenario simulating the sending and receiving of industrial equipment messages, compared with traditional encryption, transmission of the simulated data is refused after the public key is hijacked, no erroneous operation of the industrial equipment is caused, and device communication and normal industrial production are fully guaranteed. With traditional encryption, once the public key is hijacked, the equipment may receive an erroneous instruction through a data attack, threatening industrial production.
It should be noted that the embodiments of the present invention can be realized by hardware, software, or a combination of software and hardware. The hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory and executed by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the apparatus and methods described above may be implemented using computer executable instructions and/or embodied in processor control code, such code being provided on a carrier medium such as a disk, CD- or DVD-ROM, programmable memory such as read only memory (firmware), or a data carrier such as an optical or electronic signal carrier, for example. The apparatus and its modules of the present invention may be implemented by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips and transistors, or programmable hardware devices such as field programmable gate arrays and programmable logic devices, or by software executed by various types of processors, or by a combination of hardware circuits and software, e.g., firmware.
The above description is only for the purpose of illustrating the embodiments of the present invention, and the scope of the present invention should not be limited thereto, and any modifications, equivalents and improvements made by those skilled in the art within the technical scope of the present invention as disclosed in the present invention should be covered by the scope of the present invention.

Claims (10)

1. A data security transmission method based on industrial equipment data acquisition, characterized in that the security of data transmission in an Internet of Things environment is guaranteed by means of the state secret (SM) algorithms and device fingerprint information, the security of the data is guaranteed through operations on random factors, and malicious attacks after the public key is hijacked are prevented through device fingerprints.
2. The data security transmission method based on industrial equipment data acquisition as claimed in claim 1, wherein the method comprises:
initializing a cloud-preset public and private key pair and a cloud random factor RA; the edge computing gateway sends data to the cloud, a working key is computed using a dynamic key, the SM2, SM3 and SM4 algorithms and a high-entropy random number generated by a snowflake algorithm, and the original data is then encrypted to obtain ciphertext data; the cloud receives the ciphertext data sent by the edge computing gateway, computes the working key, and then decrypts the ciphertext data to obtain the original data; and finally the data is verified.
3. The method for secure data transmission based on data collection of industrial equipment according to claim 2, wherein the initialization comprises:
the cloud creates a public key and a private key, which are used for encrypting and decrypting part of the data, and at the same time randomly generates a binary string as the cloud random factor RA; converting the device fingerprint data of the edge gateway into binary form; and presetting the generated random factor RA and the binary device fingerprint in the edge gateway device.
4. The method for secure data transmission based on data acquisition of industrial equipment according to claim 2, wherein the sending of data to the cloud by the edge computing gateway comprises:
preparing the original data to be sent; generating an edge computing gateway random factor RB using the snowflake algorithm, and encrypting RB with the SM2 encryption algorithm using the public key as the key to obtain the random factor ciphertext RB1;
combining the cloud random factor RA, the edge computing gateway random factor RB, the device fingerprint and the public key to obtain the working key SK;
encrypting the device fingerprint of the edge computing gateway with the SM2 encryption algorithm using the public key as the key to obtain the device fingerprint ciphertext PP;
computing a digest of the original data with the SM3 algorithm to obtain the summary information M1;
encrypting the original data with the SM4 encryption algorithm using the working key SK as the key to obtain the ciphertext data; and creating the data structure for transferring the data.
5. The data security transmission method based on industrial equipment data acquisition as claimed in claim 4, wherein the generation process of the working key SK comprises:
performing an exclusive-or operation on the cloud random factor RA and the edge computing gateway random factor RB to obtain a result RC; encrypting RC with the SM4 encryption algorithm using the public key as the key, converting the result into binary data RD, and taking the first eight bits of RD as F1 and the last eight bits of RD as F2;
encrypting the device fingerprint of the current device with the SM4 encryption algorithm using F1 as the key, and converting the resulting ciphertext into binary data FA;
performing an XOR operation on the binary data RD and FA, and then an XOR operation of that result with F2, to obtain the working key SK, where F2 is padded with 0 at the high bits if it has too few bits;
and wherein the data structure for transmitting the data comprises:
data field one: the random factor ciphertext RB1;
data field two: the device fingerprint ciphertext PP;
data field three: the summary information M1;
data field four: the ciphertext data.
6. The data security transmission method based on industrial equipment data acquisition as claimed in claim 2, wherein the cloud receiving the data sent by the edge computing gateway comprises:
receiving the ciphertext data; decrypting the random factor ciphertext RB1 with the private key using the SM2 asymmetric algorithm to obtain the edge computing gateway random factor RB;
decrypting the fingerprint ciphertext PP with the private key using the SM2 asymmetric algorithm to obtain the device fingerprint DF;
combining the cloud random factor RA, the edge computing gateway random factor RB, the device fingerprint and the private key to obtain the working key SK;
and decrypting the ciphertext data with the SM4 algorithm using the working key SK as the key to obtain the original data.
7. The data security transmission method based on industrial equipment data acquisition as claimed in claim 6, wherein receiving the ciphertext data obtains the value of each data field by parsing the data structure, comprising:
parsing data field one: the random factor ciphertext RB1;
parsing data field two: the device fingerprint ciphertext PP;
parsing data field three: the summary information M1;
parsing data field four: the ciphertext data.
8. The data security transmission method based on industrial equipment data acquisition as claimed in claim 2, wherein the verification process comprises:
the cloud computes the summary information M2 from the decrypted original data using the SM3 digest algorithm;
comparing the summary information M2 with the summary information M1 transmitted to the cloud by the edge computing gateway, wherein if M1 is the same as M2 the data is available; if M1 differs from M2, the data is not available and is discarded.
9. A data security transmission system based on industrial equipment data acquisition, characterized by comprising:
a cloud comprising an initialization module, a decryption module and a verification module, wherein the initialization module creates a public key and a private key and generates a random factor RA; the decryption module decrypts the encrypted data to obtain the original data; and the verification module compares the summary information M1 obtained during encryption with the summary information M2 obtained after decryption to verify the correctness of the data;
and an edge computing gateway comprising an encryption module, which encrypts the equipment data with an encryption algorithm and generates the transmission protocol.
10. The system according to claim 9, wherein the cloud initialization module creates a public key and a private key for encrypting and decrypting part of the data when communicating with the edge computing gateway, generates a random string and converts it into binary data defined as the cloud random factor RA, converts the device fingerprint of each edge computing gateway into binary data, and presets the generated public key, random factor RA and binary device fingerprint in each data collection device;
the encryption module of the edge computing gateway generates an edge computing gateway random factor RB using a snowflake algorithm, then encrypts the equipment data with the public key, the random factor RA and the device fingerprint through the encryption algorithm to generate the transmission protocol;
and the cloud receives the transmission protocol, the decryption module decrypts the encrypted device data with the key pair, the random factor RA and the device fingerprint through the decryption algorithm to obtain the original data, and the verification module verifies the correctness of the data by comparing the summary information M1 obtained during encryption with the summary information M2 obtained after decryption.
CN202211647333.4A 2022-12-21 2022-12-21 Data safety transmission method and system based on industrial equipment data acquisition Pending CN115987500A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211647333.4A CN115987500A (en) 2022-12-21 2022-12-21 Data safety transmission method and system based on industrial equipment data acquisition

Publications (1)

Publication Number Publication Date
CN115987500A true CN115987500A (en) 2023-04-18

Family

ID=85960446

Country Status (1)

Country Link
CN (1) CN115987500A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117255116A (en) * 2023-11-20 2023-12-19 中国移动紫金(江苏)创新研究院有限公司 Method and system for supporting traditional PLC cloud and remote operation and maintenance based on safety Box
CN117255116B (en) * 2023-11-20 2024-02-13 中国移动紫金(江苏)创新研究院有限公司 Method and system for supporting traditional PLC cloud and remote operation and maintenance based on safety Box


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination