CN116886466A - Remote operation and maintenance diagnosis system, equipment and method capable of meeting end-to-end safety - Google Patents


Info

Publication number
CN116886466A
CN116886466A (application number CN202310898684.0A)
Authority
CN
China
Prior art keywords
maintenance
gateway
data
edge computing
client
Prior art date
Legal status
Pending (status as listed by Google Patents; not a legal conclusion)
Application number
CN202310898684.0A
Other languages
Chinese (zh)
Inventor
张辉文
方晓涛
武传坤
Current Assignee
Ananbang Beijing Information Technology Co ltd
Original Assignee
Ananbang Beijing Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Ananbang Beijing Information Technology Co ltd
Priority to CN202310898684.0A
Publication of CN116886466A

Classifications

    • H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication
        • H04L 12/00 Data switching networks > H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
        • H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/10 Active monitoring, e.g. heartbeat, ping or trace-route
        • H04L 61/00 Network arrangements, protocols or services for addressing or naming > H04L 61/50 Address allocation > H04L 61/5007 Internet protocol [IP] addresses
        • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/04 Providing a confidential data exchange among entities communicating through data packet networks > H04L 63/0428 Wherein the data content is protected, e.g. by encrypting or encapsulating the payload > H04L 63/0442 Wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols > H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use > H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
        • H04L 9/08 Key distribution or management > H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Cardiology (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the field of electronic information and in particular provides a remote operation and maintenance diagnosis system, device and method that satisfy end-to-end security. An operation and maintenance gateway is placed in the operation and maintenance area, has a fixed IP address and is reachable over the Internet; a client edge computing gateway is placed inside the client system. The client edge computing gateway has the fixed IP address of the operation and maintenance gateway preset, actively connects to that address, and shares a key with the operation and maintenance gateway, thereby establishing a secure data channel. The terminal devices in the client system that need operation and maintenance are connected to the client edge computing gateway on the local area network, and operation and maintenance personnel reach the client edge computing gateway through the operation and maintenance gateway, so that maintenance and operation and maintenance services can be provided to the client system's terminal devices. The communication data exchanged in the process is protected cryptographically, which protects both the client system's data during remote operation and maintenance and the operation and maintenance service itself.

Description

Remote operation and maintenance diagnosis system, equipment and method capable of meeting end-to-end safety
Technical Field
The invention relates to the technical field of electronic information, in particular to a remote operation and maintenance diagnosis system, equipment and method capable of meeting end-to-end safety.
Background
With the development of network technology, the number of devices connected to the Internet has continued to grow rapidly, as have the variety and scale of Internet-based applications. Both these networked devices and the systems built on them require operational maintenance. On-site operation and maintenance is expensive, however: sometimes a minor technical problem still requires a technician to travel to the site. If operation and maintenance could be carried out remotely over the network, a great deal of labour cost would be saved and problems would be handled more promptly. Many networked systems and devices therefore allow the manufacturer or operator to provide operation and maintenance services over the network.
When an application system connected to the network is operated and maintained remotely, the operation and maintenance engineer must enter the equipment on the customer's intranet and its application systems over the network, inspect the running state of the system, its log records and so on, and may even update system parameters. Behind this lies a constant transfer of data between the engineer and the system under inspection, and that data includes the customer's business data and the engineer's operation instructions. Conversely, an attacker may impersonate the operation and maintenance service in an attempt to intrude into the client's network system. Remote operation and maintenance therefore presents a security risk to the client system and the client's data.
Accordingly, the present invention provides a remote operation and maintenance diagnostic system, apparatus and method satisfying end-to-end security for solving the above-mentioned related technical problems.
Disclosure of Invention
The invention aims to provide a remote operation and maintenance diagnosis system, device and method that satisfy end-to-end security, so as to protect client data during remote operation and maintenance and to prevent an attacker from intruding into the network by impersonating the operation and maintenance service.
In order to achieve the above purpose, the present invention provides the following technical solutions:
The first aspect of the invention: a remote operation and maintenance diagnosis device satisfying end-to-end security, comprising at least one client edge computing gateway device, where the client edge computing gateway device meets the following requirements:
(1) A fixed IP address to which a network connection is to be made is preset;
(2) After the device is networked, it actively connects to that fixed IP address;
(3) It detects whether the running state of the terminal devices connected to it in the client system's local area network is normal;
(4) It detects whether the data sent and received by those terminal devices is normal;
(5) If abnormal data or an abnormal device is detected, it sends the detection result to the fixed IP address;
(6) If no abnormal device or abnormal data is found in the monitored local area network within a period of time, it sends heartbeat packet data to the fixed IP address.
The invention is further provided with: the client edge computing gateway device also satisfies the following requirements:
(1) The client edge computing gateway device shares a key k and an encryption algorithm E with the fixed IP address;
(2) And encrypting important service data by using a secret key k in communication with the fixed IP address, wherein the actually transmitted data is encrypted ciphertext data.
The invention is further provided with: the client edge computing gateway device also satisfies the following requirements:
(1) The edge computing gateway device has a unique identity IDa;
(2) When data is encrypted for communication with the fixed IP address, the device's own identity IDa is encrypted along with it, forming the ciphertext c = E(k, IDa, data), where E is the encryption algorithm preset in the edge computing gateway device.
The invention is further provided with: when data is encrypted for communication with the fixed IP address, the current system time T is encrypted along with it, forming the ciphertext c = E(k, IDa, T, data).
The second aspect of the invention: the remote operation and maintenance diagnosis system meeting the end-to-end safety comprises an operation and maintenance gateway and at least one client edge computing gateway, and meets the following requirements:
(1) The operation and maintenance gateway is arranged in the operation and maintenance area and has a fixed IP address, and can send and receive data through the Internet;
(2) The client edge computing gateway is arranged in a client system;
(3) The client edge computing gateway satisfies the characteristics of the end-to-end secure remote operation and maintenance diagnostic device.
The invention is further provided with: the operation and maintenance gateway can check parameters and operation conditions of the client terminal equipment connected with the client edge computing gateway.
The invention is further provided with: the remote operation and maintenance diagnosis system meets the following requirements:
(1) The operation and maintenance gateway can update the heartbeat packet sending frequency and content of the client edge computing gateway online;
(2) The operation and maintenance gateway can update the key of the client edge computing gateway online;
(3) The online updates of (1) and (2) require data security protection, so that the authenticity of the data source, the integrity of the data and the freshness of the data can be checked during the update, and the update parameters themselves are encrypted.
The invention is further provided with: the operation and maintenance gateway can update the security detection method of the client edge computing gateway on line and can protect the security of updating operation.
The invention is further provided with: when the operation and maintenance gateway is connected with the client edge computing gateway, the operation and maintenance gateway needs to pass through a firewall of a client system where the client edge computing gateway is located.
The invention is further provided with: the following requirements are also met:
(1) The edge computing gateway equipment has an intelligent monitoring function, monitors the running condition of the client terminal equipment connected with the edge computing gateway equipment in real time, analyzes monitoring data, and sends an analysis result to the operation and maintenance gateway;
(2) The operation and maintenance gateway performs intelligent analysis on the received data and makes corresponding reactions;
(3) If the IP address of the edge computing gateway device changes, the device connects to the built-in fixed IP address of the operation and maintenance gateway when it rejoins the network, and the operation and maintenance gateway updates the IP address it has recorded for that device.
A third aspect of the invention: the invention also provides a remote operation and maintenance diagnosis method meeting end-to-end safety, which comprises the following steps:
step one: the client edge computing gateway device presets the public key pk0 and the public-key encryption algorithm Enc of the operation and maintenance gateway device at the fixed IP address;
step two: when the client edge computing gateway device sends data to the operation and maintenance gateway device at that IP address, it performs the following steps:
(1) attach the necessary additional data to the data, forming data';
(2) generate a random number k as the encryption key and encrypt data' to obtain the ciphertext c1 = E(k, data');
(3) encrypt the random number k with the public key of the operation and maintenance gateway device to obtain the ciphertext c2 = Enc(pk0, k);
(4) send c1 and c2 together to the operation and maintenance gateway device;
step three: when the operation and maintenance gateway device receives c1 and c2 from step two, it performs the following operations:
(1) decrypt c2 with its own private key to obtain k;
(2) decrypt c1 with k to obtain data';
(3) separate the data and the additional data from data', and verify the correctness of the additional data to determine the authenticity of the data source, the integrity of the data and the timeliness of the data.
The invention is further provided with: and the client side edge computing gateway equipment presets a public key certificate of the operation and maintenance gateway equipment with the fixed IP address, and obtains a public key of the operation and maintenance gateway equipment through the public key certificate.
The invention is further provided with: the operation and maintenance gateway equipment has public key certificates of all client edge computing gateway equipment communicated with the operation and maintenance gateway equipment.
Compared with the prior art, the invention has the beneficial effects that:
the operation and maintenance gateway is arranged in an operation and maintenance area and has a fixed IP address, and can be accessed through the Internet; the client edge computing gateway is arranged in the client system, can have a fixed IP address, and can also have an intranet IP address distributed by the client system; the edge of the client calculates the fixed IP address of the gateway preset operation and maintenance gateway and actively connects with the preset IP address, thereby ensuring network connection; the client edge computing gateway and the operation and maintenance gateway share a secret key, so that a data security channel is established; the terminal equipment needing operation and maintenance in the client system is connected with the client edge computing gateway in the local area network, and an operation and maintenance person is connected with the client edge computing gateway through the operation and maintenance gateway, so that maintenance and operation and maintenance services can be provided for the terminal equipment of the client system, communication data between the terminal equipment and the client system are processed by a cryptographic technology, and safety protection of remote operation and maintenance service processes on the data of the client system and safety protection of operation and maintenance service itself are guaranteed.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a diagram of an end-to-end secure remote operation and maintenance system architecture according to the present invention;
FIG. 2 is a schematic diagram of an operation and maintenance area device connection according to the present invention;
FIG. 3 is a schematic diagram of a client system device connection of the present invention;
fig. 4 is a schematic diagram of embodiment 2 of the present invention.
Description of the embodiments
The following description of the technical solutions in the embodiments of the present invention will be clear and complete, and it is obvious that the described embodiments are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Examples
This embodiment provides a remote operation and maintenance diagnosis system satisfying end-to-end security. The system comprises an operation and maintenance gateway and one or more client edge computing gateways, as shown in Fig. 1: the operation and maintenance gateway is placed in the operation and maintenance area, has a fixed IP address and is reachable over the Internet; the client edge computing gateway is placed inside the client system and may have either a fixed IP address or an intranet IP address on the client's local area network; the client edge computing gateway has the fixed IP address of the operation and maintenance gateway preset and actively connects to that address, which guarantees the network connection between the two gateways.
In the operation and maintenance area, operation and maintenance personnel carry out maintenance and operation and maintenance services on the client system's terminal devices through the operation and maintenance gateway, as shown in Fig. 2.
In the client system, the terminal devices that need operation and maintenance are connected to the client edge computing gateway on the local area network; through the edge computing gateway they are connected to and monitored by the remote operation and maintenance gateway, and receive detection and inspection by operation and maintenance personnel, as shown in Fig. 3.
The client edge computing gateway device should meet the following configuration requirements:
(1) A fixed IP address to which a network connection is to be made is preset;
(2) After the device is networked, it actively connects to that fixed IP address;
(3) It detects whether the running state of the terminal devices connected to it in the local area network is normal;
(4) It detects whether the data sent and received by those terminal devices is normal;
(5) If abnormal data or an abnormal device is detected, it sends the detection result to the fixed IP address;
(6) If no abnormal device or abnormal data is found in the monitored local area network within a period of time, it sends heartbeat packet data to the fixed IP address.
To protect the data of the client system during operation and maintenance, the client edge computing gateway and the operation and maintenance gateway share a key k and an encryption algorithm E, so that a secure data channel is established for the operation and maintenance process; the business data and asset information of the client generated during operation and maintenance is encrypted, which protects the client system's data during remote operation and maintenance.
Typically one operation and maintenance gateway corresponds to many client edge computing gateways, so every edge computing gateway device must have a unique identity. For convenience of description, the identity of a given client edge computing gateway device is denoted IDa. When the edge computing gateway device encrypts data to be sent to the operation and maintenance gateway, it encrypts its own identity IDa along with the data, forming the ciphertext c = E(k, IDa, data); the purpose of encrypting the identity is that the recipient can verify it after decryption, so as to confirm the authenticity of the data source and protect the integrity of the data.
On an unstable network, data transmission may suffer long delays. To ensure that the operation and maintenance system's data is not affected by replay attacks, the device attaches its current time at the moment of transmission and encrypts this timestamp T so that T cannot be tampered with. Although the clocks of different devices may not be synchronised, a small difference does not affect the protection of data freshness by the timestamp, and data freshness protection resists replay attacks. The method used by the invention is to add the local timestamp T to the encrypted data, forming the ciphertext c = E(k, IDa, T, data).
The client edge computing gateway has the IP address of the operation and maintenance gateway preset and actively connects to it once started, which establishes the network connection between the two gateways.
The operation and maintenance personnel can send instructions to the operated and maintained client equipment through the operation and maintenance gateway, and control the client edge computing gateway to perform operations within the authority range on equipment in the connected client system, such as deleting a certain process or restarting the system.
The operation and maintenance personnel can also update the configuration of the client edge computing gateway remotely through the operation and maintenance gateway, including the heartbeat packet sending frequency and content.
the operation and maintenance personnel can update the shared key of the operation and maintenance gateway and the client edge computing gateway.
The operation and maintenance personnel can update the security detection method of the client edge computing gateway through the operation and maintenance gateway, such as updating detection tools, updating the evaluation standard of the detection result and the like.
The process of updating and configuring the client edge computing gateway by operation and maintenance personnel requires data security protection technologies including data source authentication, data integrity protection and data freshness protection.
In all of the above cases, the operation and maintenance gateway may need to traverse the firewall of the client system where the client edge computing gateway is located when connecting with the client edge computing gateway.
In the remote operation and maintenance diagnosis system, the system also has the following functions:
(1) The edge computing gateway equipment has an intelligent monitoring function, monitors the running condition of terminal equipment of a client system connected with the edge computing gateway equipment in real time, analyzes monitoring data, and sends an analysis result to the operation and maintenance gateway;
(2) The operation and maintenance gateway performs intelligent analysis on the received data and responds accordingly, for example with an audible alarm or a flashing light;
(3) If the IP address of the edge computing gateway device changes, the device reconnects to its built-in fixed IP address (that of the operation and maintenance gateway) when it rejoins the network.
In addition, the embodiment also provides a remote operation and maintenance diagnosis method meeting end-to-end safety, which comprises the following steps:
(1) The client edge computing gateway device presets the public key pk0 and the public-key encryption algorithm Enc of the operation and maintenance gateway device at the fixed IP address;
(2) When the client edge computing gateway device sends data to the operation and maintenance gateway device at that IP address, it performs the following steps:
(1) attach the necessary additional data to the data, such as the identity IDa and a timestamp T, forming data';
(2) generate a random number k as the encryption key and encrypt data' to obtain the ciphertext c1 = E(k, data');
(3) encrypt the random number k with the public key of the operation and maintenance gateway device to obtain the ciphertext c2 = Enc(pk0, k);
(4) send c1 and c2 together to the operation and maintenance gateway device.
(3) When the operation and maintenance gateway device receives c1 and c2 from step (2), it performs the following operations:
(1) decrypt c2 with its own private key to obtain k;
(2) decrypt c1 with k to obtain data';
(3) separate the data and the additional data from data', and verify the correctness of the additional data to determine the authenticity of the data source, the integrity of the data and the timeliness of the data.
Further, the client side edge computing gateway equipment presets a public key certificate of the operation and maintenance gateway equipment with a fixed IP address, and obtains a public key of the operation and maintenance gateway equipment through the public key certificate.
Further, the operation and maintenance gateway device has public key certificates of all client edge computing gateway devices in communication with it, thereby grasping their public keys.
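Steps (1) to (3) of the method, carried through as an added Go example that is not code from the patent or its applicant. E is taken to be AES-256-GCM, Enc to be RSA-OAEP with a 2048-bit key, and data' is encoded as JSON; the OAEP label, the five-minute clock window and the strictly increasing per-source timestamp are assumptions, and the report in main() is constructed sample input. Step (3)'s "authenticity, integrity and timeliness" becomes, in code, the AEAD tag check, a lookup of IDa in the receiver's registry, and a comparison of T against both a skew window and the last accepted value for that IDa.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Envelope carries the method's two ciphertexts: c1 = E(k, data') and c2 = Enc(pk0, k). Here E is
// AES-256-GCM and Enc is RSA-OAEP; the page names neither, so both are assumptions.
type Envelope struct {
	C1 []byte // nonce || AES-GCM(k, data')
	C2 []byte // RSA-OAEP(pk0, k)
}

// inner is data': the data plus the "necessary additional data" IDa and T.
type inner struct {
	IDa  string `json:"ida"`
	T    int64  `json:"t"` // sender's clock, Unix nanoseconds
	Data []byte `json:"data"`
}

var oaepLabel = []byte("opgw-key-wrap") // assumed label; ties the wrapped key to this protocol
const maxSkew = 5 * time.Minute          // tolerated clock difference between the two gateways

// Seal is step two, run on the client edge computing gateway.
func Seal(pk0 *rsa.PublicKey, ida string, now time.Time, data []byte) (Envelope, error) {
	dp, _ := json.Marshal(inner{IDa: ida, T: now.UnixNano(), Data: data}) // (1) data'
	k := make([]byte, 32)                                                  // (2) fresh k for this message only
	rand.Read(k)
	block, _ := aes.NewCipher(k)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize()) // k is single-use, so even a fixed nonce would be sound
	rand.Read(nonce)
	c1 := gcm.Seal(nonce, nonce, dp, nil)
	c2, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pk0, k, oaepLabel) // (3)
	return Envelope{C1: c1, C2: c2}, err                                   // (4) both travel together
}

// Receiver is the operation and maintenance gateway: its private key, the edge gateway identities it
// has registered (the page says it holds a certificate for each) and a per-source replay window.
type Receiver struct {
	sk    *rsa.PrivateKey
	known map[string]bool
	lastT map[string]int64 // newest accepted T per IDa
}

func NewReceiver(ids ...string) (*Receiver, error) {
	sk, err := rsa.GenerateKey(rand.Reader, 2048)
	r := &Receiver{sk: sk, known: map[string]bool{}, lastT: map[string]int64{}}
	for _, id := range ids {
		r.known[id] = true
	}
	return r, err
}

// Open is step three: recover k, decrypt data', then check source, integrity and timeliness.
func (r *Receiver) Open(env Envelope, now time.Time) (string, []byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.sk, env.C2, oaepLabel) // (1)
	if err != nil || len(k) != 32 {
		return "", nil, errors.New("cannot unwrap k")
	}
	block, _ := aes.NewCipher(k)
	gcm, _ := cipher.NewGCM(block)
	if len(env.C1) < gcm.NonceSize() {
		return "", nil, errors.New("short c1")
	}
	dp, err := gcm.Open(nil, env.C1[:gcm.NonceSize()], env.C1[gcm.NonceSize():], nil) // (2)
	if err != nil {
		return "", nil, errors.New("integrity check failed") // the GCM tag is the integrity check
	}
	var in inner // (3) separate the data from the additional data and verify the latter
	if err := json.Unmarshal(dp, &in); err != nil || !r.known[in.IDa] {
		return "", nil, fmt.Errorf("malformed data' or unregistered source %q", in.IDa)
	}
	if d := now.Sub(time.Unix(0, in.T)); d > maxSkew || d < -maxSkew {
		return "", nil, errors.New("timestamp outside the freshness window")
	}
	if in.T <= r.lastT[in.IDa] { // strictly increasing T per source is an assumption beyond the page
		return "", nil, errors.New("replayed envelope")
	}
	r.lastT[in.IDa] = in.T
	return in.IDa, in.Data, nil
}

func main() {
	r, _ := NewReceiver("ECA", "ECB")
	env, _ := Seal(&r.sk.PublicKey, "ECA", time.Now(), []byte("10.0.0.7: cpu 97%")) // constructed report
	id, data, err := r.Open(env, time.Now())
	fmt.Printf("first delivery: id=%s data=%q err=%v\n", id, data, err)
	_, _, err = r.Open(env, time.Now())
	fmt.Println("same envelope again:", err)
}
```

One property of this construction is worth stating plainly: pk0 is public, so anyone can produce an envelope that decrypts cleanly with whatever IDa they choose, and the IDa check therefore establishes which registered gateway a message claims to come from, not that it did. Binding the envelope to its sender needs a secret on the sender's side, for instance a signature over c1 and c2 verified against the edge gateway's public key certificate, which the description says the operation and maintenance gateway holds for every edge gateway; the pre-shared key of the SM4 channel in the following examples gives that binding by a different route.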
Examples
Assume three engineer terminals S1, S2 and S3 in the operation and maintenance area, each connected to the operation and maintenance gateway OPGW, and two client systems under maintenance, client system A and client system B. One client edge computing gateway is installed in each, ECA and ECB respectively. The equipment to be operated and maintained in client system A is attached to the edge computing gateway ECA, and that in client system B to the edge computing gateway ECB. The client edge computing gateways ECA and ECB each connect to the operation and maintenance gateway OPGW over the Internet.
Assume that the ECA is connected directly to the Internet and has a fixed IP address, while the ECB is assigned an intranet IP address inside client system B. Since both the ECA and the ECB have the IP address of the operation and maintenance gateway OPGW preset, they actively connect to the OPGW during installation and testing of the system, so that network connections are established between the ECA and the OPGW and between the ECB and the OPGW, as shown in Fig. 4. An operation and maintenance engineer can then connect to the ECA and the ECB from terminal S1, S2 or S3, reach the operation and maintenance interfaces of the equipment attached to the ECA and the ECB, and perform operation and maintenance services such as detection, analysis, configuration and optimisation.
During the operation and maintenance service, both the data the engineer sees and the operations performed on the maintained equipment travel over the Internet, and the Internet itself provides no security protection. Two security risks follow: (1) the client equipment's data is intercepted in transit over the Internet; (2) the operations the engineer performs on the maintained equipment are tampered with in transit. To counter both threats, a shared key is set up between the ECA and the OPGW and another between the ECB and the OPGW, set by the operator before the ECA and the ECB are installed. Data transmitted between the ECA and the OPGW is encrypted with the national cryptographic standard block cipher SM4, which protects the data and resists theft of content and tampering with instructions. Adding the identity IDa of the ECA to the encrypted data provides data origin authentication; adding a timestamp T to the encrypted data provides data freshness. The same protection is of course required between the ECB and the OPGW.
Examples
When the operation and maintenance gateway OPGW needs to update the shared key k with a certain client edge computing gateway ECA, the following steps are performed:
(1) OPGW ECA: header, Ek(IDa, T, k1),
wherein, the header is a key update description, E is an SM4 encryption algorithm, K is a current shared key of the operation and maintenance gateway OPGW and the client edge computing gateway ECA, T is a current time of the operation and maintenance gateway OPGW, IDa is identity information of the client edge computing gateway ECA, and K1 is a new key to be updated.
(2) The client edge computing gateway ECA performs the following calculations:
a) Decryption data Ek (IDa, T, k 1);
b) Verifying the correctness of IDa and the legality of T, and if the verification is passed, updating k to k1; otherwise, discarding the data;
c) If the key update is successful, a message is sent to the operation and maintenance gateway OPGW to confirm that the key update is successful.
(3) When the OPGW receives the key update acknowledgement sent by the ECA, it also updates the key k to k1.
In practice, the old key is retained after a successful update, because it is not certain whether the communication partner has also updated its key successfully. Once the updated key has been used successfully, the old key may be deleted.
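The key update exchange in steps (1) to (3) above, with the old key retained as just described, as an added example that is not the patent's own code. The cipher E is a labelled stand-in (SHAKE256 keystream plus an HMAC-SHA256 tag) because SM4 is not in the Python standard library; the message layout, the header value, the 30-second freshness window for T and the acknowledgement format are assumptions.

```python
import hashlib, hmac, os, struct

# Stand-in for the page's SM4 "E" (an assumed substitution so this runs offline):
# SHAKE256(k || nonce) as keystream plus an HMAC-SHA256 encrypt-then-MAC tag.
def E(k: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(k + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(k, nonce + ct, hashlib.sha256).digest()

def D(k: bytes, c: bytes):
    nonce, ct, tag = c[:16], c[16:-32], c[-32:]
    ok = hmac.compare_digest(tag, hmac.new(k, nonce + ct, hashlib.sha256).digest())
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(k + nonce).digest(len(ct)))) if ok else None

HEADER, MAX_SKEW = b"KEYUPD", 30   # key-update header and T freshness window (assumed)
class Party:   # key state of either end; ida is the ECA's IDa on both ends
    def __init__(self, ida: bytes, k: bytes):
        self.ida, self.k, self.old_k, self.k1 = ida, k, None, None

def opgw_send_update(opgw: Party, now: int) -> bytes:
    """Step (1): OPGW -> ECA: header, Ek(IDa, T, k1)."""
    opgw.k1 = os.urandom(16)
    return HEADER + E(opgw.k, struct.pack(">16sQ", opgw.ida, now) + opgw.k1)

def eca_receive_update(eca: Party, msg: bytes, now: int):
    """Step (2): decrypt, verify IDa and T, install k1 (old k kept), acknowledge."""
    pt = D(eca.k, msg[len(HEADER):]) if msg.startswith(HEADER) else None
    if pt is None or len(pt) != 40:
        return None                                   # undecryptable: discard
    ida, t = struct.unpack(">16sQ", pt[:24])
    if ida != eca.ida or abs(now - t) > MAX_SKEW:
        return None                                   # wrong IDa or stale T: discard
    eca.old_k, eca.k = eca.k, pt[24:]
    return E(eca.k, HEADER + b"ACK" + eca.ida)        # (2c) confirmation under k1

def opgw_receive_ack(opgw: Party, ack: bytes) -> bool:
    """Step (3): a valid acknowledgement moves OPGW to k1 too; old key retained."""
    if opgw.k1 is None or D(opgw.k1, ack) != HEADER + b"ACK" + opgw.ida:
        return False
    opgw.old_k, opgw.k, opgw.k1 = opgw.k, opgw.k1, None
    return True

def receive_data(p: Party, c: bytes):
    """Ordinary traffic: try k, else the retained old key; once k works, drop old."""
    pt = D(p.k, c)
    if pt is None:
        return D(p.old_k, c) if p.old_k else None
    p.old_k = None                 # new key confirmed in use: old key may be deleted
    return pt
```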
In the description of the present specification, the descriptions of the terms "one embodiment," "example," "specific example," and the like, mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The preferred embodiments of the invention disclosed above are intended only to assist in the explanation of the invention. The preferred embodiments are not exhaustive or to limit the invention to the precise form disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best understand and utilize the invention. The invention is limited only by the claims and the full scope and equivalents thereof.

Claims (13)

1. A remote operation and maintenance diagnostic device satisfying end-to-end security, characterized in that: the device comprises at least one client edge computing gateway device, and the client edge computing gateway device meets the following requirements:
(1) A fixed IP address to which it must connect over the network is preset;
(2) Actively connecting the fixed IP address after networking;
(3) Detecting whether the running state of terminal equipment connected with the gateway equipment in a local area network of a client system is normal or not;
(4) Detecting whether the data sent and received by the terminal equipment connected with the gateway equipment in the local area network of the client system are normal or not;
(5) If abnormal data or abnormal equipment is detected, sending a detection result to the fixed IP address;
(6) If no abnormal equipment and no abnormal data are found in the monitored local area network within a period of time, sending heartbeat packet data to the fixed IP address.
2. A remote operation and maintenance diagnostic device that satisfies end-to-end security according to claim 1, wherein the client edge computing gateway device further satisfies the following requirements:
(1) The client edge computing gateway device shares a key k and an encryption algorithm E with the fixed IP address;
(2) Encrypting important service data with the key k in communication with the fixed IP address, so that the actually transmitted data is the encrypted ciphertext.
3. A remote operation and maintenance diagnostic device satisfying end-to-end security as claimed in claim 2, wherein: the client edge computing gateway device also satisfies the following requirements:
(1) The edge computing gateway device is provided with a unique identity IDa;
(2) When the data is encrypted through communication with the fixed IP address, the self identity information IDa is also encrypted to form ciphertext c=E (k, IDa, data), wherein E is an encryption algorithm preset by the edge computing gateway equipment.
4. A remote operation and maintenance diagnostic device satisfying end-to-end security as claimed in claim 3, wherein: when the data is encrypted for communication with the fixed IP address, the current system time T is also encrypted, forming the ciphertext c=E(k, IDa, T, data).
5. A remote operation and maintenance diagnosis system meeting end-to-end safety is characterized in that: the system comprises an operation and maintenance gateway and at least one client edge computing gateway, and meets the following requirements:
(1) The operation and maintenance gateway is arranged in the operation and maintenance area and has a fixed IP address, and can send and receive data through the Internet;
(2) The client edge computing gateway is arranged in a client system;
(3) The client edge computing gateway satisfies the characteristics of the end-to-end secure remote operation and maintenance diagnostic device.
6. A remote operation and maintenance diagnostic system for satisfying end-to-end security as set forth in claim 5, wherein: the operation and maintenance gateway can check parameters and operation conditions of the client terminal equipment connected with the client edge computing gateway.
7. A remote operation and maintenance diagnostic system for satisfying end-to-end security as set forth in claim 6, wherein: the remote operation and maintenance diagnosis system meets the following requirements:
(1) The operation and maintenance gateway can update the heartbeat packet data sending frequency and the content of the client edge computing gateway on line;
(2) The operation and maintenance gateway can update the key of the client edge computing gateway on line;
(3) The online updating processes of conditions (1) and (2) require data security protection, so that the authenticity of the data source, the integrity of the data and the freshness of the data can be checked during the update, and the updated parameters are protected by encryption.
8. A remote operation and maintenance diagnostic system for satisfying end-to-end security as set forth in claim 7, wherein: the operation and maintenance gateway can update the security detection method of the client edge computing gateway on line and can protect the security of updating operation.
9. A remote operation and maintenance diagnostic system for satisfying end-to-end security as set forth in claim 8, wherein: when the operation and maintenance gateway is connected with the client edge computing gateway, the operation and maintenance gateway needs to pass through a firewall of a client system where the client edge computing gateway is located.
10. A remote operation and maintenance diagnostic system for satisfying end-to-end security as set forth in claim 9, wherein: the following requirements are also met:
(1) The edge computing gateway equipment has an intelligent monitoring function, monitors the running condition of the client terminal equipment connected with the edge computing gateway equipment in real time, analyzes monitoring data, and sends an analysis result to the operation and maintenance gateway;
(2) The operation and maintenance gateway performs intelligent analysis on the received data and makes corresponding reactions;
(3) If the edge computing gateway equipment changes the IP address, the edge computing gateway equipment is connected with an operation and maintenance gateway with a built-in fixed IP address when the network is connected, and the operation and maintenance gateway modifies the IP address corresponding to the edge computing gateway equipment.
11. The remote operation and maintenance diagnosis method meeting the end-to-end safety is characterized by comprising the following steps of:
step one, a client edge computing gateway device presets a public key pk0 and a public key encryption algorithm Enc of an operation and maintenance gateway device with a fixed IP address;
step two, when the client edge computing gateway device sends data to the operation and maintenance gateway device of the IP address, the following steps are executed:
(1) attaching the necessary additional data to the data to obtain data';
(2) generating a random number k as an encryption key, and encrypting data' to obtain the ciphertext c1=E(k, data');
(3) encrypting the random number k with the public key of the operation and maintenance gateway equipment to obtain the ciphertext c2=Enc(pk0, k);
(4) transmitting c1 and c2 together to the operation and maintenance gateway equipment;
step three, when the operation and maintenance gateway equipment receives the data c1 and c2 of step two, executing the following operations:
(1) decrypting c2 with its own private key to obtain k;
(2) decrypting c1 with k to obtain data';
(3) separating the data and the other additional data from data', and verifying the correctness of the additional data to determine the authenticity of the data source, the integrity of the data and the timeliness of the data.
12. A method of remote operation and maintenance diagnosis for end-to-end security as claimed in claim 11, wherein: the client edge computing gateway equipment presets a public key certificate of the operation and maintenance gateway equipment with the fixed IP address, and obtains the public key of the operation and maintenance gateway equipment from the public key certificate.
13. A method of remote operation and maintenance diagnosis for end-to-end security as claimed in claim 11, wherein: the operation and maintenance gateway equipment has public key certificates of all client edge computing gateway equipment communicated with the operation and maintenance gateway equipment.
CN202310898684.0A 2023-07-21 2023-07-21 Remote operation and maintenance diagnosis system, equipment and method capable of meeting end-to-end safety Pending CN116886466A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310898684.0A CN116886466A (en) 2023-07-21 2023-07-21 Remote operation and maintenance diagnosis system, equipment and method capable of meeting end-to-end safety

Publications (1)

Publication Number Publication Date
CN116886466A true CN116886466A (en) 2023-10-13

Family

ID=88256527

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118413437B (en) * 2024-07-03 2024-09-20 安全邦(北京)信息技术有限公司 Remote operation and maintenance diagnosis system and method capable of meeting end-to-end safety

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110430179A (en) * 2019-07-26 2019-11-08 西安交通大学 A kind of control method and system for intranet and extranet secure access
CN111901360A (en) * 2020-08-10 2020-11-06 西安交通大学 Control system suitable for safe access of intranet data
CN114545860A (en) * 2022-03-07 2022-05-27 河钢数字技术股份有限公司 Remote PLC maintenance method based on gateway of Internet of things

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination