CN117527398A - Numerical control system safety protection method - Google Patents


Info

Publication number
CN117527398A
Authority
CN
China
Prior art keywords
user
request
password
login
certificate
Legal status
Pending
Application number
CN202311602380.1A
Other languages
Chinese (zh)
Inventor
代超仁
冯冰艳
晏嫚
王萧
吴玉欣
舟洋吉易
杜鹏
郭帅
Current Assignee
Wuhan Huazhong Numerical Control Co Ltd
Original Assignee
Wuhan Huazhong Numerical Control Co Ltd
Application filed by Wuhan Huazhong Numerical Control Co Ltd
Priority to CN202311602380.1A
Publication of CN117527398A
Legal status: Pending


Abstract

The disclosure provides a method for protecting the security of a numerical control (NC) system, comprising: in response to receiving a login request from a user, authenticating the login request on the basis of a preset national cryptographic algorithm (the Chinese national commercial cryptographic algorithms, the SM series), the preset national cryptographic algorithm comprising a symmetric encryption algorithm, an asymmetric encryption algorithm and a cryptographic hash algorithm; when the login request passes identity authentication, completing the user login; in response to receiving an operation request from the user, checking on the basis of the preset national cryptographic algorithm whether the user has permission to execute the operation request; and executing the operation request when the user has that permission. Identity authentication and permission control built on the national cryptographic algorithm secure the information of the numerical control system. The disclosure also provides a numerical control system security protection device, an electronic device and a storage medium.

Description

Numerical control system safety protection method
Technical Field
The disclosure relates to the technical field of intelligent manufacturing, and more particularly to a numerical control system safety protection method.
Background
Numerical control systems are moving from traditional manufacturing toward digitalization, networking and intelligence, and the protection of information security is unavoidable during that transformation. The numerical control machine tool, an important component of the numerical control system, faces industrial viruses and network attacks. Once the numerical control system is compromised, the machine tool can be paralysed and information leaked; establishing sound information-security countermeasures for numerical control machine tools and improving the information protection and security of numerical control systems is therefore a pressing task.
Regarding the security of numerical control systems, the main problems are: (1) in traditional numerical control manufacturing, the closed nature of the numerical control system kept its information-security requirements low, so numerical control system manufacturers at home and abroad paid little attention to information security; (2) the data files of the numerical control system are weakly protected: most machine tool control systems transmit and manage machining programs in plaintext, so unencrypted part programs are easily obtained illegitimately and the machined part can be reconstructed with special software, leaking manufacturing data.
Disclosure of Invention
In view of the above, the present disclosure provides a method for protecting a numerical control system to improve the security of the numerical control system.
The present disclosure provides a method for protecting the security of a numerical control system, comprising: in response to receiving a login request from a user, authenticating the login request on the basis of a preset national cryptographic algorithm, the preset national cryptographic algorithm comprising a symmetric encryption algorithm, an asymmetric encryption algorithm and a cryptographic hash algorithm; when the login request passes identity authentication, completing the user login; in response to receiving an operation request from the user, checking on the basis of the preset national cryptographic algorithm whether the user has permission to execute the operation request; and executing the operation request when the user has that permission.
According to an embodiment of the present disclosure, authenticating the login request includes: obtaining the user's authorization to enter login information, and entering the login information once that authorization is given, the login information comprising at least a user name and a password; reading the national cryptographic certificate from the user's cryptographic device, the certificate having been issued by a self-built certificate authority (CA) and downloaded to the cryptographic device in advance and carrying at least the authority level of the user, the cryptographic device comprising at least a USB key; and digitally signing the login information with the national cryptographic certificate and the preset national cryptographic algorithm, then authenticating the login request on the basis of the login information and the digital signature.
According to an embodiment of the present disclosure, authenticating the login request on the basis of the login information and the digital signature includes: checking the login information; and calling the public key certificate of the self-built CA to verify the validity of the national cryptographic certificate and of the digital signature.
According to an embodiment of the present disclosure, the operation request includes at least an operation object and an operation instruction, and checking whether the user has permission to execute the operation request includes: extracting the signature certificate of the operation object and determining the authority level of the operation object from that certificate; decrypting the national cryptographic certificate in the user's cryptographic device with the preset national cryptographic algorithm and determining the authority level of the user; and determining that the user has permission to execute the operation request when the user's authority level is higher than that of the operation object.
According to an embodiment of the present disclosure, executing the operation request includes: in response to the operation request being a data storage request, creating a virtual disk and encrypting it; and storing the data in the virtual disk.
According to an embodiment of the present disclosure, encrypting the virtual disk according to a disk password includes: obtaining the password of the virtual disk; and completing the encryption and decryption of the virtual disk inside the user's cryptographic device, using the preset national cryptographic algorithm and the password.
According to an embodiment of the present disclosure, executing the operation request includes: in response to the operation request being a data transmission request, obtaining the user's authorization to enter the password of the virtual disk; entering the password of the virtual disk once that authorization is given; and, when the virtual disk password verifies, decrypting with the preset national cryptographic algorithm, mounting the virtual disk and executing the data transmission request.
A second aspect of the present disclosure provides a numerical control system security protection device configured to perform the above numerical control system security protection method, including: an identity authentication module, which responds to a received login request from a user by authenticating the login request and, when the request passes identity authentication, completes the user login; a permission limiting module, which responds to a received operation request from the user by checking whether the user has permission to execute the operation request; and an operation execution module, which executes the operation request when the user has that permission.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to perform the above numerical control system security protection method.
A fourth aspect of the present disclosure provides a computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the above numerical control system security protection method.
According to the numerical control system security protection method provided by the disclosure, identity authentication and permission checking in the operation flow of the numerical control system are carried out with the preset national cryptographic algorithm. Because the national cryptographic algorithm is integrated into the numerical control system, the latent security risks of the numerical control system are at least partly addressed and the security of the numerical control system is assured.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates a flow chart of a method of numerical control system security protection in accordance with an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow diagram of identity authentication according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of signature verification according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of rights control in accordance with an embodiment of the present disclosure;
FIG. 5 schematically illustrates an application scenario of data storage encryption according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a flow chart of data storage according to an embodiment of the disclosure;
FIG. 7 schematically illustrates a flow chart of data storage medium binding according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a flow chart of data storage medium unbinding according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a schematic diagram of a production line application scenario in accordance with an embodiment of the present disclosure;
FIG. 10 schematically illustrates a schematic diagram of an authentication application scenario according to an embodiment of the present disclosure;
FIG. 11 schematically illustrates a block diagram of a numerical control system security protection device in accordance with an embodiment of the present disclosure;
FIG. 12 schematically illustrates an architecture diagram of identity authentication in accordance with an embodiment of the present disclosure;
FIG. 13 schematically illustrates a secure storage module architecture diagram of an operation execution module according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, they should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
First, the technical terms referred to herein are described as follows:
Preset national cryptographic algorithm: the national cryptographic algorithms are the Chinese national commercial cryptographic algorithms, published as cryptographic algorithm standards with accompanying application specifications; several of them have also become international standards (SM2, SM3, SM4 and SM9 are published in ISO/IEC standards). "SM" stands for shangmi, commercial cipher, that is, cryptography for commercial use. The symmetric (block) encryption algorithms are SM1, SM4 and SM7; the asymmetric encryption algorithms are SM2 and SM9; the cryptographic hash algorithm is SM3. Note that SM1 and SM7 are not published and exist only as hardware implementations inside approved cryptographic devices, whereas SM2, SM3, SM4 and SM9 are public specifications.
Fig. 1 schematically illustrates a flowchart of a method for protecting a numerical control system according to an embodiment of the present disclosure. As shown in fig. 1, the method includes: in response to receiving a login request from a user, authenticating the login request on the basis of a preset national cryptographic algorithm, the preset national cryptographic algorithm comprising a symmetric encryption algorithm, an asymmetric encryption algorithm and a cryptographic hash algorithm; when the login request passes identity authentication, completing the user login; in response to receiving an operation request from the user, checking on the basis of the preset national cryptographic algorithm whether the user has permission to execute the operation request; and executing the operation request when the user has that permission.
According to this embodiment, identity authentication and permission checking in the operation flow of the numerical control system are carried out with the preset national cryptographic algorithm, and integrating the national cryptographic algorithm into the numerical control system addresses its latent security risks.
On the basis of the above embodiments, fig. 2 schematically illustrates a flowchart of identity authentication according to an embodiment of the disclosure. As shown in fig. 2, authenticating the login request includes: obtaining the user's authorization to enter login information, and entering the login information once that authorization is given, the login information comprising at least a user name and a password; reading the national cryptographic certificate from the user's cryptographic device, the certificate having been issued by a self-built certificate authority (CA) and downloaded to the cryptographic device in advance and carrying at least the authority level of the user, the cryptographic device comprising at least a USB key; and digitally signing the login information with the national cryptographic certificate and the preset national cryptographic algorithm, then authenticating the login request on the basis of the login information and the digital signature.
In this embodiment, a national cryptographic certificate is first applied for from the self-built CA system through the RA system; this can be done through an interface or the RA management page. Once the application is complete the certificate is downloaded to a USB key, and the USB key carrying the certificate is issued to the numerical control machine tool operator or administrator for safekeeping. A certificate control and component are embedded in the login window, and the server side generates a random number and a digital signature, giving a plug-and-play login: inserting the USB key automatically enumerates the digital certificates in the key, and the user selects one. Second, after the user enters the certificate password and clicks the login button, the window calls the operation script of the certificate control; once the certificate password checks out, the random number and digital signature generated by the server are verified, the intelligent numerical control machine tool digitally signs the random number, and the authentication information is submitted to the server for verification. The authentication information consists mainly of the random number, the client certificate and the client signature; the server background program verifies the validity of the client certificate and of the digital signature. Finally, the numerical control system sends the service message carrying the digital signature to the machine tool master control system, which first confirms the identity from the user information in the message and at the same time calls the signature verification server to verify the signature, returning the machine tool verification result once the whole identity verification is complete. The authentication server extracts the user's digital certificate of the intelligent numerical control machine tool from the authentication information, parses the certificate's unique identifier, looks that identifier up in the background database and applies access control; after the server passes the authentication it forms login authorization information in a standard format and returns it to the intelligent numerical control machine tool.
According to this embodiment, the USB key is used to apply for the national cryptographic certificate from the self-built CA system through the RA system, and the certificate is used to check whether the user is a legitimate user; the login information is protected, the practical requirements of the numerical control system are met, and the cost is low.
On the basis of the above embodiment, authenticating the login request on the basis of the login information and the digital signature includes: checking the login information; and calling the public key certificate of the self-built CA to verify the validity of the national cryptographic certificate and of the digital signature.
In this embodiment, fig. 3 schematically illustrates a flow chart of signature verification according to an embodiment of the disclosure. As shown in fig. 3, the disclosure supports remote verification and local verification at the same time. First the national cryptographic certificate stored in the USB key is selected and the certificate's signature obtained; after the PIN code of the USB key is entered, the login information is signed. For remote verification the signature verification server is invoked; for local verification an SM2 signature verification is performed on the signed data against the trusted root certificate or intermediate certificate of the self-built CA.
According to this embodiment, the validity of the national cryptographic certificate is checked with the public key certificate of the self-built CA, so that signing and signature verification can be provided locally, which suits deployments with stricter security-control requirements.
On the basis of the above embodiment, the operation request includes at least an operation object and an operation instruction, and checking whether the user has permission to execute the operation request includes: extracting the signature certificate of the operation object and determining the authority level of the operation object from that certificate; decrypting the national cryptographic certificate in the user's cryptographic device with the preset national cryptographic algorithm and determining the authority level of the user; and determining that the user has permission to execute the operation request when the user's authority level is higher than that of the operation object.
Fig. 4 schematically illustrates a flowchart of permission control according to an embodiment of the present disclosure. First, to keep illegitimate terminals off the production communication network, a subject identifier is assigned to each subject that joins the network. The subject identifier is a set of data identifying an identity and may be a network card MAC address, a 4G chip serial number, an industrial internet identifier currently being rolled out (Ecode, OID, Handle), or the like. The identifier is generated and held by the terminal and managed centrally by an agent, which supports auditing, querying and revocation based on the identifier. The access security level of a device is written into the device's signature certificate; the cryptographic suite is ECC_SM4_SM3 (SM2 public-key operations with SM4 encryption and SM3 hashing), and the adapter obtains the device's signature certificate to determine the device's authority level. Next, the authority level contained in the user's national cryptographic certificate is obtained. Finally, the authority levels of the user and of the device (that is, the operation object) are compared to decide whether the user has the operation authority.
Note that even when the user has the operation authority, data transmission is only carried out when the removable storage device held by the user is a registered device.
According to this embodiment, defining authority levels for operation objects and users provides security authentication and encrypted data transmission for data access between the devices of the production-line network, which secures access between those devices.
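The login exchange described above (random number from the server, signature by the USB key, verification of the certificate and signature against the self-built CA's public key certificate, lookup of the certificate's unique identifier) together with the authority-level comparison of the permission-control flow, as an added runnable example in Python 3.8 or later. This is editor-supplied code, not the patent's or Wuhan Huazhong's implementation. SM3 and SM2 on the sm2p256v1 curve are implemented in plain Python so the example runs offline; the certificate layout, the `CA`, `UKey` and `AuthServer` classes, the `may_operate` function and the constructed serials and names are assumptions of this example (a deployment uses X.509 SM2 certificates and a hardware token). Two points the page leaves implicit are made explicit: the random number is a one-shot challenge, so a captured signature cannot be replayed, and the level comparison is strict (the user's level must be higher than the device's) exactly as the page states, so whether equal levels should be allowed is a policy decision to take deliberately.

```python
import secrets, struct

# --- SM3 hash (GB/T 32905) ---
def _rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
def sm3(msg: bytes) -> bytes:
    V = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600, 0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]
    bitlen = 8 * len(msg)
    msg += b'\x80' + b'\x00' * ((55 - len(msg)) % 64) + struct.pack('>Q', bitlen)
    for off in range(0, len(msg), 64):
        W = list(struct.unpack('>16I', msg[off:off + 64]))
        for j in range(16, 68):
            x = W[j - 16] ^ W[j - 9] ^ _rotl(W[j - 3], 15)
            W.append(x ^ _rotl(x, 15) ^ _rotl(x, 23) ^ _rotl(W[j - 13], 7) ^ W[j - 6])
        A, B, C, D, E, F, G, H = V
        for j in range(64):
            T = 0x79CC4519 if j < 16 else 0x7A879D8A
            SS1 = _rotl((_rotl(A, 12) + E + _rotl(T, j % 32)) & 0xFFFFFFFF, 7)
            SS2 = SS1 ^ _rotl(A, 12)
            FF = A ^ B ^ C if j < 16 else (A & B) | (A & C) | (B & C)
            GG = E ^ F ^ G if j < 16 else (E & F) | (~E & G)
            TT1 = (FF + D + SS2 + (W[j] ^ W[j + 4])) & 0xFFFFFFFF
            TT2 = (GG + H + SS1 + W[j]) & 0xFFFFFFFF
            A, B, C, D = TT1, A, _rotl(B, 9), C
            E, F, G, H = TT2 ^ _rotl(TT2, 9) ^ _rotl(TT2, 17), E, _rotl(F, 19), G
        V = [v ^ w for v, w in zip(V, (A, B, C, D, E, F, G, H))]
    return struct.pack('>8I', *V)

# --- SM2 on sm2p256v1 (GB/T 32918); affine points, None is the point at infinity ---
PRIME = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
CURVE_A, CURVE_B = PRIME - 3, 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
ORDER = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
GEN = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
       0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def ec_add(p1, p2):
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0: return None
    lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, PRIME) if x1 == x2 else (y2 - y1) * pow(x2 - x1, -1, PRIME)
    x3 = (lam * lam - x1 - x2) % PRIME
    return x3, (lam * (x1 - x3) - y1) % PRIME
def ec_mul(k, pt):                               # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def _za(ident: bytes, pub) -> bytes:             # Z_A = SM3(ENTL_A || ID_A || a || b || xG || yG || xA || yA)
    fields = (CURVE_A, CURVE_B, *GEN, *pub)
    return sm3(struct.pack('>H', 8 * len(ident)) + ident + b''.join(v.to_bytes(32, 'big') for v in fields))
def sm2_sign(d: int, ident: bytes, msg: bytes):
    e = int.from_bytes(sm3(_za(ident, ec_mul(d, GEN)) + msg), 'big')
    while True:
        k = secrets.randbelow(ORDER - 1) + 1
        r = (e + ec_mul(k, GEN)[0]) % ORDER
        s = pow(1 + d, -1, ORDER) * (k - r * d) % ORDER
        if r and s and r + k != ORDER: return r, s
def sm2_verify(pub, ident: bytes, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < ORDER and 0 < s < ORDER) or (r + s) % ORDER == 0: return False
    e = int.from_bytes(sm3(_za(ident, pub) + msg), 'big')
    pt = ec_add(ec_mul(s, GEN), ec_mul((r + s) % ORDER, pub))
    return pt is not None and (e + pt[0]) % ORDER == r

# --- self-built CA, USB-key-resident certificate, challenge-response login, permission check ---
# The certificate layout below is an assumption of this example; a deployment uses X.509 SM2 certificates.
def keygen(): d = secrets.randbelow(ORDER - 2) + 1; return d, ec_mul(d, GEN)   # private key in [1, n-2]
def _tbs(cert) -> bytes:                         # bytes the CA signs: serial, subject, authority level, public key
    return b'|'.join([cert['serial'].encode(), cert['subject'].encode(), str(cert['level']).encode(),
                      *(v.to_bytes(32, 'big') for v in cert['pub'])])

class CA:
    def __init__(self): self.d, self.pub = keygen()
    def issue(self, serial, subject, level, pub):
        cert = {'serial': serial, 'subject': subject, 'level': level, 'pub': pub}
        return dict(cert, sig=sm2_sign(self.d, b'CA', _tbs(cert)))
    def valid(self, cert) -> bool:               # local verification against the CA's public-key certificate
        return sm2_verify(self.pub, b'CA', _tbs(cert), cert['sig'])

class UKey:                                      # the private key never leaves the token; the PIN gates its use
    def __init__(self, d, cert, pin): self._d, self.cert, self._pin = d, cert, pin
    def sign(self, pin, data):
        if pin != self._pin: raise PermissionError('wrong PIN')
        return sm2_sign(self._d, self.cert['subject'].encode(), data)

class AuthServer:
    def __init__(self, ca, registry):            # registry: certificate serials allowed to log in
        self.ca, self.registry, self.nonces = ca, set(registry), set()
    def challenge(self) -> bytes:                # fresh random number, remembered so it can be used exactly once
        nonce = secrets.token_bytes(32); self.nonces.add(nonce); return nonce
    def login(self, nonce, cert, sig):
        if nonce not in self.nonces: return None # unknown or already consumed nonce: a replayed signature fails
        self.nonces.discard(nonce)
        if not self.ca.valid(cert) or cert['serial'] not in self.registry: return None
        if not sm2_verify(cert['pub'], cert['subject'].encode(), nonce, sig): return None
        return {'subject': cert['subject'], 'level': cert['level']}   # login authorization information

def may_operate(ca, user_cert, device_cert, device_registered=True) -> bool:
    # Both certificates must verify against the CA; the user's level must be higher than the device's
    # (strict, as the page states); removable media must additionally be a registered device.
    return (device_registered and ca.valid(user_cert) and ca.valid(device_cert)
            and user_cert['level'] > device_cert['level'])
```

When adapting this, keep a known-answer check (SM3 of b'abc', and n·G being the point at infinity) as a guard against a mistyped curve parameter. The private key is only ever touched inside `UKey.sign`, after the PIN check, which is the property the page relies on when it replaces account-plus-password login; the server never sees it, only the certificate, the nonce and the signature.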
On the basis of the above embodiment, executing the operation request includes: in response to the operation request being a data storage request, creating a virtual disk and encrypting it; and storing the data in the virtual disk.
On the basis of the above embodiment, encrypting the virtual disk according to a disk password includes: obtaining the password of the virtual disk; and completing the encryption and decryption of the virtual disk inside the user's cryptographic device, using the preset national cryptographic algorithm and the password.
On the basis of the above embodiment, executing the operation request includes: in response to the operation request being a data transmission request, obtaining the user's authorization to enter the password of the virtual disk; entering the password of the virtual disk once that authorization is given; and, when the virtual disk password verifies, decrypting with the preset national cryptographic algorithm, mounting the virtual disk and executing the data transmission request.
In this embodiment, fig. 5 schematically illustrates an application scenario of data storage encryption according to an embodiment of the present disclosure. Around the storage-security problem of the open numerical control system, the work studies local storage of G code, process files and the like in the numerical control system together with a secure remote-storage scheme for the big data generated while the numerical control system runs: an encrypted file system is built and combined with trusted computing 3.0 for trusted measurement and access monitoring of files and processes, giving encrypted storage and secure access for local files; provably secure homomorphic or semi-homomorphic encryption, dynamic order-preserving encryption and searchable encryption algorithms are designed and combined with the national cryptographic algorithm to protect the secure storage, fast computation and retrieval of remote data (such as an MES database or cloud storage) in an open environment; a unified identification method for numerical control system users and devices is studied, and the SM9 identity-based encryption algorithm is used for encrypted storage and exchange of files; a fast online/offline SM9 implementation is studied, with SM9 private keys protected by the file-storage security policy of trusted computing 3.0; and SM9 is combined with identity and attribute certificates, other authentication methods and the NC-Link protocol to share remote encrypted data securely.
Note that data storage uses virtual disk technology: a local file is virtualized into a disk with the device mapper, and the files to be protected are saved in that virtual disk. When the disk file is created an encryption password must be set, and every sector of the storage medium is then SM4-encrypted under that password. The password must be entered again to mount the disk, and mounting succeeds only if it is correct. To keep the key computation secure, encryption and decryption are carried out inside the UKey.
According to this embodiment, every sector of the storage medium is SM4-encrypted under the set password, the files stored in the numerical control system are protected by the virtual disk, and the virtual disk holding the files can only be mounted when the correct password is entered, which secures the data of the numerical control system and provides file encryption and encrypted data transmission.
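The virtual-disk scheme just described (a password-keyed SM4 layer over every sector, a mount that is refused when the password is wrong) as an added runnable Python example; editor-supplied, not the patent's or the product's code. SM4 is implemented in plain Python; the per-sector mode (CBC with an ESSIV-style IV derived from the sector number), the encrypted check value in sector 0 that lets a wrong password be rejected, the `key_from_password` stand-in (PBKDF2-HMAC-SHA256 from the standard library, where the page has the key derivation performed inside the UKey with the SM algorithms) and the constructed G-code sector are assumptions of this example. It shows the property the page's "all sectors" wording does not spell out: the IV must depend on the sector number, otherwise two identical sectors produce identical ciphertext and the image leaks structure.

```python
import hashlib, secrets, struct

# --- SM4 block cipher (GB/T 32907) ---
SBOX = bytes.fromhex(
    'd690e9fecce13db716b614c228fb2c05 2b679a762abe04c3aa44132649860699'
    '9c4250f491ef987a33540b43edcfac62 e4b31ca9c908e89580df94fa758f3fa6'
    '4707a7fcf37317ba83593c19e6854fa8 686b81b27164da8bf8eb0f4b70569d35'
    '1e240e5e6358d1a225227c3b01217887 d40046579fd327524c3602e7a0c4c89e'
    'eabf8ad240c738b5a3f7f2cef96115a1 e0ae5da49b341a55ad933230f58cb1e3'
    '1df6e22e8266ca60c02923ab0d534e6f d5db3745defd8e2f03ff6a726d6c5b51'
    '8d1baf92bbddbc7f11d95c411f105ad8 0ac13188a5cd7bbd2d74d012b8e5b4b0'
    '8969974a0c96777e65b9f109c56ec684 18f07dec3adc4d2079ee5f3ed7cb3948')
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = [sum(((4 * i + j) * 7 % 256) << (24 - 8 * j) for j in range(4)) for i in range(32)]

def _rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
def _tau(x): return sum(SBOX[(x >> s) & 0xFF] << s for s in (24, 16, 8, 0))      # byte-wise S-box
def _t(x): b = _tau(x); return b ^ _rotl(b, 2) ^ _rotl(b, 10) ^ _rotl(b, 18) ^ _rotl(b, 24)   # round transform T
def _t_key(x): b = _tau(x); return b ^ _rotl(b, 13) ^ _rotl(b, 23)                           # key-schedule T'

def sm4_round_keys(key: bytes) -> list:
    k = [a ^ b for a, b in zip(struct.unpack('>4I', key), FK)]
    for i in range(32):
        k.append(k[i] ^ _t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]

def sm4_block(rk, block: bytes) -> bytes:        # encrypt with rk; decrypt with rk[::-1]
    x = list(struct.unpack('>4I', block))
    for i in range(32):
        x.append(x[i] ^ _t(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i]))
    return struct.pack('>4I', *x[35:31:-1])

# --- per-sector encryption and the password-gated virtual disk ---
SECTOR = 512

class SectorCipher:
    """SM4-CBC per sector with an ESSIV-style IV: the sector number is encrypted under a key derived
    from the disk key, so equal plaintext in two sectors gives different ciphertext (dm-crypt cbc-essiv
    pattern; the mode is an assumption of this example, the page only says SM4 over all sectors)."""
    def __init__(self, key: bytes):
        self.rk = sm4_round_keys(key)
        self.iv_rk = sm4_round_keys(sm4_block(self.rk, b'ncsys-essiv-key!'))   # 16-byte derivation label
    def _iv(self, sector: int) -> bytes:
        return sm4_block(self.iv_rk, sector.to_bytes(16, 'little'))
    def encrypt(self, sector: int, data: bytes) -> bytes:
        out, prev = bytearray(), self._iv(sector)
        for i in range(0, SECTOR, 16):
            prev = sm4_block(self.rk, bytes(a ^ b for a, b in zip(data[i:i + 16], prev)))
            out += prev
        return bytes(out)
    def decrypt(self, sector: int, data: bytes) -> bytes:
        out, prev, rk = bytearray(), self._iv(sector), self.rk[::-1]
        for i in range(0, SECTOR, 16):
            out += bytes(a ^ b for a, b in zip(sm4_block(rk, data[i:i + 16]), prev))
            prev = data[i:i + 16]
        return bytes(out)

def key_from_password(password: str, salt: bytes) -> bytes:
    # Stand-in KDF from the standard library. The page performs this step inside the UKey with the SM
    # algorithms (an SM3-based derivation); that is what a deployment would use here instead.
    return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 50_000, dklen=16)

class VirtualDisk:
    """Sector-addressed encrypted image. Sector 0 holds an encrypted check value, so a wrong password is
    refused at mount time instead of mounting garbage (the check value is an assumption of the example)."""
    MAGIC = b'NC-VDISK-SM4-CBC'
    def __init__(self, password: str, sectors: int):
        self.salt, self.cipher = secrets.token_bytes(16), None
        self.image = bytearray(SECTOR * (sectors + 1))
        header = SectorCipher(key_from_password(password, self.salt))
        self.image[:SECTOR] = header.encrypt(0, self.MAGIC.ljust(SECTOR, b'\0'))
    def mount(self, password: str) -> bool:
        c = SectorCipher(key_from_password(password, self.salt))
        if not c.decrypt(0, bytes(self.image[:SECTOR])).startswith(self.MAGIC): return False
        self.cipher = c
        return True
    def unmount(self): self.cipher = None          # forget the key; the image stays ciphertext
    def write_sector(self, n: int, data: bytes):
        if not self.cipher or n < 1 or len(data) != SECTOR: raise ValueError('mounted disk, n >= 1, one full sector')
        self.image[n * SECTOR:(n + 1) * SECTOR] = self.cipher.encrypt(n, data)
    def read_sector(self, n: int) -> bytes:
        if not self.cipher or n < 1: raise ValueError('mounted disk, n >= 1')
        return self.cipher.decrypt(n, bytes(self.image[n * SECTOR:(n + 1) * SECTOR]))
```

A sector-level cipher gives confidentiality only: CBC decryption of a modified ciphertext sector yields garbage without any error, so a deployment that also needs integrity adds an authentication tag or a hash tree on top of this layer rather than relying on the check value in sector 0, which only detects a wrong password.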
Example 1
Fig. 9 schematically illustrates a production line application scenario in accordance with an embodiment of the present disclosure.
(1) Illegal identity login
Before production starts on the line, a worker logs in to the master control system with an account and password, starts the various services in the system, sets the production tasks of the line and then controls the line. During login only the account and password are checked; the identity of the person logging in is not verified. Once an illegitimate user obtains an account and password, they can log in to the master control system to copy important files, leak production data, perform malicious operations and so on, causing serious safety problems for the production line.
To address this, UKey digital authentication based on the SM2 algorithm is proposed. The original "account + password" login is replaced by UKey digital authentication. The UKey holds the identity information and digital certificate of the user. When a user logs in to the master control system, the UKey is inserted and its certificate and identity information are authenticated; after that succeeds the user enters the UKey's personal PIN code to authenticate to the UKey. Each user can therefore log in to the master control system only with their own UKey, and login by illegitimate users is effectively refused.
(2) User operation data file
As shown in fig. 9, in the intelligent manufacturing line scenario the data storage files have no encryption protection, so the data files are prone to leakage.
To solve this, an SM4-based data storage encryption function is provided. The host hardening system opens new disk space in the storage area and encrypts it. Any data stored in that region is encrypted, and copy-and-paste of the data is restricted: copied data remains encrypted and is shown as ciphertext, which effectively prevents illegitimate users from leaking data by copying it.
(3) USB flash disk copy system file
In the master control system, no permission management is applied to the use of removable devices such as USB flash drives. During production on the line, users copy files with USB flash drives as needed. The master control system takes no security measures on the USB interface, so the stored data files are at risk of theft.
To address this, device-control technology is provided to deal with the risk of file copying. After host hardening, the USB interface is restricted: when a USB flash drive is inserted into the master control system, its access rights can be limited. Unregistered devices cannot access the master control system; only after registration can a device access the data files normally. Copying of data files can also be limited, so that a user can transfer files only through the host hardening system and the files are shown as ciphertext, which effectively prevents users from leaking files through removable devices such as USB flash drives.
Example two
Fig. 10 schematically illustrates a schematic diagram of an authentication application scenario according to an embodiment of the present disclosure.
(1) Illegal user login
As shown in fig. 10, during use of the numerical control system the user's authority cannot be controlled. The numerical control system has five user levels (operator, workshop administrator, machine tool manufacturer, numerical control manufacturer and system administrator), each corresponding to one of five user passwords and each holding different operation authorities. Under password login, an operator who obtains the system administrator's login password can log in to the numerical control system as the system administrator and operate it illegally.
To address the lack of user authority control, a user authority control function is provided. UKey identity authentication replaces the original password login, and each user knows only their own user identity and UKey PIN code. During UKey authentication, both the user identity authentication information in the UKey and the UKey's PIN code are verified, and the user can log in to the numerical control system only when both succeed. Login by illegal users is effectively prevented.
(2) Data storage encryption
In the numerical control system, data files lack encryption protection. During machining, a user can copy G-code and PLC files to other devices with mobile equipment such as a USB flash disk for modification or reading. The numerical control system neither controls the permissions of such mobile devices nor encrypts the copied data files, so any user can copy files out of the system with a USB flash disk, which easily leads to data leakage.
To address this, data encryption and device control are provided. Data is encrypted during copy operations, so copied data or files are shown in ciphertext and the user cannot read the copied content. Mobile devices are also controlled: unregistered devices such as USB flash disks cannot read numerical control system files normally. Encrypted data storage is thus effectively realized, and data is protected from leaking through copying.
Based on the numerical control system safety protection method, the disclosure also provides a numerical control system safety protection device configured to implement that method.
The numerical control system safety protection device of the embodiment comprises an identity authentication module, a permission limiting module and an operation executing module.
The identity authentication module is used to authenticate a received login request from a user and, when the login request passes identity authentication, to complete the user login.
The permission limiting module is used to detect, on receiving an operation request from the user, whether the user has permission to execute it.
The operation executing module is used to execute the operation request when the user has that permission.
Fig. 11 schematically illustrates a block diagram of a numerical control system safety protection device according to an embodiment of the present disclosure. As shown in fig. 11, the device is developed around identity authentication technology, data security storage technology and related techniques to address the hidden dangers of existing numerical control systems; it provides user identity authentication, file encryption and data transmission encryption, giving the numerical control system all-round protection. The software contains the cryptographic infrastructure and the CA certificate module. On this domestic cryptographic infrastructure, cryptographic devices such as the smart cryptographic key and biometric recognition equipment, together with software modules such as the encryption module, provide security services including identity authentication, file encryption and transmission encryption, so that the information security protection function of the numerical control system is achieved. These modules and functions conform to the safety standards and specifications for numerical control systems.
The smart key, biometric recognition device and so on in fig. 11 are hardware. Numerical control systems of different grades integrate different user identity authentication technologies according to their requirements: low-grade products authenticate with a user name and password, while high-grade systems integrate a smart cryptographic key or face recognition device. The software part contains the CA certificate, encryption module and so on. The software system of the numerical control system can be divided into a control layer and a user layer. The control layer is responsible for controlling the system; the user layer holds the non-control software modules, such as the man-machine interface, network communication and file reading and writing. Because the control layer software must not be subjected to interference, the secure storage module and the data transmission module of the operation execution module must be integrated into the user layer of the numerical control system.
Fig. 12 schematically illustrates an architecture diagram of identity authentication according to an embodiment of the present disclosure. The identity authentication module uses digital certificates, security components, cryptographic operations, digital signatures, digital envelopes and related techniques to ensure the authenticity of the user identity, which effectively reduces the risks of identity impersonation, identity repudiation, replay and man-in-the-middle attacks and thereby secures authentication to a considerable degree. Data encryption, that is, encryption of data during network transmission, is realized with the standard SM3 and SM4 algorithms. Confidentiality, integrity and non-repudiation of login information are guaranteed by encrypting and signing the login data, and extension fields are added to the protocol so that it can be extended in the future with stronger cryptographic performance.
The identity authentication module at least further implements the following. It consists of an authentication management system and a digital certificate authentication system. The authentication management system provides user management, identity authentication, authorization management, security auditing and similar functions; the digital certificate authentication system (a self-built certificate authority) issues and manages users' digital certificates. The two systems are integrated so that newly added user information is synchronized: a certificate manager only has to log in to the digital certificate authentication system of the cryptographic infrastructure and retrieve the user information, and can then produce a certificate directly through the self-built certificate issuing authority. An identity authentication system is deployed in the intelligent numerical control machine tool so that all users can be managed and can authenticate through the identity authentication module.
Users of different grades are authenticated hierarchically. For users with lower authority the lowest authentication grade, a user name/password mode, can be used; for users with higher authority the lowest authentication level must be set to USBKey mode with a digital certificate. Each user's authentication level and authentication mode can be configured dynamically in the background of the authentication system.
For example, a USBKey user: after strict verification of their identity information, the user obtains from the CA authentication center a USBKey smart device into which a digital certificate has been written, then inserts the USBKey to log in through the access authentication system and can conveniently access the intelligent numerical control machine tool applications within their authority. The identity information in the user's digital certificate on the USBKey must be consistent with the user information registered in the authentication system (the key fields are name, certificate type and certificate number); reliable identity authentication is possible only when this information is consistent.
For example, a password user: the password user is registered directly by the unit administrator according to the user information, without CA center identity authentication or the issuance of a digital certificate.
The rights limitation module at least further implements the following. To ensure that access to the intelligent numerical control machine tool is controllable and to prevent illegal access, a trusted authorization management service is provided on the premise that the user's identity is genuine and credible; it realizes effective management and access control of all kinds of users, protects the machine tool against illegal or unauthorized access, and prevents information leakage. Authority management is operated by an administrator and covers resource classification configuration, user role definition, authorization and the like; authority authentication judges the user's authority according to their identity to decide whether they may access the corresponding resource. Since the authentication management system must be closely combined with each application system to solve fine-grained resource authority control within it, each application system performs custom integration development on top of the coarse-grained access control of the identity authentication system, combining it with its own local resource authority model. Because a distributed authorization management model is adopted, the user is first subjected to strict identity authentication to guarantee the authenticity of the identity; on that basis, an authorization management system integrating the authority allocation of each application system's internal resources performs strict authority authentication, which realizes fine-grained authorized access control over those internal resources.
The whole authorization control workflow is as follows: the authentication management system is initialized and a system administrator is added and configured; the system administrator adds and configures subordinate administrators or users; an administrator adds the controlled access resources and sets each user's authority; when a user logs in to the intelligent numerical control machine tool system, the authentication system first verifies the user's identity; after identity authentication passes, the user's authority is authenticated according to their identity; if the authority authentication passes, the user enters the application system and may access the resources within the permitted authority, otherwise access is denied.
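The login and authorization checks of this workflow (claims 2 to 4: certificate identity fields matched against the registered user, certificate validated against the self-built CA, signature over the login information verified, then the user's authority level compared with the operation object's level), as an added example in Go; it is not code from the patent or from Wuhan Huazhong Numerical Control. ECDSA P-256 and SHA-256 stand in for SM2 and SM3 because the Go standard library has no national algorithms; the five level values, the certificate layout and the server-issued nonce are assumptions, and the PIN check that unlocks the UKey is outside this model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authority levels for the five user classes named in the patent, lowest first. The
// numeric ordering is a constructed assumption; the patent gives no values.
const (
	LevelOperator = iota + 1
	LevelWorkshopAdmin
	LevelMachineToolMfr
	LevelNCMfr
	LevelSystemAdmin
)

// Cert stands in for the certificate on the USB key: identity fields, authority level
// and the holder's public key, signed by the self-built CA (ECDSA P-256 stands in for SM2).
type Cert struct {
	Name, CertNo string
	Level        int
	PubKey       *ecdsa.PublicKey
	CASig        []byte // CA signature over digest()
}

// digest binds every field the CA vouches for (SHA-256 stands in for SM3).
func (c *Cert) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00%d\x00%x\x00%x", c.Name, c.CertNo, c.Level, c.PubKey.X, c.PubKey.Y)
	return h.Sum(nil)
}

// GenKey makes a key pair for a user, an operation object or the CA.
func GenKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// CA is the self-built certificate issuing authority.
type CA struct{ key *ecdsa.PrivateKey }
func NewCA() (*CA, error) { k, err := GenKey(); return &CA{key: k}, err }

// Issue produces a certificate from the registered user (or operation object) information.
func (ca *CA) Issue(name, certNo string, level int, pub *ecdsa.PublicKey) (*Cert, error) {
	c := &Cert{Name: name, CertNo: certNo, Level: level, PubKey: pub}
	sig, err := ecdsa.SignASN1(rand.Reader, ca.key, c.digest())
	c.CASig = sig
	return c, err
}

// Verify checks a certificate against the CA's own public key (claim 3).
func (ca *CA) Verify(c *Cert) bool { return ecdsa.VerifyASN1(&ca.key.PublicKey, c.digest(), c.CASig) }

// LoginRequest carries the login information, the user's certificate and a signature over
// the login information made with the private key inside the USB key (claim 2).
type LoginRequest struct {
	Username string
	Nonce    []byte // server-issued challenge, so a captured request cannot be replayed
	Cert     *Cert
	Sig      []byte
}

func loginDigest(username string, nonce []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%x", username, nonce)
	return h.Sum(nil)
}

// SignLogin is the client side: the USB key signs the login information.
func SignLogin(username string, nonce []byte, cert *Cert, key *ecdsa.PrivateKey) (*LoginRequest, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, loginDigest(username, nonce))
	return &LoginRequest{Username: username, Nonce: nonce, Cert: cert, Sig: sig}, err
}

// Authenticate is the server side of claims 2 and 3: the certificate's identity fields must
// match the registered user (name -> certificate number), the CA must vouch for the
// certificate, and the signature must verify. It returns the user's authority level.
func Authenticate(ca *CA, registered map[string]string, req *LoginRequest, nonce []byte) (int, error) {
	certNo, ok := registered[req.Username]
	if !ok || req.Cert.Name != req.Username || req.Cert.CertNo != certNo {
		return 0, errors.New("login information does not match the registered user")
	}
	if string(req.Nonce) != string(nonce) {
		return 0, errors.New("stale or replayed login request")
	}
	if !ca.Verify(req.Cert) {
		return 0, errors.New("certificate was not issued by the self-built CA")
	}
	if !ecdsa.VerifyASN1(req.Cert.PubKey, loginDigest(req.Username, req.Nonce), req.Sig) {
		return 0, errors.New("login signature does not verify")
	}
	return req.Cert.Level, nil
}

// Authorize applies claim 4: the object's own signed certificate is trusted only after the
// CA check, and access is granted when the user's level is higher than the object's.
func Authorize(ca *CA, userLevel int, object *Cert) bool { return ca.Verify(object) && userLevel > object.Level }
```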
Fig. 13 schematically illustrates an architecture diagram of the secure storage module of the operation execution module according to an embodiment of the present disclosure. The data secure storage technology is a confidentiality method for system files and part machining files stored locally in the numerical control system. The design of the data secure storage module fully considers reusing the user's existing resources when the system is deployed, reducing waste of resources, and the solution makes full use of mature security technology to improve the security of the system. The module's functional framework mainly comprises a secure storage service module, a user access module, a storage facility and a security facility.
Secure storage service module: provides transparent file encryption/decryption and security authentication services. Encryption and decryption are implemented at the bottom layer by a hardware encryption card, the encryption and decryption processes run inside the card, and the encryption algorithm is the national SM4 algorithm. User access module: provides the user's way of accessing the secure storage system; a user must pass security authentication when accessing the storage system, authentication uses the certificate-based identity authentication technology provided by the PKI basic service, and the certificate storage medium is a USB Key. Storage facility: responsible for storing the final ciphertext data, using disk storage. Security facility: the basic services for secure data storage are provided by a trusted domestic cryptographic infrastructure.
The user side accesses files through a mapped drive, so operating on a protected file is just like operating on an ordinary file and the user's daily working habits are unaffected. Combined with mature PKI technology, certificate-based security identity authentication and protection of important data are provided, guaranteeing the security of the system.
The data storage component uses virtual disk technology: a local file is virtualized into a disk through the device mapper technology, and the files to be protected are stored in this virtual disk. An encryption password must be set when the disk file is created, after which all sectors of the storage medium are encrypted with SM4; the encryption key is derived from the password that was set. When mounting, the password is entered, and the disk can be mounted only if the password is correct. To keep the password computation secure, the encryption and decryption process is completed inside the UKey.
Fig. 6 schematically illustrates a flow chart of data storage according to an embodiment of the present disclosure, namely the flow of creating a data storage medium (Volume file); fig. 7 schematically illustrates a flow chart of data storage medium binding, namely binding a Volume virtual disk to a data storage medium (Volume file); and fig. 8 schematically illustrates a flow chart of data storage medium unbinding, namely unbinding a Volume virtual disk from a data storage medium (Volume file). Data storage encryption is composed of the following modules. datastorage sdk module: manages the external interface and start-up and shutdown; Volume module: manages Volume objects; VolumeCreater module: manages the creation process of Volume files; CoreBase module: command interaction with the operating system and custom packaging of operating-system-level instructions; FuseService module: manages the custom file system (virtual directory), mainly for auxiliary indexing.
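The virtual disk flow described above (password set at creation, every sector encrypted with a password-derived key, mount refused unless the password is correct; claims 5 to 7), as an added example in Go rather than the patent's or the project's own code. AES-256-CTR stands in for SM4 and salted iterated SHA-256 for the unspecified key derivation; the Volume layout, the key-check value and the 512-byte sector size are constructed assumptions, and the cryptography runs in software rather than inside the UKey.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const SectorSize = 512

// Volume stands in for the patent's Volume file: a header (KDF salt, key-check value) and the
// encrypted sectors. AES-256-CTR stands in for SM4, and the cryptography runs in software here
// rather than inside the UKey as the patent describes.
type Volume struct {
	Salt     []byte
	KeyCheck []byte // lets Mount reject a wrong password before touching any sector
	Sectors  [][]byte
}

// deriveKey turns the disk password into the 32-byte sector key. Salted, iterated SHA-256 is a
// simplified stand-in; the patent only says the key is derived from the password.
func deriveKey(password string, salt []byte) []byte {
	k := sha256.Sum256(append([]byte(password), salt...))
	for i := 0; i < 100000; i++ {
		k = sha256.Sum256(append(k[:], salt...))
	}
	return k[:]
}

// keyCheck is a MAC over a fixed label; stored in the header, it lets Mount verify the password.
func keyCheck(key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte("volume-key-check"))
	return m.Sum(nil)
}

// cryptSector encrypts or decrypts one sector; the counter block mixes the volume salt with the
// sector index so no two sectors share a keystream. Caveat: CTR reuses that keystream when a
// sector is rewritten in place, which is why production disk encryption uses XTS instead.
func cryptSector(key, salt []byte, index uint64, data []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 32 bytes, so this cannot fail
	iv := make([]byte, aes.BlockSize)
	copy(iv, salt[:8])
	binary.BigEndian.PutUint64(iv[8:], index)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// Create follows claims 5 and 6: the disk is created with a password and every sector is
// encrypted with the password-derived key from the start.
func Create(password string, nSectors int) (*Volume, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	key := deriveKey(password, salt)
	v := &Volume{Salt: salt, KeyCheck: keyCheck(key), Sectors: make([][]byte, nSectors)}
	for i := range v.Sectors {
		v.Sectors[i] = cryptSector(key, salt, uint64(i), make([]byte, SectorSize))
	}
	return v, nil
}

// Mounted is a volume whose password passed the check (claim 7); the key exists only then.
type Mounted struct {
	v   *Volume
	key []byte
}

func Mount(v *Volume, password string) (*Mounted, error) {
	key := deriveKey(password, v.Salt)
	if !hmac.Equal(keyCheck(key), v.KeyCheck) {
		return nil, errors.New("wrong volume password")
	}
	return &Mounted{v: v, key: key}, nil
}

// WriteSector stores data on the medium in ciphertext only.
func (m *Mounted) WriteSector(index int, data []byte) error {
	if index < 0 || index >= len(m.v.Sectors) || len(data) != SectorSize {
		return errors.New("bad sector index or size")
	}
	m.v.Sectors[index] = cryptSector(m.key, m.v.Salt, uint64(index), data)
	return nil
}

// ReadSector returns the plaintext of one sector.
func (m *Mounted) ReadSector(index int) ([]byte, error) {
	if index < 0 || index >= len(m.v.Sectors) {
		return nil, errors.New("bad sector index")
	}
	return cryptSector(m.key, m.v.Salt, uint64(index), m.v.Sectors[index]), nil
}
```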
The present disclosure also provides an electronic device according to an embodiment of the present disclosure, which includes a processor that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) or a program loaded from a storage section into a Random Access Memory (RAM). The processor may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor may also include on-board memory for caching purposes. The processor may comprise a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the disclosure.
In the RAM, various programs and data required for the operation of the electronic device are stored. The processor, ROM and RAM are connected to each other by a bus. The processor performs various operations of the method flow according to embodiments of the present disclosure by executing programs in ROM and/or RAM. It should be noted that the program may also be stored in one or more memories other than ROM and RAM. The processor may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to embodiments of the present disclosure, the electronic device may further include an input/output (I/O) interface, which is also connected to the bus. The electronic device may also include one or more of the following components connected to the I/O interface: an input section including a keyboard, a mouse, etc.; an output section including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), etc., and a speaker, etc.; a storage section including a hard disk or the like; and a communication section including a network interface card such as a LAN card, a modem, and the like. The communication section performs communication processing via a network such as the internet. The drives are also connected to the I/O interfaces as needed. Removable media such as magnetic disks, optical disks, magneto-optical disks, semiconductor memories, and the like are mounted on the drive as needed so that a computer program read therefrom is mounted into the storage section as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (10)

1. The numerical control system safety protection method is characterized by comprising the following steps:
responding to a received login request of a user, and performing identity authentication on the login request based on a preset national encryption algorithm; the preset national encryption algorithm comprises a symmetric encryption algorithm, an asymmetric encryption algorithm and a password hash algorithm;
responding to the login request to pass identity authentication, and completing user login;
responding to the received operation request of a user, and detecting whether the user has permission to execute the operation request or not based on the preset national encryption algorithm;
and executing the operation request in response to the user having the authority to execute the operation request.
2. The method of claim 1, wherein the authenticating the login request comprises:
acquiring authorization of the user to enter login information, and entering the login information after the user's authorization to enter it has been obtained; wherein the login information at least comprises a user name and a password;
reading a national encryption certificate in the user's password equipment; wherein the national secret certificate is issued by a self-built certificate issuing organization and is downloaded into the password equipment in advance; the national encryption certificate at least comprises the authority level of the user; the password equipment at least comprises a USB key;
and carrying out digital signature on the login information by utilizing the national cryptographic certificate and the preset national cryptographic algorithm, and authenticating the login request based on the login information and the digital signature.
3. The method of claim 2, wherein the authenticating the login request based on the login information and the digital signature comprises:
checking the login information;
and calling a public key certificate of a self-built certificate authority to verify the validity of the national secret certificate and the digital signature.
4. The method of claim 2, wherein the operation request includes at least an operation object and an operation instruction;
the detecting whether the user has the authority to execute the operation request includes:
extracting a signature certificate of the operation object, and determining the authority level of the operation object according to the signature certificate;
decrypting a national encryption certificate in the user's password equipment by using the preset national encryption algorithm, and determining the authority level of the user;
and determining that the user has the authority to execute the operation request in response to the authority level of the user being higher than the authority level of the operation object.
5. The method of claim 1, wherein the executing the operation request comprises:
in response to the operation request being a data storage request, creating a virtual disk and encrypting the virtual disk;
and storing the data to a virtual disk.
6. The method of claim 5, wherein the encrypting the virtual disk according to the disk password comprises:
acquiring the password of the virtual disk;
and in the password equipment of the user, the encryption and decryption of the virtual disk are completed by utilizing the preset national password algorithm and the password.
7. The method of claim 5, wherein the executing the operation request comprises:
in response to the operation request being a data transmission request, acquiring authorization of the user to enter the password of the virtual disk, and entering the password of the virtual disk after the user's authorization has been obtained;
and responding to the pass of the password verification of the virtual disk, decrypting by utilizing the preset national encryption algorithm, mounting the virtual disk, and executing the data transmission request.
8. A numerical control system safety protection device configured to be used to implement the numerical control system safety protection method of any one of claims 1 to 7, comprising:
the identity authentication module is used for responding to a received login request of a user and carrying out identity authentication on the login request; responding to the login request to pass identity authentication, and completing user login;
the permission limiting module is used for responding to the received operation request of the user and detecting whether the user has permission to execute the operation request or not;
and the operation executing module is used for executing the operation request in response to the permission of the user to execute the operation request.
9. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-7.
Application CN202311602380.1A, filed 2023-11-28 (priority date 2023-11-28): Numerical control system safety protection method. Status: Pending.
Publication CN117527398A, published 2024-02-06. Family ID 89747514. Country status: CN.
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination