WO2024139926A1 - Grading processing, encryption, and verification method for rail transit data, and system - Google Patents

Grading processing, encryption, and verification method for rail transit data, and system Download PDF

Info

Publication number
WO2024139926A1
WO2024139926A1 PCT/CN2023/134397 CN2023134397W WO2024139926A1 WO 2024139926 A1 WO2024139926 A1 WO 2024139926A1 CN 2023134397 W CN2023134397 W CN 2023134397W WO 2024139926 A1 WO2024139926 A1 WO 2024139926A1
Authority
WO
WIPO (PCT)
Prior art keywords
configuration file
encrypted
file
encryption
wireless modem
Prior art date
Application number
PCT/CN2023/134397
Other languages
French (fr)
Chinese (zh)
Inventor
黄辉
华晟
王美茜
韩熠
季庆华
周学兵
苏阿峰
马钰昕
Original Assignee
卡斯柯信号有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 卡斯柯信号有限公司 filed Critical 卡斯柯信号有限公司
Publication of WO2024139926A1 publication Critical patent/WO2024139926A1/en

Links

Abstract

Disclosed in the present invention are a grading processing, encryption, and verification method for rail transit data, and a system. The method comprises: an original configuration file is converted into a basic seed file; data classification and grading processing are performed on the basic seed file by means of a grading and classification module to form a seed file to be encrypted and a plaintext seed file; a batch processing module performs batch processing on the plaintext seed file and the seed file to be encrypted to respectively generate a plaintext configuration file and a configuration file to be encrypted; an encryption module encrypts the configuration file to be encrypted to generate an encrypted configuration file; and configurations of the plaintext configuration file and the encrypted configuration file are uploaded to a wireless modulation and demodulation device, after the configurations are uploaded, the wireless modulation and demodulation device separately performs integrity verification on the plaintext configuration file and the encrypted configuration file, and after the verification is successful, the wireless modulation and demodulation device receives the uploaded configuration files. The advantages of the present invention are: the method improves the protection capability and security of important data in the system by means of a selection mechanism for data classification and grading.

Description

一种轨道交通数据的分级处理、加密和校验方法及系统A method and system for hierarchical processing, encryption and verification of rail transit data 技术领域Technical Field
本发明涉及轨道交通数据处理领域,具体涉及轨道交通信号系统无线调制解调设备配置文件数据的分级处理、加密和完整性校验,尤其是涉及分级处理的方法,对敏感数据的加密,生成一个明文配置文件和一个加密的配置文件,并且批量生成配置文件的方法。The present invention relates to the field of rail transit data processing, and in particular to hierarchical processing, encryption and integrity verification of configuration file data of wireless modem equipment of rail transit signal systems, and in particular to a method for hierarchical processing, encryption of sensitive data, generation of a plaintext configuration file and an encrypted configuration file, and a method for batch generation of configuration files.
背景技术Background technique
城市轨道交通中信号系统的无线网络涉及到在沿线部署无线调制解调设备来获得良好的无线覆盖,其使用的配置文件中的数据没有进行分类分级管理,存在一定的非授权接入风险,且配置文件的敏感参数存在被窥视、截取甚至篡改的可能。而目前无线调制解调设备的配置文件仅采用一种MD5的摘要算法进行数据发布至现场使用,没有采用加密算法,密钥的存储和更新也缺乏相应的机制,存在较大的安全隐患。因此,需要对其进行改进以提升数据的安全性。The wireless network of the signal system in urban rail transit involves the deployment of wireless modem equipment along the line to obtain good wireless coverage. The data in the configuration files used are not classified and managed, which poses a certain risk of unauthorized access, and the sensitive parameters of the configuration files may be spied on, intercepted, or even tampered with. At present, the configuration files of wireless modem equipment only use an MD5 digest algorithm to publish data for on-site use, and no encryption algorithm is used. There is also a lack of corresponding mechanisms for the storage and update of keys, which poses a great security risk. Therefore, it is necessary to improve it to enhance data security.
可以理解的是,上述陈述仅提供与本发明有关的背景技术,而并不必然地构成现有技术。It will be understood that the above statements merely provide background technology related to the present invention and do not necessarily constitute prior art.
发明内容Summary of the invention
本发明的目的在于提供一种轨道交通数据的分级处理、加密和完整性校验方法及系统,该方法通过对数据分类分级的选择机制,使在同一个原始配置文件中使用不同数据保护方法存在可能,提升了系统重要数据的防护能力;同时也为线路实施时,采用批量处理方式生成配置文件提供方法,增加了项目数据制作的便捷性;最后通过灵活设置密钥的存储更新机制,加强密钥的有效性,从而有利于保护系统重要配置数据安全,防止数据泄漏、截取和篡改对系统造成重大影响,实现信号系统无线设备配置数据的高安全性和高可靠性。The purpose of the present invention is to provide a method and system for hierarchical processing, encryption and integrity verification of rail transit data. The method makes it possible to use different data protection methods in the same original configuration file through a selection mechanism for data classification and grading, thereby improving the protection capability of important system data; at the same time, it also provides a method for generating configuration files in batch processing when the line is implemented, thereby increasing the convenience of project data production; finally, by flexibly setting the storage and update mechanism of the key, the validity of the key is enhanced, which is conducive to protecting the security of important system configuration data, preventing data leakage, interception and tampering from causing significant impact on the system, and achieving high security and high reliability of the configuration data of wireless equipment in the signal system.
为了达到上述目的,本发明通过以下技术方案实现:In order to achieve the above object, the present invention is implemented by the following technical solutions:
一种轨道交通数据的分级处理、加密和完整性校验方法,包含:A method for hierarchical processing, encryption and integrity verification of rail transit data, comprising:
将原始配置文件转换为适用于所有无线调制解调设备的基础种子seed文件;Convert the original configuration file into a base seed file suitable for all wireless modem devices;
通过分级分类模块对所述基础种子seed文件中的数据进行数据分类分级处理,将其划分为敏感参数和一般参数,所述敏感参数形成需加密的seed文件,所述一般参数形成明文seed文件;The data in the basic seed file is classified and processed by a classification module to be classified and divided into sensitive parameters and general parameters. The sensitive parameters form a seed file to be encrypted, and the general parameters form a plaintext seed file.
批处理模块对明文seed文件和需加密的seed文件分别进行批处理,分别生成各个无线调制解调设备的明文配置文件和需加密的配置文件,加密模块对需加密的配置文件进行加密处理生成加密的配置文件;The batch processing module batch processes the plain text seed file and the seed file to be encrypted respectively, and generates the plain text configuration file and the configuration file to be encrypted of each wireless modem device respectively. The encryption module encrypts the configuration file to be encrypted to generate an encrypted configuration file.
将明文配置文件和加密的配置文件配置上传给无线调制解调设备,配置上传后无线调制解调设备对明文配置文件和加密的配置文件分别进行完整性校验,校验成功后接收上传。The plain text configuration file and the encrypted configuration file are uploaded to the wireless modem device. After the configuration is uploaded, the wireless modem device performs integrity verification on the plain text configuration file and the encrypted configuration file respectively, and accepts the upload after the verification is successful.
可选的,将原始配置文件中适用于对应项目的数据的值采用通配符进行替代生成基础种子seed文件。Optionally, the values of the data applicable to the corresponding project in the original configuration file are replaced with wildcards to generate a basic seed file.
可选的,所述一般参数包含发射功率、切换门限、设备名称中的一种或多种;Optionally, the general parameters include one or more of transmit power, switching threshold, and device name;
所述敏感参数包含无线调制解调设备的接入密码、http的登录密码、SNMP的认证和加密密码、802.1x的认证服务器共享秘钥中的一种或多种。The sensitive parameters include one or more of an access password of a wireless modem device, a login password of http, an authentication and encryption password of SNMP, and a shared secret key of an 802.1x authentication server.
可选的,所述明文配置文件和加密的配置文件配置上传给无线调制解调设备之前需使用摘要计算模块分别进行摘要计算,所述无线调制解调设备对经摘要处理后的明文配置文件和加密的配置文件分别进行完整性校验,校验无误后可在设备上加载。Optionally, before uploading the plaintext configuration file and the encrypted configuration file to the wireless modem device, a summary calculation module needs to be used to perform summary calculations respectively. The wireless modem device performs integrity checks on the plaintext configuration file and the encrypted configuration file after summary processing respectively, and they can be loaded on the device after verification.
可选的,通过哈希算法的SHA384算法对明文配置文件进行摘要计算,得到其哈希值。Optionally, a digest calculation is performed on the plaintext configuration file using a SHA384 algorithm of a hash algorithm to obtain a hash value thereof.
可选的,需加密的seed文件在加密处理的同时进行摘要计算;Optionally, the seed file to be encrypted is digested while being encrypted;
需加密的seed文件通过哈希算法的SHA384算法进行摘要计算,并同时采用加盐的hash算法对关键的http密码进行密文存储;The seed file to be encrypted is digested using the SHA384 algorithm of the hash algorithm, and the key http password is stored in ciphertext using a salted hash algorithm.
和/或,需加密的seed文件采用的加密算法为AES256算法,并采用一次一密机制。And/or, the encryption algorithm used by the seed file to be encrypted is the AES256 algorithm, and a one-time pad mechanism is adopted.
可选的,无线调制解调设备对加密的配置文件进行完整性校验时需要先输入密钥进行解密,然后再进行完整性校验;Optionally, when the wireless modem device performs integrity check on the encrypted configuration file, it is necessary to first input a key for decryption and then perform integrity check;
无线调制解调设备对明文配置文件直接进行完整性校验。The wireless modem device directly performs integrity verification on the plain text configuration file.
可选的,所述明文配置文件为可修改状态,所述明文配置文件经修改后需重新进行批处理、摘要处理、配置上传以及完整性校验过程。Optionally, the plain text configuration file is in a modifiable state, and after being modified, the plain text configuration file needs to undergo batch processing, summary processing, configuration upload, and integrity verification processes again.
可选的,一种执行前述的轨道交通数据的分级处理、加密和完整性校验方法的系统,包含:Optionally, a system for executing the aforementioned method for hierarchical processing, encryption and integrity verification of rail transit data comprises:
分级分类模块,用于将基础种子seed文件划分为明文seed文件和需加密的seed文件;A hierarchical classification module is used to divide the basic seed files into plaintext seed files and seed files that need to be encrypted;
批处理模块,与所述分级分类模块连接,所述批处理模块用于对明文seed文件和需加密的seed文件分别进行批处理,分别生成各无线调制解调设备的明文配置文件和需加密的配置文件;A batch processing module connected to the grading and classification module, the batch processing module is used to batch process the plaintext seed file and the seed file to be encrypted, respectively, to generate a plaintext configuration file and a configuration file to be encrypted for each wireless modem device;
加密模块,与所述批处理模块连接,所述加密模块用于对所述需加密的配置文件进行加密处理,生成加密的配置文件;无线调制解调设备对明文配置文件和加密的配置文件分别进行完整性校验,校验成功后接收上传。The encryption module is connected to the batch processing module, and is used to encrypt the configuration file to be encrypted to generate an encrypted configuration file; the wireless modem device performs integrity verification on the plain text configuration file and the encrypted configuration file respectively, and receives and uploads the files after the verification is successful.
可选的,还包含:Optionally, also include:
摘要计算模块,与所述批处理模块连接,所述摘要计算模块用于对所述明文配置文件和需加密的配置文件进行摘要计算,上传配置时由无线调制解调设备进行完整性校验,校验成功后完成数据的加载。A summary calculation module is connected to the batch processing module. The summary calculation module is used to perform summary calculations on the plain text configuration file and the configuration file to be encrypted. When uploading the configuration, the wireless modem device performs integrity verification. After the verification is successful, the data loading is completed.
可选的,所述明文配置文件和加密的配置文件上传无线调制解调设备后,无线调制解调设备对所述加密的配置文件先进行解密,再经过完整性校验;无线调制解调设备对所述明文配置文件直接进行完整性校验;校验无误后可在无线调制解调设备上加载。Optionally, after the plaintext configuration file and the encrypted configuration file are uploaded to the wireless modem device, the wireless modem device first decrypts the encrypted configuration file and then performs an integrity check; the wireless modem device directly performs an integrity check on the plaintext configuration file; after the check is correct, it can be loaded on the wireless modem device.
本发明与现有技术相比具有以下优点:Compared with the prior art, the present invention has the following advantages:
本发明的一种轨道交通数据的分级处理、加密和完整性校验方法及系统中,该方法通过采用对信号系统无线调制解调设备的配置文件中的各参数进行分类分级,对不常使用的敏感参数进行加密的方式,实现重要数据的保密性管理,其余的参数设置为一般参数,不进行加密处理,方便调试修改;然后对明文配置文件和加密配置文件进行摘要计算,实现重要数据的完整性保护;同时还能实现对无线调制解调设备的配置文件批量生成功能。In a method and system for hierarchical processing, encryption and integrity verification of rail transit data of the present invention, the method realizes confidentiality management of important data by classifying and grading various parameters in the configuration file of wireless modulation and demodulation equipment of the signal system, encrypting infrequently used sensitive parameters, and setting the remaining parameters as general parameters without encryption processing to facilitate debugging and modification; then, digest calculation is performed on the plain text configuration file and the encrypted configuration file to realize integrity protection of important data; at the same time, the method can also realize the function of batch generation of configuration files for wireless modulation and demodulation equipment.
进一步的,该方法灵活性高,不同级别的配置数据可以采用不同的处理方法,应对不同的工程需求。Furthermore, the method is highly flexible, and different levels of configuration data can be processed using different methods to meet different engineering requirements.
进一步的,该方法健壮性好,通过对无线调制解调设备配置文件高强度的加密算法和完整性哈希校验,避免对于信号系统重要设备的配置进行篡改造成影响。Furthermore, the method has good robustness and avoids tampering with the configuration of important equipment in the signal system by using a high-strength encryption algorithm and integrity hash check on the configuration file of the wireless modem equipment.
进一步的,该方法时效性好,通过密钥更新机制,增加外界的恶意破译的难度。Furthermore, the method has good timeliness and increases the difficulty of malicious decryption by the outside world through the key update mechanism.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
图1为本发明的一种轨道交通数据的分级处理、加密和完整性校验方法;FIG1 is a method for hierarchical processing, encryption and integrity verification of rail transit data according to the present invention;
图2为本发明的一种执行轨道交通数据的分级处理、加密和完整性校验方法的系统框架示意图;FIG2 is a schematic diagram of a system framework of a method for performing hierarchical processing, encryption and integrity verification of rail transit data according to the present invention;
图3为本发明的一种执行轨道交通数据的分级处理、加密和完整性校验方法的系统作用关系示意图。FIG3 is a schematic diagram of the system function relationship of a method for executing hierarchical processing, encryption and integrity verification of rail transit data according to the present invention.
实施方式Implementation
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明的一部分实施例,而不是全部实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动的前提下所获得的所有其他实施例,都应属于本发明保护的范围。The following will be combined with the drawings in the embodiments of the present invention to clearly and completely describe the technical solutions in the embodiments of the present invention. Obviously, the described embodiments are part of the embodiments of the present invention, not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by ordinary technicians in this field without creative work should fall within the scope of protection of the present invention.
如图1所示为本发明的一种轨道交通数据的分级处理、加密和完整性校验方法,该方法包含:As shown in FIG1 , a method for hierarchical processing, encryption and integrity verification of rail transit data of the present invention is shown, and the method comprises:
S1、将原始配置文件转换为适用于所有无线调制解调设备即无线调制解调器设备的基础种子seed文件。所述原始配置文件为信号系统无线网络设备中未经处理的配置文件。S1. Converting an original configuration file into a basic seed file applicable to all wireless modulation and demodulation devices, namely wireless modem devices. The original configuration file is an unprocessed configuration file in a signal system wireless network device.
具体地,在本实施例中,将原始配置文件中适用于对应项目即本项目的的数据的值采用通配符进行替代生成基础种子seed文件,以便后续数据处理。Specifically, in this embodiment, the values of the data applicable to the corresponding project, ie, the present project, in the original configuration file are replaced with wildcards to generate a basic seed file for subsequent data processing.
S2、通过分级分类模块对所述基础种子seed文件中的数据进行数据分类分级处理,将其划分为敏感参数和一般参数,所述敏感参数形成需加密的seed文件,所述一般参数形成明文seed文件。S2. The data in the basic seed file is classified and processed by a classification module to divide it into sensitive parameters and general parameters. The sensitive parameters form a seed file to be encrypted, and the general parameters form a plaintext seed file.
可选的,所述一般参数包含发射功率、切换门限、设备名称中的一种或多种。进一步的,所述敏感参数包含无线调制解调设备的接入密码、http的登录密码、SNMP的认证和加密密码、802.1x的认证服务器共享秘钥中的一种或多种。可以理解的是,所述一般参数和敏感参数包含的数据类型不仅限于上述,在其他实施例中,其还可以包含其他数据类型,本发明对此不加以限制。Optionally, the general parameters include one or more of the transmission power, the switching threshold, and the device name. Further, the sensitive parameters include one or more of the access password of the wireless modem device, the login password of http, the authentication and encryption password of SNMP, and the shared secret key of the authentication server of 802.1x. It is understandable that the data types included in the general parameters and sensitive parameters are not limited to the above. In other embodiments, they may also include other data types, which are not limited by the present invention.
S3、批处理模块对明文seed文件和需加密的seed文件分别进行批处理,批量生成多个无线调制解调设备的配置文件,每个设备生成两个配置文件,分别为明文配置文件和需加密的配置文件。需加密的配置文件的加密和摘要计算在本步骤同时完成,即需加密的seed文件在加密处理的同时进行摘要计算。具体的,通过摘要计算模块对需加密的配置文件进行摘要计算,通过加密模块对需加密的配置文件进行加密处理生成加密的配置文件。在本实施例中,需加密的seed文件采用的加密算法为AES256算法,根据设置的密钥进行加密,功能设置为每次进行加密必须设置不同的密钥,即一次一密机制,调试人员不具备使用加密模块的权限。同时,需加密的seed文件通过哈希算法的SHA384算法进行摘要计算,得到其哈希值,并同时采用加盐的hash算法对关键的http密码进行密文存储。S3, the batch processing module batch processes the plaintext seed file and the seed file to be encrypted respectively, and generates configuration files of multiple wireless modem devices in batches. Each device generates two configuration files, namely, the plaintext configuration file and the configuration file to be encrypted. The encryption and summary calculation of the configuration file to be encrypted are completed simultaneously in this step, that is, the summary calculation of the seed file to be encrypted is performed while the encryption processing is being performed. Specifically, the summary calculation of the configuration file to be encrypted is performed by the summary calculation module, and the encryption module encrypts the configuration file to be encrypted to generate an encrypted configuration file. In this embodiment, the encryption algorithm used by the seed file to be encrypted is the AES256 algorithm, which is encrypted according to the set key. The function is set to set a different key each time encryption is performed, that is, a one-time one-key mechanism, and the debugger does not have the authority to use the encryption module. At the same time, the seed file to be encrypted is calculated by the SHA384 algorithm of the hash algorithm to obtain its hash value, and the salted hash algorithm is used to store the key http password in ciphertext.
S4、将明文配置文件和加密的配置文件配置上传给无线调制解调设备,配置上传后无线调制解调设备会对明文配置文件和加密的配置文件分别进行完整性校验,校验成功后在无线调制解调设备上加载。S4. Upload the plain text configuration file and the encrypted configuration file to the wireless modem device. After the configuration is uploaded, the wireless modem device will perform integrity checks on the plain text configuration file and the encrypted configuration file respectively. After the check is successful, they will be loaded on the wireless modem device.
在本实施例中,所述明文配置文件和加密的配置文件配置上传给无线调制解调设备之前需使用摘要计算模块分别进行摘要计算,无线调制解调设备对经摘要处理后的明文配置文件和加密的配置文件分别进行完整性校验(可分别输入哈希值进行校验),校验无误后可在无线调制解调设备上加载。在本实施例中,通过哈希算法的SHA384算法对明文配置文件进行摘要计算,得到其哈希值。加密的配置文件的摘要计算已在前述加密时实现了计算。In this embodiment, the plain text configuration file and the encrypted configuration file need to be respectively digested using a digest calculation module before being uploaded to the wireless modem device. The wireless modem device performs integrity checks on the plain text configuration file and the encrypted configuration file after digest processing (the hash values can be input for verification respectively), and after the verification is correct, they can be loaded on the wireless modem device. In this embodiment, the plain text configuration file is digested by the SHA384 algorithm of the hash algorithm to obtain its hash value. The digest calculation of the encrypted configuration file has been calculated during the aforementioned encryption.
进一步的,在本实施例中,无线调制解调设备对加密的配置文件进行完整性校验时需要先输入密钥(加密密码)进行解密,然后再进行完整性校验。无线调制解调设备对明文配置文件直接进行完整性校验。然后无线调制解调设备加载经过校验无误的各配置文件,完成配置上传。Furthermore, in this embodiment, when the wireless modem device performs integrity check on the encrypted configuration file, it is necessary to first input the key (encryption password) for decryption, and then perform integrity check. The wireless modem device directly performs integrity check on the plain text configuration file. Then the wireless modem device loads each configuration file that has been verified to be correct, and completes the configuration upload.
在本实施例中,所述明文配置文件为可修改状态,调试人员可根据调试情况修改明文配置文件。所述明文配置文件经修改后需重新进行批处理、摘要处理、配置上传以及完整性校验过程,以完成该配置文件的配置上传。考虑到数据敏感性,调试人员不具备修改加密的配置文件的权限。In this embodiment, the plain text configuration file is in a modifiable state, and the debugger can modify the plain text configuration file according to the debugging situation. After the plain text configuration file is modified, it is necessary to re-process the batch processing, summary processing, configuration upload and integrity verification process to complete the configuration upload of the configuration file. Considering the sensitivity of the data, the debugger does not have the authority to modify the encrypted configuration file.
由上述可知,与现有技术相比,本发明的轨道交通数据的分级处理、加密和完整性校验方法具有适用范围广、保密程度高、使用方便等优点,避免了无线设备重要参数的泄漏或者被破解,从而更好的保障轨道交通的安全运营。From the above, it can be seen that compared with the prior art, the hierarchical processing, encryption and integrity verification method of rail transit data of the present invention has the advantages of wide application range, high confidentiality and easy use, which avoids the leakage or cracking of important parameters of wireless devices, thereby better ensuring the safe operation of rail transit.
基于同一发明构思,本发明还提供了一种可执行前述的轨道交通数据的分级处理、加密和完整性校验方法的系统,如图2所示,该系统可视为一个数据处理工具,基础种子seed文件经该数据处理工具处理后可上传至无线调制解调设备。Based on the same inventive concept, the present invention also provides a system that can execute the aforementioned hierarchical processing, encryption and integrity verification method of rail transit data. As shown in Figure 2, the system can be regarded as a data processing tool, and the basic seed file can be uploaded to the wireless modem device after being processed by the data processing tool.
具体的,如图2和图3结合所示,该系统包含:分级分类模块、批处理模块和加密模块。其中,所述分级分类模块用于将基础种子seed文件划分为明文seed文件和需加密的seed文件。所述批处理模块与所述分级分类模块连接,所述批处理模块用于对明文seed文件和需加密的seed文件分别进行批处理,分别生成各无线调制解调设备的明文配置文件和需加密的配置文件。所述加密模块与所述批处理模块连接,所述加密模块用于对所述需加密的配置文件进行加密处理,生成加密的配置文件。所述明文配置文件和加密的配置文件上传配置时,所述无线调制解调设备对所述明文配置文件和加密的配置文件分别进行完整性校验,校验成功后完成数据的加载。Specifically, as shown in combination with FIG. 2 and FIG. 3, the system includes: a hierarchical classification module, a batch processing module and an encryption module. Among them, the hierarchical classification module is used to divide the basic seed seed file into a plaintext seed file and a seed file to be encrypted. The batch processing module is connected to the hierarchical classification module, and the batch processing module is used to batch process the plaintext seed file and the seed file to be encrypted respectively, and generate a plaintext configuration file and a configuration file to be encrypted for each wireless modem device respectively. The encryption module is connected to the batch processing module, and the encryption module is used to encrypt the configuration file to be encrypted and generate an encrypted configuration file. When the plaintext configuration file and the encrypted configuration file are uploaded for configuration, the wireless modem device performs integrity verification on the plaintext configuration file and the encrypted configuration file respectively, and completes the loading of the data after the verification is successful.
进一步的,该系统还包含摘要计算模块,所述摘要计算模块与所述批处理模块连接,所述摘要计算模块用于对明文配置文件和需加密的配置文件分别进行摘要计算。所述明文配置文件和加密的配置文件配置上传给无线调制解调设备之前需使用摘要计算模块分别进行摘要计算,所述无线调制解调设备对经摘要处理后的明文配置文件和加密的配置文件分别进行完整性校验,校验无误后可在无线调制解调设备上加载。Furthermore, the system further comprises a summary calculation module, which is connected to the batch processing module and is used to perform summary calculations on the plain text configuration file and the configuration file to be encrypted. The plain text configuration file and the encrypted configuration file need to be respectively summarized by the summary calculation module before being uploaded to the wireless modem device. The wireless modem device performs integrity checks on the plain text configuration file and the encrypted configuration file after summary processing, and the files can be loaded on the wireless modem device after the verification is correct.
综上所述,本发明的一种轨道交通数据的分级处理、加密和完整性校验方法及系统中,该方法主要针对信号系统无线调制解调设备的配置文件,通过采用对配置文件中的各参数进行分类分级的方法,对不常使用的敏感参数进行加密的方式,实现重要数据的保密性管理,对项目调试经常要修改的参数,则划分为一般参数,不进行加密处理,方便调试修改;然后对明文配置文件和加密的配置文件进行摘要计算,实现重要数据的完整性保护。同时该方法还能实现对无线调制解调设备的配置文件批量生成功能,极大方便了项目实施过程中的数据制作过程。In summary, in a method and system for hierarchical processing, encryption and integrity verification of rail transit data of the present invention, the method is mainly aimed at the configuration file of the wireless modem equipment of the signal system, and the confidentiality management of important data is realized by adopting a method of classifying and grading each parameter in the configuration file, and encrypting the infrequently used sensitive parameters. The parameters that are often modified in project debugging are classified as general parameters, and are not encrypted, which is convenient for debugging and modification; then the summary calculation of the plain text configuration file and the encrypted configuration file is performed to realize the integrity protection of important data. At the same time, the method can also realize the batch generation function of the configuration file of the wireless modem equipment, which greatly facilitates the data production process during the project implementation.
尽管本发明的内容已经通过上述优选实施例作了详细介绍,但应当认识到上述的描述不应被认为是对本发明的限制。在本领域技术人员阅读了上述内容后,对于本发明的多种修改和替代都将是显而易见的。因此,本发明的保护范围应由所附的权利要求来限定。Although the content of the present invention has been described in detail through the above preferred embodiments, it should be appreciated that the above description should not be considered as a limitation of the present invention. After reading the above content, it will be apparent to those skilled in the art that various modifications and substitutions of the present invention will occur. Therefore, the protection scope of the present invention should be limited by the appended claims.

Claims (11)

  1. 一种轨道交通数据的分级处理、加密和完整性校验方法,其特征在于,包含:A method for hierarchical processing, encryption and integrity verification of rail transit data, characterized by comprising:
    将原始配置文件转换为适用于所有无线调制解调设备的基础种子seed文件;Convert the original configuration file into a base seed file suitable for all wireless modem devices;
    通过分级分类模块对所述基础种子seed文件中的数据进行数据分类分级处理,将其划分为敏感参数和一般参数,所述敏感参数形成需加密的seed文件,所述一般参数形成明文seed文件;The data in the basic seed file is classified and processed by a classification module to be classified and divided into sensitive parameters and general parameters. The sensitive parameters form a seed file to be encrypted, and the general parameters form a plaintext seed file.
    批处理模块对明文seed文件和需加密的seed文件分别进行批处理,分别生成各个无线调制解调设备的明文配置文件和需加密的配置文件,加密模块对需加密的配置文件进行加密处理生成加密的配置文件;The batch processing module batch processes the plain text seed file and the seed file to be encrypted respectively, and generates the plain text configuration file and the configuration file to be encrypted of each wireless modem device respectively. The encryption module encrypts the configuration file to be encrypted to generate an encrypted configuration file.
    将明文配置文件和加密的配置文件配置上传给无线调制解调设备,配置上传后无线调制解调设备对明文配置文件和加密的配置文件分别进行完整性校验,校验成功后接收上传。The plain text configuration file and the encrypted configuration file are uploaded to the wireless modem device. After the configuration is uploaded, the wireless modem device performs integrity verification on the plain text configuration file and the encrypted configuration file respectively, and accepts the upload after the verification is successful.
  2. 如权利要求1所述的轨道交通数据的分级处理、加密和完整性校验方法,其特征在于,The method for hierarchical processing, encryption and integrity verification of rail transit data according to claim 1, characterized in that:
    将原始配置文件中适用于对应项目的数据的值采用通配符进行替代生成基础种子seed文件。The values of the data applicable to the corresponding project in the original configuration file are replaced with wildcards to generate a basic seed file.
  3. 如权利要求1所述的轨道交通数据的分级处理、加密和完整性校验方法,其特征在于,The method for hierarchical processing, encryption and integrity verification of rail transit data according to claim 1, characterized in that:
    所述一般参数包含发射功率、切换门限、设备名称中的一种或多种;The general parameters include one or more of transmission power, switching threshold, and device name;
    所述敏感参数包含无线调制解调设备的接入密码、http的登录密码、SNMP的认证和加密密码、802.1x的认证服务器共享秘钥中的一种或多种。The sensitive parameters include one or more of an access password of a wireless modem device, a login password of http, an authentication and encryption password of SNMP, and a shared secret key of an 802.1x authentication server.
  4. 如权利要求1所述的轨道交通数据的分级处理、加密和完整性校验方法,其特征在于,The method for hierarchical processing, encryption and integrity verification of rail transit data according to claim 1, characterized in that:
    所述明文配置文件和加密的配置文件配置上传给无线调制解调设备之前需使用摘要计算模块分别进行摘要计算,所述无线调制解调设备对经摘要处理后的明文配置文件和加密的配置文件分别进行完整性校验,校验无误后可在设备上加载。The plain text configuration file and the encrypted configuration file need to be respectively digested using a digest calculation module before being uploaded to the wireless modem device. The wireless modem device performs integrity checks on the plain text configuration file and the encrypted configuration file after digest processing, and they can be loaded on the device after the verification is correct.
  5. 如权利要求4所述的轨道交通数据的分级处理、加密和完整性校验方法,其特征在于,The method for hierarchical processing, encryption and integrity verification of rail transit data as claimed in claim 4, characterized in that:
    通过哈希算法的SHA384算法对明文配置文件进行摘要计算,得到其哈希值。The plaintext configuration file is digested using the SHA384 algorithm to obtain its hash value.
  6. 如权利要求4所述的轨道交通数据的分级处理、加密和完整性校验方法,其特征在于,The method for hierarchical processing, encryption and integrity verification of rail transit data as claimed in claim 4, characterized in that:
    需加密的seed文件在加密处理的同时进行摘要计算;The seed file to be encrypted is digested while being encrypted;
    需加密的seed文件通过哈希算法的SHA384算法进行摘要计算,并同时采用加盐的hash算法对关键的http密码进行密文存储;The seed file to be encrypted is digested using the SHA384 algorithm of the hash algorithm, and the key http password is stored in ciphertext using a salted hash algorithm.
    和/或,需加密的seed文件采用的加密算法为AES256算法,并采用一次一密机制。And/or, the encryption algorithm used by the seed file to be encrypted is the AES256 algorithm, and a one-time pad mechanism is adopted.
  7. 如权利要求1所述的轨道交通数据的分级处理、加密和完整性校验方法,其特征在于,The method for hierarchical processing, encryption and integrity verification of rail transit data according to claim 1, characterized in that:
    无线调制解调设备对加密的配置文件进行完整性校验时需要先输入密钥进行解密,然后再进行完整性校验;When the wireless modem device performs integrity check on the encrypted configuration file, it needs to first input the key for decryption and then perform integrity check;
    无线调制解调设备对明文配置文件直接进行完整性校验。The wireless modem device directly performs integrity verification on the plain text configuration file.
  8. 如权利要求1所述的轨道交通数据的分级处理、加密和完整性校验方法,其特征在于,The method for hierarchical processing, encryption and integrity verification of rail transit data according to claim 1, characterized in that:
    所述明文配置文件为可修改状态,所述明文配置文件经修改后需重新进行批处理、摘要处理、配置上传以及完整性校验过程。The plain text configuration file is in a modifiable state. After being modified, the plain text configuration file needs to undergo batch processing, summary processing, configuration upload, and integrity verification again.
  9. 一种执行如权利要求1~8任一项所述的轨道交通数据的分级处理、加密和完整性校验方法的系统,其特征在于,包含:A system for executing the method for hierarchical processing, encryption and integrity verification of rail transit data as claimed in any one of claims 1 to 8, characterized in that it comprises:
    分级分类模块,用于将基础种子seed文件划分为明文seed文件和需加密的seed文件;A hierarchical classification module is used to divide the basic seed files into plaintext seed files and seed files that need to be encrypted;
    批处理模块,与所述分级分类模块连接,所述批处理模块用于对明文seed文件和需加密的seed文件分别进行批处理,分别生成各无线调制解调设备的明文配置文件和需加密的配置文件;A batch processing module connected to the grading and classification module, the batch processing module is used to batch process the plaintext seed file and the seed file to be encrypted, respectively, to generate a plaintext configuration file and a configuration file to be encrypted for each wireless modem device;
    加密模块,与所述批处理模块连接,所述加密模块用于对所述需加密的配置文件进行加密处理,生成加密的配置文件;无线调制解调设备对明文配置文件和加密的配置文件分别进行完整性校验,校验成功后接收上传。The encryption module is connected to the batch processing module, and is used to encrypt the configuration file to be encrypted to generate an encrypted configuration file; the wireless modem device performs integrity verification on the plain text configuration file and the encrypted configuration file respectively, and receives and uploads the files after the verification is successful.
  10. 如权利要求9所述的执行所述轨道交通数据的分级处理、加密和完整性校验方法的系统,其特征在于,还包含:The system for executing the method for hierarchical processing, encryption and integrity verification of rail transit data according to claim 9, characterized in that it also comprises:
    摘要计算模块,与所述批处理模块连接,所述摘要计算模块用于对所述明文配置文件和需加密的配置文件进行摘要计算,上传配置时由无线调制解调设备进行完整性校验,校验成功后完成数据的加载。A summary calculation module is connected to the batch processing module. The summary calculation module is used to perform summary calculations on the plain text configuration file and the configuration file to be encrypted. When uploading the configuration, the wireless modem device performs integrity verification. After the verification is successful, the data loading is completed.
  11. 如权利要求9所述的执行所述轨道交通数据的分级处理、加密和完整性校验方法的系统,其特征在于,The system for executing the method for hierarchical processing, encryption and integrity verification of rail transit data as claimed in claim 9, characterized in that:
    所述明文配置文件和加密的配置文件上传无线调制解调设备后,无线调制解调设备对所述加密的配置文件先进行解密,再经过完整性校验;无线调制解调设备对所述明文配置文件直接进行完整性校验;校验无误后可在无线调制解调设备上加载。After the plain text configuration file and the encrypted configuration file are uploaded to the wireless modem device, the wireless modem device first decrypts the encrypted configuration file and then performs an integrity check; the wireless modem device directly performs an integrity check on the plain text configuration file; after the check is correct, it can be loaded on the wireless modem device.
PCT/CN2023/134397 2022-12-26 2023-11-27 Grading processing, encryption, and verification method for rail transit data, and system WO2024139926A1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211677665.7 2022-12-26

Publications (1)

Publication Number Publication Date
WO2024139926A1 true WO2024139926A1 (en) 2024-07-04

Family

ID=

Similar Documents

Publication Publication Date Title
US20230396426A1 (en) Communication network with cryptographic key management for symmetric cryptography
US8694467B2 (en) Random number based data integrity verification method and system for distributed cloud storage
CN111222155A (en) Method and system for combining re-encryption and block link
JP5815294B2 (en) Secure field programmable gate array (FPGA) architecture
CN112311865B (en) File encryption transmission method and device
US20080025515A1 (en) Systems and Methods for Digitally-Signed Updates
CN104935568A (en) Interface authentication signature method facing cloud platform
US20130077782A1 (en) Method and Apparatus for Security Over Multiple Interfaces
WO2023035507A1 (en) Trusted executive environment multi-node authentication method
WO2023005734A1 (en) Vehicle data uploading method and apparatus, and vehicle, system and storage medium
JP2017187724A (en) Encryption device, encryption method, decryption device, and decryption method
US20230269078A1 (en) Key sharing method, key sharing system, authenticating device, authentication target device, recording medium, and authentication method
CN117318941B (en) Method, system, terminal and storage medium for distributing preset secret key based on in-car network
CN105871858A (en) Method and system for ensuring high data safety
CN116743372A (en) Quantum security protocol implementation method and system based on SSL protocol
WO2024139926A1 (en) Grading processing, encryption, and verification method for rail transit data, and system
CN114553557B (en) Key calling method, device, computer equipment and storage medium
CN114553566B (en) Data encryption method, device, equipment and storage medium
KR102539418B1 (en) Apparatus and method for mutual authentication based on physical unclonable function
CN111343421B (en) Video sharing method and system based on white-box encryption
CN114282189A (en) Data security storage method, system, client and server
CN109981264B (en) Application key generation method and cipher machine equipment assembly
CN116017434A (en) Hierarchical processing, encrypting and checking method and system for rail transit data
CN115242392B (en) Method and system for realizing industrial information safety transmission based on safety transmission protocol
CN115544583B (en) Data processing method and device of server cipher machine