CN110061989B - Data acquisition gateway full-isolation method - Google Patents
- Publication number: CN110061989B (application CN201910319489A)
- Authority: CN (China)
- Prior art keywords: data, encryption, module, encryption module, key
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Abstract
The invention discloses a data acquisition gateway full-isolation method in which a data encryption module is added to the data acquisition terminal to encrypt the uploaded data, and the data is decrypted on the big data platform by dedicated software, so that the data is protected in transit. The encryption module is connected to the MCU and to the communication module through a serial port. The encryption and isolation scheme for industrial internet data acquisition comprises the following design steps: overall structure design, encryption module hardware design, encryption module working mode design, cipher key design and management flow design. Because the data acquisition gateway uses open-source protocols, the encryption isolation design of this scheme does not sacrifice the original ease of development and ease of access; because an encryption chip is used, data actually travels through the network as ciphertext, which gives effective confidentiality; and the integrated design that is mostly adopted today is abandoned, so that each subsystem can be designed separately and produced in a standardized way, which helps reduce cost.
Description
Technical Field
The invention belongs to the technical field of data security isolation, and particularly relates to a full isolation method for a data acquisition gateway.
Background
The industrial data acquisition is to utilize the ubiquitous sensing technology to carry out real-time efficient acquisition and cloud convergence on element information of multi-source equipment, a heterogeneous system, an operation environment, people and the like. The industrial data acquisition corresponds to an edge layer in an industrial internet platform architecture. Different devices, systems and products are accessed through various communication means, large-range and deep-level industrial data are collected, protocol conversion and edge processing of heterogeneous data are carried out, and a data base of an industrial internet platform is constructed.
Currently, the industrial data acquisition industry supply side mainly has the following three types of enterprises:
firstly, industrial automation enterprises, which mainly provide the access equipment for industrial data acquisition based on their core product capability; this access equipment is the source of industrial data acquisition. Examples are Siemens, porphyry, Honeywell, safety control and the like;
secondly, industrial network service enterprises mainly provide supporting equipment and services such as industrial network protocol conversion, transmission, safety and the like for industrial data acquisition, and some enterprises are actively extending and developing from the original advantage field to the manufacturing field, such as China telecom, China Xingxi communication, Huawei and the like;
and thirdly, an industrial data acquisition solution enterprise mainly provides services such as industrial data acquisition solutions, system development, project implementation, system integration and the like, such as North self-service, Harmonious and Ming Jiang JiangZhi.
The industrial data acquisition architecture comprises three layers: equipment access, protocol conversion and edge data processing. It connects downward to equipment or intelligent products and interfaces upward with the industrial internet platform/industrial application system, as shown in FIG. 1.
As can be seen from FIG. 1, the path from data collection to data application necessarily passes through several network layers: field-level network interfaces such as RS485/232, industrial Ethernet and CAN bus faced by the equipment access layer; chip-level network interfaces such as UART, IIC and SPI used by protocol conversion and edge processing; and application-layer network interfaces such as HTTP, MQTT and S7 for transmitting data to the industrial internet platform/industrial application system. The construction of the future industrial internet will therefore involve deploying a large number of data acquisition gateways or similar products, which, as before, are important nodes for the circulation of data. What is different is that the data acquisition gateways of the industrial internet face new challenges: numerous protocols, complex working conditions, high reliability requirements, and security that is difficult to guarantee.
Many existing products already fully satisfy current needs as far as the functions of communication and data exchange are concerned. The main technical schemes are of two types:
the first integrates Ethernet communication components into products originally used for underlying industrial control. The SIMATIC controllers of Siemens, for example, have developed from the S3 series to today's S7 series, with small volume, high speed, standardization, network communication capability, stronger functions and higher reliability. Taking the S7-200 Smart series as an example: the microprocessor, integrated power supply, input circuit and output circuit are combined in a compact housing to form a Micro PLC with powerful functions. After the user program is downloaded, the CPU contains the logic needed to monitor the input and output devices in the application;
the second integrates industrial control and data acquisition components into products originally used for network communication, such as the macro industrial router series and industrial wireless DTU series originally used for M2M (machine-to-machine) communication; this field is one of the predecessors and most important business links of the internet of things. The industrial wireless DTU is based on the GPRS data communication network; it is a wireless terminal device dedicated to converting serial port data into IP data, or IP data into serial port data, and transmitting it through the wireless communication network, and it is widely used today in industries such as electric power, environmental monitoring, vehicle-mounted systems, water conservancy, meteorology, street lamp monitoring, heating pipe networks, coal mines and oil fields. The industrial router is developed on the basis of 3G/4G wireless communication; it adopts a wide-voltage and electromagnetic-compatibility design, supports 4G, 3G and 2.5G network systems, dual-mode dual SIM cards, a built-in 4G wireless WIFI module and APN/VPDN private network access, and uses the public 2G/3G/4G wireless network to give users a long-distance wireless data transmission function with faster and more stable transmission rates, stable 7 x 24 h operation, better suitability for harsh environments, and remote management/maintenance/upgrading, reducing the operation and maintenance cost of the enterprise. It is widely used in finance, media, traffic, vehicle-mounted systems, electric power, environmental protection, industrial automation, commercial chains and other industries.
Firstly, the construction of the industrial internet is aimed at building an industrial big data platform; otherwise no network effect or innovative application can form. Secondly, in order to provide large-scale data application services as a platform, an open-source protocol must be used; otherwise users and application developers pay a huge learning cost in the face of numerous closed-source/semi-closed-source protocols, which is obviously not beneficial to the development of the platform. The existing INDIS industrial big data platform uses open-source protocols (MQTT and RESTful).
But this causes a data security problem, because plaintext data carried by open-source protocols is very easily recognized, captured, copied and tampered with when transmitted over the internet.
Existing similar products generally address this security risk by using a closed-source private protocol, such as S7 and PPI (both Siemens series), DDP (DTU DSC Protocol, generally defined by DTU manufacturers such as macro-electricity and hankotai), LoRaWAN (LoRa series) and the like. Their advantages and disadvantages are obviously as described above; in addition, a private protocol is a common product feature used to increase user stickiness, and is not beneficial to the development of an industrial internet platform.
Further, since the private protocol is by nature still plaintext data, and only the closed source creates an information asymmetry, cracking products aimed specifically at private protocols have appeared on the market. The appearance of a cracking product causes all products using the same protocol, or related products in the same series, to face security risks, and the number of connections in the industrial internet is considered to be one order of magnitude higher than that of the existing internet. Exposure of the same protocol or series of related products to security risks will therefore result in an order of magnitude higher direct loss and hazard, not counting indirect loss and hazard.
In summary, the challenge encountered in constructing the existing industrial internet is that generality and security cannot both be achieved under the existing framework. The mainstream solution sacrifices versatility to ensure security. Because the industrial internet is still in its initial construction stage, all related enterprises in the industrial data acquisition industry are developing their own data exchange standards such as protocols and interfaces in order to take the market, and universality is not seriously considered. However, the next stage of industrial internet development must be both universal and secure, as was the case in the earlier development of mobile communication networks.
Disclosure of Invention
The invention aims to provide a data acquisition gateway full-isolation method to solve the problems in the background technology.
In order to achieve the purpose, the invention adopts the following technical scheme:
A data acquisition gateway full-isolation method, characterized in that a data encryption module is added to the data acquisition terminal to encrypt the uploaded data, and the data is decrypted on the big data platform by dedicated software, so that data transmission is protected; the encryption module is connected to the MCU and to the communication module through a serial port; the encryption and isolation scheme for industrial internet data acquisition comprises the following design steps:
S1. Overall structure design:
the data acquisition terminal collects enterprise data and sends it through the MCU to the GPRS transmission module, which sends it to the big data platform; the enterprise data may face the risks of theft and leakage during transmission and needs confidentiality protection;
a data encryption module is added to the data acquisition terminal to encrypt the uploaded data, and the data is decrypted on the big data platform by dedicated software, so that the data is protected in transit; the encryption module is connected through the serial port;
S2. Encryption module hardware design:
considering area, power consumption and cost, the encryption module is realized as a dedicated algorithm SoC chip plus a standard interface; the main functions are realized by the algorithm chip, which comprises a master control CPU, a cryptographic algorithm operation unit, a key storage unit, an interface module and the like; the standard interface carries the data exchange between the encryption module and the acquisition terminal and between the encryption module and the transmission module; in this way the encryption module consists mainly of the algorithm chip and its supporting components; the cipher SoC chip is provided with two rows of 1 x 5 pins, the module area is within 2 cm x 2 cm, the data encryption module communicates with the outside over UART, the module needs to be powered externally, and the module uses two single-row 1 x 5 pin headers with a pitch of 2.54 mm;
S3. Encryption module working mode design:
the encryption module can be designed into two different working modes in the terminal: serial mode and parallel mode;
Serial mode:
in the serial mode, the encryption module is an independent unit connected in series on the data path; the MCU sends the acquired data to the encryption module, which encrypts and encapsulates the data and sends it to the communication module for transmission; in this mode the encryption module does more work, and it can erect a technical barrier against cases such as a terminal manufacturer sending the enterprise data in plaintext to other service platforms; the data encryption module needs to do the following development work:
1) standardize the cryptographic module-MCU interface: the MCU is the master device and the cryptographic module is the slave device; the communication interface between the MCU and the cryptographic module is defined and realized in the form of AT commands, and the main interfaces comprise network connection parameter configuration, connecting to the platform server, sending data, requesting time correction data and the like;
2) realize the encryption function, including key agreement, data encryption and the like;
3) encapsulate the MQTT protocol: realize the MQTT client function, connect to the platform server, and hand the encrypted payload data to the GPRS module for sending;
4) drive the GPRS module and send and receive data: the driver connects the GPRS module to the cloud platform, sends data and receives timing data; in addition, since the GPRS module is a passive communication device driven by the cryptographic module, if different device manufacturers select different wireless communication modules, the cryptographic module must be adapted and developed for each of them;
Parallel mode:
in the parallel mode, the encryption module serves only as a cryptographic operation unit: the MCU hands the data to be encrypted to the encryption module, reads back the encrypted data, and packages and transmits it; the encryption module only performs the encryption, and the data packaging is done by the MCU;
S4. Cipher key design:
the cipher chip selected for the encryption module provides the common national-standard algorithms SM2, SM3, SM4 and the like, can realize different encryption modes such as symmetric encryption and public-key encryption, and can realize different key management modes such as preset keys and key agreement; in order to simplify the user management process and improve the decryption efficiency on the big data platform side, the mode of symmetric encryption plus preset keys is adopted;
the encryption module uses a symmetric algorithm; the encryption keys are preset in the chip and assigned per module, so that different modules have different encryption keys; the chip has added security protection measures so that the encryption key cannot be read from outside; when the encryption module is produced and leaves the factory, internal key initialization must be completed: an ID and an encryption key are generated internally, and the encryption key and ID are submitted to the decryption program of the big data platform for decrypting data; on the big data platform, the encryption keys of all encryption modules are stored encrypted to prevent leakage;
the algorithm chip provides rich algorithm operation units, and the embedded CPU can also change the key matching mode; if the key usage mode needs to be changed later, the required functions can be realized by a software upgrade without changing the hardware, which improves flexibility;
S5. Management flow design:
equipment production: the data acquisition terminal is divided mainly into the acquisition terminal and the encryption module; a standard interface is defined between them, and they are produced by different manufacturers and purchased separately; after the encryption module is produced, it must be initialized to generate an equipment ID and an encryption key, and the ID and the corresponding encryption key are submitted and stored encrypted;
equipment assembly: the acquisition terminal and the encryption module are assembled together and then delivered to the user manufacturer.
Communication flow:
Encryption module:
(1) power on the equipment and read the equipment ID and the encryption key;
(2) the encryption module encrypts the agreed fixed plaintext data with the encryption key to obtain data_en;
(3) send (ID, data_en) to the big data platform as handshake data;
Big data platform:
(1) establish a connection with the terminal equipment;
(2) receive the handshake data (ID, ciphertext);
(3) according to the ID, obtain the stored (encrypted) encryption key of that encryption terminal and decrypt it to obtain the key in plaintext;
(4) decrypt data_en with the encryption key to obtain data;
(5) check whether data equals the agreed fixed data; if not, disconnect; if so, the connection is established and subsequent data is decrypted with this encryption key.
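As an added illustration of the S4 key design and of the communication flow above (example code written for this page, not part of the patent or of any vendor's firmware), the following Go program models both sides of the handshake. AES-256-GCM stands in for the chip's SM4 because SM4 is not in Go's standard library; the module ID, the fixed plaintext string and the 32-byte keys are constructed values, and the names ModuleHandshake, Platform, Enroll and AcceptHandshake are this example's own. As S4 requires, the platform keeps every module key only encrypted under a platform master key and unwraps it just long enough to check the handshake.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const fixedPlaintext = "GATEWAY-HANDSHAKE-V1" // the "agreed fixed plaintext" (constructed)

// AES-256-GCM stands in for the chip's SM4 (not in Go's standard library); the logic below is cipher-agnostic.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates pt under a fresh random nonce (prefixed to the output).
func seal(key, pt []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, nil), nil
}

// open reverses seal; it fails on a wrong key or any modification.
func open(key, sealed []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

func randomKey() []byte {
	k := make([]byte, 32) // the factory's key initialisation for one module
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// ModuleHandshake is what the chip does at power-on (module steps (1)-(3)):
// read ID and preset key, encrypt the fixed plaintext, emit (ID, data_en).
func ModuleHandshake(id string, presetKey []byte) (string, []byte, error) {
	dataEn, err := seal(presetKey, []byte(fixedPlaintext))
	return id, dataEn, err
}

// Platform is the big-data side: module keys are stored only wrapped under a platform master key.
type Platform struct {
	master   []byte
	keyStore map[string][]byte // module ID -> wrapped (encrypted) module key
}

func NewPlatform() *Platform { return &Platform{master: randomKey(), keyStore: map[string][]byte{}} }

// Enroll stores a factory-submitted (ID, key) pair with the key encrypted at rest.
func (p *Platform) Enroll(id string, key []byte) error {
	wrapped, err := seal(p.master, key)
	if err == nil {
		p.keyStore[id] = wrapped
	}
	return err
}

// AcceptHandshake runs platform steps (3)-(5): fetch the wrapped key by ID,
// unwrap it, decrypt data_en and compare with the fixed value. On success it
// returns the module key, which then decrypts that module's later uploads.
func (p *Platform) AcceptHandshake(id string, dataEn []byte) ([]byte, error) {
	key, err := open(p.master, p.keyStore[id]) // an unknown ID has no wrapped key and fails here
	if err != nil {
		return nil, fmt.Errorf("no usable key for module ID %q: disconnect", id)
	}
	plain, err := open(key, dataEn)
	if err != nil || string(plain) != fixedPlaintext {
		return nil, fmt.Errorf("handshake check failed for %q: disconnect", id)
	}
	return key, nil
}

func main() {
	p, key := NewPlatform(), randomKey() // factory initialises module GW-0001 and submits its key
	_ = p.Enroll("GW-0001", key)
	id, dataEn, _ := ModuleHandshake("GW-0001", key)
	_, err := p.AcceptHandshake(id, dataEn)
	fmt.Println("handshake accepted:", err == nil)
}
```

The master key is generated in memory here; in a deployment it would live in the platform's key-management service, and the handshake check is the only point at which a module key is unwrapped. Because seal draws a fresh nonce for every message, data_en differs on each power-up even though the plaintext it protects is fixed, and the authentication tag makes a truncated or altered handshake fail the comparison rather than decrypt to garbage.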
Preferably, in S3, in the serial mode, the data encryption module needs to perform the following development work:
1) standardize the cryptographic module-MCU interface: the MCU is the master device and the cryptographic module is the slave device; the communication interface between the MCU and the cryptographic module is defined and realized in the form of AT commands, and the main interfaces comprise network connection parameter configuration, connecting to the platform server, sending data, requesting time correction data and the like;
2) realize the encryption function, including key agreement, data encryption and the like;
3) encapsulate the MQTT protocol: realize the MQTT client function, connect to the platform server, and hand the encrypted payload data to the GPRS module for sending;
4) drive the GPRS module and send and receive data: the driver connects the GPRS module to the cloud platform, sends data and receives timing data; in addition, since the GPRS module is a passive communication device driven by the cryptographic module, if different device manufacturers select different wireless communication modules, the cryptographic module must be adapted and developed for each of them.
Preferably, in S3, in the parallel mode, the data encryption module needs to perform the following development work:
providing cryptographic service functions, including key agreement, data encryption and the like, to the MCU; the interface is standardized in the form of AT commands.
Preferably, in S3, the serial mode is compared with the parallel mode:
the serial design is equivalent to migrating functions of the original equipment manufacturer into the cryptographic module; for the equipment manufacturer, work that was already finished is handed over to the cryptographic module for redevelopment; for the platform, which originally interfaced with the equipment manufacturer, a second interfacing with the cryptographic equipment manufacturer is needed; overall, the main MCU of the original equipment already has the capability but it is abandoned, the cryptographic module has to add the function and may need to be replaced with a higher-end chip, and the development and debugging of protocol communication increases.
The technical effects and advantages of the invention are as follows: compared with the prior art, the data acquisition gateway full-isolation method provided by the invention has the following advantages:
1. The challenge encountered in constructing the existing industrial internet is that universality and security cannot both be achieved under the existing framework. The mainstream solution is to sacrifice versatility to ensure security; the encryption isolation design of this scheme solves both problems at the same time;
2. Universality: because the data acquisition gateway uses an open-source protocol, the original ease of development and ease of access are not sacrificed;
3. Security: because an encryption chip is used, data actually travels through the network as ciphertext, which has three advantages:
(1) even if the ciphertext is intercepted, it is difficult to crack, so security vulnerabilities such as tampering and theft are difficult to produce;
(2) even if the ciphertext is cracked, because the encryption chip follows a one-machine-one-key architecture, the security hole exists only in that single machine and cannot spread to the many machines of the same series; the potential safety hazard is therefore relatively controllable;
(3) the ciphertext can be restored to plaintext only by the corresponding decryption mechanism, so if a hidden passage such as a backdoor is concealed in the communication system it is automatically rendered useless, and only a data destination with the corresponding decryption mechanism deployed can obtain useful information;
4. Standardization: because the encryption chip uses universal interfaces such as UART, the industrial data acquisition system can be designed as separate data acquisition, data encryption and data transmission parts. The integrated design that is mostly adopted today is abandoned; each part can be designed independently and produced in a standardized way, which reduces cost.
Drawings
FIG. 1 is a schematic diagram of a prior art industrial data acquisition architecture;
FIG. 2 is a schematic diagram of an industrial Internet data acquisition encryption isolation scheme of the present invention;
FIG. 3 is a schematic diagram of a data acquisition encryption isolation chip according to the present invention;
FIG. 4 is a schematic diagram of the physical dimensions of the data acquisition encryption isolation chip of the present invention;
FIG. 5 is a schematic diagram of the serial operating mode of the encryption isolation chip according to the present invention;
FIG. 6 is a schematic diagram of a parallel operation mode of the encryption isolation chip according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to FIG. 2 to FIG. 6; obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. The specific embodiments described herein are merely illustrative of the invention and are not intended to limit it. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
The invention provides a data acquisition gateway full-isolation method, characterized in that a data encryption module is added to the data acquisition terminal to encrypt the uploaded data, and the data is decrypted on the big data platform by dedicated software, so that the data is protected in transit; the encryption module is connected to the MCU and to the communication module through a serial port; the encryption and isolation scheme for industrial internet data acquisition comprises the following design steps:
S1. Overall structure design:
the data acquisition terminal collects enterprise data and sends it through the MCU to the GPRS transmission module, which sends it to the big data platform; the enterprise data may face the risks of theft and leakage during transmission and needs confidentiality protection;
a data encryption module is added to the data acquisition terminal to encrypt the uploaded data, and the data is decrypted on the big data platform by dedicated software, so that the data is protected in transit; the encryption module is connected to the MCU and to the communication module through a serial port, and its position in the acquisition terminal is shown in FIG. 2;
in the design of the encryption scheme, based on the principles of security, usability and economy, changes to the original system are reduced as much as possible while data security is ensured, a standard interface is used, and the implementation cost is controlled, which facilitates the application and popularization of the encryption scheme;
S2. Encryption module hardware design:
considering area, power consumption and cost, the encryption module is realized as a dedicated algorithm SoC chip plus a standard interface; the main functions are realized by the algorithm chip, which comprises a master control CPU, a cryptographic algorithm operation unit, a key storage unit, an interface module and the like; the standard interface carries the data exchange between the encryption module and the acquisition terminal and between the encryption module and the transmission module; in this way the encryption module consists mainly of the algorithm chip and its supporting components, which simplifies the design and reduces area and cost; the hardware block diagram of the encryption module is shown in FIG. 3; the cipher SoC chip is provided with two rows of 1 x 5 pins, and the module area is within 2 cm x 2 cm;
because the data encryption module communicates with the outside over UART, the module needs to be powered externally; it uses two single-row 1 x 5 pin headers with a pitch of 2.54 mm, and the interface it presents to the outside is shown in the following table:
the physical dimensions of the modules are shown in FIG. 4;
S3. Encryption module working mode design:
the encryption module can be designed into two different working modes in the terminal: a serial mode and a parallel mode;
3.1 Serial mode
In the serial mode, the data flow is as shown in FIG. 5;
in the serial mode, the encryption module is an independent unit connected in series on the data path; the MCU sends the acquired data to the encryption module, which encrypts and encapsulates the data and sends it to the communication module for transmission; in this mode the encryption module does more work, and it can erect a technical barrier against cases such as a terminal manufacturer sending the enterprise data in plaintext to other service platforms;
(External interface table referenced in S2: columns "pin 1 signal definition" and "pin 2 signal definition"; the table body is not reproduced in this extraction.)
In the serial mode, the data encryption module needs to do the following development work:
1) standardize the cryptographic module-MCU interface: the MCU is the master device and the cryptographic module is the slave device; the communication interface between the MCU and the cryptographic module is defined and realized in the form of AT commands, and the main interfaces comprise network connection parameter configuration, connecting to the platform server, sending data, requesting time correction data and the like;
2) realize the encryption function, including key agreement, data encryption and the like;
3) encapsulate the MQTT protocol: realize the MQTT client function, connect to the platform server, and hand the encrypted payload data to the GPRS module for sending;
4) drive the GPRS module and send and receive data: the driver connects the GPRS module to the cloud platform, sends data and receives timing data; in addition, since the GPRS module is a passive communication device driven by the cryptographic module, if different device manufacturers select different wireless communication modules, the cryptographic module must be adapted and developed for each of them;
3.2 Parallel mode
In the parallel mode, the encryption module serves only as a cryptographic operation unit: the MCU hands the data to be encrypted to the encryption module, reads back the encrypted data, and packages and transmits it; the encryption module only performs the encryption, and the data packaging is done by the MCU;
in the parallel mode, the data flow is as shown in FIG. 6;
in the parallel mode, the data encryption module needs to do the following development work:
1) providing cipher service functions including key agreement, data encryption and the like for the MCU; standardizing an interface in an AT instruction mode;
3.3 two Module comparison
The serial design is equivalent to the function of the original equipment manufacturer to be migrated to the cryptographic module; for equipment manufacturers, the finished things are drawn to deliver the cryptographic module for development; for the platform, after the platform is originally connected with a manufacturer in an butt joint mode, the platform needs to be connected with a password equipment manufacturer in a butt joint mode for the second time; in the whole, the main MCU of the original equipment has the capability, is abandoned, and the cryptographic module increases the function, needs to replace a high-end chip and increases the development and debugging of protocol communication; therefore, the serial mode development workload is slightly more, and the cycle is slightly longer;
S4, key design:
The cryptographic chip selected for the encryption module provides the commonly used national standard algorithms SM2, SM3, SM4 and the like; it can implement different encryption modes such as symmetric encryption and public-key encryption, and different key management modes such as preset keys and key agreement. To simplify user management and improve decryption efficiency on the big data platform side, symmetric encryption with preset keys is adopted;
The encryption module uses a symmetric algorithm; the encryption keys are preset in the chip and assigned per module, so that different modules have different keys. The chip includes security protection measures, and the encryption key cannot be read from outside. When the encryption module is produced and leaves the factory, internal key initialization must be completed: an ID and an encryption key are generated inside the chip, and the ID and key are submitted to the big data platform's decryption program for decrypting data. On the big data platform, the encryption keys of all encryption modules are stored in encrypted form to prevent leakage;
The algorithm chip provides a rich set of algorithm operation units, and its embedded CPU can also change the way the key is used; if the key usage mode needs to change later, the required functions can be delivered by a software upgrade without changing the hardware, which improves flexibility;
S5, management flow design:
5.1 Equipment production
The data acquisition terminal is divided mainly into the acquisition terminal and the encryption module, with a standard interface defined between them; the two are produced by different manufacturers and purchased separately;
After the encryption module is produced, an initialization operation is required: an equipment ID and an encryption key are generated, and the ID with its corresponding encryption key is submitted and stored in encrypted form;
5.2 Equipment assembly
The acquisition terminal and the encryption module are assembled together and then delivered to the user manufacturer;
5.3 Communication flow
1) Encryption module
(1) On power-up, read the equipment ID and the encryption key;
(2) the encryption module encrypts the agreed fixed plaintext data with the encryption key to obtain data_en;
(3) send (ID, data_en) to the big data platform as handshake data;
2) Big data platform
(1) Establish a connection with the terminal equipment;
(2) receive the handshake data (ID, ciphertext);
(3) look up, by ID, the stored ciphertext of that terminal's encryption key and decrypt it to recover the key in plaintext;
(4) decrypt data_en with the encryption key to obtain data;
(5) compare whether data equals the agreed fixed data; if not, disconnect; if so, the connection is established and subsequent data is decrypted with the encryption key.
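The handshake of 5.3 and the key handling of S4, carried through end to end as an added example (not code from the patent): the module's preset key encrypts an agreed fixed plaintext, the platform unwraps that module's key from encrypted storage by ID, decrypts, compares, and only then accepts further data. SM4 is not in the Python standard library, so an HMAC-SHA256 counter-mode keystream stands in for the chip's symmetric algorithm; the authentication tag, the `FIXED_HANDSHAKE_DATA` value and all class and function names are assumptions made here.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32
# Agreed fixed plaintext for the handshake, step (2); constructed value.
FIXED_HANDSHAKE_DATA = b"GATEWAY-HANDSHAKE-V1"


def _keystream_xor(key, nonce, data):
    # XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for SM4).
    out = bytearray()
    for block_no, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, b"enc" + nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key, plaintext):
    # Returns nonce || ciphertext || tag; the tag is an addition to the text's scheme.
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    # Constant-time tag check, then decrypt; ValueError on a wrong key or tampering.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)


class EncryptionModule:
    """Terminal side: ID and key are generated inside the module at the factory (S4, 5.1)."""
    def __init__(self):
        self.device_id = secrets.token_hex(8)
        self._key = secrets.token_bytes(32)  # one key per module, not readable afterwards

    def factory_record(self):
        # (ID, key) submitted once, at production, to the platform's decryption program.
        return self.device_id, self._key

    def handshake(self):
        # Steps (2)-(3): encrypt the agreed fixed plaintext and send (ID, data_en).
        return self.device_id, encrypt(self._key, FIXED_HANDSHAKE_DATA)


class BigDataPlatform:
    """Platform side: device keys are stored only encrypted under a platform master key."""
    def __init__(self, master_key):
        self._master_key = master_key
        self._wrapped_keys = {}
        self._sessions = set()

    def register(self, device_id, key):
        self._wrapped_keys[device_id] = encrypt(self._master_key, key)

    def _device_key(self, device_id):
        # Step (3): look up the key ciphertext by ID and decrypt it with the master key.
        return decrypt(self._master_key, self._wrapped_keys[device_id])

    def accept_handshake(self, device_id, data_en):
        # Steps (4)-(5): True keeps the connection, False means disconnect.
        try:
            data = decrypt(self._device_key(device_id), data_en)
        except (KeyError, ValueError):  # unknown ID, wrong key or tampered data
            return False
        # Proves possession of the key only; the text has no freshness check against replays.
        if not hmac.compare_digest(data, FIXED_HANDSHAKE_DATA):
            return False
        self._sessions.add(device_id)
        return True

    def decrypt_payload(self, device_id, blob):
        # Later data is decrypted only for terminals whose handshake succeeded.
        if device_id not in self._sessions:
            raise PermissionError("handshake not completed")
        return decrypt(self._device_key(device_id), blob)
```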
In this scheme, the encryption chip design: whether the data acquisition system works in the serial mode or the parallel mode, the encryption chip design can be regarded as the data acquisition system adopting encryption at the data acquisition gateway with decryption at the server, where the encryption at the data acquisition gateway is completed by a single module or chip;
Physical size of the encryption chip: the module's original physical size, and scaling of it up or down; definition and arrangement of the pins;
Encryption chip communication protocol: the communication flow, the protocol commands and the internal algorithm are specified.
There are two main alternative directions: augmenting the structure and reducing it.
Augmented structure: the encryption chip takes on more functions. It may mainly integrate the communication transmission part to become an encrypted transmission unit, similar to a VPN (virtual private network) or a leased line; or integrate the upstream data acquisition part to become an encrypted acquisition unit, similar to acquisition equipment using a proprietary protocol; or integrate software and hardware completely to form a closed, secure acquisition unit.
Reduced structure: the encryption chip's functions are simplified, for example it only stores the key and no encryption algorithm is deployed on it; or some simple encryption algorithm may be used to provide part of the security features.
In summary, the scheme offers the following:
1. The challenge in building the existing industrial internet is that generality and security cannot both be achieved under the existing framework; the mainstream solution sacrifices generality to ensure security. The encryption isolation design of this scheme addresses both at the same time;
2. Generality: because the data acquisition gateway uses an open-source protocol, its original ease of development and ease of access are not sacrificed;
3. Security: because an encryption chip is used, data actually travels through the network as ciphertext, which has three advantages:
(1) even if the ciphertext is intercepted, it is difficult to crack, so security problems such as tampering and theft are difficult to cause;
(2) even if the ciphertext of one device is cracked, because the encryption chip architecture uses one key per device, the security hole is confined to that single device and cannot spread across many devices of the same series, so the potential risk is relatively controllable;
(3) the ciphertext can be restored to plaintext only by the corresponding decryption mechanism, so if covert channels such as backdoors exist in the communication system they are automatically rendered useless, and only a data destination that deploys the corresponding decryption mechanism can obtain meaningful information;
4. Standardization: the encryption chip uses universal interfaces such as UART, so the industrial data acquisition system can be designed as separate data acquisition, data encryption and data transmission parts. The integrated design that is mostly adopted today is abandoned; each part can be designed independently and produced in a standardized way, which reduces cost.
Finally, it should be noted that although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments or to portions thereof without departing from the spirit and scope of the invention.
Claims (3)
1. A data acquisition gateway full-isolation method, characterized in that a data encryption module is added to the data acquisition terminal to encrypt uploaded data, and the data is decrypted on the big data platform by special software, so as to protect the data in transmission; the encryption module is connected to the MCU and the communication module through a serial port; the technical scheme for encrypting and isolating industrial internet data acquisition comprises the following steps:
S1, overall structure design:
The data acquisition terminal collects enterprise data and sends it through the MCU to the GPRS transmission module, which forwards it to the big data platform; enterprise data may be at risk of theft and leakage during transmission and needs confidentiality protection;
A data encryption module is added to the data acquisition terminal to encrypt the uploaded data, and the data is decrypted on the big data platform by special software to protect it in transmission; the encryption module is connected through the serial port;
S2, encryption module hardware design:
Considering area, power consumption and cost, the encryption module is implemented as a dedicated algorithm SoC chip plus a standard interface; the main functions are provided by the algorithm chip, which contains a master control CPU, a cryptographic algorithm operation unit, a key storage unit and an interface module; the standard interface handles data exchange between the encryption module and the acquisition terminal, and between the encryption module and the transmission module; thus the encryption module mainly consists of the algorithm chip and its supporting components; the cryptographic SoC chip is fitted with two rows of 1×5 header pins, the module area is within 2 cm × 2 cm, the data encryption module communicates externally over UART, the module requires an external power supply, and it uses two single-row 1×5 header pins with a 2.54 mm pitch;
S3, working mode of the encryption module:
The encryption module can be designed to work in the terminal in either of two modes: serial mode and parallel mode:
Serial mode:
In the serial mode, the encryption module is an independent unit inserted in series in the data path; the MCU sends the acquired data to the encryption module, which encrypts and encapsulates it and passes it to the communication module for transmission; in this mode the encryption module takes on more of the work, and it creates a technical barrier against terminal manufacturers sending enterprise data in plaintext to other service platforms; the data encryption module needs to do the following development work:
1) Standardize the interface between the cryptographic module and the MCU: the MCU acts as the master device and the cryptographic module as the slave device; the communication interface between them is defined and implemented as AT commands, the main commands covering network connection parameter configuration, connecting to the platform server, sending data and requesting time synchronization data;
2) Implement the encryption functions, including key agreement and data encryption;
3) Encapsulate the MQTT protocol: implement the MQTT client function, connect to the platform server, and hand the encrypted payload data to the GPRS module for sending;
4) Drive the GPRS module and handle its data transmission and reception: the driver connects the GPRS module to the cloud platform, sends data and receives time synchronization data; in addition, the GPRS module is a passive communication device driven by the cryptographic module, so if different equipment manufacturers choose different wireless communication modules, the cryptographic module must be adapted and developed separately for each of them;
Parallel mode:
In the parallel mode, the encryption module serves only as a cryptographic operation unit: the MCU hands the data to be encrypted to the encryption module, reads back the ciphertext, and packages and transmits it itself; the encryption module performs only the encryption, and the packaging of data is done by the MCU;
S4, key design:
The cryptographic chip selected for the encryption module provides the commonly used national standard algorithms SM2, SM3 and SM4; it can implement the different encryption modes of symmetric encryption and public-key encryption, and the different key management modes of preset keys and key agreement. To simplify user management and improve decryption efficiency on the big data platform side, symmetric encryption with preset keys is adopted;
The encryption module uses a symmetric algorithm; the encryption keys are preset in the chip and assigned per module, so that different modules have different keys. The chip includes security protection measures, and the encryption key cannot be read from outside. When the encryption module is produced and leaves the factory, internal key initialization must be completed: an ID and an encryption key are generated inside the chip, and the ID and key are submitted to the big data platform's decryption program for decrypting data. On the big data platform, the encryption keys of all encryption modules are stored in encrypted form to prevent leakage;
The algorithm chip provides a rich set of algorithm operation units, and its embedded CPU can also change the way the key is used; if the key usage mode needs to change later, the required functions can be delivered by a software upgrade without changing the hardware, which improves flexibility;
S5, management flow design:
Equipment production: the data acquisition terminal is divided mainly into the acquisition terminal and the encryption module, with a standard interface defined between them; the two are produced by different manufacturers and purchased separately; after the encryption module is produced, an initialization operation is required: an equipment ID and an encryption key are generated, and the ID with its corresponding encryption key is submitted and stored in encrypted form;
Equipment assembly: the acquisition terminal and the encryption module are assembled together and then delivered to the user manufacturer;
Communication flow:
Encryption module:
(1) On power-up, read the equipment ID and the encryption key;
(2) the encryption module encrypts the agreed fixed plaintext data with the encryption key to obtain data_en;
(3) send (ID, data_en) to the big data platform as handshake data;
Big data platform:
(1) Establish a connection with the terminal equipment;
(2) receive the handshake data (ID, ciphertext);
(3) look up, by ID, the stored ciphertext of the encryption key corresponding to that terminal and decrypt it to recover the key in plaintext;
(4) decrypt data_en with the encryption key to obtain data;
(5) compare whether data equals the agreed fixed data; if not, disconnect; if so, the connection is established and subsequent data is decrypted with the encryption key.
2. The data acquisition gateway full-isolation method according to claim 1, wherein in S3, in the serial mode, the data encryption module needs to do the following development work:
1) Standardize the interface between the cryptographic module and the MCU: the MCU acts as the master device and the cryptographic module as the slave device; the communication interface between them is defined and implemented as AT commands, the main commands covering network connection parameter configuration, connecting to the platform server, sending data and requesting time synchronization data;
2) Implement the encryption functions, including key agreement and data encryption;
3) Encapsulate the MQTT protocol: implement the MQTT client function, connect to the platform server, and hand the encrypted payload data to the GPRS module for sending;
4) Drive the GPRS module and handle its data transmission and reception: the driver connects the GPRS module to the cloud platform, sends data and receives time synchronization data; in addition, the GPRS module is a passive communication device driven by the cryptographic module, so if different equipment manufacturers choose different wireless communication modules, the cryptographic module must be adapted and developed separately for each of them.
3. The data acquisition gateway full-isolation method according to claim 1, wherein in S3, in the parallel mode, the data encryption module needs to do the following development work:
providing cryptographic service functions, including key agreement and data encryption, to the MCU, with the interface standardized as AT commands.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910319489.1A CN110061989B (en) | 2019-04-19 | 2019-04-19 | Data acquisition gateway full-isolation method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110061989A CN110061989A (en) | 2019-07-26 |
CN110061989B true CN110061989B (en) | 2021-07-13 |
Family
ID=67319803
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910319489.1A Active CN110061989B (en) | 2019-04-19 | 2019-04-19 | Data acquisition gateway full-isolation method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110061989B (en) |
- 2019-04-19 CN CN201910319489.1A patent/CN110061989B/en active Active
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |