CN103581173B - Safe data transmission method, system and device based on industrial Ethernet - Google Patents

Info

Publication number
CN103581173B
CN103581173B
Authority
CN
China
Prior art keywords
information
message
industrial protocol
data message
data
Legal status
Active
Application number
CN201310412456.4A
Other languages
Chinese (zh)
Other versions
CN103581173A (en)
Inventor
丁杰
孔勇
马化
马化一
仁参考
李硕
张俭锋
薛百华
Current Assignee
Shanghai Dongtu vision Industrial Technology Co. Ltd.
Kyland Technology Co Ltd
Original Assignee
Kyland Technology Co Ltd
Events
Application filed by Kyland Technology Co Ltd
Priority to CN201310412456.4A
Publication of CN103581173A
Application granted
Publication of CN103581173B
Legal status: Active

Landscapes

  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a safe data transmission method, system and device based on industrial Ethernet, aiming to solve the problem that, during data transmission in existing industrial Ethernet, a receiving terminal cannot verify the identity of the transmitting terminal and the safety of the data transmission cannot be guaranteed. In the method, when the transmitting terminal sends data information it also sends its digital signature and information to be verified; the conversion (switching) equipment performs a primary verification of the transmitting terminal's identity using the timestamp information and key information contained in the information to be verified, performs a secondary verification of its identity using the digital signature, and, once the transmitting terminal has passed identity verification, checks the safety of the data information against the industrial protocol information of the data information. Because both the transmitting terminal and the data information are examined comprehensively, the identity of the transmitting terminal is verified and the safety of the data information is also checked, so the safety of data transmission in industrial Ethernet is improved.

Description

A data safe transmission method, system and device based on industrial Ethernet (EPA)
Technical field
The present invention relates to the field of industrial Ethernet technology, and in particular to a secure data transmission method, system and device based on industrial Ethernet.
Background technology
With the rapid development of communication technology, information networks have become an important guarantee of social development. Because of the expansion of networking scale and the diversification of networking models, the requirements on the processing and interconnection ability of network systems keep rising. But as interconnection ability and information-flow capacity improve, security problems based on network connections also become increasingly prominent.
Industrial Ethernet is Ethernet technology applied to the field of industrial control. With its strong applicability, high real-time performance, high interoperability, high reliability and resistance to interference, it meets the high safety and reliability requirements of the industrial site. With the rapid development of the convergence of industrialization and informatization and of the Internet of Things, the security problems faced by industrial control systems are increasingly serious, and how to guarantee the security of data transmission in industrial Ethernet will be a major issue that the industrial field urgently needs to solve.
When data is transmitted over industrial Ethernet it is usually transmitted in plaintext. Taking the issuing of a data whitelist as an example: when a data whitelist is transmitted, equipment such as the switch at the far end is generally monitored and managed remotely over the network. When a first switch device logs in to a second switch device, the second switch device verifies that the first switch device belongs to the administrator by means of the administrator's username and password, and once this verification passes the first switch device can freely distribute policies, such as data whitelist information, to the second switch device.
In the prior art the second switch device generally does not verify the identity of the first switch device: as long as the first switch device can enter the correct username and password, it can transmit a data whitelist to the second switch device over the network. With this method the second switch device receiving the data whitelist cannot determine whether the data whitelist was really sent to it by the corresponding administrator, and even if the identity of the first switch device is authenticated, it still cannot determine whether the data whitelist itself is safe.
Therefore, during data transmission in existing industrial Ethernet, the identity of the transmitting terminal cannot be verified, so it cannot be determined whether the received data is reliable, which leads to serious potential safety hazards; and even if the identity of the transmitting terminal passes verification, the data information it sends lacks any further means of detection. The safety of data transmission in industrial Ethernet therefore cannot be guaranteed.
Content of the invention
The embodiments of the present invention provide a data safe transmission method, system and device based on industrial Ethernet, in order to solve the problem in the prior art that, when data is transmitted through the switching equipment of industrial Ethernet, the receiving terminal cannot authenticate the identity of the transmitting terminal and the safety of the data cannot be guaranteed.
An embodiment of the present invention provides a data safe transmission method based on industrial Ethernet. The method includes:
the switching equipment receives a message sent by other equipment, wherein said message includes a data message, its digital signature, timestamp information and key information;
extracting the timestamp information in said message and verifying the message with it, and verifying the message according to the stored key information;
when the verification passes, decrypting the digital signature with the public key the switching equipment stores to obtain the corresponding hash value, and performing a hash operation on the data message to determine the hash value of the data message;
comparing the hash value of the data message with the hash value obtained after decryption;
when the hash value of the data message is judged to be consistent with the hash value obtained after decryption, extracting the industrial protocol information in said data message;
matching the extracted industrial protocol information against each item of industrial protocol information the switching equipment stores;
when the match succeeds, processing the data message.
An embodiment of the present invention provides a data safe transmission system based on industrial Ethernet. The system includes:
other equipment, for sending a message to the switching equipment, wherein said message includes a data message, its digital signature, timestamp information and key information;
switching equipment, for extracting the timestamp information in said message and verifying the message with it, and verifying the message according to the stored key information; when the verification passes, decrypting the digital signature with the public key it stores to obtain the corresponding hash value, and performing a hash operation on the data message to determine the hash value of the data message; comparing the hash value of the data message with the hash value obtained after decryption; when the hash value of the data message is judged consistent with the hash value obtained after decryption, extracting the industrial protocol information in said data message; matching the extracted industrial protocol information against each item of industrial protocol information it stores; and, when the match succeeds, processing the data message.
An embodiment of the present invention provides a secure data transmission device based on industrial Ethernet. The device includes:
a receiver module, for receiving the message sent by other equipment, wherein said message includes a data message, its digital signature, timestamp information and key information;
an authentication module, for extracting the timestamp information in said message and verifying the message with it, and verifying the message according to the stored key information; when the verification passes, decrypting the digital signature with the public key the device stores to obtain the corresponding hash value, and performing a hash operation on the data message to determine the hash value of the data message; comparing the hash value of the data message with the hash value obtained after decryption; when the hash value of the data message is judged consistent with the hash value obtained after decryption, extracting the industrial protocol information in said data message; and matching the extracted industrial protocol information against each item of industrial protocol information the device stores;
a processing module, for processing the data message when the match succeeds.
The embodiments of the present invention provide a data safe transmission method, system and device based on industrial Ethernet. In the method, the switching equipment receives a message sent by other equipment, wherein said message includes a data message, its digital signature, timestamp information and key information; it extracts the timestamp information in said message and verifies the message with it, and verifies the message according to the stored key information; when the verification passes, it decrypts the digital signature with the public key it stores to obtain the corresponding hash value, and performs a hash operation on the data message to determine the hash value of the data message; it compares the hash value of the data message with the hash value obtained after decryption; when the hash value of the data message is judged consistent with the hash value obtained after decryption, it extracts the industrial protocol information in said data message; it matches the extracted industrial protocol information against each item of industrial protocol information it stores; and when the match succeeds, it processes the data message. Because in the embodiments the switching equipment verifies the received data message against the verification information it stores, and performs a secondary verification of the data message by matching its industrial protocol information, the safety of the data message is verified, and the method therefore increases the safety of data transmission in the industrial network.
Brief description of the drawings
Fig. 1 is a schematic diagram of a secure data transmission process based on industrial Ethernet provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of one detailed implementation process of secure data transmission based on industrial Ethernet provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of another detailed implementation process of secure data transmission based on industrial Ethernet provided in an embodiment of the present invention;
Fig. 4 is a structural diagram of a data safe transmission system based on industrial Ethernet provided in an embodiment of the present invention;
Fig. 5 is a structural diagram of a secure data transmission device based on industrial Ethernet provided in an embodiment of the present invention;
Fig. 6 is a structural diagram of a secure data transmission device based on industrial Ethernet provided in an embodiment of the present invention.
Specific embodiment
In order to improve the reliability of data transfer in industrial Ethernet, the embodiments of the present invention provide a data safe transmission method, system and device based on industrial Ethernet.
The present invention is described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a secure data transmission process based on industrial Ethernet provided in an embodiment of the present invention. The process includes the following steps:
S101: The switching equipment receives a message sent by other equipment, wherein said message includes a data message, its digital signature, timestamp information and key information.
In the embodiment, in order to guarantee the safety of message transmission in industrial Ethernet, when other equipment sends a message to the switching equipment it determines the digital signature from the data message of this message, determines the transmission time of the message, and sends the timestamp information corresponding to that transmission time, the digital signature, the key information and the data message together to the switching equipment acting as the receiving terminal. The other equipment may be a node device such as a terminal or a sensor, or switching equipment such as a switch.
S102: Extract the timestamp information in said message and verify the message with it, and verify the message according to the stored key information; judge whether the verification passes. If it passes, proceed to step S103; otherwise discard the received data.
After the switching equipment receives the message sent by other equipment, it extracts the timestamp information and key information of the message and verifies the message with them; this mainly realizes the verification of the identity of the transmitting terminal. In the embodiment the switching equipment acting as the receiving terminal, when authenticating the transmitting equipment, may first verify the timestamp information and then the key information, or first verify the key information and then the timestamp information.
S103: Decrypt the digital signature with the stored public key to obtain the corresponding hash value, and perform a hash operation on the data message to determine the hash value of the data message.
After the identity of the transmitting terminal has been verified through the timestamp information and key information, in order to further increase the safety of data whitelist transmission, the embodiment also verifies the other equipment acting as the transmitting terminal by its digital signature, since the digital signature is generated from the data message of the message.
Specifically, when generating the digital signature, the other equipment acting as the transmitting terminal determines the hash value of the data message according to a hash algorithm and the data message, and then encrypts the determined hash value with the private key it stores to generate the digital signature. The transmitting terminal can then send the message containing the generated digital signature and the data message to the switching equipment acting as the receiving terminal.
S104: Compare the hash value of the data message with the hash value obtained after decryption and judge whether they are consistent. If so, proceed to step S105; otherwise determine that the data is unsafe and discard the message.
According to the generation process above, the digital signature is generated from the hash algorithm and the private key stored by the other equipment acting as the transmitting terminal. Therefore, when the receiving terminal verifies the identity of the transmitting terminal by the digital signature, the second switching equipment acting as the receiving terminal identifies the digital signature in the message containing the data message and its digital signature, decrypts the digital signature with the public key it stores to obtain the corresponding hash value, and then performs a hash operation on the data message to determine the hash value of the data message (the data whitelist in the running example).
The hash value of the data message is compared with the hash value obtained after decryption to judge whether the two are consistent. When they are consistent, it is confirmed that the transmitting terminal has the corresponding data-sending identity, which completes the identity authentication of the data transmitting terminal.
S105: When the hash value of the data message is judged consistent with the hash value obtained after decryption, extract the industrial protocol information in said data message.
After the identity authentication of the transmitting terminal has passed through the above flow, the safety of the data message contained in the message sent by the transmitting terminal needs to be verified further: the switching equipment extracts the industrial protocol information of the data message and verifies it. Said industrial protocol information includes an industrial protocol type feature code and an industrial protocol keyword.
S106: Match the extracted industrial protocol information against each item of industrial protocol information the switching equipment stores. When the match succeeds, proceed to step S107; otherwise determine that the data message is unsafe and discard the message.
The switching equipment acting as the receiving terminal obtains the industrial protocol information of the data message from the message sent by the other equipment acting as the transmitting terminal and matches it against each item of industrial protocol information it stores. Given the networking model of industrial Ethernet, only industrial protocol types supported by the switching equipment can be identified and processed in industrial Ethernet; when the industrial protocol information of the data message fails to match any entry in the switching equipment, the data message is illegal and presents a safety hazard, so the message is discarded.
S107: Process the data message of the message.
In the embodiment, the second switching equipment that receives the message sent by other equipment verifies the data message of the message by the timestamp information and key information, and verifies the data message by the public key it stores and the hash algorithm, thereby achieving the authentication of the transmitting terminal, because if the identity of the transmitting terminal is problematic the data whitelist will not pass verification. After the authentication of the transmitting terminal passes, the present invention verifies the extracted industrial protocol information of the message's data message, further verifying the safety of the data; only data that successfully matches the industrial protocol information the switching equipment stores can be processed further. The method therefore increases the safety of data transmission.
In order to increase the safety of data transfer in the embodiment, and to enable the switching equipment acting as the receiving terminal to authenticate the identity of the equipment acting as the transmitting terminal, when the other equipment acting as the transmitting terminal sends data to the switching equipment acting as the receiving terminal, the other equipment processes the data before sending it.
Specifically, the other equipment acting as the transmitting terminal performs a hash operation on the data message to be sent according to the hash algorithm it stores, determining the hash value of the data message. It then encrypts the determined hash value with the private key it stores to generate the digital signature, and appends the digital signature to the data message.
In addition, in the embodiment, in order to further increase the safety of data transfer and enable the receiving terminal to verify the identity of the transmitting terminal, the node device or switching equipment acting as the transmitting terminal also sends key information and the timestamp information corresponding to the transmission time of the message when it sends the data message and its digital signature.
Because the data safe transmission method provided in the embodiment is applied to industrial Ethernet, in which the master equipment and the other equipment are precisely synchronized through the IEEE 1588 protocol, very high clock synchronization accuracy can be maintained between all equipment. When the information to be verified is timestamp information, the other equipment acting as the transmitting terminal carries the timestamp information of the current time at which it sends the message in the message to be sent, and sends it together with the data message and its digital signature to the switching equipment acting as the receiving terminal.
When the switching equipment acting as the receiving terminal receives the timestamp information, the data message and its digital signature sent by the other equipment, it verifies them, and only when the verification passes is the identity of the transmitting terminal guaranteed to be safe. Specifically, when the information to be verified is timestamp information, extracting the timestamp information in said message and verifying the message with it includes:
the switching equipment obtains the source address information of the message from the message, wherein the source address information includes source IP information or source MAC information;
determining the link delay between the equipment according to said source address information and its own address information;
verifying the message according to said link delay, the extracted timestamp information, the current receiving time information and the stored time threshold information.
Specifically, verifying the message according to said link delay, the extracted timestamp information, the current receiving time information and the stored time threshold information includes:
determining the theoretical time of receiving said message according to said link delay and the extracted timestamp information;
judging whether the absolute value of the difference between said theoretical time and the current receiving time information is less than said time threshold information.
When the switching equipment receives the message sent by other equipment, it extracts the timestamp information contained in the message and records the time at which the message was received (that is, the receiving time of this timestamp, which is also the receiving time of the data message and its digital signature). It obtains the source address information of the message, which includes source IP information or source MAC information, determines from the source IP or source MAC information and its own address information the physical link from the other equipment at the transmitting terminal to the switch, and calculates the link delay from the switching equipment to the transmitting terminal according to the precision clock protocol.
From the calculated link delay and the extracted timestamp information the switching equipment determines the theoretical time at which the message should be received. From the absolute value of the difference between this theoretical receiving time and the recorded time at which the message was received, the switching equipment can authenticate the identity of the other equipment acting as the transmitting terminal: if the information was obtained illegally by attacking equipment, the absolute difference between the theoretical receiving time and the recorded receiving time will necessarily be no less than the set threshold, whereas if the other equipment is authorized to send the message, the absolute difference will be less than the set threshold.
Alternatively, from the calculated link delay and the recorded time at which the message was received, the switching equipment determines the theoretical time at which the other equipment sent the message; the absolute value of the difference between this theoretical sending time and the extracted timestamp information can likewise be used to authenticate the identity of the other equipment acting as the transmitting terminal. If the information was obtained illegally by attacking equipment, the absolute difference between the theoretical sending time and the extracted timestamp will necessarily be no less than the set threshold, whereas if the other equipment is authorized to send the message, the absolute difference will be less than the set threshold.
Fig. 2 is a schematic diagram of one detailed implementation process of secure data transmission based on industrial Ethernet provided in an embodiment of the present invention. The process includes the following steps:
S201: The switching equipment receives the message sent by other equipment, wherein said message includes the data message, its digital signature and timestamp information.
Specifically, the other equipment performs a hash operation on the data message to be sent according to the hash algorithm it stores, determining the hash value of the data message; it encrypts the determined hash value with the private key it stores to generate the digital signature, and appends the digital signature to the data message. Then, according to the current time at which it sends the data, it carries the timestamp information of this current time in the message to be sent and sends it together with the data message and its digital signature to the switching equipment acting as the receiving terminal.
S202: The switching equipment obtains the source address information of the message from the message, wherein the source address information includes source IP information or source MAC information.
S203: The switching equipment determines the link delay between the equipment according to said source address information and its own address information.
S204: Determine the theoretical time of receiving said message according to said link delay and the extracted timestamp information.
S205: Judge whether the absolute value of the difference between this theoretical time and the current receiving time information is less than the set threshold. If so, proceed to step S206; otherwise determine that the message is unsafe and discard it.
S206: Decrypt the digital signature with the stored public key to obtain the corresponding hash value, and perform a hash operation on the data message to determine the hash value of the data message.
S207: Compare the hash value of the data message with the hash value obtained after decryption and judge whether they are consistent. If so, proceed to step S208; otherwise determine that the message is unsafe and discard it.
S208: Extract the industrial protocol information in said data message and match the extracted industrial protocol information against each item of industrial protocol information the switching equipment stores. When the match succeeds, proceed to step S209; otherwise determine that the data message is unsafe and discard the message.
S209: Process the data message of the message.
In addition, the information to be verified carrying in the data that this other equipment sends to switching equipment in embodiments of the present invention Key information can also be included.Specifically, this as the other equipment of transmitting terminal according to this data message to be sent, and itself The hash algorithm preserving, carries out Hash operation to this data message, determines the cryptographic Hash of this data message.Afterwards according to determination The cryptographic Hash of this data message, and the private key itself preserving, are encrypted to the cryptographic Hash of this data message, generate numeral and sign Name, after being attached to this data message by this digital signature afterwards.
As transmitting terminal other equipment in order to increase the safety of data transfer, according to itself preserve asymmetric (AES)Key, is encrypted to this data message and its digital signature.I.e. this is non-right for this key information in embodiments of the present invention Claim key.The digital signature of key information, data message and this data message that other equipment sends, can be in the form of plaintext Transmission, and the safety for data transfer, above- mentioned information can also be transmitted after above- mentioned information being encrypted using public key.I.e. Data message after encrypting and its digital signature and this unsymmetrical key are carried out adding by other equipment using the public key itself preserving After close, it is sent to switching equipment.
When the information to be verified is key information, the switching equipment verifies it against the verification information it stores as follows:
the switching equipment decrypts the received message with the private key it stores;
it identifies the key information in the decrypted message; and
it judges whether that key information can decrypt the data message and its digital signature.
To increase the safety of data transfer in industrial Ethernet and allow the identity of the transmitting terminal to be verified, in embodiments of the present invention the transmitting terminal may also carry key information to be verified in the data it sends, transmitting it to the switching equipment acting as receiving terminal together with the data message and its digital signature.
After the switching equipment receives this information, if it was transmitted encrypted, the switching equipment first decrypts it with its own stored private key, obtaining the key information, the data message and the digital signature of the data message.
The switching equipment identifies the key information in the decrypted information and verifies it: it first judges whether the key information can decrypt the encrypted data message and its digital signature, and when it can, determines that the identity verification of the transmitting terminal has passed.
In addition, to further increase the reliability of data transfer, in embodiments of the present invention the switching equipment further decrypts the digital signature with the public key it stores, obtaining the corresponding hash value, hashes the data message to obtain the hash value of the data message, and compares the two. When the hash value of the data message and the hash value obtained by decryption are consistent, the identity verification of the transmitting terminal passes; otherwise, the other equipment that sent the message is determined to be unsafe and the message is discarded.
Fig. 3 is a schematic diagram of another detailed process of safe data transmission based on industrial Ethernet provided in an embodiment of the present invention. The process comprises the following steps:
S301: The switching equipment receives a message sent by other equipment, the message including a data message, its digital signature and key information.
Specifically, the other equipment hashes the data message to be sent with the hash algorithm it stores to obtain the hash value of the data message, encrypts that hash value with its own stored private key to generate a digital signature, and appends the digital signature to the data message. It then encrypts the data message and its digital signature with the asymmetric AES key it stores, encrypts the asymmetric AES key together with the encrypted data message and digital signature with its own stored private key, and sends the encrypted information to the switching equipment.
S302: The switching equipment decrypts the received encrypted data with the public key it stores, obtaining the asymmetric AES key and the encrypted data message and its digital signature.
S303: Decrypt the encrypted data message and its digital signature with the asymmetric AES key, judging whether the asymmetric AES key can decrypt them. If decryption succeeds, proceed to step S304; otherwise, determine that the data message is unsafe and discard the message.
S304: Decrypt the digital signature with the stored public key to obtain the corresponding hash value, and hash the data message to obtain the hash value of the data message.
S305: Compare the hash value of the data message with the hash value obtained by decryption and judge whether they are consistent. If so, proceed to step S306; otherwise, determine that the data message is unsafe and discard the message.
S306: Extract the industrial protocol information from the data message.
S307: Match the extracted industrial protocol information against each item of industrial protocol information the switching equipment stores. If the match succeeds, proceed to step S308; otherwise, determine that the data message is unsafe and discard the message.
S308: Process the data message carried in the message.
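The key-information and digital-signature checks described above, and steps S301 to S305 of Fig. 3, carried end to end as an added example that is not part of the patent. The wire format `Envelope`, the function names, and the choice of RSA-OAEP for key wrapping, RSA PKCS#1 v1.5 over SHA-256 for the signature and AES-256-GCM for the message are this example's assumptions; only the Go standard library is used. Two caveats a practitioner should keep in mind. AES is a symmetric cipher, so the patent's "asymmetric AES key" is really a per-message symmetric key that only stays secret because it is wrapped under the receiver's public key; the example therefore follows claim 4 and the embodiment described before Fig. 3 (wrap under the switch's public key, unwrap with the switch's private key) rather than the Fig. 3 text, where the sender encrypts with its own private key and the switch decrypts with a public key, which provides no confidentiality because anyone holding that public key can read the message. And the "decrypt the signature with the public key and compare the hash" step is exactly what `rsa.VerifyPKCS1v15` does internally; calling a verify API rather than hand-decrypting the signature avoids padding-check mistakes.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the wire format assumed by this example; the patent names the
// fields (key information, data message, digital signature) but no encoding.
type Envelope struct {
	WrappedKey []byte // AES-256 key, RSA-OAEP encrypted under the switch's public key
	Nonce      []byte // AES-GCM nonce, fresh per message
	Ciphertext []byte // AES-GCM over (data message || digital signature)
}

// NewKey makes a 2048-bit RSA key pair (one for the sender, one for the switch).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the transmitting terminal: hash the data message, sign the hash with the
// sender's private key, encrypt data||signature under a fresh AES key, and wrap that
// key under the switch's public key so that only the switch can recover it.
func Seal(data []byte, senderPriv *rsa.PrivateKey, switchPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, switchPub, key, nil)
	if err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, data...), sig...)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open is the switching equipment. First check (key information, S302/S303): unwrap
// the AES key with the switch's private key and decrypt; if either step fails, the key
// information does not decrypt the data message and the message is dropped.
// Second check (digital signature, S304/S305): verify the signature with the sender's public key.
func Open(env *Envelope, switchPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, switchPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key information rejected: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("key information does not decrypt the data message: %w", err)
	}
	sigLen := senderPub.Size() // a PKCS#1 v1.5 signature is exactly the modulus length
	if len(plain) < sigLen {
		return nil, fmt.Errorf("decrypted message too short to carry a signature")
	}
	data, sig := plain[:len(plain)-sigLen], plain[len(plain)-sigLen:]
	digest := sha256.Sum256(data)
	// VerifyPKCS1v15 recovers the hash from the signature with the public key and
	// compares it with the hash just computed over the data message.
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("digital signature rejected: %w", err)
	}
	return data, nil
}

func main() {
	senderKey, _ := NewKey()
	switchKey, _ := NewKey()
	data := []byte{0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, 0x00, 0x00, 0x00, 0x0A} // constructed Modbus TCP request
	env, _ := Seal(data, senderKey, &switchKey.PublicKey)
	out, err := Open(env, switchKey, &senderKey.PublicKey)
	fmt.Printf("accepted: %x err=%v\n", out, err)
}
```

A flipped ciphertext bit is rejected by AES-GCM at the key-information step before the signature is ever examined, and a signature made under any key other than the expected sender's fails the second step; both outcomes are the "determine that the data message is unsafe and discard" branches of S303 and S305.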
To further increase the safety of data transfer in the implementation of the present invention and reduce the risk of transmitting data in plaintext, after determining the digital signature of the data message the other equipment encrypts the data message and its digital signature with the asymmetric AES key it stores, encrypts the asymmetric AES key together with the encrypted data message and digital signature with the public key it stores, and then, according to the time at which it currently sends the message, carries timestamp information for that current time in the message to be sent, so that the timestamp information reaches the switching equipment together with the rest.
After the switching equipment receives the message, it identifies the timestamp information in it, determines the theoretical transmission time of the other equipment from the time at which the message was received and the link delay between itself and the other equipment acting as transmitting terminal, and verifies the identity of the transmitting terminal using this theoretical transmission time and the timestamp information. When that verification passes, it decrypts the received encrypted information with its own stored private key, obtaining the asymmetric AES key and the encrypted data message and digital signature. It then decrypts the encrypted data message and digital signature with the asymmetric AES key and verifies the identity of the transmitting terminal further according to whether decryption succeeds, thereby improving the safety of data transfer.
When that verification passes, the switching equipment may further decrypt the digital signature with the public key it stores to obtain the corresponding hash value, hash the data message to obtain the hash value of the data message, compare the two, and judge whether they are consistent, verifying the safety of the message source's identity once more and further increasing the safety of data transfer.
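The timestamp verification just described, together with the link-delay and threshold rule of claims 2 and 3, as an added example that is not taken from the patent. The per-source table of link delay and threshold, the type and function names, and the addresses and times are constructed for the example. It also goes one step beyond the patent: the threshold window only bounds how stale a message may be, so a message captured and replayed inside the window would still pass; the verifier therefore remembers the last accepted timestamp per source and rejects anything that is not newer. The threshold must be wider than the clock skew between sender and switch, or legitimate traffic is dropped.

```go
package main

import (
	"fmt"
	"time"
)

// LinkProfile is what the switching equipment is assumed to store per source
// address: the link delay to that sender and the accepted time threshold.
type LinkProfile struct {
	LinkDelay time.Duration
	Threshold time.Duration
}

// Verifier applies the claim 2/3 window and, as an addition not in the patent,
// tracks the last accepted timestamp per source to reject replays inside the window.
type Verifier struct {
	profiles map[string]LinkProfile
	lastSeen map[string]time.Time
}

func NewVerifier(profiles map[string]LinkProfile) *Verifier {
	return &Verifier{profiles: profiles, lastSeen: map[string]time.Time{}}
}

// InWindow is the claim 3 rule on its own: the theoretical receive time is the
// sender's timestamp plus the link delay, and the message passes when
// |theoretical - actual receive time| < threshold.
func InWindow(sent, received time.Time, p LinkProfile) bool {
	diff := received.Sub(sent.Add(p.LinkDelay))
	if diff < 0 {
		diff = -diff
	}
	return diff < p.Threshold
}

// Check verifies one message. src is the source IP or MAC as a string, sent is
// the timestamp carried in the message and received is the switch's own clock
// at arrival. Unknown sources have no link delay to compute with and are dropped.
func (v *Verifier) Check(src string, sent, received time.Time) error {
	p, ok := v.profiles[src]
	if !ok {
		return fmt.Errorf("%s: no link profile, message dropped", src)
	}
	if !InWindow(sent, received, p) {
		return fmt.Errorf("%s: timestamp %v outside threshold %v", src, sent, p.Threshold)
	}
	if last, seen := v.lastSeen[src]; seen && !sent.After(last) {
		return fmt.Errorf("%s: timestamp %v not newer than last accepted %v (replay?)", src, sent, last)
	}
	v.lastSeen[src] = sent
	return nil
}

func main() {
	// Constructed profile: 2 ms measured link delay, 50 ms tolerance.
	v := NewVerifier(map[string]LinkProfile{
		"192.168.10.21": {LinkDelay: 2 * time.Millisecond, Threshold: 50 * time.Millisecond},
	})
	t0 := time.Date(2013, 9, 11, 8, 0, 0, 0, time.UTC)
	fmt.Println(v.Check("192.168.10.21", t0, t0.Add(3*time.Millisecond)))   // accepted
	fmt.Println(v.Check("192.168.10.21", t0, t0.Add(400*time.Millisecond))) // outside threshold
	fmt.Println(v.Check("192.168.10.21", t0, t0.Add(4*time.Millisecond)))   // same timestamp again: replay
	fmt.Println(v.Check("10.0.0.9", t0, t0))                                // unknown source
}
```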
In addition, to further improve the safety of data transfer in industrial Ethernet, and in view of the characteristics of industrial Ethernet networking modes, after the identity verification of the transmitting terminal passes, the present invention also verifies the safety of the data message by means of the industrial protocol information of the data message. The industrial protocol information includes an industrial protocol type feature code and an industrial protocol keyword.
Matching the extracted industrial protocol information against each item of industrial protocol information stored by the switching equipment includes:
extracting the industrial protocol type feature code from the data message and matching it against each stored industrial protocol type feature code; when the match succeeds, extracting the industrial protocol keyword from the data message and matching it against each stored industrial protocol keyword; or,
extracting the industrial protocol keyword from the data message and matching it against each stored industrial protocol keyword; when the match succeeds, extracting the industrial protocol type feature code from the data message and matching it against each stored industrial protocol type feature code.
Specifically, after the switching equipment has completed the first identity verification of the other equipment that sent the message by means of the key information and timestamp information, and the second identity verification by comparing the hash value computed over the decrypted data message with the hash value carried in the message, it extracts the industrial protocol type feature code and industrial protocol keyword of the data message and matches them against the industrial protocol type feature code library and industrial protocol keyword library it stores, respectively. The industrial protocol type feature codes include EtherCAT, Powerlink, IEC 61850 GOOSE, IEC 61850 SV, PROFINET, Modbus TCP, IEC 61850 MMS and the like.
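The two-stage protocol match (type feature code first, then keyword) as an added example, not the patent's own code. The patent names the protocols but does not say what a feature code or keyword concretely is, so the example assumes the following: the Ethernet EtherType identifies EtherCAT (0x88A4), Powerlink (0x88AB), IEC 61850 GOOSE (0x88B8) and SV (0x88BA) and PROFINET RT (0x8892); Modbus TCP is identified by TCP destination port 502 plus an MBAP header whose protocol identifier is 0 and whose length field matches the payload; and the Modbus keyword is the function code, checked against an allowlist. IEC 61850 MMS is left out because it runs above ISO transport on TCP port 102 and needs session-level parsing. `ModbusFrame` builds a constructed test frame with zeroed IP/TCP checksums, which the classifier does not validate.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Feature-code library: EtherType -> protocol name. Treating the EtherType as the
// "industrial protocol type feature code" is this example's assumption.
var etherTypeLibrary = map[uint16]string{
	0x88A4: "EtherCAT",
	0x88AB: "Powerlink",
	0x88B8: "IEC61850 GOOSE",
	0x88BA: "IEC61850 SV",
	0x8892: "PROFINET",
}

// Keyword library for Modbus TCP: function codes this link may carry (constructed;
// a real library would be per device and per direction).
var modbusKeywordLibrary = map[byte]string{
	0x03: "Read Holding Registers",
	0x04: "Read Input Registers",
	0x06: "Write Single Register",
	0x10: "Write Multiple Registers",
}

// Classify runs the S306/S307 match: first the type feature code, then, for
// Modbus TCP, the keyword. A non-nil error means "drop the message".
func Classify(frame []byte) (string, error) {
	if len(frame) < 14 {
		return "", errors.New("frame shorter than an Ethernet header")
	}
	etherType := binary.BigEndian.Uint16(frame[12:14])
	if name, ok := etherTypeLibrary[etherType]; ok {
		return name, nil
	}
	if etherType != 0x0800 {
		return "", fmt.Errorf("EtherType 0x%04x not in feature code library", etherType)
	}
	return classifyModbusTCP(frame[14:])
}

func classifyModbusTCP(ip []byte) (string, error) {
	if len(ip) < 20 || ip[0]>>4 != 4 || ip[9] != 6 {
		return "", errors.New("not IPv4/TCP")
	}
	ihl := int(ip[0]&0x0F) * 4
	if len(ip) < ihl+20 {
		return "", errors.New("truncated TCP header")
	}
	tcp := ip[ihl:]
	if dport := binary.BigEndian.Uint16(tcp[2:4]); dport != 502 {
		return "", fmt.Errorf("TCP port %d not in feature code library", dport)
	}
	off := int(tcp[12]>>4) * 4
	if len(tcp) < off+8 {
		return "", errors.New("no MBAP header after TCP header")
	}
	mbap := tcp[off:]
	// MBAP: transaction id (2), protocol id (2, must be 0), length (2), unit id (1), then the PDU.
	if binary.BigEndian.Uint16(mbap[2:4]) != 0 {
		return "", errors.New("MBAP protocol identifier is not 0")
	}
	if n := int(binary.BigEndian.Uint16(mbap[4:6])); n+6 != len(mbap) {
		return "", fmt.Errorf("MBAP length %d does not match %d payload bytes", n, len(mbap)-6)
	}
	fc := mbap[7]
	kw, ok := modbusKeywordLibrary[fc]
	if !ok {
		return "", fmt.Errorf("Modbus function code 0x%02x not in keyword library", fc)
	}
	return "Modbus TCP / " + kw, nil
}

// ModbusFrame builds a constructed Ethernet/IPv4/TCP frame carrying a Modbus TCP
// request with the given function code (checksums zero; not validated here).
func ModbusFrame(fc byte) []byte {
	pdu := []byte{fc, 0x00, 0x00, 0x00, 0x0A} // e.g. read 10 registers starting at 0
	mbap := append([]byte{0x00, 0x01, 0x00, 0x00, 0x00, byte(1 + len(pdu)), 0x01}, pdu...)
	tcp := []byte{0xC0, 0x00, 0x01, 0xF6, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x18, 0xFF, 0xFF, 0, 0, 0, 0}
	ip := []byte{0x45, 0, 0, byte(20 + len(tcp) + len(mbap)), 0, 0, 0x40, 0, 64, 6, 0, 0,
		192, 168, 10, 21, 192, 168, 10, 1}
	eth := []byte{0, 0x11, 0x22, 0x33, 0x44, 0x55, 0, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0x08, 0x00}
	return append(append(append(eth, ip...), tcp...), mbap...)
}

func main() {
	fmt.Println(Classify(ModbusFrame(0x03))) // Modbus TCP / Read Holding Registers
	fmt.Println(Classify(ModbusFrame(0x08))) // diagnostics: not in keyword library, dropped
	fmt.Println(Classify(append([]byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 0x88, 0xA4}, 0x10, 0x00)))
}
```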
Fig. 4 is a schematic structural diagram of a safe data transmission system based on industrial Ethernet provided in an embodiment of the present invention. The system includes:
other equipment 41, for sending a message to the switching equipment, the message including a data message, its digital signature, timestamp information and key information;
switching equipment 42, for extracting the timestamp information from the message and verifying the message by it, and verifying the message according to stored key information; when verification passes, decrypting the digital signature with the public key it stores to obtain the corresponding hash value, hashing the data message to obtain the hash value of the data message, and comparing the two; when the hash value of the data message is judged consistent with the hash value obtained by decryption, extracting the industrial protocol information from the data message and matching it against each item of industrial protocol information it stores; and when the match succeeds, processing the data message.
Fig. 5 is a schematic structural diagram of a safe data transmission device based on industrial Ethernet provided in an embodiment of the present invention. The device includes:
a receiving module 51, for receiving a message sent by other equipment, the message including a data message, its digital signature, timestamp information and key information;
a verification module 52, for extracting the timestamp information from the message and verifying the message by it, and verifying the message according to stored key information; when verification passes, decrypting the digital signature with the public key it stores to obtain the corresponding hash value, hashing the data message to obtain the hash value of the data message, and comparing the two; when the hash value of the data message is judged consistent with the hash value obtained by decryption, extracting the industrial protocol information from the data message and matching it against each item of industrial protocol information it stores;
a processing module 53, for processing the data message when the match succeeds.
The verification module 52 is specifically configured to obtain the source address information of the message from the message, the source address information including source IP information or source MAC information; to determine the link delay between the devices from the source address information and its own address information; and to verify the message according to the link delay, the extracted timestamp information, the current receiving time information and stored time threshold information.
The verification module 52 is specifically configured to determine the theoretical time of receiving the message from the link delay and the extracted timestamp information, and to judge whether the absolute value of the difference between the theoretical time and the current receiving time information is less than the time threshold information.
The verification module 52 is specifically configured to extract the industrial protocol type feature code from the data message and match it against each stored industrial protocol type feature code, and when the match succeeds, to extract the industrial protocol keyword from the data message and match it against each stored industrial protocol keyword; or, to extract the industrial protocol keyword from the data message and match it against each stored industrial protocol keyword, and when the match succeeds, to extract the industrial protocol type feature code from the data message and match it against each stored industrial protocol type feature code.
This device is located in the receiving device.
Fig. 6 is a schematic structural diagram of a safe data transmission device based on industrial Ethernet provided in an embodiment of the present invention. The device includes:
a first encryption module 61, for determining the hash value of a data message to be sent according to the data message and a stored hash algorithm;
a second encryption module 62, for determining the digital signature of the data message from the determined hash value and its own stored private key;
a sending module 63, for carrying a current timestamp in the data according to current transmission time information and sending it to other devices together with the data message and its digital signature; or, according to the data message and its determined digital signature, encrypting the data message and its digital signature with a stored asymmetric key and sending the encrypted data message and digital signature, together with the encrypted asymmetric key, to other devices.
This device is located in the sending-end device.
Embodiments of the present invention provide a safe data transmission method, system and device based on industrial Ethernet. In the method, switching equipment receives a message sent by other equipment, the message including a data message, its digital signature, timestamp information and key information; extracts the timestamp information from the message and verifies the message by it, and verifies the message according to stored key information; when verification passes, decrypts the digital signature with the public key it stores to obtain the corresponding hash value, hashes the data message to obtain the hash value of the data message, and compares the two; when they are judged consistent, extracts the industrial protocol information from the data message and matches it against each item of industrial protocol information it stores; and when the match succeeds, processes the data message. Because in embodiments of the present invention the switching equipment verifies the received data message against the verification information it stores and then verifies the data message a second time by matching its industrial protocol information, the safety of the data message carried in the message is verified, and the method therefore improves the safety of data transfer in industrial networks.
Those skilled in the art should understand that embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of methods, equipment (systems) and computer program products according to embodiments of the application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing equipment to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing equipment so that a series of operational steps is executed on the computer or other programmable equipment to produce a computer-implemented process, such that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the application have been described, those skilled in the art, once aware of the basic inventive concept, may make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications falling within the scope of the application.
Obviously, those skilled in the art can make various changes and modifications to the application without departing from its spirit and scope. Thus, if these modifications and variations of the application fall within the scope of the claims of the application and their technical equivalents, the application is also intended to encompass them.

Claims (10)

1. A safe data transmission method based on industrial Ethernet, characterized in that the method comprises:
switching equipment receiving a message sent by other equipment, the message including a data message, a digital signature of the other equipment, timestamp information and key information;
extracting the timestamp information from the message and verifying the message by it, and verifying the message according to stored key information;
when verification passes, decrypting the digital signature with a public key stored by the switching equipment to obtain a corresponding hash value, and hashing the data message to obtain the hash value of the data message;
comparing the hash value of the data message with the hash value obtained by decryption;
when the hash value of the data message is judged consistent with the hash value obtained by decryption, extracting industrial protocol information from the data message;
matching the extracted industrial protocol information against each item of industrial protocol information stored by the switching equipment; and
when the match succeeds, processing the data message.
2. The method of claim 1, characterized in that extracting the timestamp information from the message and verifying the message by it comprises:
the switching equipment obtaining source address information of the message from the message, the source address information including source IP information or source MAC information;
determining the link delay between the devices from the source address information and its own address information; and
verifying the message according to the link delay, the extracted timestamp information, current receiving time information and stored time threshold information.
3. The method of claim 2, characterized in that verifying the message according to the link delay, the extracted timestamp information, the current receiving time information and the stored time threshold information comprises:
determining a theoretical time of receiving the message from the link delay and the extracted timestamp information; and
judging whether the absolute value of the difference between the theoretical time and the current receiving time information is less than the time threshold information.
4. The method of claim 1, characterized in that verifying the message according to the stored key information comprises:
the switching equipment decrypting the received message with a private key it stores;
identifying the key information in the decrypted message; and
judging whether the key information can decrypt the data message and its digital signature.
5. The method of claim 1, characterized in that the industrial protocol information includes an industrial protocol type feature code and an industrial protocol keyword, and
matching the extracted industrial protocol information against each item of stored industrial protocol information comprises:
extracting the industrial protocol type feature code from the data message and matching it against each stored industrial protocol type feature code; when the match succeeds, extracting the industrial protocol keyword from the data message and matching it against each stored industrial protocol keyword; or,
extracting the industrial protocol keyword from the data message and matching it against each stored industrial protocol keyword; when the match succeeds, extracting the industrial protocol type feature code from the data message and matching it against each stored industrial protocol type feature code.
6. A safe data transmission system based on industrial Ethernet, characterized in that the system includes:
other equipment, for sending a message to switching equipment, the message including a data message, a digital signature of the other equipment, timestamp information and key information;
switching equipment, for extracting the timestamp information from the message and verifying the message by it, and verifying the message according to stored key information; when verification passes, decrypting the digital signature with a public key it stores to obtain a corresponding hash value, hashing the data message to obtain the hash value of the data message, and comparing the two; when the hash value of the data message is judged consistent with the hash value obtained by decryption, extracting industrial protocol information from the data message and matching it against each item of industrial protocol information it stores; and when the match succeeds, processing the data message.
7. A safe data transmission device based on industrial Ethernet, characterized in that the device includes:
a receiving module, for receiving a message sent by other equipment, the message including a data message, a digital signature of the other equipment, timestamp information and key information;
a verification module, for extracting the timestamp information from the message and verifying the message by it, and verifying the message according to stored key information; when verification passes, decrypting the digital signature with a public key it stores to obtain a corresponding hash value, hashing the data message to obtain the hash value of the data message, and comparing the two; when the hash value of the data message is judged consistent with the hash value obtained by decryption, extracting industrial protocol information from the data message and matching it against each item of industrial protocol information it stores; and
a processing module, for processing the data message when the match succeeds.
8. The device of claim 7, characterized in that the verification module is specifically configured to obtain source address information of the message from the message, the source address information including source IP information or source MAC information; to determine the link delay between the devices from the source address information and its own address information; and to verify the message according to the link delay, the extracted timestamp information, current receiving time information and stored time threshold information.
9. The device of claim 8, characterized in that the verification module is specifically configured to determine a theoretical time of receiving the message from the link delay and the extracted timestamp information, and to judge whether the absolute value of the difference between the theoretical time and the current receiving time information is less than the time threshold information.
10. The device of claim 7, characterized in that the industrial protocol information includes an industrial protocol type feature code and an industrial protocol keyword, and the verification module is specifically configured to extract the industrial protocol type feature code from the data message and match it against each stored industrial protocol type feature code, and when the match succeeds, to extract the industrial protocol keyword from the data message and match it against each stored industrial protocol keyword; or, to extract the industrial protocol keyword from the data message and match it against each stored industrial protocol keyword, and when the match succeeds, to extract the industrial protocol type feature code from the data message and match it against each stored industrial protocol type feature code.
Application CN201310412456.4A, priority date 2013-09-11, filing date 2013-09-11: Safe data transmission method, system and device based on industrial Ethernet, granted as CN103581173B (active).

Publications: CN103581173A, published 2014-02-12; CN103581173B (granted patent), published 2017-02-22.

CN101917270B (en) Weak authentication and key agreement method based on symmetrical password
CN109309565A (en) A kind of method and device of safety certification
CN101789866B (en) High-reliability safety isolation and information exchange method
CN114900338B (en) Encryption and decryption method, device, equipment and medium
CN102024123B (en) Method and device for importing mirror image of virtual machine in cloud calculation
CN106452721A (en) Method and system for instruction identification of intelligent device based on identification public key
CN103491072A (en) Boundary access control method based on double one-way separation gatekeepers
CN109194656A (en) A kind of method of distribution wireless terminal secure accessing
CN108259407B (en) Symmetric encryption method and system based on timestamp
CN102664739A (en) PKI (Public Key Infrastructure) implementation method based on safety certificate
CN106973056A (en) The safety chip and its encryption method of a kind of object-oriented
CN106850207A (en) Identity identifying method and system without CA
CN110149209A (en) Internet of things equipment and its method and apparatus of improve data transfer safety
CN107743132A (en) The identification of Internet of Things trusted identity and control method based on id password
CN104506500A (en) GOOSE message authentication method based on transformer substation
CN103701787A (en) User name password authentication method implemented on basis of public key algorithm
TWI526871B (en) Server, user device, and user device and server interaction method
CN105099705A (en) Safety communication method and system based on USB protocol
CN109451504B (en) Internet of things module authentication method and system
CN109922022A (en) Internet of Things communication means, platform, terminal and system
CN104079408B (en) Strengthen the method for communications security in a kind of industrial control system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20190513

Address after: 100041 Beijing Shijingshan District, Shixing Street, No. 30 Courtyard, No. 2 Building, 8th to 12th floors, 901

Co-patentee after: Shanghai Dongtu vision Industrial Technology Co. Ltd.

Patentee after: Beijing Dongtu Technology Co., Ltd.

Address before: 100041 Chongxin Creative Building, 18 Shixing East Street, Shijingshan District, Beijing

Patentee before: Beijing Dongtu Technology Co., Ltd.

EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20140212

Assignee: Hubei Dongtu Taiyi Wisdom Technology Co., Ltd.

Assignor: Beijing Dongtu Technology Co., Ltd.; Shanghai Dongtu vision Industrial Technology Co. Ltd.

Contract record no.: 2019990000250

Denomination of invention: Safe data transmission method, system and device based on industrial Ethernet

Granted publication date: 20170222

License type: Common License

Record date: 20190723