CN117056879A - Distributed control system trusted policy start-stop authorization method and system - Google Patents

Info

Publication number
CN117056879A
Authority
CN
China
Prior art keywords
hardware encryption
encryption lock
upper computer
management module
usb port
Legal status
Granted
Application number
CN202311322825.0A
Other languages
Chinese (zh)
Other versions
CN117056879B (en)
Inventor
林昇
申建汛
张军
张津
高少华
曹桦松
李广亭
韩培林
程国栋
张昇
李家港
巨鸿懿
潘乐
李卓
Current Assignee
China Huaneng Group Co Ltd
Xian Thermal Power Research Institute Co Ltd
Original Assignee
China Huaneng Group Co Ltd
Xian Thermal Power Research Institute Co Ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] > G06F21/12 Protecting executable software > G06F21/121 Restricting unauthorised execution of programs > G06F21/123 Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication > G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00 > G06F2211/007 Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress > G06F2211/008 Public Key, Asymmetric Key, Asymmetric Encryption

Abstract

The invention belongs to the field of distributed control systems and provides a method and a system for start-stop authorization of a trusted policy of a distributed control system. The method comprises the following steps: S1, a management module in an upper computer periodically scans a USB port of the upper computer to detect whether a hardware encryption lock is inserted into it; S2, if no hardware encryption lock is inserted, returning to S1; if a hardware encryption lock is inserted, the management module acquires the verification information of the inserted hardware encryption lock and verifies it against the verification information pre-stored on the upper computer; if the verification succeeds, S3 is executed, and if it fails, S4 is executed; S3, authorizing a user to operate the trusted policy on the management module; S4, prohibiting the user from operating the trusted policy start-stop on the management module, and returning to S1. The invention performs authorization management of trusted policy start-stop by combining a hardware encryption lock with software encryption, thereby improving the safety and reliability of the system.

Description

Distributed control system trusted policy start-stop authorization method and system
Technical Field
The invention relates to a distributed control system, in particular to a method and a system for starting and stopping authorization of a trusted policy of the distributed control system.
Background
The distributed control system (DCS, Distributed Control System) is core equipment of the electric power system infrastructure and an important guarantee of electric power production; it has the characteristics of high real-time requirements and a complex overall structure, and spans multiple fields such as operating systems, desktop application software, embedded software and embedded hardware. Embedded safety protection technology designed into the DCS system has become the main scheme for guaranteeing the safety of the DCS system. Trusted computing, as an all-round safety verification means from hardware to software to the operating system, meets the requirements of a DCS system for safety and real-time performance. The user can implement trusted computing flow management of the DCS system by performing trusted policy configuration on the trusted platform of the DCS system.
In the power production process, how to ensure safe and reliable start-stop of the DCS system trusted policy is of great significance to trusted computing. In existing DCS systems, start-stop control is either not authorized at all or controlled only by software authorization, which creates the hidden danger of misoperation of, or attack on, the system.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a distributed control system trusted policy start-stop authorization method and system, which enable the DCS system trusted policy start-stop management to be convenient and reliable.
The invention is realized by the following technical scheme:
A distributed control system trusted policy start-stop authorization method comprises the following steps:
S1, a management module in an upper computer periodically scans a USB port of the upper computer to detect whether a hardware encryption lock is inserted into it;
S2, if the scanning result of S1 shows that no hardware encryption lock is inserted into the USB port of the upper computer, returning to S1; if the scanning result of S1 shows that a hardware encryption lock is inserted into the USB port of the upper computer, the management module acquires the verification information of the inserted hardware encryption lock and verifies it against the verification information pre-stored on the upper computer; if the verification succeeds, S3 is executed, and if the verification fails, S4 is executed;
S3, authorizing a user to operate the trusted policy on the management module;
S4, prohibiting the user from operating the trusted policy start-stop on the management module, and returning to S1.
Preferably, S1 specifically comprises:
S11, the management module in the upper computer is started, a USB port scanning timer is initialized, the period of the USB port scanning timer is set to the USB port scanning period, and the USB port scanning timer is started;
S12, if the management module detects that the USB port scanning timer has expired, the USB port of the upper computer is scanned once to detect whether a hardware encryption lock is inserted into it.
Preferably, S2 specifically comprises:
S21, if the scanning result of S1 shows that no hardware encryption lock is inserted into the USB port of the upper computer, returning to S1; if the scanning result of S1 shows that a hardware encryption lock is inserted into the USB port of the upper computer, executing S22;
S22, opening the inserted hardware encryption lock with the user PIN code, and returning to S1 if the opening fails; if the hardware encryption lock is opened successfully, the management module acquires the verification information of the inserted hardware encryption lock and verifies it against the verification information pre-stored on the upper computer; if the verification succeeds, S3 is executed, and if the verification fails, S4 is executed.
Further, the verification information of the inserted hardware encryption lock comprises a hardware encryption lock ID and a user ID, and the verification information pre-stored on the upper computer comprises the hardware encryption lock ID and the user ID; S22 specifically comprises the following steps:
S221, the management module enumerates the inserted hardware encryption locks and obtains the number of inserted hardware encryption locks;
S222, traversing all the inserted hardware encryption locks, opening each inserted hardware encryption lock with the user PIN code, and returning to S1 if the opening fails; if the opening succeeds, S223 is executed;
S223, the management module obtains the hardware encryption lock ID and the user ID of the inserted hardware encryption lock, compares the obtained hardware encryption lock ID with the hardware encryption lock ID pre-stored on the upper computer, and compares the obtained user ID with the user ID pre-stored on the upper computer; if both comparison results are consistent, S224 is executed; otherwise, returning to S1;
S224, the management module performs periodic verification of the inserted hardware encryption lock; if the verification succeeds, S3 is executed, and if the verification fails, S4 is executed.
Further, S224 specifically comprises:
S2241, a periodic check timer is started;
S2242, if the periodic check timer has expired, the management module generates a random character string, encrypts the random character string with the public key pre-stored on the upper computer, and sends the resulting encrypted character string to the inserted hardware encryption lock; the inserted hardware encryption lock decrypts the received encrypted character string and sends the decrypted character string to the management module;
S2243, the management module judges whether the received decrypted character string is consistent with the random character string it generated; if so, the verification succeeds and S3 is executed; if not, S2244 is executed;
S2244, adding 1 to the unsuccessful count; if the unsuccessful count is less than 3, returning to S2242; if the unsuccessful count is equal to 3, the verification fails and S4 is executed.
Further, in S2242, the inserted hardware encryption lock decrypts the received encrypted character string specifically by using the private key file and the private key decryption code stored in the inserted hardware encryption lock.
Further, S3 specifically comprises: the authorized user operates the trusted policy start-stop on the management module, the unsuccessful count is reset to zero, and the process returns to S2242.
Further, S4 specifically comprises: prohibiting the user from operating the trusted policy start-stop on the management module, stopping the periodic check timer, releasing the hardware encryption lock ID and the user ID of the inserted hardware encryption lock acquired by the management module, and returning to S1.
A distributed control system trusted policy start-stop authorization system, comprising: the upper computer, the management module and the hardware encryption lock; the management module is positioned on the upper computer;
the hardware encryption lock is pre-stored with verification information and is used for being inserted into a USB port of the upper computer;
the upper computer is pre-stored with verification information corresponding to the verification information of the hardware encryption lock;
the management module is positioned on the upper computer and is used for periodically scanning the USB port of the upper computer; if the scanning result shows that a hardware encryption lock is inserted into the USB port of the upper computer, the verification information of the inserted hardware encryption lock is obtained and verified against the verification information pre-stored on the upper computer; if the verification succeeds, the user is authorized to operate the trusted policy on the management module; if the verification fails, the user is prohibited from operating the trusted policy on the management module, and the USB port of the upper computer continues to be scanned periodically.
Preferably, the pre-stored verification information of the hardware encryption lock includes: hardware encryption lock ID and user ID;
the pre-stored verification information of the upper computer, which corresponds to the verification information of the hardware encryption lock, comprises the following steps: hardware encryption lock ID and user ID.
Compared with the prior art, the invention has the following beneficial effects:
The invention relates to a trusted policy start-stop authorization scheme for a distributed control system based on hardware encryption technology, which performs authorization management of trusted policy start-stop by combining a hardware encryption lock with software encryption technology, improves the safety and reliability of the distributed control system, and avoids the risk of manual misoperation or potential attack. Through hardware-based division of authority and authorization, the trusted policy start-stop management function can be integrated into the DCS engineer station, which improves the integration level of the distributed control system and ensures its intrinsic security.
Furthermore, the hardware encryption lock is checked periodically, so it remains monitored after authorization; when the hardware encryption lock is pulled out or replaced, the trusted policy start-stop function it authorized is disabled in time, so that the user cannot operate it, and system safety is further improved.
Drawings
FIG. 1 is a flow chart of a trusted policy start-stop authorization method for a distributed control system according to the present invention;
FIG. 2 is a flowchart of an embodiment of a trusted policy start-stop authorization method for a distributed control system according to the present invention.
Detailed Description
For a further understanding of the present invention, the present invention is described below in conjunction with the following examples, which are provided to further illustrate the features and advantages of the present invention and are not intended to limit the claims of the present invention.
Referring to FIG. 1, the trusted policy start-stop authorization method for a distributed control system according to the present invention comprises the following steps:
S1, a management module in an upper computer periodically scans a USB port of the upper computer to detect whether a hardware encryption lock is inserted into it; the management module is management software integrated in the upper computer software, and the upper computer software runs on the upper computer;
S2, if the scanning result of S1 shows that no hardware encryption lock is inserted into the USB port of the upper computer, returning to S1; if the scanning result of S1 shows that a hardware encryption lock is inserted into the USB port of the upper computer, the management module acquires the verification information of the inserted hardware encryption lock and verifies it against the verification information pre-stored on the upper computer; if the verification succeeds, S3 is executed, and if the verification fails, S4 is executed;
S3, authorizing a user to operate the trusted policy on the management module;
S4, prohibiting the user from operating the trusted policy start-stop on the management module, and returning to S1.
In a specific implementation, S3 specifically comprises: authorizing the user to operate the trusted policy on the management module while the management module continues to check the validity of the inserted hardware encryption lock; if the check shows that the inserted hardware encryption lock has been pulled out midway, the start-stop related operations of the trusted policy on the management module become unusable, and the method returns to S1 to periodically scan the USB port of the upper computer again.
Before the hardware encryption lock is used, related initialization operations are needed, which specifically include:
setting a user code (Personal Identification Number, PIN); generating a public key file and a private key file with an encryption algorithm; storing the public key file in the directory of the management module in the upper computer; encrypting the hardware encryption lock ID (IDentity) and the user ID with the public key file and storing the encrypted hardware encryption lock ID and the encrypted user ID in the directory of the management module in the upper computer; storing the private key file in the hardware encryption lock together with the private key decryption code written for it, and designing a unified interface for the management module to call. Referring to FIG. 2, the trusted policy start-stop authorization method for a distributed control system according to the present invention is implemented by the following specific process:
Step 1, the management module in the upper computer is started, a USB port scanning timer is initialized, the period of the USB port scanning timer is set to the USB port scanning period, and the USB port scanning timer is started.
Step 2, if the management module detects that the USB port scanning timer has expired, the USB port of the upper computer is scanned once to detect whether a hardware encryption lock is inserted into it.
Step 3, if no hardware encryption lock is inserted into the USB port of the upper computer, return to step 2 and continue; if a hardware encryption lock is inserted into the USB port of the upper computer, execute step 4.
Step 4, enumerate the inserted hardware encryption locks and obtain the number of inserted hardware encryption locks, their inherent information, and the information the hardware encryption locks carry from the factory, such as the encryption lock manufacturer, the encryption lock's factory date and the encryption lock type.
Step 5, traverse all inserted hardware encryption locks; open each hardware encryption lock with the PIN code, and if the opening fails, release the resources related to the inherent information and carried information of that hardware encryption lock in the memory of the upper computer and return to step 2; if the hardware encryption lock is opened successfully, read its verification information, comprising the hardware encryption lock ID and the user ID, and compare the obtained hardware encryption lock ID and user ID respectively with the corresponding hardware encryption lock ID and user ID pre-stored by the upper computer in the management module directory; if both the hardware encryption lock ID and the user ID comparisons are consistent, execute step 6; if at least one comparison is inconsistent, release the resources related to the hardware encryption lock information in the memory of the upper computer and return to step 2.
Step 6, the management module enters the normal running state, stops the USB port scanning timer, no longer scans the USB port, and starts the periodic check timer.
Step 7, if the periodic check timer has expired, the management module generates a random character string of 128 random characters, encrypts it with the public key under the management module directory in the upper computer, and, once encryption is complete, sends the resulting encrypted character string to the inserted hardware encryption lock; the inserted hardware encryption lock reads the private key file and the private key decryption code stored in it, decrypts the received encrypted character string with them, and sends the decrypted character string to the management module.
Step 8, if the decrypted character string the management module receives from the inserted hardware encryption lock is consistent with the random character string the management module generated, the verification succeeds and step 9 is executed; otherwise, the verification is unsuccessful and step 10 is executed.
Step 9, the hardware encryption lock authorizes the trusted policy start-stop: the user can start and stop the DCS trusted policy; the unsuccessful count is reset to zero, and the process returns to step 7 to continue checking.
Step 10, add 1 to the unsuccessful count; if the unsuccessful count is less than 3, return to step 7 to continue checking; if the unsuccessful count is equal to 3, the verification fails, and at this point the resources related to the hardware encryption lock information in the memory of the upper computer must be released, the trusted policy start-stop function authorized by the hardware encryption lock is disabled so that the user cannot operate it, the unsuccessful count is reset to zero, the periodic check timer is stopped, the USB port scanning timer is started, and the process returns to step 2 to continue.
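The PIN/ID gate of steps 4-5 and the periodic challenge-response loop of steps 7-10 (S2241 to S2244 in the summary), written as an added Python simulation that is not part of the patent or any product. The textbook RSA key pair, the `HardwareLock` and `ManagementModule` classes, and all IDs and PINs are constructed assumptions, since the page does not name its encryption algorithm or the lock's interface.

```python
import secrets
import string

# Constructed textbook RSA key pair (two Mersenne primes) standing in for the
# page's unspecified "encryption algorithm"; not taken from the patent.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

CHALLENGE_LEN = 128   # page: a random string of 128 random characters per check
MAX_FAILURES = 3      # page: verification fails once the unsuccessful count reaches 3
CHUNK = 16            # bytes per RSA block; 2**128 < N, so each block is encryptable


def _encrypt(pub, data):
    """Step 7 (host side): encrypt the challenge with the host's pre-stored public key."""
    e, n = pub
    return [pow(int.from_bytes(data[i:i + CHUNK], "big"), e, n)
            for i in range(0, len(data), CHUNK)]


class HardwareLock:
    """Simulated USB encryption lock: PIN-gated, carries lock ID, user ID and the private key."""

    def __init__(self, lock_id, user_id, pin, priv=(D, N)):
        self._lock_id, self._user_id, self._pin, self._priv = lock_id, user_id, pin, priv
        self._opened = False
        self.present = True                     # False models the lock being pulled out

    def open(self, pin):
        """Step 5: open the lock with the user PIN (constant-time compare)."""
        self._opened = secrets.compare_digest(pin, self._pin)
        return self._opened

    def read_ids(self):
        if not self._opened:
            raise PermissionError("lock not opened with PIN")
        return self._lock_id, self._user_id

    def decrypt(self, blocks):
        """Step 7 (lock side): decrypt with the stored private key and return the plaintext."""
        if not self.present:
            raise ConnectionError("lock removed")
        d, n = self._priv
        return b"".join(pow(c, d, n).to_bytes(CHUNK, "big") for c in blocks)


class ManagementModule:
    """Host-side state machine for steps 4-10 of the detailed description."""

    def __init__(self, expected_lock_id, expected_user_id, pub=(E, N)):
        self.expected = (expected_lock_id, expected_user_id)   # pre-stored IDs
        self.pub = pub                                          # pre-stored public key
        self.lock = None
        self.authorized = False
        self.failures = 0

    def on_scan(self, lock, pin):
        """Steps 4-6: open with PIN, compare both IDs, then enter the periodic-check state."""
        if lock is None or not lock.open(pin):
            return False                       # open failed: release and rescan
        if lock.read_ids() != self.expected:   # at least one ID mismatched: release and rescan
            return False
        self.lock, self.failures = lock, 0     # step 6: stop scanning, start check timer
        return True

    def periodic_check(self):
        """Steps 7-10: one challenge-response round; returns whether the user stays authorized."""
        if self.lock is None:
            return False
        alphabet = string.ascii_letters + string.digits
        challenge = "".join(secrets.choice(alphabet) for _ in range(CHALLENGE_LEN)).encode()
        try:
            answer = self.lock.decrypt(_encrypt(self.pub, challenge))
        except Exception:                      # removed lock or wrong key: a failed round
            answer = b""
        if secrets.compare_digest(answer, challenge):
            self.failures, self.authorized = 0, True      # step 9: authorize, zero the count
            return True
        self.failures += 1                                # step 10
        if self.failures >= MAX_FAILURES:                 # third failure: revoke and release
            self.lock, self.authorized, self.failures = None, False, 0
        return self.authorized
```

Each round uses a fresh random challenge, so a recorded answer cannot be replayed, and a pulled-out or substituted lock that lacks the private key fails three consecutive rounds, after which the authorization is revoked and scanning resumes.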
The following are device embodiments of the present invention, which may be used to perform the method embodiments of the present invention. For details of the device embodiments that are not described in full, please refer to the method embodiments of the present invention.
In still another embodiment of the present invention, a trusted policy start-stop authorization system for a distributed control system is provided, which can be used to implement the above-mentioned trusted policy start-stop authorization method for a distributed control system; specifically, the trusted policy start-stop authorization system for a distributed control system comprises:
the upper computer, the management module and the hardware encryption lock; the management module is positioned on the upper computer;
the hardware encryption lock is pre-stored with verification information and is used for being inserted into a USB port of the upper computer;
the upper computer is pre-stored with verification information corresponding to the verification information of the hardware encryption lock;
the management module is positioned on the upper computer and is used for periodically scanning the USB port of the upper computer; if the scanning result shows that a hardware encryption lock is inserted into the USB port of the upper computer, the verification information of the inserted hardware encryption lock is obtained and verified against the verification information pre-stored on the upper computer; if the verification succeeds, the user is authorized to operate the trusted policy on the management module; if the verification fails, the user is prohibited from operating the trusted policy on the management module, and the USB port of the upper computer continues to be scanned periodically.
The verification information pre-stored by the hardware encryption lock comprises: hardware encryption lock ID and user ID;
the pre-stored verification information of the upper computer, which corresponds to the verification information of the hardware encryption lock, comprises the following steps: hardware encryption lock ID and user ID.
In yet another embodiment of the present invention, a computer device is provided that includes a processor and a memory for storing a computer program comprising program instructions, the processor being configured to execute the program instructions stored in the computer storage medium. The processor may be a central processing unit (Central Processing Unit, CPU), but may also be another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.; it is the computational and control core of the terminal, adapted to implement one or more instructions, in particular to load and execute one or more instructions in a computer storage medium to implement a corresponding method flow or function; the processor provided by the embodiment of the invention can be used to run the distributed control system trusted policy start-stop authorization method.
In yet another embodiment of the present invention, a storage medium, specifically a computer readable storage medium (Memory), is a Memory device in a computer device, for storing a program and data. It is understood that the computer readable storage medium herein may include both built-in storage media in a computer device and extended storage media supported by the computer device. The computer-readable storage medium provides a storage space storing an operating system of the terminal. Also stored in the memory space are one or more instructions, which may be one or more computer programs (including program code), adapted to be loaded and executed by the processor. The computer readable storage medium herein may be a high-speed RAM memory or a non-volatile memory (non-volatile memory), such as at least one magnetic disk memory. One or more instructions stored in a computer-readable storage medium may be loaded and executed by a processor to implement the corresponding steps of the distributed control system trusted policy start-stop authorization method in the above embodiments.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (10)

1. A distributed control system trusted policy start-stop authorization method, characterized by comprising the following steps:
S1, a management module in an upper computer periodically scans the USB port of the upper computer to detect whether a hardware encryption lock is inserted into the USB port of the upper computer;
S2, if the scanning result of S1 shows that no hardware encryption lock is inserted into the USB port of the upper computer, returning to S1; if the scanning result of S1 shows that a hardware encryption lock is inserted into the USB port of the upper computer, the management module acquires the verification information of the inserted hardware encryption lock and verifies it against the verification information pre-stored in the upper computer; if the verification succeeds, executing S3; if the verification fails, executing S4;
S3, authorizing the user to operate trusted policy start-stop on the management module;
S4, prohibiting the user from operating trusted policy start-stop on the management module, and returning to S1.
2. The distributed control system trusted policy start-stop authorization method according to claim 1, wherein S1 specifically comprises:
S11, the management module in the upper computer is started, a USB port scanning timer is initialized, its period is set to the USB port scanning period, and the USB port scanning timer is started;
S12, if the management module detects that the USB port scanning timer has timed out, scanning the USB port of the upper computer once to detect whether a hardware encryption lock is inserted into the USB port of the upper computer.
3. The distributed control system trusted policy start-stop authorization method according to claim 1, wherein S2 specifically comprises:
S21, if the scanning result of S1 shows that no hardware encryption lock is inserted into the USB port of the upper computer, returning to S1; if the scanning result of S1 shows that a hardware encryption lock is inserted into the USB port of the upper computer, executing S22;
S22, opening the inserted hardware encryption lock with the user PIN code, and returning to S1 if opening fails; if the hardware encryption lock is opened successfully, the management module acquires the verification information of the inserted hardware encryption lock and verifies it against the verification information pre-stored in the upper computer; if the verification succeeds, executing S3, and if the verification fails, executing S4.
4. The distributed control system trusted policy start-stop authorization method according to claim 3, wherein the verification information of the inserted hardware encryption lock includes a hardware encryption lock ID and a user ID, and the verification information pre-stored in the upper computer includes the hardware encryption lock ID and the user ID; S22 specifically comprises the following steps:
S221, the management module enumerates the inserted hardware encryption locks and obtains their number;
S222, traversing all inserted hardware encryption locks, opening each inserted hardware encryption lock with the user PIN code, and returning to S1 if opening fails; if opening succeeds, executing S223;
S223, the management module obtains the hardware encryption lock ID and the user ID from the inserted hardware encryption lock, compares the obtained hardware encryption lock ID with the hardware encryption lock ID pre-stored in the upper computer, and compares the obtained user ID with the user ID pre-stored in the upper computer; if both comparison results are consistent, executing S224; otherwise, returning to S1;
S224, the management module performs periodic verification of the inserted hardware encryption lock; if the verification succeeds, executing S3, and if the verification fails, executing S4.
5. The distributed control system trusted policy start-stop authorization method according to claim 4, wherein S224 specifically comprises:
S2241, a period check timer is started;
S2242, if the period check timer has timed out, the management module generates a random character string, encrypts it with the public key pre-stored in the upper computer, and sends the resulting encrypted character string to the inserted hardware encryption lock; the inserted hardware encryption lock decrypts the received encrypted character string and sends the decrypted character string back to the management module;
S2243, the management module judges whether the received decrypted character string is consistent with the random character string it generated; if so, the verification succeeds and S3 is executed; if not, executing S2244;
S2244, adding 1 to the unsuccessful count; if the unsuccessful count is less than 3, returning to S2242; if the unsuccessful count equals 3, the verification fails and S4 is executed.
6. The distributed control system trusted policy start-stop authorization method according to claim 5, wherein in S2242, the inserted hardware encryption lock decrypting the received encrypted character string specifically comprises: decrypting the received encrypted character string with the private key file and the private key decryption code stored in the inserted hardware encryption lock.
7. The distributed control system trusted policy start-stop authorization method according to claim 5, wherein S3 specifically comprises: authorizing the user to operate trusted policy start-stop on the management module, zeroing the unsuccessful count, and returning to S2242.
8. The distributed control system trusted policy start-stop authorization method according to claim 5, wherein S4 specifically comprises: prohibiting the user from operating trusted policy start-stop on the management module, stopping the period check timer, releasing the hardware encryption lock ID and the user ID of the inserted hardware encryption lock acquired by the management module, and returning to S1.
9. A distributed control system trusted policy start-stop authorization system, comprising: an upper computer, a management module and a hardware encryption lock; the management module is located in the upper computer;
the hardware encryption lock pre-stores verification information and is intended to be inserted into a USB port of the upper computer;
the upper computer pre-stores verification information corresponding to the verification information of the hardware encryption lock;
the management module, located in the upper computer, is used for periodically scanning the USB port of the upper computer; if the scanning result shows that the hardware encryption lock is inserted into the USB port of the upper computer, it acquires the verification information of the inserted hardware encryption lock and verifies it against the verification information pre-stored in the upper computer; if the verification succeeds, the user is authorized to operate trusted policy start-stop on the management module; if the verification fails, the user is prohibited from operating trusted policy start-stop on the management module, and the USB port of the upper computer continues to be scanned periodically.
10. The distributed control system trusted policy start-stop authorization system according to claim 9, wherein the verification information pre-stored in the hardware encryption lock comprises: a hardware encryption lock ID and a user ID;
and the verification information pre-stored in the upper computer, corresponding to the verification information of the hardware encryption lock, comprises: the hardware encryption lock ID and the user ID.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311322825.0A CN117056879B (en) 2023-10-13 2023-10-13 Distributed control system trusted policy start-stop authorization method and system

Publications (2)

Publication Number Publication Date
CN117056879A true CN117056879A (en) 2023-11-14
CN117056879B CN117056879B (en) 2024-01-30

Family

ID=88669630

Country Status (1)

Country Link
CN (1) CN117056879B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102289622A (en) * 2011-09-01 2011-12-21 西安电子科技大学 Trusted startup method based on authentication policy file and hardware information collection
CN104484629A (en) * 2014-12-03 2015-04-01 合肥联宝信息技术有限公司 Computer starting method and device
US20190042805A1 (en) * 2018-01-11 2019-02-07 Intel Corporation Technologies for secure enumeration of usb devices
US20190379542A1 (en) * 2018-06-06 2019-12-12 iStorage Limited Dongle for ciphering data
CN110716831A (en) * 2019-09-20 2020-01-21 厦门亿联网络技术股份有限公司 Terminal, debugging system of USB (universal serial bus) equipment and debugging method of USB equipment
CN112016058A (en) * 2020-08-28 2020-12-01 上海宝通汎球电子有限公司 Software protection mechanism based on collaborative verification and data exchange method
CN115879099A (en) * 2021-09-28 2023-03-31 国能智深控制技术有限公司 DCS controller, operation processing method and protection subsystem

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
DIPAK K. RABARI et al.: "Lock and key share-based random grid visual secret sharing scheme for grayscale and color images with two decoding options", 2017 ISEA Asia Security and Privacy (ISEASP), pp. 1-5 *
沈铁志 et al.: "Innovative application of a secure and trusted active protection system: achieving an application breakthrough on an ultra-supercritical 1000MW thermal power unit", Automation Panorama (自动化博览), vol. 39, no. 8, pp. 58-61 *
陶士全 et al.: "Encryption-lock-based software protection for power *** systems", Computer Security (计算机安全), pp. 12-14 *

Also Published As

Publication number Publication date
CN117056879B (en) 2024-01-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant