CN117155685A - Trusted acquisition and transmission method, system and storage medium for key data of DCS (distributed control system) - Google Patents


Info

Publication number
CN117155685A
Authority
CN
China
Prior art keywords
trusted
data
certificate
transmission
server
Prior art date
Legal status
Pending
Application number
CN202311195906.9A
Other languages
Chinese (zh)
Inventor
陈江
王利国
张欢
项涛
翟亮晶
潘乐
高少华
杨柳
李广亭
巨鸿懿
李家港
李心怡
袁哲
Current Assignee
China Huaneng Group Co Ltd
Xian Thermal Power Research Institute Co Ltd
Original Assignee
China Huaneng Group Co Ltd
Xian Thermal Power Research Institute Co Ltd
Priority date
Filing date
Publication date
Application filed by China Huaneng Group Co Ltd and Xian Thermal Power Research Institute Co Ltd
Priority to CN202311195906.9A
Publication of CN117155685A
Current legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

A method, a system and a storage medium for trusted acquisition and transmission of key data of a DCS system. The method comprises the following steps: during data transmission, an encrypted link is used, and the data on the communication link is encrypted in a classified manner according to the service type of the system data; a private CA authentication center is set up, which issues a certificate to each terminal in the system, the certificate being stored in the nonvolatile storage space of a trusted computing module and updated whenever the system is upgraded; the system client and the server perform remote bidirectional authentication, attesting the system environment state and the currently active processes, obtaining feedback on the attestation result from the server, judging the identity and integrity of the current terminal environment, and thereby ensuring that the data interaction parties and the link are safe and trusted before any data is transmitted. Because bidirectional identity authentication and remote attestation of the trusted state take place before a connection is established and data is transmitted, the application ensures the integrity and confidentiality of core data and the real-time delivery of service data, and prevents illegal acquisition of the secret key at the source.

Description

Trusted acquisition and transmission method, system and storage medium for key data of DCS (distributed control system)
Technical Field
The application belongs to the technical field of safe operation of a DCS controller, and particularly relates to a method, a system and a storage medium for trusted acquisition and transmission of key data of a DCS system.
Background
A distributed control system, abbreviated DCS, is also called a "distributed control system" or "distributed computer control system". Its basic design idea is distributed control with centralized operation and management, realized as a multilayer, hierarchical structure of cooperating autonomous units. The greatest characteristic of a DCS in terms of control is that it can realize diverse control strategies through flexible configuration of various control and operation modules, meeting the requirements of different conditions and simplifying the complicated problem posed by unit-combination instruments. Because the main function of a distributed control system is to control, monitor, manage and make decisions about the production process, it must have high reliability so as to ensure the safe and economical operation of the plant; to achieve this, many reliability-improving measures are employed in a distributed control system.
In DCS controllers for the power generation industry, a trusted computing function is integrated: trusted computing technology, operating-system security technology and the like are used to provide trusted security enhancement for the core infrastructure of the industrial control system, to build an actively immune trusted security protection architecture, and to provide a unified trusted security architecture for the trusted domestic DCS, the trusted domestic upper computer (supervisory host) and the trusted server. How to realize trusted collection and secure transmission of key data within a DCS control system is therefore an important subject for ensuring the security of the system.
Disclosure of Invention
Aiming at the problems in the prior art, the application provides a method, a system and a storage medium for trusted acquisition and transmission of key data of a DCS system, which ensure the integrity and safe transmission of the key data of the DCS system.
In order to achieve the above purpose, the present application has the following technical scheme:
a method for trusted acquisition and transmission of key data of a DCS system comprises the following steps:
in the data transmission process, an encryption link is adopted, and data on a communication link is encrypted in a classified manner based on the service type of system data;
setting up a private CA authentication center, issuing a certificate to a terminal in a system, storing the certificate in a nonvolatile storage space of a trusted computing module, and updating the certificate along with system upgrading;
the system client and the server perform remote bidirectional authentication, attesting the system environment state and the currently active processes, obtaining feedback on the attestation result from the server, judging the identity and integrity of the current terminal environment, and ensuring that the data interaction parties and the link are safe and trusted before data is transmitted.
As a preferred scheme, when the data on the communication link is classified and encrypted based on the service type of the system data, the overall trusted state of the trusted computing module is defined as a level 1 trusted state, and the trusted state in the trusted computing module is defined as a level 2 trusted state.
As a preferred scheme, the level 1 trusted status information of the terminal is sent to the background software of the control system at the same time as it is sent to the trusted management platform; this is divided into an active trusted data transmission flow and a passive trusted data transmission flow:
in the active trusted data transmission flow, the trusted agent of a trusted terminal actively transmits trusted data to the trusted management platform and transmits level 1 active trusted data to the control system background software;
in the passive trusted data transmission flow, the trusted management platform or the control system background software requests passive trusted data transmission, and the level 1 passive trusted data is sent to the requesting party.
As a preferred scheme, the trusted computing module is built on the domestic Z32H330TC chip.
As a preferred scheme, the step of performing remote bidirectional authentication between the system client and the server includes:
the client sends a request to the server;
the server sends its CA-issued certificate to the client;
the client checks whether the certificate sent by the server was issued by the established private CA authentication center, and if so, continues the authentication process;
the client compares the certificate information with the information sent by the server and checks that they are consistent; if so, the client accepts the identity of the other party and uses the server's public key for communication;
the server requests the client to send its CA-issued certificate and verifies it; if the client certificate fails verification, the communication is refused; if verification passes, the server uses the client's public key for communication.
As a preferred scheme, the method further comprises an active trusted data acquisition process, which specifically comprises the following step:
during normal operation of the system, actively checking whether the policy-protected object is trusted according to the execution-path trusted policy, and, if the active check passes, passing the check information to the trusted agent component, which then transmits the trusted key data of the trusted terminal to the trusted management platform and the controller background software.
As a preferred scheme, the method further comprises a passive trusted data acquisition process, which specifically comprises the following steps:
the trusted management platform and the controller background software initiate a trusted data acquisition command;
the trusted agent component receives the trusted data acquisition command and constructs the trusted key data of the corresponding terminal, where the trusted key data comprises the trusted policy, trusted report and trusted state of that terminal;
the trusted key data transmission is initiated.
A DCS key data trusted acquisition and transmission system comprises:
the communication link data encryption module, which, during data transmission, uses an encrypted link and encrypts the data on the communication link in a graded and classified manner according to the service type of the system data;
the certificate issuing module is used for setting up a private CA authentication center, issuing a certificate to a terminal in the system, storing the certificate in a nonvolatile storage space of the trusted computing module, and updating the certificate along with system upgrading;
and the bidirectional authentication module, which performs remote bidirectional authentication between the system client and the server, attests the system environment state and the currently active processes, obtains feedback on the attestation result from the server, judges the identity and integrity of the current terminal environment, and ensures that the data interaction parties and the link are safe and trusted before data is transmitted.
An electronic device, comprising:
a memory storing at least one instruction; and the processor executes the instructions stored in the memory to realize the method for trusted acquisition and transmission of the key data of the DCS system.
A computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the trusted acquisition and transmission method of the key data of the DCS system when being executed by a processor.
Compared with the prior art, the application has at least the following beneficial effects:
during data transmission an encrypted link is used, so that plaintext data cannot be monitored, captured or even tampered with; because of the real-time requirements a DCS places on the network, the network data is classified and encrypted according to the service type of the system data. Storing the certificate in the nonvolatile storage space of the trusted computing module prevents the key from being illegally acquired at the source. At the same time, a complete key and certificate management mechanism is designed in combination with the trusted computing mechanism: core identity information such as keys and certificates is managed over its full life cycle, covering generation, storage, operation, updating and destruction of keys and certificates, with reasonable optimization based on the performance characteristics of the trusted computing module and the service system. Bidirectional identity authentication and remote attestation of the trusted state are carried out before a connection is established and data is transmitted, and only after the identity and trusted state have been verified is the terminal allowed to access and transmit data. The transmitted data is encrypted and integrity-checked using national cryptographic algorithms, ensuring the integrity and secure transmission of the data.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application, and that other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an active trusted data transmission flow in accordance with an embodiment of the present application;
FIG. 2 is a schematic diagram of a passive trusted data transmission flow according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an embodiment of the present application employing an encrypted link transmission data based on CA authentication and RSA encryption algorithms;
FIG. 4 is a flow chart of active trusted data collection and passive trusted data collection in accordance with an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. Based on the embodiments of the present application, one of ordinary skill in the art may also obtain other embodiments without undue burden.
The embodiment of the application provides a trusted acquisition and transmission method for key data of a DCS (distributed control system). The objects of trusted data acquisition are the trusted data generated in real time by the various trusted devices, including trusted state, trusted alarms, trusted audit records, trusted policy, trusted configuration, device asset information and the like. Data collection may be active trusted data collection or passive trusted data collection. Structured data generated in real time during routine operation can be collected actively through a set of standard information collection service interfaces. Passive trusted data acquisition performs targeted scanning of systems or devices such as the industrial control system and application systems using a progressive scanning method, acquiring the system information accurately while keeping the loss of system performance low.
The method for trusted acquisition and transmission of key data of the DCS system comprises the following steps:
during data transmission, an encrypted link based on CA authentication and the RSA encryption algorithm is used to encrypt the data on the communication link, so that plaintext data cannot be monitored, captured or even tampered with; because of the real-time requirements a DCS places on the network, the network data is classified and protected by encryption according to the service type of the system data. The trusted module is divided by function into a boot measurement module, a static measurement module, a dynamic measurement module and the like; the overall trusted state of the module is defined as the level 1 trusted state, and the trusted states within the module are defined as level 2 trusted states. In this way the integrity and confidentiality of core data are ensured, and the real-time delivery of service data is ensured as well.
The key is protected using trusted computing technology: the key is stored in the nonvolatile storage of the trusted computing module, which is a hardware trusted module based on the domestic Z32H330TC chip; this hardware has a nonvolatile storage space that can be used for storing key data, so the key cannot be illegally acquired at the source.
The difficulty of key and certificate protection is addressed by designing a complete key and certificate management mechanism in combination with the trusted computing mechanism: core identity information such as keys and certificates is managed over its full life cycle, including generation, storage, operation, updating and destruction of keys and certificates, with reasonable optimization based on the performance characteristics of the trusted computing module and the service system.
A private CA authentication center is set up and issues certificates to the terminals in the system, and the terminals in the system accept the certificates issued by this CA; by design the certificate is stored in the nonvolatile storage of the trusted computing module, and, because of the security characteristics of the power generation field, the certificate is updated whenever the system is upgraded. The system client and the server in the embodiment of the application have remote attestation capability: through bidirectional attestation they can attest the system environment state and the currently active processes, obtain feedback on the attestation result from the server, judge the identity and integrity of the current terminal environment, and ensure that the data interaction parties and the link are safe and trusted before data is transmitted.
In one possible implementation, the step of remote authentication between the system client and the server includes:
1) The client sends a request to the server;
2) The server sends its CA certificate to the client;
3) The client checks whether the certificate sent by the server was issued by a third-party CA center. If so, the authentication process continues; if not, the client generates a warning message stating that the certificate is not a trusted certificate and asking whether it is necessary to proceed;
4) The client compares the certificate information, such as the public key, with the information sent by the server and judges whether they are consistent; if so, the client accepts the identity of the other party and uses the server's public key for communication;
5) The server requests the client to send its CA certificate and verifies the client certificate; if the client certificate fails verification, the communication is refused; if verification passes, the server uses the client's public key for communication.
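The five steps above, worked through as an added Python example that is not code from the patent or its assignees. A private CA issues certificates to a server and a terminal, the client checks step 3 (issuer) and step 4 (the key in the certificate is the key the server actually used, proven by a signature over a fresh nonce), and the server applies the same two checks to the client in step 5. Everything here is an assumption of the example: the RSA is textbook (no padding, 384-bit demo modulus) and the certificate is a JSON dict, chosen only so the block runs on the standard library, and the names `DCS-Private-CA`, `dcs-server` and `dcs-terminal-01` are constructed. One deliberate difference from the text: where step 3 has the client ask the user whether to proceed with an untrusted certificate, this code fails closed, which is the behaviour a DCS terminal should have.

```python
import hashlib
import json
import random
import secrets

# Demo-only textbook RSA (no padding, 384-bit modulus) so the block runs on the standard
# library alone; a real terminal would use the trusted module's own cryptographic engine.
def _is_probable_prime(n: int, rng, rounds: int = 16) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                       # Miller-Rabin witness loop
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int, rng) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, exactly `bits` long
        if _is_probable_prime(cand, rng):
            return cand

def gen_keypair(bits: int = 384, rng=None):
    """Return (public, private) key dicts; the size is demo-sized, not a real choice."""
    rng, e = rng or random.SystemRandom(), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def _digest_int(data: bytes) -> int:              # SHA-256 < 2^256 < n, so no reduction needed
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv: dict, data: bytes) -> int:
    return pow(_digest_int(data), priv["d"], priv["n"])

def verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest_int(data)

def _tbs_bytes(cert: dict) -> bytes:              # canonical to-be-signed encoding
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()

def issue_certificate(ca_priv: dict, ca_name: str, subject: str, subject_pub: dict) -> dict:
    """The private CA binds a terminal name to its public key."""
    cert = {"subject": subject, "issuer": ca_name, "public_key": subject_pub}
    cert["signature"] = sign(ca_priv, _tbs_bytes(cert))
    return cert

def verify_certificate(cert: dict, ca_name: str, ca_pub: dict) -> bool:
    return cert.get("issuer") == ca_name and verify(ca_pub, _tbs_bytes(cert), cert["signature"])

class AuthError(Exception):
    pass

def mutual_authenticate(client: dict, server: dict, ca_name: str, ca_pub: dict):
    """Steps 1) to 5). `client`/`server` hold 'cert' and 'priv'. Returns the two public
    keys to communicate with on success; raises AuthError (communication refused) otherwise."""
    client_nonce = secrets.token_bytes(16)                      # 1) request with a fresh nonce
    server_cert = server["cert"]                                # 2) server presents its cert
    server_proof = sign(server["priv"], client_nonce)           #    and proves it holds the key
    if not verify_certificate(server_cert, ca_name, ca_pub):    # 3) issued by the private CA?
        raise AuthError("server certificate not issued by the private CA")   # fail closed
    if not verify(server_cert["public_key"], client_nonce, server_proof):  # 4) consistent key?
        raise AuthError("server proof inconsistent with certificate public key")
    server_nonce = secrets.token_bytes(16)                      # 5) server asks for client cert
    client_cert, client_proof = client["cert"], sign(client["priv"], server_nonce)
    if not (verify_certificate(client_cert, ca_name, ca_pub)
            and verify(client_cert["public_key"], server_nonce, client_proof)):
        raise AuthError("client certificate rejected, communication refused")
    return server_cert["public_key"], client_cert["public_key"]

def demo(seed: int = 7) -> dict:
    """Honest handshake, then a certificate from a rogue CA, then a genuine server
    certificate used with the wrong private key; returns which of them were accepted."""
    rng, ca_name = random.Random(seed), "DCS-Private-CA"      # seeded only for repeatability
    ca_pub, ca_priv = gen_keypair(rng=rng)
    s_pub, s_priv = gen_keypair(rng=rng)
    c_pub, c_priv = gen_keypair(rng=rng)
    rogue_pub, rogue_priv = gen_keypair(rng=rng)
    server = {"cert": issue_certificate(ca_priv, ca_name, "dcs-server", s_pub), "priv": s_priv}
    client = {"cert": issue_certificate(ca_priv, ca_name, "dcs-terminal-01", c_pub), "priv": c_priv}
    rogue = {"cert": issue_certificate(rogue_priv, ca_name, "dcs-server", rogue_pub), "priv": rogue_priv}
    impostor = {"cert": server["cert"], "priv": rogue_priv}   # real cert, wrong key
    def accepted(c, s):
        try:
            mutual_authenticate(c, s, ca_name, ca_pub)
            return True
        except AuthError:
            return False
    return {"honest": accepted(client, server), "rogue_ca": accepted(client, rogue),
            "key_mismatch": accepted(client, impostor)}
```

The nonce signature is what makes step 4 meaningful: comparing the certificate's public key with "the information sent by the server" only proves something if the server has demonstrated possession of the matching private key in the same exchange, otherwise a replayed certificate would pass. The `impostor` case in `demo()` shows exactly that rejection.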
Further, the trusted acquisition and transmission method for key data of the DCS system in the embodiment of the application mainly comprises a data active acquisition flow, a trusted key data reporting flow and a data security transmission flow.
The data active acquisition flow of the embodiment comprises an active trusted data collection flow and a passive trusted data collection flow, as shown in fig. 4. The specific steps of the active trusted data collection flow are: during normal operation of the system, actively check whether the policy-protected object is trusted according to the execution-path trusted policy; if the active check passes, pass the check information to the trusted agent component, which then transmits the trusted key data of the trusted terminal to the trusted management platform and the controller background software. If the active check does not pass, the trusted agent component generates a check-failure alarm message.
The passive trusted data acquisition process comprises the following specific steps:
the trusted management platform and the controller background software initiate a trusted data acquisition command;
the trusted agent component receives the trusted data acquisition command and constructs the trusted key data of the corresponding terminal, where the trusted key data comprises the trusted policy, trusted report and trusted state of that terminal;
the trusted key data transmission is initiated.
As shown in fig. 3, in the data security transmission flow, in order to give the controller background software the ability to sense the trusted state, the embodiment sends the level 1 trusted state information of the terminal to the controller background software at the same time as it is sent to the trusted management platform.
Referring to fig. 1 and 2, the trusted key data reporting flow comprises an active trusted data transmission flow and a passive trusted data transmission flow. In the active trusted data transmission flow, the trusted agent of a trusted terminal actively transmits trusted data to the trusted management platform and transmits level 1 active trusted data to the control system background software;
in the passive trusted data transmission flow, the trusted management platform or the control system background software requests passive trusted data transmission, and the level 1 passive trusted data is sent to the requesting party.
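The acquisition and reporting flows above (the active check against the execution-path policy with its failure alarm, the passive acquisition command that returns policy, report and state, and the level 1 / level 2 trusted states from the description of the boot, static and dynamic measurement modules) in one added Python example. This is illustrative code written for this page, not the patent's or the assignees' implementation; the `TrustedAgent` class, the measurement policy, the file paths and golden contents, the terminal name and the in-memory `platform` / `background` destinations are all constructed for the demo. A real agent would take its measurements from the trusted module and deliver them over the encrypted link.

```python
import hashlib
from dataclasses import dataclass, field

def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample "golden" contents and the execution-path policy derived from them.
# Each measurement module (boot / static / dynamic) maps a protected object to its expected
# digest: the per-module results are the level 2 trusted states, their conjunction is level 1.
GOOD_FIRMWARE = b"dcs-controller-boot-image-v1"
GOOD_CONFIG = b"loop-config: pid-tuning-v3"
GOOD_PROCESS = b"control-task binary image"
TRUSTED_POLICY = {
    "boot": {"/boot/firmware.bin": _h(GOOD_FIRMWARE)},
    "static": {"/etc/dcs/loops.cfg": _h(GOOD_CONFIG)},
    "dynamic": {"/proc/control-task": _h(GOOD_PROCESS)},
}

@dataclass
class TrustedAgent:
    """Hypothetical trusted agent component of one terminal (names are this example's own)."""
    terminal_id: str
    policy: dict
    platform: list = field(default_factory=list)    # what reached the trusted management platform
    background: list = field(default_factory=list)  # what reached the controller background software
    alarms: list = field(default_factory=list)
    last_report: dict = field(default_factory=dict)

    def measure(self, observed: dict) -> dict:
        """Level 2 states: one boolean per measurement module, True only if every
        protected object on that module's execution path matches the policy digest."""
        return {module: all(_h(observed.get(path, b"")) == digest for path, digest in expected.items())
                for module, expected in self.policy.items()}

    def active_collect(self, observed: dict) -> bool:
        """Active flow: check during normal operation. On pass, the full report goes to the
        platform and the level 1 state to the background software; on failure, raise an alarm."""
        level2 = self.measure(observed)
        level1 = all(level2.values())
        self.last_report = {"terminal": self.terminal_id, "level1": level1, "level2": level2}
        if level1:
            self.platform.append({"kind": "active", **self.last_report})
            self.background.append({"kind": "active", "terminal": self.terminal_id, "level1": True})
        else:
            self.alarms.append({"terminal": self.terminal_id,
                                "failed_modules": [m for m, ok in level2.items() if not ok]})
        return level1

    def passive_collect(self, requester: str) -> dict:
        """Passive flow: on an acquisition command, build the trusted key data
        (policy, report, state) of this terminal and send it to whoever asked."""
        if requester not in ("platform", "background"):
            raise ValueError("acquisition command from unknown requester: " + requester)
        data = {"terminal": self.terminal_id, "policy": self.policy,
                "report": self.last_report, "state": self.last_report.get("level1")}
        getattr(self, requester).append({"kind": "passive", **data})
        return data

def demo() -> dict:
    """Run an honest check, then a check against a tampered loop configuration, then a
    passive acquisition by the background software; return the observable outcomes."""
    agent = TrustedAgent("dcs-terminal-01", TRUSTED_POLICY)
    good = {"/boot/firmware.bin": GOOD_FIRMWARE, "/etc/dcs/loops.cfg": GOOD_CONFIG,
            "/proc/control-task": GOOD_PROCESS}
    tampered = dict(good)
    tampered["/etc/dcs/loops.cfg"] = GOOD_CONFIG + b"\nsetpoint-override: on"   # constructed tampering
    first = agent.active_collect(good)
    second = agent.active_collect(tampered)
    passive = agent.passive_collect("background")
    return {"first_pass": first, "second_pass": second,
            "alarm_modules": agent.alarms[-1]["failed_modules"],
            "platform_msgs": len(agent.platform), "background_msgs": len(agent.background),
            "passive_state": passive["state"], "passive_boot_ok": passive["report"]["level2"]["boot"]}
```

Note what the background software sees in each flow: in the active flow it receives only the level 1 verdict, while a passive acquisition returns the full report with the level 2 breakdown, so after the tampered check it can tell that the boot and dynamic measurements still pass and only the static configuration object failed.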
The method of the embodiment adopts trusted network connection technology, remote attestation technology, bidirectional identity authentication technology and national cryptographic algorithms. It establishes a trusted network connection between the host end of the electric power industrial control system and the trusted security management center, performs bidirectional identity authentication and remote attestation of the trusted state before the connection is established and data is transmitted, and allows the terminal to access and transmit data only after the identity and trust checks pass. The transmitted data is encrypted and integrity-checked with national cryptographic algorithms, ensuring the integrity and secure transmission of the data.
The application also provides a system for trusted acquisition and transmission of key data of a DCS system, which comprises:
the communication link data encryption module, which, during data transmission, uses an encrypted link and encrypts the data on the communication link in a graded and classified manner according to the service type of the system data;
the certificate issuing module is used for setting up a private CA authentication center, issuing a certificate to a terminal in the system, storing the certificate in a nonvolatile storage space of the trusted computing module, and updating the certificate along with system upgrading;
and the bidirectional authentication module, which performs remote bidirectional authentication between the system client and the server, attests the system environment state and the currently active processes, obtains feedback on the attestation result from the server, judges the identity and integrity of the current terminal environment, and ensures that the data interaction parties and the link are safe and trusted before data is transmitted.
The embodiment of the application also provides electronic equipment, which comprises: a memory storing at least one instruction; and the processor executes the instructions stored in the memory to realize the method for trusted acquisition and transmission of the key data of the DCS system.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the trusted acquisition and transmission method of the key data of the DCS system when being executed by a processor.
The instructions stored in the memory may be divided into one or more modules/units, where the one or more modules/units are stored in a computer readable storage medium and executed by the processor to complete the method for trusted acquisition and transmission of key data of the DCS system according to the embodiment of the application. The one or more modules/units may be a series of computer readable instruction segments capable of performing a specified function, which describes the execution of the computer program in a server.
The electronic equipment can be a smart phone, a notebook computer, a palm computer, a cloud server and other computing equipment. The electronic device may include, but is not limited to, a processor, a memory. Those skilled in the art will appreciate that the electronic device may also include more or fewer components, or may combine certain components, or different components, e.g., the electronic device may also include input and output devices, network access devices, buses, etc.
The processor may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), off-the-shelf programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory may be an internal storage unit of the server, such as a hard disk or a memory of the server. The memory may also be an external storage device of the server, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card) or the like, which are provided on the server. Further, the memory may also include both an internal storage unit and an external storage device of the server. The memory is used to store the computer readable instructions and other programs and data required by the server. The memory may also be used to temporarily store data that has been output or is to be output.
It should be noted that, because the content of information interaction and execution process between the above module units is based on the same concept as the method embodiment, specific functions and technical effects thereof may be referred to in the method embodiment section, and details thereof are not repeated herein.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, the specific names of the functional units and modules are only for distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above system may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the present application may implement all or part of the flow of the method of the above embodiments by a computer program instructing the related hardware, where the computer program may be stored in a computer readable storage medium and, when executed by a processor, implements the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file or some intermediate form. The computer readable medium may include at least: any entity or device capable of carrying the computer program code to a photographing device/terminal apparatus, a recording medium, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunication signals and software distribution media, such as a USB flash drive, removable hard disk, magnetic disk or optical disk.
Each of the foregoing embodiments emphasizes different aspects; for parts not described or illustrated in a particular embodiment, reference may be made to the related descriptions of the other embodiments.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (10)

1. A method for trusted acquisition and transmission of key data of a DCS system, characterized in that it comprises the following steps:
in the data transmission process, an encryption link is adopted, and data on a communication link is encrypted in a classified manner based on the service type of system data;
setting up a private CA authentication center, issuing a certificate to a terminal in a system, storing the certificate in a nonvolatile storage space of a trusted computing module, and updating the certificate along with system upgrading;
the system client side and the server perform remote bidirectional authentication to prove the system environment state and the current active process, and obtain feedback information of a proof result from the server, judge the identity and the integrity condition of the current terminal environment, and ensure the safety and the credibility of a data interaction party and a link before data transmission.
2. The method for trusted acquisition and transmission of key data of DCS system according to claim 1, wherein when said data on the communication link is encrypted by classifying the system data based on the service type of the system data, the overall trusted status of the trusted computing module is defined as a level 1 trusted status, and the trusted status in the trusted computing module is defined as a level 2 trusted status.
3. The method for trusted acquisition and transmission of key data of a DCS system according to claim 2, wherein the level 1 trusted status information of the terminal is sent to the trusted management platform and simultaneously to the control system background software, and the method is specifically divided into an active trusted data transmission flow and a passive trusted data transmission flow;
in the active trusted data transmission flow, a trusted agent of a trusted terminal actively transmits trusted data to a trusted management platform, and transmits 1-level active trusted data to control system background software;
in the passive trusted data transmission flow, the trusted management platform or the control system background software requests passive trusted data transmission and sends the level 1 passive trusted data to a requesting party.
4. The method for trusted acquisition and transmission of key data of a DCS system according to claim 2, wherein the trusted computing module is built by using a national chip Z32H330 TC.
5. The method for trusted acquisition and transmission of key data of DCS system according to claim 1, wherein the step of remotely and bidirectionally authenticating the system client and the server comprises:
the client sends a request to the server;
the server sends the CA certificate of the server to the client;
the client checks whether the certificate sent by the server is issued by the established private CA authentication center, if so, the authentication process is continuously executed;
the client compares the certificate information and whether the certificate information is consistent with the information sent by the server, if so, the client approves the identity of the other party, and the client adopts server public key communication;
the server requests the client to send the CA certificate of the client, and the server verifies the CA certificate of the client, if the CA certificate of the client fails verification, the communication process is refused; if the verification is passed, the server adopts the public key communication of the client.
6. The method for trusted acquisition and transmission of key data of a DCS system according to claim 1, further comprising an active trusted data acquisition process, specifically comprising:
and in the normal operation process of the system, actively checking whether the policy protection object is trusted or not based on the trusted policy of the execution path, and transmitting check information to the trusted agent component if the active check is passed, wherein the trusted agent component completes the transmission of the trusted terminal data to the trusted key data of the trusted management platform and the controller background software.
7. The method for trusted acquisition and transmission of key data of a DCS system according to claim 6, further comprising a passive trusted data acquisition process, specifically comprising:
The trusted management platform and the controller background software initiate a trusted data acquisition command;
the trusted agent component receives a trusted data acquisition command and constructs trusted key data of a corresponding terminal, wherein the trusted key data comprises a trusted policy, a trusted report and a trusted state of the corresponding terminal;
and initiating trusted key data transmission.
8. A system for trusted acquisition and transmission of key data of a DCS system, characterized in that it comprises:
the communication link data encryption module is used for encrypting the data on the communication link in a grading classification manner by adopting an encryption link based on the service type of the system data in the data transmission process;
the certificate issuing module is used for setting up a private CA authentication center, issuing a certificate to a terminal in the system, storing the certificate in a nonvolatile storage space of the trusted computing module, and updating the certificate along with system upgrading;
and the bidirectional authentication module is used for carrying out remote bidirectional authentication on the system client and the server, proving the system environment state and the current active process, acquiring feedback information of the proving result from the server, judging the identity and the integrity condition of the current terminal environment, and ensuring the safety and the credibility of the data interaction party and the link before data transmission.
9. An electronic device, comprising:
a memory storing at least one instruction; and
A processor executing instructions stored in the memory to implement the DCS system critical data trusted acquisition and transmission method of any one of claims 1 to 7.
10. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the DCS system critical data trusted acquisition transmission method of any one of claims 1 to 7.
CN202311195906.9A 2023-09-15 2023-09-15 Trusted acquisition and transmission method, system and storage medium for key data of DCS (distributed control system) Pending CN117155685A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311195906.9A CN117155685A (en) 2023-09-15 2023-09-15 Trusted acquisition and transmission method, system and storage medium for key data of DCS (distributed control system)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311195906.9A CN117155685A (en) 2023-09-15 2023-09-15 Trusted acquisition and transmission method, system and storage medium for key data of DCS (distributed control system)

Publications (1)

Publication Number Publication Date
CN117155685A true CN117155685A (en) 2023-12-01

Family

ID=88884113

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311195906.9A Pending CN117155685A (en) 2023-09-15 2023-09-15 Trusted acquisition and transmission method, system and storage medium for key data of DCS (distributed control system)

Country Status (1)

Country Link
CN (1) CN117155685A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118012725A (en) * 2024-04-09 2024-05-10 西安热工研究院有限公司 Trusted management platform alarm management method, system, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination