CN118740420A - A security protection system and method for an Internet of Things server - Google Patents
- Publication number: CN118740420A (application CN202410676418.8A)
- Authority: CN (China)
- Prior art keywords: data, data server, platform, terminal, server
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0428: Network architectures or protocols for network security; confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/083: Network architectures or protocols for network security; authentication of entities using passwords
- H04L63/123: Network architectures or protocols for network security; verification of the received information, i.e. of received data contents, e.g. message integrity
- H04L63/20: Network architectures or protocols for network security; managing network security, network security policies in general
- H04L67/12: Network arrangements or protocols for supporting network services or applications; protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- H04L9/3297: Cryptographic mechanisms or arrangements for secret or secure communications; means for verifying the identity or authority of a user or for message authentication (authorization, entity authentication, data integrity or verification, non-repudiation, key authentication, verification of credentials), involving time stamps, e.g. generation of time stamps
- H04L9/40: Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
Technical Field
The present invention relates to the technical field of server information security, and in particular to a security protection system and method for an Internet of Things (IoT) server.
Background Art
With the arrival of the information age, the Internet of Things has developed rapidly and is widely deployed. As IoT technology matures, the computers and other office terminals of many enterprises and organizations are connected to the Internet, forming very large IoT networks. This, however, also gives attackers more entry points and more opportunities to attack.
Many enterprises and organizations lack adequate security measures for their IoT devices, so their IoT systems face threats such as device hijacking, data leakage and identity forgery, any of which can damage the enterprise's or organization's economic interests. Security protection for IoT servers has therefore become essential.
Summary of the Invention
To address the problem in the prior art that many enterprises and organizations lack adequate security measures for their IoT devices and consequently suffer economic loss, the present invention provides a security protection system and method for an IoT server. Whenever the IoT data server exchanges data or transacts business, it cooperates with a unified cryptographic platform that performs encryption, verification and related security procedures, thereby ensuring the security and stability of the data server in the IoT and the integrity of its data. The specific technical solution is as follows:
A security protection system for an Internet of Things server comprises a data server, a cloud server, a unified cryptographic platform, an Internet platform and at least one terminal. The data server connects to the Internet platform over a VPN and exchanges encrypted data/encrypted services with it. The data server connects to the cloud server and to the terminal over the system intranet; it exchanges encrypted data/encrypted services with the terminal and uploads encrypted data to the cloud server for storage. The data server connects to the unified cryptographic platform and sends it encryption requests and verification requests. The Internet platform connects to the unified cryptographic platform over a VPN. The unified cryptographic platform processes the encryption and verification requests and returns the decryption result or verification result either to the data server for storage or to the Internet platform.
Preferably, the exchange of encrypted data/encrypted services between the data server and the Internet platform over the VPN includes a scenario of encrypting and decrypting the data transmitted between the data server and the Internet platform over the VPN.
This encryption and decryption scenario specifically includes:
the data server sends a key encryption request to the unified cryptographic platform, which encrypts the key and returns it to the data server;
the data server sends the encrypted key to the Internet platform, and the Internet platform forwards the encrypted key to the unified cryptographic platform for decryption;
the unified cryptographic platform returns the decrypted key to the Internet platform, which verifies the key and reports the result back to the data server.
Preferably, the exchange of encrypted data/encrypted services between the data server and the Internet platform over the VPN includes a scenario of protecting the data transmitted between the data server and the Internet platform over the VPN.
This protection scenario specifically includes:
the Internet platform sends an account synchronization request to the data server, and the data server passes the account information to the unified cryptographic platform;
the unified cryptographic platform computes a MAC over it and returns the MAC value to the data server;
the data server sends the account information together with the MAC value to the Internet platform; the Internet platform forwards both to the unified cryptographic platform for verification, and the verification result is returned to the Internet platform.
Preferably, the exchange of encrypted data/encrypted services between the data server and the terminal over the system intranet includes a scenario of verifying the account name and password with which a terminal user logs in.
This login verification scenario specifically includes:
when a user logs in at the terminal, the terminal requests a public key from the unified cryptographic platform through the data server;
the unified cryptographic platform generates a key pair and returns the public key to the data server, which stores it and passes the public key on to the terminal;
the terminal encrypts the user name and password with the public key and, through the data server, asks the unified cryptographic platform to decrypt them and return the password plaintext;
after decryption, the unified cryptographic platform returns the password plaintext to the data server for verification, and the data server returns the login result to the terminal.
Preferably, the exchange of encrypted data/encrypted services between the data server and the terminal over the system intranet includes a scenario in which the terminal uploads an unencrypted password over the system intranet to the data server for storage.
This scenario specifically includes:
the terminal transmits the unencrypted password to the data server; the data server calls the unified cryptographic platform's API to encrypt the password; and the unified cryptographic platform returns the encrypted password to the data server for storage.
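The login and password-storage scenarios above, as an added example that is not the patent's code: a Go sketch in which the unified cryptographic platform holds an RSA key pair, the terminal encrypts the user name and password under the public key (RSA-OAEP is assumed; the patent names no algorithm), and the data server forwards ciphertexts to the platform and compares the recovered plaintexts in constant time. The names, the length-prefixed message layout, the OAEP labels and the sample credentials are all assumptions. As a practitioner's note: following the flow as the patent describes it, the data server handles the password plaintext during verification; a salted password hash would avoid that, but it is not what the patent describes.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// CryptoPlatform stands in for the unified cryptographic platform: it owns the
// private key, and the terminal and data server only see the public key and ciphertexts.
type CryptoPlatform struct{ priv *rsa.PrivateKey }

func NewCryptoPlatform() (*CryptoPlatform, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &CryptoPlatform{priv: k}, nil
}

func (p *CryptoPlatform) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Encrypt is the API the data server calls to encrypt a password for storage;
// Decrypt is the decryption request. The OAEP label keeps storage ciphertexts
// and login ciphertexts from being swapped for one another (assumed design).
func (p *CryptoPlatform) Encrypt(plain []byte, label string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, p.PublicKey(), plain, []byte(label))
}

func (p *CryptoPlatform) Decrypt(ct []byte, label string) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, []byte(label))
}

// TerminalLogin is the terminal side: user name and password are encrypted under
// the platform public key before they leave the terminal. The name is
// length-prefixed so the two fields cannot be confused with each other.
func TerminalLogin(pub *rsa.PublicKey, user, password string) ([]byte, error) {
	if len(user) > 255 {
		return nil, errors.New("user name too long")
	}
	msg := append([]byte{byte(len(user))}, user...)
	msg = append(msg, password...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, []byte("login"))
}

// DataServer keeps the platform public key and the platform-encrypted
// passwords, indexed by user name, as the storage scenario describes.
type DataServer struct {
	platform *CryptoPlatform
	pub      *rsa.PublicKey
	stored   map[string][]byte
}

// StorePassword: the terminal sent the password unencrypted over the intranet;
// the data server has the platform encrypt it and keeps only the ciphertext.
func (d *DataServer) StorePassword(user, password string) error {
	ct, err := d.platform.Encrypt([]byte(password), "storage")
	if err != nil {
		return err
	}
	d.stored[user] = ct
	return nil
}

// Login: the data server forwards the terminal's ciphertext to the platform,
// receives the plaintext, and checks it against the decrypted stored value.
func (d *DataServer) Login(ct []byte) (string, error) {
	msg, err := d.platform.Decrypt(ct, "login")
	if err != nil || len(msg) == 0 || int(msg[0]) > len(msg)-1 {
		return "", errors.New("malformed login request")
	}
	n := int(msg[0])
	user, submitted := string(msg[1:1+n]), msg[1+n:]
	storedCt, ok := d.stored[user]
	if !ok {
		return "", errors.New("login failed")
	}
	expected, err := d.platform.Decrypt(storedCt, "storage")
	if err != nil || subtle.ConstantTimeCompare(submitted, expected) != 1 {
		return "", errors.New("login failed")
	}
	return user, nil
}

func main() {
	p, err := NewCryptoPlatform()
	if err != nil {
		panic(err)
	}
	ds := &DataServer{platform: p, pub: p.PublicKey(), stored: map[string][]byte{}}
	_ = ds.StorePassword("alice", "correct horse") // constructed sample credentials
	ct, _ := TerminalLogin(ds.pub, "alice", "correct horse")
	user, err := ds.Login(ct)
	fmt.Println("login:", user, err)
}
```

Because OAEP is randomized, two encryptions of the same password never match, which is why `Login` decrypts the stored value and compares plaintexts rather than comparing ciphertexts; a stored ciphertext replayed as a login request fails at decryption because its label differs.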
Preferably, the exchange of encrypted data/encrypted services between the data server and the terminal over the system intranet includes a scenario of encrypting the transmission of user information collected by the terminal to the data server.
This scenario specifically includes:
after receiving the terminal user's sensitive information, the data server encrypts it with the public key it has requested from the unified cryptographic platform;
the data server transmits the encrypted sensitive information; the unified cryptographic platform decrypts it, and the decrypted information is passed back to the data server;
the data server uploads the user's sensitive information to the cloud server.
Preferably, the exchange of encrypted data/encrypted services between the data server and the terminal over the system intranet includes an integrity protection scenario in which a terminal application accesses the data server.
This integrity protection scenario specifically includes:
the terminal sends the data server a request to obtain or change permission information;
after receiving the terminal's request, the data server retrieves the stored MAC check value and keycode, constructs a message digest, and sends a verification request to the unified cryptographic platform;
the unified cryptographic platform verifies the MAC and returns the verification result to the data server;
the data server returns the requested permission information, or the permission information as changed, to the terminal.
Preferably, the exchange of encrypted data/encrypted services between the data server and the terminal over the system intranet includes an integrity protection scenario in which the terminal stores critical data on, or retrieves critical data from, the data server.
This integrity protection scenario specifically includes:
the terminal sends the data server a request to change or retrieve critical data;
after receiving the terminal's request, the data server retrieves the stored MAC check value and keycode, constructs a message digest, and sends a verification request to the unified cryptographic platform;
the unified cryptographic platform verifies the MAC and returns the verification result to the data server;
the data server returns the retrieved critical data, or the critical data as changed, to the terminal.
Preferably, the exchange of encrypted data/encrypted services between the data server and the terminal over the system intranet includes an integrity protection scenario in which the terminal obtains log information from the data server.
This integrity protection scenario specifically includes:
the terminal sends the data server a request for log information;
after receiving the terminal's request, the data server retrieves the stored MAC check value and keycode, constructs a message digest, and sends a verification request to the unified cryptographic platform;
the unified cryptographic platform verifies the MAC and returns the verification result to the data server;
the data server returns the log information to the terminal.
A security protection method for an Internet of Things server, applied to the security protection system for an Internet of Things server described above, comprises:
the data server connects to the Internet platform over a VPN and exchanges encrypted data/encrypted services with it; the data server connects to the cloud server and to the terminal over the system intranet, exchanges encrypted data/encrypted services with the terminal, and uploads encrypted data to the cloud server for storage; the data server connects to the unified cryptographic platform and sends it encryption requests and verification requests; the unified cryptographic platform processes the encryption and verification requests, returns the decryption result or verification result to the data server for storage, and returns the decryption result or verification result to the Internet platform.
Compared with the prior art, the present invention has the following beneficial effects:
In the security protection system for an IoT server of the present invention, the data server connects to the Internet platform over a VPN and exchanges encrypted data/encrypted services with it, which provides the system's window for external interaction while keeping the data inside the system secure. The data server connects to the cloud server and the terminal over the system intranet and exchanges encrypted data/encrypted services with the terminal, securing data inside the system and preventing leakage, and uploads encrypted data to the cloud server for storage, further safeguarding data integrity. The data server connects to the unified cryptographic platform and sends it encryption and verification requests; the unified cryptographic platform processes them and returns the decryption or verification result to the data server for storage. By having the data server cooperate with the encryption, verification and related procedures performed by the unified cryptographic platform whenever it exchanges data or transacts business in the IoT, the system establishes mutually trusted, matched data exchange both externally and internally, ensuring the security and stability of the IoT server and the integrity of its data during those exchanges.
Brief Description of the Drawings
In order to explain the specific embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing them are briefly introduced below. Throughout the drawings, similar elements or parts are generally identified by similar reference numerals, and elements or parts are not necessarily drawn to scale.
FIG. 1 is a schematic diagram of a security protection system for an Internet of Things server according to the present invention.
FIG. 2 is a schematic diagram of a second embodiment of the security protection system for an Internet of Things server of the present invention.
FIG. 3 is a schematic diagram of a third embodiment of the security protection system for an Internet of Things server of the present invention.
FIG. 4 is a schematic diagram of a fourth embodiment of the security protection system for an Internet of Things server of the present invention.
FIG. 5 is a schematic diagram of a fifth embodiment of the security protection system for an Internet of Things server of the present invention.
FIG. 6 is a schematic diagram of a sixth embodiment of the security protection system for an Internet of Things server of the present invention.
FIG. 7 is a schematic diagram of a seventh embodiment of the security protection system for an Internet of Things server of the present invention.
FIG. 8 is a schematic diagram of an eighth embodiment of the security protection system for an Internet of Things server of the present invention.
FIG. 9 is a schematic diagram of a ninth embodiment of the security protection system for an Internet of Things server of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. The embodiments described are evidently only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art can obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be understood that, as used in this specification and the appended claims, the terms "include" and "comprise" indicate the presence of the described features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or combinations thereof.
It should also be understood that the terms used in this specification are for the purpose of describing particular embodiments only and are not intended to limit the present invention. As used in this specification and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms unless the context clearly indicates otherwise.
It should further be understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Embodiment 1
Referring to FIG. 1, this embodiment provides a security protection system for an Internet of Things server comprising a data server, a cloud server, a unified cryptographic platform, an Internet platform and at least one terminal. The data server connects to the Internet platform over a VPN and exchanges encrypted data/encrypted services with it. The data server connects to the cloud server and to the terminal over the system intranet; it exchanges encrypted data/encrypted services with the terminal and uploads encrypted data to the cloud server for storage. The data server connects to the unified cryptographic platform and sends it encryption requests and verification requests. The Internet platform connects to the unified cryptographic platform over a VPN. The unified cryptographic platform processes the encryption and verification requests and returns the decryption result or verification result either to the data server for storage or to the Internet platform.
In this embodiment the terminal may be a piece of smart office equipment such as a desktop computer or a tablet; it may equally be any other smart device capable of exchanging data.
In this embodiment the cloud server is a simple, efficient, secure and reliable computing service whose processing capacity scales elastically. It can expand or shrink its resources at any time according to application demand, avoiding both waste and shortage of resources; it has the bandwidth advantage of multi-carrier interconnection and can detect and automatically select the best network path, making data transfer efficient and fast; and it supports convenient data backup, so that data remains safe even after a hardware failure, giving continuous protection of data integrity. In addition, the cloud server can be partitioned into multiple independent virtual servers, is notably secure and stable, and is harder for attackers to compromise, which further safeguards the data of the IoT server.
In this embodiment the unified cryptographic platform is a security management platform built on cryptographic operations, supported by cryptographic devices, organized around the idea of cryptography as a service, and managed by pooling resources centrally. Its main goal is to reduce the complexity of calling and managing cryptographic devices from application business systems: through a unified engine interface and a scheduling policy it schedules the cryptographic devices as a shared pool, meeting the diverse cryptographic needs of the IoT and of mobile terminals. The cryptographic services it provides mainly comprise key management services and cryptographic operation services, exposed through a single calling interface to all application systems that already use cryptography. The platform can also provide identity authentication, communication encryption, data encryption, file encryption and other cryptographic services.
In this embodiment the data server is a server device dedicated to storing, managing and processing data; it provides efficient storage and access and can meet the needs of large-scale data processing and analysis. It has substantial storage capacity, can hold large volumes of data, and provides efficient access to them. The data server can encrypt the stored data and apply security controls to it, safeguarding its security and confidentiality.
In addition, in this embodiment the data server may also act as a database server, providing data storage and access services to various applications, and it provides data storage and processing capacity to the cloud server.
In the security protection system of the present invention, the data servers may also be deployed in a distributed fashion by spatial region: one master data server with a number of secondary data servers under it, each secondary data server deployed in a different spatial region and each connected to the cloud server. The master and secondary data servers are connected directly over the system intranet; the master data server connects a group of terminals on one local area network of the intranet, while a secondary data server connects its group of terminals on the same LAN or on another LAN of the intranet, which allows management within the system to be distributed by region.
In the security protection system for an IoT server of the present invention, the data server connects to the Internet platform over a VPN and exchanges encrypted data/encrypted services with it, making the data server the IoT's window for encrypted external interaction while keeping the data inside the system secure. The data server connects to the cloud server and the terminal over the system intranet and exchanges encrypted data/encrypted services with the terminal, so that data exchanged inside the system is encrypted and leakage is prevented, and it uploads encrypted data to the cloud server for storage, further safeguarding data integrity. The data server connects to the unified cryptographic platform and sends it encryption and verification requests; the unified cryptographic platform processes them and returns the decryption or verification result to the data server for storage. By having the data server cooperate with the encryption, verification and related procedures performed by the unified cryptographic platform whenever it exchanges data or transacts business in the IoT, the system establishes mutually trusted, matched data exchange both externally and internally, ensuring the security and stability of the IoT server and the integrity of its data during those exchanges.
Embodiment 2
Referring to FIG. 2, in a preferred embodiment of the application, the encrypted data/encrypted service interaction between the data server and the Internet platform over the VPN includes an encryption and decryption scenario for the data transmission process between the data server and the Internet platform over the VPN;
this encryption and decryption scenario specifically includes:
the data server sends a key encryption request to the unified cryptographic platform, and the unified cryptographic platform encrypts the key and returns it to the data server;
the data server sends the encrypted key to the Internet platform, and the Internet platform forwards the encrypted key to the unified cryptographic platform for decryption;
the unified cryptographic platform returns the decrypted key to the Internet platform, and the Internet platform verifies the key and sends its response back to the data server.
When data is transmitted between the data server and the Internet platform in the Internet of Things, it must be encrypted in transit so that a captured packet does not leak information. The sender can use the unified cryptographic platform to encrypt the data and the receiver can use it to decrypt the data. The same platform also supports data integrity verification: the MAC is a keyed tag over the data, computed from the data content and a specific key. If the data is altered in transit, the recomputed MAC will not match the MAC supplied by the sender, so the receiver can quickly detect whether the data was modified and confirm its integrity. It also supports data-origin verification: the MAC depends not only on the data content but also on the key used to generate it, so only an entity holding the correct key can produce a valid MAC, which confirms that the data came from a trusted sender. It can help prevent replay attacks when the MAC is combined with a timestamp or a nonce so that every message is unique. Finally, by using strong algorithms and a sound key management scheme, the unified cryptographic platform protects the MAC keys themselves.
This means that even if an attacker intercepts the data and its MAC, they can neither forge a valid MAC nor decrypt the original data, which improves the security of data transmission.
Embodiment 3
Referring to FIG. 3, in a preferred embodiment of the application, the encrypted data/encrypted service interaction between the data server and the Internet platform over the VPN includes a protection scenario for data transmission between the data server and the Internet platform over the VPN;
this protection scenario specifically includes:
the Internet platform sends an account synchronization request to the data server, and the data server passes the account information to the unified cryptographic platform;
the unified cryptographic platform computes a MAC and returns the computed MAC value to the data server;
the data server sends the account information and the MAC value to the Internet platform, and the Internet platform sends the account information and the MAC value to the unified cryptographic platform for verification, which returns the verification result to the Internet platform.
After the data server and the Internet platform are interconnected, accounts must be synchronized. When an account begins to establish a connection, key verification between the data server and the Internet platform is required. In transit, the sender can call the unified cryptographic platform to encrypt the key before sending it; after the receiver obtains the encrypted key, it can call the unified cryptographic platform to decrypt it and then verify the key in the business layer. If verification succeeds, account synchronization proceeds; if it fails, the operation stops.
In a scenario where servers of multiple platforms are interconnected and accounts are synchronized, key verification protects communication security and data integrity. When an account begins to establish a connection, verifying with a key both confirms the identity of the two communicating parties and blocks interference by a malicious third party. Calling the unified cryptographic platform to encrypt the key in transit protects its confidentiality: an unauthorized third party who intercepts the key cannot read it, because without the correct key or decryption method the interceptor cannot recover the key's original content. It also protects against tampering when the encrypted key carries a digital signature or another integrity mechanism in transit, which confirms that the key was not altered on the way. And it provides authentication: the key itself takes part in the authentication process, so transmitting keys encrypted ensures that only servers holding the correct key can communicate with each other, keeping unauthorized servers off the network.
Therefore, in a multi-platform interconnection and account synchronization scenario, verifying with keys and transmitting them encrypted through the unified cryptographic platform protects the security of communication and the integrity of data, reducing security risk and improving the reliability of the system.
Embodiment 4
Referring to FIG. 4, in a preferred embodiment of the application, the encrypted data/encrypted service interaction between the data server and the terminal over the system intranet includes the scenario of a verification request for the terminal user's login account and password;
this scenario specifically includes:
when the user logs in at the terminal, the terminal requests an SM2 public key from the unified cryptographic service platform through the data server;
after the unified cryptographic service platform generates an SM2 key pair, it returns the SM2 public key to the data server for storage, and the data server returns the SM2 public key to the terminal;
the terminal encrypts the user name and password with the SM2 public key and, through the data server, requests the unified cryptographic service to decrypt them to plaintext;
after decryption, the unified cryptographic platform returns the plaintext password to the data server for checking, and the data server returns the login result to the terminal.
When a user logs in to the system with an account and password, the encryption and decryption are performed through the unified cryptographic service platform, which protects the account and password information against leakage and theft and safeguards the normal operation of the system and the legitimate interests of users.
Embodiment 5
Referring to FIG. 5, in a preferred embodiment of the application, the encrypted data/encrypted service interaction between the data server and the terminal over the system intranet includes the scenario in which the terminal uploads an unencrypted password over the system intranet to the data server for storage;
this scenario specifically includes:
the terminal transmits the unencrypted password to the data server; the data server calls the unified cryptographic platform's API to encrypt the password; and the unified cryptographic platform returns the encrypted password to the data server for storage.
In addition, when a user changes their password, the new password is passed to the data server, which calls the unified cryptographic platform API to encrypt it with a key requested in advance. The data server stores the encrypted password and also uploads it to the cloud server for storage; at subsequent logins the stored password is decrypted before comparison. This completes the password change.
When a user's password is stored, it is encrypted through the unified cryptographic platform before being written to the server.
The encrypted password is protected in storage and in transit: even if the database is accessed without authorization, the attacker cannot read plaintext passwords directly, which greatly improves data security; the encryption keeps passwords from being leaked, since an attacker who obtains the database contents cannot easily recover the original passwords by decryption. The unified cryptographic platform typically also provides password policy management, password auditing and reporting, helping an enterprise manage and control how passwords are generated, stored and used. Encrypting and storing passwords through the unified cryptographic platform thus improves data security, prevents password leakage and simplifies password management, protecting the security and availability of enterprise user passwords.
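The following is an added example, not code from the patent or its applicant. Embodiments 4 and 5 have the unified cryptographic platform encrypt the password for storage and decrypt it again at login, which places the plaintext on the data server at every login and leaves a reversible record in the database and in the cloud copy. The example keeps the patent's division of roles (the data server stores the credential, the platform alone holds the key, named by a keycode) but stores a salted PBKDF2 hash that is then keyed with a platform-held HMAC key, so the stored value cannot be turned back into the password and a leaked database or cloud copy is useless without the platform key. The class names, the keycode strings, the iteration count and the sample credential are this example's assumptions; the SM2 transport encryption between terminal and platform is outside its scope.

```python
"""Added example: password storage and login check that never needs a decrypt call.

Roles follow Embodiments 4 and 5 of the patent (data server stores, platform
holds keys); the keyed-hash construction replaces the patent's reversible
encryption. Names, keycodes and sample data are assumptions for this example.
"""
import hashlib
import hmac
import secrets


class UnifiedCryptoPlatform:
    """Holds the keyed-hash ('pepper') keys by keycode; never sees the stored records."""

    def __init__(self):
        self._keys = {}

    def create_key(self, keycode: str) -> None:
        self._keys[keycode] = secrets.token_bytes(32)

    def keyed_digest(self, keycode: str, data: bytes) -> bytes:
        """HMAC-SHA256 under the platform key; the key never leaves the platform."""
        return hmac.new(self._keys[keycode], data, hashlib.sha256).digest()


class DataServer:
    """Stores (salt, keycode, tag) per user; the plaintext password is never written anywhere."""

    def __init__(self, platform: UnifiedCryptoPlatform, keycode: str, iterations: int = 200_000):
        self.platform = platform
        self.keycode = keycode
        self.iterations = iterations     # assumed value; tune upward for production hardware
        self.credentials = {}            # username -> (salt, keycode, tag)

    def _stretch(self, password: str, salt: bytes) -> bytes:
        """Slow, salted derivation so offline guessing stays expensive even with the key."""
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def set_password(self, username: str, password: str) -> None:
        """Embodiment 5 path (initial set or change): store the keyed hash, not the password."""
        salt = secrets.token_bytes(16)
        tag = self.platform.keyed_digest(self.keycode, self._stretch(password, salt))
        self.credentials[username] = (salt, self.keycode, tag)

    def verify_login(self, username: str, password: str) -> bool:
        """Embodiment 4 check: recompute and compare in constant time; nothing is decrypted."""
        entry = self.credentials.get(username)
        if entry is None:
            self._stretch(password, bytes(16))   # same cost for unknown users (timing)
            return False
        salt, keycode, tag = entry
        candidate = self.platform.keyed_digest(keycode, self._stretch(password, salt))
        return hmac.compare_digest(candidate, tag)

    def export_for_cloud(self) -> dict:
        """What is uploaded to the cloud server: hex-encoded, non-reversible records only."""
        return {u: {"salt": s.hex(), "keycode": k, "tag": t.hex()}
                for u, (s, k, t) in self.credentials.items()}


if __name__ == "__main__":
    platform = UnifiedCryptoPlatform()
    platform.create_key("pwd-k1")                        # assumed keycode
    server = DataServer(platform, "pwd-k1")
    server.set_password("alice", "correct horse")        # constructed sample credential
    print(server.verify_login("alice", "correct horse"))
    print(server.verify_login("alice", "wrong"))
    print(server.export_for_cloud()["alice"])
```

Because the tag depends on a key that exists only on the platform, the data server can replicate `export_for_cloud()` to the cloud server as Embodiment 5 describes without the copy becoming a password database; a key rotation on the platform requires re-deriving tags at the user's next successful login, which the patent's keycode field makes possible by recording which key each record was sealed under.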
Embodiment 6
Referring to FIG. 6, in a preferred embodiment of the application, the encrypted data/encrypted service interaction between the data server and the terminal over the system intranet includes a transmission encryption scenario for user information collected by the terminal and sent to the data server;
this scenario specifically includes:
after receiving the terminal user's sensitive information, the data server encrypts it with a public key requested from the unified cryptographic platform;
the data server transmits the encrypted sensitive information, and after the information is decrypted through the unified cryptographic platform it is passed to the data server;
the data server uploads the user's sensitive information to the cloud server.
When the system collects a user's sensitive information, such as an ID card number, it encrypts it with a public key requested from the unified cryptographic platform before transmission, decrypts it at the data server through the unified cryptographic platform, and then stores it on the data server and the cloud server. This protects the transmission. Sensitive data stored on the data server is encrypted and protected against theft or tampering in transit and at rest.
Embodiment 7
Referring to FIG. 7, in a preferred embodiment of the application, the encrypted data/encrypted service interaction between the data server and the terminal over the system intranet includes an integrity protection scenario for terminal applications accessing the data server;
this integrity protection scenario specifically includes:
the terminal sends the data server a request to obtain permission information/change permission information;
after receiving the terminal's request, the data server retrieves the stored MAC (Message Authentication Code) check value and keycode, constructs a message digest, and sends a verification request to the unified cryptographic platform;
the unified cryptographic platform verifies the MAC and returns the verification result to the data server;
the data server returns the obtained permission information/changed permission information to the terminal.
For the integrity protection of access permissions and user permissions, the system relies on the MAC check value of the unified cryptographic platform. This ensures data integrity: the MAC confirms that a configuration file or configuration information has not been altered in transit or in storage, because any modification of the data causes the recomputed MAC to differ from the original MAC, so a loss of integrity is detected promptly. It also prevents unauthorized modification: since the MAC is computed from the key and the message content, only an entity holding the correct key can produce a valid MAC, so even an attacker who gains access to the configuration file cannot modify it and produce a valid MAC without the key. It also simplifies key management: implementing the MAC function on the unified cryptographic platform allows keys to be managed and distributed centrally, reducing the risk of key leakage and improving the efficiency and security of key management, while ensuring that every entity using the MAC works with the same key. And it allows tampering to be detected quickly.
When a configuration file or configuration information is altered, verifying the MAC reveals it at once, which helps the operator detect and respond to threats in time and reduces the system risk posed by tampered configuration. Using the unified cryptographic platform's MAC to protect the integrity of access permissions and user permissions thus improves the security and reliability of the system, prevents abuse and tampering of permissions, and safeguards the normal operation of the system and the security of its data.
In other embodiments, the system uses authentication and authorization mechanisms to control which users or devices may access the data server, which prevents unauthorized access and potential security threats.
Embodiment 8
Referring to FIG. 8, in a preferred embodiment of the application, the encrypted data/encrypted service interaction between the data server and the terminal over the system intranet includes an integrity protection scenario in which the terminal stores critical data on, or retrieves critical data from, the data server;
this integrity protection scenario specifically includes:
the terminal sends the data server a request to change critical data/retrieve critical information;
after receiving the terminal's request, the data server retrieves the stored MAC check value and keycode, constructs a message digest, and sends a verification request to the unified cryptographic platform;
the unified cryptographic platform verifies the MAC and returns the verification result to the data server;
the data server returns the retrieved critical data/changed critical data to the terminal.
For the integrity protection of critical configuration files or configuration information in the system, the MAC check value of the unified cryptographic platform ensures data integrity: the MAC confirms that a configuration file or configuration information has not been altered in transit or in storage, because any modification of the data causes the recomputed MAC to differ from the original MAC, so a loss of integrity is detected promptly. It also prevents unauthorized modification: since the MAC is computed from the key and the message content, only an entity holding the correct key can produce a valid MAC, so even an attacker who gains access to the configuration file cannot modify it and produce a valid MAC without the key. It also simplifies key management: implementing the MAC function on the unified cryptographic platform allows keys to be managed and distributed centrally, reducing the risk of key leakage and improving the efficiency and security of key management, while ensuring that every entity using the MAC works with the same key. And it allows tampering to be detected quickly.
When a configuration file or configuration information is altered, verifying the MAC reveals it at once, which helps the operator detect and respond to threats in time and reduces the system risk posed by tampered configuration. Using the unified cryptographic platform's MAC to protect the integrity of critical configuration files or configuration information thus improves the security and reliability of the system and reduces the risk brought by data tampering.
Embodiment 9
Referring to FIG. 9, in a preferred embodiment of the application, the encrypted data/encrypted service interaction between the data server and the terminal over the system intranet includes an integrity protection scenario in which the terminal obtains log information from the data server;
this integrity protection scenario specifically includes:
the terminal sends the data server a request to obtain log information;
after receiving the terminal's request, the data server retrieves the stored MAC check value and keycode, constructs a message digest, and sends a verification request to the unified cryptographic platform;
the unified cryptographic platform verifies the MAC and returns the verification result to the data server;
the data server returns the log information to the terminal.
For the integrity protection of operation logs and login logs, the system relies on the MAC check value of the unified cryptographic platform, which ensures data integrity: the MAC is a fixed-length value computed from a key and the message content, and the same MAC results only when both the message and the key are unchanged. If a message is altered in transit or in storage, the MAC computed by the receiver will not match the one sent, so the loss of integrity is detected. It also provides message authentication: because the MAC is computed from the key and the message, only a sender holding the correct key can produce a valid MAC, so the receiver can confirm by verifying the MAC that the message came from a legitimate sender. It can also prevent replay attacks when combined with a timestamp or sequence number: the MAC then covers not only the message content and key but also this dynamic information.
In that case, if an attacker intercepts an earlier message and resends it, the receiver recognizes the outdated timestamp or sequence number, identifies the message as a replay and refuses to process it. It simplifies key management, since implementing the MAC on the unified cryptographic platform allows keys to be managed and distributed centrally, reducing the risk of key leakage and improving the efficiency and security of key management. And it raises the overall security of the system: because the MAC provides both integrity protection and message authentication, an attacker attempting to tamper with or forge login logs will find it hard to evade the MAC check. Using the unified cryptographic platform's MAC to protect login log integrity is therefore an effective way to improve the security and reliability of the system.
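The following is an added example, not code from the patent or its applicant. It models the pattern shared by Embodiment 3 (account-synchronization messages carrying a MAC) and Embodiments 7 to 9 (permission, configuration and log records stored with a MAC and a keycode): the data server keeps each record or message together with its MAC value and the keycode naming the platform key that produced it, never the key itself, and asks the unified cryptographic platform to verify before releasing the data. The second half adds the timestamp and nonce that Embodiments 2 and 9 mention for replay protection. HMAC-SHA256, the JSON canonicalisation, the class names, the keycode strings and the sample records are this example's assumptions; the patent names neither the MAC algorithm nor the message encoding.

```python
"""Added example: platform-held MAC keys protecting stored records and messages.

Models Embodiments 3 and 7-9 of the patent. HMAC-SHA256, canonical JSON, the
class names, keycodes and sample data are assumptions of this example.
"""
import hashlib
import hmac
import json
import secrets
import time


def canonical(record: dict) -> bytes:
    """Stable byte encoding so that sender and verifier MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class UnifiedCryptoPlatform:
    """Holds MAC keys by keycode; the only component that computes or verifies MACs."""

    def __init__(self):
        self._keys = {}

    def create_key(self, keycode: str) -> None:
        self._keys[keycode] = secrets.token_bytes(32)

    def compute_mac(self, keycode: str, message: bytes) -> str:
        return hmac.new(self._keys[keycode], message, hashlib.sha256).hexdigest()

    def verify_mac(self, keycode: str, message: bytes, mac: str) -> bool:
        key = self._keys.get(keycode)
        if key is None:                      # unknown keycode: fail closed
            return False
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)   # constant-time comparison


class DataServer:
    """Stores permission/config/log records (Embodiments 7-9) with their MAC and keycode."""

    def __init__(self, platform: UnifiedCryptoPlatform, keycode: str):
        self.platform = platform
        self.keycode = keycode
        self.store = {}   # name -> {"record", "keycode", "mac"}

    def put(self, name: str, record: dict) -> None:
        mac = self.platform.compute_mac(self.keycode, canonical(record))
        self.store[name] = {"record": record, "keycode": self.keycode, "mac": mac}

    def get(self, name: str) -> dict:
        """Release a record only after the platform confirms its stored MAC."""
        entry = self.store[name]
        ok = self.platform.verify_mac(entry["keycode"], canonical(entry["record"]), entry["mac"])
        if not ok:
            raise ValueError(f"integrity check failed for {name!r}")
        return entry["record"]


def seal_message(platform: UnifiedCryptoPlatform, keycode: str, payload: dict, now=None) -> dict:
    """Account-sync style message (Embodiment 3): payload, timestamp and nonce, all under the MAC."""
    body = dict(payload, ts=int(time.time() if now is None else now), nonce=secrets.token_hex(8))
    return dict(body, mac=platform.compute_mac(keycode, canonical(body)))


class Receiver:
    """Verifies sealed messages and rejects stale or replayed ones."""

    def __init__(self, platform: UnifiedCryptoPlatform, keycode: str, window_s: int = 300):
        self.platform, self.keycode, self.window_s = platform, keycode, window_s
        self.seen_nonces = set()

    def accept(self, msg: dict, now=None) -> bool:
        now = time.time() if now is None else now
        body = {k: v for k, v in msg.items() if k != "mac"}
        if not self.platform.verify_mac(self.keycode, canonical(body), msg.get("mac", "")):
            return False                     # forged or altered
        if abs(now - body.get("ts", 0)) > self.window_s:
            return False                     # outside the freshness window
        nonce = body.get("nonce")
        if nonce is None or nonce in self.seen_nonces:
            return False                     # replay (or malformed)
        self.seen_nonces.add(nonce)
        return True


if __name__ == "__main__":
    platform = UnifiedCryptoPlatform()
    platform.create_key("perm-k1")                                      # assumed keycode
    server = DataServer(platform, "perm-k1")
    server.put("acl/device-17", {"device": "17", "roles": ["read"]})    # constructed sample
    print(server.get("acl/device-17"))
    server.store["acl/device-17"]["record"]["roles"].append("admin")    # tamper in storage
    try:
        server.get("acl/device-17")
    except ValueError as e:
        print("rejected:", e)
```

The data server's copy of a record is only ever read back through `get`, so a change made directly in the database is caught on the next read rather than trusted; the keycode stored beside each MAC lets the platform rotate keys without re-sealing every record at once. The nonce set in `Receiver` grows without bound here; a deployment would expire entries older than `window_s`, since anything outside the window is already rejected by the timestamp check.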
The embodiments of the present application also provide a security protection method for an Internet of Things server, applied to the security protection system for an Internet of Things server described above. The method includes:
the data server connects to the Internet platform through a VPN and exchanges encrypted data/encrypted services with the Internet platform; the data server connects to the cloud server and to the terminals over the system intranet, exchanges encrypted data/encrypted services with the terminals, and uploads encrypted data to the cloud server for storage; the data server connects to the unified cryptographic platform and sends it encryption requests/verification requests; the unified cryptographic platform processes each encryption request/verification request and returns the decryption result/verification result to the data server for storage, and returns the decryption result/verification result to the Internet platform.
The beneficial effects of the security protection method for an Internet of Things server of this embodiment are the same as those of the security protection system for an Internet of Things server of Embodiment 1 and are not repeated here.
Finally, it should be noted that the above embodiments only illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the present invention; all of them fall within the scope of the claims and the description of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410676418.8A CN118740420A (en) | 2024-05-29 | 2024-05-29 | A security protection system and method for an Internet of Things server |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410676418.8A CN118740420A (en) | 2024-05-29 | 2024-05-29 | A security protection system and method for an Internet of Things server |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118740420A true CN118740420A (en) | 2024-10-01 |
Family
ID=92868147
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410676418.8A Pending CN118740420A (en) | 2024-05-29 | 2024-05-29 | A security protection system and method for an Internet of Things server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118740420A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN119544365A (en) * | 2024-12-10 | 2025-02-28 | 广西旅发科技股份有限公司 | A data security transmission method and system for the Internet of Things blockchain based on encryption application |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||