CN112202714B - Lightweight network security encryption device and method suitable for Internet of things - Google Patents
- Publication number: CN112202714B (application CN202010897129.2A)
- Authority: CN (China)
- Prior art keywords
- data processing
- data
- encryption
- terminal
- processing terminal
- Prior art date
- Legal status (as listed by Google Patents; not a legal conclusion): Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16Y—INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
- G16Y40/00—IoT characterised by the purpose of the information processing
- G16Y40/50—Safety; Security of things, users, data or systems
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The present disclosure discloses a lightweight network security encryption device and method suitable for the Internet of Things, comprising: a first data processing terminal connected to a first network communication terminal, and a second data processing terminal connected to a second network communication terminal, the first data processing terminal being connected to the second data processing terminal. The first data processing terminal collects the original data of the first network communication terminal and encrypts it to obtain encrypted data; the second data processing terminal receives the encrypted data, decrypts it to obtain the original data, and sends the original data to the second network communication terminal. By arranging the first and second data processing terminals, secure transmission of data between network communication terminals, or between a network communication terminal and a data center, is achieved.
Description
Technical Field
The present disclosure relates to a lightweight network security encryption device and method suitable for the Internet of Things.
Background
The statements in this section merely provide background information related to the present disclosure and do not necessarily constitute prior art.
At present, the commonly used data communication scheme is that an IoT network communication terminal passes through a firewall for data filtering before reaching data center equipment or another network communication terminal, thereby completing data transmission between network communication terminals or between a network communication terminal and a data center. In this scheme the firewall is the only layer of security protection during transmission; when the transmission distance is long, data is easily intercepted in transit and leaked, causing irreparable losses.
With the construction and development of the Internet of Things, the number of network communication terminals has grown, and the terminals are deployed in a dispersed manner, far apart from one another and in complex structures. The traditional approach of inserting firewall and IPS hardware in series is difficult to adapt to such a large and dispersed IoT networking structure. A communication encryption strategy is therefore urgently needed that can securely encrypt data during transmission and improve the security of data transmission.
Summary of the Invention
To solve the above problems, the present disclosure proposes a lightweight network security encryption device and method suitable for the Internet of Things: a first data processing terminal is connected at the first network communication terminal, and a second data processing terminal is connected at the data center or at the second network communication terminal; the first data processing terminal encrypts the data of the first network communication terminal and sends it to the second data processing terminal, and the second data processing terminal decrypts the encrypted data and sends it to the data center or the second network communication terminal, thereby realizing secure transmission of data between network communication terminals.
To achieve the above object, the present disclosure adopts the following technical solutions:
In one or more examples, a lightweight network security encryption device suitable for the Internet of Things is proposed, comprising:
a first data processing terminal connected to a first network communication terminal, and a second data processing terminal connected to a second network communication terminal, the first data processing terminal being connected to the second data processing terminal;
the first data processing terminal collects the original data of the first network communication terminal and encrypts it to obtain encrypted data; the second data processing terminal receives the encrypted data, decrypts it to obtain the original data, and sends the original data to the second network communication terminal.
In one or more embodiments, a method of using a lightweight network security encryption device suitable for the Internet of Things is proposed, comprising:
collecting the original data of the first network communication terminal through the first data processing terminal and encrypting it to obtain encrypted data;
the first data processing terminal sending the encrypted data to the second data processing terminal;
the second data processing terminal decrypting the received encrypted data to obtain the original data;
the second data processing terminal sending the decrypted original data to the second network communication terminal.
Compared with the prior art, the beneficial effects of the present disclosure are:
1. In the present disclosure, a first data processing terminal is connected at the first network communication terminal and a second data processing terminal is connected at the second network communication terminal or the data center communication host; the first data processing terminal encrypts the data of the first network communication terminal and sends it to the second data processing terminal, which decrypts the encrypted data and sends it to the second network communication terminal or data center communication host. This realizes secure transmission of data between network communication terminals, or between a network communication terminal and a data center.
2. The present disclosure can prevent illegal network penetration attackers within an enterprise network or regional network from carrying out active attacks and passive information collection against IoT network terminals, achieving data security in the sense of "cannot be taken away, cannot be understood". It ensures that IoT terminals and data centers exchange data only with compliant communication parties, and guarantees the security of data transmission.
3. The first and second data processing terminals of the present disclosure are both lightweight devices that are easy to install and use. Through them the present disclosure secures data transmission between network communication terminals independently of the distance between the terminals and of the intermediate network structure; even when two network communication terminals are far apart, the security of data transmission is still guaranteed.
Description of the Drawings
The accompanying drawings, which form a part of the present application, are provided for further understanding of the present application; the exemplary embodiments of the present application and their description serve to explain the present application and do not constitute an improper limitation of it.
FIG. 1 is a schematic diagram of the connection of the security encryption device of the present disclosure;
FIG. 2 is a schematic structural diagram of the first data processing terminal A (single-channel encryption device) of the present disclosure;
FIG. 3 is a schematic structural diagram of the first data processing terminal B (multi-channel encryption device) of the present disclosure;
FIG. 4 is the communication model of the security encryption device of the present disclosure.
In the drawings: 1, encryption patch M; 2, communication interface; 3, communication interface; 4, encryption patch X; 5, encryption patch Y; 6, encryption patch Z; 7, expansion board stacking slot; 8, encryption patch slot.
Detailed Description
The present disclosure is further described below with reference to the accompanying drawings and embodiments.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the present application. Unless otherwise indicated, all technical and scientific terms used herein have the same meaning as commonly understood by a person of ordinary skill in the art to which this application belongs.
It should be noted that the terminology used herein is for the purpose of describing specific embodiments only and is not intended to limit the exemplary embodiments of the present application. As used herein, unless the context clearly indicates otherwise, singular forms are intended to include plural forms as well; furthermore, it should be understood that when the terms "comprising" and/or "including" are used in this specification, they indicate the presence of features, steps, operations, devices, components and/or combinations thereof.
In the present disclosure, orientation or positional relationships indicated by terms such as "upper", "lower", "left", "right", "front", "rear", "vertical", "horizontal", "side" and "bottom" are based on the orientation or positional relationships shown in the drawings; they are relational terms adopted only for convenience in describing the structural relationships of the components or elements of the present disclosure, do not refer to any particular component or element, and should not be construed as limiting the present disclosure.
In the present disclosure, terms such as "fixedly connected", "connected" and "coupled" should be understood broadly: a connection may be fixed, integral or detachable, and may be direct or indirect through an intermediate medium. Researchers and technical personnel in the relevant field can determine the specific meaning of these terms in the present disclosure according to the specific situation; they should not be construed as limiting the present disclosure.
Embodiment 1
In order to secure data communication between IoT network communication terminals, or between an IoT network communication terminal and a data center, this embodiment proposes a lightweight network security encryption device suitable for the Internet of Things. The device is described with reference to FIGS. 1-4 and comprises:
a first data processing terminal connected to a first network communication terminal, and a second data processing terminal connected to a second network communication terminal, the first data processing terminal being connected to the second data processing terminal;
the first data processing terminal collects the original data of the first network communication terminal and encrypts it to obtain encrypted data; the second data processing terminal receives the encrypted data, decrypts it to obtain the original data, and sends the original data to the second network communication terminal.
The bottom layer of the IoT uses the RAW mode of LWIP together with the C language for data processing, then sends the data to the layer-2 network to form layer-2 network packets; the layer-2 packets are buffered and assembled into layer-3 IP packets. The IP packets are encrypted with an encryption algorithm at the first data processing terminal; at the second data processing terminal the encrypted IP packets are extracted, decrypted to recover the original data, and sent to the second network communication terminal.
The first and second data processing terminals are both deployed transparently: they are applicable to any IP network and do not change the network topology or IP address plan of the original IoT network.
The first and second network communication terminals may be located in a small local area network or in a long-distance wide area network; routing protocols such as OSPF and BGP may be used, and bearer protocols such as PPPoE and MPLS VPN may be used.
The first and second data processing terminals each comprise a base on which an encryption chip is arranged, with communication interfaces at the two ends of the base; the encryption patches of the first and second data processing terminals are used as a matched pair.
The communication interface on the base may be an RJ45 network cable interface or an SFP optical interface.
The first and second data processing terminals may carry single-channel or multi-channel data transmission; for these two cases, several structures of the first and second data processing terminals are provided.
First data processing terminal A and second data processing terminal A denote the single-channel encryption device, as shown in FIG. 2.
First data processing terminal B and second data processing terminal B denote the multi-channel encryption device, as shown in FIG. 3.
First data processing terminal A and second data processing terminal A have the same structure, as shown in FIG. 2: each comprises a base on which one encryption patch M (1) is arranged, with one communication interface (2) at each end of the base. The base is 4 ± 0.5 cm long, 2 ± 0.5 cm wide and 2 ± 0.5 cm high, making the first and second data processing terminals lightweight devices.
First data processing terminal B and second data processing terminal B have the same structure, as shown in FIG. 3: each comprises a base on which at least two encryption patches are arranged, with one or more communication interfaces (3) at each end of the base; multiple communication interfaces (3) at the same end of the base support link aggregation. The base carries expansion board stacking slots (7) for extending the number of encryption patches, and encryption patch slots (8) into which encryption patches are plugged. The base is 10 ± 0.5 cm long, 15 ± 0.5 cm wide and 2 ± 0.5 cm high; first and second data processing terminals B are likewise lightweight devices.
When the first network communication terminal communicates with only a single target second network communication terminal, first data processing terminal A is connected at the first network communication terminal and second data processing terminal A at the second network communication terminal, and the encryption chips of the two terminals A are used as a matched pair.
When the first network communication terminal communicates with multiple second network communication terminals, first data processing terminal B is connected at the first network communication terminal and a second data processing terminal A at each second network communication terminal. First data processing terminal B carries as many encryption patches as there are second network communication terminals, and these patches are paired one-to-one with the encryption patches of the several second data processing terminals A, so that the data of a single first network communication terminal is securely transmitted to multiple second network communication terminals.
When one second network communication terminal communicates with multiple first network communication terminals, a first data processing terminal A is connected at each first network communication terminal and second data processing terminal B at the second network communication terminal. Second data processing terminal B carries as many encryption patches as there are first network communication terminals, and these patches are paired one-to-one with the encryption patches of the several first data processing terminals A, so that the data of multiple first network communication terminals is securely transmitted to the same second network communication terminal.
When multiple second network communication terminals communicate with the same first network communication terminal, and that second network communication terminal also communicates with multiple first network communication terminals, a first data processing terminal B is connected at each first network communication terminal and a second data processing terminal B at each second network communication terminal; the same first data processing terminal B connects to multiple second data processing terminals B, and multiple first data processing terminals B connect to the same second data processing terminal B.
The second network communication terminal in this embodiment may also be a data center communication host, i.e. the communication connection between a network communication terminal and a data center communication host is realized.
Assume that in the IoT network, as shown in FIG. 4, there are n network communication terminals E1, E2, E3, ..., E(n), and that a given network communication terminal E(x) actually needs to exchange data with Sum(E(x)) other network communication terminals, i.e. network communication terminal E(x) has Sum(E(x)) logical channels. Then the whole network has a total of ... logical channels and requires ... pairs of encryption patches; the calculation is as follows:
(1) Number of encryption device bases required = n, of which the number of single-channel encryption device bases = ∑(Sum(E(i)) = 1 ? 1 : 0) and the number of multi-channel encryption device bases = n − ∑(Sum(E(i)) = 1 ? 1 : 0).
(2)
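As an added example that is not part of the patent text, the following Python model applies formula (1) above to a constructed network and also checks an installation plan against the rule, stated later in this embodiment, that two terminals with a communication need have one and only one pair of encryption patches. The page's formula (2) is not reproduced, so the channel count below rests on the example's own assumption: each unordered pair of terminals that communicate is one logical channel served by exactly one pair of patches. Terminal names, the communication needs and the installation list are constructed; the function names are the example's own.

```python
from typing import Dict, List, Set, Tuple

# Constructed example network: each terminal lists the terminals it actually exchanges data with.
# E1 might be a data center host serving three field terminals; E4 also talks to E5.
EXAMPLE_NEEDS: Dict[str, Set[str]] = {
    "E1": {"E2", "E3", "E4"},
    "E2": {"E1"},
    "E3": {"E1"},
    "E4": {"E1", "E5"},
    "E5": {"E4"},
}


def symmetric_needs(needs: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """If E(x) needs E(y) then E(y) needs E(x); also make every mentioned terminal a key."""
    out: Dict[str, Set[str]] = {t: set(peers) for t, peers in needs.items()}
    for t, peers in needs.items():
        for p in peers:
            out.setdefault(p, set()).add(t)
    return out


def logical_channels(needs: Dict[str, Set[str]]) -> Set[Tuple[str, str]]:
    """Assumption: one logical channel per unordered pair of communicating terminals."""
    return {tuple(sorted((t, p))) for t, peers in symmetric_needs(needs).items() for p in peers}


def channel_counts(needs: Dict[str, Set[str]]) -> Dict[str, int]:
    """Formula (1): n bases, single-channel where Sum(E(i)) == 1, multi-channel otherwise."""
    sums = {t: len(peers) for t, peers in symmetric_needs(needs).items()}  # Sum(E(i))
    n = len(sums)
    single = sum(1 for s in sums.values() if s == 1)  # ∑(Sum(E(i)) = 1 ? 1 : 0)
    channels = len(logical_channels(needs))
    return {
        "bases": n,
        "single_channel_bases": single,
        "multi_channel_bases": n - single,
        "logical_channels": channels,
        "patch_pairs": channels,  # one pair of patches per logical channel (assumption)
    }


def device_plan(needs: Dict[str, Set[str]]) -> Dict[str, Tuple[str, int]]:
    """Per terminal: device type A (single-channel) or B (multi-channel) and patch count."""
    sums = {t: len(peers) for t, peers in symmetric_needs(needs).items()}
    return {t: ("A", 1) if s == 1 else ("B", s) for t, s in sorted(sums.items())}


def validate_installation(needs: Dict[str, Set[str]], installed: List[Tuple[str, str]]) -> List[str]:
    """Check installed patch pairs: exactly one pair per communicating terminal pair.
    A second pair between the same two terminals is the loop the embodiment warns about."""
    needed = logical_channels(needs)
    seen: Dict[Tuple[str, str], int] = {}
    for a, b in installed:
        key = tuple(sorted((a, b)))
        seen[key] = seen.get(key, 0) + 1
    problems: List[str] = []
    for (a, b), count in sorted(seen.items()):
        if count > 1:
            problems.append(f"loop: {count} patch pairs between {a} and {b}")
        if (a, b) not in needed:
            problems.append(f"unneeded: patch pair between {a} and {b}")
    for a, b in sorted(needed - set(seen)):
        problems.append(f"missing: no patch pair between {a} and {b}")
    return problems


if __name__ == "__main__":
    print(channel_counts(EXAMPLE_NEEDS))
    print(device_plan(EXAMPLE_NEEDS))
    # Constructed installation list with one accidental loop (E1-E2 twice) and one stray pair.
    plan = [("E1", "E2"), ("E2", "E1"), ("E1", "E3"), ("E1", "E4"), ("E4", "E5"), ("E2", "E3")]
    print(validate_installation(EXAMPLE_NEEDS, plan))
```

For the constructed network the plan gives E1 and E4 a type-B base (3 and 2 patches) and E2, E3, E5 a type-A base each, i.e. 5 bases, 3 single-channel and 2 multi-channel, serving 4 logical channels; the validator flags the duplicated E1-E2 pair as a loop and the E2-E3 pair as unneeded.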
The encryption patches are made of electronic chips containing a special algorithm, are used in pairs, and cannot be modified after manufacture, ensuring uniqueness; if one end is stolen or damaged, the hardware can only be replaced as a matched pair. As an additional security function, the encryption patch supports automatic binding of IP and MAC addresses at first communication, and the communication interfaces support high-availability link aggregation.
Encryption patches are paired in groups of two sharing a globally unique channel ID; the two patches of a group are placed at the two ends of a logical channel and perform encryption and decryption. Two patches of the same group can encrypt and decrypt for each other; patches from different groups cannot. Assuming one paired group consists of patches P1 and P2 and another of patches S1 and S2, the resulting encryption/decryption communication behaviour is shown in Table 1.
Table 1
The encryption patch is burned into chip hardware with anti-readout and anti-tamper measures and cannot be modified by software after manufacture, ensuring uniqueness. If one end is stolen or damaged, the two encryption patch hardware units can only be replaced together; they cannot be supplemented or repaired.
As an additional security function, the encryption patch supports automatic binding of IP and MAC addresses at first communication; the communication interfaces support high-availability link aggregation and include RJ45 network ports and SFP optical ports.
When a new encryption patch is put into operation in the IoT network, on its first power-up it automatically captures the MAC address and IP address of the sending network terminal and, through a preset program, writes them into the chip itself, where they cannot be modified, permanently binding the IP and MAC addresses. If the network system changes the IP address or the network terminal's MAC address is replaced, the original encryption patch can no longer be used and a new pair of encryption patches must be installed. This counters the illegal replacement or tampering of devices by hackers in network penetration attacks and enhances security.
Multiple communication interfaces on the same side of the encryption device base support link aggregation, suitable for scenarios such as multi-link aggregation in current networks and server multi-NIC bonding, enhancing link availability and robustness.
The encryption/decryption communication logic of the encryption patches is discussed with reference to FIG. 2 and FIG. 3, as shown in Table 2.
Table 2
Because each pair of encryption patches forms a "single-wire" logical channel, no communication loop normally forms. Care must however be taken during network installation not to add a loop artificially: two or more groups of encryption patches must not be placed between the same two network terminals, so that any two network terminals that need to communicate have one and only one group of encryption patches.
The lightweight network security encryption device and technique of this embodiment is suitable for IoT networks in industries such as electric power, environment, chemicals and logistics. Its lightweight nature lies in advantages such as low cost and convenient deployment; because the encryption patches use connectivity-oriented chip architectures such as the STM32, they suit IoT environments with ordinary data volumes.
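The following Python model is an added example, not the patent's own design and not the chip's undisclosed "special algorithm". It demonstrates two behaviours described in this embodiment: the pairing rule of Table 1 (patches of the same group decrypt each other's frames, patches of different groups reject them) and the first-communication IP/MAC binding (a patch records the sending terminal's addresses on first use and refuses to operate once they change). Two patches manufactured as a pair share a channel ID and a secret; a frame is accepted only if its channel ID matches and its authentication tag verifies. The cipher used here (HMAC-SHA256 driven in counter mode as a keystream, with an encrypt-then-MAC tag) is a stand-in chosen so the example runs on the standard library; the class and function names, the frame layout and the sample addresses are the example's own.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TAG_LEN = 16            # bytes of HMAC-SHA256 kept as the authentication tag
NONCE_LEN = 12
HDR_LEN = 4 + NONCE_LEN  # big-endian channel ID followed by the per-frame nonce


class PairingError(Exception):
    """Frame is not from my paired patch, or the bound terminal has changed."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF (HMAC-SHA256) in counter mode; stand-in for the chip's algorithm.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Patch:
    """One encryption patch: channel ID and secret are fixed at manufacture."""
    channel_id: int
    secret: bytes
    bound_terminal: Optional[Tuple[str, str]] = None  # (ip, mac) captured at first use

    def _subkey(self, label: bytes) -> bytes:
        return hmac.new(self.secret, label, hashlib.sha256).digest()

    def bind_terminal(self, ip: str, mac: str) -> None:
        """First communication records the sender's IP/MAC; a later change is refused."""
        if self.bound_terminal is None:
            self.bound_terminal = (ip, mac)
        elif self.bound_terminal != (ip, mac):
            raise PairingError("terminal IP/MAC changed; patch pair must be replaced")

    def protect(self, src_ip: str, src_mac: str, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC one packet: channel_id || nonce || ciphertext || tag."""
        self.bind_terminal(src_ip, src_mac)
        nonce = os.urandom(NONCE_LEN)
        header = struct.pack(">I", self.channel_id) + nonce
        ciphertext = _xor(plaintext, _keystream(self._subkey(b"enc"), nonce, len(plaintext)))
        tag = hmac.new(self._subkey(b"mac"), header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        return header + ciphertext + tag

    def unprotect(self, frame: bytes) -> bytes:
        """Accept only frames carrying my channel ID whose tag verifies under my pair's key."""
        if len(frame) < HDR_LEN + TAG_LEN:
            raise PairingError("frame too short")
        header, ciphertext, tag = frame[:HDR_LEN], frame[HDR_LEN:-TAG_LEN], frame[-TAG_LEN:]
        (channel_id,) = struct.unpack(">I", header[:4])
        if channel_id != self.channel_id:
            raise PairingError("frame belongs to another channel")
        expected = hmac.new(self._subkey(b"mac"), header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise PairingError("authentication failed")
        return _xor(ciphertext, _keystream(self._subkey(b"enc"), header[4:], len(ciphertext)))


def manufacture_pair(channel_id: int) -> Tuple[Patch, Patch]:
    """Burn one random secret into two patches sharing a channel ID."""
    secret = os.urandom(32)
    return Patch(channel_id, secret), Patch(channel_id, secret)


def can_decrypt(sender: Patch, receiver: Patch) -> bool:
    # Constructed sending terminal address; binding is per patch, so reuse is fine here.
    frame = sender.protect("10.0.0.1", "02:00:00:00:00:01", b"meter reading 42")
    try:
        return receiver.unprotect(frame) == b"meter reading 42"
    except PairingError:
        return False


def table1_matrix() -> Dict[Tuple[str, str], bool]:
    """Behaviour of Table 1 for groups (P1, P2) and (S1, S2)."""
    p1, p2 = manufacture_pair(0x0001)
    s1, s2 = manufacture_pair(0x0002)
    patches = {"P1": p1, "P2": p2, "S1": s1, "S2": s2}
    checks = [("P1", "P2"), ("P2", "P1"), ("S1", "S2"), ("P1", "S1"), ("P1", "S2"), ("S1", "P2")]
    return {(a, b): can_decrypt(patches[a], patches[b]) for a, b in checks}


def binding_demo() -> Tuple[Optional[Tuple[str, str]], bool, bool]:
    """First use binds the terminal; same address keeps working; a changed MAC is refused."""
    patch, _ = manufacture_pair(0x1001)
    patch.protect("10.0.0.5", "02:00:00:00:00:05", b"first packet")
    same_ok = changed_ok = True
    try:
        patch.protect("10.0.0.5", "02:00:00:00:00:05", b"second packet")
    except PairingError:
        same_ok = False
    try:
        patch.protect("10.0.0.5", "02:00:00:00:00:99", b"from a swapped device")
    except PairingError:
        changed_ok = False
    return patch.bound_terminal, same_ok, changed_ok


if __name__ == "__main__":
    for (a, b), ok in table1_matrix().items():
        print(f"{a} -> {b}: {'decrypts' if ok else 'rejected'}")
    print(binding_demo())
```

The channel-ID check lets a receiving patch drop frames from another group before any cryptographic work, and the tag check rejects frames whose channel ID was copied but whose key differs, which is the property Table 1 expresses. Binding is kept on the sending side because the embodiment describes the patch capturing the sender's addresses.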
Embodiment 2
In this embodiment, a lightweight network security encryption method suitable for the Internet of Things is proposed, comprising:
collecting the data of the first network communication terminal through the first data processing terminal and encrypting it;
the first data processing terminal sending the encrypted data to the second data processing terminal;
the second data processing terminal decrypting the received encrypted data to obtain the original data as it was before encryption;
the second data processing terminal sending the decrypted original data to the second network communication terminal.
The above are only preferred embodiments of the present application and are not intended to limit it; for those skilled in the art, the present application may be modified and varied in many ways. Any modification, equivalent replacement or improvement made within the spirit and principles of the present application shall be included within its scope of protection.
Although the specific embodiments of the present disclosure have been described above with reference to the accompanying drawings, they do not limit the protection scope of the present disclosure. Those skilled in the art should understand that various modifications or variations that can be made on the basis of the technical solutions of the present disclosure without creative effort remain within the protection scope of the present disclosure.
Claims (8)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210977847.XA CN115348088B (en) | 2020-08-31 | 2020-08-31 | A communication network security encryption method |
CN202010897129.2A CN112202714B (en) | 2020-08-31 | 2020-08-31 | Lightweight network security encryption device and method suitable for Internet of things |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010897129.2A CN112202714B (en) | 2020-08-31 | 2020-08-31 | Lightweight network security encryption device and method suitable for Internet of things |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210977847.XA Division CN115348088B (en) | 2020-08-31 | 2020-08-31 | A communication network security encryption method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112202714A CN112202714A (en) | 2021-01-08 |
CN112202714B true CN112202714B (en) | 2022-08-30 |
Family
ID=74005826
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010897129.2A Active CN112202714B (en) | 2020-08-31 | 2020-08-31 | Lightweight network security encryption device and method suitable for Internet of things |
CN202210977847.XA Active CN115348088B (en) | 2020-08-31 | 2020-08-31 | A communication network security encryption method |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210977847.XA Active CN115348088B (en) | 2020-08-31 | 2020-08-31 | A communication network security encryption method |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN112202714B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115766093A (en) * | 2022-10-20 | 2023-03-07 | 浙江浙能绍兴滨海热电有限责任公司 | An Internet of Things terminal encryption device and encryption method thereof |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101873587A (en) * | 2010-05-27 | 2010-10-27 | 大唐微电子技术有限公司 | Wireless communication device and method for realizing service security thereof |
CN202711261U (en) * | 2012-08-16 | 2013-01-30 | 北京江南天安科技有限公司 | Encryption card |
CN103139058A (en) * | 2013-01-28 | 2013-06-05 | 公安部第一研究所 | Internet of things security access gateway |
CN103997495A (en) * | 2014-05-23 | 2014-08-20 | 中国人民解放军理工大学 | Security isolation file transmission control method |
CN109302432A (en) * | 2018-12-17 | 2019-02-01 | 何书霞 | Network communication data combined ciphering transmission method based on network security isolation technique |
CN209358570U (en) * | 2018-11-30 | 2019-09-06 | 全球能源互联网研究院有限公司 | A network isolation device suitable for power grid information security |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5757924A (en) * | 1995-09-18 | 1998-05-26 | Digital Secured Networks Techolognies, Inc. | Network security device which performs MAC address translation without affecting the IP address |
US11310198B2 (en) * | 2017-05-31 | 2022-04-19 | Crypto4A Technologies Inc. | Integrated multi-level or cross-domain network security management appliance, platform and system, and remote management method and system therefor |
WO2020107098A1 (en) * | 2018-11-29 | 2020-06-04 | Crypto4A Technologies Inc. | Trusted hardware network interconnection device and resources, and integrated multi-level or cross-domain network security management appliance, platform and system |
2020
- 2020-08-31 CN CN202010897129.2A patent/CN112202714B/en active Active
- 2020-08-31 CN CN202210977847.XA patent/CN115348088B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN115348088A (en) | 2022-11-15 |
CN115348088B (en) | 2024-08-02 |
CN112202714A (en) | 2021-01-08 |
Similar Documents
Publication | Title |
---|---|
US20210297414A1 (en) | Autonomic Control Plane Packet Transmission Method, Apparatus, and System |
US10091102B2 (en) | Tunnel sub-interface using IP header field |
EP2100406B1 (en) | Method and apparatus for implementing multicast routing |
Zia et al. | A security framework for wireless sensor networks |
CN112383944B (en) | Unmanned aerial vehicle bee colony self-adaptive networking method with built-in block chain |
CN102571591B (en) | Method, edge router and system for realizing marked network communication |
JP3599552B2 (en) | Packet filter device, authentication server, packet filtering method, and storage medium |
CN101436995B (en) | A Method of Fast IP Address Blocking Based on BGP Virtual Next Hop |
CN101022394A (en) | Method for realizing virtual local network aggregating method and converging exchanger |
CN102611634A (en) | IP (Internet protocol) network access method and edge device |
CN111385259B (en) | Data transmission method, device, related equipment and storage medium |
WO2020258302A1 (en) | Method, switch, and sites for data transmission |
US7710903B2 (en) | System and method for floating port configuration |
WO2019196562A1 (en) | Message processing method and device, storage medium and processor |
CN114124436B (en) | APN access trusted computing management system based on electric power Internet of things universal terminal |
CN112202714B (en) | Lightweight network security encryption device and method suitable for Internet of things |
CN107302428A (en) | The machinery of consultation of the cryptographic algorithm of data transport services in a kind of power distribution network |
US20060143701A1 (en) | Techniques for authenticating network protocol control messages while changing authentication secrets |
CN216819851U (en) | A safety access device in a substation |
CN114844902A (en) | SDN controller and equipment interaction method based on block chain technology |
WO2014090098A1 (en) | Method and device for implementing detection protocol in distributed system |
CN108092897A (en) | A kind of credible routing power supply management method based on SDN |
CN101567886B (en) | Entry security management method and device |
CN103347103A (en) | System and method for achieving dual-network content distribution of IPv4 and IPv6 |
CN113315834A (en) | Cloud platform of technical result transaction system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||