CN-121980573-A - Laboratory digital safety working space management method, system, equipment and medium based on trusted computing

Abstract

The invention discloses a laboratory digital safety working space management method, system, equipment and medium based on trusted computing, belonging to the technical field of laboratory information safety management. The method comprises the steps of measuring the startup chain through trusted hardware and uploading the measurement value after verification; completing multi-factor authentication and establishing an encrypted channel; performing a policy compliance check; creating a resource-isolated working space; loading a security policy in real time; monitoring user behavior and peripheral access; performing enhanced authentication and encrypted, verified transfer; generating a tamper-proof chained audit log; and, based on the log and the monitoring result, automatically starting hierarchical response and joint treatment to form a traceable responsibility judgment link. The invention ensures the credibility of the terminal system's running environment through a trusted computing root, realizes multi-task isolation and data leakage prevention with a containerized digital working space, enforces authority control through a security policy that adapts to identity and task, and improves security event response and operation traceability by means of real-time monitoring and an audit log library.

Inventors

  • GENG ZHENWEI
  • LI SHENZHANG
  • ZHAO XIAOPING
  • ZHU YANJIE
  • WEI GUANGCHENG
  • LI YUE

Assignees

  • 云南电力试验研究院(集团)有限公司
  • 云南电网有限责任公司数智运营中心

Dates

Publication Date: 2026-05-05
Application Date: 2026-01-27

Claims (10)

  1. A method for managing a laboratory digital safe working space based on trusted computing, characterized by comprising the following steps: measuring the starting chain through trusted hardware, uploading a measurement value after verification is passed, and entering an authentication link; authenticating the identity of a user by adopting a multi-factor authentication mechanism, establishing an encrypted communication channel, and performing a policy compliance check on access attributes; dynamically creating a working space according to the experimental task and the user identity, ensuring that task environments are independent and resources are isolated; dynamically loading a security policy from a management center to the workspace; monitoring user terminal behavior and peripheral access in real time during operation of the working space; carrying out enhanced authentication during cross-domain transmission, and completing data verification and transmission through a controlled encryption channel; recording operations over the whole process and generating tamper-proof chained signature logs which are stored centrally for auditing and analysis; and automatically generating an event report based on the log and the monitoring result, and starting hierarchical response and joint treatment to form a traceable responsibility judgment link.
  2. The trusted computing-based laboratory digital security workspace management method of claim 1, wherein measuring the starting chain through trusted hardware comprises: at the moment of powering up or restarting a laboratory terminal, the trusted starting module calls a trusted platform module or an equivalent security chip on the terminal hardware platform to complete the integrity measurement of the starting chain step by step, the integrity measurement comprising verification of the boot loader, the operating system kernel, drivers and application files; each level of measurement generates a corresponding hash value and compares it with a trusted reference value pre-stored in the trusted platform module, and a trusted measurement value is generated after measurement is completed; if the hash value generated by every level of measurement is identical to the trusted reference value pre-stored in the trusted platform module and the comparison succeeds, the digital safe working space access management system judges that the laboratory terminal is in a trusted state; if the hash value generated by any level of measurement differs from the trusted reference value pre-stored in the trusted platform module and the comparison fails, the digital safe working space access management system enters a safe isolation mode, the user is forbidden to continue operating, and an administrator is prompted to repair and recheck.
  3. The method for managing a laboratory digital security workspace based on trusted computing as claimed in claim 2, wherein authenticating the user identity using a multi-factor authentication mechanism comprises a primary verification, a secondary verification and a tertiary verification; the primary verification is that an experimenter inputs an account password and passes local encryption verification; the secondary verification collects biometric information of the experimenter and compares it with the information reserved in a database; the tertiary verification calls a digital certificate stored in the user terminal or the laboratory smart card and completes verification of the public/private key pair; when the primary, secondary and tertiary verifications all pass, the digital safe working space access management system calls the hardware security module to generate a one-time dynamic key, and two-way identity verification is completed through a digital signature; the policy compliance check of the access attributes comprises: after the two-way identity verification is completed, the digital safe working space access management system establishes an encrypted channel based on the TLS or IPSec protocol between the laboratory terminal and the security management center, verifies whether the network address, access mode and access time of the accessing laboratory terminal meet preset specifications, and refuses the access request if they do not.
  4. A trusted computing-based laboratory digital security workspace management method as defined in claim 3, wherein dynamically creating a workspace comprises: after user identity verification is completed and access permission is obtained, the digital safe working space access management system starts a safe working space generation process through the working space management module according to the user identity information and the type of experimental task applied for; the workspace is built based on virtualization and containerization techniques.
  5. A trusted computing-based laboratory digital security workspace management method as defined in claim 4, wherein dynamically loading security policies into a workspace comprises: after initialization of the safe working space is completed, the security policy module automatically invokes from the security management center the security policy matched with the user role and the experimental task, the security policy comprising the following: a data access authority defining the data directories and operation range an experimenter can access in the working space; an application running white list limiting the experimental software and analysis tools that may run; a peripheral access limit specifying the peripheral types permitted to connect; a network communication range defining the range of network addresses the work space is allowed to access; and cross-domain transmission control triggering an additional verification and controlled transmission mechanism when the experimental task involves cross-laboratory data interaction; if policy loading fails or the policy is tampered with, the digital safe working space access management system immediately stops task execution and prompts an administrator to check.
  6. The trusted computing-based laboratory digital security workspace management method of claim 4, wherein enhanced authentication during cross-domain transfer comprises: when experimenters need to access or share data among different experimental domains, the digital safe working space access management system automatically starts a cross-domain transmission control mechanism comprising: triggering secondary identity verification requiring the user to reconfirm their identity; after verification, the cloud terminal carries out data transmission on the server side through a controlled encryption channel, encrypting the transmission content before transmission and attaching an integrity check code; the digital safe working space access management system monitors the transmission frequency in real time, and when the transmission frequency exceeds a threshold value an alarm is triggered and the transmission channel is temporarily frozen.
  7. The method for trusted computing-based laboratory digital security workspace management as defined in claim 4, wherein generating a tamper-resistant chained signature log comprises: recording all operation behaviors and generating chained log entries throughout the safe working space life cycle; the log entries are linked by hash pointers and carry time stamps and digital signatures; the audit log is stored in a trusted log library and can be called by the security management center for unified analysis and tracing; initiating hierarchical response and joint treatment comprises: when a security event occurs, the security management center automatically generates an event report based on the audit log and the monitoring result; hierarchical response measures are carried out according to the report, including local isolation, network blocking, policy upgrade or cross-domain joint treatment; and a traceable secure disposal link is formed for laboratory compliance verification and liability attribution.
  8. A laboratory digital safe working space management system based on trusted computing, applied to the laboratory digital safe working space management method based on trusted computing as claimed in any one of claims 1 to 7, characterized by comprising a trusted starting module, an identity authentication and safe access module, a working space management module, a security policy module, a trusted monitoring module and a security audit module; the trusted starting module is used for calling the trusted platform module to execute integrity measurement on the boot loader, operating system kernel, drivers and applications and to generate a trusted measurement value when the laboratory terminal is powered on or started; the identity authentication and safe access module is used for authenticating the identity of the experimenter in a multi-factor mode, establishing an encrypted communication channel based on TLS or IPSec after authentication passes, realizing trusted access of the experimenter and the terminal, and verifying the access time, access mode and network location; the working space management module is used for generating, destroying and isolating a safe working space on the laboratory terminal using virtualization and containerization technology; the security policy module is used for loading and issuing a differentiated access control policy according to the user identity and task type, and for supporting dynamic policy adjustment; the trusted monitoring module is used for monitoring system calls, process behavior, network communication and peripheral access in real time while the safe working space is running, and for executing isolation and alarm when an abnormality is detected; and the security audit module is used for generating chained logs and storing them in a trusted log library so as to realize operation behaviors.
  9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the trusted computing-based laboratory digital secure workspace management method of any one of claims 1 to 7 when the computer program is executed.
  10. A computer-readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the trusted computing-based laboratory digital secure workspace management method of any one of claims 1 to 7.
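Claim 7 describes the audit log: entries linked by hash pointers, each carrying a time stamp and a digital signature, so that later rewriting or deletion is detectable. The following added Python example (not code from the patent) shows that mechanism end to end: appending entries, verifying the chain, and locating the first entry whose body, signature or pointer no longer matches. It assumes an HMAC with a constructed demo key in place of the digital signature so that it runs on the standard library alone; the log entries are constructed sample data.

```python
import hashlib
import hmac
import json
from typing import List, Tuple

# Constructed demo key standing in for the audit module's signing key (assumption:
# the claims call for a digital signature; an HMAC is used so this runs on stdlib).
SIGNING_KEY = b"demo-audit-key-not-for-production"
GENESIS = "0" * 64  # hash pointer carried by the first entry


def entry_digest(entry: dict) -> str:
    """SHA-256 over the entry body (every field except its own signature), canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "signature"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(chain: List[dict], actor: str, action: str, ts: float) -> dict:
    """Append one entry: hash pointer to its predecessor, timestamp, then signature."""
    entry = {
        "seq": len(chain),
        "timestamp": ts,
        "actor": actor,
        "action": action,
        "prev_hash": entry_digest(chain[-1]) if chain else GENESIS,
    }
    entry["signature"] = hmac.new(SIGNING_KEY, entry_digest(entry).encode(), "sha256").hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict]) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) if intact, else (False, index of the first bad entry)."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("prev_hash") != expected_prev:
            return False, i  # pointer no longer matches the predecessor (deletion/reorder)
        sig = hmac.new(SIGNING_KEY, entry_digest(entry).encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig, entry.get("signature", "")):
            return False, i  # body changed after signing, or signature forged
        expected_prev = entry_digest(entry)
    return True, -1


def demo() -> Tuple[bool, int]:
    """Constructed workspace session; then entry 1 is rewritten to hide a denied peripheral access."""
    chain: List[dict] = []
    append_entry(chain, "experimenter01", "open-workspace task=materials-test", 1700000000.0)
    append_entry(chain, "experimenter01", "peripheral usb-storage denied-by-policy", 1700000005.0)
    append_entry(chain, "experimenter01", "cross-domain-transfer files=12", 1700000060.0)
    if verify_chain(chain) != (True, -1):
        raise RuntimeError("freshly written chain must verify")
    chain[1]["action"] = "peripheral usb-storage allowed"
    return verify_chain(chain)  # (False, 1): the altered entry is pinpointed
```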

Description

Technical Field

The invention relates to the technical field of laboratory information security management, in particular to a method, a system, equipment and a medium for managing a laboratory digital security working space based on trusted computing.

Background

With the accelerating digital transformation of laboratory scientific research activities, large amounts of experimental data, experimental parameters and research results are stored and transmitted in a network environment. However, existing laboratory information systems generally have the following problems: the lack of a trusted security mechanism leaves the digital security workspace access management system vulnerable to malware or unauthorized access; security isolation between the laboratory terminal and the server is insufficient, so experimental data leakage and tampering cannot be effectively prevented; and the security policy of the working space has no dynamic adaptability, making differentiated management and control according to different experimental tasks and personnel authorities difficult to realize. Therefore, there is a need for a laboratory digital security workspace management method and system that combine trusted computing technology to achieve trusted verification, dynamic isolation and security management of laboratory terminals and data, ensuring the integrity and confidentiality of scientific research data and experimental processes. The invention relates to the field of information security management and laboratory digitization, in particular to a laboratory digital security working space management method and system based on trusted computing, which are suitable for scientific research laboratories, testing laboratories and digital experimental environments that process sensitive data.

Disclosure of Invention

The present invention has been made in view of the above problems. The technical problems to be solved by the invention are that a digital safety working space access management system is easily threatened by malicious software or unauthorized access because it lacks a security guarantee mechanism built on a trusted root; that security isolation between the laboratory terminal and the server is insufficient, so experimental data leakage and tampering cannot be effectively prevented; and that the security policy of the working space has no dynamic adaptability, so differentiated management and control according to different experimental tasks and personnel authorities are difficult to realize. In order to solve these technical problems, the invention provides a laboratory digital safe working space management method based on trusted computing, which comprises the following steps: measuring the starting chain through trusted hardware, uploading a measurement value after verification is passed, and entering an authentication link; authenticating the identity of the user by adopting a multi-factor authentication mechanism, establishing an encrypted communication channel, and performing a policy compliance check on the access attributes; dynamically creating a working space according to the experimental task and the user identity, and ensuring that task environments are independent and resources are isolated; dynamically loading security policies from the management center to the workspace; monitoring the behavior of the user terminal and the access of peripheral equipment in real time during operation of the working space; performing enhanced authentication during cross-domain transmission, and completing data verification and transmission through a controlled encryption channel; recording operations over the whole process and generating tamper-proof chained signature logs which are stored centrally for auditing and analysis; and automatically generating an event report based on the log and the monitoring result, and starting hierarchical response and joint treatment to form a traceable responsibility judgment link.

As a preferred embodiment of the method and system for managing a laboratory digital safe working space based on trusted computing according to the present invention, measuring the startup chain by the trusted hardware includes: at the moment of powering up or restarting the laboratory terminal, the trusted starting module invokes a trusted platform module or an equivalent security chip on the terminal hardware platform to complete the integrity measurement of the starting chain step by step, wherein the integrity measurement comprises verification of the boot loader, the operating system kernel, the driver and the application file. Each level of measurement generates a corresponding hash value, compares the hash value with a trusted reference value pre-stored in the trusted platform module, and generates a trusted measurement value after measure