CN-122027322-A - Edge node authentication and data encryption transmission system based on industrial Internet of things
Abstract
The invention discloses an edge node authentication and data encryption transmission system based on an industrial Internet of things, belonging to the technical field of industrial Internet of things encrypted transmission, and comprising the following steps: S1, establishing an edge node authentication network of the edge industrial Internet of things. According to the invention, identity information is pre-stored in the edge gateway by constructing the edge node authentication network, and, combined with a time-based one-time dynamic password (OTP) mechanism, access by illegal equipment and replay attacks are effectively prevented, so that the identity authentication security of the industrial Internet of things system is markedly enhanced. At the same time, the system automatically assigns data security levels (SL1-SL4) according to the features the edge gateway extracts from the acquired data, and applies symmetric encryption (AES-GCM), asymmetric encryption (RSA) or a hybrid encryption strategy to the different levels, guaranteeing strong encryption of highly sensitive data while avoiding the resource cost of over-encrypting low-risk data, thereby optimizing computation and communication efficiency.
Inventors
- RAO YI
Assignees
- 饶毅
Dates
- Publication Date
- 20260512
- Application Date
- 20260307
Claims (6)
- 1. An edge node authentication and data encryption transmission system based on industrial Internet of things, comprising the following components: S1, establishing an edge node authentication network of an edge industrial Internet of things, wherein the edge node authentication network is provided with at least five groups of edge gateways in an industrial Internet of things system, and identity transmission information is pre-stored in the edge gateways to form an encrypted communication link; S2, collecting data through various sensors deployed in industrial equipment, production lines and environments and through PLC (programmable logic controller) and RTU (remote terminal unit) controllers, then performing feature extraction on the data in the edge gateway and grading the security level according to the data features; S3, encrypting the different data security grades in different modes, wherein the encryption modes comprise symmetric encryption, asymmetric encryption and hybrid encryption; S4, the edge gateway transmits the encrypted data stream to the edge node, the node processes the data and, after confirming that the data is correct, forms a key chain for the local edge gateway, finally generates an encrypted data packet, and updates the encrypted data packet regularly; and S5, when industrial cross-regional transmission is performed, the edge gateway of the receiving end receives the transmitted data packet, the legality of the node identifier of the transmitting end is verified through the authentication network, the corresponding key chain is called according to the data security level identifier, and if authentication passes the data is distributed to the target industrial equipment and the cloud platform, whereas if authentication fails an abnormal alarm is triggered and the data transmission is blocked.
- 2. The edge node authentication and data encryption transmission system based on the industrial Internet of things, characterized in that the authentication information pre-stored in S1 adopts a random screening mechanism: a six-digit random number is input by an initiator and compared against the information pre-stored in the edge gateway. The pre-stored information comprises a shared key K (128-bit symmetric key), an equipment ID D and a time synchronization reference T0; the initiator and the edge gateway generate/verify the six digits using the same algorithm and the current time window, so the six digits input by the user constitute a real one-time dynamic password. The screening formula is defined as follows. Setting: K, the shared secret key pre-stored between the edge gateway and a legal initiator (secret); T, the current UNIX timestamp (unit: seconds); Δt, the time window length (e.g. 30 seconds); D_slot, the current time slot number (integer); H(·), a cryptographic hash function (e.g. HMAC-SHA256); Truncate(·), a dynamic truncation function outputting a 6-digit decimal number (000000-999999). The screening logic pre-stored in the edge gateway is OTP_expected = Truncate(HMAC-SHA256(K, Encode(D_slot))), and the six digits entered by the initiator are OTP_input.
- 3. The edge node authentication and data encryption transmission system based on the industrial Internet of things, characterized in that the formula by which the edge gateway extracts features from the data in S2 is F = [f_1, f_2, …, f_n] = [out-of-limit flag, rate of change, event type code, equipment criticality, …].
- 4. The edge node authentication and data encryption transmission system based on the industrial Internet of things according to claim 3, wherein the specific modes of symmetric encryption, asymmetric encryption and hybrid encryption in S3 are as follows: symmetric encryption, in which the same key is used for encryption and decryption, the algorithm being AES, which supports 128/192/256-bit keys, with the AES-GCM mode providing encryption and authentication simultaneously; asymmetric encryption, in which a public key encrypts and a private key decrypts, used for identity authentication and key exchange, the algorithm being RSA; hybrid encryption, in which asymmetric encryption is used to negotiate a temporary session key, and that session key is then used for symmetric encryption of the actual transmitted data.
- 5. The system for authentication and data encryption transmission of edge nodes based on industrial Internet of things according to claim 4, wherein the formula for generating the key chain in S4 is as follows. The key K_n used by the n-th session round is generated by K_n = KDF(K_{n-1}, Label || Context_n || Counter_n), wherein: K_0 is the initial key (128/256 bits), obtained by secure negotiation in the authentication stage; KDF(·) is the key derivation function, recommended HKDF (RFC 5869) or an AES-CMAC-based KDF; Label is a fixed string identifier, such as 'IIoOT_Session_Key'; Context_n is contextual information comprising the device IDs of both parties (ID_node || ID_gateway), the current timestamp T_n (optional, for time synchronization) and a random challenge value R_n (optional, for enhanced randomness); Counter_n = n is the session round counter (incremented from 1); || denotes byte concatenation.
- 6. The system for authentication and data encryption transmission of edge nodes based on industrial Internet of things according to claim 5, wherein the overall formula of industrial cross-regional transmission verification in S5 is: accept if A(ID_s) = true (identity legal) AND K ← K^(SL)(n) (corresponding key acquired) AND Dec_K(C, Nonce, ID_s || SL || n) ≠ ⊥ (decryption success). Wherein: ID_s is the unique identifier of the transmitting-end edge node; SL ∈ {1, 2, 3, 4} is the security level; A(·) is the authentication network verification function (returning a Boolean value); K^(SL) is the key chain corresponding to security level SL; n is the key index (session round / time window number); C is the ciphertext; T is the authentication tag; Dec_K(C, Nonce, A) decrypts and verifies the ciphertext using the key K, the Nonce and the additional authenticated data A, returning the plaintext on success and ⊥ on failure.
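The key chain of claim 5, kept per security level as the K^(SL)(n) lookup of claim 6 requires, as an added example that is not the patent's own code. It implements HKDF-SHA256 (RFC 5869) from the standard library and assumes a concrete byte layout for Context_n (length-prefixed device IDs, the level SL, an optional challenge R_n; the optional timestamp T_n is omitted) and a 4-byte big-endian Counter_n.

```python
import hmac
import hashlib
import struct

LABEL = b"IIoOT_Session_Key"   # the fixed label string given in claim 5


def hkdf_sha256(ikm, info, length=32, salt=b""):
    """HKDF per RFC 5869 with SHA-256: extract a PRK, then expand with info."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)       # RFC default: zero salt
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
        i += 1
    return okm[:length]


def context(id_node, id_gateway, sl, R_n=b""):
    """Context_n: both device IDs (length-prefixed), the security level SL the
    chain serves, and an optional random challenge R_n. This layout is assumed."""
    ids = b"".join(struct.pack(">H", len(x)) + x for x in (id_node, id_gateway))
    return ids + bytes([sl]) + R_n


def next_key(K_prev, n, id_node, id_gateway, sl, R_n=b""):
    """K_n = KDF(K_{n-1}, Label || Context_n || Counter_n), with Counter_n = n."""
    info = LABEL + context(id_node, id_gateway, sl, R_n) + struct.pack(">I", n)
    return hkdf_sha256(K_prev, info)


def key_chain(K0, id_node, id_gateway, sl, rounds):
    """K^(SL)(n) for n = 1..rounds: the chain a gateway keeps per security level.
    Node and gateway derive the same chain from the negotiated K0 without
    transmitting any session key."""
    chain, K = {}, K0
    for n in range(1, rounds + 1):
        K = next_key(K, n, id_node, id_gateway, sl)
        chain[n] = K
    return chain
```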
Description
Edge node authentication and data encryption transmission system based on industrial Internet of things
Technical Field
The invention belongs to the technical field of industrial Internet of things encrypted transmission, and particularly relates to an edge node authentication and data encryption transmission system based on the industrial Internet of things.
Background
With the rapid development of Industry 4.0 and intelligent manufacturing, the industrial Internet of things (Industrial Internet of Things, IIoT) has become a core supporting technology for realizing factory automation, equipment interconnection and intelligent operation and maintenance. In IIoT systems, a large number of sensors, programmable logic controllers (PLCs), remote terminal units (RTUs) and other edge devices are widely deployed across production lines, equipment and environments; key operating data such as temperature, pressure, vibration and current are collected in real time and uploaded through an edge gateway to a local node or cloud platform for analysis and decision-making.
However, the openness and distributed nature of IIoT systems also present significant security challenges. Firstly, the number of edge nodes is huge and their distribution is wide, and most are resource-constrained (in computing capacity, storage space and energy consumption), so traditional high-strength security mechanisms are difficult to deploy. Secondly, illegal equipment can mount replay attacks, man-in-the-middle attacks or data tampering by accessing the network with a counterfeit identity, seriously threatening the integrity and availability of the industrial control system. Moreover, different types of industrial data have different degrees of sensitivity: comparing equipment status alarm data with process parameters, the former may need only basic protection, whereas leakage of the latter can expose core technology or cause production accidents.
If a uniform high-strength encryption policy is adopted for all data, computing and communication resources are wasted, and the transmission efficiency of industrial control instructions with strict real-time requirements may also be affected. An edge security architecture that integrates dynamic identity authentication, data security level classification and adaptive encryption policies is therefore needed to cope with increasingly complex industrial network security threats.
Disclosure of Invention
The invention aims to provide an edge node authentication and data encryption transmission system based on industrial Internet of things, so as to solve the problems set out in the background.
In order to achieve the above purpose, the invention provides the technical scheme that an edge node authentication and data encryption transmission system based on industrial Internet of things comprises: S1, establishing an edge node authentication network of an edge industrial Internet of things, wherein the edge node authentication network is provided with at least five groups of edge gateways in an industrial Internet of things system, and identity transmission information is pre-stored in the edge gateways to form an encrypted communication link; S2, collecting data through various sensors deployed in industrial equipment, production lines and environments and through PLC (programmable logic controller) and RTU (remote terminal unit) controllers, then performing feature extraction on the data in the edge gateway and grading the security level according to the data features; S3, encrypting the different data security grades in different modes, wherein the encryption modes comprise symmetric encryption, asymmetric encryption and hybrid encryption; S4, the edge gateway transmits the encrypted data stream to the edge node, the node processes the data and, after confirming that the data is correct, forms a key chain for the local edge gateway, finally generates an encrypted data packet, and updates the encrypted data packet regularly; S5, when industrial cross-regional transmission is performed, the receiving-end edge gateway receives the transmitted data packet, verifies the validity of the sending-end node identifier through the authentication network, calls the corresponding key chain according to the data security level identifier, distributes the data to the target industrial equipment and cloud platform if verification passes, and triggers an abnormal alarm and blocks the data transmission if verification fails.
As a further preferable mode of the technical scheme, step S1 pre-stores authentication information using a random screening mechanism, namely a six-digit random number is input by an initiator and compared against the information pre-stored in the edge gateway; the pre-stored information comprises a shared key K (128-bit symmetric key), an equipment ID D and a time synchronization reference T0, wherein the initiator and the edge gateway generate/verify six