CN118540135B - System component communication method and storage medium applied to port network security - Google Patents

Info

Publication number
CN118540135B
CN118540135B
Authority
CN
China
Prior art keywords
certificate
data
key
communication
component
Prior art date
Legal status
Active
Application number
CN202410686297.5A
Other languages
Chinese (zh)
Other versions
CN118540135A (en)
Inventor
吴南海
付伟
陈玉明
Current Assignee
Broad Vision Xiamen Technology Co ltd
Original Assignee
Broad Vision Xiamen Technology Co ltd
Priority date
Filing date
Publication date
Events
Application filed by Broad Vision Xiamen Technology Co ltd
Priority to CN202410686297.5A
Publication of CN118540135A
Application granted
Publication of CN118540135B
Legal status: Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/04 for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L 63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
                    • H04L 63/08 for authentication of entities
                        • H04L 63/0823 using certificates
                    • H04L 63/12 Applying verification of the received information
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L 9/3247 involving digital signatures
                        • H04L 9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                            • H04L 9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
                    • H04L 9/40 Network security protocols
                • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
                    • H04L 2463/062 applying encryption of the keys

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a system component communication method and a storage medium applied to port network security. The communication method comprises the following steps: establishing a certificate authority; creating and submitting a certificate signing request; verifying identity and reviewing the certificate signing request; generating the certificate; distributing the certificate; and data transmission, in which it is judged whether the digital certificates carried by both components to be communicated are valid: if so, communication proceeds, and if not, communication is refused. One component is selected as the certificate authority to manage the keys and digital certificates of the components; it is responsible for issuing digital certificates to the other components joining the system and for digitally signing them. Thereafter, communication within the system requires digital certificates issued by the certificate authority, which ensures that only authenticated components can communicate with each other, preventing unauthorized devices from joining the system and thus preventing unauthorized access and data leakage.

Description

System component communication method and storage medium applied to port network security
Technical Field
The present invention relates to the technical field of port network security, and in particular to a system component communication method and a storage medium applied to port network security.
Background
At present, container throughput at ports in China keeps rising, which inevitably pushes terminal operators to keep improving the working efficiency of every department and link of the terminal; the lifting speed of terminal hoisting equipment is the factor that most affects terminal operating efficiency. As a collection and distribution point for goods and information, a port has to process a large amount of data every day, including cargo information, the operating states of cranes, container hoisting instructions and the like.
In the current field of port network security, as ports become more automated and intelligent, port network systems increasingly depend on communication between various components. These components include, but are not limited to, port machine PLCs (programmable logic controllers), video signal servers, video hosts and consoles. Traditional communication methods may lack an effective security mechanism, so data in transit is easily accessed, tampered with or destroyed by unauthorized parties, affecting the normal operation of the port and the confidentiality of its data. How to implement an efficient and secure authentication mechanism in a port network system has therefore become an urgent problem to be solved.
Disclosure of Invention
Therefore, it is necessary to provide a system component communication method and a storage medium applied to port network security that solve the problem of how to implement an efficient and secure authentication mechanism in a port network system.
To achieve the above object, the present invention provides a system component communication method applied to port network security, comprising the steps of:
establishing a certificate authority: the components comprise a port machine PLC, a video signal server, a video host and a console, and one of the components is selected as the certificate authority;
creating and submitting a certificate signing request: the requesting components generate their respective key pairs, each requesting component creates a certificate signing request using the private key of its key pair and sends it to the certificate authority, and the certificate signing request contains the public key of the component's key pair and the component's identification information;
verifying identity and reviewing the certificate signing request: the certificate authority receives the certificate signing request sent by the requesting component, verifies the identity of the requesting component, examines the certificate signing request and judges whether the public key of the requesting component's key pair has been tampered with; if not, the requesting component passes verification;
generating the certificate: the certificate authority creates a digital certificate from the public key of the requesting component's key pair combined with the requesting component's identification information, and digitally signs the digital certificate with its own private key;
distributing the certificate: the certificate authority sends the signed digital certificate to the requesting component, which installs it;
data transmission: judging whether the digital certificates carried by both components to be communicated are valid; if so, communication proceeds, and if not, communication is refused.
Further, "judging whether the digital certificates carried by both components to be communicated are valid" comprises the following steps:
exchanging digital certificates: the two components to be communicated exchange their respective digital certificates;
verifying the certificate signature: the public key of the certificate authority is obtained from a trusted certificate repository and used to verify the signature on the counterpart's digital certificate;
checking the certificate validity period: judging whether the digital certificate of the component to be communicated is within its validity period; if so, the digital certificate is valid and the two components may communicate; if not, the digital certificate is invalid and the two components may not communicate.
Further, after "checking the certificate validity period", the method further comprises the following step:
checking the certificate revocation status: obtaining the certificate revocation list of the certificate authority and judging whether the digital certificate of the component to be communicated is in the certificate revocation list; if not, the digital certificate is valid and the two components may communicate; if so, the digital certificate is invalid and the two components may not communicate.
Further, the "data transmission" step further includes the following step:
judging whether the sensitivity of the transmitted information exceeds a threshold; if so, communicating with asymmetric encryption, and if not, communicating with symmetric encryption.
Further, information whose sensitivity exceeds the threshold comprises user account passwords, personal identity information and financial records.
Further, when communication uses asymmetric encryption, the method further comprises the following step:
the key pair is created by a random number generator, the public key of the key pair is acquired by the certificate authority, and the private key of the key pair is stored and backed up by the component in encrypted form.
Further, the method also comprises the following step:
judging whether the sensitivity of the transmitted information exceeds the threshold; if so, encrypting the information whose sensitivity exceeds the threshold and storing it on a server.
Further, "encrypting the information whose sensitivity exceeds the threshold and storing it on the server" further includes the following step:
a trusted platform module generates an encryption key, the information whose sensitivity exceeds the threshold is encrypted with the key generated by the trusted platform module, and the information is stored on the server.
Further, the method also comprises the following step:
the trusted platform module periodically replaces the encryption key.
To achieve the above object, the present invention also provides a storage medium storing a computer program which, when executed, performs any one of the above system component communication methods applied to port network security.
The technical scheme has the following beneficial effects:
The system component communication method provided by the application selects one component as a certificate authority that manages the keys and digital certificates of the components and is responsible for issuing and digitally signing digital certificates for the other components joining the system. Thereafter, communication within the system requires digital certificates issued by the certificate authority, which ensures that only authenticated components can communicate with each other, preventing unauthorized devices from joining the system and thus preventing unauthorized access and data leakage. As the port network security system is expanded and upgraded, new components can be added conveniently, with digital certificates generated and distributed for them, without significant modification of the overall system.
Drawings
FIG. 1 is a flowchart of the system component communication method in this embodiment;
FIG. 2 is a second flowchart of the system component communication method in this embodiment;
FIG. 3 is a third flowchart of the system component communication method in this embodiment;
FIG. 4 is a flowchart of the system component communication method in this embodiment;
FIG. 5 is a flowchart of the system component communication method in this embodiment;
FIG. 6 is a flowchart of the system component communication method in this embodiment;
FIG. 7 is a schematic diagram of the system components in this embodiment.
Detailed Description
To describe the technical content, structural features, objects and effects of the technical solution in detail, the following description is given with reference to specific embodiments and the accompanying drawings.
Referring to FIG. 1, the present embodiment provides a system component communication method applied to port network security, which includes the following steps:
Step S101: a certificate authority is established. The components comprise a port machine PLC (programmable logic controller), a video signal server, a video host and a console, and one of the components is selected as the certificate authority.
"Port machines" in ports generally refers to port handling machinery, a generic term for all types of machinery used in port cargo handling operations. Port machines include equipment such as cranes, conveyor belts, loading bridges and stackers, which play a vital role in logistics and cargo handling at the port. The port machine PLC is connected to the port machine and controls it to load and unload port cargo. The programmable logic controller is communicatively connected to a video host through a video signal server, and the video host displays the container loading and unloading information on a monitor; the structure is shown in FIG. 7. A port machine is bound to no console while it is not operating and can be bound to any console while it is operating, so the relationship between port machines and consoles is M-to-N. When a terminal driver operates at the console, the port machine is remotely controlled through the console's buttons and handles; the port machine's actuators perform the mechanical actions after receiving the instruction, and the execution instruction is sent to the port machine's programmable logic controller through an IO communication terminal.
In the system initialization phase, a reliable component is selected to serve as the certificate authority according to an assessment of security performance and reliability. For example, the video signal server may be selected as the certificate authority responsible for managing the secure communications of the entire system. In some embodiments, the console may be selected for this role instead.
The certificate authority (CA) plays the core role in the port network security system: it generates and manages digital certificates so as to secure the whole communication process. The CA first generates a key pair of 2048 bits or more using a mature public key infrastructure (PKI) algorithm such as RSA or ECDSA, ensuring the security and encryption strength of the key. From this key pair the CA takes the public key, combines it with a defined, unique distinguished name (DN) and signs this information with the private key to form a self-signed root certificate, which serves as the starting point of the trust chain and the basis for verifying the validity of other certificates. To maintain the long-term security of the system, the CA sets the validity period of the root certificate, typically many years, to reduce the update frequency, while providing a mechanism for updating or renewing it before it expires so that communication continues uninterrupted. The environmental security of the CA is also critical, including physical security measures against unauthorized access and physical disruption, and network security measures such as encryption and firewalls to defend against network attacks. By these measures the CA ensures the security of communication between the components of the port network system and the confidentiality of data.
Referring to FIG. 1, step S102: a certificate signing request is created and submitted. The requesting components generate their respective key pairs, each requesting component creates a certificate signing request using the private key of its key pair and sends it to the certificate authority, and the certificate signing request contains the public key of the requesting component's key pair and the component's identification information.
After the video signal server is selected as the certificate authority, the other components in the system, such as the port machine PLC, video host and console, must apply to the certificate authority for digital certificates in order to join the system. Each requesting component (the component to be joined) generates a key pair and creates a certificate signing request using its private key. These requests contain the component's public key and identification information and are sent to the certificate authority.
The certificate signing request (CSR) contains the component's public key and a set of identification information such as the component name, the organization it belongs to, the department, and so on. Together this information defines the component's identity and gives the certificate authority (CA) the data it needs to verify the component's legitimacy. Submission of the CSR must take place over a secure channel so that the information is neither intercepted nor tampered with in transit. In practice this usually means a Secure Sockets Layer (HTTPS) connection, which provides an encrypted channel ensuring the security and integrity of the transmission. Other encrypted messaging protocols, such as Secure/Multipurpose Internet Mail Extensions (S/MIME) or Transport Layer Security (TLS), may also be used and likewise provide strong security. Through these measures the CSR travels securely from the requesting component to the CA, laying a solid foundation for subsequent certificate generation and authentication.
Referring to FIG. 1, step S103: the certificate authority receives the certificate signing request sent by the requesting component, verifies the requesting component's identity, examines the certificate signing request and determines whether the public key of the requesting component's key pair has been tampered with. If it has not, the requesting component passes verification and step S104 follows; if it has, the requesting component is barred from joining the communication system and step S102 is executed again.
On receiving a certificate signing request (CSR) from a new component, the certificate authority starts a comprehensive authentication procedure to establish the requester's authenticity. Authentication may be manual, involving review of the identity documents or credentials provided by the new component, or automated through an authentication mechanism built into the system. Automated verification may include checking a pre-shared key between the requesting component and the certificate authority, verifying whether the requesting component's IP address matches a known or authorized network address, and confirming that its hardware ID is consistent with the recorded device information. Once the requesting component's identity is verified, the certificate authority examines the CSR content in detail, ensuring the accuracy of the identification information it contains (component name, organization, department and so on), and uses a hash function or digital signature technique to verify the integrity of the public key, ensuring that it was not tampered with in transit. This continuous verification and auditing is a critical step in ensuring the security and reliability of the whole certificate issuing process.
Referring to FIG. 1, step S104: the certificate authority creates a digital certificate from the public key of the requesting component's key pair combined with the requesting component's identification information, and digitally signs the digital certificate with its own private key.
After verifying the requesting component's identity and auditing its CSR content, the certificate authority enters the creation phase of the digital certificate. First, it builds the basic framework of the certificate from the public key in the CSR and the component's identification information, such as component name, organization and department. It then sets an explicit expiration date for the digital certificate, typically determined by the organization's security policy and the purpose of the certificate, which may be months, years or longer. Once all parameters of the certificate are set, the certificate authority digitally signs the newly created certificate with its own private key. The signature not only attests to the source of the certificate content and ensures its authenticity, but also protects the integrity of the content during transmission and storage and prevents any unauthorized modification. In this way the certificate authority ensures that the new component's digital certificate is both secure and reliable, providing a solid basis of trust for inter-component communication in the port network security system.
Referring to FIG. 1, step S105: the certificate is distributed. The certificate authority transmits the signed digital certificate to the requesting component, which installs it.
The certificate authority sends the signed digital certificate to the verified (requesting) component, which, on receiving it, performs installation and configuration to integrate the certificate into its own system environment. This typically involves importing the certificate into the component's certificate store and configuring the associated encrypted communication software so that the component can use the newly installed certificate for secure encrypted communication.
Referring to FIG. 1, step S106: data transmission. It is determined whether the digital certificates carried by both components to be communicated are valid; if so, step S107 is executed and communication proceeds; if not, communication is refused and step S102 is executed.
When data is to be transmitted between components, the validity of both sides' digital certificates is checked first. If they are valid, communication is allowed; if they are invalid, communication is refused, which ensures the security of the communication.
Referring to FIG. 2, in this embodiment, determining in step S106 whether the digital certificates carried by both components to be communicated are valid further includes the following steps:
Step S1061: exchanging digital certificates. The two components to be communicated exchange their respective digital certificates.
Both parties perform the critical certificate exchange during the initiation of a secure session, such as a Transport Layer Security (TLS) handshake. Each party presents its own digital certificate to the other; the certificate carries not only the party's public key but also the other important information the certificate authority (CA) placed in it, such as the certificate holder's identification, the validity period, the serial number, the CA's signature and the intended use of the certificate. Through this exchange, each party can verify the other's identity and be sure that the exchanged public key is authentic. This is the basis for establishing secure communication: it allows the two parties to use each other's public keys in subsequent communication, ensuring the confidentiality and integrity of the data. Certificate-based mutual authentication not only improves communication security but also supports the expandability and ease of management of the system.
Referring to FIG. 2, step S1062: verifying the certificate signature. The public key of the certificate authority is obtained from the trusted certificate repository and used to verify the signature on the counterpart's digital certificate.
Each party retrieves the public key of a known, trusted certificate authority (CA) from a trusted certificate store. These public keys are pre-installed in the operating system or application as trust anchors for subsequent certificate verification. With the CA public key, each party verifies the signature on the counterpart's digital certificate; this involves using the CA's public key to decrypt and check the digital signature in the certificate, confirming that the signature is valid. Successful signature verification proves both that the certificate was issued by a trusted CA and that its contents have not been tampered with or altered since it was issued.
Referring to fig. 2, step S1063 checks the validity period of the certificate, i.e. determines whether the digital certificate of the component to be communicated is within its validity period. If so, the digital certificate is valid, the two corresponding components may communicate, and step S1064 or S107 is executed; if not, the digital certificate is invalid and the two corresponding components may not communicate.
Each party examines the "valid start date" and "valid end date" fields of the certificate, which explicitly state its validity range. These dates are compared with the current system date to verify whether the certificate is still within its validity period. If the current system date falls outside the range defined by the certificate's valid start date and end date, the certificate is considered expired. Once a certificate is determined to be expired, it is no longer suitable for any form of secure communication, because an expired certificate may no longer be trusted by the Certificate Authority (CA) or may no longer conform to current security standards. This verification step is therefore critical to preventing communication with outdated or invalid credentials, which helps to maintain the security and integrity of the data throughout the communication process.
Referring to fig. 3, step S1064 checks the certificate revocation status, i.e. obtains the certificate revocation list of the certificate authority and determines whether the digital certificate of the component to be communicated is in the certificate revocation list. If not, the digital certificate is valid, the two corresponding components may communicate, and step S105 or S107 is executed; if so, the digital certificate is invalid and the two corresponding components may not communicate.
To further confirm the current state of the digital certificate, the communicating parties may consult a Certificate Revocation List (CRL) issued by a Certificate Authority (CA), which lists the serial numbers of all revoked certificates. By comparing the serial numbers in the CRL with the serial number of the certificate to be authenticated, it can be determined whether the certificate has been revoked. If the serial number of the certificate to be authenticated appears in the CRL, the certificate is no longer valid and cannot be used for secure communication.
To obtain revocation status more quickly, both parties to the communication may also use the Online Certificate Status Protocol (OCSP). OCSP allows the OCSP server to be queried in real time for the latest revocation status of a certificate. OCSP can respond faster than a CRL because it supports immediate updates and queries, whereas a CRL is typically updated only periodically. By sending a query request to the OCSP server, the communicating parties receive immediate feedback on the current status of the certificate, including whether it has been revoked or is still valid.
Step S1065, final verification: once the series of verification steps on the digital certificate is complete, including signature verification, validity period check and revocation status query, the two communicating parties decide according to the results whether to continue with encrypted communication. If the signature verification of the certificate succeeds, which indicates that the content of the certificate has not been tampered with since issuance, the "valid start date" and "valid end date" fields show that the certificate is within its validity period, and the certificate is confirmed not to be revoked by consulting a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP), then the certificate is considered to have passed verification, and both parties can safely use it for encrypted communication, ensuring the confidentiality and integrity of the data to be protected.
Conversely, if a problem is found in any of the verification steps, such as a signature verification failure indicating that the certificate may have been tampered with, a validity check showing that the certificate has expired, or a CRL or OCSP result indicating that the certificate has been revoked, then the certificate verification is deemed to have failed. In this case, both parties should terminate the communication immediately to prevent potential security risks. In addition, the system may take appropriate security measures, such as logging the event for further analysis and auditing. If necessary, the system also reports these security events to the system administrator so that further actions can be taken, such as revoking the associated certificate, updating the CRL or OCSP information, or enhancing security monitoring, to maintain the security and stability of the overall system.
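The three checks of steps S1062 to S1064 and the S1065 decision, as an added Go example that is not part of the patent. It builds an in-memory CA, one component certificate and a CRL with the standard library's x509 package (all constructed fixtures; the names "port-ca" and "video-signal-server", the serial numbers and the lifetimes are assumed), verifies the CA signature on the peer certificate, checks the validity window against a supplied time, and looks the serial number up in the CRL only after confirming that the CRL is itself signed by the CA and not past its NextUpdate. The OCSP path described above is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict records the outcome of each check so the S1065 decision can log every failing reason.
type Verdict struct {
	SignatureOK bool // S1062: the CA signature on the peer certificate verifies
	InValidity  bool // S1063: the current time lies within NotBefore..NotAfter
	NotRevoked  bool // S1064: the serial number is absent from the CA's CRL
}

// Accepted is the S1065 decision: all three checks must pass.
func (v Verdict) Accepted() bool { return v.SignatureOK && v.InValidity && v.NotRevoked }

// VerifyPeerCertificate runs steps S1062-S1064 on a peer certificate using the CA
// certificate from the trust store and a DER-encoded CRL issued by that CA.
func VerifyPeerCertificate(peer, ca *x509.Certificate, crlDER []byte, now time.Time) (Verdict, error) {
	var v Verdict
	v.SignatureOK = peer.CheckSignatureFrom(ca) == nil
	v.InValidity = !now.Before(peer.NotBefore) && !now.After(peer.NotAfter)
	// The CRL is itself a signed object: check its signature and freshness before
	// believing it, otherwise a stale or forged list could hide a revocation.
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return v, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return v, fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return v, fmt.Errorf("CRL past NextUpdate %s: refresh it (or query OCSP) before deciding", crl.NextUpdate)
	}
	v.NotRevoked = true
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			v.NotRevoked = false
		}
	}
	return v, nil
}

// NewTestPKI builds an in-memory CA, one component certificate issued by it and a CRL
// from that CA which revokes the component certificate when revoke is true.
// Constructed fixture for this example: names, serials and lifetimes are assumed.
func NewTestPKI(now time.Time, revoke bool) (leaf, ca *x509.Certificate, crlDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "port-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "video-signal-server"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return
	}
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revoke {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return
}
```

Calling NewTestPKI with revoke set to true and passing the result to VerifyPeerCertificate yields a verdict whose NotRevoked field is false while the signature and validity checks still pass, which is exactly the case where step S1065 should log the reason and refuse the session. Because the CRL's own signature and NextUpdate are checked before its contents are trusted, a stale list or one signed by a different CA produces an error rather than a silent pass.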
Referring to fig. 4, in this embodiment, in step S107, when performing communication, the method further includes the following steps:
Step S1071, determining whether the sensitivity of the transmitted information is greater than a threshold; if so, step S1072 is executed and communication uses asymmetric encryption, and if not, step S1073 is executed and communication uses symmetric encryption.
In the data transmission stage, the encryption mode is selected according to the sensitivity of the information. In practice, the system first defines a sensitivity threshold that separates the sensitivity levels of the information. When data needs to be transmitted, the system automatically evaluates its sensitivity, for example on the basis of the type, source and content of the data.
The components in the system communicate in encrypted form so as to ensure the security and confidentiality of the exchanged information. Specifically, the system selects the encryption mode dynamically according to the sensitivity level of the information: asymmetric encryption is used for information containing sensitive and private data, such as user account passwords, personal identity information and financial records, because asymmetric encryption provides stronger security; a public/private key pair is used, the public key encrypts the data and the private key decrypts it, so only the receiver holding the private key can access the original data. For non-sensitive data, the system uses symmetric encryption, in which the same key is used to encrypt and decrypt the data; compared with asymmetric encryption, symmetric encryption is faster and is suited to processing large amounts of data. By selecting the encryption mode dynamically according to information sensitivity, the communication method of this patent not only improves the security of communication but also optimizes the efficiency of the encryption process according to the characteristics of the data, achieving a balance between security and efficiency.
In this embodiment, fine-grained classification of the data processed in the system is a key step in ensuring data security. First, data is divided into two major categories: sensitive information and non-sensitive information. Sensitive information refers to data whose compromise may have a serious impact on an individual or organization, including but not limited to personal identification information, financial records and account passwords. Such information is often subject to stringent privacy protection and security regulations and therefore requires a higher level of confidentiality, integrity and availability protection. For sensitive information, a Public Key Infrastructure (PKI) is established, or an existing one is used, to support the secure distribution and management of public keys.
Relatively insensitive information means data that may be publicly available or is less security-critical, such as routine business information or publicly available data. Although the security requirements for such information are relatively low, appropriate management and protection are still required according to the specific business requirements and security policy. To ensure that each type of data is handled properly, the system performs a detailed security assessment of each type of data and establishes its specific confidentiality, integrity and availability requirements. Confidentiality requirements ensure that sensitive information is not accessed or disclosed without authorization, integrity requirements ensure that data is not tampered with or damaged during storage and transmission, and availability requirements ensure that authorized users can access the data when needed.
In this embodiment, the selected encryption method is implemented in the system. For symmetric encryption, secure storage and transmission of the key is ensured. For asymmetric encryption, wide availability of the public key and strict secrecy of the private key are ensured. The selected encryption algorithms are performance-optimized so that they do not negatively affect the response time or user experience of the system. Key management is the core component that keeps the encryption system operating effectively, and a correct key management policy maximizes data security. A symmetric encryption key must be kept secret and known only to the two ends of the communication. Asymmetric encryption involves a public key, which is public, and a private key, which must be kept secret.
In this embodiment, in step S1072, when communication is performed by means of asymmetric encryption, the method further includes the following steps:
A key pair is created by a random number generator, the public key of the key pair is obtained by the certificate authority, and the private key of the key pair is stored and backed up in encrypted form by the component.
That is, the key management method for asymmetric encryption is as follows:
First, the system creates a key pair, consisting of a public key and a private key, using a secure random number generator. To ensure security, the key length must meet the latest security standards; for the RSA algorithm, for example, a key length of at least 2048 bits is recommended. The public key may be distributed through public channels such as web sites, e-mail or a Public Key Infrastructure (PKI), and its authenticity is verified by means of digital signatures or a trusted Certificate Authority (CA). The private key must be stored in a highly secure environment, for example in a Hardware Security Module (HSM) or a cryptographic storage solution protected by a strong password, to prevent unauthorized access. To further protect the private key, strict access control is implemented so that only authorized users can access it. In addition, the private key is backed up securely to guard against loss or damage of the original, and the backup is likewise encrypted and stored in a safe location. To cope with possible loss or damage of the private key, a secure key recovery procedure is designed and implemented so that the private key can be recovered when required. At the same time, the system monitors and manages the whole life cycle of the key, including its creation, activation, deactivation and final destruction, to ensure that the key life cycle is properly managed.
In this embodiment, in step S1073, when communication uses symmetric encryption, the method further includes the following steps. First, the system generates a strong key using a secure Random Number Generator (RNG), ensuring that the generated key is at least 128 bits long and meets the latest security standards of algorithms such as AES. During key distribution, the key is transmitted in encrypted form over a secure channel or under a securely exchanged temporary key, so that it cannot be intercepted in transit. In addition, a Key Distribution Center (KDC) handles key distribution, ensuring the security and efficiency of the distribution process. When the key is stored locally, the system uses a Hardware Security Module (HSM) or an encrypted database to protect it from unauthorized access. At the same time, strict access control and multi-factor authentication are implemented so that only authenticated and authorized users can access the keys. To reduce the risk of key compromise, the system changes keys periodically and immediately whenever any risk of key leakage arises. Keys that are no longer used are securely destroyed so that they cannot be recovered without authorization. Through these combined measures, the communication method of this patent ensures the security of key generation, distribution, storage and replacement, and, through the periodic replacement and secure destruction mechanisms, further strengthens the security of the whole communication system and its resistance to potential threats.
In this embodiment, the encryption process involves both symmetric and asymmetric encryption. In symmetric encryption, the sender and receiver encrypt and decrypt with the same key, while in asymmetric encryption a public/private key pair is used, the public key for encryption and the private key for decryption. The implementation steps of these two encryption modes are described in detail below.
A. Implementation steps of symmetric encryption
The sender and the receiver share a key in advance, typically through a secure key exchange protocol such as Diffie-Hellman key exchange or via a secure physical medium such as a USB drive. The sender encrypts the message with the shared key and a chosen symmetric encryption algorithm (e.g., AES); this converts the plaintext into ciphertext that cannot be read without the key. The sender sends the ciphertext to the receiver over a network or another communication channel. After receiving the ciphertext, the receiver decrypts it with the same shared key and the same algorithm, recovering the original plaintext message. The receiver then verifies that the decrypted information is complete and can be used without errors.
B. Implementation steps of asymmetric encryption
The receiver generates a key pair consisting of a public key and a private key. The public key may be distributed openly, while the private key must be kept secure and never leaked. The sender obtains the receiver's public key, for example through a Public Key Infrastructure (PKI), a web site, e-mail or another trusted channel. The sender encrypts the message with the receiver's public key, which ensures that only the receiver holding the matching private key can decrypt it. The ciphertext is sent to the receiver over a network or another communication channel. The receiver decrypts the received ciphertext with its own private key, converting the ciphertext back to the original plaintext. The receiver then verifies that the decrypted information is complete and can be used without errors.
Referring to fig. 5, in this embodiment, in step S107, when performing communication, the method further includes the following steps:
Step S1071, determining whether the sensitivity of the transmitted information is greater than the threshold; if so, step S1074 is executed, and the information whose sensitivity is greater than the threshold is encrypted and stored on the server.
For such sensitive information, the system automatically triggers an encryption process that encrypts the information with an appropriate encryption algorithm (e.g., AES, RSA). The encrypted information is then stored securely on the server. The storage process may involve secure file transfer protocols and requires that the server has the necessary security measures in place, such as firewalls and intrusion detection systems, to protect the stored data from unauthorized access.
Referring to fig. 6, in this embodiment, in step S1074, when information whose sensitivity is greater than the threshold is encrypted and stored on the server, the method further includes the following steps:
Step S10741, a Trusted Platform Module (TPM) generates an encryption key, and the information whose sensitivity is greater than the threshold is encrypted with the encryption key generated by the Trusted Platform Module;
Step S10742, the Trusted Platform Module encrypts the information whose sensitivity is greater than the threshold with a strong encryption algorithm, such as AES or RSA. The keys must be stored separately from the encrypted data, so that the key and the data cannot be leaked together;
Step S10743, the Trusted Platform Module stores the information whose sensitivity is greater than the threshold on the server and periodically replaces the encryption key.
First, in the key generation stage, the system uses a high-quality random number generator combined with hardware-specific information to generate a unique key, which ensures the uniqueness of the key and strengthens its unpredictability. In addition, the system uses the hardware Trusted Platform Module (TPM) to generate and store the encryption key; the TPM provides a secure hardware environment for key generation and storage, further strengthening the security of the whole encryption process.
For encrypted data storage, all sensitive data, such as account passwords, must be encrypted before being stored. The system encrypts the data with a strong encryption algorithm such as AES or RSA. To further reduce security risks, the keys are stored separately from the encrypted data, so that the keys and the data cannot be leaked together.
Finally, in enforcing the security policy, the system implements a mechanism for updating keys periodically, which reduces the risk of a key being compromised. At the same time, the system enforces a strict access control policy to ensure that only authorized users can access sensitive data.
In this embodiment, the transmitted data includes one or more of text, image, video and audio; each modality corresponds to a unique identifier, the format specification for transmitting each modality is defined, and further custom data types can be added according to actual requirements. Each data type has a unique identifier so that it can be correctly identified and processed during transmission. An operator can define custom multi-modal data types to meet the needs of different application scenarios.
In this embodiment, each modality is packed into a unified data packet according to the format specification defined for that modality. The various data types are packed into a unified data packet containing fields such as the data type identifier, the data length and the data content, so that the receiving end can parse the data accurately. During packing, the data is packed in the specified format according to the definition of its data type.
For text data, the character string is packed directly as the data content; for binary data such as images, audio and video, the binary data is converted into a byte stream, and information such as the data type identifier and the data length is added so that the receiving end can parse it accurately.
The structure of the packet is designed as follows: during packing, each data packet carries the data type identifier, data length and data content fields. The data type identifier indicates the type of data so that the receiving end can parse it correctly, the data length field indicates the length of the data content so that the receiving end reads the correct number of bytes, and the data content field stores the actual data.
In this embodiment, both parties transmit data packets. For example, the sending end encrypts and transmits the data packet using the AES symmetric encryption algorithm, and the receiving end receives and decrypts it. If the data packet includes text and an image, the encrypted text data is aes_encrypted(plaintext_text, key) and the encrypted image data is aes_encrypted(plaintext_image, key), where plaintext_text and plaintext_image are the original unencrypted text and image data, respectively, and key is the key used for encryption.
In this embodiment, before the sending end sends the data packet, it calculates the hash value of the data of each modality and adds the hash value to the data packet. After the receiving end receives the data, it recalculates the hash value and compares it with the hash value in the data packet; if the two are identical, the data has not been tampered with, which ensures the integrity of the data.
For example, assume there are two modalities of data, text data and image data. The packet of the text data with its hash value added is:
data_type:text,data_length:20,data_content:"Hello,MDTP!",
and the packet of the image data with its hash value added is:
data_type:image,data_length:1024,data_content:<binary_image_data>.
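The packet layout of the preceding paragraphs (type identifier, length, content, per-modality hash) and the receive-side integrity check, as an added Go example that is not taken from the patent. The field widths (a one-byte identifier, a four-byte big-endian length, a SHA-256 digest after the content) and the identifier values are assumptions, since the description fixes the fields but not their encoding; the sample packet reuses the "Hello,MDTP!" text from the description together with a constructed 1024-byte stand-in image.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Modality is the unique identifier of one data type; the values are assumed.
type Modality byte

const (
	ModText  Modality = 1
	ModImage Modality = 2
	ModVideo Modality = 3
	ModAudio Modality = 4
)

// Record is one modality's entry in the unified packet.
type Record struct {
	Type    Modality
	Content []byte
}

// Assumed wire layout per record (the patent names the fields, not their widths):
//   1-byte type id | 4-byte big-endian length | content | 32-byte SHA-256 of content
const (
	headerSize = 1 + 4
	hashSize   = sha256.Size
)

// Pack serialises the records into one packet, appending each modality's hash
// (the sender-side step of the embodiment).
func Pack(records []Record) []byte {
	var buf bytes.Buffer
	for _, r := range records {
		var hdr [headerSize]byte
		hdr[0] = byte(r.Type)
		binary.BigEndian.PutUint32(hdr[1:], uint32(len(r.Content)))
		sum := sha256.Sum256(r.Content)
		buf.Write(hdr[:])
		buf.Write(r.Content)
		buf.Write(sum[:])
	}
	return buf.Bytes()
}

// Unpack parses a packet and recomputes every hash (the receiver-side step).
// The declared length is checked against the bytes that actually remain before
// any slicing, so a corrupted or crafted length field yields an error instead
// of an out-of-range read; a hash mismatch names the modality that was altered.
func Unpack(pkt []byte) ([]Record, error) {
	var out []Record
	for off := 0; off < len(pkt); {
		if len(pkt)-off < headerSize {
			return nil, errors.New("truncated record header")
		}
		typ := Modality(pkt[off])
		n := int(binary.BigEndian.Uint32(pkt[off+1 : off+headerSize]))
		off += headerSize
		if n < 0 || len(pkt)-off < n+hashSize {
			return nil, fmt.Errorf("modality %d: declared length %d exceeds packet", typ, n)
		}
		content := pkt[off : off+n]
		want := pkt[off+n : off+n+hashSize]
		got := sha256.Sum256(content)
		if !bytes.Equal(got[:], want) {
			return nil, fmt.Errorf("modality %d: hash mismatch, data tampered", typ)
		}
		out = append(out, Record{Type: typ, Content: append([]byte(nil), content...)})
		off += n + hashSize
	}
	return out, nil
}

func main() {
	// Constructed sample: the description's text plus a 1024-byte stand-in image.
	pkt := Pack([]Record{
		{ModText, []byte("Hello,MDTP!")},
		{ModImage, bytes.Repeat([]byte{0xAB}, 1024)},
	})
	recs, err := Unpack(pkt)
	fmt.Printf("%d bytes, %d records, err=%v\n", len(pkt), len(recs), err)
	pkt[headerSize+3] ^= 0xFF // flip one byte of the text content
	_, err = Unpack(pkt)
	fmt.Println("after tampering:", err)
}
```

An unkeyed hash of this kind detects accidental corruption and any change made without recomputing the digest; against an adversary who can rewrite both content and hash it relies on the encryption and signature authentication the embodiment also requires for every packet, which is why those steps precede transmission in claim 1.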
In this embodiment, the video signal server communicates with the Programmable Logic Controller (PLC) of each port machine using Modbus RTU. The video signal server and the programmable logic controllers share a data interface table, and the two sides exchange data through the registers defined in that table. The video signal server sends data requests to the programmable logic controllers at a collection frequency of 5 times per second, and each programmable logic controller writes its data to the preset registers after receiving a request. After the video signal server reads the key information of each port machine from each programmable logic controller, part of that information is converted, encrypted and placed in a buffer queue on the server; the IP address and port number of the video host corresponding to each console are looked up in that console's communication queue, and the data is sent over UDP to the video host of each console.
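The Modbus RTU exchange between the video signal server and a PLC, as an added Go example that is not part of the patent: it frames a read-holding-registers request and validates a reply's CRC-16, unit id, function code and byte-count field before extracting register values. The unit id, register address and count are assumed values, since the data interface table is not reproduced in the description; BuildReadResponse exists only so the example can construct a PLC reply offline, and the request bytes shown are the standard Modbus frame for reading one register at address 0 from unit 1.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const fnReadHoldingRegisters = 0x03

// crc16Modbus is the Modbus RTU CRC-16 (reflected polynomial 0xA001, initial
// value 0xFFFF); the frame carries it low byte first.
func crc16Modbus(data []byte) uint16 {
	crc := uint16(0xFFFF)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 == 1 {
				crc = (crc >> 1) ^ 0xA001
			} else {
				crc >>= 1
			}
		}
	}
	return crc
}

func appendCRC(frame []byte) []byte {
	crc := crc16Modbus(frame)
	return append(frame, byte(crc), byte(crc>>8))
}

// BuildReadRequest frames a function 03 request for count holding registers
// starting at addr on the PLC with the given unit id; the server issues such
// requests for the registers of the data interface table five times a second.
func BuildReadRequest(unit byte, addr, count uint16) []byte {
	f := []byte{unit, fnReadHoldingRegisters, byte(addr >> 8), byte(addr), byte(count >> 8), byte(count)}
	return appendCRC(f)
}

// BuildReadResponse frames the PLC's reply; it exists here only so that the
// example can construct frames without a real PLC.
func BuildReadResponse(unit byte, regs []uint16) []byte {
	f := []byte{unit, fnReadHoldingRegisters, byte(2 * len(regs))}
	for _, r := range regs {
		f = append(f, byte(r>>8), byte(r))
	}
	return appendCRC(f)
}

// ParseReadResponse validates a function 03 reply before using it: CRC first,
// then unit id and function code, then the byte-count field against both the
// frame length and the number of registers that were requested. A Modbus
// exception reply (function code with bit 7 set) is reported, not parsed.
func ParseReadResponse(frame []byte, unit byte, count uint16) ([]uint16, error) {
	if len(frame) < 5 {
		return nil, errors.New("frame too short")
	}
	body := frame[:len(frame)-2]
	if crc16Modbus(body) != binary.LittleEndian.Uint16(frame[len(frame)-2:]) {
		return nil, errors.New("CRC mismatch: frame corrupted")
	}
	if body[0] != unit {
		return nil, fmt.Errorf("reply from unit %d, expected unit %d", body[0], unit)
	}
	switch body[1] {
	case fnReadHoldingRegisters | 0x80:
		return nil, fmt.Errorf("PLC returned exception code 0x%02x", body[2])
	case fnReadHoldingRegisters:
	default:
		return nil, fmt.Errorf("unexpected function code 0x%02x", body[1])
	}
	n := int(body[2])
	if n != 2*int(count) || len(body) != 3+n {
		return nil, fmt.Errorf("byte count %d does not match %d registers or frame length %d", n, count, len(frame))
	}
	regs := make([]uint16, count)
	for i := range regs {
		regs[i] = binary.BigEndian.Uint16(body[3+2*i:])
	}
	return regs, nil
}

func main() {
	req := BuildReadRequest(1, 0, 1) // unit 1, register 0, one register: assumed values
	fmt.Printf("request % x\n", req)
	resp := BuildReadResponse(1, []uint16{0x0102}) // constructed PLC reply
	regs, err := ParseReadResponse(resp, 1, 1)
	fmt.Println("registers", regs, "err", err)
}
```

Modbus RTU carries no authentication or encryption of its own: the CRC catches corruption on the serial line but says nothing about who produced the frame, which is why the embodiment encrypts and signs the collected data only once it is on the server. A collector polling at 5 Hz should log exception replies and length mismatches as events rather than silently retrying them.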
The technical scheme has the following beneficial effects:
Through the steps of data type definition, data packaging, data transmission and verification, the method ensures the security of data transmission in a complex port environment. In particular, the signature authentication step effectively prevents data from being tampered with or stolen in transit, thereby safeguarding the information security of port operations.
By optimizing the data transmission protocol and transmission mode, the efficiency and stability of data transmission are improved. Port operations can be carried out more efficiently, operational delays or interruptions caused by data transmission problems are reduced, and the overall operational efficiency of the port is further improved.
The application of this data transmission method provides strong technical support for the informatization of ports. By improving the security and efficiency of data transmission, it advances port informatization and provides an important guarantee for the modern management of ports.
Before the components communicate, authentication is required to ensure that the source of the data communication is reliable. Authentication uses digital signatures, the data communication is encrypted, and the encryption uses either symmetric or asymmetric encryption. The main body component also uses digital signature authentication, and the related data is likewise encrypted.
This embodiment also provides a storage medium storing a computer program which, when executed, performs the system component communication method applied to port network security according to any one of the above embodiments.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, elements defined by the phrases "including" or "comprising" do not exclude the presence of additional elements in a process, method, article, or terminal device that includes the elements. In addition, herein, "greater than", "less than", "exceeding" and the like are understood to exclude the present number, and "above", "below", "within" and the like are understood to include the present number.
While the embodiments have been described above, other variations and modifications will occur to those skilled in the art once the basic inventive concepts are known, and it is therefore intended that the foregoing description and drawings illustrate only embodiments of the invention and not limit the scope of the invention, and it is therefore intended that the invention not be limited to the specific embodiments described, but that the invention may be practiced with their equivalent structures or with their equivalent processes or with their use directly or indirectly in other related fields.

Claims (6)

1.一种应用于港口网络安全的系统组件通信方法,其特征在于,包括如下步骤:1. A system component communication method for port network security, characterized in that it includes the following steps: 证书授权中心的建立:组件包括港机PLC、视频信号服务器、视频主机、控制台,选定组件中的一者作为证书授权中心;Establishment of a certificate authority: The components include port machinery PLC, video signal server, video host, and console. One of the components is selected as the certificate authority; 证书签名请求的创建和提交:请求的组件生成各自的密钥对,每个请求的组件使用各自密钥对的私钥创建一个证书签名请求,并将其发送至证书授权中心,证书签名包含该组件的密钥对的公钥和组件的标识信息;Creation and submission of certificate signing request: The requesting components generate their own key pairs. Each requesting component uses the private key of its own key pair to create a certificate signing request and sends it to the certificate authority. The certificate signature contains the public key of the key pair of the component and the identification information of the component. 身份验证和证书签名请求的审查:证书授权中心接收请求的组件发送的证书签名请求,验证请求的组件的身份,并审查证书签名请求,判断该请求的组件密钥对的公钥是否被篡改,若否,则该请求的组件通过验证;Identity verification and certificate signing request review: The certificate authority receives the certificate signing request sent by the requested component, verifies the identity of the requested component, and reviews the certificate signing request to determine whether the public key of the requested component key pair has been tampered with. 
If not, the requested component passes the verification; 证书的生成:证书授权中心使用请求的组件密钥对的公钥,结合该请求的组件的标识信息,创建数字证书,证书授权中心使用私钥对数字证书进行数字签名;Certificate generation: The certificate authority uses the public key of the requested component key pair, combined with the identification information of the requested component, to create a digital certificate, and the certificate authority uses the private key to digitally sign the digital certificate; 证书的分发:证书授权中心将签名后的数字证书发送给请求的组件,请求的组件安装签发的数字证书;Certificate distribution: The certificate authority sends the signed digital certificate to the requesting component, and the requesting component installs the issued digital certificate; 数据传输:判断待通信的组件双方携带的数字证书是否有效,若是,则进行通信,若否,则拒绝通信;判断传输的信息的敏感度是否大于阈值,若是,则采用非对称加密的方式通信,将敏感度大于阈值的信息加密并储存,若否,则采用对称加密的方式通信;Data transmission: Determine whether the digital certificates carried by both components to be communicated are valid. If so, communication is carried out; if not, communication is rejected; determine whether the sensitivity of the transmitted information is greater than the threshold. If so, asymmetric encryption is used to communicate, and the information with sensitivity greater than the threshold is encrypted and stored. 
If not, symmetric encryption is used to communicate;
In the step of "encrypting and storing information with a sensitivity greater than a threshold value", the following steps are also included:
the trusted platform module generates an encryption key, and information with a sensitivity greater than the threshold value is encrypted with the encryption key generated by the trusted platform module and stored;
In the case of "communication in an asymmetric encryption manner", the key management method for asymmetric encryption includes:
a key pair is created by a random number generator, the certificate authority obtains the public key of the key pair, and the hardware security module encrypts, stores and backs up the private key of the key pair;
Before data transmission, the following steps are also included:
Definition of modality: the modality of the transmitted data includes one or more of text, image, video and audio; each modality corresponds to a unique identifier, and the format specification for transmitting each modality is defined;
Data packaging: each modality is packaged into a unified data packet according to the format specification defined for that modality;
Before data transmission, the sender and the receiver perform signature authentication in advance; the sender encrypts and transmits the data packet, and the receiver receives and decrypts the data packet;
wherein, before the sender sends the data packet, the hash value of the data of each modality is calculated and attached to the data packet; after the receiver receives the data, the hash value is recalculated and compared with the hash value in the data packet; if the recalculated hash value is the same as the hash value in the data packet, the data has not been tampered with, thereby ensuring the integrity of the data.
2. The communication method according to claim 1, characterized in that, in the step of "determining whether the digital certificates carried by both components to be communicated are valid", the following steps are also included:
Exchanging digital certificates: the two components to be communicated exchange their respective digital certificates;
Verifying the certificate signature: the public key of the certificate authority is obtained from a trusted certificate store, and that public key is used to verify the signature of the other party's digital certificate;
Checking the certificate validity period: determine whether the digital certificate of the component to be communicated is within its validity period; if so, the digital certificate is valid and the corresponding components may communicate; if not, the digital certificate is invalid and the corresponding components may not communicate.
3. The communication method according to claim 2, characterized in that after "checking the certificate validity period", the following step is also included:
Checking the certificate revocation status: obtain the certificate revocation list of the certificate authority and determine whether the digital certificate of the component to be communicated is on the certificate revocation list; if not, the digital certificate is valid and the corresponding components may communicate; if so, the digital certificate is invalid and the corresponding components may not communicate.
4. The communication method according to claim 1, characterized in that the information with a sensitivity greater than the threshold value includes user account passwords, personal identity information and financial records.
5. The communication method according to claim 1, characterized in that it further includes the following step:
the trusted platform module periodically replaces the encryption key.
6. A storage medium storing a computer program, characterized in that, when the computer program is run, it executes the system component communication method applied to port network security according to any one of claims 1 to 5.
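As an added example (not code from the patent or its applicant), the per-modality packaging and hash check of claim 1 together with the validity-period and revocation-list checks of claims 2 and 3. The modality identifiers, certificate record layout and payloads are constructed for the example; the CA-signature verification step is assumed to have been done beforehand by a PKI library and is not shown.

```python
import hashlib
import json
import time

# Constructed modality identifiers; the claim only requires one unique id per modality.
MODALITY_IDS = {"text": 1, "image": 2, "video": 3, "audio": 4}


def pack(modalities):
    """Sender side: pack {modality_name: bytes} into one packet, attaching a
    SHA-256 hash per modality. The packet is then signed/encrypted by the
    transport as the claim requires; a bare hash alone does not stop an active
    attacker who can rewrite both the payload and its hash."""
    parts = [{"modality_id": MODALITY_IDS[name],
              "data": payload.hex(),
              "sha256": hashlib.sha256(payload).hexdigest()}
             for name, payload in modalities.items()]
    return json.dumps({"parts": parts}).encode()


def verify_packet(packet):
    """Receiver side: recompute each hash; return (ok, names of tampered modalities)."""
    id_to_name = {v: k for k, v in MODALITY_IDS.items()}
    tampered = []
    for part in json.loads(packet)["parts"]:
        payload = bytes.fromhex(part["data"])
        if hashlib.sha256(payload).hexdigest() != part["sha256"]:
            tampered.append(id_to_name[part["modality_id"]])
    return (not tampered, tampered)


def certificate_usable(cert, crl_serials, now=None):
    """Claims 2 and 3: validity-period check, then CRL check. The CA-signature
    check that precedes these is assumed done by a PKI library (not shown).
    cert is a constructed record {"serial", "not_before", "not_after"} in epoch seconds."""
    now = time.time() if now is None else now
    if not cert["not_before"] <= now <= cert["not_after"]:
        return (False, "outside validity period")
    if cert["serial"] in crl_serials:
        return (False, "revoked")
    return (True, "valid")


if __name__ == "__main__":
    pkt = pack({"text": b"berth 7 clear", "image": b"\x89PNG\r\n\x1a\n"})
    print(verify_packet(pkt))  # (True, [])
    # Simulate in-transit tampering of the text modality (hash is left unchanged).
    bad = pkt.replace(b"berth 7 clear".hex().encode(), b"berth 8 clear".hex().encode())
    print(verify_packet(bad))  # (False, ['text'])
```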
CN202410686297.5A 2024-05-30 2024-05-30 System component communication method and storage medium applied to port network security Active CN118540135B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410686297.5A CN118540135B (en) 2024-05-30 2024-05-30 System component communication method and storage medium applied to port network security

Publications (2)

Publication Number Publication Date
CN118540135A CN118540135A (en) 2024-08-23
CN118540135B true CN118540135B (en) 2025-03-04

Family

ID=92386103

Country Status (1)

Country Link
CN (1) CN118540135B (en)

Also Published As

Publication number Publication date
CN118540135A (en) 2024-08-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant