阅读说明：本技术 一种列车的phm主机及其加密方法 (PHM host of train and encryption method thereof ) 是由 张元庆 王志刚 高广恩 康强 于 2021-07-30 设计创作，主要内容包括：本发明提供了一种列车的PHM主机,PHM主机包括内端机、外端机和物理网闸；内端机用于接收列车的以太网的数据,外端机用于将列车网络中的数据传递给地面服务器,内端机的数据报文通过协议到达物理网闸,物理网闸接收到正确的数据报文后,进行处理,之后,通过协议摆渡至外端机,外端机接收到物理网闸的数据报文。本发明的内端机、外端机和物理网闸之间的数据单向性传输,从而大大的提高了数据流向的安全性；另外本发明内端机、外端机和物理网闸内设计了复杂的加密算法,以确保数据流的安全性,使得数据内容不易被破解、修改等；而且内端机、物理网闸、外端机之间传输的报文使用了“流加密算法”以实现具体功能,还能确保数据内容的安全性。(The invention provides a PHM (physical power management) host of a train, which comprises an inner end machine, an outer end machine and a physical network brake; the inner terminal machine is used for receiving Ethernet data of the train, the outer terminal machine is used for transmitting the data in the train network to the ground server, the data message of the inner terminal machine reaches the physical network brake through a protocol, the physical network brake processes the data message after receiving the correct data message, then the data message is ferred to the outer terminal machine through the protocol, and the outer terminal machine receives the data message of the physical network brake. The unidirectional data transmission among the internal terminal, the external terminal and the physical gatekeeper greatly improves the safety of data flow direction; in addition, complex encryption algorithms are designed in the internal terminal machine, the external terminal machine and the physical gatekeeper, so that the safety of data flow is ensured, and the data content is not easy to crack, modify and the like; and the message transmitted among the internal terminal, the physical network gate and the external terminal uses a 'stream encryption algorithm' to realize specific functions, and the security of data content can be ensured.)

1. The utility model provides a PHM host computer of train which characterized in that: the PHM host comprises an inner end machine, an outer end machine and a physical network gate; the train monitoring system comprises an inner terminal machine, an outer terminal machine and a physical network brake, wherein the inner terminal machine is used for receiving data of an Ethernet of a train, the outer terminal machine is used for transmitting the data in a train network to a ground server, a data message of the inner terminal machine reaches the physical network brake through a protocol, the physical network brake processes the data message after receiving the correct data message, then the data message is ferred to the outer terminal machine through the protocol, and the outer terminal machine receives the data message of the physical network brake.

2. The PHM master of a train as claimed in claim 1, wherein: and the internal terminal, the FPGA physical gateway and the external terminal are respectively provided with an encryption algorithm.

3. The PHM master of a train as claimed in claim 1, wherein: and a stream encryption algorithm is set in the data messages among the internal terminal, the FPGA physical gateway and the external terminal.

4. An encryption method for a PHM host of a train is characterized in that: comprises the following steps of (a) carrying out,

the inner terminal machine uses the inner terminal machine MAC and the fixed sequence A to select an encryption algorithm and seed information, encrypts a text and sends a message to a physical gatekeeper;

after receiving the message, the physical gateway identifies an encryption algorithm and seed information according to a message source MAC and a fixed sequence A, and decrypts the message;

the physical network gate selects a new encryption algorithm and seed information by using the MAC and the fixed sequence B of the physical network gate, re-encrypts the decrypted message and sends the message to the external terminal;

and after receiving the message, the external terminal identifies the encryption algorithm and the seed information according to the message source MAC and the fixed sequence B, and decrypts the message.

5. The encryption method of the PHM host of the train according to claim 4, wherein: the internal end machine, the physical network gate and the external end machine use AES-256 encryption keys and carry out algorithm processing twice before use.

6. The encryption method of the PHM host of the train according to claim 4, wherein: the encryption algorithm of the message and the seed value thereof can be changed.

7. The encryption method of the PHM host of the train according to claim 4, wherein: the body portion has a secure CRC32 check process.

8. The encryption method of the PHM master of the train according to claim 7, wherein: and when the physical gatekeeper identifies the encryption algorithm abnormity or the CRC32 abnormity, the message can be directly discarded without transiting.

Technical Field

The invention relates to the field of PHM of trains, in particular to a PHM host of a train and an encryption method thereof.

Background

PHM (Prognostics and Health Management) of trains is the development direction of future train operation support. The PHM carries out targeted and predictive maintenance according to the monitoring and analysis of the current running situation of the train, and pre-judges the occurrence time of the fault in advance without waiting for the real occurrence of the fault and then carrying out post maintenance. The predictive maintenance can reduce the maintenance cost, reduce the maintenance time, improve the efficiency of train operation and simultaneously avoid major malignant accidents. In view of the data volume of the existing motor train units and in view of long-term development and planning, the PHM system of the motor train unit should be constructed in a big data mode so as to improve the real-time performance and convenience of monitoring of each train of the railway.

However, the PHM physical gatekeeper in the prior art has low data unidirectionality and data security, and cannot meet the use requirements of the existing train.

Disclosure of Invention

The invention aims to provide a PHM host and an encryption method thereof, which can ensure the data unidirectionality and data security of a PHM physical network brake and can meet the requirements of the existing train.

In order to achieve the above purpose, the invention provides the following technical scheme:

a PHM host of a train comprises an inner end machine, an outer end machine and a physical network brake; the train monitoring system comprises an inner terminal machine, an outer terminal machine and a physical network brake, wherein the inner terminal machine is used for receiving data of an Ethernet of a train, the outer terminal machine is used for transmitting the data in a train network to a ground server, a data message of the inner terminal machine reaches the physical network brake through a protocol, the physical network brake processes the data message after receiving the correct data message, then the data message is ferred to the outer terminal machine through the protocol, and the outer terminal machine receives the data message of the physical network brake.

Furthermore, the internal terminal, the FPGA physical gatekeeper and the external terminal are respectively provided with an encryption algorithm.

Furthermore, a stream encryption algorithm is set in the data messages among the internal terminal, the FPGA physical gatekeeper and the external terminal.

An encryption method of a PHM host of a train comprises the following steps,

the inner terminal machine uses the inner terminal machine MAC and the fixed sequence A to select an encryption algorithm and seed information, encrypts a text and sends a message to a physical gatekeeper;

after receiving the message, the physical gateway identifies an encryption algorithm and seed information according to a message source MAC and a fixed sequence A, and decrypts the message;

the physical network gate selects a new encryption algorithm and seed information by using the MAC and the fixed sequence B of the physical network gate, re-encrypts the decrypted message and sends the message to the external terminal;

and after receiving the message, the external terminal identifies the encryption algorithm and the seed information according to the message source MAC and the fixed sequence B, and decrypts the message.

Furthermore, the internal end machine, the physical gatekeeper and the external end machine use AES-256 encryption keys and perform algorithm processing twice before use.

Furthermore, the encryption algorithm of the message and the seed value thereof can be changed.

Further, the body part has a secure CRC32 check process.

Further, the physical gatekeeper identifies that the encryption algorithm is abnormal or the CRC32 is abnormal, so that the message can be directly discarded without transiting.

The invention has the beneficial effects that:

the unidirectional data transmission among the internal terminal, the external terminal and the physical gatekeeper greatly improves the safety of data flow direction; in addition, complex encryption algorithms are designed in the internal terminal machine, the external terminal machine and the physical gatekeeper, so that the safety of data flow is ensured, and the data content is not easy to crack, modify and the like; and the message transmitted among the internal terminal, the physical network gate and the external terminal uses a 'stream encryption algorithm' to realize specific functions, and the security of data content can be ensured.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.

Fig. 1 is a block schematic diagram of the present invention.

The attached drawings indicate the following:

1. a PHM host; 2. an inner end machine; 3. an outer end machine; 4. a physical gatekeeper;

Detailed Description

In order that those skilled in the art will better understand the technical solutions of the present invention, the following detailed description of the present invention is provided in conjunction with the accompanying drawings and the specific embodiments.

As shown in fig. 1, a PHM master 1 of a train, the PHM master 1 includes an internal terminal 2, an external terminal 3 and a physical gatekeeper 4, and the physical gatekeeper 4 may be an FPGA physical gatekeeper 4; the inner terminal machine 2 is used for receiving TRDP of the Ethernet of the train and other relevant data, the outer terminal machine 3 is used for transmitting the data in the train network to the ground server, the data message of the inner terminal machine 2 reaches the physical network brake 4 through a protocol, the physical network brake 4 processes the data message after receiving the correct data message, and then the data message is ferred to the outer terminal machine 3 through the protocol, and the outer terminal machine 3 receives the data message of the physical network brake 4.

The data unidirectional transmission among the internal terminal 2, the external terminal 3 and the physical gatekeeper 4 greatly improves the safety of data flow direction; in addition, complex encryption algorithms are designed in the internal terminal 2, the external terminal 3 and the physical gatekeeper 4 to ensure the safety of data flow, so that the data content is not easy to crack, modify and the like; and the messages transmitted among the internal terminal 2, the physical gatekeeper 4 and the external terminal 3 use a 'stream encryption algorithm' to realize specific functions, and the security of data content can be ensured.

The data unidirectional transmission of the invention comprises the following steps: the data message of the internal terminal 2 can only reach the physical gatekeeper 4 through a specific protocol; and the physical gateway 4 receives the correct message and processes the message. Then ferrying to the external terminal 3 through a specific protocol; the external terminal 3 can only receive the ferry message of the physical gatekeeper 4 and cannot see the original message of the internal terminal 2; the physical network gate 4 can not ferry the message of the external terminal 3 to the internal terminal 2, so that the unidirectional property of the data can be ensured;

the data content security of the invention is ensured, the inner terminal machine 2, the physical network gate 4 and the outer terminal machine 3 are designed with complex encryption algorithm to ensure the security of data flow, so that the data content is not easy to crack, modify and the like; in addition, messages among the internal terminal machine 2, the physical gatekeeper 4 and the external terminal machine 3 use a 'stream encryption algorithm' to realize specific functions;

an encryption method of a PHM host 1 of a train,

message format: the message is in UDP format and consists of 2 parts, namely an encryption algorithm header and an encryption text.

The encryption algorithm header contains the following information:

1. a type of text encryption algorithm;

2. a seed of a text encryption algorithm;

3. the initial value of CRC32 for text integrity verification; (the last 4 bytes of the body are the CRC32 value after taking the initial value of CRC32 here and calculating the decrypted UDP body part)

4. In order to avoid the head of the encryption algorithm from being easily cracked, the head content is encrypted by AES-256. The AES-256 encrypted key is 'source MAC address + fixed sequence A';

the encryption calculation process comprises the following steps: and calculating a random sequence for encrypting the text according to the encryption algorithm type in the encryption algorithm header and the seed information of the algorithm, and encrypting the text content.

The inter-device encryption processing procedure comprises

The internal terminal machine 2 uses the MAC of the internal terminal machine 2 and the fixed sequence A to select an encryption algorithm and seed information, encrypts a message and sends the message to the physical gatekeeper 4;

after receiving the message, the physical gateway 4 identifies an encryption algorithm and seed information according to the message source MAC and the fixed sequence A, and decrypts the message;

the physical gateway 4 selects a new encryption algorithm and seed information by using the MAC and the fixed sequence B of the physical gateway 4, re-encrypts the decrypted message and sends the decrypted message to the external terminal 3;

after receiving the message, the external terminal 3 identifies the encryption algorithm and the seed information according to the message source MAC and the fixed sequence B, and decrypts the message.

After the PHM host 1 of the train is encrypted by the encryption method, the data security is greatly improved for the following reasons:

1) AES-256 encryption keys used by the internal terminal 2, the FPGA physical gatekeeper 4 and the external terminal 3 are not public, algorithm processing is carried out twice before use, and analysis and reverse pushing cannot be carried out on messages captured by a network;

2) the encryption algorithm and the seed value of each message can be changed, and the messages cannot be decrypted by using a fixed random sequence;

3) the safe CRC32 checking processing exists in the text part, and the text content is ensured not to be tampered;

4) if the gatekeeper identifies that the encryption algorithm is abnormal or the CRC32 is abnormal, the message can be directly discarded without transiting, so as to avoid influencing the safety.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.