Disclosure of Invention
According to the technical characteristics and security requirements of existing video monitoring terminals, an encrypted communication channel based on the domestic cryptographic algorithms is established, and finally a complete domestic-cryptography application system for the video monitoring terminal is realized, so that the security and reliability of the video monitoring system are greatly enhanced.
The invention relates to a domestic cryptographic application system of a video monitoring terminal, which comprises the following components:
the router: used for building the local area network environment and connecting the camera;
the network camera: used for shooting video data; it is added to the local area network built by the router by configuring an IP address, and it is connected to the web server;
a Web server: one of NGINX, Apache and IIS; its proxy forwarding function is used to access the camera by proxy, to encrypt and transmit the video data shot by the camera, and to forward that data to the client;
a client: accesses the web server using a browser and establishes a secure communication channel with the web server for transmitting the video data;
the encrypted communication channel: based on an openssl library, the domestic cryptographic algorithms SM2, SM3 and SM4, a static link library supporting SM2 domestic digital certificates, and an encrypted transmission protocol based on the SM2 certificate are realized; the static link library is then configured on the web server and used by the web server proxy, completing the establishment of an encrypted communication channel supporting the domestic cryptographic algorithms.
The invention also provides a domestic cryptographic application method of the video monitoring terminal, which comprises the following steps:
S1: using the three cryptographic algorithms SM2 (elliptic curve public key cryptography), SM3 (cryptographic hash) and SM4 (symmetric block cipher) to realize a cipher suite and an encrypted transmission protocol, then configuring the cipher suite and the encrypted transmission protocol on the web server, and building an encrypted communication channel supporting the domestic cryptographic algorithms;
S2: after receiving the real-time data transmitted by the camera, encrypting the shot video data, transmitting it through the encrypted communication channel and uploading it to the server;
S3: establishing a secure communication channel with the web server by using the browser to access the web server and the video data.
For example, in an embodiment of the present invention, step S1 of the method for applying domestic cryptography to a video monitoring terminal includes:
S11: connecting the camera to the router and performing IP configuration so that the camera and the server are in the same local area network;
S12: installing a docker container web_server on the server to complete the configuration of the compilation environment;
S13: extending the openssl library and compiling it to generate the static link library files, namely the protocol library (libssl.a) and the cryptographic algorithm library (libcrypto.a), and putting these two static library files together with an include folder containing the necessary header files into a gmssl folder, which completes the encryption part of the whole system;
S14: configuring the two static library files and the header files into the web server, and building a web server supporting the domestic cryptographic algorithms;
S15: completing, through the handshake layer protocol, the authentication of the client and the server and the selection of the related parameters to be used in communication, thereby establishing the encrypted communication channel; the handshake protocol procedure includes: exchanging hello messages to negotiate a cipher suite; exchanging the parameters needed to negotiate a master key; exchanging certificates to verify the identity of the other party; and providing the security parameters for the subsequent communication to the record layer;
S16: the record layer protocol encapsulates the data handed down from the upper layer, then passes the encapsulated packets to the TCP layer protocol, and finally completes the end-to-end secure transmission of the video data on the underlying transport layer.
For example, in an embodiment of the present invention, step S3 of the method for applying domestic cryptography to a video monitoring terminal includes:
S31: the client sends a Client Hello message to the server; the Client Hello message carries the client's information, including the list of cipher suites supported by the client;
S32: the server sends an acknowledgement to the client confirming receipt of the client's message, and then sends its own Hello message to the client, carrying the server's information, which includes the cipher suite selected by the server from the list provided by the client for use in the subsequent communication;
S33: the client sends an acknowledgement to the server confirming receipt of the server's message;
S34: the server sends an acknowledgement to the client confirming receipt of the client's message, and then sends its certificate, its key material and the handshake-finished information to the client;
S35: the client sends an acknowledgement to the server confirming receipt of the server's message, and then sends information such as the client's master key to the server;
S36: the server sends an acknowledgement to the client confirming receipt of the client's message, and then sends encrypted data to the client for data transmission.
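The exchange in steps S31 to S36 (and the handshake layer of step S15) can be modelled with both sides' messages. The following Python script is an added example and not code from the patent: the client offers its cipher-suite list, the server picks the first suite in its own preference order that the client also offered, sends a certificate, and both sides derive the same master key from the client's pre-master secret and the two randoms; a missing common suite or an untrusted certificate aborts with an alert. The suite names are TLCP-style labels, the identity string "cam-proxy-sm2" stands in for the SM2 certificate, and HMAC-SHA256 stands in for the SM3-based key derivation because hashlib does not expose SM3 portably; the pre-master is handed over in the clear here, whereas the real protocol encrypts it to the server's SM2 certificate.

```python
"""Added example (not from the patent): a model of the handshake-layer
message sequence in steps S31-S36 with both sides' state.

Stand-ins: suite names are labels, the certificate is an identity string
checked against a trust list, HMAC-SHA256 replaces the SM3-based PRF, and
the pre-master secret is passed in the clear.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ClientHello:
    client_random: bytes
    cipher_suites: List[str]        # client's order of preference


@dataclass
class ServerHello:
    server_random: bytes
    cipher_suite: str               # the single suite chosen for the session


class HandshakeError(Exception):
    """Raised where the real protocol would send an alert and abort."""


def derive_master(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in PRF: binds both randoms, as the SM3-based derivation does."""
    return hmac.new(pre_master, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()


class Server:
    def __init__(self, preferences: List[str], identity: str):
        self.preferences = preferences   # most preferred first
        self.identity = identity         # stands in for the SM2 certificate

    def hello(self, ch: ClientHello) -> ServerHello:
        """S32: choose a suite; server preference order wins over the client's."""
        for suite in self.preferences:
            if suite in ch.cipher_suites:
                self.client_random = ch.client_random
                self.server_random = os.urandom(32)
                return ServerHello(self.server_random, suite)
        raise HandshakeError("no common cipher suite")

    def certificate(self) -> str:
        """S34: the certificate message (identity string here)."""
        return self.identity

    def key_exchange(self, pre_master: bytes) -> None:
        """S35 received: derive the session master key."""
        self.master = derive_master(pre_master, self.client_random, self.server_random)


class Client:
    def __init__(self, cipher_suites: List[str], trusted: List[str]):
        self.cipher_suites = cipher_suites
        self.trusted = trusted

    def hello(self) -> ClientHello:
        """S31: offer the supported suites with a fresh random."""
        self.client_random = os.urandom(32)
        return ClientHello(self.client_random, list(self.cipher_suites))

    def accept(self, sh: ServerHello, cert: str) -> bytes:
        """Check the server's choice and certificate, then produce the pre-master."""
        if sh.cipher_suite not in self.cipher_suites:
            raise HandshakeError("server chose a suite the client did not offer")
        if cert not in self.trusted:
            raise HandshakeError("untrusted server certificate")
        pre_master = os.urandom(48)
        self.master = derive_master(pre_master, self.client_random, sh.server_random)
        return pre_master


def run_handshake(client: Client, server: Server) -> Tuple[str, bool]:
    """Drive the sequence; returns (negotiated suite, both sides hold the same key)."""
    ch = client.hello()                  # S31
    sh = server.hello(ch)                # S32
    cert = server.certificate()          # S34
    pre = client.accept(sh, cert)        # S35
    server.key_exchange(pre)
    return sh.cipher_suite, client.master == server.master


def try_handshake(client: Client, server: Server) -> str:
    """Negotiated suite on success, otherwise the alert reason."""
    try:
        suite, agreed = run_handshake(client, server)
        return suite if agreed else "alert: key mismatch"
    except HandshakeError as exc:
        return f"alert: {exc}"


if __name__ == "__main__":
    # Constructed sample: suite names are labels, "cam-proxy-sm2" a made-up identity
    server = Server(["ECDHE_SM4_GCM_SM3", "ECC_SM4_CBC_SM3"], "cam-proxy-sm2")
    print(try_handshake(Client(["ECC_SM4_CBC_SM3", "TLS_AES_128_GCM_SHA256"],
                               ["cam-proxy-sm2"]), server))
```

The server-side loop is the point to study: because the server walks its own preference list, a client that offers a non-domestic suite first still ends up on an SM suite whenever the server prefers one, and a client that offers only foreign suites is refused rather than downgraded.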
Compared with the prior art, the domestic cryptographic application method and system of the video monitoring terminal have the following advantage: domestic cryptography is adopted, so the security risk of a back door implanted through foreign cryptographic technology is effectively avoided, and the security of video monitoring technology in China is greatly improved.
The domestic cryptographic application method of the video terminal mainly solves the following problem: the domestic encryption algorithms are applied to the video monitoring system, filling the gap of domestic encryption algorithms in the field of video monitoring.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions of the embodiments will be described below with reference to the drawings. It is obvious that the described embodiments are some, but not all, embodiments of the present invention, and all other embodiments obtained by a person of ordinary skill in the art without creative effort on the basis of the described embodiments fall within the protection scope of the present invention.
In a traditional video monitoring terminal, a secure communication protocol and cryptographic algorithms designed abroad are introduced to ensure the security of video data transmission. However, in that solution we face the security risk of a "back door" embedded in foreign cryptographic technology, and cannot guarantee the reliability of some important systems and instruments.
Cryptographic technology is the key to solving information security problems and an important tool for realizing the secure transmission of video monitoring data. The domestic cryptographic algorithm application system of the video monitoring terminal provided by the embodiment of the invention builds the encrypted communication channel using domestic cryptography, thereby greatly improving the security of video monitoring technology in China.
As shown in fig. 1, the method for applying domestic cryptographic algorithms to a video monitoring terminal according to an embodiment of the present invention includes the following steps:
S1: configuring a web server and building an encrypted communication channel supporting the domestic cryptographic algorithms.
The method for configuring the web server comprises the following steps:
firstly, the camera is connected to the router and IP configuration is carried out so that the camera and the server are in the same local area network, and the firewall is configured according to the firewall state and rules of the server so that the firewall can listen for access requests from the client;
a docker tool is installed on the server, then the command docker run -di --name web_server --net host cdaa14a12dfc is executed at the terminal to generate the docker container web_server required by the system; the gcc tool, the C++ compiler and the kernel files are installed with the command yum -y install gcc-c++ kernel-devel, and the make tool is then installed with the command yum -y install autoconf make, which completes the configuration of the compilation environment;
the openssl library is extended, static compilation is configured with ./config -fPIC no-shared, compilation is performed with the make command, and after successful compilation the static library files required by the system, namely the protocol library (libssl.a) and the cryptographic algorithm library (libcrypto.a), are generated; the two static library files and an include folder containing the necessary header files are put into a gmssl folder, completing the encryption part of the whole system;
the above-mentioned encryption tool folder gmssl supporting the domestic cryptographic algorithms is copied to the /usr/local directory, the web server source is copied to the system /root directory, and pcre-devel is installed with the command yum install pcre-devel;
as shown in fig. 2, the server installation is configured: the http module is disabled, the ssl module is enabled, the encrypted transmission protocol defined in the protocol library (libssl.a) is called, and the https scheme is used in the URLs;
the path of the openssl library files on which the NGINX ssl module depends is specified, namely the path of the aforementioned gmssl encryption tool folder supporting the domestic cryptographic algorithms;
the necessary include file path is specified, namely the path of the header files in the aforementioned gmssl encryption tool folder;
finally, compilation and installation are performed with the make install command, generating an NGINX folder under the /usr/local directory, which comprises four subfolders: the conf folder is the configuration folder and stores the configuration files; the html folder is the page folder and stores the default pages used in some test cases, such as the NGINX welcome page; the logs folder is the log folder and stores the error logs and other logs generated during operation; the sbin folder is the executable folder and contains only one executable file, nginx, used to start the NGINX server. This completes the installation of the web server supporting the domestic cryptographic algorithms;
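The web-server configuration produced by the steps above (http module disabled, ssl module enabled, proxy forwarding to the camera) can be checked mechanically before the server is reloaded. The following Python script is an added example and not code from the patent or from NGINX: it parses a minimal nginx.conf into directives and nested blocks, then flags a listener without the ssl flag, an ssl listener with no certificate or key, and a missing ssl_protocols directive, and notes a proxy_pass whose upstream hop to the camera is plain http. The certificate paths under /usr/local/gmssl/certs, the camera address 192.0.2.10 and the protocol name TLSv1.2 in the two sample configurations are constructed placeholders; the directive value that selects the domestic protocol depends on the patched library and is not taken from the patent.

```python
"""Added example (not from the patent): audit an NGINX reverse-proxy
configuration of the kind described above for weak settings.

Findings are prefixed "weak:" (should be fixed) or "info:" (worth knowing).
Paths, the camera address and the protocol name in the sample configs are
constructed placeholders.
"""
import re
from typing import List, Optional, Tuple

# A node is (name, args, children); children is None for a plain directive
Node = Tuple[str, List[str], Optional[list]]


def parse_nginx(text: str) -> List[Node]:
    """Tokenise on whitespace, ';', '{' and '}' after stripping '#' comments."""
    tokens = re.findall(r"[^\s;{}]+|[;{}]", re.sub(r"#.*", "", text))
    pos = 0

    def block() -> List[Node]:
        nonlocal pos
        nodes: List[Node] = []
        words: List[str] = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":                       # end of a plain directive
                nodes.append((words[0], words[1:], None))
                words = []
            elif tok == "{":                     # start of a nested block
                name, args = words[0], words[1:]
                words = []
                nodes.append((name, args, block()))
            elif tok == "}":
                return nodes
            else:
                words.append(tok)
        return nodes

    return block()


def find_blocks(nodes: List[Node], name: str) -> List[Node]:
    """All blocks called `name`, at any depth."""
    found = []
    for node in nodes:
        if node[2] is not None:
            if node[0] == name:
                found.append(node)
            found.extend(find_blocks(node[2], name))
    return found


def directives(block: Node, name: str) -> List[List[str]]:
    """Argument lists of every plain directive `name` directly inside `block`."""
    return [args for n, args, kids in block[2] if n == name and kids is None]


def audit_server(server: Node) -> List[str]:
    findings = []
    listens = directives(server, "listen")
    for args in listens:
        if "ssl" not in args:
            findings.append(f"weak: plaintext listener on {args[0]}")
        elif not (directives(server, "ssl_certificate")
                  and directives(server, "ssl_certificate_key")):
            findings.append(f"weak: ssl listener on {args[0]} without certificate/key")
    if any("ssl" in args for args in listens) and not directives(server, "ssl_protocols"):
        findings.append("weak: ssl_protocols not set, library default applies")
    for loc in find_blocks(server[2], "location"):
        for args in directives(loc, "proxy_pass"):
            if args[0].startswith("http://"):
                findings.append(f"info: upstream hop over plain http to {args[0]}")
    return findings


def audit(text: str) -> List[str]:
    return [f for srv in find_blocks(parse_nginx(text), "server") for f in audit_server(srv)]


def weak_findings(text: str) -> List[str]:
    return [f for f in audit(text) if f.startswith("weak:")]


# Constructed sample: the http module left enabled, camera proxied in the clear
WEAK_CONF = """
http {
    server {
        listen 80;
        location /camera/ { proxy_pass http://192.0.2.10:8080/; }
    }
}
"""

# Constructed sample: ssl listener with certificate, key and pinned protocol
HARDENED_CONF = """
http {
    server {
        listen 443 ssl;
        ssl_certificate     /usr/local/gmssl/certs/server_sm2.crt;  # placeholder path
        ssl_certificate_key /usr/local/gmssl/certs/server_sm2.key;
        ssl_protocols       TLSv1.2;   # placeholder: depends on the patched library
        location /camera/ { proxy_pass http://192.0.2.10:8080/; }
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

The "info" line on the hardened configuration is deliberate: the patent encrypts the hop between browser and web server, while the hop from the proxy to the camera stays plain http and relies on the local area network and the firewall rules described in the first step.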
the authentication of the client and the server and the selection of the related parameters to be used in communication are completed through the handshake layer protocol, thereby establishing the encrypted communication channel; the handshake protocol procedure includes: exchanging hello messages to negotiate a cipher suite; exchanging the parameters needed to negotiate a master key; exchanging certificates to verify the identity of the other party; and providing the security parameters for the subsequent communication to the record layer;
the record layer protocol encapsulates the data handed down from the upper layer, then passes the encapsulated packets to the TCP layer protocol, and finally completes the end-to-end secure transmission of the video data on the underlying transport layer.
S2: after the real-time data transmitted by the camera is received, the shot video data is encrypted and transmitted through the encrypted communication channel and uploaded to the server, and the proxy access function of the server is used to prepare for the subsequent client access.
The proxy access function of the server is realized as follows: the web server built by the system is restarted on the server with the nginx -s reload command, the relevant log debugging options are enabled in the configuration file, the log level is set to debug mode, and the log file is generated in the /usr/local/NGINX/logs directory;
the web server is accessed from the client with the 360 Secure Browser through port 443, and the web server encrypts the live data of the camera and forwards it to the client;
S3: establishing a secure communication channel with the web server by using the browser to access the web server and the video data.
The client sends a Client Hello message to the server; the Client Hello message carries the client's information, including the list of cipher suites supported by the client;
the server sends an acknowledgement to the client confirming receipt of the client's message, and then sends its own Hello message to the client, carrying the server's information, which includes the cipher suite selected by the server from the list provided by the client for use in the subsequent communication;
the client sends an acknowledgement to the server confirming receipt of the server's message;
the server sends an acknowledgement to the client confirming receipt of the client's message, and then sends its certificate, its key material and the handshake-finished information to the client;
the client sends an acknowledgement to the server confirming receipt of the server's message, and then sends information such as the client's master key to the server;
the server sends an acknowledgement to the client confirming receipt of the client's message, and then sends encrypted data to the client for data transmission.
As shown in fig. 3, the static library files, namely the protocol library (libssl.a) and the cryptographic algorithm library (libcrypto.a), support the domestic-cryptography transport protocol and the cipher suite required by the system. The encrypted transport protocol includes a handshake protocol, a change cipher spec protocol, an alert protocol, a gateway-to-gateway protocol and an underlying record layer protocol. The handshake layer protocol is responsible for completing the authentication of the client and the server and the selection of the relevant parameters to be used in communication; the change cipher spec protocol comes into play when the relevant parameters of the communication need to be changed and is responsible for notifying the other party of the new security parameters; the alert protocol ends the communication and issues warnings about problems that arise during communication; the gateway-to-gateway protocol is responsible for building a transmission channel between the gateway of the client and the gateway of the server; the record layer protocol is responsible for fragmenting the data to be sent, compressing and decompressing it, encrypting and decrypting it, and verifying its integrity.
As shown in fig. 4, the domestic cryptographic algorithm application system of the video monitoring terminal provided by the embodiment of the invention includes the following modules:
the router: used for building the local area network environment and connecting the camera;
the network camera: used for shooting video data; it is added to the local area network built by the router by configuring an IP address, and it is connected to the web server;
a Web server: one of NGINX, Apache and IIS; its proxy forwarding function is used to access the camera by proxy, to encrypt and transmit the video data shot by the camera, and to forward that data to the client;
a client: accesses the web server using a browser and establishes a secure communication channel with the web server for transmitting the video data;
the encrypted communication channel: based on an openssl library, the domestic cryptographic algorithms SM2, SM3 and SM4, a static link library supporting SM2 domestic digital certificates, and an encrypted transmission protocol based on the SM2 certificate are realized; the static link library is then configured on the web server and used by the web server proxy, completing the establishment of an encrypted communication channel supporting the domestic cryptographic algorithms.
As shown in fig. 5, the encrypted communication channel provided by this example was tested with the Taobao website, accessed by the web server acting as proxy for the client: the nginx.conf file in the conf directory of the NGINX folder under /usr/local on host 1 is changed to use the directive proxy_pass http://www.taobao.com, so that the site is accessed through the encrypted communication channel supporting the domestic cryptographic algorithm.
As shown in fig. 6, in-depth analysis of the packets captured with Wireshark shows that the encrypted communication channel supporting domestic cryptography set up in the above steps basically meets the requirements of the system, can complete the task of encrypting and transmitting the video data in the system, and meets the designed security requirements.
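The record layer tasks listed for fig. 3 (fragmenting, protecting, framing and verifying the data handed down from the upper layer, as in step S16) and the kind of header-level inspection a packet capture such as fig. 6 allows can be shown together. The following Python script is an added example and not code from the patent or from the openssl/gmssl library: seal() splits a message into fragments of at most 16384 bytes, computes a MAC over the sequence number, header and fragment, encrypts fragment and MAC, and prepends a 5-byte header (type, version, length); open_records() parses the frames back and rejects truncated, replayed or tampered records; inspect_headers() reads only the cleartext headers, which is all a capture shows without keys. SHA-256 in counter mode stands in for SM4 and HMAC-SHA256 for the SM3 MAC because hashlib does not expose SM3 portably, the version bytes 0x01 0x01 are an assumption, and compression is omitted.

```python
"""Added example (not from the patent): a record-layer model that
fragments, MACs, encrypts and frames data, and verifies it on receipt.

Stand-ins: SHA-256 counter-mode keystream for SM4, HMAC-SHA256 for the
SM3 MAC, version bytes assumed; compression omitted.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

MAX_FRAGMENT = 16384            # 2**14 plaintext bytes per record
VERSION = b"\x01\x01"           # assumed protocol version bytes
APPLICATION_DATA = 23
MAC_LEN = 32
HEADER = ">B2sH"                # content type, version, ciphertext length


class RecordError(Exception):
    pass


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream keyed by the record sequence number."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">QI", seq, ctr)).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac(mac_key: bytes, seq: int, ctype: int, frag: bytes) -> bytes:
    """MAC over sequence number + header + fragment: reordering or replay fails."""
    hdr = struct.pack(">Q", seq) + struct.pack(HEADER, ctype, VERSION, len(frag))
    return hmac.new(mac_key, hdr + frag, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, seq: int, data: bytes,
         ctype: int = APPLICATION_DATA) -> Tuple[bytes, int]:
    """Fragment, MAC, encrypt and frame; returns (record bytes, next sequence number)."""
    frags = [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]
    out = b""
    for frag in frags:
        body = frag + _mac(mac_key, seq, ctype, frag)
        out += struct.pack(HEADER, ctype, VERSION, len(body))
        out += _xor(body, _keystream(enc_key, seq, len(body)))
        seq += 1
    return out, seq


def open_records(enc_key: bytes, mac_key: bytes, seq: int,
                 blob: bytes) -> Tuple[List[Tuple[int, bytes]], int]:
    """Parse and verify every record in blob; raises RecordError on any fault."""
    records, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 5:
            raise RecordError("truncated header")
        ctype, ver, length = struct.unpack(HEADER, blob[pos:pos + 5])
        if ver != VERSION:
            raise RecordError("unexpected protocol version")
        if length < MAC_LEN or length > MAX_FRAGMENT + MAC_LEN:
            raise RecordError("record length out of range")
        body = blob[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise RecordError("truncated record")
        plain = _xor(body, _keystream(enc_key, seq, length))
        frag, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, frag)):
            raise RecordError("MAC check failed")
        records.append((ctype, frag))
        seq += 1
        pos += 5 + length
    return records, seq


def verify(enc_key: bytes, mac_key: bytes, seq: int, blob: bytes) -> bool:
    """True if every record opens cleanly at the expected sequence number."""
    try:
        open_records(enc_key, mac_key, seq, blob)
        return True
    except RecordError:
        return False


def inspect_headers(blob: bytes) -> List[Tuple[int, int]]:
    """What a capture shows without keys: (content type, ciphertext length) per record."""
    out, pos = [], 0
    while pos + 5 <= len(blob):
        ctype, _ver, length = struct.unpack(HEADER, blob[pos:pos + 5])
        out.append((ctype, length))
        pos += 5 + length
    return out


if __name__ == "__main__":
    # Constructed keys and a 25600-byte "video" payload, which needs two records
    ek, mk = b"k" * 32, b"m" * 32
    blob, _ = seal(ek, mk, 0, bytes(range(256)) * 100)
    print(inspect_headers(blob), verify(ek, mk, 0, blob))
```

Running the sample shows two records of lengths 16416 and 9248 bytes with content type 23, which is the shape a capture of the channel exposes: sizes and types, not content. A flipped ciphertext byte or a record presented at the wrong sequence number fails the MAC check, which is the "verifying the accuracy of the information" task the record layer is charged with.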