US 12,316,779 B1
Safety management and control system for full lifecycle of industrial control data
Bingsheng Zhang, Hangzhou (CN); Haitao Wang, Hangzhou (CN); and Kui Ren, Hangzhou (CN)
Assigned to ZHEJIANG UNIVERSITY, Hangzhou (CN)
Filed by ZHEJIANG UNIVERSITY, Zhejiang (CN)
Filed on Nov. 8, 2024, as Appl. No. 18/940,845.
Claims priority of application No. 202410400448.6 (CN), filed on Apr. 3, 2024.
Int. Cl. H04L 9/32 (2006.01); H04L 9/08 (2006.01)
CPC H04L 9/3263 (2013.01) [H04L 9/0822 (2013.01)] 8 Claims
OG exemplary drawing
 
1. A safety management and control system for full lifecycle of industrial control data, comprising:
an administrator terminal that holds an administrator public-private key pair and an administrator public key root certificate;
a server comprising an encrypted database kernel and an initializer, wherein the encrypted database kernel is located in a trusted execution environment and stores the industrial control data; and the initializer is configured to initialize the encrypted database kernel in combination with the administrator public key root certificate sent by the administrator terminal when the server is deployed for a first time, and return a self-signed certificate generated by the server to the administrator terminal; and
a client configured to access the system through a certificate issued by the administrator terminal, and interact with the server for the industrial control data within an authority configured by the administrator terminal;
wherein said initializer being configured to initialize the encrypted database kernel in combination with the administrator public key root certificate sent by the administrator terminal when the server is deployed for the first time comprises:
receiving a remote authentication initiated by the administrator terminal, and generating an authentication digest in the trusted execution environment, wherein the authentication digest comprises an actual running environment of the server, a digest of actual execution codes, and a signature of trusted hardware using a preset key, such that the administrator terminal completes the remote authentication and establishes a communication channel with the server after receiving the authentication digest;
receiving the administrator public key root certificate and an initialized Structured Query Language (SQL) script sent by the administrator terminal through the communication channel, wherein an administrator account number, limits of authority and authentication rules are configured in the initialized SQL script;
generating a server public-private key pair and a self-signed certificate of a server public key in the trusted execution environment, saving the initialized SQL script into a temporary file, and generating a configuration file of the encrypted database kernel, wherein the configuration file comprises a server private key, the self-signed certificate, the administrator public key root certificate, configuration parameters and a path pointing to the initialized SQL script;
starting the encrypted database kernel, such that the encrypted database kernel completes an initialization of the encrypted database kernel and a respective account creation based on the initialized SQL script and the configuration file; and
sending the self-signed certificate to the administrator terminal, such that when a user intends to use the server, the administrator terminal sends the self-signed certificate to the user to complete authentication.
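The remote authentication step above is the gate that decides whether the administrator releases the root certificate and initialized SQL script to the server at all. The following Python is an added example, not code from the patent or from Zhejiang University: it models the authentication digest (running environment, digest of the executing code, hardware signature) and the administrator's check of it. The expected measurements and the preset hardware key are constructed values, and an HMAC stands in for the trusted hardware's signature so the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed values, not from the patent: what the administrator expects the server to measure.
EXPECTED_ENV = {"tee": "sgx", "debug_mode": False}
KERNEL_CODE = b"encrypted-database-kernel build 1 (constructed)"
EXPECTED_CODE_DIGEST = hashlib.sha256(KERNEL_CODE).hexdigest()
# Stand-in for the trusted hardware's preset signing key. A real TEE signs its quote with a
# vendor-provisioned asymmetric key; HMAC is used here only so the example runs offline.
HARDWARE_KEY = b"constructed-preset-key"


def make_authentication_digest(env, code, key=HARDWARE_KEY):
    """Server side, inside the TEE: actual running environment plus a digest of the
    executing code, signed with the preset hardware key."""
    body = {"env": env, "code_digest": hashlib.sha256(code).hexdigest()}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def admin_verify(digest, key=HARDWARE_KEY):
    """Administrator side: accept only if the hardware signature is valid AND both the
    environment and the code digest match what the administrator expects."""
    payload = json.dumps(digest["body"], sort_keys=True).encode()
    expected_sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, digest["sig"]):
        return False  # quote was not produced by the trusted hardware, or was altered in transit
    body = digest["body"]
    return body["env"] == EXPECTED_ENV and body["code_digest"] == EXPECTED_CODE_DIGEST


def admin_release_secrets(digest, root_cert_pem, init_sql):
    """Release the administrator root certificate and the initialized SQL script over the
    channel only after remote authentication succeeds; otherwise release nothing."""
    if not admin_verify(digest):
        raise PermissionError("remote authentication failed; nothing released")
    return {"root_cert": root_cert_pem, "init_sql": init_sql}


if __name__ == "__main__":
    good = make_authentication_digest(EXPECTED_ENV, KERNEL_CODE)
    print(admin_verify(good))  # True
    # Kernel binary altered: the code digest no longer matches, so the administrator refuses.
    print(admin_verify(make_authentication_digest(EXPECTED_ENV, KERNEL_CODE + b"patched")))  # False
```

A kernel running with a debug-enabled environment, a modified code image, or a quote signed by anything other than the preset hardware key all fail the same check, so the root certificate and account-provisioning script never leave the administrator terminal in those cases.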