A fan operation and maintenance data dynamic encryption method for multiple regions and multiple clients

By dynamically generating terminal identity tokens and sensitivity mapping tables, combined with a policy matrix and a key derivation module within the TEE, the system addresses the security deficiencies and compliance issues of the static key system in wind turbine smart terminals. This achieves efficient multi-region, multi-customer data encryption, improving security and resource utilization efficiency.

CN122160122APending Publication Date: 2026-06-05FUJIAN HAIDIAN OPERATION & MAINTENANCE TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
FUJIAN HAIDIAN OPERATION & MAINTENANCE TECH CO LTD
Filing Date
2026-03-06
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

The existing static key system of wind turbine smart terminals has a single point of leakage risk, cannot meet the differentiated compliance requirements of multiple regions, does not classify data sensitivity, and lacks a dynamic binding mechanism, resulting in unreasonable security and resource utilization.

Method used

A dynamic encryption method is adopted, which generates a terminal identity token through SHA256 operation, combines a sensitivity mapping table and a policy matrix to dynamically match the encryption policy, and uses the key derivation module in the TEE to generate a session encryption key to ensure that the encryption and decryption process is completed locally on the client.

Benefits of technology

It achieves refined data protection with tailored policies for each customer and strict data security measures, significantly reducing the risk of global data leakage, optimizing resource utilization, meeting compliance requirements in multiple regions, and safeguarding data sovereignty.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160122A_ABST
    Figure CN122160122A_ABST
Patent Text Reader

Abstract

The application discloses a fan operation and maintenance data dynamic encryption method for multiple regions and multiple clients, belongs to the technical field of industrial data security and intelligent terminal protection, and is a method for differentiating and dynamically encrypting and protecting operation and maintenance data stored locally by a fan AI assistant client according to the region to which a client belongs, a permission level and data sensitive attributes, specifically comprising the following steps: according to a client region compliance requirement, a data sensitive level and a terminal identity, dynamically matching encryption parameters through a built-in strategy matrix, and completing fan operation and maintenance data protection in the whole encryption life cycle locally on the client, so that the problems of the fact that existing static encryption cannot meet the differentiated security requirements of multiple regions, key risks are concentrated, and resources are wasted are solved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of industrial data security and smart terminal protection technology, and mainly to a dynamic encryption method for wind turbine operation and maintenance data in multiple regions and for multiple customers. Background Technology

[0002] Existing wind turbine smart terminals generally use a unified static key to perform symmetric encryption such as AES on locally cached data. The key is uniformly distributed by the central server, and all customer terminals use the same or periodically fixed encryption strategy, without considering regional compliance differences and data classification requirements.

[0003] The aforementioned prior art has the following significant drawbacks: (1) Static key systems have a single point of leakage risk, and once cracked, all customer data will be exposed. (2) It cannot meet the different compliance requirements of different countries / regions regarding the localization and isolation of industrial data; (3) The data itself was not classified according to its sensitivity. High-value core parameters and ordinary logs were encrypted with the same strength, resulting in unreasonable resource utilization. (4) It lacks a dynamic binding mechanism with customer identity and project attributes, resulting in insufficient security and flexibility. Summary of the Invention

[0004] To address the above shortcomings, this invention provides a wind turbine operation and maintenance data protection method that dynamically matches encryption parameters based on customer regional compliance requirements, data sensitivity levels, and terminal identities using a built-in policy matrix, and completes the entire encryption lifecycle locally on the client side. This solves the problems of existing static encryption failing to meet the differentiated security needs of multiple regions, concentrated key risks, and resource waste. According to a first aspect of this invention, a dynamic encryption method for wind turbine operation and maintenance data across multiple regions and customers is proposed, specifically including: When receiving a client access request, the client ID and region code are obtained, the two are concatenated in a preset order and then subjected to SHA256 operation to generate a terminal identity token, and the token is written into the session context cache. Before writing the data, a preset sensitivity mapping table is loaded onto the target data, the sensitivity level is determined according to the field type, and the sensitivity level is written into the metadata area; The policy matrix addressing engine is invoked, using the region code as the row index and the sensitivity level as the column index, to retrieve the target encryption policy unit in the policy matrix and output the specified encryption algorithm, key length, and integrity verification parameters. The key derivation module deployed in the TEE generates a session encryption key SessionKey based on MasterSecret, Token and the current date and timestamp, and determines whether to generate an integrity verification key HMACKey synchronously according to the policy unit. Write the ciphertext, IV, authentication code and corresponding metadata to the local database, and execute memory clearing instructions on SessionKey and HMACKey within the TEE; When reading encrypted data, the corresponding sensitivity level and region code are reloaded based on the data storage metadata, and key derivation is performed again using the token. If the historical session key cannot be reproduced, the decryption request is rejected.

[0005] Preferably, the SHA256 operation is performed by an instruction-optimized hash module, using a 64-byte fixed buffer to ensure that the token remains unique and verifiable in the event of customer migration or network switching.

[0006] Preferably, the sensitivity level is determined by a hash mapping structure with field type as the key, and the sensitivity level is automatically raised to the highest level when a field is detected to contain model weights or key fragments.

[0007] Preferably, the strategy matrix is ​​implemented in the form of a memory-resident two-dimensional array, and the encryption strategy unit is directly addressed by calculating the row and column offsets, without any network dependency.

[0008] Preferably, the MasterSecret is written to the TEE by a security server and encrypted with the device's private key during the initial device activation phase, making it unreadable by any external process.

[0009] Preferably, the key derivation module uses HKDF-SHA256, and the timestamp in the input parameters is stored in YYYYMMDD format to realize automatic daily rotation of the session key.

[0010] Preferably, after the SessionKey and HMACKey are generated within the TEE, they exist only in the form of registers and are not written to RAM. Furthermore, a zero-filling clear instruction is executed after encryption is completed.

[0011] Preferably, when the region code is updated due to permission changes, the processor recalculates the token. Since the derived input has changed, the historical SessionKey cannot be reconstructed, thereby achieving automatic blocking of access to existing data.

[0012] According to a second aspect of the present invention, a computer program product is provided, on which one or more computer programs are stored, which, when executed by a computer processor, implement the method described above.

[0013] The above-described one or more technical solutions in the embodiments of this application have at least one of the following technical effects: Achieving refined data protection with one policy per customer and one password per data point: Through the policy matrix mechanism, for the first time in the field of wind turbine operation and maintenance, the encryption policy is automatically and refinedly matched with regional regulations and data sensitivity.

[0014] The dynamic key mechanism significantly reduces the risk of global data leakage: the key is dynamically derived from the KDF function within the TEE, has a short lifespan, and is strongly bound to identity and time.

[0015] Encryption is tiered based on data sensitivity to optimize the allocation of terminal computing and storage resources: ordinary logs are encrypted with lightweight encryption, while core data is encrypted with high-strength encryption, resulting in more rational resource utilization.

[0016] Fully localized execution fundamentally safeguards data sovereignty: policy matching, key generation, encryption and decryption are all completed locally on the client side, and the key never leaves the device, perfectly complying with the ironclad security rule of industrial data "not leaving the factory". Attached Figure Description

[0017] The accompanying drawings are included to provide a further understanding of the embodiments and are incorporated in and constitute a part of this specification. The drawings illustrate embodiments and, together with the description, serve to explain the principles of the invention. Other embodiments and many anticipated advantages of the embodiments will be readily recognized as they become better understood through reference to the following detailed description. Elements in the drawings are not necessarily to scale. The same reference numerals refer to corresponding similar parts.

[0018] Figure 1 A flowchart illustrating a dynamic encryption method for wind turbine operation and maintenance data across multiple regions and customers, according to an embodiment of the present invention, is shown.

[0019] Figure 2 This is a schematic diagram of the structure of a computer system suitable for implementing the electronic devices of the present application embodiments. Detailed Implementation

[0020] The present application will now be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and not intended to limit it. Furthermore, it should be noted that, for ease of description, only the parts relevant to the invention are shown in the accompanying drawings.

[0021] It should be noted that, unless otherwise specified, the embodiments and features described in this application can be combined with each other. This application will now be described in detail with reference to the accompanying drawings and embodiments.

[0022] Figure 1A flowchart illustrating a dynamic encryption method for wind turbine operation and maintenance data across multiple regions and customers, according to an embodiment of the present invention, is shown below. The specific steps are as follows: Upon receiving a client access request, the system obtains the client ID (ClientID) and region code (RegionCode), concatenates them in a preset order, and then performs a SHA256 operation to generate a terminal identity token. The formula is: Token = SHA256(ClientID||RegionCode). The SHA256 operation is performed by an instruction-optimized hash module, using a 64-byte fixed buffer to ensure the token maintains its uniqueness and verifiability during client migration or network switching. Furthermore, the token is written to the session context cache.

[0023] By employing instruction-level optimized SHA256 operations during the client access phase to concatenate and hash the ClientID and RegionCode to generate a Token, and completing the calculation and storage within a fixed-length buffer, high consistency, high reliability, and verifiability across network environments are achieved for terminal identity identification.

[0024] Before writing data, a preset sensitivity mapping table is loaded onto the target data, the sensitivity level is determined according to the field type, and the sensitivity level is written into the metadata area.

[0025] The predefined four-level data sensitivity labels include: L1 (Regular Log): Running status, timestamps, etc.; L2 (Equipment Parameters): Temperature, vibration values, etc.; L3 (Fault Analysis): Root cause diagnosis and handling recommendations; L4 (core algorithm): model weights, encryption key fragments.

[0026] Before the data is written to the local cache, it is automatically tagged by the business module and stored in the metadata field.

[0027] Sensitivity level is determined through a hash mapping structure with field type as the key. When a field is detected to contain model weights or key fragments, the sensitivity level is automatically raised to the highest level.

[0028] The policy matrix addressing engine is invoked, using the region code as the row index and the sensitivity level as the column index, to retrieve the target encryption policy unit in the policy matrix and output the specified encryption algorithm, key length, and integrity verification parameters.

[0029] The policy matrix is ​​specifically a built-in two-dimensional policy matrix M, whose row index is the region code r. {EU, CN, US}, column index is set to data sensitivity level l {1, 2, 3, 4}. Each element M(r, l) in the matrix is ​​a tuple of encryption policies, specifically expressed as: M(r, l) = (Algorithm, KeyLength, UseHMAC}.

[0030] Policy configuration example: M(EU,4)=(AES-256,256,True): The EU GDPR enforces the highest level of core data requirements; M(CN,3)=(SM4,128,False): Adaptation to Chinese national cryptographic algorithm; M(US,1)=(AES-128,128,False): Normal logs use basic encryption.

[0031] When a piece of data with the tag DataLevel=l needs to be encrypted, the system first determines the current customer's RegionCode=r, and then directly looks up the policy in the table (Alg, KL, HMAC). M(r,l) is a process that requires no network requests, has no external dependencies, makes decisions quickly, and conforms to the principle of "data not leaving the domain".

[0032] The key derivation module deployed in the TEE generates a session encryption key SessionKey based on MasterSecret, Token, and the current date and timestamp, and determines whether to synchronously generate an integrity verification key HMACKey according to the policy unit, where HMACKey = HKDF-SHA256(MasterSecret,Token||Timestamp,“HMAC_KEY”).

[0033] During the initial device activation phase, the MasterSecret is written to the TEE by a secure server and encrypted with the device's private key, making it unreadable by any external process.

[0034] The key derivation module uses HKDF-SHA256, and the timestamp in the input parameters is stored in YYYYMMDD format to realize automatic daily rotation of the session key; in: SessionKey=HKDF-SHA256(MasterSecret,Token||Timestamp,“ENC_KEY”) MasterSecret: Issued by a secure server when the device is activated and permanently stored in a TEE (Trusted Execution Environment), never leaving the device.

[0035] Timestamp: Retrieves the current date string (e.g., "20251128") to ensure that the key is automatically rotated every day at midnight.

[0036] ENC_KEY: A fixed context string that distinguishes encryption keys from keys used for other purposes.

[0037] Write the ciphertext, IV, authentication code and corresponding metadata to the local database, and execute memory clearing instructions on SessionKey and HMACKey within the TEE.

[0038] By collaborating with a dual-dimensional policy matrix based on regional sensitivity and a deterministic key derivation mechanism within the TEE, millisecond-level encryption decisions, consistent key generation, and strong isolation storage of wind turbine operation and maintenance data are achieved across multiple regions, levels, and operating conditions. The policy matrix allows for rapid local lookup of encryption algorithms and key lengths, eliminating the need for network requests and reducing latency while ensuring data remains within its domain. Within the TEE, HKDF-SHA256 generates a daily rotating SessionKey using MasterSecret, Token, and a date stamp, ensuring the key is unexportable, unreproducible, and time-bound, preventing cross-domain abuse and historical data replay at the source. Immediate key deletion after encryption prevents persistent attacks. Therefore, this invention provides a dynamic encryption system for wind turbine operation and maintenance data that offers cross-regional compliance, strong key security, and irreversible access without sacrificing real-time performance, significantly improving the security and reliability of high-frequency operation and maintenance data.

[0039] Specifically, according to a specific embodiment of the present invention, the encryption execution process is as follows: The business module sends the plaintext data and its DataLevel to the local encryption engine.

[0040] The encryption engine retrieves Alg, KL, and HMAC based on the DataLevel and Token query strategy matrix.

[0041] The encryption engine calls the KDF within the TEE to generate the SessionKey and HMACKey.

[0042] Perform encryption operations in TEE or secure memory: like Encryption is performed using SessionKey and a random IV in GCM or CBC mode.

[0043] If Alg=SM4, use SessionKey for ECB / CBC mode encryption.

[0044] If UseHMAC=True, calculate HMAC=HMAC-SHA256(HMACKey,Ciphertext||IV).

[0045] Store Ciphertext, IV, HMAC, and metadata [DataLevel, EncryptionTime] together in a local SQLite database.

[0046] After being generated within the TEE, SessionKey and HMACKey exist only as registers and are not written to RAM. Furthermore, a zero-filling clear instruction is executed after encryption is complete.

[0047] When reading encrypted data, the corresponding sensitivity level and region code are reloaded based on the data storage metadata, and key derivation is performed again using the token. If the historical session key cannot be reproduced, the decryption request is rejected.

[0048] When the region code is updated due to permission changes, the processor recalculates the token. Since the derived input has changed, the historical SessionKey cannot be reconstructed, thereby automatically blocking access to existing data.

[0049] Based on the dynamic encryption and decryption method of the present invention described above, the following is a specific embodiment with the following steps: Real-time sampling of high-frequency sensors such as vibration, temperature, and oil pressure at the edge nodes of the wind turbine is performed to form a continuous data stream indexed by millisecond-level timestamps; The processor slices the data stream into data blocks Slice(i) according to a preset window (e.g., 50ms, 100ms) and attaches a sensor type identifier when slicing.

[0050] The system automatically triggers sensitivity mapping based on sensor type, for example: Vibration spectrum - High sensitivity - L3; Temperature, oil pressure - medium sensitivity - L2; Run log - Low sensitivity - L1; Sensitivity levels are written to the metadata of each slice.

[0051] The processor uses the customer's compliance region code and sensitivity level as indexes to access the policy matrix M residing in memory to obtain the encryption policy parameters (Alg, KeyLength, UseHMAC, Mode) of the slice.

[0052] To reduce queuing latency of high-frequency sensor data in the CPU, the system establishes a streaming encrypted pipeline, StreamPipe, on the edge nodes: Pipe-In: Slice(i) enters the queue to be encrypted; Pipe-Enc: Distributes to parallel encryption units according to the policy matrix; Pipe-Out: Outputs the ciphertext stream CipherStream(i); The pipeline employs a lock-free ring buffer to prevent high-frequency data congestion.

[0053] Each data window corresponds to a unique SessionKey: SessionKey(i)=HKDF(MasterSecret,Token||WindowID,“SENSOR_KEY”); Perform the following for each Slice(i): Perform fast streaming encryption (AES-CTR / GCM or SM4-CTR) using SessionKey(i) and random IV(i); If UseHMAC=True, then calculate HMAC(i); The encryption process described above is performed in secure memory, and the key is stored only in a register-level cache.

[0054] The processor reassembles the CipherStream in slice order, appending SliceIndex(i), DataLevel, RegionCode, and EncryptionTime, and writes it to the local edge SQLite database.

[0055] During reading, the SessionKey(i) is regenerated within the TEE based on the WindowID of the time window to which the Slice belongs. If the SessionKey(i) cannot be reproduced, decryption is refused (e.g., region switching, permission revocation, token invalidation).

[0056] This invention incorporates the characteristics of high-frequency sensor data in wind turbine operation and maintenance scenarios into the overall security system, achieving the technical effects of data structure perception, condition-driven operation, and window-level dynamic encryption. At the edge, the system slices continuous data streams such as millisecond-level vibration and temperature, automatically determines sensitivity, and assigns independent encryption policies and TEE-derived keys to each window based on a policy matrix of region and sensitivity. A streaming encryption pipeline enables low-latency encryption processing of high-throughput sensor data while ensuring that keys are not written to disk or leaked. During the reading phase, the non-reproducibility of the window key achieves access isolation. Therefore, this invention significantly improves the security, policy adaptability, and cross-regional compliance of high-frequency data in wind turbine operation and maintenance without sacrificing real-time performance, forming a highly efficient dynamic encryption technology effect in the wind power industry scenario.

[0057] The following is for reference. Figure 2 It shows a schematic diagram of the structure of a computer system 200 suitable for implementing electronic devices according to embodiments of the present application. Figure 2The electronic device shown is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments of this application.

[0058] like Figure 2 As shown, the computer system 200 includes a central processing unit (CPU) 201, which can perform various appropriate actions and processes based on programs stored in read-only memory (ROM) 202 or programs loaded from storage section 208 into random access memory (RAM) 203. The RAM 203 also stores various programs and data required for the operation of the system 200. The CPU 201, ROM 202, and RAM 203 are interconnected via a bus 204. An input / output (I / O) interface 205 is also connected to the bus 204.

[0059] The following components are connected to I / O interface 205: an input section 206 including a keyboard, mouse, etc.; an output section 207 including a liquid crystal display (LCD) and speakers, etc.; a storage section 208 including a hard disk, etc.; and a communication section 209 including a network interface card such as a LAN card and a modem, etc. The communication section 209 performs communication processing via a network such as the Internet. A drive 210 is also connected to I / O interface 205 as needed. A removable medium 211, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on drive 210 as needed so that computer programs read from it can be installed into storage section 208 as needed.

[0060] Specifically, according to embodiments of this disclosure, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this disclosure include a computer program product comprising a computer program carried on a computer-readable storage medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via communication section 209, and / or installed from removable medium 211. When the computer program is executed by central processing unit (CPU) 201, it performs the functions defined in the methods of this application. It should be noted that the computer-readable storage medium of this application can be a computer-readable signal medium or a computer-readable storage medium or any combination thereof. The computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this application, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in connection with an instruction execution system, apparatus, or device. In this application, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A computer-readable signal medium can also be any computer-readable storage medium other than a computer-readable storage medium that can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. Program code contained on a computer-readable storage medium may be transmitted using any suitable medium, including but not limited to: wireless, wire, optical fiber, RF, etc., or any suitable combination thereof.

[0061] Computer program code for performing the operations of this application can be written in one or more programming languages ​​or a combination thereof. Programming languages ​​include object-oriented programming languages—such as Java, Smalltalk, and C++—as well as conventional procedural programming languages—such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a local area network (LAN) or a wide area network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).

[0062] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0063] The modules described in the embodiments of this application can be implemented in software or in hardware.

[0064] On the other hand, this application also provides a computer-readable storage medium, which may be included in the electronic device described in the above embodiments; or it may exist independently and not assembled into the electronic device. The aforementioned computer-readable storage medium carries one or more programs. When the electronic device executes the aforementioned one or more programs, the electronic device: upon receiving a client access request, obtains the client identifier ClientID and the region code RegionCode, concatenates the two in a preset order, performs SHA256 calculation, generates a terminal identity token, and writes the token into the session context cache; before writing data, loads a preset sensitivity mapping table onto the target data, determines the sensitivity level according to the field type, and writes the sensitivity level into the metadata area; and calls the policy matrix addressing engine, using the region code as the row index and the sensitivity level as the column index, to retrieve the target encryption policy unit in the policy matrix. It outputs the specified encryption algorithm, key length, and integrity verification parameters; through the key derivation module deployed in the TEE, it generates a session encryption key SessionKey based on MasterSecret, Token, and the current date and timestamp, and determines whether to synchronously generate an integrity verification key HMACKey according to the policy unit; it writes the ciphertext, IV, authentication code, and corresponding metadata into the local database, and executes a memory clearing command on SessionKey and HMACKey in the TEE; when reading encrypted data, it reloads the corresponding sensitivity level and area code according to the data storage metadata, and performs key derivation again through Token; if the historical session key cannot be reproduced, the decryption request is rejected.

[0065] The above description is merely a preferred embodiment of this application and an explanation of the technical principles employed. Those skilled in the art should understand that the scope of the invention involved in this application is not limited to technical solutions formed by specific combinations of the above-described technical features, but should also cover other technical solutions formed by arbitrary combinations of the above-described technical features or their equivalents without departing from the above-described inventive concept. For example, technical solutions formed by substituting the above features with (but not limited to) technical features with similar functions disclosed in this application.

Claims

1. A dynamic encryption method for wind turbine operation and maintenance data across multiple regions and customers, characterized in that, include: When receiving a client access request, the client ID and region code are obtained, the two are concatenated in a preset order and then subjected to SHA256 operation to generate a terminal identity token, and the token is written into the session context cache. Before writing the data, a preset sensitivity mapping table is loaded onto the target data, the sensitivity level is determined according to the field type, and the sensitivity level is written into the metadata area; The policy matrix addressing engine is invoked, using the region code as the row index and the sensitivity level as the column index, to retrieve the target encryption policy unit in the policy matrix and output the specified encryption algorithm, key length, and integrity verification parameters. The key derivation module deployed in the TEE generates a session encryption key SessionKey based on MasterSecret, Token and the current date and timestamp, and determines whether to generate an integrity verification key HMACKey synchronously according to the policy unit. Write the ciphertext, IV, authentication code and corresponding metadata to the local database, and execute memory clearing instructions on SessionKey and HMACKey within the TEE; When reading encrypted data, the corresponding sensitivity level and region code are reloaded based on the data storage metadata, and key derivation is performed again using the token. If the historical session key cannot be reproduced, the decryption request is rejected.

2. The method for dynamic encryption of wind turbine operation and maintenance data according to claim 1, characterized in that, The SHA256 operation is performed by an instruction-optimized hash module, using a 64-byte fixed buffer to ensure that the token remains unique and verifiable in the event of customer migration or network switching.

3. The method for dynamic encryption of wind turbine operation and maintenance data according to claim 1, characterized in that, The sensitivity level is determined through a hash mapping structure with field type as the key. When a field is detected to contain model weights or key fragments, the sensitivity level is automatically raised to the highest level.

4. The method for dynamic encryption of wind turbine operation and maintenance data according to claim 1, characterized in that, The policy matrix is ​​implemented as a memory-resident two-dimensional array, and the encryption policy unit is directly addressed by calculating the row and column offsets, without any network dependency.

5. The method for dynamic encryption of wind turbine operation and maintenance data according to claim 1, characterized in that, The MasterSecret is written to the TEE by the security server during the initial device activation phase and encrypted with the device's private key, making it unreadable by any external process.

6. The method for dynamic encryption of wind turbine operation and maintenance data according to claim 1, characterized in that, The key derivation module uses HKDF-SHA256, and the timestamp in the input parameters is stored in YYYYMMDD format to realize automatic daily rotation of the session key.

7. The method for dynamic encryption of wind turbine operation and maintenance data according to claim 1, characterized in that, After being generated within the TEE, SessionKey and HMACKey exist only as registers and are not written to RAM. Furthermore, a zero-filling clear instruction is executed after encryption is complete.

8. The method for dynamic encryption of wind turbine operation and maintenance data according to claim 1, characterized in that, When the region code is updated due to permission changes, the processor recalculates the token. Since the derived input has changed, the historical SessionKey cannot be reconstructed, thereby automatically blocking access to existing data.

9. A computing system, characterized in that, It includes a processor and a memory, the processor being configured to perform the method as described in any one of claims 1-8.

10. A computer program product, characterized in that, It stores a computer program that, when executed by a processor, implements the method as described in any one of claims 1-8.