CN108810023A - Safe encryption method, key sharing method and safety encryption isolation gateway - Google Patents
Safe encryption method, key sharing method and safety encryption isolation gateway
- Publication number: CN108810023A
- Application number: CN201810794868.1A
- Authority: CN (China)
- Prior art keywords: data packet, session key, key, mac, session
- Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Classifications
- H04L63/061: Network architectures or network communication protocols for network security for supporting key management in a packet data network, for key exchange, e.g. in peer-to-peer networks
- H04L63/0209: Network security for separating internal from external traffic (firewalls); architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/0428: Confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/123: Applying verification of the received data contents, e.g. message integrity
- H04L9/0838: Key agreement, i.e. a key establishment technique in which a shared key is derived by the parties as a function of information contributed by, or associated with, each of them
- H04L9/3242: Message authentication using keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
- H04L63/0236: Filtering policies; filtering by address, protocol, port number or service, e.g. IP address or URL
- H04L63/0245: Filtering policies; filtering by information in the payload
- H04L63/0272: Network security for separating internal from external traffic; virtual private networks
Abstract
The invention discloses a secure encryption method, a key sharing method and a secure encryption isolation gateway. The secure encryption method comprises the following steps: receiving a data packet on the downlink; checking whether a session key for the receiving terminal of the data packet is held locally; if no session key is held locally, querying the key sharing server for a session key for the receiving terminal; if the key sharing server has no session key either, starting the session key negotiation procedure; if the session key negotiation procedure determines that the receiving terminal is a legitimate user, encrypting the data packet with the session key; performing a MAC computation over the encrypted data packet to obtain the MAC part of the packet; and encapsulating the encrypted packet together with its MAC part into an SAL protocol message. The secure encryption method of the invention effectively prevents attacks and virus infiltration from the external network, and offers high security and reliability.
Description
Technical field
The invention relates to the field of electric power information systems, and in particular to a power-industry-specific secure encryption method, key sharing method and secure encryption isolation gateway.
Background
The electricity consumption information collection system (hereafter the collection system) is a key business system in the electricity infrastructure of residential and enterprise users; it comprises the collection master station, communication channels, the communication front-end and terminal devices. The collection system is deployed centrally, and terminal devices access the collection master station over operators' GPRS/CDMA/3G/4G wireless APN private networks, the 230 wireless private network, the Beidou network and other wireless private networks, as well as dedicated optical fibre channels. The master station is, however, exposed to a variety of attacks from public networks, so security protection must be strengthened in the master station's access zone in order to achieve network isolation of the master station, terminal identity authentication, business protocol filtering and protection of business message transmission, thereby reducing the risk of intrusion at the access boundary of the master station system.
Functionally, traditional secure access gateway devices mainly implement terminal authentication and access through a secure channel layer and establish bidirectional encrypted tunnels to encrypt application system data. The cryptographic algorithms used are generally international algorithms; few secure access gateway devices support the national cryptographic algorithms SM1/SM2/SM3. Traditional secure access gateway devices also generally lack a network security isolation function and cannot meet the collection system's requirements of a very large terminal population and high device performance (SM1 encryption rate 2.4 Gbps, SM2 signing rate 20000 TPS, SM2 signature verification rate 10000 TPS, SM3 computation rate 8 Gbps, terminal access capacity 600,000 per device).
The information disclosed in this Background section is intended only to enhance understanding of the general background of the invention and should not be taken as an acknowledgement or any form of suggestion that this information constitutes prior art already known to a person of ordinary skill in the art.
Summary of the invention
The purpose of the invention is to provide a power-industry-specific secure encryption method that effectively prevents attacks from the external network and has high reliability.
Another object of the invention is to provide a key sharing method and a secure encryption isolation gateway.
To achieve the above objects, the invention provides a power-industry-specific secure encryption method comprising the following steps: receiving a data packet on the downlink; checking whether a session key for the receiving terminal of the data packet is held locally; if no session key is held locally, querying the key sharing server for a session key for the receiving terminal; if the key sharing server has no session key, starting the session key negotiation procedure; if the session key negotiation procedure determines that the receiving terminal is a legitimate user, encrypting the data packet with the session key; performing a MAC computation over the encrypted data packet to obtain the MAC part of the packet; and encapsulating the encrypted packet together with its MAC part into an SAL protocol message.
In a preferred embodiment, the session key negotiation procedure comprises the following steps: sending a session establishment request message to the receiving terminal; the receiving terminal judging the identity of the security gateway on the basis of the session establishment request message; if the security gateway is judged to be a legitimate security gateway, the receiving terminal sending a session establishment response message; the security gateway verifying the signature on the session establishment response message; if the receiving terminal is judged to be a legitimate user, sending a key negotiation request message to the receiving terminal; and, after receiving the key negotiation request message, the receiving terminal sending a key negotiation response message.
The invention also provides a power-industry-specific secure encryption method comprising the following steps: receiving a data packet on the uplink; performing header and trailer checks on the data packet and decapsulating it; checking whether a session key for the sending terminal of the data packet is held locally; if no session key is held locally, querying the key sharing server for a session key for the sending terminal; if the key sharing server has no session key, starting the session key negotiation procedure; if the session key negotiation procedure determines that the sending terminal is a legitimate user, decrypting the data packet with the negotiated session key; and forwarding the decrypted packet to the collection front-end.
In a preferred embodiment, the session key negotiation procedure comprises the following steps: sending a session establishment request message to the sending terminal; the sending terminal judging the identity of the security gateway on the basis of the session establishment request message; if the security gateway is judged to be a legitimate security gateway, the sending terminal sending a session establishment response message; the security gateway verifying the signature on the session establishment response message; if the sending terminal is judged to be a legitimate user, sending a key negotiation request message to the sending terminal; and, after receiving the key negotiation request message, the sending terminal sending a key negotiation response message.
In a preferred embodiment, if a session key for the sending terminal of the data packet is held locally, the following operations are performed: computing a MAC over the decapsulated data packet; comparing the computed MAC with the MAC carried in the decapsulated packet; if the computed MAC matches the MAC in the decapsulated packet, decrypting the packet with the session key and forwarding the decrypted packet to the collection front-end; if the computed MAC does not match the MAC in the decapsulated packet, generating an error response packet and sending the error response packet to the collection front-end.
The invention also provides a secure encryption isolation gateway that is communicatively connected to the collection front-end and the communication front-end respectively, the collection front-end being configured to receive data packets on the downlink. The secure encryption isolation gateway comprises an intranet processing unit, an extranet processing unit and an isolation exchange unit, the isolation exchange unit being configured to: check whether a session key for the receiving terminal of the data packet is held locally; if no session key is held locally, query the key sharing server for a session key for the receiving terminal; if the key sharing server has no session key, start the session key negotiation procedure; if the session key negotiation procedure determines that the receiving terminal is a legitimate user, control the cryptographic operation unit to encrypt the data packet with the session key; perform a MAC computation over the encrypted data packet to obtain the MAC part of the packet; and encapsulate the encrypted packet together with its MAC part into an SAL protocol message.
The invention also provides a secure encryption isolation gateway that is communicatively connected to the collection front-end and the communication front-end respectively, the communication front-end being configured to receive data packets on the uplink. The secure encryption isolation gateway comprises an intranet processing unit, an extranet processing unit and an isolation exchange unit, the isolation exchange unit being configured to: perform header and trailer checks on the data packet and decapsulate it; check whether a session key for the sending terminal of the data packet is held locally; if no session key is held locally, query the key sharing server for a session key for the sending terminal; if the key sharing server has no session key, start the session key negotiation procedure; if the session key negotiation procedure determines that the sending terminal is a legitimate user, decrypt the data packet with the negotiated session key; and forward the decrypted packet to the collection front-end.
In a preferred embodiment, if a session key for the sending terminal of the data packet is held locally, the following operations are performed: computing a MAC over the decapsulated data packet; comparing the computed MAC with the MAC carried in the decapsulated packet; if the computed MAC matches the MAC in the decapsulated packet, decrypting the packet with the session key and forwarding the decrypted packet to the collection front-end; and if the computed MAC does not match the MAC in the decapsulated packet, generating an error response packet and sending the error response packet to the collection front-end.
The invention provides a power-industry-specific secure key sharing method comprising the following steps: receiving a data packet on the downlink; checking whether a session key for the receiving terminal of the data packet is held locally; if no session key is held locally, querying the key sharing server for a session key for the receiving terminal; if the key sharing server has no session key, starting the session key negotiation procedure; after the session key negotiation procedure completes, generating the session key; and uploading the generated session key in real time to the sharing server, where the sharing server can share the stored session keys with multiple different gateways.
Compared with the prior art, the power-industry-specific secure encryption method, key sharing method and secure encryption isolation gateway of the invention have the following advantages. The secure encryption isolation gateway of the invention is based entirely on the national cryptographic algorithms SM1/SM2/SM3; it adopts a red/black isolation architecture and cryptography-based isolation technology to logically isolate the system intranet from the extranet, effectively preventing attacks and virus infiltration from the external network; it prevents cross-network intrusion of illegal data through protocol blocking, format checking, protocol analysis and similar techniques; it builds a secure channel between the gateway and the collection terminals, encrypting and encapsulating the data and computing a message authentication code, so as to provide transport-layer confidentiality and integrity; it uses a dedicated hardware cryptographic processing unit and a multi-core concurrent processor to support massive terminal access and high-speed message encryption and decryption; and it provides high reliability through session key sharing and a hierarchical key protection mechanism. The secure encryption isolation gateway of the invention shows significant improvements in algorithm performance, security, reliability and availability, matches the business of the collection system well, and can meet the collection system's business security and performance requirements.
Description of the drawings
Fig. 1 is a flowchart of a power-industry-specific secure encryption method according to a preferred embodiment of the invention.
Fig. 2 is a flowchart of a power-industry-specific secure encryption method according to another preferred embodiment of the invention.
Fig. 3 is a flowchart of a power-industry-specific secure key sharing method according to another preferred embodiment of the invention.
Fig. 4 is a logical composition diagram of a power-industry-specific secure encryption isolation gateway according to a preferred embodiment of the invention.
Fig. 5 is a schematic diagram of the physical composition of an isolation card according to a preferred embodiment of the invention.
Fig. 6 is a schematic diagram of the SAL encapsulation format according to a preferred embodiment of the invention.
Fig. 7 is an information flow diagram of terminal identity authentication and key negotiation processing according to a preferred embodiment of the invention.
Fig. 8 is a schematic structural diagram of a key sharing system according to a preferred embodiment of the invention.
Detailed description
Specific embodiments of the invention are described in detail below with reference to the accompanying drawings, but it should be understood that the scope of protection of the invention is not limited by these specific embodiments.
Unless expressly stated otherwise, throughout the specification and claims the term "comprise" or variants such as "comprises" or "comprising" will be understood to include the stated elements or components without excluding other elements or components.
As shown in Fig. 1, the secure encryption method of a preferred embodiment of the invention comprises the following steps:
- Step 101: receive a data packet on the downlink;
- Step 102: check whether a session key for the receiving terminal of the data packet is held locally;
- Step 103: if no session key is held locally, query the key sharing server for a session key for the receiving terminal;
- Step 104: if the key sharing server has no session key, start the session key negotiation procedure;
- Step 105: if the session key negotiation procedure determines that the receiving terminal is a legitimate user, encrypt the data packet with the session key;
- Step 106: perform a MAC computation over the encrypted data packet to obtain the MAC part of the packet;
- Step 107: encapsulate the encrypted packet together with its MAC part into an SAL protocol message.
In the above scheme, the session key negotiation procedure comprises the following steps: sending a session establishment request message to the receiving terminal; the receiving terminal judging the identity of the security gateway on the basis of the session establishment request message; if the security gateway is judged to be a legitimate security gateway, the receiving terminal sending a session establishment response message; the security gateway verifying the signature on the session establishment response message; if the receiving terminal is judged to be a legitimate user, sending a key negotiation request message to the receiving terminal; and, after receiving the key negotiation request message, the receiving terminal sending a key negotiation response message.
As shown in Fig. 2, the secure encryption method of a preferred embodiment of the invention comprises the following steps:
- Step 201: receive a data packet on the uplink;
- Step 202: perform header and trailer checks on the data packet and decapsulate it;
- Step 203: check whether a session key for the sending terminal of the data packet is held locally;
- Step 204: if no session key is held locally, query the key sharing server for a session key for the sending terminal;
- Step 205: if the key sharing server has no session key, start the session key negotiation procedure;
- Step 206: if the session key negotiation procedure determines that the sending terminal is a legitimate user, decrypt the data packet with the negotiated session key;
- Step 207: forward the decrypted packet to the collection front-end.
As shown in Fig. 3, the invention also provides a power-industry-specific secure key sharing method comprising the following steps:
- Step 301: receive a data packet on the downlink;
- Step 302: check whether a session key for the receiving terminal of the data packet is held locally;
- Step 303: if no session key is held locally, query the key sharing server for a session key for the receiving terminal;
- Step 304: if the key sharing server has no session key, start the session key negotiation procedure;
- Step 305: after the session key negotiation procedure completes, generate the session key;
- Step 306: upload the generated session key in real time to the sharing server, where the sharing server can share the stored session keys with multiple different gateways.
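The session key resolution order of Figs. 1 to 3 (local store, then key sharing server, then negotiation, then real-time upload so that other gateways can reuse the key) can be modelled as a small lookup chain. The following is an added example, not code from the patent or from any product it describes. `KeyShareServer`, `Gateway`, `resolve_session_key` and `run_demo` are names chosen here; the negotiation procedure of Fig. 7 is stood in for by a constructed callback that returns a fresh random key for terminals in an allow-list and `None` for anyone else, which represents the "terminal is not a legitimate user" outcome.

```python
import os
from typing import Callable, Dict, Optional, Tuple


class KeyShareServer:
    """Constructed stand-in for the patent's key sharing server (Fig. 8): session keys by terminal id."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def lookup(self, terminal_id: str) -> Optional[bytes]:
        return self._keys.get(terminal_id)

    def upload(self, terminal_id: str, key: bytes) -> None:
        # Step 306: a key negotiated by one gateway becomes visible to every other gateway.
        self._keys[terminal_id] = key


class Gateway:
    """One secure encryption isolation gateway with its own local session key store."""

    def __init__(self, name: str, server: KeyShareServer,
                 negotiate: Callable[[str], Optional[bytes]]) -> None:
        self.name = name
        self.server = server
        self.negotiate = negotiate          # hypothetical hook for the Fig. 7 negotiation procedure
        self.local: Dict[str, bytes] = {}

    def resolve_session_key(self, terminal_id: str) -> Optional[Tuple[bytes, str]]:
        """Steps 302-306: returns (key, source) or None when negotiation rejects the terminal."""
        key = self.local.get(terminal_id)                   # step 302: local store
        if key is not None:
            return key, "local"
        key = self.server.lookup(terminal_id)               # step 303: key sharing server
        if key is not None:
            self.local[terminal_id] = key                   # cache so the next packet is served locally
            return key, "server"
        key = self.negotiate(terminal_id)                   # step 304: negotiation with the terminal
        if key is None:
            return None                                     # not a legitimate user: no key, packet is not processed
        self.local[terminal_id] = key                       # step 305: key generated by negotiation
        self.server.upload(terminal_id, key)                # step 306: real-time upload for other gateways
        return key, "negotiated"


def make_negotiator(legitimate_terminals: set) -> Callable[[str], Optional[bytes]]:
    """Constructed negotiation stub: succeeds only for terminals whose identity would verify."""
    def negotiate(terminal_id: str) -> Optional[bytes]:
        if terminal_id not in legitimate_terminals:
            return None
        return os.urandom(16)                               # fresh session key per negotiation
    return negotiate


def run_demo() -> Tuple[list, bool, Optional[Tuple[bytes, str]]]:
    """Two gateways share one server: only the first contact with a terminal negotiates."""
    server = KeyShareServer()
    negotiate = make_negotiator({"T-0001", "T-0002"})       # constructed terminal ids
    gw_a = Gateway("gw-a", server, negotiate)
    gw_b = Gateway("gw-b", server, negotiate)
    trace = []
    key1, src = gw_a.resolve_session_key("T-0001"); trace.append(src)   # negotiated, then uploaded
    key2, src = gw_a.resolve_session_key("T-0001"); trace.append(src)   # served from gw-a's local store
    key3, src = gw_b.resolve_session_key("T-0001"); trace.append(src)   # gw-b finds it on the server
    rogue = gw_b.resolve_session_key("T-9999")                          # unknown terminal: None
    return trace, key1 == key2 == key3, rogue


if __name__ == "__main__":
    print(run_demo())
```

The point the trace makes is the reliability claim of the patent: when traffic for a terminal fails over from one gateway to another, the second gateway does not have to rerun the authentication and negotiation handshake. The flip side for a defender is that the key sharing server now holds every active session key, so the channel between gateways and that server, and the server itself, need the same level of protection as the gateways' cryptographic units; the patent's hierarchical key protection mechanism is what addresses that.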
如图4所示,本发明一实施方式的安全加密隔离网关分别与采集前置和通信前置通信连接,该安全加密隔离网关包括:内网处理单元;外网处理单元;和隔离交换单元以及密码处理单元。外网处理单元连接用采系统的外部网络,内网处理单元连接用采系统内网。外网处理单元和内网处理单元配置双网卡分别处于不同的VLAN,中间通过隔离交换单元进行应用层数据净荷的传递。从而使得用采系统内部重要网段与外部网络可靠地逻辑隔离,降低边界入侵的风险。电力专用安全加密隔离网关的密码运算单元提供基于国密算法的密码服务,并以此为基础实现装置对采集终端的身份认证、装置与采集终端之间的会话密钥协商、装置与采集终端之间敏感报文加密。As shown in Figure 4, the security encryption isolation gateway of an embodiment of the present invention is respectively connected with the acquisition front-end and the communication front-end communication, and the security encryption isolation gateway includes: an internal network processing unit; an external network processing unit; and an isolation exchange unit and Cryptographic processing unit. The external network processing unit is connected to the external network of the mining system, and the internal network processing unit is connected to the internal network of the mining system. The external network processing unit and the internal network processing unit are configured with dual network cards in different VLANs, and the application layer data payload is transmitted through the isolation switching unit in the middle. Therefore, the important internal network segments of the mining system are logically isolated from the external network, reducing the risk of border intrusion. The cryptographic operation unit of the power-specific security encryption isolation gateway provides cryptographic services based on the national secret algorithm, and based on this, realizes the identity authentication of the device to the collection terminal, the session key negotiation between the device and the collection terminal, and the communication between the device and the collection terminal. Sensitive message encryption.
隔离交换单元位于内网处理单元和外网处理单元之间,采用硬件实现确保内外网安全隔离;密码处理单元位于隔离交换单元上侧,为隔离交换单元流过式处理提供密码服务;外网数据经过密码处理单元密码校验及解密处理后才能进入内网单元,有效防止内网遭受来自外网的攻击。The isolation switching unit is located between the internal network processing unit and the external network processing unit, and hardware is used to ensure the security isolation of the internal and external network; the password processing unit is located on the upper side of the isolation switching unit, and provides password services for the flow-through processing of the isolation switching unit; external network data Only after password verification and decryption processing by the password processing unit can it enter the internal network unit, effectively preventing the internal network from being attacked from the external network.
To achieve physical isolation of the internal and external networks, each of the two networks has one network isolation interface, implemented with an isolation card that communicates with its own backplane through a PCIE8X interface. The isolation cards exchange and forward data with each other through optical ports at a forwarding rate of 2.4 Gbps. Each isolation card is an FPGA design comprising a hardware DMA controller, an isolation data storage area, an isolation exchange control unit and a PCIE IP core. Fig. 5 is a schematic diagram of the physical composition of an isolation card according to one embodiment of the present invention. As shown in the figure, the isolation card includes: a hardware DMA controller 501, an isolation data storage area 502, an isolation exchange control unit 503, and a PCIE IP core 504.
A transport-layer encrypted channel is established between the gateway and the terminal. It encapsulates, encrypts and integrity-protects the power consumption information acquisition protocol exchanged between the acquisition server and the terminal, so that the application protocol and business data are invisible on the public network and the SAL protocol cannot be used to attack the master station. Fig. 6 is a schematic diagram of the SAL encapsulation format according to one embodiment of the present invention. As shown in Fig. 6, the encapsulation and encryption steps are: SAL encapsulation; encryption; adding a SAL header before and a SAL tail after the ciphertext; the SAL tail carries the integrity check over the whole message. The decryption and decapsulation steps are: two verification computations, on the header and on the tail, to confirm the integrity of the message; then decryption of the application data together with computation and verification of the CRC of the application data. Passing this verification shows both that decryption was correct and that the message came from a legitimate terminal.
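A runnable model of the SAL envelope and its two-stage check, added here as an illustration; it is not the patent's own code and Fig. 6 is not reproduced. The header layout and field sizes are assumed, and the SM-based primitives the patent leaves unspecified are replaced by stand-ins: an HMAC-SHA256 tail over header and ciphertext, and an HMAC-derived counter-mode keystream as the cipher. It shows why the tail must be checked before anything is decrypted, and how the inner CRC catches decryption under a wrong session key.

```python
"""Constructed SAL-style envelope: header | ciphertext(app_data + CRC32) | tail."""
import hashlib
import hmac
import os
import struct
import zlib

MAGIC = b"SL"      # hypothetical SAL header marker (assumed, not from the patent)
VERSION = 1
HDR_LEN = 2 + 3 + 16   # magic + (version, ciphertext length) + 16-byte IV
TAG_LEN = 32           # HMAC-SHA256 tail, stand-in for the patent's SM-based check


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (demonstration only)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def sal_encapsulate(enc_key: bytes, mac_key: bytes, app_data: bytes, iv: bytes = None) -> bytes:
    """SAL encapsulation: CRC inside the plaintext, encrypt, then header + tail around it."""
    iv = os.urandom(16) if iv is None else iv
    assert len(iv) == 16, "IV must be 16 bytes"
    # Inner CRC32 is appended to the application data before encryption.
    inner = app_data + struct.pack(">I", zlib.crc32(app_data))
    ciphertext = _xor(inner, _keystream(enc_key, iv, len(inner)))
    header = MAGIC + struct.pack(">BH", VERSION, len(ciphertext)) + iv
    # Tail authenticates header and ciphertext with the negotiated session MAC key.
    tail = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tail


def sal_decapsulate(enc_key: bytes, mac_key: bytes, frame: bytes):
    """Two-stage check (header, then tail), then decrypt and verify the inner CRC.

    Returns (app_data, "ok") or (None, reason)."""
    # Check 1: header sanity and declared length must match the received frame.
    if len(frame) < HDR_LEN + 4 + TAG_LEN or frame[:2] != MAGIC:
        return None, "bad header"
    version, clen = struct.unpack(">BH", frame[2:5])
    if version != VERSION or clen < 4 or len(frame) != HDR_LEN + clen + TAG_LEN:
        return None, "bad length"
    header = frame[:HDR_LEN]
    ciphertext = frame[HDR_LEN:HDR_LEN + clen]
    tail = frame[HDR_LEN + clen:]
    # Check 2: verify the tail over header + ciphertext BEFORE decrypting anything.
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tail):
        return None, "tail check failed"
    iv = header[5:21]
    inner = _xor(ciphertext, _keystream(enc_key, iv, clen))
    app_data, crc = inner[:-4], struct.unpack(">I", inner[-4:])[0]
    # Inner CRC only confirms the decryption itself; origin is vouched for by the tail.
    if zlib.crc32(app_data) != crc:
        return None, "crc mismatch"
    return app_data, "ok"


if __name__ == "__main__":
    ek, mk = b"\x01" * 16, b"\x02" * 16          # constructed session keys
    frame = sal_encapsulate(ek, mk, b"read meter 0042")
    print(sal_decapsulate(ek, mk, frame))
```

A tail computed with the wrong MAC key or a flipped ciphertext byte is rejected before decryption, while a correct tail with the wrong encryption key fails only at the CRC stage.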
As shown in Fig. 7, terminal identity authentication and key negotiation in one embodiment of the present invention proceed as follows, taking the uplink direction as an example. When the terminal needs to send information to the internal network, it first sends a login message 701; after receiving the login message, the acquisition device sends a login response message 702; after receiving the login response message 702, the terminal begins the handshake. The handshake comprises: sending a session establishment request message 703 to the sending terminal; the sending terminal judging the identity of the security gateway on the basis of the session establishment request message; if the security gateway is judged to be a legitimate security gateway, the sending terminal sending a session establishment response message 704; the security gateway verifying the signature on the session establishment response message; if the sending terminal is judged to be a legitimate user, sending a key negotiation request message 705 to the sending terminal; and, after the key negotiation request message has been received, the sending terminal sending a key negotiation response message 706.
As shown in Fig. 8, the key sharing system of a preferred embodiment of the present invention comprises a gateway A, a gateway B, a terminal and a key sharing server. The terminal negotiates a key with gateway A, and gateway A uploads the negotiated key to the key sharing server. When gateway A fails, another gateway B can request the key from the key sharing server and authenticate the terminal. Through this key sharing mechanism the gateway service achieves "balanced load distribution, shared backup, survivability and seamless continuation", which improves the overall availability and reliability of the system.
The power-specific security encryption isolation gateway of the present invention uses an independently designed ASIC hardware isolation card to achieve physical network isolation between the internal and external networks. To provide security protection and network isolation for massive, highly concurrent business data at high speed, the internal and external network hosts use Intel multi-CPU, multi-core high-performance Xeon hardware platforms; the software architecture adopts a multi-threaded parallel execution mechanism suited to the multi-core platform and uses thread pools, multiple buffers and asynchronous processing to achieve high-speed, highly concurrent processing of business data.
The power-specific security encryption isolation gateway adopts the latest I/O technology and uses the high-speed data exchange capability of PCIE GEN3 to reach the data processing rate that high concurrency requires: the network interface communicates with the outside through a 10-gigabit fibre-optic network card; the isolation exchange unit connects to the internal and external network hosts through a PCIE GEN3X8 interface, providing high-speed data ferrying between the internal and external hosts; and the cryptographic operation unit connects to the internal host through a PCIE GEN3X8 interface, performing cryptographic operations and processing on highly concurrent data at high speed.
The cryptographic operation unit has a parallel, redundant design: each internal network host is fitted with multiple cryptographic operation units, and a scheduling algorithm designed for high concurrency dispatches work to them in parallel, making full use of their hardware computing capacity. The power-specific security encryption isolation device is equipped with multiple SM1 algorithm chips, and a software module for parallel algorithm invocation has been developed on the cryptographic operation module. The algorithm chips operate in an asynchronous invocation mode; the parallel invocation module queries the busy/idle state of each chip in real time, allocates cryptographic operations according to that state, and maintains the correspondence between each chip's response messages and the corresponding request messages. Through this cooperation of hardware and software, local SM1 invocation reaches a rate of around 3 Gbit/s.
Those skilled in the art will understand that the embodiments of the present application may be provided as methods, systems or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and any combination of processes and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing apparatus to produce a machine, such that the instructions executed by that processor produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means that implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus, causing a series of operational steps to be performed on it to produce a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
The foregoing description of specific exemplary embodiments of the present invention has been presented for purposes of illustration and description. It is not intended to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The exemplary embodiments were chosen and described in order to explain the specific principles of the invention and its practical application, thereby enabling others skilled in the art to make and use various exemplary embodiments of the invention as well as various alternatives and modifications. The scope of the invention is intended to be defined by the claims and their equivalents.
Claims (9)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810794868.1A CN108810023A (en) | 2018-07-19 | 2018-07-19 | Safe encryption method, key sharing method and safety encryption isolation gateway |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN108810023A true CN108810023A (en) | 2018-11-13 |
Family
ID=64077492
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810794868.1A Pending CN108810023A (en) | 2018-07-19 | 2018-07-19 | Safe encryption method, key sharing method and safety encryption isolation gateway |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108810023A (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102037707A (en) * | 2008-04-07 | 2011-04-27 | 交互数字专利控股公司 | Secure session key generation |
| CN102882688A (en) * | 2012-10-24 | 2013-01-16 | 北京邮电大学 | Lightweight authentication and key agreement protocol applicable to electric information acquisition |
| US20130145149A1 (en) * | 2011-12-02 | 2013-06-06 | Kabushiki Kaisha Toshiba | Authentication device, authentication method and computer readable medium |
| CN104038931A (en) * | 2014-05-23 | 2014-09-10 | 国家电网公司 | LTE (Long Term Evolution) network based power distribution and utilization communication system and communication method thereof |
| CN105763542A (en) * | 2016-02-02 | 2016-07-13 | 国家电网公司 | Device and method of encryption and authentication for distribution terminal serial port communication |
| CN105871873A (en) * | 2016-04-29 | 2016-08-17 | 国家电网公司 | Security encryption authentication module for power distribution terminal communication and method thereof |
| CN106941494A (en) * | 2017-03-30 | 2017-07-11 | 中国电力科学研究院 | A kind of security isolation gateway and its application method suitable for power information acquisition system |
| CN107018134A (en) * | 2017-04-06 | 2017-08-04 | 北京中电普华信息技术有限公司 | A kind of distribution terminal secure accessing platform and its implementation |
2018
- 2018-07-19 CN CN201810794868.1A patent/CN108810023A/en active Pending
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110267266A (en) * | 2019-07-19 | 2019-09-20 | 中国铁路总公司 | An Improved Safety Data Interaction Method of Train Control System |
| CN112650990A (en) * | 2019-10-10 | 2021-04-13 | 百度(美国)有限责任公司 | Method and system for signing artificial intelligence watermark using query |
| CN111294212A (en) * | 2020-05-12 | 2020-06-16 | 广东纬德信息科技股份有限公司 | Security gateway key negotiation method based on power distribution |
| CN112261041A (en) * | 2020-10-21 | 2021-01-22 | 中国科学院信息工程研究所 | A multi-level distributed monitoring and anti-penetration system for power terminals |
| CN112953936A (en) * | 2021-02-18 | 2021-06-11 | 泰州中科树人信息科技有限公司 | Encrypted video playing technology based on ZKSR protocol |
| CN113746861A (en) * | 2021-09-13 | 2021-12-03 | 南京首传信安科技有限公司 | Data transmission encryption and decryption method and encryption and decryption system based on state encryption technology |
| CN114125027A (en) * | 2021-11-24 | 2022-03-01 | 上海派拉软件股份有限公司 | Communication establishing method and device, electronic equipment and storage medium |
| CN114125027B (en) * | 2021-11-24 | 2024-04-05 | 上海派拉软件股份有限公司 | Communication establishment method and device, electronic equipment and storage medium |
| CN114554485A (en) * | 2021-12-22 | 2022-05-27 | 卓望数码技术(深圳)有限公司 | Asynchronous session key negotiation and application method, system, electronic device and medium |
| CN114554485B (en) * | 2021-12-22 | 2024-03-12 | 卓望数码技术(深圳)有限公司 | Asynchronous session key negotiation and application method, system, electronic equipment and medium |
| CN114389884B (en) * | 2022-01-14 | 2023-11-24 | 北京光润通科技发展有限公司 | Single-port Ethernet isolation card and isolation method thereof |
| CN114389884A (en) * | 2022-01-14 | 2022-04-22 | 北京光润通科技发展有限公司 | Single-port Ethernet isolation card and isolation method thereof |
| CN114629746A (en) * | 2022-03-21 | 2022-06-14 | 南京十方网络科技有限公司 | Data security gateway based on hardware |
| CN115801388A (en) * | 2022-11-11 | 2023-03-14 | 中国联合网络通信集团有限公司 | Message transmission method, device and storage medium |
| CN115801388B (en) * | 2022-11-11 | 2024-04-09 | 中国联合网络通信集团有限公司 | Message transmission method, device and storage medium |
| CN118692638A (en) * | 2024-06-04 | 2024-09-24 | 武汉美捷科技有限公司 | A medical insurance communication gateway algorithm and system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108810023A (en) | | Safe encryption method, key sharing method and safety encryption isolation gateway |
| CN112073375B (en) | | An isolation device and isolation method suitable for the client side of the power Internet of Things |
| CN109842585B (en) | | Network information security protection unit and protection method for industrial embedded system |
| EP3286896B1 (en) | | Scalable intermediate network device leveraging ssl session ticket extension |
| CN102801695B (en) | | Virtual private network communication device and data packet transmission method thereof |
| CN202856781U (en) | | Industrial control system main station safety device |
| CN111447276B (en) | | Encryption continuous transmission method with key agreement function |
| US9002016B2 (en) | | Rekey scheme on high speed links |
| CN106941494A (en) | | A kind of security isolation gateway and its application method suitable for power information acquisition system |
| CN110636052B (en) | | Electricity data transmission system |
| CN101651597B (en) | | A Deployment Method of IPSec-VPN in Address Separation Mapping Network |
| CN107172020A (en) | | A kind of network data security exchange method and system |
| CN101299665A (en) | | Message processing method, system and apparatus |
| CN108810011A (en) | | A kind of universal network secure accessing sound zone system and message processing method suitable for power private network |
| CN100499451C (en) | | Network communication safe processor and its data processing method |
| CN107181716A (en) | | A kind of secure communication of network system and method based on national commercial cipher algorithm |
| CN113572766A (en) | | Power data transmission method and system |
| CN110266725A (en) | | Password security isolation module and mobile office security system |
| CN110417706A (en) | | A kind of safety communicating method based on interchanger |
| CN211352206U (en) | | IPSec VPN cryptographic machine based on quantum key distribution |
| CN103763301A (en) | | System employing ppp protocol packaging-based IPsec frame structure and method |
| CN103139189A (en) | | Internet protocol security (IPSec) tunnel sharing method, IPSec tunnel sharing system and IPSec tunnel sharing equipment |
| CN117615371A (en) | | Safety communication system based on national cryptographic algorithm |
| CN114501143B (en) | | Video security access method and system based on port selective encryption |
| CN114007283A (en) | | A secure access gateway for smart community data security |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20181113 |