CN109743174A - The monitoring and managing method that electric power monitoring security management and control system program updates - Google Patents
The monitoring and managing method that electric power monitoring security management and control system program updates Download PDFInfo
- Publication number
- CN109743174A CN109743174A CN201811568756.0A CN201811568756A CN109743174A CN 109743174 A CN109743174 A CN 109743174A CN 201811568756 A CN201811568756 A CN 201811568756A CN 109743174 A CN109743174 A CN 109743174A
- Authority
- CN
- China
- Prior art keywords
- network security
- monitoring
- security management
- file
- supervision
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Abstract
The present invention relates to the monitoring and managing methods that a kind of electric power monitoring security management and control system program updates, and generate supervision data file in network security monitoring device side;By digital encryption, digital signature technology and two-way resisting denying algorithm, supervision data file is transferred to network security management platform in a manner of safe and reliable resisting denying bidirectional identity authentication;Checkout code file is generated in network security management platform side;It is calculated in the verification that network security management platform side carries out checkout code file, identifies the program of network security monitoring device, whether the update operation information of system configuration is legal and automatically records.The present invention realizes the supervision to program, configuration modification in network security monitoring device;It can need to carry out safety certification before verifying data transmission, improve to the device software of electric power monitoring security management and control system by the accuracy and safety of illegal or malicious modification monitoring result to avoid security risk of the network security monitoring device in system communication.
Description
Technical field
The invention belongs to electric system embedded device technology field more particularly to a kind of electric power monitoring security management and control systems
The monitoring and managing method that program updates.
Background technique
Electric power monitoring security management and control system specifically includes that network security management platform, network security monitoring device, monitoring pair
As monitoring object includes: Dispatching Control System, monitoring system of electric substation, power plant monitoring system, electrical power distribution automatization system, bears
Lotus control system etc..As shown in Figure 1, being the configuration diagram of electric power monitoring security management and control system.Felt by monitoring object itself
Know, the mode of the acquisition of network security monitoring device, network security management platform control, realizes electric system, equipment and communication network
The safe operation of network is managed.Network security monitoring device uses Embedded System Design, realize to the acquisition of the data of monitoring object,
Analysis processing, and processing result is notified into network security management platform.
Network attack person can method by distorting the program in network security monitoring device, insertion malicious code repairs
Change or delete safety monitoring program, obtains or modify the key message of user, bring peace to electric power monitoring security management and control system
Full hidden danger.In addition, in field of power system, to optimize equipment application software function, technical staff can often carry out program additions and deletions,
The operation that the programs such as system configuration update is modified, this artificial operation also lacks effective safety supervision mechanism, network security
Whether management platform can not be illegally modified when recognizer update, bring to power system stability operation greatly safe hidden
Suffer from.
For the safety for ensuring grid, avoids network security monitoring device configurator from being illegally modified, need to electricity
Power equipment application software version carries out regularly scanned for checkout.Simultaneously in order to ensure the safety of verification data, need to verification
Data are transferred to network security management platform in a secure manner.
Summary of the invention
In order to solve the above technical problems, the invention proposes the supervision that a kind of electric power monitoring security management and control system program updates
Method, by increasing the function of program periodic check, the verification of logging program and configuration file in network security monitoring device
Information of check code is transmitted to network security management platform by reliable transmission means and carries out check code verification, identification by code information
Program version is normal update or illegal or malicious modification, realizes anti-to the program in network security monitoring device illegal or evil
The purpose that meaning is distorted.The technical solution adopted in the present invention is as follows:
The monitoring and managing method that electric power monitoring security management and control system program updates, comprising the following steps:
Step 1 generates supervision data file in network security monitoring device side;
Step 2 passes through digital encryption, digital signature technology and two-way resisting denying algorithm, will supervise data file with safety
Reliable resisting denying bidirectional identity authentication mode is transferred to network security management platform;
Step 3 generates checkout code file in network security management platform side;
Step 4 is calculated in the verification that network security management platform side carries out checkout code file, identification network security monitoring dress
Whether the update operation information of the program, system configuration set is legal and automatically records.
Beneficial effects of the present invention:
1) supervision to program, configuration modification in network security monitoring device, monitoring network safety monitoring may be implemented
Whether device software program has update;
2) it can need to carry out before verifying data transmission to avoid security risk of the network security monitoring device in system communication
Safety certification, the authentication mode that first hash is signed again can guarantee integrality and non-repudiation simultaneously, in network security management platform
There is resisting denying evidence recording unit, each of communication process step all forms electronic evidence and records, and sender and connects
Debit extracts incidental information from the order and response message being respectively received respectively, extracts undeniably from incidental information again
Evidence, by resisting denying technology information of check code transmission in application, raising electric power monitoring security management and control system is set
Standby software is by the accuracy and safety of illegal or malicious modification monitoring result.
Detailed description of the invention
Fig. 1 is the configuration diagram of electric power monitoring security management and control system;
Fig. 2 is the overall logic flow diagram of the embodiment of the present invention;
Fig. 3 is the bidirectional safe identifying procedure schematic diagram of the embodiment of the present invention.
Specific embodiment
With reference to the accompanying drawing, embodiments of the present invention are illustrated.
As shown in Fig. 2, being the overall logic flow diagram of the embodiment of the present invention.Electric power monitoring security management and control system program is more
New monitoring and managing method, comprising the following steps:
Step 1 generates supervision data file in network security monitoring device side, and detailed process is as follows:
S1.1, network security management platform are sent to the version management module of network security monitoring device generates supervision data
The instruction of file;
S1.2, network security monitoring device side version management module read network security monitoring device system configuration text
Part, and single executable file, dynamic link library and system configuration file to be verified are scanned, generate supervision data text
Part.
Step 2 passes through digital encryption, digital signature technology and two-way resisting denying algorithm, will supervise data file with safety
Reliable resisting denying bidirectional identity authentication mode is transferred to network security management platform.After bidirectional identity authentication success, network peace
Full monitoring device transmits supervision data file to network security management platform.The concrete methods of realizing of resisting denying bidirectional identity authentication
It is as follows:
Encrypted card is integrated on network security monitoring device hardware, encrypted card supports data encryption, digital signature technology.For
It is more convenient, quickly and easily illustrate a specific embodiment of the invention, in the operating procedure of the present embodiment, network security is monitored
Device is named as A, and network security management platform is named as B, and supervision data file is named as data M.As shown in figure 3, being
The bidirectional safe identifying procedure schematic diagram of the embodiment of the present invention realizes the specific steps of resisting denying bidirectional identity authentication transmission such as
Under:
S2.1, A carry out SM3 to " data M " and " A abstract " are calculated, and carry out SM2 label using the private key of A to " A abstract "
Name, obtains " A signature value ".
SM3 is the hash algorithm standard of national Password Management office publication, is mainly used for digital signature and verifying, message authentication
Code generation and verifying, generating random number etc..SM2 is the ellipse curve public key cipher algorithm of national Password Management office publication.
S2.2, A carry out SM4 symmetric cryptography to " data M+A abstract+A signature value ", and encrypted data is sent to B.
SM4 in the close serial algorithm of state is symmetric block cipher algorithm, for carrying out to message in information security field
Encryption, protects the privacy of message.
After S2.3, B receive data, SM4 decryption is carried out, " data M+A abstract+A signature value " is obtained;
S2.4, B carry out SM3 abstract operation to " data M ", are verified with " A abstract ", verify its integrality;Integrality
After being verified, mirror label are carried out using the public key of A to " A abstract ";Confirm the identity of A;If verifying does not pass through, system output
Safety certification unsuccessfully alerts, and generation error log, supervision flow terminate.
After S2.5, B mirror are signed successfully, SM3 abstract operation is carried out to " A signature value " and obtains " B abstract ", uses the private key pair of B
" B abstract " carries out SM2 signature, obtains " B signature value ";
S2.6, B are sent to A after " A signature value+B abstract+B signature value " is carried out SM4 symmetric cryptography;
S2.7, A carry out SM4 decryption after receiving the data that B is sent, and obtain " A signature value+B abstract+B signature value ", A pairs
" A signature value " carries out SM3 abstract operation, is verified with " B abstract ", confirms integrality;After completeness check passes through, A uses B
Public key to " B abstract " carry out SM2 mirror label, confirm the identity of B;If verifying does not pass through, system output safety authentification failure
Alarm, and generation error log, supervision flow terminate.
If S2.8, A mirror signs successfully and to obtain the A signature value of foldback equal with oneself transmission A signature value before,
Bidirectional identity authentication success, A and B formally establish session, A and send supervision data file to B;Otherwise, system output safety authenticates
Failure alarm, simultaneously generation error log, supervision flow terminate.
Step 3 generates checkout code file in network security management platform side, and specific method is: starting calculation procedure module
It is calculated by MD5 hash algorithm and generates checkout code file.
The checkout code file is passed through as unit of single executable file, dynamic link library and system configuration file
MD5 hash algorithm, which calculates, to be generated.MD5 hash algorithm is by entire file as a big text information, irreversible by its
Character string converts algorithm, produces this unique MD5 informative abstract.MD5 algorithm is just as a function, any one binary system
String all can serve as independent variable into this " function ", then can come out the binary string for being fixed as 128.
The function of MD5 hash algorithm: inputting the information of random length, by processing, exports the information (number for 128
Fingerprint);The different results (uniqueness) that different inputs obtains;Input can not be instead released according to 128 output results
Information (irreversible).
The purposes of MD5 hash algorithm: the first, it prevents from being tampered: 1) such as sending an electronic document, before transmission, first
To the output result a of MD5.Then after other side receives electronic document, other side also obtains the output result b of a MD5.If a
Midway is just represented as b to be not tampered with.2) file download is such as provided, criminal adds in installation procedure in order to prevent
Wooden horse can be announced on website and export result by the MD5 that installation file obtains.3) SVN detection file whether
It is modified after CheckOut, and has used MD5.
The second, prevent from being immediately seen in plain text: many websites are all deposited when the password of database purchase user now
Store up the MD5 value of user password.Even if criminal obtains the MD5 value of the user password of database in this way, user can not be also known
Password.Such as in unix system user password be exactly with MD5 (or other similar algorithms) it is encrypted after be stored in text
In part system.When user logs in, then the cryptographic calculations that system inputs user remove and are stored in again text at MD5 value
MD5 value in part system is compared, and then determines whether the password of input is correct.In this way the step of, system is not
The legitimacy of logging in system by user is assured that in the case where the plain code for knowing user password.This not only can be to avoid user's
Password is known by the user with system manager's permission, but also increases the difficulty that password is cracked to a certain extent.
Third prevents from denying (digital signature): this needs a Third Party Authentication mechanism.Such as A has write a file, recognizes
Card mechanism generates summary info to this file MD5 algorithm and makes a record.If it is that he writes that later A, which says this file not, authority
Mechanism need to only regenerate summary info to this file, then be compared with recording summary info on the regular payroll, if identical, just
It is proved to be what A write.Here it is so-called " digital signature ".
Step 4 is calculated in the verification that network security management platform side carries out checkout code file, identification network security monitoring dress
Whether the update operation information of the program, system configuration set is legal and automatically records.
Checkout code file includes the program supervision code of A and the system configuration supervision code of A.After B receives checkout code file, point
It is not compared with the corresponding correct criteria check code being pre-stored in B, if the two is identical, illustrates the program of B
Or system configuration is not distorted illegally, if the two is different, illustrates that the program of B or system configuration are illegally distorted.Verification prison
Pipe result is achieved in B, and resisting denying evidence is saved in the resisting denying evidence recording unit of B.
Claims (8)
1. the monitoring and managing method that electric power monitoring security management and control system program updates, which comprises the following steps:
Step 1 generates supervision data file in network security monitoring device side;
Step 2 passes through digital encryption, digital signature technology and two-way resisting denying algorithm, will supervise data file with safe and reliable
Resisting denying bidirectional identity authentication mode be transferred to network security management platform;
Step 3 generates checkout code file in network security management platform side;
Step 4 is calculated in the verification that network security management platform side carries out checkout code file, identification network security monitoring device
Program, whether the update operation information of system configuration is legal and automatically records.
2. the monitoring and managing method that electric power monitoring security management and control system program according to claim 1 updates, which is characterized in that packet
The detailed process of generation supervision data file described in including 1 is as follows:
S1.1, network security management platform are sent to the version management module of network security monitoring device generates supervision data file
Instruction;
S1.2, network security monitoring device side version management module read network security monitoring device system configuration file,
And single executable file, dynamic link library and system configuration file to be verified are scanned, generate supervision data file.
3. the monitoring and managing method that electric power monitoring security management and control system program according to claim 1 or 2 updates, feature exist
In, network security monitoring device is named as A, network security management platform is named as B, will supervision data file be named as number
According to M, supervision data file is transferred to network security in a manner of safe and reliable resisting denying bidirectional identity authentication described in step 2
Managing platform, specific step is as follows:
S2.1, A carry out SM3 to data M and A abstract are calculated, and carry out SM2 signature using the private key of A to A abstract, obtain A signature
Value;
S2.2, A carry out SM4 symmetric cryptography to data M+A abstract+A signature value, and encrypted data is sent to B;
After S2.3, B receive data, SM4 decryption is carried out, data M+A abstract+A signature value is obtained;
S2.4, B carry out SM3 abstract operation to data M, carry out verification with A abstract and verify its integrality, integrity verification passes through
Afterwards, the identity made a summary to A and carry out mirror label using the public key of A, confirm A;If integrity verification does not pass through, system output safety
Authentification failure alarm, simultaneously generation error log, supervision flow terminate;
After S2.5, B mirror are signed successfully, SM3 abstract operation is carried out to A signature value and obtains B abstract, is made a summary and is carried out to B using the private key of B
SM2 signature, obtains B signature value;
S2.6, B are sent to A after A signature value+B abstract+B signature value is carried out SM4 symmetric cryptography;
S2.7, A carry out SM4 decryption after receiving the data that B is sent, and obtain A signature value+B abstract+B signature value, A is to A signature value
SM3 abstract operation is carried out, carries out verification confirmation integrality with B abstract, after completeness check passes through, A plucks B using the public key of B
SM2 mirror label are carried out, confirm the identity of B;If verifying does not pass through, system output safety authentification failure alerts and generates mistake
Accidentally log, supervision flow terminate;
If S2.8, A mirror signs successfully and to obtain the A signature value of foldback equal with oneself transmission A signature value before, two-way
Authentication success, A and B formally establish session, A and send supervision data file to B;Otherwise, system output safety authentification failure
Alarm and generation error log, supervision flow terminate.
4. the monitoring and managing method that electric power monitoring security management and control system program according to claim 3 updates, which is characterized in that net
Encrypted card is integrated on network safety monitoring assembly hardware, encrypted card supports data encryption, digital signature technology.
5. the monitoring and managing method that electric power monitoring security management and control system program according to claim 4 updates, which is characterized in that step
Generating checkout code file specific method in network security management platform side described in rapid 3 is: starting calculation procedure module passes through MD5
Hash algorithm, which calculates, generates checkout code file.
6. the monitoring and managing method that electric power monitoring security management and control system program according to claim 5 updates, which is characterized in that institute
The checkout code file stated passes through MD5 hash algorithm as unit of single executable file, dynamic link library and system configuration file
It calculates and generates.
7. the monitoring and managing method that electric power monitoring security management and control system program according to claim 6 updates, which is characterized in that step
It is in the specific method that the verification that network security management platform side carries out checkout code file calculates described in rapid 4:
Checkout code file includes the program supervision code of A and the system configuration supervision code of A, after B receives checkout code file, respectively will
It is compared with the corresponding correct criteria check code being pre-stored in B, if the two is identical, illustrates the program of B or is
Under unified central planning set is not distorted illegally, if the two is different, illustrates that the program of B or system configuration are illegally distorted.
8. the monitoring and managing method that electric power monitoring security management and control system program according to claim 7 updates, which is characterized in that school
It tests supervision result to achieve in B, resisting denying evidence is stored in the resisting denying evidence recording unit of B.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811568756.0A CN109743174A (en) | 2018-12-21 | 2018-12-21 | The monitoring and managing method that electric power monitoring security management and control system program updates |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811568756.0A CN109743174A (en) | 2018-12-21 | 2018-12-21 | The monitoring and managing method that electric power monitoring security management and control system program updates |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN109743174A true CN109743174A (en) | 2019-05-10 |
Family
ID=66360988
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811568756.0A Pending CN109743174A (en) | 2018-12-21 | 2018-12-21 | The monitoring and managing method that electric power monitoring security management and control system program updates |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109743174A (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110298145A (en) * | 2019-06-28 | 2019-10-01 | 兆讯恒达微电子技术(北京)有限公司 | A kind of firmware program loading guard method based on public key cryptography algorithm |
| CN110311889A (en) * | 2019-05-17 | 2019-10-08 | 中国电力科学研究院有限公司 | A method of verifying intelligent distribution transformer terminals APP validity |
| CN112613033A (en) * | 2020-12-15 | 2021-04-06 | 北京鼎普科技股份有限公司 | Method and device for safely calling executable file |
| WO2021184712A1 (en) * | 2020-03-20 | 2021-09-23 | 株洲中车时代电气股份有限公司 | Software upgrading method and device |
| CN114567668A (en) * | 2022-03-07 | 2022-05-31 | 桔帧科技(江苏)有限公司 | Data tampering monitoring method based on iNotify real-time response |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104298933A (en) * | 2014-10-17 | 2015-01-21 | 浪潮(北京)电子信息产业有限公司 | Configuration information safety processing method and system |
| CN105915347A (en) * | 2016-04-19 | 2016-08-31 | 梅照付 | Control method for power electric wireless transmission device |
| CN107046531A (en) * | 2017-03-06 | 2017-08-15 | 国网湖南省电力公司 | The data processing method and system of the data access Power Information Network of monitoring terminal |
| CN107147688A (en) * | 2017-03-17 | 2017-09-08 | 中国电力科学研究院 | A kind of system configuration utility and the two-way check interactive approach of model cloud system and system |
| CN107451468A (en) * | 2017-07-14 | 2017-12-08 | 杭州谷逸网络科技有限公司 | A kind of safety on line detection implementation method of control device |
| CN107656749A (en) * | 2017-09-26 | 2018-02-02 | 国网江苏省电力公司 | A kind of device version management-control method and device |
| CN107766724A (en) * | 2017-10-17 | 2018-03-06 | 华北电力大学 | A kind of construction method of trusted computer platform software stack function structure |
| US20180152463A1 (en) * | 2014-04-08 | 2018-05-31 | Capital One Financial Corporation | System and method for malware detection using hashing techniques |
| CN108270806A (en) * | 2016-12-30 | 2018-07-10 | 航天信息股份有限公司 | A kind of more application upgrade method and systems |
-
2018
- 2018-12-21 CN CN201811568756.0A patent/CN109743174A/en active Pending
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20180152463A1 (en) * | 2014-04-08 | 2018-05-31 | Capital One Financial Corporation | System and method for malware detection using hashing techniques |
| CN104298933A (en) * | 2014-10-17 | 2015-01-21 | 浪潮(北京)电子信息产业有限公司 | Configuration information safety processing method and system |
| CN105915347A (en) * | 2016-04-19 | 2016-08-31 | 梅照付 | Control method for power electric wireless transmission device |
| CN108270806A (en) * | 2016-12-30 | 2018-07-10 | 航天信息股份有限公司 | A kind of more application upgrade method and systems |
| CN107046531A (en) * | 2017-03-06 | 2017-08-15 | 国网湖南省电力公司 | The data processing method and system of the data access Power Information Network of monitoring terminal |
| CN107147688A (en) * | 2017-03-17 | 2017-09-08 | 中国电力科学研究院 | A kind of system configuration utility and the two-way check interactive approach of model cloud system and system |
| CN107451468A (en) * | 2017-07-14 | 2017-12-08 | 杭州谷逸网络科技有限公司 | A kind of safety on line detection implementation method of control device |
| CN107656749A (en) * | 2017-09-26 | 2018-02-02 | 国网江苏省电力公司 | A kind of device version management-control method and device |
| CN107766724A (en) * | 2017-10-17 | 2018-03-06 | 华北电力大学 | A kind of construction method of trusted computer platform software stack function structure |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110311889A (en) * | 2019-05-17 | 2019-10-08 | 中国电力科学研究院有限公司 | A method of verifying intelligent distribution transformer terminals APP validity |
| CN110298145A (en) * | 2019-06-28 | 2019-10-01 | 兆讯恒达微电子技术(北京)有限公司 | A kind of firmware program loading guard method based on public key cryptography algorithm |
| WO2021184712A1 (en) * | 2020-03-20 | 2021-09-23 | 株洲中车时代电气股份有限公司 | Software upgrading method and device |
| CN112613033A (en) * | 2020-12-15 | 2021-04-06 | 北京鼎普科技股份有限公司 | Method and device for safely calling executable file |
| CN114567668A (en) * | 2022-03-07 | 2022-05-31 | 桔帧科技(江苏)有限公司 | Data tampering monitoring method based on iNotify real-time response |
| CN114567668B (en) * | 2022-03-07 | 2024-05-07 | 桔帧科技(江苏)有限公司 | Data tampering monitoring method based on iNotify real-time response |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109743174A (en) | The monitoring and managing method that electric power monitoring security management and control system program updates | |
| CN106330850B (en) | Security verification method based on biological characteristics, client and server | |
| CN105099705B (en) | A kind of safety communicating method and its system based on usb protocol | |
| CN106416123A (en) | Password-based authentication | |
| CN103095456A (en) | Method and system for processing transaction messages | |
| CN103067402A (en) | Method and system for digital certificate generation | |
| CN107995148B (en) | File tamper-proofing method, system, terminal and trusted cloud platform | |
| TWM623435U (en) | System for verifying client identity and transaction services using multiple security levels | |
| CN109474419A (en) | A kind of living body portrait photo encryption and decryption method and encrypting and deciphering system | |
| CN111435913A (en) | Identity authentication method and device for terminal of Internet of things and storage medium | |
| CN111435390A (en) | Safety protection method for operation and maintenance tool of power distribution terminal | |
| US11743053B2 (en) | Electronic signature system and tamper-resistant device | |
| CN111540093A (en) | Access control system and control method thereof | |
| CN109829722B (en) | User identity real-name authentication method of electronic payment system | |
| CN112863017A (en) | Smart community building intercom system dynamic password unlocking device, method, equipment and storage medium | |
| CN110971593A (en) | Database secure network access method | |
| CN109285256A (en) | Computer room based on block chain authentication enter permission give method | |
| CN113518071B (en) | Robot sensor information security enhancing device and method | |
| CN111435389A (en) | Power distribution terminal operation and maintenance tool safety protection system | |
| CN102281510B (en) | Multi-factor credible identity authenticating method and system for mobile mailbox | |
| CN113869901B (en) | Key generation method, key generation device, computer-readable storage medium and computer equipment | |
| CN113676446B (en) | Communication network safety error-proof control method, system, electronic equipment and medium | |
| CN112202549B (en) | Charging management method, charging terminal data processing method and charging management platform data processing method | |
| CN114495352A (en) | Electronic fund payment system and method based on payment terminal identity authentication control mechanism | |
| CN113852628A (en) | Decentralized single sign-on method, decentralized single sign-on device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190510 |
|
| RJ01 | Rejection of invention patent application after publication |