CN110995427A - Control system key management method and device based on asymmetric encryption - Google Patents

Control system key management method and device based on asymmetric encryption Download PDF

Info

Publication number
CN110995427A
CN110995427A CN201911272040.0A CN201911272040A CN110995427A CN 110995427 A CN110995427 A CN 110995427A CN 201911272040 A CN201911272040 A CN 201911272040A CN 110995427 A CN110995427 A CN 110995427A
Authority
CN
China
Prior art keywords
public key
key
updating
updated
station device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911272040.0A
Other languages
Chinese (zh)
Inventor
陈兴华
李新超
黄立贤
陈锦昌
陈睿
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Original Assignee
Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd filed Critical Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Priority to CN201911272040.0A priority Critical patent/CN110995427A/en
Publication of CN110995427A publication Critical patent/CN110995427A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a control system key management method and device based on asymmetric encryption, computer equipment and a storage medium. The method comprises the following steps: after a key updating condition is met, generating an updated key according to an asymmetric encryption algorithm; the updated key comprises a private key and a public key; storing the updated private key; signing the updated public key by using the private key before updating to generate a public key updating message; sending the public key updating message to the execution station device; and the execution station device performs signature verification on the public key updating message by using the public key before updating, replaces the public key before updating with the updated public key when the signature verification passes, and sends a confirmation message to the master station device. The scheme of the application can improve the safety of the control system.

Description

Control system key management method and device based on asymmetric encryption
Technical Field
The present application relates to the technical field of key security, and in particular, to a method and an apparatus for controlling system key management based on asymmetric encryption, a computer device, and a storage medium.
Background
With the development of key security technology, in a control system, when a master station apparatus transmits command information to an execution station apparatus, the transmitted command information is encrypted and signed by using a private key generated based on an asymmetric encryption algorithm, and after receiving the command information, the execution station apparatus decrypts the command information by using a public key transmitted by the master station apparatus and verifies the signature, and after the verification is passed, the action of the command information is executed. However, when the key is updated, it is easy for a third party platform to intrude into the control system, so that the master station apparatus pretends to transmit a key update command to the execution station apparatus, and the execution station apparatus has difficulty in finding that the command is from the third party platform, and thus the control system has a problem of low security.
Disclosure of Invention
In view of the above, it is necessary to provide a control system key management method, apparatus, computer device and storage medium based on asymmetric encryption, which can improve the security of the control system.
A control system key management method based on asymmetric encryption, which is executed in a master station device, comprises the following steps:
after a key updating condition is met, generating an updated key according to an asymmetric encryption algorithm; the updated key comprises a private key and a public key;
storing the updated private key;
signing the updated public key by using the private key before updating to generate a public key updating message;
sending the public key updating message to an execution station device; and the execution station device uses the public key before updating to carry out signature verification on the public key updating message, replaces the public key before updating with the updated public key when the signature verification is passed, and sends a confirmation message to the master station device.
In one embodiment, the method further comprises the following steps: receiving a public key application message sent by the execution station device when the signature verification fails; and regenerating the public key updating message and sending the public key updating message to the execution station device.
In one embodiment, the key update condition includes: when the status of the master station means and/or the execution station means changes.
In one embodiment, the key update condition includes: when the execution station device acts.
In one embodiment, the key update condition includes: when the state of the communication channel between the master station apparatus and the execution station apparatus changes.
In one embodiment, the key update condition includes: when a preset time is reached or an update command is acquired.
A control system key management method based on asymmetric encryption, which is executed in an executive station device, comprises the following steps:
receiving a public key updating message sent by a master station device; the public key updating message is generated by the master station device according to an asymmetric encryption algorithm after reaching a secret key updating condition, an updated secret key is stored, and the updated public key is signed by using the secret key before updating to generate the public key updating message, wherein the updated secret key comprises the secret key and the public key;
carrying out signature verification on the public key updating message by using a public key before updating;
and when the signature verification passes, replacing the public key before updating with the updated public key, and sending a confirmation message to the master station device.
In one embodiment, the method further comprises the following steps: when the signature verification fails, sending a public key application message to the master station device; and receiving a public key updating message which is regenerated and sent by the master station device.
In one embodiment, the method further comprises the following steps: and when the times of failing to pass the signature verification reach a preset value, using the public key before updating and giving an alarm.
A master station apparatus, characterized in that the apparatus comprises:
the key updating module is used for generating an updated key according to an asymmetric encryption algorithm after the key updating condition is met; the updated key comprises a private key and a public key; the device is also used for storing the updated private key;
the message generation module is used for signing the updated public key by using the private key before updating to generate a public key updating message;
the message sending module is used for sending the public key updating message to the execution station device; and the execution station device uses the public key before updating to carry out signature verification on the public key updating message, replaces the public key before updating with the updated public key when the signature verification is passed, and sends a confirmation message to the master station device.
An execution station apparatus, characterized in that the apparatus comprises:
a message receiving module, configured to receive a public key update message sent by a master station apparatus; the public key updating message is generated by the master station device according to an asymmetric encryption algorithm after reaching a secret key updating condition, an updated secret key is stored, and the updated public key is signed by using the secret key before updating to generate the public key updating message, wherein the updated secret key comprises the secret key and the public key;
the signature verification module is used for performing signature verification on the public key updating message by using a public key before updating;
and the public key replacing module is used for replacing the public key before updating with the public key after updating when the signature passes the verification, and sending a confirmation message to the master station device.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
after a key updating condition is met, generating an updated key according to an asymmetric encryption algorithm; the updated key comprises a private key and a public key;
storing the updated private key;
signing the updated public key by using the private key before updating to generate a public key updating message;
sending the public key updating message to an execution station device; and the execution station device uses the public key before updating to carry out signature verification on the public key updating message, replaces the public key before updating with the updated public key when the signature verification is passed, and sends a confirmation message to the master station device.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
receiving a public key updating message sent by a master station device; the public key updating message is generated by the master station device according to an asymmetric encryption algorithm after reaching a secret key updating condition, an updated secret key is stored, and the updated public key is signed by using the secret key before updating to generate the public key updating message, wherein the updated secret key comprises the secret key and the public key;
carrying out signature verification on the public key updating message by using a public key before updating;
and when the signature verification passes, replacing the public key before updating with the updated public key, and sending a confirmation message to the master station device.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
after a key updating condition is met, generating an updated key according to an asymmetric encryption algorithm; the updated key comprises a private key and a public key;
storing the updated private key;
signing the updated public key by using the private key before updating to generate a public key updating message;
sending the public key updating message to an execution station device; and the execution station device uses the public key before updating to carry out signature verification on the public key updating message, replaces the public key before updating with the updated public key when the signature verification is passed, and sends a confirmation message to the master station device.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
receiving a public key updating message sent by a master station device; the public key updating message is generated by the master station device according to an asymmetric encryption algorithm after reaching a secret key updating condition, an updated secret key is stored, and the updated public key is signed by using the secret key before updating to generate the public key updating message, wherein the updated secret key comprises the secret key and the public key;
carrying out signature verification on the public key updating message by using a public key before updating;
and when the signature verification passes, replacing the public key before updating with the updated public key, and sending a confirmation message to the master station device.
According to the control system key management method and device based on asymmetric encryption, after the key updating condition is met, the updated key is generated according to the asymmetric encryption algorithm, the updated private key is stored, the updated public key is signed by using the private key before updating, a public key updating message is generated and sent to the execution station device. And the execution station device performs signature verification on the public key updating message by using the public key before updating, replaces the public key before updating with the updated public key when the signature verification is passed, and sends a confirmation message to the master station device. In the method, the master station device signs the updated public key by using the private key before updating, and the executive station device verifies the signature of the public key to be issued by using the public key before updating, so that the updated public key is sent from the master station device for establishing communication connection instead of other third party platforms, the devices in the control system can be effectively prevented from being illegally identified or replaced, accidents caused by incorrect actions of the control system are avoided, and the safety of the control system is improved.
Drawings
FIG. 1 is a diagram of an embodiment of a control system;
FIG. 2 is a flow diagram illustrating a method for controlling system key management based on asymmetric encryption in one embodiment;
FIG. 3 is a flow chart illustrating a key management method for a control system based on asymmetric encryption according to another embodiment;
FIG. 4 is a flow chart illustrating a method for controlling system key management based on asymmetric encryption in another embodiment;
FIG. 5 is a timing diagram of a control system key management method based on asymmetric encryption in one embodiment;
FIG. 6 is a block diagram of the structure of a master station apparatus in one embodiment;
FIG. 7 is a block diagram of an execution station apparatus in one embodiment;
FIG. 8 is a diagram illustrating an internal structure of a computer device in one embodiment;
fig. 9 is an internal structural view of a computer device in another embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
In one embodiment, as shown in FIG. 1, a control system is provided that includes a master station apparatus 102 and an executive station apparatus 104, wherein the master station apparatus 102 is communicatively coupled to the executive station apparatus 104 via a network. In this embodiment, the master station apparatus 102 is a master station apparatus of the control system, and is responsible for managing a secret key, such as initialization of the secret key, generation, update, and distribution of the secret key, while the execution station apparatus 104 is an execution station apparatus of the control system, and is responsible for receiving the public key and executing command operations. Specifically, the master station apparatus 102 communicates with the execution station apparatus 104 via a network. Upon reaching the key update condition, the master station apparatus 102 generates an updated key, wherein the updated key includes a private key and a public key. The master station apparatus 102 stores the updated private key, signs the updated public key using the private key before updating, generates a public key update message, and sends the public key update message to the execution station apparatus 104. The execution station apparatus 104 receives the public key update message sent by the master station apparatus 102, performs signature verification on the public key update message using the public key before update, replaces the public key before update with the public key after update when the signature verification passes, and sends a confirmation message to the master station apparatus 102.
The control system is a control system composed of a safety automatic device and/or a relay protection device with remote communication and control functions, and includes, but is not limited to, a remote load switching system, a remote generator switching system, a remote backup power automatic switching system, a wide area out-of-step disconnection system, and the like, and the master station device 102 and the execution station device 104 may be safety automatic devices or relay protection devices disposed in different power plants or substations in the control system. Preferably, the number of the master station apparatus 102 and the number of the execution station apparatuses 104 may be plural or one, respectively.
In one embodiment, when the master station apparatus 102 and the execution station apparatus 104 initially establish a communication connection, the master station apparatus 102 performs key initialization, generates an initialized private key and a corresponding public key based on an asymmetric encryption algorithm, stores the initialized private key, and sends the corresponding public key to the execution station apparatus 104. Wherein, after the key initialization, the validity of the key needs to be confirmed manually.
In one embodiment, the number of executive station devices 104 is at least one; when the number of execution station apparatuses 104 is plural, the master station apparatus 102 establishes communication connections with the plural execution station apparatuses 104, and generates one or more sets of keys. For example, the master station device generates different sets of keys for different partitions, and the execution station device of the corresponding partition receives the public key of the corresponding set.
In one embodiment, as shown in fig. 2, there is provided a control system key management method based on asymmetric encryption, which is described by taking the method as an example applied to the primary station apparatus in fig. 1, and includes the following steps:
step S202, after the key updating condition is reached, generating an updated key according to an asymmetric encryption algorithm; the updated key includes a private key and a public key.
The key update condition refers to a specific condition that needs to be satisfied when the key is updated. Specifically, the master station apparatus generates an updated key, that is, one or more pairs of an updated private key and a public key, based on an asymmetric encryption algorithm when a key update condition is reached. The updated key comprises a private key and a public key, namely the updated private key and the updated public key, and the master station device can issue the updated public key to the execution station device. The asymmetric encryption algorithm may be the SM2 algorithm or the RSA algorithm, etc.
In one embodiment, the rekeying condition comprises when a state of the master device and/or the enforcement station device changes. For example, when the state of the master device transitions from normal to abnormal.
In one embodiment, the rekeying condition comprises when an action occurs at the enforcement station apparatus. For example, when the execution station apparatus receives a command to switch the generator set or the load from the master station apparatus, the execution station apparatus executes the command operation to switch the generator set or the load.
In one embodiment, the key update condition includes when a state of a communication channel between the master station apparatus and the execution station apparatus changes. For example, when the state of the communication channel between the master station apparatus and the execution station apparatus transits from a normal state to an abnormal state.
In one embodiment, the key update condition includes when a preset time is reached or an update command is acquired. For example, the key is updated manually or periodically, where the periodic update refers to that the master station device updates the key at a preset time, and the preset time can be selected according to actual operation requirements; the manual update means that the key update is started in response to a key update command input by the user to the master station apparatus.
Step S204, the updated private key is stored.
The master station device generates an updated key and stores the updated private key.
Step S206, the updated public key is signed by using the private key before updating, and a public key updating message is generated.
The public key updating message is used for notifying the execution station device of a message that the public key is updated and sending the updated public key to the execution station device, and comprises the updated public key and a private key signature of the master station device. Specifically, based on the asymmetric encryption algorithm, the master station device signs the public key to be issued, i.e., the updated public key, using the valid private key before update, and generates a public key update message.
Step S208, sending the public key updating message to the execution station device; and the execution station device performs signature verification on the public key updating message by using the public key before updating, replaces the public key before updating with the updated public key when the signature verification passes, and sends a confirmation message to the master station device.
In the control system key management method based on asymmetric encryption, the master station device updates the key under specific conditions, generates a new key according to an asymmetric encryption algorithm, stores the new private key, signs the new public key by using the last valid private key, and sends the new public key to the execution station device in the form of a public key updating message, and the execution station device verifies the signature of the public key updating message by using the last valid public key, so that the updated key is sent from the master station device for establishing communication connection and not from other third party platforms, the device in the control system can be effectively prevented from being illegally identified or replaced, accidents caused by incorrect actions of the control system are avoided, and the safety of the control system is improved.
In one embodiment, as shown in fig. 3, the asymmetric encryption based control system key management method further includes steps S210 to S212:
step S210, receiving a public key application message sent by the executive station device when the signature verification fails.
The public key application message is used for acquiring the updated public key from the master station device. Specifically, when the signature verification of the public key update message by the execution station apparatus fails, the master station apparatus receives the public key application message sent by the execution station apparatus.
In step S212, the public key update message is regenerated and sent to the execution station apparatus.
Specifically, when receiving the public key application message sent by the execution station apparatus, the master station apparatus re-uses the private key before update to sign the updated public key, generates a public key update message, and sends the public key update message to the execution station apparatus. And the content of the regenerated and sent public key updating message is consistent with that of the public key updating message sent before.
In another embodiment, as shown in fig. 4, there is provided a control system key management method based on asymmetric encryption, which is described by taking the application of the method to the enforcement station apparatus in fig. 1 as an example, and includes the following steps:
step S402, receiving a public key updating message sent by a master station device; and the public key updating message is generated by the master station device after the key updating condition is met, the updated private key is stored, and the updated public key is signed by using the private key before updating to generate the public key updating message, wherein the updated private key comprises the private key and the public key.
And step S404, signature verification is carried out on the public key updating message by using the public key before updating.
Specifically, based on the asymmetric encryption algorithm, the execution station apparatus verifies the signature of the received public key update message using the valid public key before update.
Step S406, when the signature verification passes, the public key before updating is replaced by the public key after updating, and a confirmation message is sent to the master station device.
The confirmation message is verification signature of the received public key updating message, is replaced by confirmation information of the updated public key after passing the verification, and is used for confirming that the updated public key is received to the master station device and replacing the received public key with the updated public key. Specifically, after verifying and signing the public key update message, the execution station device replaces the public key valid before updating with the updated public key in the public key update message, and simultaneously returns a confirmation message to the master station device.
In one embodiment, the asymmetric encryption based control system key management method further comprises: when the signature verification fails, sending a public key application message to the master station device; and receiving the public key updating message which is regenerated and sent by the master station device.
Specifically, when the signature verification fails, the execution station device retransmits a public key application message to the master station device, the master station device retransmits a public key update message to the execution station device after receiving the public key application message, the execution station device performs signature verification on the retransmitted public key update message by using the public key before updating after receiving the public key update message retransmitted by the master station device, and when the signature verification passes, the public key before updating is replaced by the updated public key, and a confirmation message is transmitted to the master station device.
In this embodiment, by sending the public key application message to the master station apparatus by the execution station apparatus, an occurrence of an abnormal situation in a one-time communication process can be avoided, and it is ensured that the execution station apparatus can receive the updated public key.
In one embodiment, the asymmetric encryption based control system key management method further comprises: and when the number of times of failing to pass the signature verification reaches a preset value, using the public key before updating and giving an alarm.
Specifically, the execution station device performs signature verification on the public key update message by using the valid public key before updating, returns to reissue the public key application message to the master station device when the signature verification fails, and retransmits the public key update message to the execution station device after the master station device receives the public key application message. And when the times of signature verification failure, namely the interaction times of the execution station device and the master station device reach a preset value, the execution station device gives an alarm. The preset value may be automatically set by the system or freely set by the user, for example, 5 times, that is, when the number of times of failed verification of the execution station apparatus reaches 5 times, an alarm is given.
In the embodiment, the verification failure times are limited by setting the preset value, and when the verification failure times reach the preset value, warning measures are taken, so that the safety of the communication process is ensured.
In one embodiment, as shown in fig. 5, a control system key management method is provided, which is described by taking the control system in fig. 1 as an example, and includes the following steps:
step S502 is that the master device generates an updated key according to the asymmetric cryptographic algorithm after reaching the key update condition.
In step S504, the master device stores the updated private key.
Step S506, the master device signs the updated public key using the private key before updating, and generates a public key update message.
In step S508, the master device transmits the public key update message to the execution station device.
Step S510 is executed when the execution station apparatus receives the public key update message sent by the master station apparatus.
Step S512, the execution station device uses the public key before updating to carry out signature verification on the public key updating message, if the verification is passed, the execution station device enters step S514, and then the control system key updating management process is ended; if the verification is not passed, the process proceeds to step S516.
Step S514, the execution station apparatus replaces the public key before updating with the updated public key, and sends a confirmation message to the master station apparatus.
Step S516, the execution station apparatus sends a public key application message to the master station apparatus.
In step S518, the master station apparatus receives the public key application packet transmitted by the execution station apparatus.
Step S520, the master device regenerates the public key update message and sends it to the execution station device.
In step S522, the execution station apparatus receives the public key update message retransmitted by the master station apparatus, and returns to the step in which the execution station apparatus performs signature verification on the public key update message using the public key before update.
In step S524, when the number of times of failing to verify the signature reaches a preset value, the execution station apparatus uses the public key before updating and gives an alarm.
In this embodiment, after the key update condition is met, according to the asymmetric encryption algorithm, the master station device generates an updated key, stores the updated private key, signs the updated public key with the private key before update, generates a public key update message, and sends the public key update message to the execution station device; after receiving the public key updating message sent by the master station device, the execution station device performs signature verification on the public key updating message by using the public key before updating, replaces the public key before updating with the public key after updating when the signature verification passes, and sends a confirmation message to the master station device; when the signature verification fails, the execution station device sends a public key application message to the master station device, the master station device regenerates a public key update message and sends the public key update message to the execution station device after receiving the public key application message, and the execution station device receives the public key update message sent again by the master station device and performs signature verification and public key replacement. The embodiment ensures that the updated key is sent from the master station device for establishing communication connection instead of other third party platforms, can effectively prevent the devices in the control system from being illegally identified or replaced, avoids accidents caused by incorrect actions of the control system, and improves the safety of the control system.
It should be understood that although the various steps in the flow charts of fig. 2-5 are shown in order as indicated by the arrows, the steps are not necessarily performed in order as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least some of the steps in fig. 2-5 may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performance of the sub-steps or stages is not necessarily sequential, but may be performed in turn or alternating with other steps or at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 6, there is provided a master station apparatus 600 including: a key updating module 602, a message generating module 604 and a message sending module 606, wherein:
a key updating module 602, configured to generate an updated key according to an asymmetric encryption algorithm after a key updating condition is met; the updated key comprises a private key and a public key; and also for storing the updated private key.
The message generating module 604 is configured to sign the updated public key by using the private key before updating, and generate a public key update message.
A message sending module 606, configured to send the public key update message to the execution station apparatus; and the execution station device performs signature verification on the public key updating message by using the public key before updating, replaces the public key before updating with the updated public key when the signature verification passes, and sends a confirmation message to the master station device.
In one embodiment, the message generating module 604 is further configured to receive a public key application message sent by the enforcement station apparatus when the signature verification fails; and regenerating a public key updating message and sending the public key updating message to the execution station device.
In one embodiment, the rekeying conditions in rekeying module 602 include when a change in the state of a master device and/or an executive device occurs.
In one embodiment, the rekeying conditions in rekeying module 602 include when an action occurs at the performing station apparatus.
In one embodiment, the rekeying condition in rekeying module 602 includes when a change occurs in the state of the communication channel between the master device and the enforcement station device.
In one embodiment, the key update condition in the key update module 602 includes when a predetermined time is reached or when an update command is acquired.
In one embodiment, as shown in fig. 7, there is provided an executive station apparatus 700 comprising: a message receiving module 702, a signature verification module 704 and a public key replacing module 706, wherein:
a message receiving module 702, configured to receive a public key update message sent by a master station apparatus; and the public key updating message is generated by the master station device according to an asymmetric encryption algorithm after reaching a secret key updating condition, the updated secret key is stored, and the updated public key is signed by using the secret key before updating to generate the public key updating message, wherein the updated secret key comprises the secret key and the public key.
And the signature verification module 704 is configured to perform signature verification on the public key update message by using the public key before update.
And a public key replacing module 706, configured to replace the public key before updating with the updated public key when the signature verification passes, and send a confirmation message to the master station apparatus.
In one embodiment, the signature verification module 704 is further configured to send a public key application message to the master device when the signature verification fails; and receiving the public key updating message which is regenerated and sent by the master station device.
In one embodiment, the signature verification module 704 is further configured to use the public key before updating and alarm when the number of times of failing to verify the signature reaches a preset value.
For specific limitations of the master station apparatus and the enforcement station apparatus, reference may be made to the above limitations of the asymmetric encryption-based key management method of the control system, and details thereof are not repeated here. The respective modules in the master station apparatus and the execution station apparatus may be wholly or partially implemented by software, hardware, or a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 8. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used to store control system key data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a control system key management method based on asymmetric encryption.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 9. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a control system key management method based on asymmetric encryption. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
Those skilled in the art will appreciate that the configurations illustrated in fig. 8-9 are merely block diagrams of portions of configurations related to aspects of the present application, and do not constitute limitations on the computing devices to which aspects of the present application may be applied, as particular computing devices may include more or less components than those illustrated, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
after a key updating condition is met, generating an updated key according to an asymmetric encryption algorithm; the updated key comprises a private key and a public key;
storing the updated private key;
signing the updated public key by using the private key before updating to generate a public key updating message;
sending the public key updating message to the execution station device; and the execution station device performs signature verification on the public key updating message by using the public key before updating, replaces the public key before updating with the updated public key when the signature verification passes, and sends a confirmation message to the master station device.
In one embodiment, the processor, when executing the computer program, further performs the steps of: receiving a public key application message sent by an execution station device when the signature verification fails; and regenerating a public key updating message and sending the public key updating message to the execution station device.
In one embodiment, the processor, when executing the computer program, further performs the steps of: when the state of the master station apparatus and/or the execution station apparatus changes, key update is started.
In one embodiment, the processor, when executing the computer program, further performs the steps of: when the execution station device acts, the key update is started.
In one embodiment, the processor, when executing the computer program, further performs the steps of: when the state of a communication channel between a master station apparatus and an execution station apparatus changes, key update is started.
In one embodiment, the processor, when executing the computer program, further performs the steps of: and when the preset time is reached or an updating command is acquired, updating the key is started.
In one embodiment, a computer device is provided, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
receiving a public key updating message sent by a master station device; the method comprises the steps that after a master station device achieves a key updating condition, an updated key is generated according to an asymmetric encryption algorithm, the updated private key is stored, and the updated public key is signed by using the private key before updating to generate the updated public key, wherein the updated key comprises the private key and the public key;
carrying out signature verification on the public key updating message by using the public key before updating;
and when the signature passes the verification, replacing the public key before updating with the public key after updating, and sending a confirmation message to the master station device.
In one embodiment, the processor, when executing the computer program, further performs the steps of: when the signature verification fails, sending a public key application message to the master station device; and receiving the public key updating message which is regenerated and sent by the master station device.
In one embodiment, the processor, when executing the computer program, further performs the steps of: and when the number of times of failing to pass the signature verification reaches a preset value, using the public key before updating and giving an alarm.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
after a key updating condition is met, generating an updated key according to an asymmetric encryption algorithm; the updated key comprises a private key and a public key;
storing the updated private key;
signing the updated public key by using the private key before updating to generate a public key updating message;
sending the public key updating message to the execution station device; and the execution station device performs signature verification on the public key updating message by using the public key before updating, replaces the public key before updating with the updated public key when the signature verification passes, and sends a confirmation message to the master station device.
In one embodiment, the computer program when executed by the processor further performs the steps of: receiving a public key application message sent by an execution station device when the signature verification fails; and regenerating a public key updating message and sending the public key updating message to the execution station device.
In one embodiment, the computer program when executed by the processor further performs the steps of: when the state of the master station apparatus and/or the execution station apparatus changes, key update is started.
In one embodiment, the computer program when executed by the processor further performs the steps of: when the execution station device acts, the key update is started.
In one embodiment, the computer program when executed by the processor further performs the steps of: when the state of a communication channel between a master station apparatus and an execution station apparatus changes, key update is started.
In one embodiment, the computer program when executed by the processor further performs the steps of: and when the preset time is reached or an updating command is acquired, updating the key is started.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
receiving a public key updating message sent by a master station device; the method comprises the steps that after a master station device achieves a key updating condition, an updated key is generated according to an asymmetric encryption algorithm, the updated private key is stored, and the updated public key is signed by using the private key before updating to generate the updated public key, wherein the updated key comprises the private key and the public key;
carrying out signature verification on the public key updating message by using the public key before updating;
and when the signature passes the verification, replacing the public key before updating with the public key after updating, and sending a confirmation message to the master station device.
In one embodiment, the computer program when executed by the processor further performs the steps of: when the signature verification fails, sending a public key application message to the master station device; and receiving the public key updating message which is regenerated and sent by the master station device.
In one embodiment, the computer program when executed by the processor further performs the steps of: and when the number of times of failing to pass the signature verification reaches a preset value, using the public key before updating and giving an alarm.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A control system key management method based on asymmetric encryption, which is executed in a master station device, comprises the following steps:
after a key updating condition is met, generating an updated key according to an asymmetric encryption algorithm; the updated key comprises a private key and a public key;
storing the updated private key;
signing the updated public key by using the private key before updating to generate a public key updating message;
sending the public key updating message to an execution station device; and the execution station device uses the public key before updating to carry out signature verification on the public key updating message, replaces the public key before updating with the updated public key when the signature verification is passed, and sends a confirmation message to the master station device.
2. The method of claim 1, further comprising:
receiving a public key application message sent by the execution station device when the signature verification fails;
and regenerating the public key updating message and sending the public key updating message to the execution station device.
3. The method according to claim 1, wherein the key update condition comprises at least any one of the following:
the first item:
when the state of the master station device and/or the executive station device changes;
the second term is:
when the execution station device acts;
the third item:
when the state of a communication channel between the master station device and the execution station device changes;
the fourth item:
when a preset time is reached or an update command is acquired.
4. A control system key management method based on asymmetric encryption, which is executed in an executive station device, comprises the following steps:
receiving a public key updating message sent by a master station device; the public key updating message is generated by the master station device according to an asymmetric encryption algorithm after reaching a secret key updating condition, an updated secret key is stored, and the updated public key is signed by using the secret key before updating to generate the public key updating message, wherein the updated secret key comprises the secret key and the public key;
carrying out signature verification on the public key updating message by using a public key before updating;
and when the signature verification passes, replacing the public key before updating with the updated public key, and sending a confirmation message to the master station device.
5. The method of claim 4, further comprising:
when the signature verification fails, sending a public key application message to the master station device;
and receiving a public key updating message which is regenerated and sent by the master station device.
6. The method of claim 5, further comprising:
and when the times of failing to pass the signature verification reach a preset value, using the public key before updating and giving an alarm.
7. A master station apparatus, characterized in that the apparatus comprises:
the key updating module is used for generating an updated key according to an asymmetric encryption algorithm after the key updating condition is met; the updated key comprises a private key and a public key; the device is also used for storing the updated private key;
the message generation module is used for signing the updated public key by using the private key before updating to generate a public key updating message;
the message sending module is used for sending the public key updating message to the execution station device; and the execution station device uses the public key before updating to carry out signature verification on the public key updating message, replaces the public key before updating with the updated public key when the signature verification is passed, and sends a confirmation message to the master station device.
8. An execution station apparatus, characterized in that the apparatus comprises:
a message receiving module, configured to receive a public key update message sent by a master station apparatus; the public key updating message is generated by the master station device according to an asymmetric encryption algorithm after reaching a secret key updating condition, an updated secret key is stored, and the updated public key is signed by using the secret key before updating to generate the public key updating message, wherein the updated secret key comprises the secret key and the public key;
the signature verification module is used for performing signature verification on the public key updating message by using a public key before updating;
and the public key replacing module is used for replacing the public key before updating with the public key after updating when the signature passes the verification, and sending a confirmation message to the master station device.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 6 are implemented when the computer program is executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
CN201911272040.0A 2019-12-12 2019-12-12 Control system key management method and device based on asymmetric encryption Pending CN110995427A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911272040.0A CN110995427A (en) 2019-12-12 2019-12-12 Control system key management method and device based on asymmetric encryption

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911272040.0A CN110995427A (en) 2019-12-12 2019-12-12 Control system key management method and device based on asymmetric encryption

Publications (1)

Publication Number Publication Date
CN110995427A true CN110995427A (en) 2020-04-10

Family

ID=70092635

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911272040.0A Pending CN110995427A (en) 2019-12-12 2019-12-12 Control system key management method and device based on asymmetric encryption

Country Status (1)

Country Link
CN (1) CN110995427A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112349003A (en) * 2020-11-17 2021-02-09 深圳Tcl新技术有限公司 Door lock password transmission method, lock body, server and readable storage medium
CN112671538A (en) * 2021-03-16 2021-04-16 北京翼辉信息技术有限公司 Key updating method, device, system, storage medium and computing equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111265A (en) * 2011-01-13 2011-06-29 中国电力科学研究院 Method for encrypting embedded secure access module (ESAM) of power system acquisition terminal
CN106878016A (en) * 2017-04-27 2017-06-20 上海木爷机器人技术有限公司 Data is activation, method of reseptance and device
US20180234237A1 (en) * 2016-01-08 2018-08-16 Tencent Technology (Shenzhen) Company Limited Key updating method, apparatus, and system
CN110557367A (en) * 2019-07-16 2019-12-10 如般量子科技有限公司 Secret key updating method and system for quantum computing secure communication resistance based on certificate cryptography

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111265A (en) * 2011-01-13 2011-06-29 中国电力科学研究院 Method for encrypting embedded secure access module (ESAM) of power system acquisition terminal
US20180234237A1 (en) * 2016-01-08 2018-08-16 Tencent Technology (Shenzhen) Company Limited Key updating method, apparatus, and system
CN106878016A (en) * 2017-04-27 2017-06-20 上海木爷机器人技术有限公司 Data is activation, method of reseptance and device
CN110557367A (en) * 2019-07-16 2019-12-10 如般量子科技有限公司 Secret key updating method and system for quantum computing secure communication resistance based on certificate cryptography

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112349003A (en) * 2020-11-17 2021-02-09 深圳Tcl新技术有限公司 Door lock password transmission method, lock body, server and readable storage medium
CN112671538A (en) * 2021-03-16 2021-04-16 北京翼辉信息技术有限公司 Key updating method, device, system, storage medium and computing equipment
CN112671538B (en) * 2021-03-16 2021-06-22 北京翼辉信息技术有限公司 Key updating method, device, system, storage medium and computing equipment

Similar Documents

Publication Publication Date Title
CN110995729B (en) Control system communication method and device based on asymmetric encryption and computer equipment
CN109257334B (en) Block chain-based data uplink system, method and storage medium
US20140173688A1 (en) Method and System for Providing Device-Specific Operator Data for an Automation Device in an Automation Installation
CN110535641B (en) Key management method and apparatus, computer device, and storage medium
CN108696356B (en) Block chain-based digital certificate deleting method, device and system
US10581811B2 (en) Method and system for asymmetric key derivation
CN102868526B (en) Method and system for protecting smart card or universal serial bus (USB) key
CN111147247B (en) Key updating method, device, computer equipment and storage medium
CN110995427A (en) Control system key management method and device based on asymmetric encryption
CN101600198A (en) Wireless sensor network security trust method based on identity
CN111786812A (en) Node management method, node management device, computer equipment and storage medium
CN101997681A (en) Authentication method and system for multi-node path and relevant node equipment
CN111614548A (en) Message pushing method and device, computer equipment and storage medium
CN112118245A (en) Key management method, system and equipment
CN111654503A (en) Remote control method, device, equipment and storage medium
CN110971610A (en) Control system identity verification method and device, computer equipment and storage medium
CN111344996B (en) Secret key generation method, secret key acquisition method, private key updating method, chip and server
CN111181730A (en) User identity generation and updating method and device, storage medium and node equipment
CN113791872B (en) Cloud computing-based authentication method and system
CN112469035B (en) Safe activation and control method and communication system of remote equipment of Internet of things
CN111932326B (en) Data processing method based on block chain network and related equipment
CN113014545B (en) Data processing method and device, computer equipment and storage medium
CN104486323A (en) POS (Point of Sale) terminal safety controlled networking activation method and device
CN111740954B (en) Elevator main controller and elevator board card communication encryption method
US20170142104A1 (en) Communication system, communication method, and management device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20200410