CN111277594A - Power distribution master station test system and method suitable for network encryption authentication environment - Google Patents
Power distribution master station test system and method suitable for network encryption authentication environment Download PDFInfo
- Publication number
- CN111277594A CN111277594A CN202010063746.2A CN202010063746A CN111277594A CN 111277594 A CN111277594 A CN 111277594A CN 202010063746 A CN202010063746 A CN 202010063746A CN 111277594 A CN111277594 A CN 111277594A
- Authority
- CN
- China
- Prior art keywords
- data
- power distribution
- master station
- network
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Abstract
The invention discloses a power distribution main station test system and a method suitable for a network encryption authentication environment, wherein the power distribution main station test system comprises hardware equipment and software equipment, wherein the hardware equipment comprises: the power supply module is used for providing a power supply for the whole device; the exchange interface module is used for finishing the data exchange between the external interface communication and the internal 6 ARM modules, and the internal exchange module is used for finishing the data exchange between the master station data and the 6 groups of ARM modules; the ARM module comprises 6 groups of ARM modules, each module can independently virtualize 8 power distribution terminals, and the software equipment consists of embedded platform software and debugging tool software. The invention enables the traditional master station injection test method to be equally applicable to the power distribution master station safety protection environment of bidirectional identity authentication and message encryption transmission, and provides a hardware virtualization method to solve the problems of safety chip integration and software and hardware fusion in multi-simulation power distribution terminal access.
Description
Technical Field
The invention relates to the technical field of power distribution automation systems, in particular to a power distribution master station testing system and method suitable for a network encryption authentication environment.
Background
With the requirement of the national grid company on the safety protection technology of the management information system, the safety protection of the power distribution automation system is comprehensively implemented, and the safety protection measures of a power distribution main station, communication and a power distribution terminal are key implementation objects. The original power distribution main station and feeder automation test method and equipment are not suitable for the new main station safety protection requirement, and bidirectional identity authentication and transmission content encryption and decryption between the terminal and the main station cannot be realized.
The original power distribution master station testing method and equipment are not suitable for the safety protection requirement of a new master station, and bidirectional identity authentication and transmission content encryption and decryption between the terminal and the master station cannot be realized. All systems are embarrassed by no effective field testing means at that time, and urgent needs are provided for new testing methods and testing means. Therefore, a new power distribution master station test system suitable for a network encryption authentication environment is urgently needed to be developed.
Disclosure of Invention
The invention aims to provide a power distribution master station test system and a power distribution master station test method suitable for a network encryption authentication environment, so that the traditional master station injection test method is also suitable for the power distribution master station safety protection environment with bidirectional identity authentication and message encryption transmission; by adopting a bidirectional protocol matching method in a 'middle agent' mode, a test system based on the original master station injection test method can be accessed to a power distribution master station for testing without modification; the method for virtualizing the hardware solves the problems of security chip integration and software and hardware integration in the access of the multi-simulation power distribution terminal, and passes the third-party verification test of China electric academy of sciences. A single device may emulate 48 encrypted channels and another at least 48 unencrypted channels; the test scale can be expanded through cascade connection between the system devices to solve the problems in the background technology.
In order to achieve the purpose, the invention provides the following technical scheme:
a power distribution main station test system suitable for a network encryption authentication environment comprises hardware equipment and software equipment, wherein the hardware equipment comprises:
the power supply module is used for providing power supply for the whole device, inputting AC220V, outputting DC5V, and respectively providing power for the ARM module and the exchange interface module;
and the exchange interface module is used for finishing data exchange between external interface communication and the internal 6 ARM modules, wherein the network port 1 is an external network port and is connected with the main station to finish data communication with the main station, and the network port 2 is an external management maintenance interface to finish functions of equipment parameter configuration, internal data import and export and the like. The internal exchange module completes the data exchange between the master station data and the 6 groups of ARM modules;
the ARM module comprises 6 groups of ARM modules, and each module can independently virtualize 8 power distribution terminals to complete 8 terminal data processing processes;
the software equipment consists of embedded platform software and debugging tool software, wherein:
the embedded platform software consists of a scheduling program, an uplink channel management program and a downlink channel management program.
Furthermore, the ARM module comprises an ARM main control module, a CPLD and 8 hardware encryption chips.
Furthermore, the ARM main control module is a core processing unit, and includes an external network port 1, which is connected to the exchange interface module for data interaction.
Furthermore, the CPLD is connected with the ARM main control module through a data bus and connected with the encryption chip through the SPI.
Further, hardware equipment still includes the switch, joins in marriage net terminal, encryption communication tester net gape, EM9278 board, encryption chip and backstage, and the switch passes through network connection and joins in marriage net terminal and backstage, and the encryption communication tester net gape of switch passes through inside IO and connects EM9278 board, EM9278 board passes through inside IO and connects encryption chip.
Furthermore, the embedded platform software is based on a Windows operating system, multiple IPs are bound through a network card of a PC, and a plurality of terminals are simulated to simulate a power distribution network feeder scene.
The other technical scheme to be solved by the invention is as follows: the method for testing the power distribution main station suitable for the network encryption authentication environment comprises the following steps:
s101: ARM host system receives the data that distribution main website sent through net gape 1, judges different terminal connections according to TCP link IP, sends data to the virtual terminal that corresponds and carries out the safety message analysis, and the data divide into after the analysis: the safety authentication message encrypts a data message and does not encrypt a short frame message;
s102: repackaging the security authentication message and the encrypted data message into an encrypted chip message format, sending the encrypted chip message format to the CPLD through the data interface, converting the data into an SPI data packet by the CPLD, sending the SPI data packet to an encrypted chip corresponding to the virtual terminal for security authentication analysis and data decryption, returning the SPI data packet to the CPLD after completion, sending the analyzed data to the ARM module by the CPLD, repackaging the returned data according to the master station security message format by the ARM, and sending the repackaged data to the power distribution master station through the network interface;
s103: for the short frame message which is not encrypted, ARM directly carries out protocol analysis, returns a confirmation frame, and directly sends the confirmation frame to the power distribution main station according to the safe message format packet.
Further, the power distribution main station communicates with the power distribution terminal through a 104 or 101 protocol, the content of a communication protocol message in the transmission process is encrypted, and the encryption algorithm is a national secret SM1 algorithm.
Compared with the prior art, the invention has the beneficial effects that: the power distribution master station test system and the method suitable for the network encryption authentication environment enable a traditional master station injection test method to be suitable for the power distribution master station safety protection environment with bidirectional identity authentication and message encryption transmission; by adopting a bidirectional protocol matching method in a 'middle agent' mode, a test system based on the original master station injection test method can be accessed to a power distribution master station for testing without modification; the method for virtualizing the hardware solves the problems of security chip integration and software and hardware integration in the access of the multi-simulation power distribution terminal, and passes the third-party verification test of China electric academy of sciences. A single device may emulate 48 encrypted channels and another at least 48 unencrypted channels; the test scale can be expanded among system devices through cascade connection.
Drawings
FIG. 1 is a block diagram of a power distribution main station test system of the present invention;
FIG. 2 is a diagram of an ARM module hardware configuration according to the present invention;
FIG. 3 is a diagram illustrating the connection of the single board hardware according to the present invention;
FIG. 4 is a diagram of the embedded platform software architecture of the present invention;
FIG. 5 is a flow chart of the embedded platform software of the present invention;
FIG. 6 is a diagram of a shared memory partition according to the present invention;
FIG. 7 is a diagram of the shared data structure of the present invention;
FIG. 8 is a detailed block diagram of a "message" of the present invention;
FIG. 9 is a main flow chart of the upstream channel of the present invention;
FIG. 10 is a main flow chart of the downstream channel of the present invention;
FIG. 11 is a system architecture diagram of the present invention;
FIG. 12 is a data flow architecture diagram of the present invention;
FIG. 13 is an intersystem link diagram of the present invention;
fig. 14 is a layout diagram of the internal board card of the test system of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, a power distribution master station test system suitable for a network encryption certification environment includes a hardware device and a software device, wherein the hardware device includes:
the power module 1 provides power supply for the whole device, inputs AC220V and outputs DC5V, and respectively provides power for the ARM module 2 and the exchange interface module 3.
Exchange interface module 3 accomplishes data exchange between external interface communication and the inside 6 ARM modules 2, and wherein net gape 1 is the outside net gape, is connected with main website, accomplishes the data communication with main website, and net gape 2 is the external management maintenance interface, accomplishes equipment parameter configuration, functions such as inside data import export. Internal switching module 31 completes the data exchange between the master station data and the 6 sets of ARM modules 2.
ARM module 2, including 6 groups ARM modules, 8 distribution terminals can be virtualized alone to each module, accomplish 8 terminal data processing processes.
As shown in fig. 2, the ARM module 2 includes an ARM main control module, a CPLD, and 8 hardware encryption chips. The ARM main control module is a core processing unit and comprises an external network port 1 which is connected with an exchange interface module 3 for data interaction. The ARM main control module mainly completes virtualization of 8 paths of terminal equipment, analysis of a communication protocol and data processing. And the data bus is connected with the CPLD through a data bus, and the analyzed data needing to be encrypted and decrypted is sent to the CPLD.
The CPLD is connected with the ARM main control module through a data bus and connected with the encryption chip through the SPI. In general, an SPI interface is connected to a plurality of SPI devices on an SPI data line at the same time, and is selected by a chip select signal CS. However, in order to increase the encryption and decryption speed and enhance the data throughput of the ARM main control module, the invention independently simulates 8 paths of SPI and respectively carries out data communication with 8 encryption chips.
As shown in fig. 3, the hardware device further comprises a switch, a distribution network terminal, an encryption communication tester net port, an EM9278 board, an encryption chip and a background, wherein the switch is connected with the distribution network terminal and the background through a network, the encryption communication tester net port of the switch is connected with the EM9278 board through internal IO, and the EM9278 board is connected with the encryption chip through internal IO.
As shown in fig. 4, the software device is composed of two parts, namely embedded platform software and debugging tool software, wherein:
the embedded platform software consists of a scheduling program, an uplink channel management program and a downlink channel management program.
The scheduling program comprises a debugging program establishing subprocess, a hardware watchdog establishing subprocess, a downlink channel scheduling program, an uplink channel program start-stop and state monitoring, an uplink channel forwarding subprocess, a downlink channel forwarding subprocess and a timing sending total call.
The uplink channel management program comprises the steps of controlling and monitoring the connection of a TCP client program, controlling a link 104, reading buffer bytes in a socket, converting the buffer bytes into msg, storing the msg into a downlink channel shared memory, reading the msg from the uplink channel shared memory, converting the msg into 104 messages, and sending the socket buffer and the timing dog feeding. The uplink communication module is mainly responsible for interacting with a main station of the power distribution automation system, collecting and processing data received from the downlink channel, and then transmitting the data to the main station end, and the data transmitted by the main station end is analyzed and processed and then transmitted to the downlink channel. The data collection processing relates to data encryption, the data analysis processing relates to data decryption, and the uplink communication module defines and realizes an identity authentication interface and a data encryption and decryption interface. The communication between the uplink communication module and the main station terminal adopts a standard 104 protocol meeting the encryption requirement.
The downlink channel management program comprises a step of controlling a connection process to be initiated to a TCP server, a step of controlling a link 104, a step of reading msg from a downlink channel shared memory, a step of converting the msg into 104 messages to be issued to a socket, a step of reading original messages in the socket, a step of converting the original messages into msg and a step of storing the msg into an uplink channel shared memory. The downlink communication module is mainly responsible for interacting with the injection end, obtains a message by injecting a test system request power distribution network scene simulation data into the main station, and then transfers the message to the shared memory, and the downlink communication module and the injection end communicate by adopting a non-encryption standard 104 protocol.
The scheduling module, the uplink communication module and the downlink communication module are respectively realized in different processes. The communication between the processes adopts a mode of sharing a memory and a semaphore, and the shared memory is used as a cache at the same time. For convenience of management, the shared memory is partitioned into 4 parts of a debugging channel shared memory, an uplink channel shared memory, a downlink channel shared memory and a watchdog shared memory. The shared memory of the uplink channel and the shared memory of the downlink channel are mainly used for data forwarding service, the shared memory of the debugging channel is used for background debugging and configuration tool service, and the shared memory of the watchdog is used for communication with the hardware watchdog.
The scheduling program in the embedded platform software is the core software of the embedded platform of the system, and the main functions are as follows: the background debugging configuration tool establishes connection and communication, controls starting and stopping of a channel program, processes information of a hardware watchdog, establishes a shared memory and initializes other parameter information related to the system. Embedded platform software flow chart 5.
The shared memory of the system mainly comprises an uplink channel shared memory, a downlink channel shared memory, a debugging channel shared memory and a watchdog shared memory. The shared memory of the uplink channel and the shared memory of the downlink channel are mainly used for data forwarding service, the shared memory of the debugging channel is used for background debugging and configuration tool service, and the shared memory of the watchdog is mainly used for communication with the hardware watchdog. FIG. 6 is a diagram of shared memory partitioning.
The shared memory adopts a circular queue data structure, the buffer memory firstly defines a structure array, and simultaneously defines a write cursor (a queue head pointer) and a read cursor (a queue tail pointer), and the first-in first-out of data is realized by continuously moving the write cursor and the read cursor. The shared data structure is as in fig. 7.
All data storage units of the shared memory are 'messages', which are specially designed according to the characteristics of the system, and the specific structural body of the 'messages' is defined as the figure 8.
The main functions of the embedded platform software are that the data of the downlink channel is collected, the data is analyzed and transmitted by the background, and meanwhile, an interface is reserved to be responsible for encryption and decryption of the data. Up channel program and background interface: and the encryption standard 104 is adopted to communicate with the background, so that the communication between the data information and the background is realized. With shared internal interface: a custom message structure is employed. The main flow of the upstream channel is shown in fig. 9.
The downlink channel program in the embedded platform software is a main program interacting with the simulation tester, obtains data information by requesting data from the simulation tester, and then transfers the data information to the shared memory. Downlink channel program and emulation interface: standards 104 are used to communicate with the simulation tester. With shared internal interface: a custom message structure is employed. The main flow of the downlink channel is shown in fig. 10.
The software part of the system of the invention needs to be interfaced with the hardware part to carry out unified scheduling management on the virtualized digital terminal on the basis of realizing the core function of 'power distribution network scene simulation'.
Because the acquisition quantity and the control quantity of measurement, remote signaling and the like are simulated by the power distribution network scene simulator, the virtual terminal does not need to realize the acquisition, control and other parts of a real terminal, and only needs to be responsible for realizing bidirectional identity authentication and transmission content encryption and decryption between the virtual terminal and a power distribution master station (gateway) through a safety chip. The core unit of each device uniformly schedules the virtual terminals and one corresponding network interface thereof and is responsible for cascading with other devices. The system architecture is as shown in fig. 11.
The power distribution terminal and the power distribution main station communicate through a 104 or 101 protocol, under a new network security protection system, the message content of the communication protocol in the transmission process is encrypted, and the encryption algorithm is a national secret SM1 algorithm. The injection end is a DATS-1000 distribution automation main station injection test system, the system software is based on a Windows operating system, multiple IPs are bound through a network card of a PC, and a plurality of terminals are simulated to simulate a distribution network feeder scene. Each test system is internally provided with 48 safety chips and has double network ports. One of the network ports is responsible for being connected with an injection end, a test system simulates the side of a main station, the injection end monitors and connects for a service end at the moment, and a simulation main station side module of the device initiates connection for a client; and the other network port is responsible for being connected with the master station side, the test system simulates the terminal side, the module of the simulation terminal side of the device monitors and connects for the server side at the moment, and the master station side initiates connection for the client side. The communication between the device and the injection end and the communication between the device and the main station end adopt a 104 protocol. Data between the simulation master station side module and the simulation terminal side module in the system are exchanged internally without a network communication protocol. And the injection end injection data received by the analog terminal side module is authenticated, encrypted and decrypted by the security chip and then interacts with the master station. The test scale can be expanded from device to device through cascade connection. The data flow is as in fig. 12.
In the present invention, especially, three cryptographic algorithms are mainly involved in the security chip, namely SM1, SM2 and SM 3.
1) SM1 algorithm
The SM1 algorithm is used for encrypting and decrypting the content of a communication protocol message between a power distribution terminal and a power distribution main station.
The SM1 algorithm is a commercial cipher block standard symmetric algorithm programmed by the national cipher authority, with a block length and key length of 128 bits, and is not public, but exists only in the form of an IP Core (intelligent Property Core) in the chip. The security and secrecy strength of the algorithm and the implementation performance of related software and hardware are equivalent to those of AES (advanced encryption Standard).
2) SM2 algorithm
In the project, the SM2 algorithm uses a digital certificate to realize bidirectional identity authentication between an authentication gateway and a power distribution terminal on the side of a power distribution main station.
The SM2 algorithm is based on an ECC (Elliptic Curve Cryptography) asymmetric public key Cryptography, and generally adopts a 256-bit Elliptic Curve in an prime number domain, where y 2 is x 3+ ax + b. The SM2 algorithm is used instead of the RSA algorithm.
3) SM3 algorithm
The SM3 algorithm is applied to digital signature and verification, generation and verification of message authentication codes and generation of random numbers, the SM3 algorithm is a cipher hash algorithm, and a hash value is generated through filling and iterative compression, and the length of the hash value is 256 bits. The cryptographic hash function in the SM2 algorithm typically employs the SM3 algorithm.
If the adaptability of the test system in the access environment in which the MAC address and the IP address of the power distribution terminal are bound is considered, each hardware-simulated power distribution terminal needs to have a network interface controller (commonly called a network card) having both an MAC (link layer) and a PHY (physical layer) corresponding to the network interface controller. The MAC address of each terminal is different. Each terminal has a unique MAC address by using hardware, development difficulty of the test system is increased, and the size of the test system cannot be effectively controlled. A test system needs to simulate 48 terminals, a common development small board at present has 6 Ethernet ports at most, and 8 development boards need to be put into one device, and a 50-port switch (chip) needs to be integrated. However, after research, there is no compact switch product meeting the requirement in the market, and in addition, the problem of 48 network cards to switch connection needs to be solved.
Virtualization is a process of abstracting computer resources (including hardware and software) and then allocating the computer resources according to needs, and virtual resources have high scalability and availability. A plurality of terminals are virtualized through a small amount of computing resources, the terminals have the functions of acquisition and communication, and the number of the terminals can be increased or decreased according to needs.
The calling interface between the software and the hardware of the test system can be realized by two modes:
(1) direct call
The management and calling of the test system hardware are completely realized by the test system software. The hardware development difficulty is small and the workload is low. But the software side needs to be re-developed, for example, a new version protocol library supporting 104 protocol extension content is developed, and the authentication encryption content processing through the security chip is realized. The software development difficulty is high and the period is long.
(2) Protocol forwarding
And the hardware embedded program of the test system realizes the protocol forwarding from the simulation master station to the virtual terminal and then to the real master station.
a. And simulating the master station side. And the simulation master station front-end server is communicated with the software side simulation terminal through a 104 protocol.
The software can completely reuse the electric charge department main station to inject the test software, and the hardware of the test system can be regarded as the power distribution main station to be directly connected in a traditional mode. The 104 protocol adopted by the master station injection test software is a small subset, the supported protocol content is limited, and the master station side with the protocol forwarding function simulation only needs to realize the protocol content of the corresponding station side.
b. And a virtual terminal side. And the virtual terminal is connected with the real master station, and the contents received and sent from the simulation master station side are transferred to the real master station after conversion processing. The virtual terminal side of the protocol forwarding function is to implement 104 protocol terminal side content. The software side only needs to newly develop a terminal configuration function interface, and the cooperation unit has the experience of terminal development, so that the hardware development difficulty is relatively small. Therefore, the second mode, protocol forwarding, is finally determined.
When network communication is debugged, a communication process needs to be analyzed through network messages to determine which link a problem appears, and the network messages can be acquired by means of network monitoring. The carrier for injecting the test software into the electric academy master station is a PC (personal computer), and the SNiffer software is installed on the PC, so that the packet capturing and monitoring of the communication content between the test software and the test system can be realized. Because the mode of realizing protocol forwarding by the test system is adopted, the communication contents between the test system and the real master station and between the test systems cannot be directly monitored and obtained on the test software carrier. The switch module of the test system needs to support a port mirroring (PortMirroring) function, and copies the network packet of the port to be monitored to the designated port, and then the port is connected to obtain the network packet.
If the test scale is expanded in a parallel mode among the systems, switches with the number of interfaces matched with the number of the test systems need to be respectively placed at the injection end and the master station end of the test system and are respectively connected. The external wiring is complex, the internal implementation is complex, and the field implementation is difficult. For example, to test a 385-terminal-scale distribution network, assuming that each device simulates 48 terminals, 9 test systems, 2 16-port switches, and 20 network lines are required. The test scale is expanded by adopting a serial cascade mode, the wiring is convenient, and the field implementation is simple and easy, as shown in figure 13. The 385-terminal-scale power distribution network is tested in the same way, and only 9 test systems and 10 network cables are needed. The upper limit of the cascade expansion capability between the devices is independent of each test system and only depends on bottlenecks such as injection scale (number of analog terminals), access capability of the master station, and performance of network equipment on a communication path.
Each device simulates 48 terminals, and if all the terminals are realized by a large industrial main board, the requirements on performance and reliability are difficult to meet. From a design point of view, the way of stacking the small plates in the device is reasonable:
1) the device is internally provided with an exchange module, and an 8-port exchange module is selected, so that the device is more suitable than a 16-port exchange module in aspects of volume, weight, power consumption, performance, heat dissipation and the like;
2) in the 8 ports, 1 port is used for connection in the direction of an injection end, 1 port is used for connection in the direction of a main station, and the rest 6 ports are all used for connection of a virtual terminal board card (VTB);
3) each device can accommodate 6 VTBs at most, and each VTB is connected with an interface of a switching module;
4) each VTB needs to virtualize 8 terminals;
5) from market research, development boards meeting these requirements have a large choice.
The layout of the boards inside the test system is shown in fig. 14.
Each VTB in the test system should be independent, that is to say, when any one or more VTBs can not work normally, the rest VTBs can still work normally, thus the VTBs can be replaced on site and can be used in plug-and-play mode.
And a special scheduling management board card does not need to be additionally configured in the test system, and due to the independence of the VTB, simple copying can be performed only by realizing a uniform VTB software and hardware scheme from the development angle, so that the development difficulty is reduced, and the development efficiency is improved.
Virtual terminal: realize the virtual to the terminal through VTB, the realization based on independent platelet is favorable to the modularization of device, can improve stability, reliability, easy to maintain, the extension of being convenient for. The VTB can architecturally realize the same functions and performance as the core board of a real terminal, and functions and peripheral devices can be added as required in addition to virtual acquisition and network communication.
Injection end side: the injection end is original main station injection test software, and the software is connected with the power distribution main station through a TCP/IP protocol. Test software is injected into the power distribution terminal by the main station to simulate the power distribution terminal, the power distribution terminal is used as a server side to monitor (Listening) when network connection is established, and the power distribution main station is used as a client side to initiate connection to the server side. Normally, the terminal is in an n:1 relationship with the master station. When the master station employs a distributed preamble, this relationship becomes n: m (m ≧ 2). For a common terminal, the relation between the terminal and the master station is always 1:1, but for the master station to inject test software, the master station needs to have n: m connection capability because the master station simulates a plurality of terminals. The protocol ports of the terminals are fixed, and the terminals and the master station in the same network segment can establish Socket connection with Destination IP and Destination Port pairs through Source IP and Source Port pairs. Different Socket connections can have different source addresses or destination addresses, and for the existing master station injection test software, if the master station end address is not referred after Socket establishment, the connection with a plurality of master stations can be realized without changing codes. For the VTB, when the VTB is connected with the injection end as the emulated master station end, different VTBs emulate the master station by using different IP addresses, which is equivalent to the distributed preposed multiple access case. Thus, the problem that all VTBs cannot share one analog master station address is solved.
The VTB is connected to the master site, and can be regarded as a terminal for the master site:
(1) the primary station initiates a connection request with the VTB, the request arrives at the security gateway, and the gateway initiates a connection request with the VTB. And after the gateway establishes TCP connection with the VTB, starting bidirectional identity authentication.
(2) After the bidirectional identity authentication between the gateway and the VTB is passed, the gateway returns the successful authentication result with the VTB to the master station.
(3) The primary station directly establishes TCP connection with the VTB and initiates a bidirectional identity authentication request with the VTB.
(4) After the bidirectional identity authentication between the master station and the VTB is completed, the VTB returns the serial number of the simulated terminal (the serial number is in the security chip) and the current key version to the master station.
(5) The VTB is to sequentially implement bidirectional identity authentication with the gateway and bidirectional identity authentication with the power distribution master station according to the specification, and also to maintain normal traffic between the terminal and the master station.
In implementation, the VTB can be separated from the functions and traffic of the injection side and the master side, and synchronous blocking interaction is not needed. When the connection between the VTB and the injection end or between the VTB and either side of the main station end is not established and the service is not developed, the other side only needs to establish and maintain the connection, for example, effective connection is maintained by means of receiving and sending test frames, answering and calling, and after the connection between the two sides is established, the services on the two sides are synchronized.
Protocol forwarding: the communication between the test system and the main station injection test software and the communication between the test system and the main station distribution main station adopt a TCP/IP protocol and a 104 protocol. The primary station injection test software supports the 104 specification, and the Type Identifier (TI) and the transmission reason (COT) used for the I-Format (information transmit Format) message are shown in tables 2-1 and 2-2.
TABLE 2-1 type identifier
TABLE 2-2 reasons for delivery
| Numbering | Explanation of transmission reason | Direction of conveyance |
| 1(0x01) | Period, cycle | Monitoring direction |
| 2(0x02) | Burst (spontaneous) | Monitoring direction |
| 3(0x03) | Burst (spontaneous) | Controlling direction |
| 4(0x04) | Is initialized | Monitoring direction |
| 5(0x05) | Is requested to | Monitoring direction |
| 5(0x05) | Request for | Controlling direction |
| 6(0x06) | Activation | Controlling direction |
| 7(0x07) | Activation confirmation | Monitoring direction |
| 8(0x08) | Stop activation | Controlling direction |
| 9(0x09) | Stop activation confirmation | Monitoring direction |
| 10(0x0A) | Activation termination | Monitoring direction |
| 11(0x0B) | Return message caused by remote command | Monitoring direction |
| 12(0x0C) | Local command induced foldback information | Monitoring direction |
| 20(0x14) | Corresponding station callCall out | Monitoring direction |
| 44(0x67) | Unknown type identification | Monitoring direction |
| 45(0x2C) | Unknown reason for transmission | Monitoring direction |
| 46(0x2E) | Unknown application service data unit public address | Monitoring direction |
| 47(0x2F) | Unknown information object address | Monitoring direction |
The implementation rules of the distribution automation system application DL/T634.5104-2009 expand the contents specified by DL/T634.5104-2009, and mainly increase the specific processes of parameter setting, file transmission, electric quantity acquisition and the like. The communication between the test system and the power distribution main station adopts the extended version protocol, and when protocol conversion is carried out, the change of a remote signaling deflection process and a fault event process needs to be noticed.
Remote signaling deflection process: after a State displacement Event occurs at a power distribution terminal, a remote signaling message (TI is 30 or 31) with a time scale is transmitted to a power distribution master station, and after receiving the remote signaling message with the time scale, the power distribution master station automatically generates COS (Change of State) and SOE (Sequence of Event) data.
And (3) a fault event process: and when a fault occurs, fault event information is uploaded, and the fault event information mainly comprises a remote signaling number corresponding to the fault and relevant measured value information at the fault moment. The type identifier and the transmission reason newly added in the invention are shown in tables 2-3 and 2-4.
Table 2-3 new addition type identifier
Table 2-4 reasons for new delivery
The test system does not simply realize protocol forwarding, and the original main station injection test software cannot be directly connected with the power distribution main station encrypted by certification without modification. In order to reduce development difficulty and workload, an intermediate agent mode is adopted, a test system is used as an agent between injection test software and a power distribution main station, the test system is used as an agent main station to be connected and communicated with the injection software, and meanwhile the test system is also used as an agent terminal to be connected and communicated with the power distribution main station.
When the test system is connected with the power distribution main station, the test system meets the safety protection access requirement of authentication encryption, and when the test system is connected with the injection software, the test system is free of authentication encryption, and the injection software can be accessed according to the original working mode without any modification.
In order to better show the testing process of the power distribution master station applicable to the network encryption authentication environment, the embodiment now provides a method of a power distribution master station testing system applicable to the network encryption authentication environment, which includes the following steps:
s101: ARM host system receives the data that distribution main website sent through net gape 1, judges different terminal connections according to TCP link IP, sends data to the virtual terminal that corresponds and carries out the safety message analysis, and the data divide into after the analysis: the safety authentication message encrypts a data message and does not encrypt a short frame message;
s102: repackaging the security authentication message and the encrypted data message into an encrypted chip message format, sending the encrypted chip message format to the CPLD through the data interface, converting the data into an SPI data packet by the CPLD, sending the SPI data packet to an encrypted chip corresponding to the virtual terminal for security authentication analysis and data decryption, returning the SPI data packet to the CPLD after completion, sending the analyzed data to the ARM module by the CPLD, repackaging the returned data according to the master station security message format by the ARM, and sending the repackaged data to the power distribution master station through the network interface;
s103: for the short frame message which is not encrypted, ARM directly carries out protocol analysis, returns a confirmation frame, and directly sends the confirmation frame to the power distribution main station according to the safe message format packet.
The cascade expansion test scale is realized by the serial connection between the uplink port and the downlink port of the test system. When originally conceived, a 16-port switch chip is adopted inside the device to complete internal communication and bypass forwarding by dividing the VLAN. The test system has no special requirement on network bandwidth, the chip can support 100Base-TX, and in consideration of the future, if the safety protection measures increase the requirement on binding the port and the MAC address of the equipment, a switch chip of PHY + MAC of each port is adopted.
In the process of developing a test system, considering the requirements of different network segments and safety isolation of uplink and downlink communication IP, 2 IP178G chips are actually adopted to respectively bind uplink and downlink communication. The IP178G chip is an 8-port chip, supports the IEEE802.1Q protocol, and can realize VLAN based on ports or labels.
In order to simplify field test configuration to adapt to network access environments of different master stations, a test system realizes the VLAN in a port-based manner.
For IP178G, port 01 is connected to the upstream channel and the downstream channel, and port 02-0 is connected to the test system. Each VTB in the set, port 08 is connected to the 08 port of another IP178G in the set to cascade the test system internally.
The power distribution master station test system and the method suitable for the network encryption authentication environment enable a traditional master station injection test method to be suitable for the power distribution master station safety protection environment with bidirectional identity authentication and message encryption transmission; by adopting a bidirectional protocol matching method in a 'middle agent' mode, a test system based on the original master station injection test method can be accessed to a power distribution master station for testing without modification; the method for virtualizing the hardware solves the problems of security chip integration and software and hardware integration in the access of the multi-simulation power distribution terminal, and passes the third-party verification test of China electric academy of sciences. A single device may emulate 48 encrypted channels and another at least 48 unencrypted channels; the test scale can be expanded among system devices through cascade connection.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art should be able to cover the technical solutions and the inventive concepts of the present invention within the technical scope of the present invention.
Claims (8)
1. The utility model provides a distribution main website test system suitable for network encryption authentication environment which characterized in that, includes hardware equipment and software equipment, and wherein, hardware equipment includes:
the power supply module (1) is used for providing power supply for the whole device, inputting AC220V and outputting DC5V, and respectively provides power for the ARM module (2) and the exchange interface module (3);
the exchange interface module (3) completes external interface communication and data exchange between 6 internal ARM modules (2), wherein the network port 1 is an external network port and is connected with the master station to complete data communication with the master station, the network port 2 is an external management and maintenance interface to complete equipment parameter configuration, internal data is imported and exported, and the internal exchange module (31) completes data exchange between master station data and 6 groups of ARM modules (2);
the ARM module (2) comprises 6 groups of ARM modules, and each module can independently virtualize 8 power distribution terminals to complete the data processing process of 8 terminals;
the software equipment consists of embedded platform software and debugging tool software, wherein:
the embedded platform software consists of a scheduling program, an uplink channel management program and a downlink channel management program.
2. The power distribution master station test system suitable for the network encryption authentication environment as claimed in claim 1, wherein the ARM module (2) comprises an ARM main control module, a CPLD and 8 hardware encryption chips.
3. The power distribution master station test system suitable for the network encryption authentication environment as claimed in claim 2, wherein the ARM main control module is a core processing unit, and comprises an external network port 1 connected with the exchange interface module (3) for data interaction.
4. The power distribution master station test system suitable for the network encryption authentication environment as claimed in claim 2, wherein the CPLD is connected with the ARM main control module through a data bus and connected with the encryption chip through the SPI.
5. The power distribution main station testing system suitable for the network encryption authentication environment as claimed in claim 1, wherein the hardware device further comprises a switch, a distribution network terminal, an encryption communication tester network port, an EM9278 board, an encryption chip and a background, the switch is connected to the distribution network terminal and the background through a network, the encryption communication tester network port of the switch is connected to the EM9278 board through internal IO, and the EM9278 board is connected to the encryption chip through internal IO.
6. The power distribution master station test system suitable for the network encryption authentication environment as claimed in claim 1, wherein the embedded platform software is based on a Windows operating system, and simulates a plurality of terminals to simulate a power distribution network feeder scene by binding a plurality of IPs through a network card of a PC.
7. A method for testing a power distribution main station suitable for a network encryption certification environment according to any one of claims 1 to 6, characterized by comprising the following steps:
s101: ARM host system receives the data that distribution main website sent through net gape 1, judges different terminal connections according to TCP link IP, sends data to the virtual terminal that corresponds and carries out the safety message analysis, and the data divide into after the analysis: the safety authentication message encrypts a data message and does not encrypt a short frame message;
s102: repackaging the security authentication message and the encrypted data message into an encrypted chip message format, sending the encrypted chip message format to the CPLD through the data interface, converting the data into an SPI data packet by the CPLD, sending the SPI data packet to an encrypted chip corresponding to the virtual terminal for security authentication analysis and data decryption, returning the SPI data packet to the CPLD after completion, sending the analyzed data to the ARM module by the CPLD, repackaging the returned data according to the master station security message format by the ARM, and sending the repackaged data to the power distribution master station through the network interface;
s103: for the short frame message which is not encrypted, ARM directly carries out protocol analysis, returns a confirmation frame, and directly sends the confirmation frame to the power distribution main station according to the safe message format packet.
8. The method for testing the power distribution master station applicable to the network encryption authentication environment as claimed in claim 7, wherein the power distribution master station communicates with the power distribution terminal through a 104 or 101 protocol, the message content of the communication protocol in the transmission process is encrypted, and the encryption algorithm is the SM1 algorithm.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010063746.2A CN111277594B (en) | 2020-01-20 | 2020-01-20 | Power distribution master station test system and method suitable for network encryption authentication environment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010063746.2A CN111277594B (en) | 2020-01-20 | 2020-01-20 | Power distribution master station test system and method suitable for network encryption authentication environment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111277594A true CN111277594A (en) | 2020-06-12 |
| CN111277594B CN111277594B (en) | 2022-02-11 |
Family
ID=71001115
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010063746.2A Active CN111277594B (en) | 2020-01-20 | 2020-01-20 | Power distribution master station test system and method suitable for network encryption authentication environment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111277594B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111913074A (en) * | 2020-08-06 | 2020-11-10 | 浙江华电器材检测研究所有限公司 | Power distribution automation equipment detection method and system |
| CN116506234A (en) * | 2023-06-29 | 2023-07-28 | 北京智芯微电子科技有限公司 | Security control method and device for power communication network, central coordinator and nodes |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101937599A (en) * | 2010-09-02 | 2011-01-05 | 浪潮齐鲁软件产业有限公司 | Network tax control encryption server based on ARM11 platform |
| US20160179646A1 (en) * | 2014-12-23 | 2016-06-23 | Michael Neve de Mevergnies | Delayed authentication debug policy |
| CN109257328A (en) * | 2017-07-14 | 2019-01-22 | 中国电力科学研究院 | A kind of safety interacting method and device of scene operation/maintenance data |
| CN109257327A (en) * | 2017-07-14 | 2019-01-22 | 中国电力科学研究院 | A kind of the communication message safety interacting method and device of electrical power distribution automatization system |
| CN109407604A (en) * | 2017-08-16 | 2019-03-01 | 西门子股份公司 | Processing module is coupled into the method and modular technology system of modular technology system |
| CN109560987A (en) * | 2018-11-27 | 2019-04-02 | 中国电力科学研究院有限公司 | A kind of method and system for electricity information acquisition system master station pressure test |
| US20190303846A1 (en) * | 2018-03-28 | 2019-10-03 | JW Colorado LLC | Methods, systems, apparatuses and devices for facilitating provisioning of an audit data corresponding to a biological target matter |
| CN110572352A (en) * | 2018-06-06 | 2019-12-13 | 国家电网公司 | intelligent distribution network security access platform and implementation method thereof |
-
2020
- 2020-01-20 CN CN202010063746.2A patent/CN111277594B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101937599A (en) * | 2010-09-02 | 2011-01-05 | 浪潮齐鲁软件产业有限公司 | Network tax control encryption server based on ARM11 platform |
| US20160179646A1 (en) * | 2014-12-23 | 2016-06-23 | Michael Neve de Mevergnies | Delayed authentication debug policy |
| CN109257328A (en) * | 2017-07-14 | 2019-01-22 | 中国电力科学研究院 | A kind of safety interacting method and device of scene operation/maintenance data |
| CN109257327A (en) * | 2017-07-14 | 2019-01-22 | 中国电力科学研究院 | A kind of the communication message safety interacting method and device of electrical power distribution automatization system |
| CN109407604A (en) * | 2017-08-16 | 2019-03-01 | 西门子股份公司 | Processing module is coupled into the method and modular technology system of modular technology system |
| US20190303846A1 (en) * | 2018-03-28 | 2019-10-03 | JW Colorado LLC | Methods, systems, apparatuses and devices for facilitating provisioning of an audit data corresponding to a biological target matter |
| CN110572352A (en) * | 2018-06-06 | 2019-12-13 | 国家电网公司 | intelligent distribution network security access platform and implementation method thereof |
| CN109560987A (en) * | 2018-11-27 | 2019-04-02 | 中国电力科学研究院有限公司 | A kind of method and system for electricity information acquisition system master station pressure test |
Non-Patent Citations (1)
| Title |
|---|
| 孙禄: "《电力行业应用综合业务接入测试平台》", 《华北电力大学》 * |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111913074A (en) * | 2020-08-06 | 2020-11-10 | 浙江华电器材检测研究所有限公司 | Power distribution automation equipment detection method and system |
| CN116506234A (en) * | 2023-06-29 | 2023-07-28 | 北京智芯微电子科技有限公司 | Security control method and device for power communication network, central coordinator and nodes |
| CN116506234B (en) * | 2023-06-29 | 2023-08-18 | 北京智芯微电子科技有限公司 | Security control method and device for power communication network, central coordinator and nodes |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111277594B (en) | 2022-02-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112073375B (en) | Isolation device and isolation method suitable for client side of electric power Internet of things | |
| CN111277594B (en) | Power distribution master station test system and method suitable for network encryption authentication environment | |
| CN109274647B (en) | Distributed trusted memory exchange method and system | |
| CN102291745A (en) | Method and device for testing multiple access points (AP) | |
| CN113127914A (en) | Electric power Internet of things data security protection method | |
| CN108768669A (en) | Based on ASIC trusted remote memory switching cards and its method for interchanging data | |
| CN112769773B (en) | Railway security communication protocol simulation system based on state cryptographic algorithm | |
| CN105848145A (en) | WIFI intelligent configuration method and device | |
| CN106506182B (en) | A kind of method and system configuring PTN business | |
| CN109150829B (en) | Software-defined cloud network trusted data distribution method, readable storage medium and terminal | |
| CN106874065A (en) | A kind of system for supporting hardware virtualization | |
| CN108900518B (en) | Credible software-defined cloud network data distribution system | |
| CN105656633A (en) | Safety certification method for smart grid AMI system | |
| CN110768982A (en) | Network security interconnection device based on homemade SOC | |
| CN107104964B (en) | Network security terminal and use method | |
| CN206533391U (en) | Main website type special line encryption authentication device | |
| CN113839923B (en) | Multi-node-oriented high-performance processing method | |
| CN106878100A (en) | A kind of method of testing and system of ellipse curve public key cipher security coprocessor | |
| CN101958816A (en) | High speed core switching equipment testing system and testing method thereof | |
| Lv et al. | A highly reliable lightweight distribution network communication encryption scheme | |
| CN110505230A (en) | A kind of cipher machine connection control method and system for electric energy meter detection | |
| Hunter et al. | Authenticated encryption for time-sensitive critical infrastructure | |
| CN117318295B (en) | Comprehensive data sensing system and method for power distribution network | |
| CN114978591B (en) | Domain network data interaction system and method based on safety protection | |
| CN218183360U (en) | Wave recording data safety exchange circuit |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address |
Address after: 710000 Floor 9, Building 10, Qihang Xinyuan, Jianzhang Road, Fengdong New Town, Xixian New District, Xianyang City, Shaanxi Province Patentee after: Shaanxi Huatian Juneng Technology Co.,Ltd. Address before: 710000 room 402, building 8, Hongguang Avenue, Fengdong new town, Xixian new area, Xi'an City, Shaanxi Province Patentee before: SHAANXI ZHONGXING XIANGLIN ELECTRONIC TECHNOLOGY CO.,LTD. |
|
| CP03 | Change of name, title or address | ||
| CP02 | Change in the address of a patent holder |
Address after: 710000 9/F, Building 10, Qihang Xinyuan, Jianzhang Road, Fengdong New Town, Xixian New District, Xi'an, Shaanxi Province Patentee after: Shaanxi Huatian Juneng Technology Co.,Ltd. Address before: 710000 Floor 9, Building 10, Qihang Xinyuan, Jianzhang Road, Fengdong New Town, Xixian New District, Xianyang City, Shaanxi Province Patentee before: Shaanxi Huatian Juneng Technology Co.,Ltd. |
|
| CP02 | Change in the address of a patent holder |