CN115834026A - Safety encryption method based on industrial protocol - Google Patents
Safety encryption method based on industrial protocol Download PDFInfo
- Publication number
- CN115834026A CN115834026A CN202211512189.3A CN202211512189A CN115834026A CN 115834026 A CN115834026 A CN 115834026A CN 202211512189 A CN202211512189 A CN 202211512189A CN 115834026 A CN115834026 A CN 115834026A
- Authority
- CN
- China
- Prior art keywords
- data
- key
- data packet
- protocol
- encryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a safety encryption method based on an industrial protocol. The invention uses the root key to carry out SM4 encryption operation on the HASH value, and hashes out three-level data encryption keys. Encrypting data by using an SM4 algorithm and a hashed three-level encryption key, and repackaging the protocol characteristic HASH data and the encrypted data into a data packet; and recalculating the checksum of the data packet, and sending the encrypted data packet. And carrying out state secret SM4 encryption operation on the HASH value by using the root key, and hashing to obtain a three-level data decryption key. And decrypting the data packet content by using the data decryption key through an SM4 cryptographic algorithm, re-encapsulating the data packet content, removing the HASH field of the coordination characteristic, and restoring the plaintext data packet. The invention solves the problem of safe encryption of data in an industrial environment, and realizes one packet and one cipher of encrypted data by participating in key hashing through characteristic parameters and time parameters coordinated by industry; the deployment is completely transparent, and the existing topological structure is not required to be modified.
Description
Technical Field
The invention belongs to the technical field of data encryption, and relates to a safety encryption method based on an industrial protocol.
Background
Currently, a market encryption product mainly uses a Virtual Private Network (VPN), VPN related technologies and products are very mature in the current market, currently, many VPN products mainly use IPSec VPN and SSLVPN, an IP security protocol (IPSec) performs key negotiation through an Internet key exchange protocol (IKE protocol) to generate a data encryption key, and the data is encapsulated and encrypted by using the key, SSL is generally used for mobile office staff, and in addition, client software or a client plug-in generally needs to be installed.
The current standard VPN technology and products also have certain deficiencies and defects, and some bugs and defects are often used by hackers, for example, because the IPSec VPN product adopts DH exchange, there is a bug that cannot resist "man in the middle" attack, the identity of a trader is leaked in the key negotiation process, the encryption algorithm is mainly international algorithm, and the algorithms are relatively open. In addition, the identity authentication mode of the pre-shared key used by IKE negotiation has the problems of low security, backward technology, no conformity with relevant cryptographic policies of China and the like, and with the rapid integration of informatization and industrialization, many national key infrastructures face security tests in the industrial business field.
Because the current VPN product has the problems as above, in addition, the traditional VPN has complex and tedious configuration, the industrial environment needs many interconnected nodes and small bandwidth, the traditional VPN needs to change the existing network topology structure, and additional bandwidth overhead is also increased by key agreement, so the traditional VPN product cannot be deployed in the industrial environment at all.
Therefore, the safety encryption method based on the industrial protocol is designed, deployment is carried out in a transparent mode, the existing network topology does not need to be modified, the encryption key is dynamically generated based on the characteristics of the industrial protocol, the device can carry out content deep analysis on the industrial protocol, a client can self-define the attributes of the industrial coordination characteristics participating in key operation, the encryption key is generated through hashing of the root key and a national secret algorithm based on a root key preset in factory, the key can be updated in real time, extra key negotiation data is not needed, network bandwidth overhead is reduced, the root key is preset, and absolute safety of the key is guaranteed.
Disclosure of Invention
The invention aims to provide a safety encryption method based on an industrial protocol, which comprises encryption key operation, data encryption and encapsulation, decryption key operation and data decryption.
The encryption key operation comprises the following specific steps:
the network card receives plaintext data packets, and the industrial protocol deep analysis module carries out deep analysis on the data packets, such as register types, function codes, access types, PLC addresses and register addresses of a modbus protocol.
Querying a predefined protocol feature library, namely contents required to participate in key operation, wherein the predefined protocol feature library can be any fields of a deep analysis result, calculating a HASH value (HASH value) of 256 bits of protocol feature data in a data packet by a cryptographic SM3 algorithm, then performing exclusive-or operation on the first 128 bits and the second 128 bits, and finally obtaining a protocol feature HASH value of 128 bits.
And acquiring the current time of the system and reading the root key.
Performing SM4 encryption operation on the calculated 128-bit HASH value by using the root key, and hashing to obtain a primary key; performing SM4 operation on the current time by using the root key, and hashing to obtain a secondary key; and performing XOR operation on the primary key and the secondary key to hash the three-level data encryption key.
The data encryption and encapsulation process is as follows:
and receiving a plaintext data packet and acquiring load data of the data packet.
The PKCS7Padding mode is used for filling alignment for data needing encryption, and because the SM4 algorithm is used, the length of encrypted data must be integral multiple of the key length of the SM4 algorithm.
Encrypting data by using an SM4 algorithm and a hashed three-level encryption key, and repackaging the protocol characteristic HASH data and the encrypted data into a data packet; recalculating the checksum of the data packet, including the IP header checksum and the TCP/UDP header checksum; and sending the encrypted data packet.
The decryption key operation comprises the following specific steps:
the network card receives the ciphertext data packet to acquire data packet load data, wherein the first 128 bits are protocol characteristic HASH values, and the later bits are encrypted data.
And acquiring the current time of the system and reading the root key.
Carrying out SM4 encryption operation on the HASH value of the first 128-bit protocol characteristic by using the root key, and hashing to obtain a primary key; performing SM4 operation on the current time by using the root key, and hashing a secondary key; and performing XOR operation on the primary key and the secondary key to hash the three-level data decryption key.
The data decryption process is as follows:
and the network card receives the ciphertext data packet and decrypts the content of the data packet by using the data decryption key through the SM4 cryptographic algorithm.
And the industrial protocol deep analysis module is used for deeply analyzing the decrypted data packet, such as the register type, the function code, the access type, the PLC address, the register address and the like of the modbus protocol.
Inquiring a predefined protocol feature library, namely contents needing to participate in key operation, wherein the predefined protocol feature library is any fields of a deep analysis result, calculating a HASH value of 256 bits for protocol feature data in a data packet through a cryptographic SM3 algorithm, then carrying out XOR operation on the first 128 bits and the second 128 bits, and finally obtaining the HASH value of the protocol feature of 128 bits.
And comparing the obtained HASH value of the protocol characteristic with the HASH value of the received data packet payload header, wherein the consistency of the comparison indicates that the data is correct, otherwise, the data can be tampered and is directly discarded.
Repackaging the data packet content, removing the HASH field of the coordination characteristic, and restoring the plaintext data packet; and forwarding the data packet.
The industrial network environment has the characteristics of more data nodes, complex network structure and lower bandwidth, and the traditional encryption product deployed in the industrial network environment has the defects of great network change, difficulty in deployment, increased bandwidth overhead, easiness in network attack and capability of bringing a plurality of unstable factors to services. The root key is solidified in the equipment, the external part of the equipment cannot be obtained, and the encryption of data is completed through a protocol characteristic and time parameter hash three-level key system, so that the problem of safe encryption of data in an industrial environment is solved; the key hashing is participated by characteristic parameters and time parameters which are coordinated industrially, so that the encryption data is packed in one packet; the SM3 cryptographic algorithm is adopted to ensure the integrity and correctness of the data; the deployment is completely transparent, and the existing topological structure is not required to be modified.
Drawings
FIG. 1 is a flow of encryption key calculation;
FIG. 2 is a flow of data encryption and encapsulation;
FIG. 3 is a flowchart of the operation of the decryption key;
FIG. 4 is a data decryption verification process;
fig. 5 is a diagram illustrating the contents of a data packet before and after encryption.
Detailed Description
A safety encryption method based on industrial protocol comprises encryption key operation, data encryption package, decryption key operation and data decryption:
as shown in fig. 1, the encryption key operation specifically includes the following steps:
the network card receives a plaintext data message;
sending the plaintext message to an industrial protocol deep analysis module for analysis, inquiring a predefined protocol feature library (data needing to participate in key operation is defined in advance by a user) needing to participate in key operation if the analysis is successful, and taking a data quintuple (source address, destination address, source port, destination port and protocol of the data) as protocol feature data if the data is not industrial protocol data or the deep analysis is failed;
calculating a HASH value of the protocol characteristic data through an SM3 algorithm, outputting 256 bits of HASH data, and then performing XOR operation on the first 128 bits and the second 128 bits to obtain the protocol characteristic HASH data which is used as a primary key HASH parameter;
using the root key to HASH the primary key for the HASH data of the protocol characteristic by SM4 algorithm;
hashing a secondary key of the current time of the system by using a root key through an SM4 algorithm;
hashing a three-level data encryption key through the XOR operation of the primary key and the secondary key;
as shown in fig. 2, the data encryption and encapsulation process specifically includes:
receiving a plaintext data packet;
acquiring data packet load data;
filling and aligning data to be encrypted by using a PKCS7Padding mode, wherein the encrypted data length is integral multiple of the SM4 algorithm key length because of using an SM4 algorithm;
the PKCS7Padding mode is specifically as follows: before data encryption, data needs to be aligned according to an integer of a key length, and if the data length needs to be aligned by filling n (n > 0) bytes, n bytes are filled, and each byte is n; if the data itself is already aligned, a block of data of block size is padded, each byte being of block size.
Encrypting the data by using an SM4 algorithm and a hashed three-level encryption key;
repackaging the protocol characteristic HASH data and the encrypted data into a data packet;
recalculating the checksum of the data packet, including the IP header checksum and the TCP/UDP header checksum;
sending the encrypted data packet;
as shown in fig. 3, the decryption key operation process specifically includes:
the network card receives the encrypted data message;
acquiring the first 128 bits of data of the load data, acquiring protocol characteristic HASH data, wherein the segment of data is the HASH value of the industrial protocol characteristic data of a plaintext, and hashing a decryption key through the segment of data;
using the root key to HASH the primary key for the HASH data of the protocol characteristic by SM4 algorithm;
hashing a secondary key of the current time of the system by using a root key through an SM4 algorithm;
hashing a third-level data decryption key through the XOR operation of the first-level key and the second-level key;
as shown in fig. 4, the data decryption specifically includes the following steps:
receiving an encrypted data packet;
extracting the HASH data of the first 128-bit protocol characteristics of the data packet load data;
hashing a decryption key through the protocol HASH data and the system time;
decrypting the encrypted payload data;
carrying out industrial protocol deep analysis on the decrypted data;
if the industrial protocol is successfully analyzed, inquiring a predefined protocol feature library needing to participate in key operation, then calculating the HASH value of the protocol feature data through an SM3 algorithm, and obtaining decrypted protocol feature HASH data by using XOR operation of the first 128 bits and the second 128 bits; if the analysis of the industrial protocol fails, quintuple data is used as characteristic data of the industrial protocol;
the decrypted HASH data is compared with the HASH or the quintuple HASH in the received payload data, and the comparison is successful, which indicates that the data is normal; the comparison failure indicates that the data is tampered or decrypted wrongly, and the data is directly discarded;
repackaging the plaintext data message, and recalculating the checksum of the message, including the checksum of the IP header and the TCP or UDP header;
sending the decrypted data packet;
as shown in FIG. 5, the payload data is actual industrial protocol data and is data behind a TCP or UDP header, and the data encryption of the invention does not modify the IP header and the TCP/UDP header data, so the prior topological structure is not required to be modified, and the direct transparent serial access is only required.
Claims (2)
1. A safety encryption method based on industrial protocol is characterized in that: the method comprises encryption key operation, data encryption packaging, decryption key operation and data decryption verification;
the encryption key operation comprises the following specific steps:
the network card receives a plaintext data packet, and the industrial protocol deep analysis module carries out deep analysis on the data packet; inquiring a predefined protocol feature library needing to participate in key operation, wherein the predefined protocol feature library is any fields of a deep analysis result, calculating a HASH value of 256 bits of protocol features in a data packet through a cryptographic SM3 algorithm, then carrying out exclusive or operation on the front 128 bits and the rear 128 bits, and finally obtaining a HASH value of the protocol features of 128 bits;
acquiring the current time of the system, and reading a root key;
carrying out SM4 encryption operation on the calculated 128-bit HASH value by using the root key, and hashing to obtain a primary key; performing SM4 operation on the current time by using the root key, and hashing to obtain a secondary key; performing XOR operation on the primary key and the secondary key to hash a three-level data encryption key;
the data encryption and encapsulation process is as follows:
receiving a plaintext data packet, and acquiring data packet load data; filling and aligning data to be encrypted in a PKCS7Padding mode, and encrypting the data by using an SM4 algorithm and a hashed three-level encryption key; repackaging the protocol characteristic HASH data and the encrypted data into a data packet; recalculating the checksum of the data packet, including the IP header checksum and the TCP/UDP header checksum; sending the encrypted data packet;
the data decryption key operation comprises the following specific steps:
the network card receives the ciphertext data packet and obtains data packet load data, wherein the first 128 bits are protocol characteristic HASH values, and the later bits are encrypted data;
acquiring the current time of the system, and reading a root key;
carrying out SM4 encryption operation on the HASH value with the first 128 bits as protocol characteristics by using the root key, and hashing to obtain a primary key; performing SM4 operation on the current time by using the root key, and hashing to obtain a secondary key; performing XOR operation on the primary key and the secondary key to hash a tertiary data decryption key;
the data decryption process is as follows:
the network card receives the ciphertext data packet, and decrypts the content of the data packet through an SM4 cryptographic algorithm by using a data decryption key;
the industrial protocol deep analysis module carries out deep analysis on the decrypted data packet, queries a predefined protocol feature library needing to participate in key operation, wherein the predefined protocol feature library is any fields of a deep analysis result, calculates a HASH value of 256 bits for the protocol feature library in the data packet through a SM3 algorithm of the national cipher, then carries out XOR operation on the front 128 bits positioned at the rear 128 bits, and finally obtains a HASH value of the protocol feature of 128 bits;
comparing the obtained protocol characteristic HASH value with the HASH value of the received data packet load header, wherein the comparison is consistent and shows that the data is correct, otherwise, the data is possible to be tampered and is directly discarded; repackaging the data packet content, removing the HASH field of the coordination characteristic, and restoring the plaintext data packet; and forwarding the data packet.
2. The industrial protocol-based secure encryption method of claim 1, wherein: the industrial protocol deep analysis module carries out deep analysis on the data packet and comprises register types, function codes, access types, PLC addresses and register addresses of the modbus protocol.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211512189.3A CN115834026A (en) | 2022-11-29 | 2022-11-29 | Safety encryption method based on industrial protocol |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211512189.3A CN115834026A (en) | 2022-11-29 | 2022-11-29 | Safety encryption method based on industrial protocol |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115834026A true CN115834026A (en) | 2023-03-21 |
Family
ID=85532707
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211512189.3A Pending CN115834026A (en) | 2022-11-29 | 2022-11-29 | Safety encryption method based on industrial protocol |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115834026A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116489244A (en) * | 2023-06-25 | 2023-07-25 | 中电科网络安全科技股份有限公司 | Service data processing method and device, electronic equipment and storage medium |
-
2022
- 2022-11-29 CN CN202211512189.3A patent/CN115834026A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116489244A (en) * | 2023-06-25 | 2023-07-25 | 中电科网络安全科技股份有限公司 | Service data processing method and device, electronic equipment and storage medium |
| CN116489244B (en) * | 2023-06-25 | 2023-10-20 | 中电科网络安全科技股份有限公司 | Service data processing method and device, electronic equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8379638B2 (en) | Security encapsulation of ethernet frames | |
| CN106357690B (en) | data transmission method, data sending device and data receiving device | |
| CN110535748B (en) | VPN tunnel mode optimization method and system | |
| US8281122B2 (en) | Generation and/or reception, at least in part, of packet including encrypted payload | |
| CN112422560A (en) | Lightweight substation secure communication method and system based on secure socket layer | |
| Cho et al. | Securing ethernet-based optical fronthaul for 5g network | |
| CN113572766A (en) | Power data transmission method and system | |
| CN111555859A (en) | SM4-GCM algorithm and application in network security protocol | |
| CN114024698A (en) | Power distribution Internet of things service safety interaction method and system based on state cryptographic algorithm | |
| CN112954048A (en) | Internet of things system based on internet of things encryption gateway | |
| CN115174520B (en) | Network address information hiding method and system | |
| CN115834026A (en) | Safety encryption method based on industrial protocol | |
| CN107276996A (en) | The transmission method and system of a kind of journal file | |
| CN115208615A (en) | Data encryption transmission method for numerical control system | |
| CN114244577A (en) | Message processing method based on ESP | |
| Cho et al. | Secure open fronthaul interface for 5G networks | |
| CN106101056B (en) | Data processing method and allow IE browser based on the method for the close ssl protocol communication of state in a kind of agent software software architecture | |
| CN114500013B (en) | Data encryption transmission method | |
| CN108111515B (en) | End-to-end secure communication encryption method suitable for satellite communication | |
| CN114826748A (en) | Audio and video stream data encryption method and device based on RTP, UDP and IP protocols | |
| Zuo et al. | A novel software-defined network packet security tunnel forwarding mechanism | |
| CN113950802B (en) | Gateway device and method for performing site-to-site communication | |
| CN111935112A (en) | Serial-based cross-network data safety ferrying equipment and method | |
| CN217240711U (en) | Lightweight end-to-end electric power Internet of things encryption system | |
| Bozkurt et al. | Exploring the Vulnerabilities and Countermeasures of SSL/TLS Protocols in Secure Data Transmission Over Computer Networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |