WO2021012728A1 - Channel encryption method for fieldbus in water management automation control system - Google Patents


Info

Publication number
WO2021012728A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
module
key
serial communication
data unit
Application number
PCT/CN2020/085959
Other languages
French (fr)
Chinese (zh)
Inventor
傅晓
王志坚
Original Assignee
河海大学

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/38 Information transfer, e.g. on bus
    • G06F13/42 Bus transfer protocol, e.g. handshake; Synchronisation
    • G06F13/4282 Bus transfer protocol, e.g. handshake; Synchronisation on a serial bus, e.g. I2C bus, SPI bus
    • G06F13/4286 Bus transfer protocol, e.g. handshake; Synchronisation on a serial bus, e.g. I2C bus, SPI bus using a handshaking protocol, e.g. RS232C link
    • G06F2213/00 Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F2213/0002 Serial port, e.g. RS232C
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/004 Arrangements for detecting or preventing errors in the information received by using forward error control
    • H04L1/0056 Systems characterized by the type of code used
    • H04L1/0061 Error detection codes
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

Definitions

  • The invention belongs to the field of information technology, and in particular relates to a fieldbus channel encryption method in a water conservancy automation control system.
  • PLC: programmable logic controller.
  • The present invention proposes a fieldbus channel encryption method in a water conservancy automation control system that provides automation control equipment identity verification, fieldbus communication data confidentiality, and protocol packet integrity verification.
  • The technical solution adopted by the present invention is a hardware encryption gateway for fieldbus channel encryption, consisting of two serial communication modules, an encryption module, a key storage module, and a power supply module.
  • The two serial communication modules are connected respectively to the network physical interface of the automation control equipment and to the fieldbus, and receive or send serial communication protocol packets.
  • Each serial communication module is connected to the encryption module through a high-speed serial data bus interface.
  • The network physical interface used by the serial communication module includes, but is not limited to, an electrical interface conforming to the RS485/232 standard.
  • The high-speed serial data bus interface used by the serial communication module includes, but is not limited to, bus interfaces complying with the UART, I2C, and SPI standards.
  • The encryption module is a single-chip microcomputer system (SOC) that implements asymmetric encryption algorithms, symmetric encryption algorithms, hash algorithms, and random key generation algorithms, either in software using its built-in registers or in arithmetic logic unit hardware.
  • SOC: single-chip microcomputer system.
  • Asymmetric encryption algorithms include but are not limited to the SM2, ECC, and RSA algorithms.
  • Symmetric encryption algorithms include but are not limited to the SM1, RC4, and AES algorithms.
  • Hash algorithms include but are not limited to the SM3, MD5, and SHA-1 algorithms.
  • The encryption module is connected to the serial communication modules through its high-speed serial data bus interface, to the key storage module through its data bus and address bus interface, and to the power supply module through its power cord interface.
  • The key storage module is a flash (fast erase/rewrite) read-only memory.
  • Through the key storage module, the gateway stores destination address codes and the corresponding public and private keys.
  • The key storage module is connected to the encryption module through its data bus and address bus interface, which includes but is not limited to expansion bus interfaces conforming to the eMMC and UFS standards.
  • The power supply module is a DC power supply.
  • The gateway is powered by the power supply module, which converts the wide-voltage DC power input on the fieldbus into the voltage and current required by the gateway's working conditions.
  • The power supply module is connected to the encryption module through a two-core (VCC, GND) power cord interface; the input voltage is 12 V to 24 V.
  • The two serial communication modules of the hardware encryption gateway are connected respectively to the network physical interface of the automation control device and to the fieldbus.
  • The serial communication module connected to the network physical interface of the automation control device is called the device end, and the serial communication module connected to the fieldbus network physical interface is called the fieldbus end.
  • The automation control equipment includes but is not limited to PLCs, lower computers, sensors, and controllers.
  • Step S2: After the power supply module of the hardware encryption gateway starts working, the hardware encryption gateway starts and initializes its key storage module. If the initialization process completes, go to step S3; if the initialization process is terminated, no subsequent operations are performed. The initialization process is as follows:
  • At least one destination address code and the corresponding private key are stored in the key storage module; check whether exactly one private key record exists. If so, go to step (2-3); otherwise the initialization process is terminated and no subsequent operations are performed.
  • (2-3) At least one destination address code and the corresponding public key are stored in the key storage module; check whether the number of public key records is greater than or equal to 1. If so, the initialization process is complete; otherwise the initialization process is terminated and no subsequent operations are performed.
  • Step S3: The monitoring process starts. It has two parts: first, on the serial communication module connected to the fieldbus end, monitor all serial communication application data units (ADUs) entering the hardware encryption gateway; second, on the serial communication module connected to the device end, monitor all ADUs entering the hardware encryption gateway. The steps are as follows:
  • (3-1) Monitor all serial communication application data units (ADUs) entering the hardware encryption gateway on the serial communication module connected to the fieldbus end.
  • When the serial communication module of the hardware encryption gateway connected to the fieldbus end receives an incoming ADU, it sends an interrupt request to the encryption module.
  • The encryption module responds to the interrupt and enters interrupt processing, using the check code CRC at the end of the ADU to verify the remaining data of the unit (everything except the CRC).
  • The check algorithm uses the hash algorithm preset in the encryption module, including but not limited to the SM3, MD5, and SHA-1 algorithms.
  • ADDR: destination address code, in hexadecimal.
  • If no private key PRK or public key PUK corresponding to ADDR exists, the encryption module returns from the interrupt and does not respond to the ADU; if the private key PRK or public key PUK exists, it is used to decrypt the symmetric key ciphertext CK located at the header of the protocol data unit (PDU) in the ADU, through the asymmetric encryption algorithm built into the encryption module, to obtain the symmetric key RK.
  • Asymmetric encryption algorithms include but are not limited to the SM2, ECC, and RSA algorithms.
  • The encryption module takes the data plaintext PD at the header of EP, calculates the plaintext hash value PH through the built-in hash algorithm, and compares it with the hash data DH at the end of EP.
  • Hash algorithms include but are not limited to the SM3, MD5, and SHA-1 algorithms.
  • If the plaintext hash value PH differs from the hash data DH, the encryption module returns from the interrupt, discards the ADU, and does not respond; if PH is the same as DH, the data plaintext PD is used as the new protocol data unit PDU2.
  • The destination address code ADDR is prepended to PDU2, and the check code CRC2 of PDU2 is calculated and appended to the end of PDU2 to form a new application data unit ADU2.
  • The verification algorithm uses the hash algorithm preset in the encryption module, including but not limited to the SM3, MD5, and SHA-1 algorithms.
  • If no public key PUK or private key PRK corresponding to ADDR exists, the encryption module returns from the interrupt and does not respond to the ADU; if the public key PUK or private key PRK exists, the protocol data unit PDU in the ADU is used as the data plaintext PD, the plaintext hash value PH is calculated through the built-in hash algorithm, and PH is appended to the end of PD to form the encapsulated data payload EP.
  • Hash algorithms include but are not limited to the SM3, MD5, and SHA-1 algorithms.
  • (3-2-4) Generate a random symmetric key RK through the built-in random key generation algorithm, and use RK to encrypt the encapsulated data payload EP through the built-in symmetric encryption algorithm, obtaining the encapsulated data payload ciphertext EC.
  • Symmetric encryption algorithms include but are not limited to the SM1, RC4, and AES algorithms.
  • Asymmetric encryption algorithms (used to produce the symmetric key ciphertext CK) include but are not limited to the SM2, ECC, and RSA algorithms.
  • (3-2-6) Prepend the symmetric key ciphertext CK to the encapsulated data payload ciphertext EC to form a new protocol data unit PDU2.
  • The destination address code ADDR is prepended to PDU2, and the check code CRC2 of PDU2 is calculated and appended to the end of PDU2 to form a new application data unit ADU2.
  • The check algorithm uses the hash algorithm preset in the encryption module, including but not limited to the SM3, MD5, and SHA-1 algorithms.
  • Step S4: After the hardware encryption gateway starts executing the monitoring process, the monitoring process is terminated if and only if the power supply module stops supplying power; otherwise the monitoring process runs continuously. After the power supply module stops supplying power, the hardware encryption gateway re-executes the initialization process of step S2 and the monitoring process of step S3 if and only if power is supplied again.
  • By deploying a hardware encryption gateway between the automation control equipment (upper computer, lower computers and others) of the water conservancy automation control system and the fieldbus, and using public key encryption, private key encryption, random encryption and data hashing algorithms, the present invention realizes transparent encryption of the protocol data unit (PDU). This provides automation control equipment authentication, fieldbus communication data confidentiality, and protocol packet integrity verification, which effectively prevent unauthorized devices from monitoring and intercepting on the fieldbus channel or tampering with data monitoring and control information, gives high resistance to man-in-the-middle attacks, and reduces the security risk caused by intrusion of the fieldbus channel in the water conservancy automation control system.
  • PDU: Protocol Data Unit.
  • Compared with the link-layer plaintext data transmission used in existing fieldbuses, the invention can provide a reliable security guarantee for the water conservancy automation control system as a key infrastructure of the national economy.
  • The invention has high compatibility and versatility, does not need changes to the fieldbus network topology or the physical-layer transmission media, and enables low-cost transformation of existing water conservancy automation control systems.
  • Figure 1 is a structural diagram of the hardware encryption gateway.
  • Figure 2 is a schematic diagram of the device connections.
  • Figure 3 is the communication packet data structure from the fieldbus end to the device end during the monitoring process.
  • Figure 4 is the communication packet data structure from the device end to the fieldbus end during the monitoring process.
  • Figure 5 is a flowchart of the initialization process.
  • Figure 6 is a flowchart of the fieldbus-end monitoring process.
  • Figure 7 is a flowchart of the device-end monitoring process.
  • The hardware encryption gateway used for fieldbus channel encryption in the present invention is composed of two serial communication modules, an encryption module, a key storage module, and a power supply module.
  • The gateway structure is shown in Figure 1, and the fieldbus and device connections are shown in Figure 2.
  • Each serial communication module is composed of a serial communication chip, model ADM485, which is connected to the encryption module through the UART bus interface and to the external device through the RS485 interface.
  • The encryption module consists of a single-chip microcomputer system based on the ACH512 chip.
  • It contains hardware implementations of the preset SM1, SM2, SM3 and SM4 algorithms, is connected to the serial communication modules through the UART bus interface, and is connected to the key storage module through the address bus interface.
  • It is connected to the power supply module through the two-core (VCC, GND) power cord interface.
  • The key storage module is composed of a Flashrom chip, which is connected to the encryption module through the NAND Flash interface.
  • The power supply module is composed of a regulated DC circuit, which takes power from the fieldbus through the RS485 interface and is connected to the encryption module through the two-core (VCC, GND) power cord interface, providing the encryption module's standard working voltage and current.
  • D1 is the upper computer, set to master mode, with address 0x01; D2 and D3 are lower computers, set to slave mode, with addresses 0x02 and 0x03 respectively.
  • S1: Use the burning program in advance to write keys to the key storage modules of the hardware encryption gateways G1, G2 and G3 according to the following rules:
  • G2: write the address 0x02 of D2 and the private key of D2; write the address 0x01 of D1 and the public key of D1.
  • G3: write the address 0x03 of D3 and the private key of D3; write the address 0x01 of D1 and the public key of D1.
  • The device-end serial communication module of G1 is connected to D1 and the bus-end serial communication module of G1 to the fieldbus; the device-end serial communication module of G2 is connected to D2 and the bus-end serial communication module of G2 to the fieldbus; the device-end serial communication module of G3 is connected to D3 and the bus-end serial communication module of G3 to the fieldbus.
  • Since the keys written in step S1 above meet the requirements of the initialization process, the initialization process completes, and G1, G2 and G3 start to perform the monitoring process.
  • When G2 receives the above-mentioned encrypted ADU sent by G1, the bus-end serial communication module of G2 generates an interrupt, and its encryption module responds to the interrupt and enters interrupt processing, as shown in Figure 6. Since the private key of D2 is written in G2, the ADU sent by G1 is processed by G2, restored to plaintext, and transmitted to D2.
  • The communication packet data structure is shown in Figure 3. D2 now receives the serial communication application data unit ADU sent by D1, can perform the related operations, and can feed data back to D1.
  • Since in the Modbus protocol the destination address of an ADU returned by a slave to the master is always the slave's own device address, the returned packet's destination address is 0x02; the device-end serial communication module of G2 generates an interrupt, and its encryption module responds to the interrupt and enters interrupt processing, as shown in Figure 7. Since the private key of D2 is written in G2, the original ADU sent by D2 is processed by G2 into an encrypted ADU, which enters the fieldbus through the bus-end serial communication module of G2. The communication packet data structure is shown in Figure 4.
  • When G1 receives the above-mentioned encrypted ADU sent by G2, the bus-end serial communication module of G1 generates an interrupt, and the encryption module of G1 responds to the interrupt and enters interrupt processing, as shown in Figure 6. Since the public key of D2 is written in G1, the ADU sent by G2 is processed by G1, restored to plaintext, and transmitted to D1 through the device-end serial communication module of G1.
  • The communication packet data structure is shown in Figure 3.
  • A malicious attacker connects a malicious device D4 directly to the fieldbus without a hardware encryption gateway; the address of D4 is 0x04.
  • The attacker knows that the address of the master device D1 is 0x01 and tries to send a malicious packet P to D1.
  • Because the destination address of an ADU returned by a slave to the master is always the slave's own device address, the destination address of P is 0x04.
  • After G1 receives P, it checks whether the address 0x04 and a corresponding public key exist in its key storage module. Because they do not, G1 discards P and the attack fails.
  • The malicious attacker then tries to use D4 to impersonate D3 and send a malicious packet PP to D1. Because in the Modbus protocol the destination address of an ADU returned by a slave to the master is always the slave's device address, the destination address of PP is 0x03. After G1 receives PP, it checks whether the address 0x03 and a corresponding public key exist in its key storage module. Because they do, G1 uses the public key of D3 to decrypt PP. Since D4 cannot obtain the private key of D3 from the key storage module of G3, PP necessarily fails G1's verification process, and G1 discards PP and the attack fails.
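As an added illustration (not code from the patent or its applicant) of the transparent PDU encryption in steps 3-1 and 3-2 and of the D4 scenario above, the following Go program models the device-end encapsulation and the fieldbus-end decapsulation of one gateway. Assumptions: RSA-OAEP, AES-256-CTR and SHA-256 stand in for the algorithm families the patent lists; the ADU check code (CRC) is left out and a per-frame IV is carried after CK; the RSA key pair and the Modbus request frame are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Gateway models the key storage module: one private key PRK for the attached device's
// own ADDR and one public key PUK per known peer ADDR. Frames here are ADDR || PDU.
type Gateway struct {
	ownAddr byte
	priv    *rsa.PrivateKey
	pubs    map[byte]*rsa.PublicKey
}

// Encapsulate is the device-end path (Figure 4) for a frame whose ADDR has a
// stored PUK: EP = PD || SHA-256(PD), EC = AES-256-CTR_RK(EP), CK = RSA-OAEP_PUK(RK),
// PDU2 = CK || IV || EC. The per-frame IV after CK is this example's addition.
func (g *Gateway) Encapsulate(frame []byte) ([]byte, error) {
	if len(frame) < 2 || g.pubs[frame[0]] == nil {
		return nil, fmt.Errorf("no key record for frame %x: dropped", frame)
	}
	addr, pd, pub := frame[0], frame[1:], g.pubs[frame[0]]
	ph := sha256.Sum256(pd)
	ep := append(append([]byte{}, pd...), ph[:]...)
	seed := make([]byte, 32+aes.BlockSize) // fresh random RK and IV for this frame
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	rk, iv := seed[:32], seed[32:]
	ck, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, rk, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(rk) // rk is 32 bytes, so this cannot fail
	ec := make([]byte, len(ep))
	cipher.NewCTR(block, iv).XORKeyStream(ec, ep)
	return append(append(append([]byte{addr}, ck...), iv...), ec...), nil
}

// Decapsulate is the fieldbus-end path (Figure 3): the frame must carry the
// ADDR whose PRK this gateway holds, CK must open to a valid RK, and the
// recovered hash DH must equal SHA-256 of the plaintext PD; otherwise drop it.
func (g *Gateway) Decapsulate(frame []byte) ([]byte, error) {
	if len(frame) < 2 || g.priv == nil || frame[0] != g.ownAddr {
		return nil, fmt.Errorf("no key record for frame %x: dropped", frame)
	}
	addr, pdu2, n := frame[0], frame[1:], g.priv.Size() // CK is one RSA block
	if len(pdu2) < n+aes.BlockSize+sha256.Size {
		return nil, fmt.Errorf("PDU2 too short: dropped")
	}
	rk, err := rsa.DecryptOAEP(sha256.New(), nil, g.priv, pdu2[:n], nil)
	if err != nil || len(rk) != 32 {
		return nil, fmt.Errorf("CK does not open to a valid RK: dropped")
	}
	block, _ := aes.NewCipher(rk) // length checked above
	ep := make([]byte, len(pdu2)-n-aes.BlockSize)
	cipher.NewCTR(block, pdu2[n:n+aes.BlockSize]).XORKeyStream(ep, pdu2[n+aes.BlockSize:])
	pd, dh := ep[:len(ep)-sha256.Size], ep[len(ep)-sha256.Size:]
	if ph := sha256.Sum256(pd); subtle.ConstantTimeCompare(ph[:], dh) != 1 {
		return nil, fmt.Errorf("PH != DH: dropped")
	}
	return append([]byte{addr}, pd...), nil // plaintext frame for the device end
}

// RunScenario replays the D1 -> D2 request from the description with keys generated
// here (constructed): G1 stores D2's public key, G2 stores D2's private key.
func RunScenario() (roundTrip, tamperDropped, d4Dropped bool, err error) {
	d2, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	g1 := &Gateway{ownAddr: 0x01, pubs: map[byte]*rsa.PublicKey{0x02: &d2.PublicKey}}
	g2 := &Gateway{ownAddr: 0x02, priv: d2}
	plainIn := []byte{0x02, 0x03, 0x00, 0x00, 0x00, 0x02} // constructed Modbus read request
	enc, err := g1.Encapsulate(plainIn)
	if err != nil {
		return
	}
	plainOut, err := g2.Decapsulate(enc)
	if err != nil {
		return
	}
	bad := append([]byte{}, enc...) // flip one ciphertext bit: RK opens, but PH != DH
	bad[len(bad)-1] ^= 0x01
	_, tamperErr := g2.Decapsulate(bad)
	// The same frame relabelled as coming from unkeyed D4 (ADDR 0x04), reaching G1.
	_, d4Err := g1.Decapsulate(append([]byte{0x04}, enc[1:]...))
	return string(plainOut) == string(plainIn), tamperErr != nil, d4Err != nil, nil
}

func main() {
	fmt.Println(RunScenario())
}
```

The slave-to-master direction in the patent selects the sender's own private key instead of a peer public key; only the master-to-slave direction shown in Figures 3 and 4 is modelled here.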

Abstract

Disclosed is a channel encryption method for a fieldbus in a water management automation control system. By means of a hardware encryption gateway deployed between an automation control device and the fieldbus, transparent encryption of a protocol data unit is implemented. In the hardware encryption gateway, by means of a mixed encryption solution combining a domestic symmetric encryption algorithm and an asymmetric encryption algorithm, automation control device identity authentication, fieldbus communication data confidentiality, and protocol packet integrity check functions are implemented, an unauthorized invalid device is effectively prevented from listening to, intercepting, and tampering with data monitoring and control information on a channel of the fieldbus, increased resistance against a man-in-the-middle attack is provided, and security risks in the water management automation control system resulting from a fieldbus channel intrusion are reduced. The hardware encryption gateway is capable of seamlessly accessing a fieldbus of an existing water management automation control system and provides increased device compatibility and versatility.

Description

Method for encrypting a fieldbus channel in a water conservancy automation control system
Technical field
The invention belongs to the field of information technology, and in particular relates to a fieldbus channel encryption method in a water conservancy automation control system.
Background
In the water conservancy automation control systems currently deployed in China, the great majority use a fieldbus (Field Bus) network to connect the programmable logic controllers (PLCs) and lower computers. The reason is that the physical-layer media used in computer networks, such as STP or single-mode and multi-mode optical fibre, do not have the physical properties needed for highly weather-resistant, high-strength industrial application scenarios. With its excellent performance and price advantage, RS232/485 cable has more than twenty years of application history in industrial automation control systems and cannot be replaced in the short term. Replacing the existing physical layer would be too costly to implement, possibly even more than the cost of the original system deployment. Using wireless networking would reduce the reliability and stability of the network and cannot be implemented in scenarios with signal shielding, so it is highly limited.
At present, most PLCs used in water conservancy automation control systems do not have computer network communication capabilities and must be fitted with matching hardware interfaces. Retrofitting existing equipment likewise costs too much to implement, must take account of the differing electrical and interface specifications of different manufacturers, and offers poor cost-effectiveness. Although the Modbus TCP protocol supports transparent transmission over computer networks, its implementation is relatively simple and cannot support the network-layer and transport-layer security features of the TCP/IP protocol suite; special modifications to the network module are required, and its versatility is limited.
Most electrical engineers only have development experience with data communication on fieldbus networks. If a computer network is to replace the fieldbus, sufficient personnel support is required, which means that the relevant body of knowledge, training materials, courses, practices and processes must first be established. Because the training period for electrical engineers is long, the personnel base for carrying out a computer networking transformation does not yet exist.
In summary, the idea of reusing the relevant theories and technologies of computer networks to solve the security problems of fieldbus networks in water conservancy automation control systems has considerable limitations under current personnel and technical conditions.
Therefore, how to propose a low-cost, highly applicable encryption scheme for the fieldbus channel while keeping transformation costs down, and how to realize automation control equipment identity verification, fieldbus communication data confidentiality, and protocol packet integrity verification through a hybrid encryption scheme combining domestic symmetric and asymmetric encryption algorithms, is a subject of high research and application value.
发明内容Summary of the invention
发明目的:针对以上问题,本发明提出一种水利自动化控制系统中现场总线信道加密方法,实现自动化控制设备身份验证、现场总线通信数据保密、协议分组完整性校验功能。Purpose of the invention: In view of the above problems, the present invention proposes a fieldbus channel encryption method in a water conservancy automation control system to realize the functions of automatic control equipment identity verification, fieldbus communication data confidentiality, and protocol packet integrity verification.
技术方案:为实现本发明的目的,本发明所采用的技术方案是:一种用于现场总线信道加密的硬件加密网关,由两个串口通信模块、加密模块、密钥存储模块、供电模块组成。Technical solution: In order to achieve the purpose of the present invention, the technical solution adopted by the present invention is: a hardware encryption gateway for fieldbus channel encryption, consisting of two serial communication modules, encryption modules, key storage modules, and power supply modules .
The two serial communication modules connect respectively to the network physical interface of the automation control device and to that of the fieldbus, and receive or send serial communication protocol packets. Each serial communication module connects to the encryption module through a high-speed serial data bus interface. The network physical interface used by a serial communication module includes, but is not limited to, an electrical interface conforming to the RS485/232 standard. The high-speed serial data bus interface used by a serial communication module includes, but is not limited to, bus interfaces conforming to the UART, I2C and SPI standards.
The encryption module is a single-chip microcomputer system (SOC) that implements an asymmetric encryption algorithm, a symmetric encryption algorithm, a hash algorithm and a random key generation algorithm, either in software code held in built-in registers or in arithmetic logic unit hardware. The asymmetric encryption algorithms include, but are not limited to, SM2, ECC and RSA; the symmetric encryption algorithms include, but are not limited to, SM1, RC4 and AES; the hash algorithms include, but are not limited to, SM3, MD5 and SHA-1. The encryption module connects to the serial communication modules through its high-speed serial data bus interface, to the key storage module through its data bus and address bus interface, and to the power supply module through its power line interface.
The key storage module is a flash-erasable read-only memory. Through the key storage module, the gateway stores destination address codes together with the corresponding public and private keys. The key storage module connects to the encryption module through its data bus and address bus interface, which includes, but is not limited to, an expansion bus interface conforming to the eMMC or UFS standard.
The power supply module is a DC power supply. It powers the gateway by converting the wide-range DC input drawn from the fieldbus into the voltage and current that the gateway's operating conditions require. The power supply module connects to the encryption module through a two-wire (VCC, GND) power line interface; the input voltage is 12 V to 24 V.
The two serial communication modules of the hardware encryption gateway connect respectively to the network physical interface of the automation control device and to that of the fieldbus. The serial communication module connected to the automation control device's network physical interface is called the device side, and the serial communication module connected to the fieldbus network physical interface is called the fieldbus side.
A fieldbus channel encryption method in a water conservancy automation control system comprises the following steps:
S1: Between each automation control device connected to the fieldbus and the fieldbus network physical interface, connect one hardware encryption gateway, and write the corresponding keys and destination address codes into the gateway's key storage module in advance. The automation control devices include, but are not limited to, PLCs, lower computers, sensors and controllers.
S2: Once the gateway's power supply module starts working, the hardware encryption gateway boots and initializes its key storage module. If the initialization process completes, proceed to step S3; if the initialization process is aborted, no further operations are performed. The initialization process is as follows:
(2-1) Look up all destination address codes stored in the key storage module, together with the corresponding public key and private key records;
(2-2) The key storage module stores at least one destination address code with a corresponding private key. Check whether the number of private key records is exactly one (unique): if so, proceed to step (2-3); otherwise the initialization process is aborted and no further operations are performed;
(2-3) The key storage module stores at least one destination address code with a corresponding public key. Check whether the number of public key records is greater than or equal to 1: if so, the initialization process is complete; otherwise the initialization process is aborted and no further operations are performed.
S3: After the gateway's key storage module has been initialized, the listening process begins. The listening process has two parts: first, on the serial communication module connected to the fieldbus side, listening for every serial communication application data unit ADU entering the hardware encryption gateway; second, on the serial communication module connected to the device side, listening for every serial communication application data unit ADU entering the hardware encryption gateway. The steps are as follows:
(3-1) On the serial communication module connected to the fieldbus side, listen for every serial communication application data unit ADU entering the hardware encryption gateway:
(3-1-1) When the fieldbus-side serial communication module of the hardware encryption gateway receives an incoming serial communication application data unit ADU, it sends an interrupt request to the encryption module. The encryption module services the interrupt and enters its interrupt handler, where it uses the check code CRC at the tail of the ADU to verify the remainder of the unit (everything except the CRC). The check algorithm uses the hash algorithm preset inside the encryption module, including but not limited to SM3, MD5 and SHA-1.
(3-1-2) If the check fails, the encryption module returns from the interrupt and does not respond to the ADU. If the check succeeds, the encryption module takes the destination address code ADDR from the ADU header and looks up the private key PRK or public key PUK corresponding to ADDR in the key management module. ADDR is hexadecimal (HEX) data of one byte or more.
(3-1-3) If neither PRK nor PUK exists, the encryption module returns from the interrupt and does not respond to the ADU. If PRK or PUK exists, the module uses that key with its built-in asymmetric encryption algorithm to decrypt the symmetric key ciphertext CK located at the header of the protocol data unit (PDU) inside the ADU, obtaining the symmetric key RK. The asymmetric encryption algorithms include, but are not limited to, SM2, ECC and RSA.
(3-1-4) Using the symmetric key RK with the built-in symmetric encryption algorithm, decrypt the encapsulated data payload ciphertext EC, which is the part of the PDU following the header, to obtain the encapsulated data payload EP. EP consists of the data plaintext PD at its head and the hash data DH at its tail. The symmetric encryption algorithms include, but are not limited to, SM1, RC4 and AES.
(3-1-5) The encryption module computes the plaintext hash value PH over the data plaintext PD at the head of EP with its built-in hash algorithm and compares it with the hash data DH at the tail of EP. The hash algorithms include, but are not limited to, SM3, MD5 and SHA-1.
(3-1-6) If PH differs from DH, the encryption module returns from the interrupt, discards the ADU and does not respond. If PH equals DH, the data plaintext PD becomes the new protocol data unit PDU2. The destination address code ADDR is prepended to PDU2, and the check code CRC2 of PDU2 is computed and appended to its tail, forming the new application data unit ADU2. The check algorithm uses the hash algorithm preset inside the encryption module, including but not limited to SM3, MD5 and SHA-1.
(3-1-7) Send ADU2 through the device-side serial communication module.
(3-2) On the serial communication module connected to the device side, listen for every serial communication application data unit ADU entering the hardware encryption gateway:
(3-2-1) When the device-side serial communication module of the gateway receives an incoming serial communication application data unit ADU, it sends an interrupt request to the encryption module. The encryption module services the interrupt and enters its interrupt handler, where it uses the check code CRC at the tail of the ADU to verify the remainder of the unit (everything except the CRC). The check algorithm uses the hash algorithm preset inside the encryption module, including but not limited to SM3, MD5 and SHA-1.
(3-2-2) If the check fails, the encryption module returns from the interrupt and does not respond to the ADU. If the check succeeds, the encryption module takes the destination address code ADDR from the ADU header and looks up the public key PUK or private key PRK corresponding to ADDR in the key management module. ADDR is hexadecimal (HEX) data of one byte or more.
(3-2-3) If neither PUK nor PRK exists, the encryption module returns from the interrupt and does not respond to the ADU. If PUK or PRK exists, the protocol data unit PDU inside the ADU is taken as the data plaintext PD; the plaintext hash value PH is computed over PD with the built-in hash algorithm and appended to the tail of PD, forming the encapsulated data payload EP. The hash algorithms include, but are not limited to, SM3, MD5 and SHA-1.
(3-2-4) Generate a random symmetric key RK with the built-in random key generation algorithm, and use RK with the built-in symmetric encryption algorithm to encrypt the encapsulated data payload EP, obtaining the encapsulated data payload ciphertext EC. The symmetric encryption algorithms include, but are not limited to, SM1, RC4 and AES.
(3-2-5) Use PUK or PRK with the built-in asymmetric encryption algorithm to encrypt the random symmetric key RK, obtaining the symmetric key ciphertext CK. The asymmetric encryption algorithms include, but are not limited to, SM2, ECC and RSA.
(3-2-6) Prepend the symmetric key ciphertext CK to the encapsulated data payload ciphertext EC to form the new protocol data unit PDU2. Prepend the destination address code ADDR to PDU2, compute the check code CRC2 of PDU2 and append it to the tail, forming the new application data unit ADU2. The check algorithm uses the hash algorithm preset inside the encryption module, including but not limited to SM3, MD5 and SHA-1.
(3-2-7) Send ADU2 through the fieldbus-side serial communication module.
S4: Once the hardware encryption gateway has started the listening process, that process terminates if and only if the power supply module stops supplying power; otherwise the listening process runs continuously. After the power supply module stops supplying power, the gateway re-runs the initialization process of step S2 and the listening process of step S3 once, if and only if power is supplied again.
Beneficial effects: compared with the prior art, the technical solution of the present invention has the following beneficial technical effects:
By deploying a hardware encryption gateway between the fieldbus and the automation control devices of a water conservancy automation control system, such as upper computers and lower computers, the present invention uses public key encryption, private key encryption, random-key encryption and data hashing to achieve transparent encryption of the protocol data unit (PDU). It provides authentication of automation control devices, confidentiality of fieldbus communication data and integrity checking of protocol packets, which effectively prevents unauthorized devices from eavesdropping on, intercepting or tampering with monitoring data and control information on the fieldbus channel, gives strong resistance to man-in-the-middle attacks, and lowers the security risk arising from intrusion into the fieldbus channel of a water conservancy automation control system. Compared with the plaintext link-layer data transmission used by existing fieldbuses, it provides reliable security assurance for water conservancy automation control systems, which are critical infrastructure in the national economy. The invention is highly compatible and general: it requires no change to the fieldbus network topology or the physical-layer transmission medium, and allows low-cost retrofitting of existing water conservancy automation control systems.
Description of the drawings
Figure 1 is a structural diagram of the hardware encryption gateway;
Figure 2 is a schematic diagram of the device connections;
Figure 3 is the data structure of a communication packet from the fieldbus side to the device side during the listening process;
Figure 4 is the data structure of a communication packet from the device side to the fieldbus side during the listening process;
Figure 5 is a flowchart of the initialization process;
Figure 6 is a flowchart of the fieldbus-side listening process;
Figure 7 is a flowchart of the device-side listening process.
Detailed description of embodiments
The technical solution of the present invention is further described below with reference to the drawings and an embodiment.
The hardware encryption gateway for fieldbus channel encryption described in the present invention consists of two serial communication modules, an encryption module, a key storage module and a power supply module. The gateway structure is shown in Figure 1, and the connection of the fieldbus and the devices is shown in Figure 2.
Each serial communication module consists of one serial communication chip, model ADM485, which connects to the encryption module through a UART bus interface and to external devices through an RS485 interface;
The encryption module consists of a single-chip microcomputer system based on the ACH512 chip, with built-in hardware implementations of the SM1, SM2, SM3 and SM4 algorithms. It connects to the serial communication modules through a UART bus interface, to the key storage module through an address bus interface, and to the power supply module through a two-wire (VCC, GND) power line interface.
The key storage module consists of one Flashrom chip connected to the encryption module through a NAND Flash interface.
The power supply module consists of a regulated DC circuit that draws power from the fieldbus through the RS485 interface and connects to the encryption module through the two-wire (VCC, GND) power line interface, providing the encryption module's standard operating voltage and current.
Suppose a water conservancy automation control system has automation control devices D1, D2 and D3 on the same fieldbus. D1 is the upper computer, set to master mode, with address 0x01; D2 and D3 are lower computers, set to slave mode, with addresses 0x02 and 0x03 respectively.
The fieldbus channel encryption method in a water conservancy automation control system described in the present invention comprises the following steps:
S1: Using a programming tool, write keys into the key storage modules of hardware encryption gateways G1, G2 and G3 in advance, according to the following rules:
In G1, write D1's address 0x01 with D1's private key; D2's address 0x02 with D2's public key; and D3's address 0x03 with D3's public key.
In G2, write D2's address 0x02 with D2's private key, and D1's address 0x01 with D1's public key.
In G3, write D3's address 0x03 with D3's private key, and D1's address 0x01 with D1's public key.
Deploy G1, G2 and G3 between devices D1, D2 and D3 and the fieldbus respectively: G1's device-side serial communication module connects to D1 and its bus-side serial communication module to the fieldbus; G2's device-side serial communication module connects to D2 and its bus-side serial communication module to the fieldbus; G3's device-side serial communication module connects to D3 and its bus-side serial communication module to the fieldbus.
S2: After the power supply modules of G1, G2 and G3 start working, G1, G2 and G3 boot and begin the initialization process on their key storage modules, shown in Figure 5. The initialization process is as follows:
Look up all destination address codes stored in the key storage module, together with the corresponding public key and private key records; check whether the number of private key records is exactly one. If not, the initialization process is aborted and no further operations are performed; if so, check whether the number of public key records is greater than or equal to 1. If it is, the initialization process is complete; otherwise the initialization process is aborted and no further operations are performed.
Because the keys written in step S1 satisfy the requirements of the initialization process, initialization completes and G1, G2 and G3 begin the listening process.
S3: When D1 sends a serial communication application data unit ADU to D2, with the ADU's destination address code set to 0x02, G1's device-side serial communication module raises an interrupt; G1's encryption module services it and enters the interrupt handler shown in Figure 7. Because D2's public key is stored in G1, the original ADU from D1 is processed by G1 into an encrypted ADU that enters the fieldbus; its communication packet data structure is shown in Figure 4.
When G2 receives this encrypted ADU from G1, G2's bus-side serial communication module raises an interrupt; G2's encryption module services it and enters the interrupt handler shown in Figure 6. Because D2's private key is stored in G2, the ADU from G1 is restored to plaintext by G2 and delivered to D2; its communication packet data structure is shown in Figure 3. D2 has now received the serial communication application data unit ADU sent by D1, can perform the corresponding operation, and can return data to D1.
Because in the Modbus protocol the destination address of an ADU returned by a slave to the master is always the slave's own address, the returned packet has destination address 0x02. G2's device-side serial communication module raises an interrupt; G2's encryption module services it and enters the interrupt handler shown in Figure 7. Because D2's private key is stored in G2, the original ADU from D2 is processed by G2 into an encrypted ADU that enters the fieldbus through G2's bus-side serial communication module; its communication packet data structure is shown in Figure 4.
When G1 receives this encrypted ADU from G2, G1's bus-side serial communication module raises an interrupt; G1's encryption module services it and enters the interrupt handler shown in Figure 6. Because D2's public key is stored in G1, the ADU from G2 is restored to plaintext by G1 and delivered to D1 through G1's device-side serial communication module; its communication packet data structure is shown in Figure 3.
Suppose an attacker connects a malicious device D4, with address 0x04, directly to the fieldbus without passing through a hardware encryption gateway. The attacker knows that the master D1 has address 0x01 and tries to send a malicious packet P to D1. Because in the Modbus protocol the destination address of an ADU returned by a slave to the master is always the slave's own address, P has destination address 0x04. On receiving P, G1 checks whether address 0x04 and a corresponding public key exist in its key storage module. They do not, so G1 discards P and the attack fails.
The attacker then tries to use D4 to impersonate D3 and sends a malicious packet PP to D1; by the same Modbus rule, PP has destination address 0x03. On receiving PP, G1 checks whether address 0x03 and a corresponding public key exist in its key storage module. They do, so G1 decrypts PP with D3's public key. Because D4 cannot obtain D3's private key held in G3's key storage module, PP necessarily fails G1's verification; G1 discards PP and the attack fails.
Finally, the attacker removes D3 from G3, connects D4 to G3's device-side serial communication module, and sends a malicious packet PPP to D1. Because D3 and D4 have different addresses, G3 cannot find address 0x04 and a corresponding private key in its key storage module, so G3 discards PPP and the attack fails.
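Added example, not the patent's own code: a Python model of the two listener paths, steps (3-1) and (3-2) of the method, run on the D1/D2 exchange and the D4 rejection cases of this embodiment. Assumptions, all labelled in the code: Modbus RTU CRC-16 framing of the ADU, SHA-256 standing in for SM3, a SHA-256 counter-mode keystream standing in for SM1/AES, textbook RSA on toy Mersenne-prime moduli standing in for SM2/RSA, and key stores STORE_G1 and STORE_G2 constructed to mirror step S1.

```python
"""Added model of the patent's gateway packet transforms; not the patent's own code.
Labelled assumptions: ADU = ADDR (1 byte) || PDU || CRC-16 (Modbus RTU, low byte first);
SHA-256 stands in for SM3, a SHA-256 counter-mode keystream for SM1/AES, and textbook
RSA on toy Mersenne-prime moduli for SM2/RSA; they model the packet structure only.
"""
import hashlib
import hmac
import os
import struct

RK_LEN = 16  # bytes of the random symmetric key RK
DH_LEN = 32  # bytes of the SHA-256 hash DH appended to PD

def crc16_modbus(data: bytes) -> int:
    """Modbus RTU CRC-16 (reflected poly 0xA001, init 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def frame_adu(addr: int, pdu: bytes) -> bytes:
    """Build ADU = ADDR || PDU || CRC (steps 3-1-6 and 3-2-6)."""
    body = bytes([addr]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))

def parse_adu(adu: bytes):
    """Verify the trailing CRC (3-1-1 / 3-2-1); return (ADDR, PDU) or None."""
    if len(adu) < 3:
        return None
    body, (crc,) = adu[:-2], struct.unpack("<H", adu[-2:])
    return (body[0], body[1:]) if crc16_modbus(body) == crc else None

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with SHA-256(key || counter) blocks."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def rsa_keypair(p: int, q: int):
    """Textbook RSA from two known primes; returns (public_exp, private_exp, n)."""
    n, e = p * q, 65537
    return e, pow(e, -1, (p - 1) * (q - 1)), n

def rsa_apply(block: bytes, exponent: int, n: int) -> bytes:
    """Raw RSA with either exponent, since a gateway holds PUK or PRK per address.
    Encrypting under a private key gives authenticity, not secrecy from public-key holders."""
    size = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(block, "big"), exponent, n).to_bytes(size, "big")

def device_to_bus(adu: bytes, store: dict):
    """Device-side listener (3-2): plaintext ADU in, encrypted ADU2 out, else None."""
    parsed = parse_adu(adu)
    if parsed is None:                      # 3-2-2: CRC failed, no response
        return None
    addr, pd = parsed
    if addr not in store:                   # 3-2-3: no key for ADDR, discard
        return None
    ep = pd + hashlib.sha256(pd).digest()   # 3-2-3: EP = PD || DH
    rk = os.urandom(RK_LEN)                 # 3-2-4: fresh random RK
    ec = stream_xor(rk, ep)                 #        EC = Enc_RK(EP)
    ck = rsa_apply(rk, *store[addr])        # 3-2-5: CK = AsymEnc_key(RK)
    return frame_adu(addr, ck + ec)         # 3-2-6: ADU2 = ADDR || CK || EC || CRC2

def bus_to_device(adu: bytes, store: dict):
    """Bus-side listener (3-1): encrypted ADU in, plaintext ADU2 out, else None."""
    parsed = parse_adu(adu)
    if parsed is None:                      # 3-1-2: CRC failed, no response
        return None
    addr, pdu = parsed
    if addr not in store:                   # 3-1-3: unknown ADDR, discard
        return None
    exp, n = store[addr]
    ck_len = (n.bit_length() + 7) // 8
    if len(pdu) < ck_len + DH_LEN:          # cannot hold CK plus DH, discard
        return None
    rk = rsa_apply(pdu[:ck_len], exp, n)[-RK_LEN:]   # 3-1-3: recover RK from CK
    ep = stream_xor(rk, pdu[ck_len:])                # 3-1-4: EP = PD || DH
    pd, dh = ep[:-DH_LEN], ep[-DH_LEN:]
    if not hmac.compare_digest(hashlib.sha256(pd).digest(), dh):
        return None                          # 3-1-6: PH != DH, discard
    return frame_adu(addr, pd)               # 3-1-6/7: ADU2 = ADDR || PD || CRC2

# Constructed key material for the embodiment's D1 (master, 0x01) and D2 (slave, 0x02).
_E1, _D1, _N1 = rsa_keypair((1 << 127) - 1, (1 << 89) - 1)
_E2, _D2, _N2 = rsa_keypair((1 << 107) - 1, (1 << 61) - 1)
STORE_G1 = {0x01: (_D1, _N1), 0x02: (_E2, _N2)}   # G1 holds D1 private, D2 public
STORE_G2 = {0x02: (_D2, _N2), 0x01: (_E1, _N1)}   # G2 holds D2 private, D1 public

if __name__ == "__main__":
    request = frame_adu(0x02, b"\x03\x00\x00\x00\x0a")   # D1 -> D2: read 10 registers
    on_bus = device_to_bus(request, STORE_G1)
    print("G2 restores D1's request:", bus_to_device(on_bus, STORE_G2) == request)
    print("unknown 0x04 dropped:", bus_to_device(frame_adu(0x04, b"\0" * 64), STORE_G1) is None)
```

A frame whose ciphertext is altered on the bus, even with its CRC recomputed, fails the DH comparison and is dropped, which is the property the CRC alone cannot give.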
The embodiment only illustrates the technical idea of the present invention and does not limit its scope of protection; any modification made on the basis of the technical solution in accordance with the technical idea proposed by the present invention falls within the scope of protection of the present invention.

Claims (9)

  1. A hardware encryption gateway for fieldbus channel encryption, characterized in that: the gateway consists of two serial communication modules, an encryption module, a key storage module and a power supply module; the two serial communication modules connect respectively to the network physical interface of the automation control device and to that of the fieldbus; each serial communication module connects to the encryption module through a high-speed serial data bus interface; the encryption module is a single-chip microcomputer system (SOC) that connects to the key storage module through its data bus and address bus interface and to the power supply module through its power line interface; the key storage module is a flash-erasable read-only memory that connects to the encryption module through its data bus and address bus interface; the power supply module is a DC power supply that connects to the encryption module through a two-wire (VCC, GND) power line interface.
  2. The hardware encryption gateway for fieldbus channel encryption according to claim 1, characterized in that: the network physical interface used by the serial communication module includes, but is not limited to, an electrical interface conforming to the RS485/232 standard, and the high-speed serial data bus interface used by the serial communication module includes, but is not limited to, bus interfaces conforming to the UART, I2C and SPI standards; the data bus and address bus interface of the key storage module includes, but is not limited to, expansion bus interfaces conforming to the eMMC and UFS standards.
  3. The hardware encryption gateway for fieldbus channel encryption according to claim 1, characterized in that: the encryption module implements an asymmetric encryption algorithm, a symmetric encryption algorithm, a hash algorithm and a random key generation algorithm, either in software code held in built-in registers or in arithmetic logic unit hardware; the asymmetric encryption algorithms include, but are not limited to, SM2, ECC and RSA; the symmetric encryption algorithms include, but are not limited to, SM1, RC4 and AES; the hash algorithms include, but are not limited to, SM3, MD5 and SHA-1.
  4. The hardware encryption gateway for fieldbus channel encryption according to claim 1, characterized in that: each serial communication module consists of one serial communication chip, model ADM485, which connects to the encryption module through a UART bus interface and to external devices through an RS485 interface; the encryption module consists of a single-chip microcomputer system based on the ACH512 chip; the key storage module consists of one Flashrom chip connected to the encryption module through a NAND Flash interface.
  5. A fieldbus channel encryption method in a water conservancy automation control system, implemented with the hardware encryption gateway according to any one of claims 1 to 4, characterized in that the method comprises the following steps:
    S1: Between each automation control device connected to the fieldbus and the fieldbus network physical interface, connect one hardware encryption gateway, and write the corresponding keys and destination address codes into the gateway's key storage module in advance;
    S2: Once the gateway's power supply module starts working, the hardware encryption gateway boots and initializes its key storage module; if the initialization process completes, proceed to step S3; if the initialization process is aborted, no further operations are performed;
    S3: After the gateway's key storage module has been initialized, the listening process begins;
    S4: Once the hardware encryption gateway has started the listening process, that process terminates if and only if the power supply module stops supplying power; otherwise the listening process runs continuously; after the power supply module stops supplying power, the gateway re-runs the initialization process of step S2 and the listening process of step S3, if and only if power is supplied again.
  6. The fieldbus channel encryption method for a water conservancy automation control system according to claim 5, characterized in that the initialization process of step S2 is as follows:
    (2-1) look up all destination address codes stored in the key storage module, together with their corresponding public key and private key records;
    (2-2) determine whether the number of private key records is exactly one; if so, proceed to step (2-3); otherwise the initialization process is aborted and no further operations are performed;
    (2-3) determine whether the number of public key records is greater than or equal to 1; if so, the initialization process is complete; otherwise the initialization process is aborted and no further operations are performed.
  7. The fieldbus channel encryption method for a water conservancy automation control system according to claim 5, characterized in that the listening process of step S3 consists of two parts: first, on the serial communication module connected to the fieldbus side, listening for all serial communication application data units (ADUs) entering the hardware encryption gateway; second, on the serial communication module connected to the device side, listening for all serial communication ADUs entering the hardware encryption gateway.
  8. The fieldbus channel encryption method for a water conservancy automation control system according to claim 7, characterized in that listening on the serial communication module connected to the fieldbus side for all serial communication ADUs entering the hardware encryption gateway proceeds as follows:
    (3-1-1) when the serial communication module of the hardware encryption gateway connected to the fieldbus side receives an incoming serial communication ADU, it sends an interrupt request to the encryption module; the encryption module services the interrupt, enters the interrupt handler, and uses the check code CRC at the tail of the ADU to verify the remainder of the unit excluding the CRC, the check algorithm being the hash algorithm preset inside the encryption module;
    (3-1-2) if the check fails, the encryption module returns from the interrupt and does not respond to the ADU; if the check succeeds, the encryption module uses the destination address code ADDR at the head of the ADU to look up, in the key management module, the private key PRK or public key PUK corresponding to ADDR; ADDR is hexadecimal (HEX) data of one byte or more;
    (3-1-3) if neither the private key PRK nor the public key PUK exists, the encryption module returns from the interrupt and does not respond to the ADU; if the private key PRK or public key PUK exists, it is used with the asymmetric encryption algorithm built into the encryption module to decrypt the symmetric key ciphertext CK located at the head of the protocol data unit (PDU) within the ADU, obtaining the symmetric key RK;
    (3-1-4) using the symmetric key RK and the symmetric encryption algorithm built into the encryption module, decrypt the encapsulated data payload ciphertext EC, which is the part of the PDU following its header, obtaining the encapsulated data payload EP; EP consists of the data plaintext PD at its head and the hash data DH at its tail;
    (3-1-5) the encryption module computes the plaintext hash value PH of the data plaintext PD at the head of EP using the built-in hash algorithm and compares it with the hash data DH at the tail of EP;
    (3-1-6) if the plaintext hash value PH differs from the hash data DH, the encryption module returns from the interrupt, discards the ADU and does not respond; if PH equals DH, the data plaintext PD is taken as the new protocol data unit PDU2; the destination address code ADDR is prepended to PDU2, the check code CRC2 of PDU2 is computed and appended to its tail, forming the new application data unit ADU2; the check algorithm is the hash algorithm preset inside the encryption module;
    (3-1-7) ADU2 is transmitted through the serial communication module on the device side.
  9. The fieldbus channel encryption method for a water conservancy automation control system according to claim 7, characterized in that listening on the serial communication module connected to the device side for all serial communication ADUs entering the hardware encryption gateway proceeds as follows:
    (3-2-1) when the serial communication module of the gateway connected to the device side receives an incoming serial communication ADU, it sends an interrupt request to the encryption module; the encryption module services the interrupt, enters the interrupt handler, and uses the check code CRC at the tail of the ADU to verify the remainder of the unit excluding the CRC, the check algorithm being the hash algorithm preset inside the encryption module;
    (3-2-2) if the check fails, the encryption module returns from the interrupt and does not respond to the ADU; if the check succeeds, the encryption module uses the destination address code ADDR at the head of the ADU to look up, in the key management module, the public key PUK or private key PRK corresponding to ADDR; ADDR is hexadecimal (HEX) data of one byte or more;
    (3-2-3) if neither the public key PUK nor the private key PRK exists, the encryption module returns from the interrupt and does not respond to the ADU; if the public key PUK or private key PRK exists, the protocol data unit PDU within the ADU is taken as the data plaintext PD, the plaintext hash value PH is computed with the built-in hash algorithm, and PH is appended to the tail of PD to form the encapsulated data payload EP;
    (3-2-4) generate a random symmetric key RK with the built-in random key generation algorithm, and encrypt the encapsulated data payload EP with RK using the built-in symmetric encryption algorithm, obtaining the encapsulated data payload ciphertext EC;
    (3-2-5) encrypt the random symmetric key RK with the public key PUK or private key PRK using the built-in asymmetric encryption algorithm, obtaining the symmetric key ciphertext CK;
    (3-2-6) prepend the symmetric key ciphertext CK to the encapsulated data payload ciphertext EC, forming the new protocol data unit PDU2; prepend the destination address code ADDR to PDU2, compute the check code CRC2 of PDU2 and append it to the tail of PDU2, forming the new application data unit ADU2; the check algorithm is the hash algorithm preset inside the encryption module;
    (3-2-7) ADU2 is transmitted through the serial communication module on the fieldbus side.
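Claims 8 and 9 describe the two listening paths of one framing scheme: ADU = ADDR || PDU || CRC, where the device-side path wraps the PDU as CK || E_RK(PD || H(PD)) and the bus-side path unwraps it, checks the hash and re-frames the plaintext. The block below is an added example (not the patent's code) implementing both paths in Python; because the claims name no algorithms, it assumes a one-byte ADDR, CRC-32, SHA-256, and stdlib stand-ins for the ciphers: HMAC-SHA256 in counter mode for the symmetric cipher and a per-address wrapping key in place of the asymmetric step (the claims protect integrity with a hash inside the ciphertext rather than a MAC, and the example mirrors that).

```python
import hashlib, hmac, os, zlib

ADDR_LEN = 1      # assumption: one-byte ADDR (the claims only say one byte or more)
CRC_LEN = 4       # assumption: CRC-32 stands in for the module's preset check algorithm
RK_LEN, SALT_LEN = 16, 16
CK_LEN = SALT_LEN + RK_LEN   # fixed-size CK so the bus side knows where EC begins

def crc(data): return zlib.crc32(data).to_bytes(CRC_LEN, "big")
def h(data): return hashlib.sha256(data).digest()           # built-in hash, SHA-256 assumed
def frame(addr, pdu): return addr + pdu + crc(addr + pdu)   # ADU = ADDR || PDU || CRC

def stream_xor(key, nonce, data):
    """Symmetric cipher stand-in: HMAC-SHA256 keystream in counter mode (stdlib has no AES).
    Acceptable here only because RK is fresh for every ADU, so (key, nonce, counter) never repeats."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def wrap_rk(kek, rk):        # stand-in for the asymmetric step: CK = salt || E_kek(RK)
    salt = os.urandom(SALT_LEN)
    return salt + stream_xor(kek, salt, rk)

def unwrap_rk(kek, ck): return stream_xor(kek, ck[:SALT_LEN], ck[SALT_LEN:])

def device_to_bus(adu, keys):
    """Claim 9 (3-2-1..7): plaintext ADU from the device -> encrypted ADU2, or None (no response)."""
    body, tag = adu[:-CRC_LEN], adu[-CRC_LEN:]
    if crc(body) != tag:                          # 3-2-1/2: CRC check failed, drop
        return None
    addr, pd = body[:ADDR_LEN], body[ADDR_LEN:]   # the PDU becomes the data plaintext PD
    kek = keys.get(addr)
    if kek is None:                               # 3-2-3: no key for ADDR, drop
        return None
    ep = pd + h(pd)                               # 3-2-3: EP = PD || PH
    rk = os.urandom(RK_LEN)                       # 3-2-4: fresh RK, EC = E_RK(EP)
    ec = stream_xor(rk, b"EP", ep)
    ck = wrap_rk(kek, rk)                         # 3-2-5: CK
    return frame(addr, ck + ec)                   # 3-2-6/7: ADU2 = ADDR || CK || EC || CRC2

def bus_to_device(adu, keys):
    """Claim 8 (3-1-1..7): encrypted ADU from the bus -> plaintext ADU2, or None (no response)."""
    body, tag = adu[:-CRC_LEN], adu[-CRC_LEN:]
    if crc(body) != tag:                          # 3-1-1/2: CRC check failed, drop
        return None
    addr, pdu = body[:ADDR_LEN], body[ADDR_LEN:]
    kek = keys.get(addr)
    if kek is None or len(pdu) < CK_LEN + 32:     # 3-1-3: no key, or too short to hold CK and DH
        return None
    rk = unwrap_rk(kek, pdu[:CK_LEN])             # 3-1-3: RK from the CK at the PDU head
    ep = stream_xor(rk, b"EP", pdu[CK_LEN:])      # 3-1-4: EP = PD || DH
    pd, dh = ep[:-32], ep[-32:]
    if not hmac.compare_digest(h(pd), dh):        # 3-1-5/6: PH != DH, discard
        return None
    return frame(addr, pd)                        # 3-1-6/7: ADU2 = ADDR || PD || CRC2

# Constructed sample: one device at ADDR 0x11 and a Modbus-style read request as its PDU.
KEYS = {b"\x11": bytes(range(32))}
SAMPLE_ADU = frame(b"\x11", bytes.fromhex("0300000002"))

if __name__ == "__main__":
    wire = device_to_bus(SAMPLE_ADU, KEYS)
    print(bus_to_device(wire, KEYS) == SAMPLE_ADU)   # True
```

A frame with a bad CRC, an unknown ADDR, or a ciphertext altered in transit (even with its CRC recomputed) yields None on both paths, which is the "no response" behaviour the claims specify.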
PCT/CN2020/085959 2019-07-19 2020-04-21 Channel encryption method for fieldbus in water management automation control system WO2021012728A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910653667.4 2019-07-19
CN201910653667.4A CN110430014B (en) 2019-07-19 2019-07-19 Hardware encryption gateway and encryption method for field bus channel encryption

Publications (1)

Publication Number Publication Date
WO2021012728A1 true WO2021012728A1 (en) 2021-01-28

Family

ID=68410080

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/085959 WO2021012728A1 (en) 2019-07-19 2020-04-21 Channel encryption method for fieldbus in water management automation control system

Country Status (2)

Country Link
CN (1) CN110430014B (en)
WO (1) WO2021012728A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20843562

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20843562

Country of ref document: EP

Kind code of ref document: A1