WO2021042736A1 - Encryption method for application data unit in water conservancy industrial control system - Google Patents

Encryption method for application data unit in water conservancy industrial control system

Info

Publication number
WO2021042736A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
data unit
application data
water conservancy
program
Application number
PCT/CN2020/085872
Other languages
French (fr)
Chinese (zh)
Inventor
陈宁
高祥涛
王美玲
朱月
曹晓宁
张磊
王培�
陈辉
陆明
赵峰
Original Assignee
江苏省水文水资源勘测局

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/004 Arrangements for detecting or preventing errors in the information received by using forward error control
    • H04L1/0056 Systems characterized by the type of code used
    • H04L1/0061 Error detection codes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76 Proxy, i.e. using intermediary entity to perform cryptographic operations

Definitions

  • the invention belongs to the field of information technology, and particularly relates to an encryption method for application data units in a water conservancy industry control system.
  • Field Bus (fieldbus network)
  • PLC: programmable logic controller
  • a low-cost, highly applicable encryption scheme for the fieldbus channel that provides control device identity verification, fieldbus communication data confidentiality and protocol packet integrity checking is a subject with high research and application value.
  • the present invention proposes a data unit encryption method in a water conservancy industrial control system to realize the functions of control equipment identity verification, fieldbus communication data confidentiality, and protocol packet integrity verification.
  • An encryption method for application data units in a water conservancy industry control system includes the following steps:
  • S1 Install a copy of the encryption agent program on each control device connected to the fieldbus. Once the encryption agent program starts working, it is injected via a hook between the process of the water conservancy industrial control system application program and that of the fieldbus communication program. The corresponding session keys and destination address codes are written in advance into the key configuration file of the encryption agent program.
  • the encryption function is preset in the encryption agent program to support common symmetric encryption and hash algorithms.
  • the symmetric encryption algorithms include but are not limited to SM1, RC4 and AES; the hash algorithms include but are not limited to SM3, MD5 and SHA-1.
  • the control equipment includes but is not limited to PLC, lower computer, sensor, and controller.
  • the encryption agent program is started through the script.
  • the encryption agent program starts working, is injected via a hook between the processes of the water conservancy industrial control system application program and the fieldbus communication program, and initializes its key configuration file; if the initialization process completes, go to step S3; if the initialization process is terminated, no subsequent operations are performed; the initialization process is as follows:
  • (2-2) Store at least one destination address code and the corresponding session key in the key configuration file; determine whether the number of session key records is greater than or equal to 1. If it is, the initialization process is complete; otherwise, the initialization process is terminated and no subsequent operations are performed.
  • the monitoring process begins; it has two parts: first, monitoring on the interface of the fieldbus communication program all serial communication application data units (ADUs) passed into the encryption agent program; second, monitoring on the interface of the water conservancy industrial control system application program all serial communication ADUs passed into the encryption agent program; the steps are as follows:
  • when the encryption agent program receives an incoming serial communication application data unit ADU from the interface of the fieldbus communication program, it sends an interrupt request to the encryption function.
  • the encryption function responds to the interrupt and enters the interrupt processing process.
  • the check code CRC at the end of the application data unit ADU is used to check the rest of the data in the unit except the CRC.
  • the check algorithm uses the hash algorithm preset in the encryption function, including but not limited to SM3, MD5 and SHA-1.
  • ADDR is hexadecimal (HEX) data of one or more bytes.
  • if the session key PK does not exist, the encryption function returns from the interrupt and does not respond to the application data unit ADU; if the session key PK exists, the symmetric encryption algorithm built into the encryption function uses PK to decrypt the ciphertext CK located at the head of the protocol data unit (PDU) in the ADU, obtaining the data plaintext PD.
  • Symmetric encryption algorithms include but are not limited to SM1, RC4, and AES algorithms.
  • the data plaintext PD is used as the new protocol data unit PDU2.
  • the destination address code ADDR is appended to the header of PDU2, and the check code CRC2 of PDU2 is calculated and appended to the end of PDU2 as a new application data unit ADU2.
  • the verification algorithm uses the internally preset hash algorithm in the encryption function, including but not limited to SM3, MD5, and SHA-1 algorithms.
  • when the encryption agent program receives an incoming serial communication application data unit ADU from the interface of the water conservancy industrial control system application program, it sends an interrupt request to the encryption function.
  • the encryption function responds to the interrupt and enters the interrupt processing process.
  • the check code CRC at the end of the application data unit ADU is used to check the rest of the data in the unit except the CRC.
  • the check algorithm uses the hash algorithm preset in the encryption function, including but not limited to SM3, MD5 and SHA-1.
  • ADDR is hexadecimal (HEX) data of one or more bytes.
  • (3-2-4) Use the session key PK to encrypt the data plaintext PD through the built-in symmetric encryption algorithm to obtain the ciphertext CK.
  • Symmetric encryption algorithms include but are not limited to SM1, RC4, and AES algorithms.
  • the check algorithm uses the hash algorithm preset in the encryption function, including but not limited to SM3, MD5 and SHA-1.
  • step S4 After the encryption agent program starts the monitoring process, the monitoring process is terminated if and only if the control device is turned off; otherwise the monitoring process runs continuously. After the control device is turned off, the encryption agent program is started by the script if and only if the control device is turned on again, and it then re-executes the initialization process of step S2 and the monitoring process of step S3.
  • the invention installs an encryption agent program between the application program of the upper computer, lower computers and other control devices of the water conservancy industrial control system and the fieldbus communication program, and uses a symmetric encryption algorithm to realize transparent encryption of the protocol data unit (PDU). This provides control device identity verification, fieldbus communication data confidentiality and protocol packet integrity verification, which can effectively prevent unauthorized, illegitimate devices from eavesdropping on, intercepting and tampering with data monitoring and control information on the fieldbus channel.
  • it offers high resistance to man-in-the-middle attacks and reduces the security risk caused by intrusion into the fieldbus channel of the water conservancy industrial control system.
  • compared with the link-layer plaintext data transmission used by existing fieldbuses, the invention can provide reliable security assurance for the water conservancy industrial control system as critical infrastructure in the national economy.
  • the invention has higher compatibility and versatility, does not need to change the field bus network topology and the physical layer transmission media, and can realize the low-cost transformation of the existing water conservancy industrial control system.
  • Figure 1 is a schematic diagram of an encryption agent program module
  • Figure 2 is the data structure of the communication packet from the fieldbus communication program interface to the application program interface during the monitoring process
  • Figure 3 is the communication packet data structure from the application program interface to the fieldbus communication program interface during the monitoring process
  • Figure 4 is a flowchart of the initialization process
  • Figure 5 is a flow chart of the monitoring process of the fieldbus communication program interface
  • Figure 6 is a flowchart of the application program interface monitoring process.
  • D1 is the upper computer, set to master mode, with address 0x01; D2 and D3 are lower computers, set to slave mode, with addresses 0x02 and 0x03 respectively.
  • the method for encrypting application data units in a water conservancy industry control system includes the following steps:
  • S1 Using the configuration files, write the keys in advance into the key configuration files of the encryption agent copies G1, G2 and G3 according to the following rules:
  • G1: write the address 0x01 of D1 and the session key of D1; the address 0x02 of D2 and the session key of D2; the address 0x03 of D3 and the session key of D3.
  • G2: write the address 0x02 of D2 and the session key of D2; the address 0x01 of D1 and the session key of D1.
  • G3: write the address 0x03 of D3 and the session key of D3; the address 0x01 of D1 and the session key of D1.
  • the initialization process is completed, and G1, G2, and G3 start to perform the monitoring process.
  • when the encryption agent copy G2 receives the above encrypted ADU sent by G1, G2 generates an interrupt, and its encryption function responds to the interrupt and enters the interrupt processing process, as shown in Figure 5. Because the session key of D2 is written in G2, the ADU sent by G1 is processed by G2, restored to plaintext, and transmitted to D2 through the interface of the water conservancy industrial control system application program.
  • the communication packet data structure is shown in Figure 2. At this time, D2 receives the serial communication application data unit ADU sent by D1, can perform related operations, and can feed data back to D1.
  • since in the Modbus protocol the ADU destination address returned by a slave device to the master is always the device's own address, the destination address of the returned packet is 0x02; the encryption agent copy G2 generates an interrupt, and its encryption function responds to the interrupt and enters the interrupt processing process, as shown in Figure 6. Since the session key of D2 is written in G2, the original ADU sent by D2 is processed by G2 into an encrypted ADU, which enters the fieldbus through the interface of the fieldbus communication program.
  • the communication packet data structure is shown in Figure 4.
  • when the encryption agent copy G1 receives the above encrypted ADU sent by G2, G1 generates an interrupt, and the encryption function of G1 responds to the interrupt and enters the interrupt processing process, as shown in Figure 5. Because the session key of D2 is written in G1, the ADU sent by G2 is processed by G1, restored to plaintext, and transmitted to D1 through the interface of the water conservancy industrial control system application program.
  • the communication packet data structure is shown in Figure 2.
  • the malicious attacker connects the malicious device D4 directly to the interface of the fieldbus communication program without using the encryption agent program; the address of D4 is 0x04.
  • the attacker knows that the address of the master device D1 is 0x01 and tries to send a malicious packet P to D1.
  • since the ADU destination address returned by a slave device to the master is always the device's own address, the destination address of P is 0x04.
  • after G1 receives P, it checks whether the address 0x04 and its corresponding session key exist in the key configuration file. Since the address and session key do not exist, G1 discards P and the attack fails.
  • the malicious attacker copies the encryption agent program copy G3 from D3, copies it to D4 and runs it, then tries to reach the copy of G3 on D4 through the interface of the water conservancy industrial control system application program and send a malicious packet PP to D1. Because the addresses of D3 and D4 differ, G3 cannot find the address 0x04 of D4 and its corresponding session key in the key configuration file; G3 discards PP and the attack fails.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Power Engineering (AREA)
  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

Disclosed is an encryption method for an application data unit in a water conservancy industrial control system. By installing an encryption proxy program between an application program of the water conservancy industrial control system and a fieldbus communication program, transparent encryption of the application data unit is realized. In the encryption proxy program, an encryption scheme based on a domestic symmetric encryption algorithm provides control device identity verification, fieldbus communication data secrecy and protocol packet integrity checking, so that an unauthorized, illegitimate device is effectively prevented from monitoring, intercepting and tampering with data monitoring and control information on the fieldbus channel, high resistance to man-in-the-middle attacks is provided, and security risks caused by intrusion into the fieldbus channel of a water conservancy automation control system are reduced. The encryption proxy program can be seamlessly integrated into existing water conservancy industrial control systems and has high device compatibility and universality.

Description

An encryption method for application data units in a water conservancy industrial control system
Technical field
The invention belongs to the field of information technology and particularly relates to an encryption method for application data units in a water conservancy industrial control system.
Background
Of the water conservancy industrial control systems currently deployed in China, the vast majority use Field Bus networks to connect programmable logic controllers (PLCs) and lower computers. The reason is that the physical-layer media used in computer networks, such as STP and single-mode or multi-mode optical fibre, have physical properties that cannot meet industrial application scenarios requiring high weather resistance and high strength. RS232/485 cable, with its excellent performance and price advantage, has more than twenty years of application history in industrial automation control systems and cannot be replaced in the short term. Replacing the existing physical layer would be too costly to implement; the retrofit could even cost more than the original deployment of the system. Wireless networking would reduce the reliability and stability of the network and cannot be deployed where signals are shielded, so it is highly limited.
Most PLCs currently used in water conservancy automation control systems lack computer network communication capability and must be fitted with matching hardware interfaces. Retrofitting existing equipment is likewise too costly to implement, and the differing electrical and interface specifications of different manufacturers must be accommodated, so cost-effectiveness is low. Although the Modbus TCP protocol supports transparent transmission over computer networks, its implementation is relatively simple and cannot support the network-layer and transport-layer security features of the TCP/IP suite; the network module requires special modification, and versatility is poor.
Most electrical engineers have development experience only with data communication on fieldbus networks. Replacing the fieldbus with a computer network would require sufficient staffing, which means first establishing the relevant body of knowledge, training materials, courses, practices and procedures. Because the training cycle for electrical engineers is currently long, the personnel base for a computer-network retrofit does not yet exist.
In summary, the approach of reusing theory and technology from computer networking to solve the security problems of fieldbus networks in water conservancy industrial control systems is highly limited under current personnel and technical conditions.
Therefore, how to propose, while keeping retrofit costs down, a low-cost and highly applicable encryption scheme for the fieldbus channel that uses a domestic symmetric encryption algorithm to provide control device identity verification, confidentiality of fieldbus communication data and protocol packet integrity checking is a subject of considerable research and application value.
Summary of the invention
Purpose of the invention: In view of the above problems, the present invention proposes an encryption method for application data units in a water conservancy industrial control system that provides control device identity verification, confidentiality of fieldbus communication data and protocol packet integrity checking.
Technical solution: To achieve the purpose of the invention, the technical solution adopted is as follows:
An encryption method for application data units in a water conservancy industrial control system comprises the following steps:
S1: Install a copy of the encryption agent program on each control device connected to the fieldbus. Once the encryption agent program starts working, it is injected via a hook between the process of the water conservancy industrial control system application program and that of the fieldbus communication program. The corresponding session keys and destination address codes are written in advance into the key configuration file of the encryption agent program. The encryption agent program contains a preset encryption function that supports common symmetric encryption and hash algorithms; the symmetric encryption algorithms include but are not limited to SM1, RC4 and AES, and the hash algorithms include but are not limited to SM3, MD5 and SHA-1. The control devices include but are not limited to PLCs, lower computers, sensors and controllers.
S2: After the control device is powered on, the encryption agent program is started by a script. The encryption agent program starts working, is injected via a hook between the processes of the water conservancy industrial control system application program and the fieldbus communication program, and initializes its key configuration file. If the initialization process completes, proceed to step S3; if the initialization process is terminated, no subsequent operations are performed. The initialization process is as follows:
(2-1) Look up all destination address codes stored in the key configuration file and the session key records corresponding to them;
(2-2) The key configuration file stores at least one destination address code and its corresponding session key. Determine whether the number of session key records is greater than or equal to 1; if it is, the initialization process is complete; otherwise the initialization process is terminated and no subsequent operations are performed.
S3: Once initialization of the encryption agent program's key configuration file is complete, the monitoring process begins. The monitoring process has two parts: first, monitoring on the interface of the fieldbus communication program all serial communication application data units (ADUs) passed into the encryption agent program; second, monitoring on the interface of the water conservancy industrial control system application program all serial communication ADUs passed into the encryption agent program. The steps are as follows:
(3-1) On the interface of the fieldbus communication program, monitor all serial communication ADUs passed into the encryption agent program;
(3-1-1) When the encryption agent program receives an incoming serial communication ADU from the interface of the fieldbus communication program, it sends an interrupt request to the encryption function. The encryption function responds to the interrupt, enters the interrupt processing process, and uses the check code CRC at the tail of the ADU to verify the remainder of the unit excluding the CRC. The check algorithm uses the hash algorithm preset in the encryption function, including but not limited to SM3, MD5 and SHA-1.
(3-1-2) If verification fails, the encryption function returns from the interrupt and does not respond to the ADU. If verification succeeds, the encryption function takes the destination address code ADDR from the ADU header and looks up the session key PK corresponding to ADDR in the key management module. ADDR is hexadecimal (HEX) data of one or more bytes.
(3-1-3) If the session key PK does not exist, the encryption function returns from the interrupt and does not respond to the ADU. If PK exists, the encryption function uses PK with its built-in symmetric encryption algorithm to decrypt the ciphertext CK located at the head of the protocol data unit (PDU) in the ADU, obtaining the data plaintext PD. The symmetric encryption algorithms include but are not limited to SM1, RC4 and AES.
(3-1-4) Take the data plaintext PD as the new protocol data unit PDU2. Prepend the destination address code ADDR to PDU2, compute the check code CRC2 of PDU2 and append it to the tail of PDU2, forming the new application data unit ADU2. The check algorithm uses the hash algorithm preset in the encryption function, including but not limited to SM3, MD5 and SHA-1.
(3-1-5) Send ADU2 through the interface of the water conservancy industrial control system application program.
(3-2) On the interface of the water conservancy industrial control system application program, monitor all serial communication ADUs passed into the encryption agent program;
(3-2-1) When the encryption agent program receives an incoming serial communication ADU from the interface of the water conservancy industrial control system application program, it sends an interrupt request to the encryption function. The encryption function responds to the interrupt, enters the interrupt processing process, and uses the check code CRC at the tail of the ADU to verify the remainder of the unit excluding the CRC. The check algorithm uses the hash algorithm preset in the encryption function, including but not limited to SM3, MD5 and SHA-1.
(3-2-2) If verification fails, the encryption function returns from the interrupt and does not respond to the ADU. If verification succeeds, the encryption function takes the destination address code ADDR from the ADU header and looks up the session key PK corresponding to ADDR in the key management module. ADDR is hexadecimal (HEX) data of one or more bytes.
(3-2-3) If the session key PK does not exist, the encryption function returns from the interrupt and does not respond to the ADU. If PK exists, take the protocol data unit PDU in the ADU as the data plaintext PD.
(3-2-4) Using the session key PK, encrypt the data plaintext PD with the built-in symmetric encryption algorithm to obtain the ciphertext CK. The symmetric encryption algorithms include but are not limited to SM1, RC4 and AES.
(3-2-5) Take the ciphertext CK as the new protocol data unit PDU2. Prepend the destination address code ADDR to PDU2, compute the check code CRC2 of PDU2 and append it to the tail of PDU2, forming the new application data unit ADU2. The check algorithm uses the hash algorithm preset in the encryption function, including but not limited to SM3, MD5 and SHA-1.
(3-2-6) Send ADU2 through the interface of the fieldbus communication program.
S4: After the encryption agent program starts the monitoring process, the monitoring process is terminated if and only if the control device is powered off; otherwise it runs continuously. After the control device is powered off, the encryption agent program is started by the script if and only if the control device is powered on again, and it then re-executes the initialization process of step S2 and the monitoring process of step S3.
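A runnable model of steps S2 to S3 and of the D1/D2/D3 embodiment described on this page, added here as an example and not the patent's own code. A stand-in cipher (HMAC-SHA256 in counter mode with a per-PDU nonce) and a truncated SHA-1 replace the SM1/AES and SM3/MD5/SHA-1 algorithms the patent names; the one-byte addresses, session keys and Modbus-style PDUs are constructed, and the nonce, CHECK_LEN and NONCE_LEN are assumptions the patent text does not specify.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

CHECK_LEN = 4   # bytes of hash kept as the trailing check code (constructed choice)
NONCE_LEN = 8   # per-PDU nonce for the stand-in cipher (assumption; not in the patent)

def check_code(data: bytes) -> bytes:
    """Trailing 'CRC' of an ADU; SHA-1 stands in for the preset hash (SM3/MD5/SHA-1).
    As in the patent it is an unkeyed hash over ADDR || PDU: it detects corruption of
    the frame but is not a keyed authentication tag."""
    return hashlib.sha1(data).digest()[:CHECK_LEN]

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (hypothetical; replaces SM1/RC4/AES): HMAC-SHA256 in
    counter mode. XOR with the keystream both encrypts and decrypts."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt_pdu(pk: bytes, pd: bytes) -> bytes:
    """Step (3-2-4): plaintext PD -> ciphertext CK, with the nonce carried in front."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(pk, nonce, pd)

def decrypt_pdu(pk: bytes, ck: bytes) -> bytes:
    """Step (3-1-3): ciphertext CK -> plaintext PD."""
    return keystream_xor(pk, ck[:NONCE_LEN], ck[NONCE_LEN:])

def build_adu(addr: int, pdu: bytes) -> bytes:
    """ADU = ADDR || PDU || CRC; ADDR is one byte here (the patent allows >= 1 byte)."""
    body = bytes([addr]) + pdu
    return body + check_code(body)

def parse_adu(adu: bytes) -> Optional[Tuple[int, bytes]]:
    """Steps (3-1-1)/(3-2-1): verify the check code over everything before it.
    Returns (ADDR, PDU), or None when the check fails and the ADU must be ignored."""
    if len(adu) < 1 + CHECK_LEN:
        return None
    body, crc = adu[:-CHECK_LEN], adu[-CHECK_LEN:]
    if not hmac.compare_digest(check_code(body), crc):
        return None
    return body[0], body[1:]

class EncryptionAgent:
    """One agent copy (G1, G2, G3 in the embodiment) with its key configuration file."""
    def __init__(self, name: str, key_file: Dict[int, bytes]):
        # Step (2-2): initialization terminates unless at least one ADDR -> PK record exists.
        if len(key_file) < 1:
            raise ValueError(f"{name}: key configuration file has no session key records")
        self.name, self.keys = name, dict(key_file)

    def _lookup(self, adu: bytes) -> Optional[Tuple[int, bytes, bytes]]:
        parsed = parse_adu(adu)
        if parsed is None:              # (3-x-2) check failed: no response
            return None
        addr, pdu = parsed
        pk = self.keys.get(addr)        # (3-x-2) look up PK by destination address ADDR
        return None if pk is None else (addr, pdu, pk)   # (3-x-3) unknown ADDR: discard

    def from_fieldbus(self, adu: bytes) -> Optional[bytes]:
        """Part (3-1): encrypted ADU from the bus -> plaintext ADU2 for the application."""
        hit = self._lookup(adu)        # hit = (ADDR, CK, PK)
        return None if hit is None else build_adu(hit[0], decrypt_pdu(hit[2], hit[1]))

    def from_application(self, adu: bytes) -> Optional[bytes]:
        """Part (3-2): plaintext ADU from the application -> encrypted ADU2 for the bus."""
        hit = self._lookup(adu)        # hit = (ADDR, PD, PK)
        return None if hit is None else build_adu(hit[0], encrypt_pdu(hit[2], hit[1]))

def embodiment() -> Dict[str, bool]:
    """Replays the D1/D2/D3 exchange and the two D4 attempts; every value should be True."""
    k1, k2, k3 = b"constructed-key-D1", b"constructed-key-D2", b"constructed-key-D3"
    g1 = EncryptionAgent("G1", {0x01: k1, 0x02: k2, 0x03: k3})
    g2 = EncryptionAgent("G2", {0x02: k2, 0x01: k1})
    g3 = EncryptionAgent("G3", {0x03: k3, 0x01: k1})
    r: Dict[str, bool] = {}
    # D1 -> D2 request (constructed Modbus-style PDU: function 0x03, start 0, 2 registers).
    req = bytes.fromhex("03 0000 0002")
    on_bus = g1.from_application(build_adu(0x02, req))
    r["bus_carries_ciphertext"] = on_bus is not None and req not in on_bus
    r["d2_receives_plaintext"] = parse_adu(g2.from_fieldbus(on_bus)) == (0x02, req)
    # D2 -> D1 reply: a slave's reply keeps its own address 0x02 as the ADU address.
    rep = bytes.fromhex("03 04 0001 0002")
    back = g2.from_application(build_adu(0x02, rep))
    r["d1_receives_reply"] = parse_adu(g1.from_fieldbus(back)) == (0x02, rep)
    # Attempt 1: D4 (0x04), with no agent, puts P on the bus; G1 has no key for 0x04.
    p = build_adu(0x04, bytes.fromhex("03 0000 0001"))
    r["P_discarded"] = g1.from_fieldbus(p) is None
    # Attempt 2: a copy of G3 run on D4 is handed PP for address 0x04 by the application side.
    r["PP_discarded"] = g3.from_application(p) is None
    # A frame altered on the bus fails the check code and gets no response.
    bad = bytearray(on_bus)
    bad[1] ^= 0xFF
    r["tamper_ignored"] = g2.from_fieldbus(bytes(bad)) is None
    return r
```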
Beneficial effects: Compared with the prior art, the technical solution of the present invention has the following beneficial technical effects:
The invention installs an encryption agent program between the application program and the fieldbus communication program on the upper computer, lower computers and other control devices of a water conservancy industrial control system, and uses a symmetric encryption algorithm to achieve transparent encryption of the protocol data unit (PDU). It provides control device identity verification, confidentiality of fieldbus communication data and integrity checking of protocol packets, which can effectively prevent unauthorized devices from eavesdropping on, intercepting and tampering with monitoring data and control information on the fieldbus channel, offers high resistance to man-in-the-middle attacks, and reduces the security risk arising from intrusion into the fieldbus channel of a water conservancy industrial control system. Compared with the link-layer plaintext transmission used by existing fieldbuses, it can provide reliable security assurance for water conservancy industrial control systems, which are critical infrastructure in the national economy. The invention has high compatibility and generality: it requires no change to the fieldbus network topology or the physical-layer transmission medium, and enables low-cost retrofitting of existing water conservancy industrial control systems.
Description of the drawings
Figure 1 is a schematic diagram of the modules of the encryption agent program;
Figure 2 is the data structure of the communication packet passed from the fieldbus communication program interface to the application program interface during the listening process;
Figure 3 is the data structure of the communication packet passed from the application program interface to the fieldbus communication program interface during the listening process;
Figure 4 is a flowchart of the initialization process;
Figure 5 is a flowchart of the listening process on the fieldbus communication program interface;
Figure 6 is a flowchart of the listening process on the application program interface.
Detailed description
The technical solution of the present invention is further described below with reference to the drawings and embodiments.
Suppose that in a water conservancy industrial control system, control devices D1, D2 and D3 are connected to the same fieldbus, where D1 is the upper computer, set to master mode, with address 0x01, and D2 and D3 are lower computers, set to slave mode, with addresses 0x02 and 0x03 respectively.
The method for encrypting application data units in a water conservancy industrial control system according to the present invention includes the following steps:
S1: Using the configuration file, write keys in advance into the key configuration files of the encryption agent copies G1, G2 and G3 according to the following rules:
In G1, write D1's address 0x01 and D1's session key; D2's address 0x02 and D2's session key; D3's address 0x03 and D3's session key.
In G2, write D2's address 0x02 and D2's session key; D1's address 0x01 and D1's session key.
In G3, write D3's address 0x03 and D3's session key; D1's address 0x01 and D1's session key.
Install the encryption agent copies G1, G2 and G3 on devices D1, D2 and D3 respectively.
S2: After D1, D2 and D3 are powered on, G1, G2 and G3 are run by script. Once started, G1, G2 and G3 are each injected by hook between the processes of the water conservancy industrial control system application program and the fieldbus communication program on D1, D2 and D3 respectively, and begin the initialization process on their key configuration files, as shown in Figure 4. The initialization process is as follows:
Look up all stored destination address codes in the key configuration file and their corresponding session key records; determine whether the number of session key records is greater than or equal to 1. If it is, the initialization process is complete; otherwise the initialization process terminates and no subsequent operations are performed.
Since the session keys written in step S1 satisfy the requirements of the initialization process, initialization completes and G1, G2 and G3 begin the listening process.
S3: When D1 sends a serial communication application data unit ADU to D2, with the ADU's destination address code being 0x02, the encryption agent copy G1 raises an interrupt; its encryption function responds to the interrupt and enters the interrupt handling process shown in Figure 6. Because D2's session key is written in G1, the original ADU sent by D1 is processed by G1 into an encrypted ADU, which enters the fieldbus through the interface of the fieldbus communication program; its communication packet data structure is shown in Figure 3.
When the encryption agent copy G2 receives the encrypted ADU sent by G1, G2 raises an interrupt; its encryption function responds to the interrupt and enters the interrupt handling process shown in Figure 5. Because D2's session key is written in G2, the ADU sent by G1 is processed by G2 and restored to plaintext, then delivered to D2 through the interface of the water conservancy industrial control system application program; its communication packet data structure is shown in Figure 2. At this point D2 has received the serial communication application data unit ADU sent by D1, can perform the corresponding operations, and can return data to D1.
Because in the Modbus protocol the destination address of an ADU returned by a slave device to the master is always the slave's own device address, the destination address of the returned packet is 0x02. The encryption agent copy G2 raises an interrupt; its encryption function responds to the interrupt and enters the interrupt handling process shown in Figure 6. Because D2's session key is written in G2, the original ADU sent by D2 is processed by G2 into an encrypted ADU, which enters the fieldbus through the interface of the fieldbus communication program; its communication packet data structure is shown in Figure 4.
When the encryption agent copy G1 receives the encrypted ADU sent by G2, G1 raises an interrupt; G1's encryption function responds to the interrupt and enters the interrupt handling process shown in Figure 5. Because D2's session key is written in G1, the ADU sent by G2 is processed by G1 and restored to plaintext, then delivered to D1 through the interface of the water conservancy industrial control system application program; its communication packet data structure is shown in Figure 2.
Suppose a malicious attacker uses a malicious device D4, with address 0x04, to send data directly to the interface of the fieldbus communication program without going through the encryption agent program. The attacker knows that the master device D1 has address 0x01 and attempts to send a malicious packet P to D1; because in the Modbus protocol the destination address of an ADU returned by a slave to the master is always the slave's own device address, the destination address of P is 0x04. When G1 receives P, it checks whether address 0x04 and a corresponding session key exist in its key configuration file. Since that address and session key do not exist, G1 discards P and the attack fails.
Suppose the malicious attacker copies the encryption agent copy G3 from D3 onto D4 and runs it there, attempting to reach the copy of G3 on D4 through the water conservancy industrial control system application program interface and send a malicious packet PP to D1. Because D3 and D4 have different addresses, G3 cannot find D4's address 0x04 and a corresponding session key in its key configuration file, so G3 discards PP and the attack fails.
The embodiments only illustrate the technical ideas of the present invention and do not limit its scope of protection; any modification made on the basis of the technical solution in accordance with the technical ideas proposed by the present invention falls within the scope of protection of the present invention.
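The following is an added Python model of one agent copy, written for this page and not part of the patent: it implements steps (3-1-1) to (3-2-6) for both listening directions and replays the D1/D2 exchange and the two D4 attacks of the embodiment above. It assumes a one-byte ADDR, a truncated SHA-256 check code, and an HMAC-SHA256 counter-mode keystream with a per-packet nonce as a stand-in for SM1/AES, since the page fixes no cipher mode and the Python standard library has no AES.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ADDR_LEN = 1    # ADDR is "one byte or more"; one byte here, as in the embodiment
CHECK_LEN = 8   # truncated SHA-256 tag (assumption; the page lists SM3/MD5/SHA-1 as options)
NONCE_LEN = 8   # per-packet nonce carried inside CK (assumption; the page fixes no cipher mode)

def check_code(data: bytes) -> bytes:
    """The page's 'CRC': the preset hash over everything in the ADU except the tag itself."""
    return hashlib.sha256(data).digest()[:CHECK_LEN]

def build_adu(addr: int, pdu: bytes) -> bytes:
    """Steps (3-x-4)/(3-x-5): ADDR | PDU | CHECK."""
    body = bytes([addr]) + pdu
    return body + check_code(body)

def _keystream_xor(pk: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for SM1/AES (assumption): HMAC-SHA256 keystream in counter mode XORed with
    the data. It is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(pk, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)

def encrypt_pdu(pk: bytes, pd: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Step (3-2-4): PD -> CK. CK carries its nonce so every packet gets a fresh keystream."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    return nonce + _keystream_xor(pk, nonce, pd)

def decrypt_pdu(pk: bytes, ck: bytes) -> bytes:   # step (3-1-3): CK -> PD
    return _keystream_xor(pk, ck[:NONCE_LEN], ck[NONCE_LEN:])

class EncryptionAgent:
    """One copy of the agent (G1, G2 or G3); key_file maps ADDR -> session key PK."""
    def __init__(self, key_file: Dict[int, bytes]):
        if len(key_file) < 1:   # step S2 initialization needs at least one key record
            raise RuntimeError("initialization terminated: no session key records")
        self.keys = dict(key_file)

    def _verify_and_lookup(self, adu: bytes) -> Optional[Tuple[int, bytes, bytes]]:
        """Steps (3-x-1)..(3-x-3): verify the tag, then find PK for ADDR. None = no response."""
        if len(adu) < ADDR_LEN + CHECK_LEN:
            return None
        body, tag = adu[:-CHECK_LEN], adu[-CHECK_LEN:]
        if not hmac.compare_digest(check_code(body), tag):
            return None                     # check failed: the interrupt returns
        pk = self.keys.get(body[0])
        if pk is None:
            return None                     # ADDR has no session key: packet discarded
        return body[0], body[ADDR_LEN:], pk

    def from_application(self, adu: bytes, nonce: Optional[bytes] = None) -> Optional[bytes]:
        """Figure 6 path: plaintext ADU from the application -> encrypted ADU2 onto the bus."""
        found = self._verify_and_lookup(adu)
        if found is None:
            return None
        addr, pd, pk = found
        return build_adu(addr, encrypt_pdu(pk, pd, nonce))

    def from_fieldbus(self, adu: bytes) -> Optional[bytes]:
        """Figure 5 path: encrypted ADU from the bus -> plaintext ADU2 to the application."""
        found = self._verify_and_lookup(adu)
        if found is None or len(found[1]) < NONCE_LEN:
            return None
        addr, ck, pk = found
        return build_adu(addr, decrypt_pdu(pk, ck))

def run_embodiment() -> Dict[str, bool]:
    """Replays the D1/D2/D3 exchange and the two D4 attacks described in the text."""
    k1, k2, k3 = (bytes([i]) * 16 for i in (1, 2, 3))      # constructed session keys
    g1 = EncryptionAgent({0x01: k1, 0x02: k2, 0x03: k3})    # S1: G1 holds all three records
    g2 = EncryptionAgent({0x02: k2, 0x01: k1})
    g3 = EncryptionAgent({0x03: k3, 0x01: k1})
    # D1 -> D2: constructed Modbus "read holding registers" PDU addressed to 0x02
    request = build_adu(0x02, bytes.fromhex("0300000002"))
    on_bus = g1.from_application(request)                   # G1 encrypts with D2's key
    at_d2 = g2.from_fieldbus(on_bus)                        # G2 restores the plaintext
    # D2 -> D1: a slave reply keeps its own address 0x02, so both agents use D2's key
    reply = build_adu(0x02, bytes.fromhex("030400110022"))
    at_d1 = g1.from_fieldbus(g2.from_application(reply))
    forged = build_adu(0x04, bytes.fromhex("050000ff00"))   # a PDU from D4, address 0x04
    tampered = on_bus[:3] + bytes([on_bus[3] ^ 0x01]) + on_bus[4:]   # one bit flipped in transit
    return {
        "request_roundtrip": at_d2 == request,
        "reply_roundtrip": at_d1 == reply,
        "pdu_hidden_on_bus": request[ADDR_LEN:-CHECK_LEN] not in on_bus,
        "p_dropped": g1.from_fieldbus(forged) is None,       # D4 injects P straight onto the bus
        "pp_dropped": g3.from_application(forged) is None,   # copied G3 on D4 has no key for 0x04
        "tamper_dropped": g2.from_fieldbus(tampered) is None,
    }
```

The check code is an unkeyed hash over the ciphertext, so it detects corruption and, together with the address lookup, unknown senders, but only the session key itself ties a packet to a device; an authenticated mode such as AES-GCM under PK would add per-packet authentication on top of the scheme above.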

Claims (6)

  1. An encryption method for application data units in a water conservancy industrial control system, characterized in that the method includes the following steps:
    S1: Install a copy of the encryption agent program on each control device connected to the fieldbus, and write the corresponding session keys and destination address codes in advance into the key configuration file of the encryption agent program; the encryption agent program has a preset encryption function that supports symmetric encryption and hash algorithms;
    S2: After the control device is powered on, start the encryption agent program by script; the encryption agent program begins work, is injected by hook between the processes of the water conservancy industrial control system application program and the fieldbus communication program, and performs initialization on its key configuration file; if the initialization process completes, proceed to step S3; if the initialization process terminates, perform no subsequent operations;
    S3: After initialization of the key configuration file of the encryption agent program is complete, begin the listening process;
    S4: Once the encryption agent program has started the listening process, the listening process terminates if and only if the control device is shut down; otherwise it runs continuously; after the control device is shut down, the encryption agent program is started by script if and only if the control device is powered on again, and it re-executes the initialization process of step S2 and the listening process of step S3.
  2. The encryption method for application data units in a water conservancy industrial control system according to claim 1, characterized in that the initialization process of step S2 is as follows:
    (2-1) Look up all stored destination address codes in the key configuration file and their corresponding session key records;
    (2-2) Determine whether the number of session key records is greater than or equal to 1; if it is, the initialization process is complete; otherwise the initialization process terminates and no subsequent operations are performed.
  3. The encryption method for application data units in a water conservancy industrial control system according to claim 1, characterized in that the listening process of step S3 consists of two parts: first, listening on the interface of the fieldbus communication program for all serial communication application data units ADU passed into the encryption agent program; second, listening on the interface of the water conservancy industrial control system application program for all serial communication application data units ADU passed into the encryption agent program.
  4. The encryption method for application data units in a water conservancy industrial control system according to claim 3, characterized in that listening on the interface of the fieldbus communication program for all serial communication application data units ADU passed into the encryption agent program proceeds as follows:
    (3-1-1) When the encryption agent program receives an incoming serial communication application data unit ADU from the interface of the fieldbus communication program, it sends an interrupt request to the encryption function; the encryption function responds to the interrupt, enters the interrupt handling process, and uses the check code CRC at the tail of the ADU to verify the remainder of the unit other than the CRC, the check algorithm being the hash algorithm preset inside the encryption function;
    (3-1-2) If the check fails, the encryption function returns from the interrupt and does not respond to the ADU; if the check succeeds, the encryption function uses the destination address code ADDR in the header of the ADU to look up the session key PK corresponding to ADDR in the key management module; ADDR is hexadecimal data of one byte or more;
    (3-1-3) If the session key PK does not exist, the encryption function returns from the interrupt and does not respond to the ADU; if PK exists, the encryption function uses PK with its built-in symmetric encryption algorithm to decrypt the ciphertext CK of the protocol data unit PDU in the ADU, obtaining the data plaintext PD;
    (3-1-4) Use the data plaintext PD as the new protocol data unit PDU2; prepend the destination address code ADDR to PDU2 as its header, compute the check code CRC2 over PDU2 and append it to the tail of PDU2, giving the new application data unit ADU2; the check algorithm is the hash algorithm preset inside the encryption function;
    (3-1-5) Send ADU2 through the interface of the water conservancy industrial control system application program.
  5. A fieldbus channel encryption method in a water conservancy industrial control system according to claim 3, characterized in that listening on the interface of the water conservancy industrial control system application program for all serial communication application data units ADU passed into the encryption agent program proceeds as follows:
    (3-2-1) When the encryption agent program receives an incoming serial communication application data unit ADU from the interface of the water conservancy industrial control system application program, it sends an interrupt request to the encryption function; the encryption function responds to the interrupt, enters the interrupt handling process, and uses the check code CRC at the tail of the ADU to verify the remainder of the unit other than the CRC, the check algorithm being the hash algorithm preset inside the encryption function;
    (3-2-2) If the check fails, the encryption function returns from the interrupt and does not respond to the ADU; if the check succeeds, the encryption function uses the destination address code ADDR in the header of the ADU to look up the session key PK corresponding to that ADDR in the key management module; ADDR is hexadecimal data of one byte or more;
    (3-2-3) If the session key PK does not exist, the encryption function returns from the interrupt and does not respond to that ADU; if PK exists, the protocol data unit PDU in the ADU is used as the data plaintext PD;
    (3-2-4) Using the session key PK, encrypt the data plaintext PD with the built-in symmetric encryption algorithm to obtain the ciphertext CK;
    (3-2-5) Use the ciphertext CK as the new protocol data unit PDU2; prepend the destination address code ADDR to PDU2 as its header, compute the check code CRC2 over PDU2 and append it to the tail of PDU2, giving the new application data unit ADU2; the check algorithm is the hash algorithm preset inside the encryption function;
    (3-2-6) Send ADU2 through the interface of the fieldbus communication program.
  6. A fieldbus channel encryption method in a water conservancy industrial control system according to any one of claims 1 to 5, characterized in that the symmetric encryption algorithm includes but is not limited to SM1, RC4 and AES, and the hash algorithm includes but is not limited to SM3, MD5 and SHA-1.
PCT/CN2020/085872 2019-09-06 2020-04-21 Encryption method for application data unit in water conservancy industrial control system WO2021042736A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910841122.6A CN110557244B (en) 2019-09-06 2019-09-06 Application data unit encryption method in water conservancy industrial control system
CN201910841122.6 2019-09-06

Publications (1)

Publication Number Publication Date
WO2021042736A1 true WO2021042736A1 (en) 2021-03-11

Family

ID=68739299

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/085872 WO2021042736A1 (en) 2019-09-06 2020-04-21 Encryption method for application data unit in water conservancy industrial control system

Country Status (2)

Country Link
CN (1) CN110557244B (en)
WO (1) WO2021042736A1 (en)

Also Published As

Publication number Publication date
CN110557244A (en) 2019-12-10
CN110557244B (en) 2021-12-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20861276

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20861276

Country of ref document: EP

Kind code of ref document: A1