WO2024027070A1 - Terminal device authentication method and system based on identification public key, and computer-readable storage medium - Google Patents
Terminal device authentication method and system based on identification public key, and computer-readable storage medium Download PDFInfo
- Publication number
- WO2024027070A1 WO2024027070A1 PCT/CN2022/138445 CN2022138445W WO2024027070A1 WO 2024027070 A1 WO2024027070 A1 WO 2024027070A1 CN 2022138445 W CN2022138445 W CN 2022138445W WO 2024027070 A1 WO2024027070 A1 WO 2024027070A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- terminal device
- key
- public key
- random
- identification
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 77
- 238000003860 storage Methods 0.000 title claims abstract description 16
- 238000012795 verification Methods 0.000 claims abstract description 27
- 238000013507 mapping Methods 0.000 claims description 27
- 230000005540 biological transmission Effects 0.000 claims description 18
- 230000015654 memory Effects 0.000 claims description 14
- 238000001514 detection method Methods 0.000 claims description 8
- 239000011159 matrix material Substances 0.000 claims description 8
- 238000007726 management method Methods 0.000 abstract description 20
- 238000010276 construction Methods 0.000 abstract description 10
- 238000012423 maintenance Methods 0.000 abstract description 5
- 230000008569 process Effects 0.000 description 24
- 238000010586 diagram Methods 0.000 description 14
- 238000005516 engineering process Methods 0.000 description 13
- 238000009826 distribution Methods 0.000 description 12
- 238000004891 communication Methods 0.000 description 10
- 230000006870 function Effects 0.000 description 9
- 238000004590 computer program Methods 0.000 description 7
- 230000003993 interaction Effects 0.000 description 7
- 238000012545 processing Methods 0.000 description 6
- 238000011161 development Methods 0.000 description 5
- 238000012986 modification Methods 0.000 description 5
- 230000004048 modification Effects 0.000 description 5
- 238000013461 design Methods 0.000 description 4
- 238000005259 measurement Methods 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 4
- 238000012544 monitoring process Methods 0.000 description 4
- 238000010248 power generation Methods 0.000 description 4
- 230000008901 benefit Effects 0.000 description 3
- 229910052799 carbon Inorganic materials 0.000 description 3
- 238000000605 extraction Methods 0.000 description 3
- 238000004519 manufacturing process Methods 0.000 description 3
- 230000002265 prevention Effects 0.000 description 3
- OKTJSMMVPCPJKN-UHFFFAOYSA-N Carbon Chemical compound [C] OKTJSMMVPCPJKN-UHFFFAOYSA-N 0.000 description 2
- 206010033799 Paralysis Diseases 0.000 description 2
- 238000013480 data collection Methods 0.000 description 2
- 230000007123 defense Effects 0.000 description 2
- 238000005265 energy consumption Methods 0.000 description 2
- 239000000284 extract Substances 0.000 description 2
- 230000010354 integration Effects 0.000 description 2
- 238000002955 isolation Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000011664 signaling Effects 0.000 description 2
- 230000007480 spreading Effects 0.000 description 2
- 238000003892 spreading Methods 0.000 description 2
- 230000009466 transformation Effects 0.000 description 2
- 230000003542 behavioural effect Effects 0.000 description 1
- 238000013524 data verification Methods 0.000 description 1
- 230000008260 defense mechanism Effects 0.000 description 1
- 230000005611 electricity Effects 0.000 description 1
- 230000007613 environmental effect Effects 0.000 description 1
- 238000005242 forging Methods 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000008447 perception Effects 0.000 description 1
- 238000012552 review Methods 0.000 description 1
- 238000005728 strengthening Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
- G06Q50/06—Electricity, gas or water supply
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Abstract
The present application discloses a terminal device authentication method and system based on an identification public key, and a computer-readable storage medium, the method comprising: determining an access demand and the type of a terminal device, and confirming an identification fingerprint of the terminal device on the basis of the access demand and the type; generating a public key and a private key of the terminal device by means of an identification key generation algorithm and on the basis of the identification fingerprint; and performing, on the basis of the public key and the private key, signing and signature verification on a data message which is sent by the terminal device, and realizing the authentication of the terminal device on the basis of the signature verification result. The identification public key technique used in the present application serves as a lightweight key generation and management method, realizes the binding of a terminal device identifier and a public key, reduces construction costs and operation and maintenance costs of a key system, and is suitable for mass key management of a distributed power source.
Description
相关申请的交叉引用Cross-references to related applications
本申请基于申请号为202210924400.6、申请日为2022年08月03日、发明名称为“一种基于标识公钥的终端设备认证方法及系统”的中国专利申请提出,并要求该中国专利申请的优先权,该中国专利申请的全部内容在此引入本申请作为参考。This application is filed based on the Chinese patent application with application number 202210924400.6, application date is August 3, 2022, and the invention name is "A terminal equipment authentication method and system based on identification public key", and requires the priority of this Chinese patent application The entire content of this Chinese patent application is hereby incorporated into this application as a reference.
本申请涉及分布式电源及其数据传输网络技术领域,尤其涉及一种基于标识公钥的终端设备认证方法、系统及计算机可读存储介质。This application relates to the technical field of distributed power sources and their data transmission networks, and in particular to a terminal equipment authentication method, system and computer-readable storage medium based on an identification public key.
当前的电网二次安全防护方案是以横向隔离、纵向加密为基础的边界安全防护体系。但随着分布式电源迅速发展,终端设备开放互动,电力监控系统暴露面显著增大,防护边界模糊,传统边界防护难以保证分布式电源的安全接入。The current secondary security protection solution for the power grid is a boundary security protection system based on horizontal isolation and vertical encryption. However, with the rapid development of distributed power sources and the open interaction of terminal equipment, the exposure surface of the power monitoring system has increased significantly, and the protection boundaries are blurred. Traditional boundary protection is difficult to ensure the safe access of distributed power sources.
分布式电源,如分布式光伏,可采用电力调度数据网、基于外部公用数据网的虚拟专用网络(Virtual Private Network,VPN)、无线网络三种方式接入调度机构,实现遥信、遥测数据等信息上送至调控机构主站,并能够接收调控机构主站下发的遥控、遥调命令。在分布式电源主体与电网进行交互时,需要对终端设备进行身份验证和访问控制,避免攻击者通过伪造或者控制分布式电源主体接入调度主站,实施对电网的网络攻击。Distributed power sources, such as distributed photovoltaics, can be connected to the dispatching organization through three methods: power dispatch data network, virtual private network (VPN) based on external public data network, and wireless network to achieve remote signaling, telemetry data, etc. The information is sent to the main station of the control agency, and it can receive remote control and remote adjustment commands issued by the main station of the control agency. When the distributed power source entity interacts with the power grid, it is necessary to perform identity authentication and access control on the terminal equipment to prevent attackers from forging or controlling the distributed power source entity to access the dispatching main station and implement network attacks on the power grid.
在进行身份认证过程中,现有基于公钥基础设施(Public Key Infrastructure,PKI)的电力调度数字证书体系,依赖成本高昂的证书授权(Certificate Authority,CA)中心,难以适用于分布式电源大规模终端设备安全接入和数据加解密的要求。In the process of identity authentication, the existing power dispatching digital certificate system based on Public Key Infrastructure (PKI) relies on the costly Certificate Authority (Certificate Authority, CA) center, which is difficult to apply to large-scale distributed power supplies. Requirements for secure access of terminal equipment and data encryption and decryption.
目前电力系统支持设备认证的主流方案是基于PKI的安全认证方案,即是将各个设备作为主体,在进行工作之前需要申请设备自身的设备证书,在与外界交互过程中使用证书来进行身份认证。并且当前电力调度数字证书系统仅为电力调度生产控制大区(I/II区)的系统、用户、关键网络设备、服务器提供数字证书服务,为三公调度安全Web服务、反向隔离装置、纵向加密装置、远程拨号访问系统等提供机密性、完整性、身份认证服务,尚未涉及到发电厂站终端安全服务。At present, the mainstream solution for supporting equipment authentication in power systems is a security authentication solution based on PKI, which uses each device as the subject. Before starting work, you need to apply for the device's own device certificate, and use the certificate for identity authentication during interaction with the outside world. And the current electric power dispatching digital certificate system only provides digital certificate services for systems, users, key network equipment, and servers in the electric power dispatching production control area (I/II area), and provides secure Web services, reverse isolation devices, and vertical encryption for the three public dispatching areas. Devices, remote dial-up access systems, etc. provide confidentiality, integrity, and identity authentication services, and have not yet been involved in power station terminal security services.
在使用PKI的情况下,系统可以较好的保证通信双方的身份可信,但由于公钥密码算法运算较多所以相对耗时。与此同时,由于各设备的证书 都需要同一个CA系统进行审核发放和查询,且证书存储会占用设备的空间,如果设备的数量规模达到千万级以上,系统性能会受到很大影响。分布式电源终端之间的通讯存在窄带通讯、低功耗等要求,同时终端还具有数量众多、广域分布等特点。海量网络末梢大大增加了终端设备在安全接入认证方面的风险管控难度,因此PKI的安全认证方案不适用于分布式电源接入场景下的大规模的终端设备身份认证,分布式电源终端侧接入区域面临的被攻击、被仿冒、被利用安全风险。When using PKI, the system can better ensure the trustworthiness of the identities of both communicating parties, but it is relatively time-consuming because the public key cryptography algorithm requires many operations. At the same time, since the certificates of each device require the same CA system for review, issuance and query, and certificate storage will occupy the space of the device, if the number of devices reaches tens of millions or more, system performance will be greatly affected. The communication between distributed power terminals has requirements such as narrow-band communication and low power consumption. At the same time, the terminals also have the characteristics of large number and wide area distribution. The massive number of network terminals greatly increases the difficulty of risk management and control of terminal equipment in secure access authentication. Therefore, the PKI security authentication scheme is not suitable for large-scale terminal equipment identity authentication in distributed power access scenarios. Distributed power terminal side connections The security risks of being attacked, counterfeited, and exploited when entering the area.
因此,需要一种技术,以实现基于标识公钥对终端设备进行认证。Therefore, a technology is needed to authenticate terminal devices based on identification public keys.
发明内容Contents of the invention
本申请实施例提供一种基于标识公钥的终端设备认证方法、系统及计算机可读存储介质,以解决如何基于标识公钥对终端设备进行认证的问题。Embodiments of the present application provide a terminal device authentication method, system and computer-readable storage medium based on an identification public key to solve the problem of how to authenticate a terminal device based on an identification public key.
为了解决上述问题,本申请实施例提供了一种基于标识公钥的终端设备认证方法,所述方法包括:In order to solve the above problems, embodiments of the present application provide a terminal device authentication method based on an identification public key. The method includes:
确定终端设备的接入需求与类型,基于所述接入需求与类型确认所述终端设备的标识指纹;Determine the access requirements and type of the terminal device, and confirm the identification fingerprint of the terminal device based on the access requirements and type;
基于所述标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥;Based on the identification fingerprint, generate the public key and private key of the terminal device through the identification key generation algorithm;
基于所述公钥和私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证。The data message sent by the terminal device is signed and verified based on the public key and the private key, and based on the signature verification result, the terminal device is authenticated.
上述方法中,所述标识指纹包括:终端设备的唯一序列号、通用参数、产品检测序列号、内嵌模块运行状态。In the above method, the identification fingerprint includes: the unique serial number of the terminal device, general parameters, product detection serial number, and the operating status of the embedded module.
上述方法中,基于所述标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥,包括:In the above method, based on the identification fingerprint, the public key and private key of the terminal device are generated through the identification key generation algorithm, including:
所述终端设备生成随机数,基于所述随机数、所述标识指纹生成第一随机公钥和第一随机私钥;The terminal device generates a random number, and generates a first random public key and a first random private key based on the random number and the identification fingerprint;
将所述第一随机公钥和所述标识指纹发送至设备密钥管理中心;Send the first random public key and the identification fingerprint to the device key management center;
所述设备密钥管理中心对所述第一随机公钥和所述标识指纹进行运算,获取映射序列;The device key management center performs operations on the first random public key and the identification fingerprint to obtain a mapping sequence;
基于所述映射序列与随机生成的第二随机公钥、第二随机私钥进行矩阵运算,生成终端设备的公钥和私钥;Perform matrix operations based on the mapping sequence and the randomly generated second random public key and second random private key to generate the public key and private key of the terminal device;
设备密钥管理中心通过第一随机公钥对所述私钥进行加密,将加密后的私钥发送至所述终端设备;The device key management center encrypts the private key through the first random public key and sends the encrypted private key to the terminal device;
所述终端设备通过第一随机私钥对所述加密的私钥进行解密,获取所述私钥;The terminal device decrypts the encrypted private key through the first random private key to obtain the private key;
设备密钥管理中心将所述公钥进行公布。The device key management center publishes the public key.
上述方法中,终端设备生成随机数,基于所述随机数、所述标识指纹 生成第一随机公钥和第一随机私钥,还包括:In the above method, the terminal device generates a random number, generates a first random public key and a first random private key based on the random number and the identification fingerprint, and also includes:
基于所述随机数、所述标识指纹通过SM9算法生成第一随机公钥和第一随机私钥。The first random public key and the first random private key are generated through the SM9 algorithm based on the random number and the identification fingerprint.
上述方法中,所述设备密钥管理中心对所述第一随机公钥和所述标识指纹进行运算,获取映射序列,还包括:In the above method, the device key management center operates on the first random public key and the identification fingerprint to obtain the mapping sequence, which also includes:
所述设备密钥管理中心对所述第一随机公钥和所述标识指纹进行哈希散列运算,获取32组映射序列。The device key management center performs a hash operation on the first random public key and the identification fingerprint to obtain 32 sets of mapping sequences.
上述方法中,所述基于所述公钥和私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证,包括:In the above method, the data message sent by the terminal device is signed and verified based on the public key and private key, and the authentication of the terminal device is implemented based on the signature verification result, including:
发送方的所述终端设备对所述数据消息与所述标识指纹进行运算,生成第一消息摘要;通过所述终端设备的私钥对所述第一消息摘要进行加密,获取数字签名;将所述数字签名、所述数据消息和所述标识指纹发送至接收方;The terminal device of the sender performs operations on the data message and the identification fingerprint to generate a first message digest; encrypts the first message digest using the private key of the terminal device to obtain a digital signature; The digital signature, the data message and the identification fingerprint are sent to the recipient;
所述接收方对所述数据消息和所述标识指纹进行运算,获取第二消息摘要;通过所述终端设备的公钥对所述数字签名进行解密,获取第一消息摘要;判断所述第一消息摘要和所述第二消息摘要是否一致,当判断结果为一致时,所述终端设备通过认证。The receiver performs operations on the data message and the identification fingerprint to obtain a second message digest; decrypts the digital signature through the public key of the terminal device to obtain a first message digest; and determines the first message digest. Whether the message digest and the second message digest are consistent, when the judgment result is consistent, the terminal device passes the authentication.
上述方法中,在实现对终端设备的认证后,还包括:In the above method, after realizing the authentication of the terminal device, it also includes:
所述终端设备通过接收方的公钥对数据明文基于随机数进行SM4算法加密,将加密后的数据发送至接收方;The terminal device uses the recipient's public key to encrypt the data plaintext based on the SM4 algorithm based on random numbers, and sends the encrypted data to the recipient;
所述接收方通过自身的私钥对接收到的加密的数据进行SM4算法解密,获取数据明文。The recipient uses its own private key to decrypt the received encrypted data using the SM4 algorithm to obtain the plain text of the data.
基于本申请的另一方面,本申请提供一种基于标识公钥的终端设备认证系统,所述系统包括:Based on another aspect of this application, this application provides a terminal device authentication system based on an identification public key. The system includes:
确定部分,配置为确定终端设备的接入需求与类型,基于所述接入需求与类型确认所述终端设备的标识指纹;The determining part is configured to determine the access requirement and type of the terminal device, and confirm the identification fingerprint of the terminal device based on the access requirement and type;
生成部分,配置为基于所述标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥;The generation part is configured to generate the public key and private key of the terminal device through the identification key generation algorithm based on the identification fingerprint;
验证部分,配置为基于所述公钥和私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证。The verification part is configured to sign and verify the data message sent by the terminal device based on the public key and the private key, and implement authentication of the terminal device based on the signature verification result.
上述装置中,所述标识指纹包括:终端设备的唯一序列号、通用参数、产品检测序列号、内嵌模块运行状态。In the above device, the identification fingerprint includes: the unique serial number of the terminal device, general parameters, product detection serial number, and the operating status of the embedded module.
上述装置中,所述生成部分,配置为基于所述标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥,还配置为:In the above device, the generation part is configured to generate the public key and private key of the terminal device through the identification key generation algorithm based on the identification fingerprint, and is also configured to:
所述终端设备生成随机数,基于所述随机数、所述标识指纹生成第一随机公钥和第一随机私钥;The terminal device generates a random number, and generates a first random public key and a first random private key based on the random number and the identification fingerprint;
将所述第一随机公钥和所述标识指纹发送至设备密钥管理中心;Send the first random public key and the identification fingerprint to the device key management center;
所述设备密钥管理中心对所述第一随机公钥和所述标识指纹进行运算, 获取映射序列;The device key management center operates on the first random public key and the identification fingerprint to obtain a mapping sequence;
基于所述映射序列与随机生成的第二随机公钥、第二随机私钥进行矩阵运算,生成终端设备的公钥和私钥;Perform matrix operations based on the mapping sequence and the randomly generated second random public key and second random private key to generate the public key and private key of the terminal device;
设备密钥管理中心通过第一随机公钥对所述私钥进行加密,将加密后的私钥发送至所述终端设备;The device key management center encrypts the private key through the first random public key and sends the encrypted private key to the terminal device;
所述终端设备通过第一随机私钥对所述加密的私钥进行解密,获取所述私钥;The terminal device decrypts the encrypted private key through the first random private key to obtain the private key;
设备密钥管理中心将所述公钥进行公布。The device key management center publishes the public key.
上述装置中,所述生成部分,配置为通过终端设备生成随机数,基于所述随机数、所述标识指纹生成第一随机公钥和第一随机私钥,还配置为:In the above device, the generating part is configured to generate a random number through the terminal device, generate a first random public key and a first random private key based on the random number and the identification fingerprint, and is also configured to:
基于所述随机数、所述标识指纹通过SM9算法生成第一随机公钥和第一随机私钥。The first random public key and the first random private key are generated through the SM9 algorithm based on the random number and the identification fingerprint.
上述装置中,所述生成部分,配置为设备密钥管理中心对所述第一随机公钥和所述标识指纹进行运算,获取映射序列,还配置为:In the above device, the generating part is configured such that the device key management center operates on the first random public key and the identification fingerprint to obtain the mapping sequence, and is further configured as:
所述设备密钥管理中心对所述第一随机公钥和所述标识指纹进行哈希散列运算,获取32组映射序列。The device key management center performs a hash operation on the first random public key and the identification fingerprint to obtain 32 sets of mapping sequences.
上述装置中,所述验证部分,配置为基于所述公钥和私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证,还配置为:In the above device, the verification part is configured to sign and verify the data message sent by the terminal device based on the public key and private key, and implement authentication of the terminal device based on the signature verification result. It is also configured to:
发送方的所述终端设备对所述数据消息与所述标识指纹进行运算,生成第一消息摘要;通过所述终端设备的私钥对所述第一消息摘要进行加密,获取数字签名;将所述数字签名、所述数据消息和所述标识指纹发送至接收方;The terminal device of the sender performs operations on the data message and the identification fingerprint to generate a first message digest; encrypts the first message digest using the private key of the terminal device to obtain a digital signature; The digital signature, the data message and the identification fingerprint are sent to the recipient;
所述接收方对所述数据消息和所述标识指纹进行运算,获取第二消息摘要;通过所述终端设备的公钥对所述数字签名进行解密,获取第一消息摘要;判断所述第一消息摘要和所述第二消息摘要是否一致,当判断结果为一致时,所述终端设备通过认证。The receiver performs operations on the data message and the identification fingerprint to obtain a second message digest; decrypts the digital signature through the public key of the terminal device to obtain a first message digest; and determines the first message digest. Whether the message digest and the second message digest are consistent, when the judgment result is consistent, the terminal device passes the authentication.
上述装置中,还包括传输部分,配置为通过所述终端设备通过接收方的公钥对数据明文基于随机数进行SM4算法加密,将加密后的数据发送至接收方;The above-mentioned device also includes a transmission part configured to encrypt the data plaintext based on the SM4 algorithm based on random numbers through the terminal device using the public key of the recipient, and send the encrypted data to the recipient;
所述接收方通过自身的私钥对接收到的加密的数据进行SM4算法解密,获取数据明文。The recipient uses its own private key to decrypt the received encrypted data using the SM4 algorithm to obtain the plain text of the data.
基于本申请的另一方面,本申请提供一种基于标识公钥的终端设备认证系统,所述系统包括存储器和处理器;其中,所述存储器,用于存储可执行指令;所述处理器,用于通过执行所述存储器中存储的可执行指令,实现上述任一项基于标识公钥的终端设备认证方法。Based on another aspect of this application, this application provides a terminal device authentication system based on an identification public key. The system includes a memory and a processor; wherein, the memory is used to store executable instructions; the processor, Used to implement any of the above terminal device authentication methods based on the identification public key by executing executable instructions stored in the memory.
基于本申请的另一方面,本申请提供一种计算机可读存储介质,所述计算机可读存储介质存储有可执行指令,所述可执行指令引起处理器执 行时实现上述任一项基于标识公钥的终端设备认证方法。Based on another aspect of the present application, the present application provides a computer-readable storage medium that stores executable instructions, and the executable instructions cause the processor to implement any of the above-mentioned identification-based public statements when executed. Key-based terminal device authentication method.
本申请实施例提供了一种基于标识公钥的终端设备认证方法、系统及计算机可读存储介质,其中方法包括:确定终端设备的接入需求与类型,基于接入需求与类型确认终端设备的标识指纹;基于标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥;基于公钥和私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证。本申请实施例采用的标识公钥技术作为一种轻量化的密钥生成与管理方法,实现终端设备标识与公钥的绑定,降低了密钥体系的建设成本与运维成本,适用于分布式电源海量的密钥管理。为分布式电源终端设备身份认证及安全通信提供基础,实现分布式电源并网安全,对公司新型电力系统建设及分布式电源发展应用提供了安全保障。Embodiments of the present application provide a terminal equipment authentication method, system and computer-readable storage medium based on an identification public key. The method includes: determining the access requirements and types of the terminal equipment, and confirming the access requirements and types of the terminal equipment based on the access requirements and types. Identification fingerprint; based on the identification fingerprint, the public key and private key of the terminal device are generated through the identification key generation algorithm; the data message sent by the terminal device is signed and verified based on the public key and private key, and based on the signature verification result, the Certification of terminal equipment. The identification public key technology used in the embodiment of this application serves as a lightweight key generation and management method to realize the binding of terminal device identification and public key, reducing the construction cost and operation and maintenance cost of the key system, and is suitable for distribution Massive key management for power supply. It provides a basis for identity authentication and secure communication of distributed power terminal equipment, realizes the safety of distributed power grid connection, and provides security guarantee for the company's new power system construction and the development and application of distributed power.
通过参考下面的附图,可以更为完整地理解本申请的示例性实施方式:Exemplary embodiments of the present application may be more fully understood by reference to the following drawings:
图1为本申请实施例提供的一种基于标识公钥的终端设备认证方法流程图;Figure 1 is a flow chart of a terminal device authentication method based on an identification public key provided by an embodiment of the present application;
图2为本申请实施例提供的一种基于标识公钥的零信任安全接入方法流程图;Figure 2 is a flow chart of a zero-trust secure access method based on an identification public key provided by an embodiment of the present application;
图3为本申请实施例提供的一种电力物联网标识公钥生成算法的用户私钥和公钥生成流程示意图;Figure 3 is a schematic diagram of the user private key and public key generation process of a power Internet of Things identification public key generation algorithm provided by the embodiment of the present application;
图4为本申请实施例提供的一种数字签名/验签流程示意图;Figure 4 is a schematic diagram of a digital signature/signature verification process provided by the embodiment of this application;
图5为本申请实施例提供的一种数据加密传输流程示意图;Figure 5 is a schematic diagram of a data encryption transmission process provided by an embodiment of the present application;
图6为本申请实施例提供的一种基于标识公钥的终端设备认证系统结构图一;Figure 6 is a structural diagram of a terminal device authentication system based on an identification public key provided by an embodiment of the present application;
图7为本申请实施例提供的一种基于标识公钥的终端设备认证系统结构图二。Figure 7 is a second structural diagram of a terminal device authentication system based on an identification public key provided by an embodiment of the present application.
现在参考附图介绍本申请的示例性实施方式,然而,本申请可以用许多不同的形式来实施,并且不局限于此处描述的实施例,提供这些实施例是为了详尽地且完全地公开本申请,并且向所属技术领域的技术人员充分传达本申请的范围。对于表示在附图中的示例性实施方式中的术语并不是对本申请的限定。在附图中,相同的单元/元件使用相同的附图标记。Exemplary embodiments of the present application will now be described with reference to the accompanying drawings. However, the present application may be embodied in many different forms and is not limited to the embodiments described herein. These embodiments are provided so that this disclosure will be thorough and complete. application, and fully convey the scope of this application to those skilled in the art. The terminology used in the exemplary embodiments represented in the drawings does not limit the application. In the drawings, identical units/elements use the same reference numerals.
除非另有说明,此处使用的术语(包括科技术语)对所属技术领域的技术人员具有通常的理解含义。另外,可以理解的是,以通常使用的词典限定的术语,应当被理解为与其相关领域的语境具有一致的含义,而不应该被理解为理想化的或过于正式的意义。Unless otherwise defined, the terms (including scientific and technical terms) used herein have the commonly understood meaning to one of ordinary skill in the art. In addition, it is understood that terms defined in commonly used dictionaries should be understood to have consistent meanings in the context of their relevant fields and should not be understood as having an idealized or overly formal meaning.
图1为根据本申请实施例提供的一种基于标识公钥的终端设备认证方法流程图。Figure 1 is a flow chart of a terminal device authentication method based on an identification public key according to an embodiment of the present application.
为确保分布式电源及其数据传输网络的安全运行,抵御黑客、恶意代码等通过各种形式利用分布式电源发起对电网监控系统的恶意破坏和攻击,以及其他非法操作,防止电力系统瘫痪和失控,并由此导致的电网一次系统事故,需要强化分布式电源与户外就地采集终端之间的安全防护,确保终端之间实现身份认证、数据加密、访问控制。In order to ensure the safe operation of distributed power sources and their data transmission networks, resist hackers, malicious codes, etc. who use distributed power sources in various forms to initiate malicious damage and attacks on the power grid monitoring system, as well as other illegal operations, and prevent the power system from being paralyzed and out of control. , and the resulting power grid system accident requires strengthening the security protection between distributed power sources and outdoor on-site collection terminals to ensure identity authentication, data encryption, and access control between terminals.
随着分布式电源发展以及电力物联网应用扩大,终端的认证要求使得传统的公钥基础设施PKI证书认证技术在物联网应用的不足逐步显现出来。标识公钥(Identity Public Key,IPK)基于标识对矩阵的映射关系,实现了标识与密钥的关系绑定,从而以标识替代公钥,简化了海量公钥的管理与分发。IPK签名短,存储和传输占用资源少,更适合于终端设备的窄带框通信。IPK所需的存储资源仅为PKI的1/10,更适合于边缘计算终端。在终端应用中,IPK轻量级密钥技术相比传统的PKI技术,具有更加明显的应用优势,可实现去中心化的、高效离线认证,为物联网终端的安全提供最佳体验,保证分布式电源的终端安全接入,避免攻击从终端蔓延到电网而对电网安全稳定运行造成威胁。With the development of distributed power sources and the expansion of power Internet of Things applications, terminal certification requirements have gradually revealed the shortcomings of traditional public key infrastructure PKI certificate authentication technology in Internet of Things applications. Identity Public Key (IPK) is based on the mapping relationship between the identity pair matrix and realizes the relationship binding between the identity and the key, thereby replacing the public key with the identity and simplifying the management and distribution of massive public keys. The IPK signature is short, takes up less resources for storage and transmission, and is more suitable for narrowband frame communication of terminal devices. The storage resources required by IPK are only 1/10 of PKI, which is more suitable for edge computing terminals. In terminal applications, IPK lightweight key technology has more obvious application advantages than traditional PKI technology. It can achieve decentralized and efficient offline authentication, provide the best experience for the security of IoT terminals, and ensure distribution The terminals of the power supply are securely connected to prevent attacks from spreading from the terminals to the power grid and posing a threat to the safe and stable operation of the power grid.
为避免依赖复杂昂贵的基于公钥基础设施的电力调度数据证书体系,本申请选择轻量级的适用于海量物联网终端的标识公钥密码算法,所以成本更低,更适合在大规模分布式电源推广应用,保证分布式能源接入安全,推进能源转型及新型电力系统建设。In order to avoid relying on the complex and expensive power dispatch data certificate system based on public key infrastructure, this application chooses a lightweight identification public key cryptographic algorithm suitable for massive IoT terminals, so the cost is lower and more suitable for large-scale distributed deployment. Promote the application of power sources, ensure the security of distributed energy access, and promote energy transformation and the construction of new power systems.
本申请分析了分布式电源物联网终端接入的风险,提出了基于标识公钥的分布式电源安全接入方法,实现对分布式电源终端设备的安全认证和数据的加密传输,保证终端接入的安全性以及数据传输不受非法入侵的威胁,提升电网的主动防御能力。This application analyzes the risks of distributed power Internet of Things terminal access, and proposes a distributed power secure access method based on identification public keys to achieve security authentication of distributed power terminal equipment and encrypted data transmission to ensure terminal access. The security and data transmission are not threatened by illegal intrusion, and the active defense capability of the power grid is improved.
基于标识公钥的零信任安全接入方法包括三个步骤。首先,分析分布式电源接入需要与电网交互的终端设备类型,提取设备指纹;其次,基于设备指纹设计电力物联网终端标识密钥生成算法,生成终端设备公私钥;最后,设计基于标识公钥的分布式电源安全接入方法,包括终端安全认证及数据加密传输。如图2所示。The zero-trust secure access method based on identification public keys includes three steps. First, analyze the types of terminal equipment that need to interact with the power grid for distributed power supply access, and extract device fingerprints; secondly, design a power Internet of Things terminal identification key generation algorithm based on equipment fingerprints to generate terminal equipment public and private keys; finally, design a power IoT terminal identification key generation algorithm based on identification public keys. The distributed power supply secure access method includes terminal security authentication and data encrypted transmission. as shown in picture 2.
如图1所示,本申请实施例提供一种基于标识公钥的终端设备认证方法,方法包括:As shown in Figure 1, this embodiment of the present application provides a terminal device authentication method based on an identification public key. The method includes:
步骤101:确定终端设备的接入需求与类型,基于接入需求与类型确认终端设备的标识指纹。Step 101: Determine the access requirements and type of the terminal device, and confirm the identification fingerprint of the terminal device based on the access requirements and type.
在一些实施例中,标识指纹包括:终端设备的唯一序列号、通用参数、产品检测序列号、内嵌模块运行状态。In some embodiments, the identification fingerprint includes: the unique serial number of the terminal device, general parameters, product detection serial number, and embedded module running status.
本申请实施例根据分布式电源并网的网络安全需求,确定涉控终端设备的类型,并以保证唯一性和低冗余性为目标确定设备标识指纹。The embodiment of this application determines the type of terminal equipment involved in the control according to the network security requirements of distributed power grid connection, and determines the device identification fingerprint with the goal of ensuring uniqueness and low redundancy.
(1)分布式电源并网的网络安全需求(1) Network security requirements for distributed power grid connection
分布式电源与调度主站交互需进行实时遥信、遥测数据信息、电能量计量等数据信息采集,需要满足电力监控系统安全防护要求。以分布式光伏并网为例,需要满足以下要求:The interaction between distributed power sources and the dispatching master station requires the collection of real-time remote signaling, telemetry data information, electric energy measurement and other data information, which needs to meet the security protection requirements of the power monitoring system. Taking distributed photovoltaic grid connection as an example, the following requirements need to be met:
10千伏及以上分布式光伏并网:分布式光伏站控系统数据采集服务器同户外就地采集终端(例如光伏发电单元测控终端等)之间网络通信应采取加密认证措施,实现身份认证、数据加密、访问控制等安全措施,禁止外部设备的接入,防止单一风机或光伏发电单元的安全风险扩散到站控系统。Distributed photovoltaic grid connection of 10 kV and above: The network communication between the data collection server of the distributed photovoltaic station control system and the outdoor on-site collection terminal (such as photovoltaic power generation unit measurement and control terminal, etc.) should adopt encryption authentication measures to achieve identity authentication, data Security measures such as encryption and access control prohibit the access of external equipment to prevent the security risks of a single wind turbine or photovoltaic power generation unit from spreading to the station control system.
低压分布式光伏并网Low voltage distributed photovoltaic grid connection
配电物联网接入:分布式光伏可部署融合终端,接入电网公司配电物联网平台,分布式光伏融合终端与电网公司配电物联网平台的数据交互应具备身份认证、访问控制、数据加密功能。Distribution Internet of Things access: Distributed photovoltaic deployable converged terminals are connected to the power grid company's distribution Internet of Things platform. The data interaction between distributed photovoltaic converged terminals and the power grid company's distribution Internet of Things platform should have identity authentication, access control, data Encryption function.
用电信息采集系统接入:分布式光伏能源控制器与电网公司配电物联网平台的数据交互应具备身份认证、访问控制、数据加密功能。Access to the power information collection system: The data interaction between the distributed photovoltaic energy controller and the power distribution Internet of Things platform of the power grid company should have identity authentication, access control, and data encryption functions.
公网云平台接入:分布式光伏聚合商与电网公司公网云平台的数据交互应具备身份认证、访问控制、数据加密功能。Public network cloud platform access: The data interaction between distributed photovoltaic aggregators and the power grid company's public network cloud platform should have identity authentication, access control, and data encryption functions.
(2)确定设备指纹类型(2) Determine the device fingerprint type
光伏发电单元测控终端等感知层终端通常需要获取的数据类型多种多样,如电气量感知、环境量感知、物理量感知、行为量感知等,涵盖了多种传感器、视频采集器、数据采集设备等,根据其功能的复杂程度不同,涵盖的特征标签也不尽相同,如设备编号、性能参数、运行环境参数。Perception layer terminals such as photovoltaic power generation unit measurement and control terminals usually need to obtain a variety of data types, such as electrical quantity sensing, environmental quantity sensing, physical quantity sensing, behavioral quantity sensing, etc., covering a variety of sensors, video collectors, data collection equipment, etc. , depending on the complexity of its functions, the feature labels covered are also different, such as device numbers, performance parameters, and operating environment parameters.
分布式光伏能源控制器及分布式光伏融合终端等智能设备还包含通信模块、计量模块、控制模块等,这些模块又有各自众多特征参数信息。Intelligent devices such as distributed photovoltaic energy controllers and distributed photovoltaic integration terminals also include communication modules, metering modules, control modules, etc., and these modules have their own numerous characteristic parameter information.
设备指纹特征信息提取,不仅应全面反映一个设备的特性,且能够唯一标识某设备,同时需要考虑设备算力及能耗等压力。因此,本申请实施例经过基于多变量互信息的多标记特征选择算法,从多维特征信息中筛选得到的特征子集为:设备/模块唯一序列号、通用参数、产品检测序列号、内嵌模块运行状态。The extraction of device fingerprint feature information should not only fully reflect the characteristics of a device, but also be able to uniquely identify a device. It also needs to consider pressures such as device computing power and energy consumption. Therefore, in the embodiment of this application, through a multi-mark feature selection algorithm based on multi-variable mutual information, the feature subsets screened from multi-dimensional feature information are: device/module unique serial number, general parameters, product detection serial number, embedded module Operating status.
其中,设备序列号/ID是生产厂商为设备分配的唯一标识符;设备通用参数,如类型、名称、型号、功能等;内嵌模块运行状态,如安全状态、存储状态等,由于模块的软硬件设计具有高安全等特点,安全性高,且这些状态不容易被复制,唯一性较好。该子集涵盖了尽可能多的类别信息,同时冗余性较小。Among them, the device serial number/ID is the unique identifier assigned to the device by the manufacturer; device general parameters, such as type, name, model, function, etc.; embedded module running status, such as security status, storage status, etc., due to the module’s software The hardware design has the characteristics of high security, high security, and these states are not easily copied and have good uniqueness. This subset covers as much category information as possible with less redundancy.
步骤102:基于标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥。Step 102: Based on the identification fingerprint, generate the public key and private key of the terminal device through the identification key generation algorithm.
在一些实施例中,基于标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥,包括:In some embodiments, based on the identification fingerprint, the public key and private key of the terminal device are generated through an identification key generation algorithm, including:
终端设备生成随机数,基于随机数、标识指纹生成第一随机公钥和第一随机私钥;The terminal device generates a random number, and generates a first random public key and a first random private key based on the random number and identification fingerprint;
将第一随机公钥和标识指纹发送至设备密钥管理中心;Send the first random public key and identification fingerprint to the device key management center;
设备密钥管理中心对第一随机公钥和标识指纹进行运算,获取映射序列;The device key management center operates the first random public key and the identification fingerprint to obtain the mapping sequence;
基于映射序列与随机生成的第二随机公钥、第二随机私钥进行矩阵运算,生成终端设备的公钥和私钥;Perform matrix operations based on the mapping sequence and the randomly generated second random public key and second random private key to generate the public key and private key of the terminal device;
设备密钥管理中心通过第一随机公钥对私钥进行加密,将加密后的私钥发送至终端设备;The device key management center encrypts the private key through the first random public key and sends the encrypted private key to the terminal device;
终端设备通过第一随机私钥对加密的私钥进行解密,获取私钥;The terminal device decrypts the encrypted private key through the first random private key to obtain the private key;
设备密钥管理中心将公钥进行公布。The device key management center publishes the public key.
在一些实施例中,终端设备生成随机数,基于随机数、标识指纹生成第一随机公钥和第一随机私钥,还包括:In some embodiments, the terminal device generates a random number, generates a first random public key and a first random private key based on the random number and the identification fingerprint, and further includes:
基于随机数、标识指纹通过SM9算法生成第一随机公钥和第一随机私钥。The first random public key and the first random private key are generated through the SM9 algorithm based on the random number and identification fingerprint.
在一些实施例中,设备密钥管理中心对第一随机公钥和标识指纹进行运算,获取映射序列,还包括:In some embodiments, the device key management center operates on the first random public key and the identification fingerprint to obtain the mapping sequence, which also includes:
设备密钥管理中心对第一随机公钥和标识指纹进行哈希散列运算,获取32组映射序列。The device key management center performs a hash operation on the first random public key and the identification fingerprint to obtain 32 sets of mapping sequences.
本申请实施例提供的电力物联网标识公钥生成算法以IPK标识公钥技术为基础,运用SM9算法设计标识密钥对生成方法,将现存的公钥体系转化为结合物联网设备标识的公钥体制,实现标识与公钥的关系绑定,将密钥的生成与分发结合起来,实现海量终端的密钥管理,作为一种轻量化的密钥生成与管理方法,直接简化了密钥生成的复杂度和管理难度,同时降低了密钥体系的建设成本与运维成本。电力物联网标识公钥生成算法的用户私钥和公钥生成流程如图3所示。The power Internet of Things identification public key generation algorithm provided by the embodiment of this application is based on IPK identification public key technology, using the SM9 algorithm to design an identification key pair generation method, and converts the existing public key system into a public key combined with the Internet of Things device identification. The system realizes the binding of identification and public key, combines the generation and distribution of keys, and realizes the key management of massive terminals. As a lightweight key generation and management method, it directly simplifies the key generation. complexity and management difficulty, while reducing the construction cost and operation and maintenance cost of the key system. The user private key and public key generation process of the power Internet of Things identification public key generation algorithm is shown in Figure 3.
本申请实施例提供的电力物联网标识公钥生成算法流程如下:The power Internet of Things identification public key generation algorithm process provided by the embodiment of this application is as follows:
终端设备提取指纹信息,形成指纹ID;The terminal device extracts fingerprint information and forms a fingerprint ID;
终端设备生成的随机数s,根据SM9算法生成用户的随机公私钥对(r,R),将R和指纹ID传递给设备密钥管理中心;The random number s generated by the terminal device generates the user's random public and private key pair (r, R) according to the SM9 algorithm, and passes R and the fingerprint ID to the device key management center;
设备密钥管理中心对设备发来的R和指纹ID进行哈希散列运算得到32组映射序列;The device key management center performs a hash operation on the R and fingerprint ID sent by the device to obtain 32 sets of mapping sequences;
根据32组映射序列与随机生成的公钥和私钥进行矩阵运算,得到公钥PSK(Pre-Shared Key)和设备的私钥ISK(Identity Secure Key);Perform matrix operations based on 32 sets of mapping sequences and randomly generated public keys and private keys to obtain the public key PSK (Pre-Shared Key) and the device's private key ISK (Identity Secure Key);
设备密钥管理中心再使用以R为公钥的加密算法加密ISK得到密文回传给设备;The device key management center then uses the encryption algorithm with R as the public key to encrypt the ISK to obtain the ciphertext and send it back to the device;
设备使用随机私钥r对密文解密,得到自己的私钥ISK;The device uses the random private key r to decrypt the ciphertext and obtain its own private key ISK;
设备密钥管理中心会将公钥PSK进行公布,其他用户可以根据设备的 公钥,解密设备发来的密文。The device key management center will publish the public key PSK, and other users can decrypt the ciphertext sent by the device based on the device's public key.
通过以上流程使得设备密钥管理中心无法得知设备的私钥,其他用户也不能对密文进行解密,保证了私钥和消息的安全性。Through the above process, the device key management center cannot know the private key of the device, and other users cannot decrypt the ciphertext, ensuring the security of the private key and message.
在本申请实施例的标识公钥生成过程中,终端的随机公私钥对生成采用的是SM9国密算法,替换了ECC等国外算法,性能更优更安全,处理速度快、机器性能消耗更小,摆脱对国外密码技术的依赖,实现从密码算法层面掌控核心的信息安全技术。In the identification public key generation process in the embodiment of this application, the SM9 national secret algorithm is used to generate the random public and private key pairs of the terminal, replacing ECC and other foreign algorithms. The performance is better and safer, the processing speed is fast, and the machine performance consumption is smaller. , get rid of the dependence on foreign cryptography technology, and realize the control of core information security technology from the cryptographic algorithm level.
步骤103:基于公钥和私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证。Step 103: Sign and verify the data message sent by the terminal device based on the public key and private key, and implement authentication of the terminal device based on the signature verification result.
在一些实施例中,基于公钥和私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证,包括:In some embodiments, the data message sent by the terminal device is signed and verified based on the public key and private key, and the authentication of the terminal device is implemented based on the signature verification result, including:
发送方的终端设备对数据消息与标识指纹进行运算,生成第一消息摘要;通过终端设备的私钥对第一消息摘要进行加密,获取数字签名;将数字签名、数据消息和标识指纹发送至接收方;The sender's terminal device calculates the data message and the identification fingerprint to generate a first message digest; encrypts the first message digest with the private key of the terminal device to obtain a digital signature; sends the digital signature, data message and identification fingerprint to the recipient square;
接收方对数据消息和标识指纹进行运算,获取第二消息摘要;通过终端设备的公钥对数字签名进行解密,获取第一消息摘要;判断第一消息摘要和第二消息摘要是否一致,当判断结果为一致时,终端设备通过认证。The receiver calculates the data message and the identification fingerprint to obtain the second message digest; decrypts the digital signature through the public key of the terminal device to obtain the first message digest; determines whether the first message digest and the second message digest are consistent. When the results are consistent, the terminal device is authenticated.
本申请实施例基于标识公钥的数字签名实现终端设备身份认证,本申请实施例的终端设备的身份认证是分布式电源安全接入的重要环节,本申请实施例在轻量级标识密钥体系基础上实现终端设备的数字签名,进行终端身份验证。在分布式电源终端设备与调控系统进行消息数据传输时,为了保证消息没有被篡改,需要对消息进行数字签名以及验签,其中边缘侧到终端侧采用轻量级SM2算法进行签名验证,使用电力物联网标识公钥生成算法进行密钥管理。数字签名以及验签过程如图4所示。The embodiment of this application implements terminal device identity authentication based on the digital signature of the identification public key. The identity authentication of the terminal device in this embodiment of the application is an important link in the secure access of distributed power sources. The embodiment of this application uses a lightweight identification key system. Basically, the digital signature of the terminal device is realized and the terminal identity is verified. When the distributed power terminal equipment and the control system transmit message data, in order to ensure that the message has not been tampered with, the message needs to be digitally signed and verified. The lightweight SM2 algorithm is used for signature verification from the edge side to the terminal side, using electricity. IoT identification public key generation algorithm for key management. The digital signature and signature verification process is shown in Figure 4.
数字签名过程:发送方终端设备首先拼接消息和设备标识进行Hash函数加密,得到加密后的消息摘要;然后将加密后的消息摘要和设备私钥ISK输入加密算法中进行签名运算,得到数字签名。将得到的数字签名和原本的消息标识放入数据包进行传输。Digital signature process: The sender's terminal device first splices the message and device identification and performs Hash function encryption to obtain the encrypted message digest; then inputs the encrypted message digest and the device private key ISK into the encryption algorithm for signature operation to obtain a digital signature. Put the obtained digital signature and the original message identifier into the data packet for transmission.
验签过程:接收方接收到数据包时要先进行数字签名信息的验证来保证数据包的真实性。使用公钥对接收的签名信息进行解密,将解密后得到的消息序列与传输过来的消息序列进行比对,若结果一致则签名有效,消息未被篡改,反之签名无效。Signature verification process: When the recipient receives the data packet, it must first verify the digital signature information to ensure the authenticity of the data packet. Use the public key to decrypt the received signature information, and compare the decrypted message sequence with the transmitted message sequence. If the results are consistent, the signature is valid and the message has not been tampered with. Otherwise, the signature is invalid.
在分布式电源终端设备的安全接入过程中,基于电力物联网标识公钥生成算法生成公私钥,基于SM2算法对消息进行数字签名,实现了以电力物联网标识公钥生成算法密钥管理与SM2数字签名的结合,保证相关数据是从合法的设备上获得的真实数据,实现了分布式电源终端设备的安全认证,防止假冒攻击。In the secure access process of distributed power terminal equipment, public and private keys are generated based on the power Internet of Things identification public key generation algorithm, and the message is digitally signed based on the SM2 algorithm. Key management and key management using the power Internet of Things identification public key generation algorithm are realized. The combination of SM2 digital signatures ensures that the relevant data is real data obtained from legal equipment, realizes the security authentication of distributed power terminal equipment, and prevents counterfeit attacks.
在一些实施例中,在实现对终端设备的认证后,还包括:In some embodiments, after implementing the authentication of the terminal device, it also includes:
终端设备通过接收方的公钥对数据明文基于随机数进行SM4算法加密,将加密后的数据发送至接收方;The terminal device uses the recipient's public key to encrypt the data plaintext based on the SM4 algorithm based on random numbers, and sends the encrypted data to the recipient;
接收方通过自身的私钥对接收到的加密的数据进行SM4算法解密,获取数据明文。The receiver uses its own private key to decrypt the received encrypted data using the SM4 algorithm to obtain the plain text of the data.
本申请实施例基于电力物联网标识公钥的SM4加解密实现终端数据的安全传输。本申请实施例的分布式电源终端设备在采集完数据信息后,将终端获取到的数据传输到电力物联网管理平台。在传输的过程中,对传输的信息数据采取加密的方式确保接收方收到的信息安全可靠。The embodiment of this application implements secure transmission of terminal data based on SM4 encryption and decryption of the power Internet of Things identification public key. After collecting data information, the distributed power supply terminal equipment in the embodiment of the present application transmits the data obtained by the terminal to the power Internet of Things management platform. During the transmission process, the transmitted information data is encrypted to ensure that the information received by the recipient is safe and reliable.
本申请实施例对于传输数据的加密方式,采用以电力物联网标识公钥生成算法产生的公私钥为密钥的SM4数据加解密算法保障其安全性,作为非对称椭圆曲线加密算法,SM4加密解密速度较快,机器性能消耗更小。在数据加密传输过程中,如图5所示,发送发使用接收方公钥对消息进行SM4加密,加密过程中使用了随机数,因此同样的明文数据每一次加密结果都不一样;接收方使用自身私钥对收到的加密数据包进行SM4解密,计算传递的消息明文,进行数据校验,保障了数据传输过程中的完整性,解决网络传输过程中的数据篡改问题,保证业务系统收到的数据是可靠的,即防止对数据的篡改攻击。For the encryption method of transmitted data, the embodiment of this application adopts the SM4 data encryption and decryption algorithm using the public and private keys generated by the power Internet of Things identification public key generation algorithm as the key to ensure its security. As an asymmetric elliptic curve encryption algorithm, SM4 encryption and decryption The speed is faster and the machine performance consumption is smaller. During the data encryption transmission process, as shown in Figure 5, the sender uses the receiver's public key to encrypt the message with SM4. Random numbers are used in the encryption process, so the same plaintext data has different encryption results every time; the receiver uses Its own private key performs SM4 decryption on the received encrypted data packets, calculates the plaintext of the transmitted message, and performs data verification to ensure the integrity of the data transmission process, solve the problem of data tampering during network transmission, and ensure that the business system receives The data is reliable, that is, data tampering attacks are prevented.
本申请实施例的分布式电源终端指纹提取技术,是根据分布式电源并网的网络安全需求,确定涉控终端类型,并以保证唯一性和低冗余性为目标确定设备指纹特征。本申请实施例的分布式电源与调度主站交互需要满足身份认证、访问控制、数据加密电力监控系统安全防护要求。光伏发电单元测控终端等感知层终端及分布式光伏能源控制器等智能设备包含众多特征参数信息。设备指纹特征信息提取,不仅应全面反映一个设备的特性,且能够唯一标识某设备,同时需要考虑设备算力及能耗等压力。因此,本申请实施例经过基于多变量互信息的多标记特征选择算法,从多维特征信息中筛选得到的特征子集为:设备/模块唯一序列号、通用参数、产品检测序列号、内嵌模块运行状态。The distributed power terminal fingerprint extraction technology in the embodiment of this application determines the type of terminal involved in the control based on the network security requirements of distributed power grid connection, and determines the device fingerprint characteristics with the goal of ensuring uniqueness and low redundancy. The interaction between the distributed power supply and the dispatching master station in the embodiment of this application needs to meet the security protection requirements of the power monitoring system for identity authentication, access control, and data encryption. Sensing layer terminals such as photovoltaic power generation unit measurement and control terminals and smart devices such as distributed photovoltaic energy controllers contain numerous characteristic parameter information. The extraction of device fingerprint feature information should not only fully reflect the characteristics of a device, but also be able to uniquely identify a device. It also needs to consider pressures such as device computing power and energy consumption. Therefore, in the embodiment of this application, through a multi-mark feature selection algorithm based on multi-variable mutual information, the feature subsets screened from multi-dimensional feature information are: device/module unique serial number, general parameters, product detection serial number, embedded module Operating status.
本申请实施例设计的电力物联网标识公钥生成算法是在IPK标识公钥技术基础上发展起来的,基于SM9的标识密钥对生成方法,将现存的公钥体系转化为结合物联网设备标识的公钥体制,实现标识与公钥的关系绑定,将密钥的生成与分发结合起来,为海量的密钥管理提供了思路,作为一种轻量化的密钥生成与管理方法,直接简化了密钥生成的复杂度和管理难度,采用国密算法提高了安全性和自主可控能力,同时降低了密钥体系的建设成本与运维成本。The electric power Internet of Things identification public key generation algorithm designed in the embodiment of this application is developed on the basis of IPK identification public key technology. Based on the SM9 identification key pair generation method, the existing public key system is transformed into a combination of Internet of Things device identification. The public key system realizes the binding of identification and public key, combines the generation and distribution of keys, and provides ideas for massive key management. As a lightweight key generation and management method, it directly simplifies It reduces the complexity and management difficulty of key generation, uses the national secret algorithm to improve security and independent controllability, and at the same time reduces the construction cost and operation and maintenance cost of the key system.
本申请实施例的终端设备的身份认证是分布式电源安全接入的重要环节,本申请实施例在轻量级标识密钥体系基础上实现终端设备的数字签名,进行终端身份验证。在分布式电源终端设备与调控系统进行消息数据传输时,为了保证消息没有被篡改,对消息进行数字签名以及验签,其中边缘 侧到终端侧采用轻量级SM2算法进行签名验证,使用电力物联网标识公钥生成算法进行密钥管理,保证相关数据是从合法的设备上获得的真实数据,实现了分布式电源终端设备的安全认证,防止假冒攻击。The identity authentication of the terminal equipment in the embodiment of this application is an important link in the secure access of distributed power sources. The embodiment of this application implements the digital signature of the terminal equipment based on the lightweight identification key system to perform terminal identity verification. When the distributed power terminal equipment and the control system transmit message data, in order to ensure that the message has not been tampered with, the message is digitally signed and verified. The lightweight SM2 algorithm is used for signature verification from the edge side to the terminal side. The network identification public key generation algorithm performs key management to ensure that the relevant data is real data obtained from legal equipment, realizes the security authentication of distributed power terminal equipment, and prevents counterfeit attacks.
本申请实施例的应用标识公钥带来的安全性高:PKI是采用单一根密钥的安全体制,IPK是以种子密钥为架构的多种算法的组合,更适用于分布式电源涉控终端的安全认证,能更有效地抵御云计算和量子计算的攻击;本申请实施例的兼容性强:IPK兼容PKI等主流安全应用,在不影响原有业务安全机制的基础上,融合原有业务安全机制,更好地满足分布式电源的安全建设与防御;本申请实施例的容灾性强:IPK认证过程不需要中心证书(公钥)库的支持,这样不仅有利于提高效率,减少资源消耗,而且不会因为由于中心系统的故障和意外灾害等导致系统的瘫痪,非常适合分布式电源并网场景;本申请实施例具有自主可控性:IPK轻量级密钥技术国产自主可控,国密算法支撑,可不依赖第三方,自主控制密钥,实现分布式电源并网进程中的主动安全防御机制;本申请实施例的适用性强:IPK技术对密钥的管理分发非常高效,易用性强,部署简单,完全满足分布式电源并网过程中的终端认证、数据传输等核心安全机制要求。The application identification public key in the embodiment of this application brings high security: PKI is a security system using a single root key, and IPK is a combination of multiple algorithms based on a seed key, which is more suitable for distributed power control. Terminal security authentication can more effectively resist cloud computing and quantum computing attacks; the embodiments of this application have strong compatibility: IPK is compatible with mainstream security applications such as PKI, and integrates the original business security mechanisms without affecting the original business security mechanism. Business security mechanism to better meet the security construction and defense of distributed power sources; the embodiment of this application is highly disaster-tolerant: the IPK authentication process does not require the support of a central certificate (public key) library, which not only helps improve efficiency but also reduces Resource consumption, and the system will not be paralyzed due to central system failures and unexpected disasters, which is very suitable for distributed power grid-connected scenarios; the embodiments of this application are autonomously controllable: IPK lightweight key technology is independently controllable in China Control, supported by the national secret algorithm, can independently control the key without relying on a third party, and realize an active security defense mechanism in the process of distributed power grid connection; the applicability of the embodiments of this application is strong: IPK technology is very efficient in the management and distribution of keys , easy to use, simple to deploy, and fully meets the requirements of core security mechanisms such as terminal authentication and data transmission in the process of distributed power grid connection.
本申请实施例基于标识公钥的分布式电源安全接入方法在成本节约和风险防范两个层面创造了显著的经济效益。(1)在成本节约层面,基于标识公钥的安全接入方法的成本相比传统电力调度数字证书大幅降低,在大规模部署中,经济效益显著,可大大降低成本;(2)在风险防范层面,由于网络攻击导致的大面积停电会给社会生产带来极大损失。基于标识公钥的分布式电源安全接入方法应用于风机、光伏电站的安全接入,可以实现分布式电源与电网调控系统之间的数据传输过程中的数据机密性、完整性和真实性,进而保护电网安全,从而减少电力突发事件带来的损失。The distributed power supply secure access method based on the identification public key in the embodiment of this application creates significant economic benefits in terms of cost saving and risk prevention. (1) In terms of cost saving, the cost of the secure access method based on identification public keys is significantly lower than that of traditional power dispatch digital certificates. In large-scale deployment, the economic benefits are significant and the cost can be greatly reduced; (2) In terms of risk prevention At the same level, large-scale power outages caused by cyber attacks will bring great losses to social production. The secure access method of distributed power sources based on identification public keys is applied to the secure access of wind turbines and photovoltaic power stations. It can achieve data confidentiality, integrity and authenticity in the data transmission process between distributed power sources and grid control systems. This further protects the security of the power grid and reduces losses caused by power emergencies.
随着国家“碳达峰、碳中和”战略目标的提出,电网开展新型电力系统建设,新能源占比将大幅提升,保证新能源厂站的入网安全尤为重要。基于标识公钥的分布式电源安全接入方法的应用,提升了新能源厂站与电网调度主站间纵向网络边界的攻击防范能力,避免分布式电源接入给电网带来安全威胁,保障了新能源电厂和国家电网的稳定运行,为经济社会发展提供可靠电力供应。同时,由于基于标识公钥的分布式电源安全接入方法提高了新能源厂站入网的安全性,必将推动清洁能源入网消纳,加速新能源厂站建设,推动能源绿色转型,助力国家实现双碳目标。With the national strategic goal of "carbon peaking and carbon neutrality" proposed, the power grid is developing a new power system, and the proportion of new energy will increase significantly. It is particularly important to ensure the safety of new energy plants and stations entering the grid. The application of the secure access method of distributed power sources based on identification public keys improves the attack prevention capabilities of the vertical network boundary between new energy plants and main grid dispatching stations, avoids security threats to the power grid caused by access to distributed power sources, and ensures The stable operation of new energy power plants and the national grid provides reliable power supply for economic and social development. At the same time, because the secure access method of distributed power sources based on identification public keys improves the security of new energy plants and stations entering the network, it will definitely promote the integration of clean energy into the network, accelerate the construction of new energy plants and stations, promote the green transformation of energy, and help the country achieve Two-carbon target.
在一些实施例中,图6为根据本申请实施例提供的一种基于标识公钥的终端设备认证系统结构图一。系统包括:In some embodiments, FIG. 6 is a structural diagram 1 of a terminal device authentication system based on an identity public key provided according to an embodiment of the present application. The system includes:
确定部分601,配置为确定终端设备的接入需求与类型,基于接入需求与类型确认终端设备的标识指纹;The determination part 601 is configured to determine the access requirements and type of the terminal device, and confirm the identification fingerprint of the terminal device based on the access requirements and type;
在一些实施例中,标识指纹包括:终端设备的唯一序列号、通用参数、产品检测序列号、内嵌模块运行状态。In some embodiments, the identification fingerprint includes: the unique serial number of the terminal device, general parameters, product detection serial number, and embedded module running status.
生成部分602,配置为基于标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥;The generation part 602 is configured to generate the public key and private key of the terminal device through the identification key generation algorithm based on the identification fingerprint;
在一些实施例中,生成部分602,配置为基于标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥,还配置为:In some embodiments, the generation part 602 is configured to generate the public key and private key of the terminal device through the identification key generation algorithm based on the identification fingerprint, and is also configured to:
终端设备生成随机数,基于随机数、标识指纹生成第一随机公钥和第一随机私钥;The terminal device generates a random number, and generates a first random public key and a first random private key based on the random number and identification fingerprint;
将第一随机公钥和标识指纹发送至设备密钥管理中心;Send the first random public key and identification fingerprint to the device key management center;
设备密钥管理中心对第一随机公钥和标识指纹进行运算,获取映射序列;The device key management center operates the first random public key and the identification fingerprint to obtain the mapping sequence;
基于映射序列与随机生成的第二随机公钥、第二随机私钥进行矩阵运算,生成终端设备的公钥和私钥;Perform matrix operations based on the mapping sequence and the randomly generated second random public key and second random private key to generate the public key and private key of the terminal device;
设备密钥管理中心通过第一随机公钥对私钥进行加密,将加密后的私钥发送至终端设备;The device key management center encrypts the private key through the first random public key and sends the encrypted private key to the terminal device;
终端设备通过第一随机私钥对加密的私钥进行解密,获取私钥;The terminal device decrypts the encrypted private key through the first random private key to obtain the private key;
设备密钥管理中心将公钥进行公布。The device key management center publishes the public key.
在一些实施例中,生成部分602,配置为通过终端设备生成随机数,基于随机数、标识指纹生成第一随机公钥和第一随机私钥,还配置为:In some embodiments, the generation part 602 is configured to generate random numbers through the terminal device, generate the first random public key and the first random private key based on the random number and identification fingerprint, and is also configured to:
基于随机数、标识指纹通过SM9算法生成第一随机公钥和第一随机私钥。The first random public key and the first random private key are generated through the SM9 algorithm based on the random number and identification fingerprint.
在一些实施例中,生成部分602,配置为设备密钥管理中心对第一随机公钥和标识指纹进行运算,获取映射序列,还配置为:In some embodiments, the generation part 602 is configured for the device key management center to operate the first random public key and the identification fingerprint to obtain the mapping sequence, and is also configured to:
设备密钥管理中心对第一随机公钥和标识指纹进行哈希散列运算,获取32组映射序列。The device key management center performs a hash operation on the first random public key and the identification fingerprint to obtain 32 sets of mapping sequences.
验证部分603,配置为基于公钥和私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证。The verification part 603 is configured to sign and verify the data message sent by the terminal device based on the public key and private key, and implement authentication of the terminal device based on the signature verification result.
在一些实施例中,验证部分603,配置为基于公钥和私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证,还配置为:In some embodiments, the verification part 603 is configured to sign and verify the data message sent by the terminal device based on the public key and private key, and implement authentication of the terminal device based on the signature verification result. It is also configured to:
发送方的终端设备对数据消息与标识指纹进行运算,生成第一消息摘要;通过终端设备的私钥对第一消息摘要进行加密,获取数字签名;将数字签名、数据消息和标识指纹发送至接收方;The sender's terminal device calculates the data message and the identification fingerprint to generate a first message digest; encrypts the first message digest with the private key of the terminal device to obtain a digital signature; sends the digital signature, data message and identification fingerprint to the recipient square;
接收方对数据消息和标识指纹进行运算,获取第二消息摘要;通过终端设备的公钥对数字签名进行解密,获取第一消息摘要;判断第一消息摘要和第二消息摘要是否一致,当判断结果为一致时,终端设备通过认证。The receiver calculates the data message and the identification fingerprint to obtain the second message digest; decrypts the digital signature through the public key of the terminal device to obtain the first message digest; determines whether the first message digest and the second message digest are consistent. When the results are consistent, the terminal device is authenticated.
在一些实施例中,终端设备认证系统还包括传输部分,配置为通过终端设备通过接收方的公钥对数据明文基于随机数进行SM4算法加密,将加密后的数据发送至接收方;In some embodiments, the terminal device authentication system also includes a transmission part configured to encrypt the data plaintext using the SM4 algorithm based on random numbers through the terminal device using the public key of the recipient, and send the encrypted data to the recipient;
接收方通过自身的私钥对接收到的加密的数据进行SM4算法解密,获 取数据明文。The recipient uses its own private key to decrypt the received encrypted data using the SM4 algorithm to obtain the plain text of the data.
需要说明的是,本申请实施例提供的基于标识公钥的终端设备认证系统600与本申请实施例提供的基于标识公钥的终端设备认证方法100相对应,在此不再进行赘述。It should be noted that the terminal device authentication system 600 based on the identity public key provided by the embodiment of the present application corresponds to the terminal device authentication method 100 based on the identity public key provided by the embodiment of the present application, and will not be described again here.
在一些实施例中,图7为根据本申请实施例提供的一种基于标识公钥的终端设备认证系统结构图二。系统包括:通信接口901、存储器902和处理器903;各个组件通过总线系统904耦合在一起。可理解,总线系统904用于实现这些组件之间的连接通信。总线系统904除包括数据总线之外,还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见,在图9中将各种总线都标为总线系统904。其中,通信接口901,用于在与其他外部网元之间进行收发信息过程中,信号的接收和发送;In some embodiments, FIG. 7 is a structural diagram 2 of a terminal device authentication system based on an identification public key provided according to an embodiment of the present application. The system includes: communication interface 901, memory 902 and processor 903; various components are coupled together through a bus system 904. It can be understood that the bus system 904 is used to implement connection communication between these components. In addition to the data bus, the bus system 904 also includes a power bus, a control bus and a status signal bus. However, for the sake of clarity, various buses are labeled as bus system 904 in FIG. 9 . Among them, the communication interface 901 is used for receiving and sending signals during the process of sending and receiving information with other external network elements;
存储器902,用于存储能够在处理器903上运行的可执行指令; Memory 902 for storing executable instructions that can be run on the processor 903;
处理器903,用于在运行所述可执行指令时,实现本申请实施例提供的任一种基于标识公钥的终端设备认证方法。The processor 903 is configured to implement any terminal device authentication method based on the identification public key provided by the embodiments of this application when running the executable instructions.
本申请实施例提供一种计算机可读存储介质,存储有可执行指令,用于引起处理器903执行时,实现本申请实施例提供的基于标识公钥的终端设备认证方法方法。Embodiments of the present application provide a computer-readable storage medium that stores executable instructions for causing the processor 903 to implement the terminal device authentication method based on the identification public key provided by the embodiments of the present application.
在本申请的一些实施例中,存储介质可以是FRAM、ROM、PROM、EPROM、EEPROM、闪存、磁表面存储器、光盘、或CD-ROM等存储器;也可以是包括上述存储器之一或任意组合的各种设备。In some embodiments of the present application, the storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disk, or CD-ROM; it may also include one or any combination of the above memories. Various equipment.
本领域内的技术人员应明白,本申请的实施例可提供为方法、系统、或计算机程序产品。因此,本申请可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。本申请实施例中的方案可以采用各种计算机语言实现,例如,面向对象的程序设计语言Java和直译式脚本语言JavaScript等。Those skilled in the art will understand that embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment that combines software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein. The solutions in the embodiments of this application can be implemented using various computer languages, such as the object-oriented programming language Java and the literal scripting language JavaScript.
本申请是参照根据本申请实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each process and/or block in the flowchart illustrations and/or block diagrams, and combinations of processes and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a use A device for realizing the functions specified in one process or multiple processes of the flowchart and/or one block or multiple blocks of the block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个 流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory that causes a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction means, the instructions The device implements the functions specified in a process or processes of the flowchart and/or a block or blocks of the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operating steps to be performed on the computer or other programmable device to produce computer-implemented processing, thereby executing on the computer or other programmable device. Instructions provide steps for implementing the functions specified in a process or processes of a flowchart diagram and/or a block or blocks of a block diagram.
尽管已描述了本申请的一些实施例,但本领域内的技术人员一旦得知了基本创造性概念,则可对这些实施例作出另外的变更和修改。所以,所附权利要求意欲解释为包括优选实施例以及落入本申请范围的所有变更和修改。Although some embodiments of the present application have been described, additional changes and modifications to these embodiments may be made by those skilled in the art once the basic inventive concepts are understood. Therefore, it is intended that the appended claims be construed to include the preferred embodiments and all changes and modifications that fall within the scope of this application.
显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的精神和范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present application without departing from the spirit and scope of the present application. In this way, if these modifications and variations of the present application fall within the scope of the claims of the present application and equivalent technologies, the present application is also intended to include these modifications and variations.
已经通过参考少量实施方式描述了本申请。然而,本领域技术人员所公知的,正如附带的专利权利要求所限定的,除了本申请以上公开的其他的实施例等同地落在本申请的范围内。The application has been described with reference to a small number of embodiments. However, it is known to those skilled in the art that other embodiments than those disclosed above are equally within the scope of the present application, as defined by the appended patent claims.
通常地,在权利要求中使用的所有术语都根据他们在技术领域的通常含义被解释,除非在其中被另外明确地定义。所有的参考“一个//该[装置、组件等]”都被开放地解释为装置、组件等中的至少一个实例,除非另外明确地说明。这里公开的任何方法的步骤都没必要以公开的准确的顺序运行,除非明确地说明。Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless otherwise expressly defined therein. All references to "a//the [means, component, etc.]" are to be construed liberally to mean at least one instance of the means, component, etc., unless expressly stated otherwise. The steps of any method disclosed herein are not necessarily performed in the exact order disclosed unless explicitly stated.
本申请实施例采用的标识公钥技术作为一种轻量化的密钥生成与管理方法,实现终端设备标识与公钥的绑定,降低了密钥体系的建设成本与运维成本,适用于分布式电源海量的密钥管理。为分布式电源终端设备身份认证及安全通信提供基础,实现分布式电源并网安全,对公司新型电力系统建设及分布式电源发展应用提供了安全保障。The identification public key technology used in the embodiment of this application serves as a lightweight key generation and management method to realize the binding of terminal device identification and public key, reducing the construction cost and operation and maintenance cost of the key system, and is suitable for distribution Massive key management for power supply. It provides a basis for identity authentication and secure communication of distributed power terminal equipment, realizes the safety of distributed power grid connection, and provides security guarantee for the company's new power system construction and the development and application of distributed power.
Claims (16)
- 一种基于标识公钥的终端设备认证方法,所述方法包括:A terminal device authentication method based on an identification public key, the method includes:确定终端设备的接入需求与类型,基于所述接入需求与类型确认所述终端设备的标识指纹;Determine the access requirements and type of the terminal device, and confirm the identification fingerprint of the terminal device based on the access requirements and type;基于所述标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥;Based on the identification fingerprint, generate the public key and private key of the terminal device through the identification key generation algorithm;基于所述公钥和所述私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证。Sign and verify the data message sent by the terminal device based on the public key and the private key, and implement authentication of the terminal device based on the signature verification result.
- 根据权利要求1所述的方法,其中,所述标识指纹包括:终端设备的唯一序列号、通用参数、产品检测序列号、内嵌模块运行状态。The method according to claim 1, wherein the identification fingerprint includes: the unique serial number of the terminal device, general parameters, product detection serial number, and embedded module operating status.
- 根据权利要求1所述的方法,其中,所述基于所述标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥,包括:The method according to claim 1, wherein generating the public key and private key of the terminal device through an identification key generation algorithm based on the identification fingerprint includes:所述终端设备生成随机数,基于所述随机数、所述标识指纹生成第一随机公钥和第一随机私钥;The terminal device generates a random number, and generates a first random public key and a first random private key based on the random number and the identification fingerprint;将所述第一随机公钥和所述标识指纹发送至设备密钥管理中心;Send the first random public key and the identification fingerprint to the device key management center;所述设备密钥管理中心对所述第一随机公钥和所述标识指纹进行运算,获取映射序列;The device key management center performs operations on the first random public key and the identification fingerprint to obtain a mapping sequence;基于所述映射序列与随机生成的第二随机公钥、第二随机私钥进行矩阵运算,生成终端设备的公钥和私钥;Perform matrix operations based on the mapping sequence and the randomly generated second random public key and second random private key to generate the public key and private key of the terminal device;设备密钥管理中心通过第一随机公钥对所述私钥进行加密,将加密后的私钥发送至所述终端设备;The device key management center encrypts the private key through the first random public key and sends the encrypted private key to the terminal device;所述终端设备通过第一随机私钥对所述加密的私钥进行解密,获取所述私钥;The terminal device decrypts the encrypted private key through the first random private key to obtain the private key;设备密钥管理中心将所述公钥进行公布。The device key management center publishes the public key.
- 根据权利要求3所述的方法,其中,所述终端设备生成随机数,基于所述随机数、所述标识指纹生成第一随机公钥和第一随机私钥,还包括:The method according to claim 3, wherein the terminal device generates a random number, generates a first random public key and a first random private key based on the random number and the identification fingerprint, further comprising:基于所述随机数、所述标识指纹通过SM9算法生成第一随机公钥和第一随机私钥。The first random public key and the first random private key are generated through the SM9 algorithm based on the random number and the identification fingerprint.
- 根据权利要求3所述的方法,其中,所述设备密钥管理中心对所述第一随机公钥和所述标识指纹进行运算,获取映射序列,还包括:The method according to claim 3, wherein the device key management center operates on the first random public key and the identification fingerprint to obtain a mapping sequence, further comprising:所述设备密钥管理中心对所述第一随机公钥和所述标识指纹进行哈希散列运算,获取32组映射序列。The device key management center performs a hash operation on the first random public key and the identification fingerprint to obtain 32 sets of mapping sequences.
- 根据权利要求1所述的方法,其中,所述基于所述公钥和所述私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证,包括:The method according to claim 1, wherein the data message sent by the terminal device is signed and verified based on the public key and the private key, and the authentication of the terminal device is implemented based on the signature verification result, including:发送方的所述终端设备对所述数据消息与所述标识指纹进行运算,生 成第一消息摘要;通过所述终端设备的私钥对所述第一消息摘要进行加密,获取数字签名;将所述数字签名、所述数据消息和所述标识指纹发送至接收方;The terminal device of the sender performs operations on the data message and the identification fingerprint to generate a first message digest; encrypts the first message digest using the private key of the terminal device to obtain a digital signature; The digital signature, the data message and the identification fingerprint are sent to the recipient;所述接收方对所述数据消息和所述标识指纹进行运算,获取第二消息摘要;通过所述终端设备的公钥对所述数字签名进行解密,获取第一消息摘要;判断所述第一消息摘要和所述第二消息摘要是否一致,当判断结果为一致时,所述终端设备通过认证。The receiver performs operations on the data message and the identification fingerprint to obtain a second message digest; decrypts the digital signature through the public key of the terminal device to obtain a first message digest; and determines the first message digest. Whether the message digest and the second message digest are consistent, when the judgment result is consistent, the terminal device passes the authentication.
- 根据权利要求1所述的方法,其中,在实现对终端设备的认证后,还包括:The method according to claim 1, wherein after realizing the authentication of the terminal device, it further includes:所述终端设备通过接收方的公钥对数据明文基于随机数进行SM4算法加密,将加密后的数据发送至接收方;The terminal device uses the recipient's public key to encrypt the data plaintext based on the SM4 algorithm based on random numbers, and sends the encrypted data to the recipient;所述接收方通过自身的私钥对接收到的加密的数据进行SM4算法解密,获取数据明文。The recipient uses its own private key to decrypt the received encrypted data using the SM4 algorithm to obtain the plain text of the data.
- 一种基于标识公钥的终端设备认证系统,所述系统包括:A terminal device authentication system based on identification public key, the system includes:确定部分,配置为确定终端设备的接入需求与类型,基于所述接入需求与类型确认所述终端设备的标识指纹;The determining part is configured to determine the access requirement and type of the terminal device, and confirm the identification fingerprint of the terminal device based on the access requirement and type;生成部分,用于基于所述标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥;The generation part is used to generate the public key and private key of the terminal device through the identification key generation algorithm based on the identification fingerprint;验证部分,配置为基于所述公钥和所述私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证。The verification part is configured to sign and verify the data message sent by the terminal device based on the public key and the private key, and implement authentication of the terminal device based on the signature verification result.
- 根据权利要求8所述的系统,其中,所述标识指纹包括:终端设备的唯一序列号、通用参数、产品检测序列号、内嵌模块运行状态。The system according to claim 8, wherein the identification fingerprint includes: the unique serial number of the terminal device, general parameters, product detection serial number, and embedded module operating status.
- 根据权利要求8所述的系统,其中,所述生成部分,配置为基于所述标识指纹,通过标识密钥生成算法,生成终端设备的公钥和私钥,还配置为:The system according to claim 8, wherein the generating part is configured to generate the public key and private key of the terminal device through an identification key generation algorithm based on the identification fingerprint, and is further configured to:所述终端设备生成随机数,基于所述随机数、所述标识指纹生成第一随机公钥和第一随机私钥;The terminal device generates a random number, and generates a first random public key and a first random private key based on the random number and the identification fingerprint;将所述第一随机公钥和所述标识指纹发送至设备密钥管理中心;Send the first random public key and the identification fingerprint to the device key management center;所述设备密钥管理中心对所述第一随机公钥和所述标识指纹进行运算,获取映射序列;The device key management center performs operations on the first random public key and the identification fingerprint to obtain a mapping sequence;基于所述映射序列与随机生成的第二随机公钥、第二随机私钥进行矩阵运算,生成终端设备的公钥和私钥;Perform matrix operations based on the mapping sequence and the randomly generated second random public key and second random private key to generate the public key and private key of the terminal device;设备密钥管理中心通过第一随机公钥对所述私钥进行加密,将加密后的私钥发送至所述终端设备;The device key management center encrypts the private key through the first random public key and sends the encrypted private key to the terminal device;所述终端设备通过第一随机私钥对所述加密的私钥进行解密,获取所述私钥;The terminal device decrypts the encrypted private key through the first random private key to obtain the private key;设备密钥管理中心将所述公钥进行公布。The device key management center publishes the public key.
- 根据权利要求10所述的系统,其中,所述生成部分,配置为通过 终端设备生成随机数,基于所述随机数、所述标识指纹生成第一随机公钥和第一随机私钥,还配置为:The system according to claim 10, wherein the generating part is configured to generate a random number through a terminal device, and generate a first random public key and a first random private key based on the random number and the identification fingerprint, and is further configured to for:基于所述随机数、所述标识指纹通过SM9算法生成第一随机公钥和第一随机私钥。The first random public key and the first random private key are generated through the SM9 algorithm based on the random number and the identification fingerprint.
- 根据权利要求10所述的系统,其中,所述生成部分,配置为设备密钥管理中心对所述第一随机公钥和所述标识指纹进行运算,获取映射序列,还配置为:The system according to claim 10, wherein the generating part is configured for the device key management center to operate the first random public key and the identification fingerprint to obtain the mapping sequence, and is further configured to:所述设备密钥管理中心对所述第一随机公钥和所述标识指纹进行哈希散列运算,获取32组映射序列。The device key management center performs a hash operation on the first random public key and the identification fingerprint to obtain 32 sets of mapping sequences.
- 根据权利要求8所述的系统,其中,所述验证部分,配置为基于所述公钥和私钥对终端设备发送的数据消息进行签名及验签,基于验签结果,实现对终端设备的认证,还配置为:The system according to claim 8, wherein the verification part is configured to sign and verify the data message sent by the terminal device based on the public key and the private key, and implement authentication of the terminal device based on the signature verification result. , also configured as:发送方的所述终端设备对所述数据消息与所述标识指纹进行运算,生成第一消息摘要;通过所述终端设备的私钥对所述第一消息摘要进行加密,获取数字签名;将所述数字签名、所述数据消息和所述标识指纹发送至接收方;The terminal device of the sender performs operations on the data message and the identification fingerprint to generate a first message digest; encrypts the first message digest using the private key of the terminal device to obtain a digital signature; The digital signature, the data message and the identification fingerprint are sent to the recipient;所述接收方对所述数据消息和所述标识指纹进行运算,获取第二消息摘要;通过所述终端设备的公钥对所述数字签名进行解密,获取第一消息摘要;判断所述第一消息摘要和所述第二消息摘要是否一致,当判断结果为一致时,所述终端设备通过认证。The receiver performs operations on the data message and the identification fingerprint to obtain a second message digest; decrypts the digital signature through the public key of the terminal device to obtain a first message digest; and determines the first message digest. Whether the message digest and the second message digest are consistent, when the judgment result is consistent, the terminal device passes the authentication.
- 根据权利要求8所述的系统,其中,还包括传输部分,配置为通过所述终端设备通过接收方的公钥对数据明文基于随机数进行SM4算法加密,将加密后的数据发送至接收方;The system according to claim 8, further comprising a transmission part configured to encrypt the data plaintext using the SM4 algorithm based on random numbers through the public key of the recipient through the terminal device, and send the encrypted data to the recipient;所述接收方通过自身的私钥对接收到的加密的数据进行SM4算法解密,获取数据明文。The recipient uses its own private key to decrypt the received encrypted data using the SM4 algorithm to obtain the plain text of the data.
- 一种基于标识公钥的终端设备认证系统,所述系统包括存储器和处理器;其中,A terminal device authentication system based on identification public key, the system includes a memory and a processor; wherein,所述存储器,用于存储可执行指令;The memory is used to store executable instructions;所述处理器,用于通过执行所述存储器中存储的可执行指令,实现如权利要求1至7任一项所述的方法。The processor is configured to implement the method according to any one of claims 1 to 7 by executing executable instructions stored in the memory.
- 一种计算机可读存储介质,存储有可执行指令,所述可执行指令引起处理器执行时实现如权利要求1至7任一项所述的方法。A computer-readable storage medium stores executable instructions that cause a processor to implement the method according to any one of claims 1 to 7 when executed.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210924400.6 | 2022-08-03 | ||
| CN202210924400.6A CN115001717B (en) | 2022-08-03 | 2022-08-03 | Terminal equipment authentication method and system based on identification public key |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2024027070A1 true WO2024027070A1 (en) | 2024-02-08 |
Family
ID=83022034
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2022/138445 WO2024027070A1 (en) | 2022-08-03 | 2022-12-12 | Terminal device authentication method and system based on identification public key, and computer-readable storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN115001717B (en) |
| WO (1) | WO2024027070A1 (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115001717B (en) * | 2022-08-03 | 2022-10-25 | 中国电力科学研究院有限公司 | Terminal equipment authentication method and system based on identification public key |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2018076365A1 (en) * | 2016-10-31 | 2018-05-03 | 美的智慧家居科技有限公司 | Key negotiation method and device |
| CN112311537A (en) * | 2020-10-30 | 2021-02-02 | 国网江苏省电力有限公司信息通信分公司 | Block chain-based equipment access authentication system and method |
| CN112887338A (en) * | 2021-03-18 | 2021-06-01 | 南瑞集团有限公司 | Identity authentication method and system based on IBC identification password |
| CN113704736A (en) * | 2021-07-22 | 2021-11-26 | 中国电力科学研究院有限公司 | Lightweight access authentication method and system for power Internet of things equipment based on IBC system |
| CN113872760A (en) * | 2021-11-03 | 2021-12-31 | 中电科鹏跃电子科技有限公司 | SM9 key infrastructure and security system |
| CN115001717A (en) * | 2022-08-03 | 2022-09-02 | 中国电力科学研究院有限公司 | Terminal equipment authentication method and system based on identification public key |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103490901B (en) * | 2013-09-30 | 2016-07-27 | 广东南方信息安全产业基地有限公司 | Key based on combination key system generates and distribution method |
| CN106161017A (en) * | 2015-03-20 | 2016-11-23 | 北京虎符科技有限公司 | ID authentication safety management system |
| JP6613909B2 (en) * | 2016-01-15 | 2019-12-04 | 富士通株式会社 | Mutual authentication method, authentication device, and authentication program |
-
2022
- 2022-08-03 CN CN202210924400.6A patent/CN115001717B/en active Active
- 2022-12-12 WO PCT/CN2022/138445 patent/WO2024027070A1/en unknown
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2018076365A1 (en) * | 2016-10-31 | 2018-05-03 | 美的智慧家居科技有限公司 | Key negotiation method and device |
| CN112311537A (en) * | 2020-10-30 | 2021-02-02 | 国网江苏省电力有限公司信息通信分公司 | Block chain-based equipment access authentication system and method |
| CN112887338A (en) * | 2021-03-18 | 2021-06-01 | 南瑞集团有限公司 | Identity authentication method and system based on IBC identification password |
| CN113704736A (en) * | 2021-07-22 | 2021-11-26 | 中国电力科学研究院有限公司 | Lightweight access authentication method and system for power Internet of things equipment based on IBC system |
| CN113872760A (en) * | 2021-11-03 | 2021-12-31 | 中电科鹏跃电子科技有限公司 | SM9 key infrastructure and security system |
| CN115001717A (en) * | 2022-08-03 | 2022-09-02 | 中国电力科学研究院有限公司 | Terminal equipment authentication method and system based on identification public key |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115001717B (en) | 2022-10-25 |
| CN115001717A (en) | 2022-09-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111083131B (en) | Lightweight identity authentication method for power Internet of things sensing terminal | |
| WO2021203733A1 (en) | Power edge gateway device and device-based sensor data uplink storage method | |
| CN102983965B (en) | Transformer station's quantum communications model, quantum key distribution center and model implementation method | |
| CN106789015B (en) | Intelligent power distribution network communication safety system | |
| CN112118106B (en) | Lightweight end-to-end secure communication authentication method based on identification password | |
| CN103618610A (en) | Information safety algorithm based on energy information gateway in smart power grid | |
| CN103095696A (en) | Identity authentication and key agreement method suitable for electricity consumption information collection system | |
| CN111447067A (en) | Encryption authentication method for power sensing equipment | |
| CN113079215B (en) | Block chain-based wireless security access method for power distribution Internet of things | |
| CN111988328A (en) | Safety guarantee method and system for acquiring terminal data of power generation unit of new energy plant station | |
| WO2024027070A1 (en) | Terminal device authentication method and system based on identification public key, and computer-readable storage medium | |
| CN103501293A (en) | Authentication method of terminal credible access in smart power grid | |
| Sinha et al. | Blockchain-based communication and data security framework for IoT-enabled micro solar inverters | |
| CN115549932A (en) | Safety access system and access method for massive heterogeneous Internet of things terminals | |
| CN112804356A (en) | Block chain-based networking equipment supervision authentication method and system | |
| Ao et al. | A secure identity authentication scheme based on blockchain and identity-based cryptography | |
| Zhang et al. | Identity authentication based on domestic commercial cryptography with blockchain in the heterogeneous alliance network | |
| CN112311553B (en) | Equipment authentication method based on challenge response | |
| CN111490874B (en) | Distribution network safety protection method, system, device and storage medium | |
| Siddiqui et al. | Hardware assisted security architecture for smart grid | |
| CN105656623A (en) | Device for enhancing security of intelligent substation IED | |
| Zhang et al. | Design and Implementation of IEC61850 Communication Security Protection Scheme for Smart Substation based on Bilinear Function | |
| Wang et al. | Analysis and Design of Identity Authentication for IoT Devices in the Blockchain Using Hashing and Digital Signature Algorithms | |
| Zhou et al. | Dynamic encryption of power internet of things data based on national secret algorithm | |
| Seo et al. | The green defenders |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22953858 Country of ref document: EP Kind code of ref document: A1 |