CN103716163B - SV message encryption and decryption method meeting IEC61850-9-2 (LE) standard - Google Patents

Publication number: CN103716163B
Application number: CN201310681442.2A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN103716163A (en)
Inventors: 王智东, 王钢, 黎永昌, 陈俊威, 林跃欢, 马新华
Current assignee: South China University of Technology SCUT
Original assignee: South China University of Technology SCUT
Priority: CN201310681442.2A
Prior art keywords: message, ciphertext, ASDU, critical data, encrypted
Landscapes: Small-Scale Networks; Data Exchanges In Wide-Area Networks
Abstract

The invention discloses an SV message encryption and decryption method meeting the IEC61850-9-2 (LE) standard. The method comprises the following steps: extracting the key data that reflects the actual sampled values in each ASDU of an SV message and combining the key data into a to-be-encrypted data block in ASDU order; encrypting the to-be-encrypted data block with the TEA algorithm to obtain ciphertext of equal length; cutting the ciphertext and overwriting the key data positions in ASDU order to obtain an encrypted SV message; extracting the ciphertext segment at the key data position of each ASDU of the encrypted SV message and combining the segments into a ciphertext block in ASDU order; decrypting the ciphertext block with the TEA algorithm to obtain a key data block of equal length; and cutting the key data block and overwriting the ciphertext segment positions in ASDU order to obtain a decrypted SV message. The integrity, confidentiality and real-time performance of the SV message can be effectively guaranteed.

Description

SV message encryption and decryption method meeting the IEC61850-9-2 (LE) standard
Technical field
The present invention relates to the field of information security for power communication, and in particular to an SV message encryption and decryption method meeting the IEC61850-9-2 (LE) standard.
Background
In a power communication network, sampled value messages (SV messages) meeting the IEC61850-9-2 (LE) standard carry real-time electrical quantity information that is extremely important for the protection, measurement and control of the power system. These messages are transmitted frequently and in large volume; when the power system is operating normally they occupy most of the bandwidth of the power communication network, and their security, accuracy and real-time behaviour largely determine the reliability of power system operation.
Moreover, as smart grids, represented by digital substations, are applied more and more widely, SV messages may be transmitted across regions and across grids, which makes them more exposed to intrusion events such as eavesdropping, attack and tampering, so their importance to power system information security becomes more prominent.
However, the prior art lacks an effective method for encrypting SV messages, whose real-time requirements are very high. Encryption and decryption are therefore urgently needed to strengthen the confidentiality of SV messages; but encrypting and decrypting a message is usually time-consuming, and SV messages have hard real-time requirements. According to the IEC61850 standard, the communication delay of an SV signal should be less than 4 ms. The key problem is therefore how to achieve the integrity and confidentiality of SV messages while still meeting their real-time performance.
Summary of the invention
The object of the present invention is to overcome the deficiencies of the prior art and to provide an SV message encryption and decryption method meeting the IEC61850-9-2 (LE) standard that offers a high degree of confidentiality, low encryption and decryption time, and strong adaptability to hardware.
To achieve this object, the technical solution adopted by the present invention is an SV message encryption and decryption method meeting the IEC61850-9-2 (LE) standard, comprising the following steps:
S1, encryption
S11, check whether a CRC32 check code is present in the FCR block of the SV message; if not, perform the CRC32 computation on the SV message and place the resulting CRC32 check code in the FCR block of the SV message;
S12, extract from each ASDU (application service data unit) in the SV message the critical data reflecting the actual sampled values, and combine it in ASDU order into a to-be-encrypted data block;
S13, encrypt the to-be-encrypted data block with the TEA algorithm to obtain ciphertext of equal length;
S14, cut the ciphertext and overwrite the critical data positions in ASDU order to obtain the encrypted SV message;
S2, decryption
S21, extract each ciphertext segment at the critical data positions of each ASDU in the encrypted SV message, and combine the segments in ASDU order into a ciphertext block;
S22, decrypt the ciphertext block with the TEA algorithm to obtain a critical data block of equal length;
S23, cut the critical data block and overwrite the ciphertext segment positions in ASDU order to obtain the decrypted SV message;
S24, perform the CRC32 check on the decrypted SV message; if the check passes, keep the SV message and decryption is complete; otherwise, discard the SV message.
More specifically, the CRC32 check is a cyclic redundancy check (CRC), used to detect or verify errors that may occur after the SV message is encrypted or decrypted, transmitted or stored, ensuring the integrity of the message.
More specifically, the critical data of the SV message is the actual sample value (actualvalues) in the DataSet (analog sampled values) of each ASDU.
For a given encryption algorithm and key length, the core of reducing the time spent encrypting and decrypting an SV message is reducing the length of message that has to be encrypted. By analysing the information in each field of the SV message and extracting its key information, a balance is struck between real-time performance and confidentiality. According to the IEC61850 standard, the SV message uses the ISO/IEC802.3 protocol at the data link layer and consists of the MAC address field, the TPID (tag protocol identifier) field, the TCI (tag control information) field, the EtherType (Ethernet message type) field, the APPID (application identifier) field, the Length field, the Reserved1 field, the Reserved2 field and the APDU (application protocol data unit, i.e. the message content) field. The frame structure of the SV message is shown in Table 1. The contents of the MAC address, TPID, TCI, EtherType, APPID, Length, Reserved1 and Reserved2 fields mainly describe communication information and communication-related basics such as the message length; they do not contain the substantive content carried by the SV message, such as the analog sampled values, so these fields are left unchanged and are not encrypted.
Table 1: Frame structure of the SV message
The substantive power system content, such as the analog sampled values, is concentrated in the APDU field. The APDU field consists of noASDU (the number of ASDUs) and Sequence of ASDU (the ASDU data sequence). Sequence of ASDU is a sequence formed by multiple ASDUs in order. The frame structure of the APDU of the SV message is shown in Table 2.
Table 2: Frame structure of the APDU of the SV message
Each ASDU (application service data unit) consists of fields such as svID, smpCnt (sample counter), confRev (configuration revision number), smpSynch (synchronisation flag) and DataSet (sampled values); its frame structure is shown in Table 3.
Table 3: ASDU structure of the SV message
The ASDU carries the substantive analog sampled value content of the SV message, and its confidentiality directly determines the overall confidentiality of the SV message. The svID, smpCnt, confRev and smpSynch contents of the ASDU do not involve analog sampled value data and need not be encrypted, so only the DataSet data, which actually stores the analog sampled values, is encrypted. Within the DataSet, whose frame structure is shown in Table 4, each DataSet can contain up to 8 channels of analog sampled values. Each channel consists of a 4-byte actual sample value (actualvalues) and a 4-byte quality descriptor (q). Because q only marks the quality of the sampled value, it need not take part in encryption, so the actual sample value (actualvalues) is the critical data that really needs to be encrypted.
Table 4: DataSet structure
More specifically, step S12 is: first extract the critical data of the first analog quantity in the DataSet of ASDU1, then the critical data of the second analog quantity in the DataSet of ASDU1; once the critical data of ASDU1 has been extracted, go on to extract the critical data of ASDU2, and so on in this order up to ASDUn, finally obtaining a to-be-encrypted data block of length 256*n bits.
More specifically, the TEA algorithm is the Tiny Encryption Algorithm (TEA). It is easy to describe and execute, and can meet the real-time requirement of SV messages while ensuring their security. It uses a 128-bit key to encrypt 64 bits of data into 64 bits of ciphertext, and the total critical data length of an SV message is an integer multiple of 64 bits, so encrypting the to-be-encrypted data block with TEA yields ciphertext of the same length as the data block, and the critical data needs no padding.
More specifically, step S14 is: cut the ciphertext into 32-bit units and overwrite the critical data positions with the resulting ciphertext segments in ASDU order to obtain the encrypted SV message.
More specifically, step S21 is: first extract the ciphertext at the critical data position of the first analog quantity in the DataSet of ASDU1, then the ciphertext at the critical data position of the second analog quantity in the DataSet of ASDU1; once the ciphertext at the critical data positions of ASDU1 has been extracted, go on to extract the ciphertext at the critical data positions of ASDU2, and so on in this order up to ASDUn, finally obtaining a ciphertext block of length 256*n bits.
More specifically, step S23 is: cut the critical data block into 32-bit units and overwrite the ciphertext segment positions with the resulting critical data segments in ASDU order to obtain the decrypted SV message.
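Steps S11 to S14 and S21 to S24 as described above, written out as an added example that is not part of the patent text. Assumptions: the message layout is constructed and simplified (34 header bytes, 12 filler bytes per ASDU, one 64-byte DataSet of 8 channels), the DataSet offsets are taken as already parsed, a 4-byte trailer stands in for the FCR block, each 64-bit block is encrypted independently because the page names no chaining mode, and the key and all function names are hypothetical.

```python
import struct
import zlib

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF
KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)  # constructed 128-bit key


def tea_encrypt_block(v0, v1, k):
    """Standard 32-round TEA on one 64-bit block held as two 32-bit words."""
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block: the same rounds run backwards."""
    s = (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def value_offsets(dataset_offsets):
    """S12/S21 ordering: offset of every 4-byte actual value, ASDU by ASDU and
    channel by channel. Each 8-byte channel entry is value, then quality q."""
    return [base + 8 * ch for base in dataset_offsets for ch in range(8)]


def _transform(body, dataset_offsets, key, block_fn):
    offs = value_offsets(dataset_offsets)
    words = [struct.unpack_from(">I", body, o)[0] for o in offs]  # gather block
    out = bytearray(body)
    for i in range(0, len(words), 2):            # one 64-bit TEA block at a time
        pair = block_fn(words[i], words[i + 1], key)
        for j in (0, 1):                         # S14/S23: write back 32-bit pieces
            struct.pack_into(">I", out, offs[i + j], pair[j])
    return bytes(out)


def encrypt_sv(body, dataset_offsets, key=KEY):
    """S11-S14: CRC32 over the plaintext message, then encrypt values in place."""
    trailer = struct.pack(">I", zlib.crc32(body))
    return _transform(body, dataset_offsets, key, tea_encrypt_block) + trailer


def decrypt_sv(frame, dataset_offsets, key=KEY):
    """S21-S24: decrypt values in place; return None (discard) on CRC32 failure."""
    body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    plain = _transform(body, dataset_offsets, key, tea_decrypt_block)
    return plain if zlib.crc32(plain) == crc else None


def build_sample(n_asdu=2):
    """Constructed, simplified message; returns (body, DataSet offsets)."""
    body, offsets = bytearray(b"\x01" * 34), []
    for a in range(n_asdu):
        body += b"\xA5" * 12          # stand-in for svID, smpCnt, confRev, smpSynch
        offsets.append(len(body))
        for ch in range(8):           # 8 channels: signed value + quality q
            body += struct.pack(">iI", 1000 * (a + 1) + ch, 0)
    return bytes(body), offsets


if __name__ == "__main__":
    body, offs = build_sample()
    frame = encrypt_sv(body, offs)
    print("encrypted bits:", 32 * len(value_offsets(offs)))
    print("round trip ok:", decrypt_sv(frame, offs) == body)
    tampered = bytearray(frame)
    tampered[offs[0]] ^= 0x01                    # corrupt one ciphertext byte
    print("tampered frame kept:", decrypt_sv(bytes(tampered), offs) is not None)
```

The CRC32 in this example is unkeyed, so it catches corruption and wrong-key decryption. Because blocks are encrypted independently here, equal pairs of sample values produce equal ciphertext blocks.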
Compared with the prior art, the beneficial effects of the present invention are:
(1) The present invention applies the efficient TEA encryption algorithm to the critical data of the SV message that reflects the actual electrical quantity sampled values. This ensures the security of the critical data while avoiding the time cost of applying the encryption algorithm to the full text, which would make it hard to meet the requirements of a real-time power information system. This can be illustrated with the following example: assume the SV message contains 8 valid ASDUs (at most 8 valid ASDUs may be present); the length of the full original message (not including the FCR block) is then 34+751=785 bytes, of which the critical data is 8*8*4=256 bytes, or 32.6% of the full text, so the amount of data encrypted and decrypted by the present invention is 67.4% less than with full-text encryption and decryption. When the SV message contains fewer valid ASDUs, the advantage of the present invention is more pronounced: if the SV message contains only 1 valid ASDU, the length of the full original message (not including the FCR block) is 34+124=158 bytes, of which the critical data is 8*4=32 bytes, or 20.25% of the full text, so the encryption and decryption workload of this algorithm is 79.75% less than with full-text encryption and decryption.
(2) The present invention retains the CRC32 check over the full original message (the check code is placed in the FCR block), which greatly ensures the integrity of the message.
Brief description of the drawings
Fig. 1 is a flow chart of the SV message encryption method of the present invention meeting the IEC61850-9-2 (LE) standard.
Fig. 2 is a flow chart of the SV message decryption method of the present invention meeting the IEC61850-9-2 (LE) standard.
Detailed description
The present invention is further described below with reference to the drawings and the embodiment, but the scope of protection claimed is not limited to what the embodiment states. Other changes and modifications made by those skilled in the art without departing from the spirit and scope of the present invention fall within the scope protected by the claims.
Embodiment
In this embodiment, an SV message encryption and decryption method meeting the IEC61850-9-2 (LE) standard comprises the following.
As shown in Fig. 1, the SV message encryption method has the following specific steps:
S1, encryption
S11, check whether a CRC32 check code is present in the FCR block of the SV message; if not, perform the CRC32 computation on the SV message and place the resulting CRC32 check code in the FCR block of the SV message;
S12, first extract the actualvalues data of the first analog quantity in the DataSet of ASDU1, then the actualvalues data of the second analog quantity in the DataSet of ASDU1; once the critical data of ASDU1 has been extracted, go on to extract the actualvalues data of ASDU2, and so on in this order up to ASDUn, finally obtaining a to-be-encrypted data block of length 256*n bits;
S13, encrypt the to-be-encrypted data block with the TEA algorithm to obtain ciphertext of equal length;
S14, cut the ciphertext and overwrite the critical data positions in ASDU order to obtain the encrypted SV message.
As shown in Fig. 2, the SV message decryption method has the following specific steps:
S2, decryption
S21, first extract the data at the actualvalues position of the first analog quantity in the DataSet of ASDU1, then the data at the actualvalues position of the second analog quantity in the DataSet of ASDU1; once the critical data of ASDU1 has been extracted, go on to extract the data at the actualvalues positions of ASDU2, and so on in this order up to ASDUn, finally obtaining a ciphertext block of length 256*n bits;
S22, decrypt the ciphertext block with the TEA algorithm to obtain a critical data block of equal length;
S23, cut the critical data block and overwrite the ciphertext segment positions in ASDU order to obtain the decrypted SV message;
S24, perform the CRC32 check on the decrypted SV message; if the check passes, keep the SV message and decryption is complete; otherwise, discard the SV message.
Working principle of this embodiment:
The critical data of the SV message that reflects the actual electrical quantity sampled values is extracted and encrypted or decrypted; encryption uses the TEA algorithm, and the SV message is checked using CRC32.
The above embodiment is a preferred embodiment of the present invention, but the embodiments of the present invention are not limited by it. Any other change, modification, replacement, combination or simplification made without departing from the spirit and principle of the present invention is an equivalent substitution and is included within the scope of protection of the present invention.

Claims (5)

1. An SV message encryption and decryption method meeting the IEC61850-9-2 (LE) standard, characterized by comprising the following steps:
S1, encryption
S11, check whether a CRC32 check code is present in the FCR block of the SV message; if not, perform the CRC32 computation on the SV message and place the resulting CRC32 check code in the FCR block of the SV message;
S12, extract from each ASDU in the SV message the critical data reflecting the actual sampled values, and combine it in ASDU order into a to-be-encrypted data block;
S13, encrypt the to-be-encrypted data block with the TEA algorithm to obtain ciphertext of equal length;
S14, cut the ciphertext and overwrite the critical data positions in ASDU order to obtain the encrypted SV message, specifically: cut the ciphertext into 32-bit units and overwrite the critical data positions with the resulting ciphertext segments in ASDU order to obtain the encrypted SV message;
S2, decryption
S21, extract each ciphertext segment at the critical data positions of each ASDU in the encrypted SV message, and combine the segments in ASDU order into a ciphertext block;
S22, decrypt the ciphertext block with the TEA algorithm to obtain a critical data block of equal length;
S23, cut the critical data block and overwrite the ciphertext segment positions in ASDU order to obtain the decrypted SV message, specifically: cut the critical data block into 32-bit units and overwrite the ciphertext segment positions with the resulting critical data segments in ASDU order to obtain the decrypted SV message;
S24, perform the CRC32 check on the decrypted SV message; if the check passes, keep the SV message and decryption is complete; otherwise, discard the SV message.
2. The SV message encryption and decryption method meeting the IEC61850-9-2 (LE) standard according to claim 1, characterized in that: the CRC32 check is a cyclic redundancy check, used to detect or verify errors that may occur after the SV message is encrypted or decrypted, transmitted or stored, ensuring the integrity of the message.
3. The SV message encryption and decryption method meeting the IEC61850-9-2 (LE) standard according to claim 1, characterized in that: the critical data of the SV message is the actual sample value in the DataSet of each ASDU.
4. The SV message encryption and decryption method meeting the IEC61850-9-2 (LE) standard according to claim 1, characterized in that step S12 is: first extract the critical data of the first analog quantity in the DataSet of ASDU1, then the critical data of the second analog quantity in the DataSet of ASDU1; once the critical data of ASDU1 has been extracted, go on to extract the critical data of ASDU2, and so on in this order up to ASDUn, finally obtaining a to-be-encrypted data block of length 256*n bits.
5. The SV message encryption and decryption method meeting the IEC61850-9-2 (LE) standard according to claim 1, characterized in that step S21 is: first extract the ciphertext at the critical data position of the first analog quantity in the DataSet of ASDU1, then the ciphertext at the critical data position of the second analog quantity in the DataSet of ASDU1; once the ciphertext at the critical data positions of ASDU1 has been extracted, go on to extract the ciphertext at the critical data positions of ASDU2, and so on in this order up to ASDUn, finally obtaining a ciphertext block of length 256*n bits.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201310681442.2A | 2013-12-12 | 2013-12-12 | SV message encryption and decryption method meeting IEC61850-9-2 (LE) standard

Publications (2)

Publication Number | Publication Date
CN103716163A | 2014-04-09
CN103716163B | 2017-01-25

Family

ID=50408775

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201310681442.2A (Active, CN103716163B) | SV message encryption and decryption method meeting IEC61850-9-2 (LE) standard | 2013-12-12 | 2013-12-12

Country Status (1)

Country | Link
CN (1) | CN103716163B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant