CN105610837A - Method and system for identity authentication between master station and slave station in SCADA (Supervisory Control and Data Acquisition) system - Google Patents


Info

Publication number: CN105610837A
Authority: CN (China)
Prior art keywords: master station, slave station, symmetric, station, authentication
Legal status: Granted (Active)
Application number: CN201511026877.9A
Other languages: Chinese (zh)
Other versions: CN105610837B
Inventors: 陈秀真, 陆越, 金波, 陈长松
Current assignee: Shanghai Jiaotong University; Third Research Institute of the Ministry of Public Security
Original assignee: Shanghai Jiaotong University; Third Research Institute of the Ministry of Public Security
Application filed by Shanghai Jiaotong University and Third Research Institute of the Ministry of Public Security
Priority to CN201511026877.9A
Publication of CN105610837A
Application granted
Publication of CN105610837B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption

Abstract

The invention provides a method and system for identity authentication between a master station and a slave station in a SCADA system. The method comprises the following steps: the master station A creates a service and generates the symmetric polynomial coefficients a_ij; the slave station B establishes a connection with the master station A according to the IP address of A's server; after the connection is established, the slave station B and the master station A share the symmetric polynomial parameters; both the master station and the slave station take data frames of the communication protocol as their own identity identifiers ID_A and ID_B; the master station and the slave station exchange identity identifiers; the identity identifiers are substituted into the symmetric polynomial; if f(ID_A, ID_B) equals f(ID_B, ID_A), the slave station B and the master station A have authenticated each other; and a symmetric encryption key K_AB is obtained by calculation and expansion. In the method and system of the invention the shared key is generated by the symmetric polynomial and used as the symmetric encryption key, and a symmetric encryption algorithm is used in message exchange, which reduces computational complexity.

Description

Method and system for identity authentication between the master station and slave station of a SCADA system
Technical field
The present invention relates to identity authentication between the master station and slave station of a SCADA system, in particular to a mutual authentication technique based on a symmetric-polynomial encryption mechanism, and specifically to securing master-slave communication in SCADA systems.
Background technology
With the development of information technology the level of industrial modernisation rises daily, and industrial control systems (Industrial Control System, ICS) are widely used in industries closely bound up with the national economy, such as metallurgy, water and electricity supply, oil and gas transport, aerospace and road traffic, where they play an irreplaceable role in social production and in protecting infrastructure. A typical SCADA (Supervisory Control and Data Acquisition) system is used mainly for remote monitoring and data acquisition; it integrates computer, control, communication and network technologies, monitors and analyses the data collected from remote, dispersed measurement and control points, and provides technical and data support for scheduling, management and fault diagnosis of the whole production process. Over Ethernet the whole control system can easily be interconnected with RTUs. The performance, reliability and flexibility of industrial control systems currently receive great attention, but their information security problems have not received enough.
The deep integration of industrialisation and informatisation has made standard control protocols ever more widely used, and the openness of industrial control systems has grown accordingly: general-purpose protocols, hardware and software, operating systems and so on are in wide use, which directly leads to frequent attacks on industrial control systems, and a series of network security problems has gradually come to light. Stuxnet, for example, exploited vulnerabilities in the Microsoft Windows operating system and the Siemens WinCC system to damage the target system directly; the attacker gained complete control of remotely infected hosts and turned them into zombie machines. Stuxnet launched malicious attacks on public institutions and control systems, exposing communication facilities of all kinds and civil and industrial infrastructure to attack; Iran's Bushehr nuclear power station did not escape either: the control logic of its uranium centrifuges was maliciously modified, abnormal motor speeds resulted, and serious losses were caused. Since Stuxnet, attacks on industrial control systems around the world have occurred again and again and grown in intensity, causing serious damage and losses; the Flame malware, twenty times more powerful than Stuxnet, wreaked havoc in the Middle East. This succession of attacks on industrial control systems has had serious consequences; these network security problems pose a stern challenge to industrial control systems and have pushed concern about industrial network security to a new peak.
In fact, many industrial control networks are lax in system management: insiders may connect infected mobile devices, or outsiders may intercept traffic by illegal means, leading to information leakage and tampering and giving wrongdoers an opening. The information security mechanisms of SCADA systems are imperfect; the authentication link in particular has many vulnerabilities and is easily exposed to an attacker. An attacker can communicate with the master station under a forged administrator identity and gain illegal access to the industrial control network. An attacker can also intrude into the communication network between master and slave stations, steal communication content, disrupt normal master-slave communication, interrupt infrastructure and industrial services in the SCADA system, and cause serious damage. Identity authentication is therefore very important for secure access control of a SCADA system: it performs the "gatekeeping" function of the whole security system and is the first gate of the whole information security system. It checks the identities of PLC control device nodes and of administrator users and ensures that a user's physical and digital identities agree. This link protects system resources effectively, prevents user identities from being impersonated, and refuses unauthorised access requests to sensitive data. If the authentication link is compromised, the other protection schemes in the system will be hard to realise. Because the control link occupies such a vital position, industrial systems require every access object to be securely authenticated, including user access and access by control devices such as PLCs, and SCADA systems have strict requirements for authentication of master-slave communication.
However, the security requirements of industrial control systems differ from those of the traditional Internet: they attach more importance to system availability, real-time behaviour and business continuity. In an emergency an industrial control system needs its emergency handling procedures to respond quickly, so as to reduce the losses caused by a long reaction time. Existing mature and robust cryptographic mechanisms therefore cannot be applied directly to authentication of SCADA device nodes; a lightweight identity authentication mechanism must be designed to guarantee the speed of the control system's emergency response. The present invention adopts a lightweight encryption mechanism suited to SCADA systems, secures master-slave communication, realises mutual authentication between master and slave stations, and thereby achieves secure access control of the system.
A literature search finds the following existing approaches to master-slave authentication and communication security in SCADA systems:
(1) Symmetric encryption algorithms
During communication the master and slave stations exchange information over a communication line, and an intruder can obtain the master-slave communication data by tapping the line and so attack the industrial control system; encryption and decryption modules are therefore needed at the entry and exit points of the slave station and master station. Because a SCADA system has high requirements on both the efficiency and the security of data transmission, choosing a lightweight encryption mechanism allows fast recovery after a system interruption and reduces system losses. Comparing the encryption and decryption times of symmetric and asymmetric encryption algorithms, symmetric algorithms have lower complexity, shorter encryption and decryption times and produce fewer keys. Symmetric encryption algorithms are therefore applied to secure master-slave communication, to ensure fast recovery after interruption and reduce system losses. Common symmetric encryption algorithms include AES, DES and IDEA. Symmetric encryption has advantages in the number of key nodes and in response-time cost and meets the system's need for a lightweight encryption mechanism, but in symmetric encryption a single key serves for both encryption and decryption, and the security of that key is hard to guarantee.
(2) Key update mechanism
A new key management scheme introduces key updating to reduce the risk of key exposure. The master station, as both the initiator of communication and the generator of session keys, can strengthen key security by adding a session-key update stage and a master-key update stage to the key generation process. The master and slave stations share a master key. In the session-key update stage the master station generates a random session key, encrypts it with the master key and sends the encrypted session key to the corresponding slave station; the slave station receives it, decrypts it with the master key and returns a confirmation to the master station. In the master-key update stage the master and slave stations each receive the encrypted new master key, decrypt it with the session key, update the master key and use the updated master key to send a new session key. Introducing Diffie-Hellman elliptic-curve key agreement in the master-key update stage further reduces the possibility of key exposure. The key update mechanism strengthens key security, but it does not authenticate master and slave stations to one another, so an attacker can steal the shared key by usurping a communicating party's identity.
(3) Combination with hardware devices
Hardware devices protect key distribution during communication without modifying the SCADA nodes, being integrated directly with the existing equipment. This method introduces authentication into the SCADA master-slave communication link and guards against an attacker altering messages or impersonating a communicating party. It is simple to operate, the key storage device can be integrated directly into SCADA equipment, and compatibility and portability are excellent, but upgrading hardware increases deployment cost.
The above research shows that SCADA systems mainly use symmetric encryption algorithms for encrypted transmission and decryption verification of data, but the security of the session key needs strengthening, the identity authentication mechanism between the two communicating parties is unsatisfactory, and existing security mechanisms cannot effectively stop illegal access by users and devices.
Summary of the invention
In view of the defects of the prior art, the object of the present invention is to provide a method and system for identity authentication between the master station and slave station of a SCADA system that meets the system's need for a lightweight encryption mechanism while also taking account of key security and effectively realising mutual authentication between master and slave stations.
To solve the above technical problem, the present invention provides a method for identity authentication between the master station and slave station of a SCADA system, comprising the following steps:
Step A: the master station A creates a service and generates the symmetric polynomial coefficients a_ij; the slave station B connects to the master station A using the IP address of A's server; once the connection is established, the slave station B and the master station A share the parameters of the bivariate symmetric polynomial, so that both A and B hold the complete bivariate symmetric polynomial expression;
Step B: after the connection is established, a communication protocol is chosen at the application layer, and the master station A and the slave station B each take a data frame of that protocol as their own identity identifier, ID_A and ID_B respectively;
Step C: after the connection is established, the master station A and the slave station B exchange identity identifiers; A and B each substitute both identifiers into the bivariate symmetric polynomial and compute the results f(ID_A, ID_B) and f(ID_B, ID_A);
Step D: the master station A and the slave station B exchange their bivariate symmetric polynomial results; if f(ID_A, ID_B) = f(ID_B, ID_A), A and B have authenticated each other, K_AB = f(ID_A, ID_B) = f(ID_B, ID_A) is computed, and the method proceeds to step E; otherwise it returns to step B;
Step E: the encryption key K_AB is expanded by computation so that it meets the key length requirement of the encryption algorithm, and that encryption algorithm is used to encrypt the data transmitted between the master and slave stations.
Preferably, the bivariate symmetric polynomial in step C is a bivariate symmetric polynomial of degree t satisfying
f(x, y) = \sum_{i,j=0}^{t} a_{ij} x^{i} y^{j}
where the bivariate symmetric polynomial of degree t is defined over the finite field GF(q), q is a prime greater than 10^k, k is the key length, the coefficients satisfy a_{ij} = a_{ji} for all i, j, a_{ij} are the symmetric polynomial coefficients, and x, y are the two variables.
Preferably, the coefficients a_ij of the bivariate symmetric polynomial of degree t are generated at random by the master station A during connection establishment.
Preferably, in step B the communication protocol is the Modbus TCP protocol.
Preferably, in step E the encryption algorithm is the AES symmetric encryption algorithm.
A system is also provided which adopts the above method for identity authentication between the master station A and the slave station B of a SCADA system.
Compared with the prior art, the beneficial effects of the present invention are as follows:
1. The invention uses a symmetric polynomial to generate the shared key and takes it as the symmetric encryption key; a symmetric encryption algorithm is used during message exchange, which reduces computational complexity, and fewer keys are produced in the whole process than with asymmetric schemes. This meets the need for a lightweight cipher mechanism in communication between the master station A and the slave station B of a SCADA system, so the system can still react quickly in an emergency.
2. While attending to fast system response, the invention also takes account of key security. Because a traditional symmetric encryption algorithm uses the same key for encryption and decryption, its security depends not only on the complexity of the encryption algorithm itself; the security of key management is especially prominent.
1) Stronger session-key confidentiality
In the symmetric-polynomial encryption process the session key used in the key agreement stage is established by the symmetric polynomial and incorporates the identity information of the master station A and the slave station B, which effectively prevents key theft. Reconstructing a bivariate polynomial of degree t requires t+1 values, so an attacker must capture the node key values of at least t+1 members to reconstruct the polynomial; an attacker who holds fewer than t+1 node key values cannot compute the symmetric polynomial, which guarantees the security of the session key. Moreover, the shared key computed by a pair of nodes is independent and cannot be obtained by other nodes, giving good confidentiality and independence.
2) Mutual identity authentication of master and slave stations
The master station A and the slave station B use their own identity identifiers ID_A and ID_B to construct the univariate polynomials f(ID_A, y) and f(ID_B, y). By establishing a session, A and B compute respectively K_AB = f(ID_A, y)|_{y=ID_B} and K_BA = f(ID_B, y)|_{y=ID_A}. The master and slave stations exchange their symmetric polynomial results and compare whether K_AB and K_BA are identical, completing mutual authentication and establishment of the secure session key. Exchanging the symmetric polynomial values authenticates the master and slave stations to each other, effectively prevents impersonation by illegitimate nodes, guarantees the integrity and availability of transmitted messages, effectively prevents messages from being tampered with or illegally obtained, and well satisfies the requirements on a SCADA system's encryption mechanism.
Brief description of the drawings
Other features, objects and advantages of the present invention will become more apparent from the detailed description of non-limiting embodiments made with reference to the following drawings:
Fig. 1 is a schematic diagram of the overall framework of the master-slave identity authentication system of the method for identity authentication between the master station and slave station of a SCADA system according to the present invention;
Fig. 2 is a schematic diagram of the master-slave communication process of the method for identity authentication between the master station and slave station of a SCADA system according to the present invention;
Fig. 3 is a schematic diagram of the Modbus TCP data frame of the method for identity authentication between the master station and slave station of a SCADA system according to the present invention;
Fig. 4 is a schematic diagram of the master-slave symmetric polynomial of the method for identity authentication between the master station and slave station of a SCADA system according to the present invention.
Detailed description of the invention
The present invention is described in detail below in conjunction with specific embodiments. The following embodiments will help those skilled in the art to understand the invention further but do not limit it in any way. It should be pointed out that those of ordinary skill in the art can make a number of changes and improvements without departing from the concept of the invention, all of which fall within its scope of protection.
Because a SCADA system must process large amounts of data in a short time, a lightweight encryption mechanism lets the system recover quickly after an interruption and reduces system losses. Symmetric encryption has advantages in the number of key nodes and in response-time cost and meets the system's need for a lightweight encryption mechanism. But because a single key is used for both encryption and decryption in symmetric encryption, the security of the session key cannot be neglected and the key is at risk of leakage. This shows that confidential transmission of the key during communication is very important. The present invention introduces bivariate symmetric polynomial computation into the symmetric key generation link, solving the problem that a single key is easily leaked while it is being established, and with this guarantees the security of the session key generation process and realises identity authentication of master and slave stations.
Specifically, the method of the present invention introduces identity authentication of the master and slave stations into the SCADA system by way of symmetric polynomial encryption. The authentication mechanism is built on a distributed key mechanism that uses identity identifiers (IDs) as the basis of the key mechanism together with a symmetric polynomial algorithm. In a key system based on the identity identifiers of the two communicating parties, the session key is derived from the unique identity identifiers of the correspondents. The master and slave stations each store a bivariate symmetric polynomial: the master station generates the symmetric polynomial coefficients during connection establishment and passes them to the slave station, which guarantees that master and slave stations hold the same polynomial function. During communication the master and slave stations compute the polynomial value with their own identity identifier values and exchange identity identifier values with each other. Finally each substitutes both identity identifier values into the symmetric polynomial and computes, and in this way they share a symmetric key. In this process both master and slave stations compute the session key through the symmetric-polynomial key generation mechanism, and by the symmetry of the polynomial the two parties' results are identical.
As shown in Fig. 1, the implementation of the method provided by the present invention is divided into three main stages: the master-slave connection establishment stage, the master-slave mutual authentication and key agreement stage, and the master-slave encrypted communication stage. To set out the identity authentication process between the master station A and the slave station B of the whole SCADA system more clearly and intuitively, the relevant drawings are attached and described.
In the master-slave connection establishment stage, the master and slave stations select Modbus TCP as the application-layer communication protocol. It is built on the TCP/IP network protocol, and the transport layer uses TCP. Port 502 is the dedicated port of Modbus TCP for connections; addressing is done by IP address and port, and because TCP is connection-oriented reliable communication it already includes its own checking. In the whole communication protocol the application layer uses the Modbus protocol, so the Master/Slave communication architecture is mainly used. Before data transfer, a TCP/IP connection is first established between the client and the master station A through the sockets interface; once the communication connection between the client and the master station A is established, message exchange and data transfer can take place between the user and A. Modbus TCP exchanges information in real time in Master/Slave mode, and in this mode master-slave communication mainly involves four message types: request, confirmation, instruction and response.
Specifically, Winsock is used to build Modbus TCP communication between master and slave stations. A Winsock socket identifies a communication process and holds information such as the IP addresses and current link status of the master and slave stations; a socket is uniquely determined by protocol, address and port. Master and slave stations transmit information frames that meet the Modbus protocol requirements over the network via TCP/IP. The master station A uses concurrency, handling each slave station B's requests in an independent thread to achieve efficient transmission; sockets are requested by the application through calls, and calling sockets realises on-demand allocation of system resources.
During connection establishment the master station A performs the following operations:
After the socket has been created, the socket library must first be initialised; at this point its port number and IP address are both empty. Calling bind() binds the socket address, writing the communication port number (502) and the local IP address. The master station A uses the listen() function to set the socket to passive mode and listen for requests sent from the slave station B end; with the accept() function A extracts the connection request sent by the slave station B process; send() and recv() realise the sending and receiving of information; finally the socket is closed with close() and cleanup() releases system resources, as shown in Fig. 2.
During connection to the master station A the slave station B performs the following operations:
First a socket is created with socket(), and a connection request is sent to the master station A with connect(); send() and recv() realise the sending and receiving of information during communication. Finally the socket is closed with close() and cleanup() releases system resources, as shown in Fig. 2.
During communication the Modbus TCP data frame is used as the master-slave identity identifier; the data frame format is shown in Fig. 3. The MBAP is the header of the whole Modbus TCP frame and occupies its first 7 bytes; the transaction identifier associates a Modbus request with its response; the protocol identifier indicates the communication protocol chosen at the application layer, conventionally 0 meaning that the application layer uses the Modbus communication protocol and 1 meaning another protocol; the length field gives the number of bytes that follow, counted from the current byte; the unit identifier identifies a unit on a serial link or on another bus; and the function code indicates the specific instruction to be executed in the communication.
The Modbus TCP data frame therefore not only carries the communication information but is also unique and can be used to identify the master and slave station identities; the present invention therefore uses Modbus TCP data frames as ID_A and ID_B.
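The frame layout above, and the master-as-server / slave-as-client socket sequence (bind, listen, accept on one side, connect on the other), as an added example in Python rather than the patent's Winsock code. The parser rejects frames whose protocol identifier is not 0 or whose length field disagrees with the frame size, checks a practitioner wants before treating a frame as anything, let alone as an identity. The sample frames are constructed; the loopback demo uses an ephemeral port instead of 502 so it runs unprivileged.

```python
"""Modbus TCP frame (MBAP header + PDU) parser and builder.

Added example, not code from the patent. The frames below are constructed
sample data; the MBAP field layout follows the description in the text.
"""
import socket
import struct
import threading

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id: 7 bytes


def parse_modbus_tcp(frame):
    """Split a Modbus TCP ADU into its MBAP fields and PDU, rejecting malformed frames."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(frame)
    if pid != 0:
        raise ValueError(f"protocol identifier {pid} is not Modbus (0)")
    # the length field counts everything after itself: unit id + PDU
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    fc = frame[MBAP.size]
    return {
        "transaction_id": tid,
        "protocol_id": pid,
        "length": length,
        "unit_id": unit,
        "function_code": fc & 0x7F,      # high bit set marks an exception response
        "exception": bool(fc & 0x80),
        "data": frame[MBAP.size + 1:],
    }


def build_modbus_tcp(tid, unit, fc, data=b""):
    """Assemble an ADU; the length field is computed and the protocol id fixed at 0."""
    pdu = bytes([fc]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def loopback_demo():
    """Master A listens (bind/listen/accept), slave B connects (connect); A sends a
    read-holding-registers request, B answers with one register value."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 502 in production; ephemeral here
    srv.listen(1)
    result = {}

    def master():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(build_modbus_tcp(1, 1, 3, struct.pack(">HH", 10, 1)))
            result["response"] = parse_modbus_tcp(conn.recv(260))

    th = threading.Thread(target=master)
    th.start()
    with socket.create_connection(srv.getsockname()) as cli:
        req = parse_modbus_tcp(cli.recv(260))
        cli.sendall(build_modbus_tcp(req["transaction_id"], req["unit_id"],
                                     req["function_code"], b"\x02\x12\x34"))
    th.join()
    srv.close()
    return result["response"]


if __name__ == "__main__":
    print(loopback_demo())
```

The length check matters for the patent's use of frames as identifiers: a frame that passes the parser is at least well formed, but nothing in it is secret or unpredictable, so the frame alone cannot authenticate a station; in the scheme, that work falls entirely on the polynomial coefficients.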
In the master-slave mutual authentication and key agreement stage, the master station A and the slave station B exchange identity identifiers and substitute the identifiers into the polynomial. A and B exchange the symmetric polynomial results; if the results agree, A and B have authenticated each other and obtain the value of the shared symmetric polynomial. The master-slave symmetric polynomial computation flow is shown in Fig. 4.
Specifically, a symmetric polynomial is defined as follows:
Let f(x_1, x_2, \ldots, x_n) \in P(x_1, x_2, \ldots, x_n). If for all i, j (1 \le i, j \le n)
f(x_1, \ldots, x_i, \ldots, x_j, \ldots, x_n) = f(x_1, \ldots, x_j, \ldots, x_i, \ldots, x_n),
the polynomial is called a symmetric polynomial.
The following n polynomials
\sigma_1 = x_1 + x_2 + x_3 + \cdots + x_n
\sigma_2 = x_1 x_2 + x_1 x_3 + x_1 x_4 + \cdots + x_{n-1} x_n
\vdots
\sigma_n = x_1 x_2 x_3 \cdots x_{n-1} x_n
are called the elementary symmetric polynomials in the n unknowns x_1, x_2, \ldots, x_n.
Sums and products of symmetric polynomials are again symmetric polynomials; in particular, any polynomial in the elementary symmetric polynomials is a symmetric polynomial. Exchanging the values of any two variables of a symmetric polynomial leaves its value unchanged.
For a bivariate polynomial f(x, y) of degree t in the two variables x, y: if f(x, y) = f(y, x) for all x, y, then f(x, y) is called a symmetric bivariate polynomial. A bivariate symmetric polynomial of degree t satisfies
f(x, y) = \sum_{i,j=0}^{t} a_{ij} x^{i} y^{j}
where the polynomial is defined over the finite field GF(q), q is a prime greater than 10^k, and k is the key length (for example, for a key length of 16, q can be a large prime greater than 10^16); and for all i, j the coefficients satisfy a_{ij} = a_{ji}.
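As an added worked derivation (not part of the patent text), the coefficient condition a_{ij} = a_{ji} is exactly what makes the two stations' evaluations agree: renaming the summation indices turns f(y, x) back into f(x, y),

f(y, x) = \sum_{i,j=0}^{t} a_{ij}\, y^{i} x^{j}
        = \sum_{i,j=0}^{t} a_{ji}\, y^{i} x^{j}          \quad (a_{ij} = a_{ji})
        = \sum_{j,i=0}^{t} a_{ij}\, x^{i} y^{j}          \quad (\text{rename } i \leftrightarrow j)
        = f(x, y).

Fixing the first argument at a station's identifier gives that station's univariate share, a polynomial of degree t in y with t+1 coefficients (which is why t+1 values suffice to reconstruct it),

g_A(y) = f(ID_A, y) = \sum_{j=0}^{t} \Big( \sum_{i=0}^{t} a_{ij}\, ID_A^{\,i} \Big) y^{j},

and the session key is the common value of the two shares at the peer's identifier:

K_{AB} = g_A(ID_B) = f(ID_A, ID_B) = f(ID_B, ID_A) = g_B(ID_A) = K_{BA}.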
The process by which the master and slave stations establish a session key with the symmetric polynomial is as follows:
Master station A creates the service and generates the symmetric polynomial coefficients $a_{ij}$ ($a_{00}$, $a_{01}$, $a_{11}$); slave station B enters the server IP address and connects to master station A. Once the connection is successfully established, B and A share the symmetric polynomial parameters. After the connection is established, A and B exchange identity identifiers; both stations use Modbus TCP frames as their own identity identifier. Each station substitutes both identifiers into the symmetric polynomial, obtaining $f(ID_A, ID_B)$ and $f(ID_B, ID_A)$ respectively. A and B then exchange the results of the symmetric polynomial computation; if $f(ID_A, ID_B) = f(ID_B, ID_A)$, A and B achieve mutual authentication and obtain $K_{AB} = f(ID_A, ID_B) = f(ID_B, ID_A)$. The encryption key $K_{AB}$ is then expanded into an AES key, and the data transmitted between the master and slave stations is encrypted with the AES symmetric encryption algorithm.
In the master/slave encrypted communication stage, the negotiated value of the symmetric polynomial is expanded to 128 bits so that it meets the AES key length standard; the AES algorithm is then used to encrypt the data transmitted between the master and slave stations before transmission, and to decrypt and verify it on receipt.
Specifically, because the AES block size is fixed and the key length is fixed (128 bits in this embodiment), the value obtained from the symmetric polynomial computation must first be expanded so that it meets the AES key requirement. AES encryption operates on a 4 × 4 state matrix and proceeds through the four steps AddRoundKey, SubBytes, ShiftRows and MixColumns. AES encrypts and decrypts quickly and has high binary coding density; its four computation steps are short, simple, and easy to implement in both software and hardware, and the whole process has a relatively small memory footprint, which meets the demand for lightweight encryption in industrial control systems.
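The handshake described above (Steps A to E, with Modbus TCP frames as identifiers and a degree-t symmetric bivariate polynomial over GF(q)) as a runnable illustration. This is an added example, not code from the patent or its applicants. It assumes q = 2^61 - 1 (a known Mersenne prime above 10^16; the patent fixes no value), two constructed Modbus TCP frames as ID_A and ID_B, and SHA-256 truncated to 16 bytes as the expansion of K_AB to the 128-bit AES key length (the patent only states that the value is expanded). Note what the Step D comparison actually establishes: since f(x, y) = f(y, x) for every symmetric polynomial, equality of the two exchanged values shows that both stations evaluated the same coefficients a_ij, so the scheme rests on those coefficients being held only by the legitimate master and slave; the page does not describe how the parameters are protected while being shared in Step A.

```python
# Added example (not the patent's code): Step A-E master/slave handshake with
# Modbus TCP frames as identifiers and a symmetric bivariate polynomial.
import hashlib
import random
from typing import List, Optional, Tuple

# q must be a prime larger than 10**k for a key of k digits. The patent names no
# value; 2**61 - 1 (a Mersenne prime, > 10**16) is assumed here.
Q = 2**61 - 1

# Constructed sample frames (MBAP header + PDU), not captured traffic.
# master: Read Holding Registers (FC 03), start address 0, quantity 2
# slave:  the matching response carrying two register values
MASTER_FRAME = bytes.fromhex("000100000006010300000002")
SLAVE_FRAME = bytes.fromhex("000100000007010304001A0005")


def make_symmetric_poly(t: int, seed: Optional[int] = None) -> List[List[int]]:
    """Step A: the master generates coefficients a_ij (0 <= i, j <= t) in GF(Q)
    with a_ij == a_ji. `seed` exists only for reproducible runs; a real master
    station would take the unseeded SystemRandom branch."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = rng.randrange(Q)
    return a


def eval_poly(a: List[List[int]], x: int, y: int) -> int:
    """f(x, y) = sum_{i,j=0..t} a_ij * x^i * y^j  (mod Q)."""
    t = len(a) - 1
    return sum(a[i][j] * pow(x, i, Q) * pow(y, j, Q)
               for i in range(t + 1) for j in range(t + 1)) % Q


def frame_to_id(frame: bytes) -> int:
    """Step B: a station's Modbus TCP frame is its identifier, reduced into
    GF(Q) so it can be substituted into the polynomial."""
    return int.from_bytes(frame, "big") % Q


def expand_key(k_ab: int) -> bytes:
    """Step E: expand K_AB to the 128-bit AES key length. The patent does not
    fix the expansion function; SHA-256 truncated to 16 bytes is assumed."""
    return hashlib.sha256(k_ab.to_bytes(8, "big")).digest()[:16]


class Station:
    """One endpoint (master A or slave B) holding its copy of the polynomial."""

    def __init__(self, name: str, poly: List[List[int]], frame: bytes) -> None:
        self.name = name
        self.poly = poly
        self.id = frame_to_id(frame)
        self.local_value: Optional[int] = None

    def compute_value(self, peer_id: int) -> int:
        """Step C: substitute (own ID, peer ID) into f; the result is the
        value sent to the peer in Step D."""
        self.local_value = eval_poly(self.poly, self.id, peer_id)
        return self.local_value

    def verify(self, peer_value: int) -> Optional[bytes]:
        """Step D/E: succeed only if the peer's value equals our own, i.e. the
        peer evaluated the same coefficients. None means 'return to Step B'."""
        if self.local_value is None or peer_value != self.local_value:
            return None
        return expand_key(self.local_value)


def run_handshake(master: Station,
                  slave: Station) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Message flow: A->B: ID_A; B->A: ID_B; A->B: f(ID_A, ID_B);
    B->A: f(ID_B, ID_A). Returns the AES key each side derived, or None."""
    value_a = master.compute_value(slave.id)   # f(ID_A, ID_B) computed at A
    value_b = slave.compute_value(master.id)   # f(ID_B, ID_A) computed at B
    return master.verify(value_b), slave.verify(value_a)


if __name__ == "__main__":
    poly = make_symmetric_poly(t=1)   # a00, a01 (= a10), a11 as in the description
    key_a, key_b = run_handshake(Station("A", poly, MASTER_FRAME),
                                 Station("B", poly, SLAVE_FRAME))
    print("authenticated:", key_a is not None and key_a == key_b)
    # A slave that does not hold the master's coefficients fails Step D.
    rogue = Station("B'", make_symmetric_poly(t=1), SLAVE_FRAME)
    print("rogue accepted:", run_handshake(Station("A", poly, MASTER_FRAME), rogue) != (None, None))
```

The second run in the `__main__` block shows the failure branch of Step D: a station with different coefficients produces a value that does not match, so neither side derives a key and the protocol falls back to Step B.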
The present invention also provides a system that uses the method for identity authentication between master station A and slave station B in a SCADA system.
Specific embodiments of the invention have been described above. It should be understood that the invention is not limited to these specific embodiments; those skilled in the art may make various changes or modifications within the scope of the claims without affecting the substance of the invention. Where no conflict arises, the embodiments of this application and the features within them may be combined with one another arbitrarily.

Claims (6)

1. A method for identity authentication between a master station and a slave station in a SCADA system, characterized in that it comprises the following steps:
Step A: master station A creates a service and generates symmetric polynomial coefficients $a_{ij}$; slave station B connects to master station A according to the server IP address of A; after the connection is successfully established, B and A share the bivariate symmetric polynomial parameters, so that both A and B hold the complete bivariate symmetric polynomial expression;
Step B: after the connection is established, a communication protocol is chosen at the application layer, and master station A and slave station B each adopt a data frame of that protocol as their own identity identifier $ID_A$, $ID_B$;
Step C: after the connection is established, master station A and slave station B exchange identity identifiers with each other; A and B each substitute both identifiers into the bivariate symmetric polynomial, obtaining the results $f(ID_A, ID_B)$ and $f(ID_B, ID_A)$ respectively;
Step D: master station A and slave station B exchange the bivariate symmetric polynomial results with each other; if $f(ID_A, ID_B) = f(ID_B, ID_A)$, A and B achieve mutual authentication, compute $K_{AB} = f(ID_A, ID_B) = f(ID_B, ID_A)$, and proceed to Step E; otherwise, return to Step B;
Step E: the encryption key $K_{AB}$ is expanded so that $K_{AB}$ meets the AES key length requirement, and an encryption algorithm is used to encrypt the data transmitted between the master and slave stations.
2. The method for identity authentication between a master station and a slave station in a SCADA system according to claim 1, characterized in that the bivariate symmetric polynomial in Step C is a symmetric bivariate polynomial of degree $t$ satisfying
$$f(x, y) = \sum_{i, j = 0}^{t} a_{ij} x^i y^j,$$
where the symmetric bivariate polynomial of degree $t$ is defined over the finite field $GF(q)$, $q$ is a prime larger than $10^k$, $k$ is the length of the key, the coefficients satisfy $a_{ij} = a_{ji}$ for all $i, j$, $a_{ij}$ denotes a symmetric polynomial coefficient, and $x, y$ denote two variables.
3. The method for identity authentication between a master station and a slave station in a SCADA system according to claim 2, characterized in that the symmetric polynomial coefficients $a_{ij}$ of the symmetric bivariate polynomial of degree $t$ are generated randomly by master station A during connection establishment.
4. The method for identity authentication between a master station and a slave station in a SCADA system according to claim 1, characterized in that the communication protocol in Step B is the Modbus TCP protocol.
5. The method for identity authentication between a master station and a slave station in a SCADA system according to claim 1, characterized in that the encryption algorithm in Step E is the AES symmetric encryption algorithm.
6. A system, characterized in that the system uses the method for identity authentication between a master station and a slave station in a SCADA system according to any one of claims 1 to 5.
CN201511026877.9A 2015-12-31 2015-12-31 Method and system for identity authentication between master station and slave station in SCADA system Active CN105610837B (en)

Publications (2)

Publication Number Publication Date
CN105610837A true CN105610837A (en) 2016-05-25
CN105610837B CN105610837B (en) 2018-12-18

Family

ID=55990375

Country Status (1)

Country Link
CN (1) CN105610837B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140315518A1 (en) * 2013-04-19 2014-10-23 T-Mobile Usa, Inc. Dynamic distribution of authentication sessions
CN105049434A (en) * 2015-07-21 2015-11-11 中国科学院软件研究所 Identity authentication method and encryption communication method under peer-to-peer network environment
CN105162797A (en) * 2015-09-24 2015-12-16 广东工业大学 Bidirectional authentication method based on video surveillance system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Luo Bin (罗斌): "Research on Network Security Technology and Methods for Power SCADA Systems" (《电力SCADA系统网络安全技术与方法研究》), Information Security and Communications Privacy (《信息安全与通信保密》) *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106301793A (en) * 2016-09-06 2017-01-04 中国电子技术标准化研究院 A kind of PLC certification and the method for secure communication
CN108965326A (en) * 2018-08-21 2018-12-07 南京国电南自电网自动化有限公司 A kind of boss's station secure communication control method and system based on user identity authentication
CN111865908A (en) * 2020-06-08 2020-10-30 杭州电子科技大学 Resource-constrained system secure communication method based on random encryption strategy
CN112242993A (en) * 2020-09-02 2021-01-19 海量安全技术有限公司 Bidirectional authentication method and system
CN112383916A (en) * 2020-11-12 2021-02-19 刘中亚 WSN key management method suitable for unicast communication
CN112383916B (en) * 2020-11-12 2023-06-27 刘中亚 Key management method based on dynamic coefficient symmetric polynomial
WO2022110688A1 (en) * 2020-11-25 2022-06-02 上海电气风电集团股份有限公司 Field bus-based data transmission method and system, and field bus-based identity verification method and system
CN112468493A (en) * 2020-11-25 2021-03-09 上海电气风电集团股份有限公司 Data transmission method, identity recognition method and system based on field bus
CN113093678A (en) * 2021-04-07 2021-07-09 国能(泉州)热电有限公司 Data processing method for power plant DCS (distributed control System)
CN113093678B (en) * 2021-04-07 2022-12-20 国能(泉州)热电有限公司 Data processing method for power plant DCS (distributed control System)
CN113285946A (en) * 2021-05-20 2021-08-20 中国联合网络通信集团有限公司 Equipment authentication method and device
CN113285946B (en) * 2021-05-20 2023-08-15 中国联合网络通信集团有限公司 Equipment authentication method and device
CN113709184A (en) * 2021-10-08 2021-11-26 天津创发科技有限公司 Data encryption method and system applied to railway Internet of things
CN113709184B (en) * 2021-10-08 2023-03-24 天津创发科技有限公司 Data encryption method and system applied to railway Internet of things

Similar Documents

Publication Publication Date Title
Da Xu et al. Embedding blockchain technology into IoT for security: A survey
CN105610837A (en) Method and system for identity authentication between master station and slave station in SCADA (Supervisory Control and Data Acquisition) system
Gaba et al. Robust and lightweight key exchange (LKE) protocol for industry 4.0
CN101409619B (en) Flash memory card and method for implementing virtual special network key exchange
CN110336774A (en) Hybrid Encryption decryption method, equipment and system
US11210658B2 (en) Constructing a distributed ledger transaction on a cold hardware wallet
CN107248994A (en) A kind of method for sending information, processing method and processing device
CN110753344B (en) NB-IoT-based smart meter secure access system
CN107172056A (en) A kind of channel safety determines method, device, system, client and server
CA3178180A1 (en) Constructing a distributed ledger transaction on a cold hardware wallet
CN107276752A (en) The methods, devices and systems that limitation key is decrypted are paid to cloud
CN103441983A (en) Information protection method and device based on link layer discovery protocol
CN109245894A (en) A kind of distributed cloud storage system based on intelligent contract
CN105471901A (en) Industrial information security authentication system
CN103378971A (en) Data encryption system and method
CN106712939A (en) Offline key transmission method and device
CN105610872B (en) Internet-of-things terminal encryption method and internet-of-things terminal encryption device
Puthal et al. Decision tree based user-centric security solution for critical IoT infrastructure
CN105162592B (en) A kind of method and system of certification wearable device
CN112865965B (en) Train service data processing method and system based on quantum key
CN110198320A (en) A kind of ciphered information transmission method
CN111490874B (en) Distribution network safety protection method, system, device and storage medium
CN109040120A (en) A kind of SV message encryption and decryption method based on IEC61850 standard
CN105915345B (en) The implementation method of licensed-type production and restructuring in a kind of family gateway equipment production test
Zou et al. Information Security Transmission Technology in Internet of Things Control System.

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant