CN105610837B - Identity authentication method and system between a SCADA system master station and slave station - Google Patents

Identity authentication method and system between a SCADA system master station and slave station

Info

Publication number: CN105610837B
Authority: CN (China)
Prior art keywords: master station, slave station, symmetric, polynomial, key
Legal status: Active
Application number: CN201511026877.9A
Other languages: Chinese (zh)
Other versions: CN105610837A
Inventors: 陈秀真, 陆越, 金波, 陈长松
Current assignee: Shanghai Jiaotong University; Third Research Institute of the Ministry of Public Security
Original assignee: Shanghai Jiaotong University; Third Research Institute of the Ministry of Public Security
Application filed by Shanghai Jiaotong University and Third Research Institute of the Ministry of Public Security
Priority to CN201511026877.9A
Publication of CN105610837A
Application granted
Publication of CN105610837B

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869: Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption

Abstract

The invention provides an identity authentication method and system between a SCADA system master station and slave station, comprising the following steps: master station A creates a service and generates the symmetric polynomial coefficients a_ij; slave station B establishes a connection with master station A according to the IP address of master station A's server, and after the connection is successfully established, slave station B and master station A share the symmetric bivariate polynomial parameters; master and slave stations each use a data frame of the communication protocol as their own identity identifier ID_A or ID_B; master station A and slave station B exchange identity identifiers and each substitutes both identifiers into the symmetric polynomial; if f(ID_A, ID_B) = f(ID_B, ID_A), master station A and slave station B have mutually authenticated, and the computed value is extended to obtain the symmetric encryption key K_AB. The invention uses a symmetric polynomial to generate the shared key, uses it as the symmetric encryption key, and selects a symmetric encryption algorithm for the message exchange, which reduces computational complexity.

Description

Identity authentication method and system between a SCADA system master station and slave station
Technical field
The present invention relates to identity authentication technology between the master and slave stations of a SCADA system, in particular to a mutual authentication technique based on a symmetric-polynomial encryption mechanism, and specifically to securing master-slave station communication in SCADA systems.
Background technique
With the continuous development of information technology, the level of industrial modernization grows day by day. Industrial control systems (ICS) are widely used in many industries closely tied to the national economy, such as metallurgy, water and power supply, oil and gas transport, aerospace and road traffic, and play an irreplaceable role in social production and in the protection of infrastructure. A typical SCADA (Supervisory Control and Data Acquisition) system is mainly used for remote supervisory control and data acquisition; it integrates computer, control, communication and network technologies to monitor and analyze the data collected from remote, dispersed measurement and control points, and provides technical and data support for the scheduling, management and fault diagnosis of the whole production process. Over Ethernet, the entire control system can easily be interconnected with remote terminal units. At present the performance, reliability and flexibility of industrial control systems receive the most attention, while their information security problems are not given enough weight.
The deep integration of industrialization and informatization has made standard control protocols ever more widely used, and the openness of industrial control systems has risen accordingly: general-purpose protocols, hardware and software devices and operating systems are widely used, which has directly led to frequent attacks on industrial control systems and gradually exposed a series of network security problems. Take the Stuxnet virus as an example: it exploited vulnerabilities in the Microsoft Windows operating system and the Siemens WinCC system to damage the system directly, and hackers could fully control remotely infected hosts, turning them into zombie computers. Stuxnet mounted malicious attacks on public utilities and control systems; all kinds of communications facilities and civil and industrial infrastructure were exposed to its attack, and Iran's Bushehr nuclear power station did not escape either: the control logic of the uranium centrifuges in the plant was maliciously modified, causing abnormal motor speeds and serious losses. After the Stuxnet incident, attacks on industrial control systems around the world occurred frequently and grew in intensity, causing serious damage and losses; the Flame virus, 20 times more powerful than Stuxnet, wreaked havoc in the Middle East. One attack on industrial control systems after another has had serious consequences; these network security problems pose a stern challenge to industrial control systems and have pushed public concern for industrial network security to a new peak.
In fact, many industrial control networks lack strict system administration: internal staff may connect virus-infected mobile devices, or outsiders may intercept communications by illegal means, leading to information leakage and tampering and giving lawbreakers an opportunity. The information security mechanisms of SCADA systems are also imperfect, and the authentication link has many vulnerabilities that are easily exposed to attackers. An attacker can communicate with the master station under a forged administrator identity and illegally enter the industrial control network. An attacker can also intrude on the communication network between master and slave stations to steal communication content, disrupt normal master-slave communication, interrupt infrastructure and industrial services in the SCADA system, and cause serious damage. Identity authentication is especially important for secure access control in a SCADA system: it performs the "access control" function of the whole security system and is comparable to the first gate of the information security system, checking the identities of PLC control device nodes and administrators and ensuring that a user's physical and digital identities agree. This link effectively protects system resources, prevents user identities from being illegally impersonated, and refuses unauthorized access to sensitive data and requests. If the authentication link of a system is broken, the other protection schemes in the system are also hard to realize. Since the control units occupy a vital position in industrial systems, security authentication is required for all accessing objects, including user access and the access of PLC and other control equipment, and SCADA systems have strict requirements for communication authentication between master and slave stations.
However, the security needs of industrial control systems differ from those of the traditional Internet: they focus more on the high availability, real-time performance and business continuity of the system. In an emergency, the industrial control system needs its emergency handling program to respond quickly, to reduce the losses caused by a longer emergency-handling time. Therefore, existing mature and robust cryptographic mechanisms cannot be applied directly to device-node authentication in SCADA systems; a lightweight identity authentication mechanism needs to be designed to guarantee the speed of the control system's emergency response. The present invention uses a lightweight encryption mechanism suited to SCADA systems to secure master-slave station communication, realizes a technical system for mutual authentication between master and slave stations, and achieves secure access control for the system.
A literature search shows that the existing security measures for master-slave station authentication and communication in SCADA systems include the following:
(1) Symmetric encryption algorithms
Master and slave stations exchange information over a communication line, and an intruder can obtain the master-slave communication data by tapping the line and so attack the industrial control system; therefore encryption and decryption function modules need to be added at the entry and exit of the slave and master stations. Since a SCADA system has high requirements for both the efficiency and the security of data transmission, choosing a lightweight encryption mechanism can guarantee fast recovery after a system interruption and reduce system losses. Analysis of the encryption and decryption times of symmetric and asymmetric algorithms shows that, by comparison, symmetric encryption algorithms have lower complexity, shorter encryption and decryption times, and generate fewer keys. Symmetric encryption algorithms are therefore applied to master-slave secure communication, so as to guarantee fast recovery after a system interruption and reduce system losses. Common symmetric encryption algorithms include AES, DES and IDEA. Symmetric encryption has advantages in the number of key nodes and in response time, meeting the system's demand for a lightweight encryption mechanism, but in symmetric encryption the encryption and decryption key is one and the same, and the security of the key is hard to guarantee.
(2) Key update mechanisms
A new encryption key management scheme is introduced that reduces the risk of key exposure by means of key updates. The master station is both the initiator of communication and the session key generator, and key security can be strengthened by adding a session-key update stage and a master-key update stage to the key generation procedure. A master key is shared between the master and slave stations. In the session-key update stage, the master station randomly generates a session key, encrypts it with the master key and passes the encrypted session key to the corresponding slave station; the slave station receives the key, decrypts it with the master key and sends a confirmation to the master station. In the master-key update stage, the master and slave stations each receive the other's encrypted master key, decrypt it with the session key, update the master key, and send the new session key using the updated master key. Introducing Diffie-Hellman elliptic-curve key agreement in the master-key update stage reduces the possibility of key exposure. The key update mechanism strengthens key security, but it does not implement identity authentication between master and slave stations, and an attacker can steal the shared key by usurping a communicating party's identity.
(3) Combination with hardware devices
The security of key distribution during communication is protected by a hardware device, without modifying the SCADA nodes, by integrating directly with traditional equipment. This method introduces identity verification into the SCADA master-slave communication link to protect against an attacker altering messages or impersonating a communicating party. The method is easy to operate, and the key storage device can be integrated directly into SCADA equipment, so its compatibility and portability are prominent, but updating hardware devices increases deployment cost.
The studies above show that SCADA systems mainly choose symmetric encryption algorithms to realize encrypted transmission and decryption verification of data, but the security of the session key needs strengthening, the identity authentication mechanism for the two communicating parties leaves much to be desired, and the existing security protection mechanisms cannot effectively prevent illegal access by users and devices.
Summary of the invention
In view of the defects in the prior art, the object of the present invention is to provide an identity authentication method and system between a SCADA system master station and slave station that attends to the system's demand for a lightweight encryption mechanism while taking key security into account, and effectively realizes mutual authentication between master and slave stations.
To solve the above technical problems, the invention provides an identity authentication method between a SCADA system master station and slave station, comprising the following steps:
Step A: Master station A creates a service and generates the symmetric polynomial coefficients a_ij; slave station B establishes a connection with master station A according to the IP address of master station A's server; after the connection is successfully established, slave station B and master station A share the bivariate symmetric polynomial parameters, so that master station A and slave station B hold the complete bivariate symmetric polynomial expression;
Step B: After the connection is established, a communication protocol is chosen at the application layer, and master station A and slave station B each use a data frame of the communication protocol as their own identity identifier ID_A or ID_B;
Step C: After the connection is established, master station A and slave station B exchange identity identifiers, and each substitutes both identifiers into the bivariate symmetric polynomial, obtaining the results f(ID_A, ID_B) and f(ID_B, ID_A);
Step D: Master station A and slave station B exchange their bivariate symmetric polynomial results; if f(ID_A, ID_B) = f(ID_B, ID_A), master station A and slave station B have mutually authenticated, K_AB = f(ID_A, ID_B) = f(ID_B, ID_A) is computed, and execution continues with Step E; otherwise, return to Step B;
Step E: The encryption key K_AB is extended so that K_AB meets the AES key length requirement, and the data content transmitted between master and slave stations is encrypted with the encryption algorithm.
Preferably, the bivariate symmetric polynomial in Step C is a bivariate symmetric polynomial of degree t, satisfying:
where the bivariate symmetric polynomial of degree t is over the finite field GF(q), q is a prime greater than 10^k, and k is the length of the key; for any i, j, a_ij = a_ji; a_ij denotes a symmetric polynomial coefficient; and x, y denote two random variables.
Preferably, the symmetric polynomial coefficients a_ij of the bivariate symmetric polynomial of degree t are randomly generated by master station A during connection establishment.
Preferably, in Step B the communication protocol is the Modbus TCP protocol.
Preferably, in Step E the encryption algorithm is the AES symmetric encryption algorithm.
A system that uses the identity authentication method between SCADA system master station A and slave station B.
Compared with the prior art, the beneficial effects of the present invention are as follows:
1. The present invention selects a symmetric polynomial to generate the shared key, uses it as the symmetric encryption key, and selects a symmetric encryption algorithm for the message exchange, which reduces computational complexity; the number of keys generated in the whole process is smaller than with asymmetric approaches. This meets the demand for a lightweight cryptographic mechanism in communication between SCADA system master station A and slave station B, so that the system can still react quickly in an emergency.
2. While attending to fast system response, the present invention also takes key security into account. Because the key used for encryption and decryption in a traditional symmetric encryption algorithm is the same, its security is affected not only by the complexity of the encryption algorithm itself; the security of key management is also especially prominent.
1) Enhanced session key confidentiality
In the symmetric-polynomial encryption process, the session key used in the key agreement stage is established by the symmetric polynomial and contains the identity information of both master station A and slave station B, which effectively prevents key theft. Since reconstructing a bivariate polynomial of degree t requires the values of t+1 members, an attacker needs to intercept at least t+1 members' node key values to reconstruct the polynomial. Thus even if an attacker obtains the node key values of all members in the whole communication system, the attacker still cannot compute the value of the symmetric polynomial, which ensures the security of the session key. Moreover, the shared key computed by each node is independent and cannot be obtained by other nodes, giving good confidentiality and independence.
2) Master-slave mutual identity authentication
Master station A and slave station B use their own identity identifiers ID_A and ID_B to construct the univariate polynomials f(ID_A, y) and f(ID_B, y). By establishing a session, master station A and slave station B respectively compute K_AB = f(ID_A, y)|y=ID_B and K_BA = f(ID_B, y)|y=ID_A. The stations exchange their symmetric polynomial results and compare whether K_AB and K_BA are identical, completing mutual authentication and the establishment of a secure session key. In the exchange of symmetric polynomial values the two stations authenticate each other, which effectively prevents impersonation by illegal nodes, guarantees the integrity and availability of transmitted messages, effectively prevents messages from being tampered with or illegally obtained, and better meets the requirements for a SCADA system encryption mechanism.
Description of the drawings
Other features, objects and advantages of the present invention will become more apparent upon reading the detailed description of non-limiting embodiments with reference to the following drawings:
Fig. 1 is a schematic diagram of the overall framework of the identity authentication system between master station and slave station in the present invention's identity authentication method between a SCADA system master station and slave station;
Fig. 2 is a schematic diagram of the master-slave station communication process of the method;
Fig. 3 is a schematic diagram of the Modbus TCP data frame used by the method;
Fig. 4 is a schematic diagram of the master-slave station symmetric polynomial used by the method.
Specific embodiments
The present invention is described in detail below with reference to specific embodiments. The following embodiments will help those skilled in the art to understand the invention further, but do not limit it in any way. It should be pointed out that those of ordinary skill in the art can make several changes and improvements without departing from the inventive concept, and these all fall within the protection scope of the invention.
Since a SCADA system needs to process a large amount of data in a short time, a lightweight encryption mechanism can guarantee fast recovery after a system interruption and reduce system losses. Symmetric encryption has advantages in the number of key nodes and in response time and meets the system's demand for a lightweight encryption mechanism. But because the encryption and decryption key used in the encryption process is one and the same, the security of the session key cannot be ignored, and the key risks leakage. From this it can be seen that the confidential transmission of the key during communication is especially important. The present invention introduces a bivariate symmetric polynomial calculation into the symmetric-key generation link, which solves the problem that a single key is easily leaked during establishment, guarantees security during session key generation, and realizes identity authentication of master station and slave station.
Specifically, the identity authentication method between a SCADA system master station and slave station of the present invention introduces symmetric-polynomial encryption into the identity authentication of master and slave stations in the SCADA system. Within the encryption process, the authentication mechanism established with a distributed key mechanism uses an identity (ID)-based key mechanism and a symmetric polynomial algorithm. In a key system based on the identity identifiers of the two communicating parties, the session key is derived from the unique identities of the correspondents. Master and slave stations each hold a bivariate symmetric polynomial: the master station generates the symmetric polynomial coefficients during connection establishment and passes them to the slave station, guaranteeing that master and slave stations possess the same polynomial function. During communication, each station evaluates the polynomial with its own identity value, and the stations exchange identity values with each other. Finally each station substitutes both identity values into the symmetric polynomial and computes the shared symmetric key. In this process the stations compute the session key through the symmetric-polynomial-based key generation mechanism, and by the symmetry of the polynomial the two sides' results are identical.
As shown in Fig. 1, the implementation of the method provided by the present invention is divided into three main stages: the master-slave connection establishment stage, the master-slave mutual authentication and key agreement stage, and the master-slave encrypted communication stage. To illustrate the identity authentication process between master station A and slave station B of the whole SCADA system more clearly and visually, the relevant drawings are attached and explained.
In the master-slave connection establishment stage, the stations select Modbus TCP as the application-layer communication protocol; it is built on the TCP/IP network protocols, and the transport layer uses TCP. Port 502 is the dedicated port Modbus TCP uses for connections; addressing is realized through IP address and port, and since TCP is connection-oriented reliable communication, it contains its own checking. In the whole protocol stack, the application layer uses the Modbus protocol, so the communication frame of the master/slave structure is mainly used. Before data transmission, a TCP/IP connection should first be established between the client and master station A through the sockets interface; once the communication connection between the client and master station A is established, message exchange and data transmission between the user and master station A can proceed. Modbus TCP exchanges information in real time in master/slave mode, and in this mode four message types are mainly involved in master-slave communication: request, confirmation, indication and response.
Specifically, Modbus TCP communication between master and slave stations is built with Winsock. A Winsock socket identifies the communication process: the socket holds the stations' IP addresses and the current connection status, and a socket is uniquely determined by protocol, address and port. The stations transmit information frames meeting the Modbus protocol requirements over TCP/IP on the network. Master station A uses a concurrent mode, handling each slave station B's requests in an independent thread to achieve efficient transmission; sockets are requested by applications, and on-demand allocation of system resources is realized through socket calls.
In the connection establishment process, master station A performs the following operations:
After the socket is created, the socket library must first be initialized; at this point its port number and IP address are both empty. By calling bind() to bind the socket address, the communication port number (502) and the local IP address are written. The socket is set to passive mode with the listen() function, so that master station A listens for the requests sent by the slave station B side; master station A extracts the connection request sent by the slave station B process with the accept() function, calls the send() and recv() functions to send and receive information, finally closes the socket with the close() function, and releases system resources with cleanup(). See Fig. 2 for details.
The operations performed by slave station B in the connection process with master station A are as follows:
A socket is first created with socket(), a connection request is sent to master station A with the connect() function, and information is sent and received during communication with the send() and recv() functions. The socket is finally closed with close(), and system resources are released with cleanup(). See Fig. 2 for details.
The Modbus TCP data frame is used as the identity of master and slave stations during communication; the data frame format is shown in Fig. 3. The MBAP header is the head of the whole Modbus TCP frame and covers its first 7 bytes; the transaction identifier marks the related Modbus request and response operations; the protocol identifier mainly indicates the communication protocol chosen at the application layer, usually taking 0 to indicate that the application layer uses the Modbus protocol and 1 to indicate another; the length indicates the size of the data that follows, counted from the current byte; the unit identifier is mainly used to identify a unit on a serial link or another bus; and the function code indicates the specific operation to be executed during communication.
It can be seen that a Modbus TCP data frame not only carries the communication information but is also unique, so it can be used to identify master and slave station identities. The present invention therefore uses Modbus TCP data frames as ID_A and ID_B.
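A parser for the Modbus TCP frame layout just described, written as an added example for this page rather than taken from the patent: it checks the MBAP fields (protocol identifier 0, length consistent with the frame size) before a frame is accepted as a station's identity identifier, so a truncated or malformed frame is rejected. The sample frames are constructed.

```python
"""Validate a Modbus TCP frame before using it as a station's identity
identifier, following the MBAP field description for Fig. 3. Added example
for this page; it is not code from the patent."""
import struct

MBAP_FMT = ">HHHB"                    # transaction id, protocol id, length, unit id
MBAP_LEN = struct.calcsize(MBAP_FMT)  # the 7-byte MBAP header
MODBUS_PROTOCOL_ID = 0                # 0 = Modbus at the application layer


def parse_modbus_tcp_frame(frame):
    """Split a Modbus TCP frame into its MBAP fields and PDU.

    Raises ValueError when the frame violates the format, so a malformed or
    truncated frame is never accepted as an identity identifier."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(MBAP_FMT, frame[:MBAP_LEN])
    if pid != MODBUS_PROTOCOL_ID:
        raise ValueError("protocol identifier %d is not Modbus" % pid)
    # The length field counts every byte after itself: unit id plus the PDU.
    trailing = len(frame) - (MBAP_LEN - 1)
    if length != trailing:
        raise ValueError("length field %d does not match %d trailing bytes"
                         % (length, trailing))
    pdu = frame[MBAP_LEN:]
    return {
        "transaction_id": tid,
        "protocol_id": pid,
        "length": length,
        "unit_id": unit,
        "function_code": pdu[0] & 0x7F,   # high bit marks an exception response
        "is_exception": bool(pdu[0] & 0x80),
        "data": pdu[1:],
    }


def is_valid_identity_frame(frame):
    """True when the frame parses cleanly and can serve as ID_A or ID_B."""
    try:
        parse_modbus_tcp_frame(frame)
        return True
    except ValueError:
        return False


# Constructed sample frames: a read-holding-registers request (function 3,
# start 0, quantity 10) and the matching response carrying two register bytes.
REQUEST_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
RESPONSE_FRAME = bytes.fromhex("0001 0000 0005 01 03 02 0102")

if __name__ == "__main__":
    for name, frame in (("request", REQUEST_FRAME), ("response", RESPONSE_FRAME)):
        print(name, parse_modbus_tcp_frame(frame))
```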
In the master-slave mutual authentication and key agreement stage, master station A and slave station B exchange identity identifiers and substitute them into the polynomial. Master station A and slave station B exchange their symmetric polynomial results; if the results agree, master station A and slave station B have mutually authenticated and obtain the value of the shared symmetric polynomial. The master-slave symmetric polynomial calculation process is shown in Fig. 4.
Specifically, a symmetric polynomial is defined as follows:
Let f(x_1, x_2, …, x_n) ∈ P(x_1, x_2, …, x_n). If for any i, j (1 ≤ i, j ≤ n):
f(x_1, …, x_i, …, x_j, …, x_n) = f(x_1, …, x_j, …, x_i, …, x_n)
then the polynomial is called a symmetric polynomial.
The following n polynomials:
σ_1 = x_1 + x_2 + x_3 + … + x_n
σ_2 = x_1x_2 + x_1x_3 + x_1x_4 + … + x_{n-1}x_n
σ_n = x_1x_2x_3…x_{n-1}x_n
are called the elementary symmetric polynomials in the n unknowns x_1, x_2, …, x_n.
Sums and products of symmetric polynomials are still symmetric polynomials; in particular, a polynomial in the elementary symmetric polynomials is still a symmetric polynomial. In a symmetric polynomial, exchanging the values of any two variables leaves the value of the polynomial unchanged.
For a bivariate polynomial f(x, y) of degree t, where x, y denote two random variables, if f(x, y) = f(y, x) for all x, y, then the bivariate polynomial f(x, y) is called a symmetric bivariate polynomial. A bivariate symmetric polynomial of degree t satisfies:
where the bivariate symmetric polynomial of degree t is over the finite field GF(q), q is a prime greater than 10^k, and k is the length of the key (for example, if the password length is 16, q can be a large prime greater than 10^16); and for any i, j, a_ij = a_ji.
It is as follows that master-salve station uses symmetric polynomial to establish session key process:
Main website A creation service, generates symmetric polynomial coefficient aij(a00、a01、a11), slave station B inputs the IP address of server It is attached with main website A, connection is successfully established rear slave station B and main website A and shares symmetric polynomial parameter.After connection is established, Main website A exchanges identification identifier with slave station B, and master-salve station is all made of MODBUS TCP data frame as own identification identifier.It is main Slave station is brought the identification identifier of the two into symmetric polynomial and is calculated, and f (ID is obtainedA,IDB) and f (IDB,IDA).Main website A Symmetric polynomial calculated result is exchanged with slave station B, if f (IDA,IDB)=f (IDB,IDA), then main website A and slave station B realizes double To certification, and obtain KAB=f (IDA,IDB)=f (IDB,IDA).Encryption key K is calculated in extensionABAES key is extended to, And the data content transmitted master-salve station is encrypted using AES symmetric encipherment algorithm.
In the encrypted communication stage, the master and slave stations expand the negotiated symmetric polynomial value to 128 bits so that it meets the AES key length standard; the data transmitted between them is then encrypted with AES for transmission and decrypted and verified on receipt.
Specifically, since the AES block size is fixed and the key length is fixed (128 bits in this embodiment), the symmetric polynomial result must first be expanded to meet the AES key requirement. AES operates on a 4 × 4 "state matrix" and encrypts through four steps: Add Round Key, Sub Bytes, Shift Rows and Mix Columns. AES encrypts and decrypts quickly, has a high binary coding density, and its four computation stages are concise and easy to implement in software and hardware; the memory demand of the whole process is also relatively small, meeting the lightweight encryption requirement of industrial control systems.
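As an added worked example (not the patent's own code), the following Python models the steps above: master station A generates symmetric coefficients a_ij over GF(q), both sides evaluate f with the two Modbus TCP frame identifiers in opposite order, and the agreed value is expanded to a 128-bit AES key. The modulus 2^61 - 1, the SHA-256 truncation used for the 128-bit expansion, and the sample Modbus frames are assumptions; the comparison step succeeds only when both sides evaluate the same symmetric polynomial, which is what the exchanged values attest to.

```python
import hashlib
import secrets

# Modulus for GF(q): the Mersenne prime 2^61 - 1, which exceeds the 10^16 bound
# the text gives for a 16-character key (this particular choice is an assumption).
Q = 2**61 - 1


def gen_symmetric_coeffs(t, q=Q):
    """Master-side step A: draw a_ij uniformly from GF(q) and mirror them so a_ij = a_ji."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = secrets.randbelow(q)
    return a

def poly_eval(a, x, y, q=Q):
    """Evaluate f(x, y) = sum over i, j of a_ij * x^i * y^j (mod q)."""
    t = len(a) - 1
    return sum(a[i][j] * pow(x, i, q) * pow(y, j, q)
               for i in range(t + 1) for j in range(t + 1)) % q

def frame_to_id(frame, q=Q):
    """Step B: use a station's Modbus TCP frame as its identifier, mapped into GF(q)."""
    return int.from_bytes(frame, "big") % q

def expand_key(k_ab, q=Q):
    """Step E: expand K_AB to a 128-bit AES key (assumption: SHA-256 truncated to 16 bytes)."""
    width = (q.bit_length() + 7) // 8
    return hashlib.sha256(k_ab.to_bytes(width, "big")).digest()[:16]

def negotiate(a_master, a_slave, id_a, id_b, q=Q):
    """Steps C and D: each side evaluates its own copy of the polynomial with the two
    identifiers swapped; the key is released only if the exchanged values agree, i.e.
    only if both sides hold the same symmetric polynomial."""
    f_ab = poly_eval(a_master, id_a, id_b, q)  # computed by master A
    f_ba = poly_eval(a_slave, id_b, id_a, q)   # computed by slave B
    if f_ab != f_ba:
        return None                            # authentication failed: back to step B
    return expand_key(f_ab, q)

if __name__ == "__main__":
    coeffs = gen_symmetric_coeffs(t=1)          # a00, a01 (= a10), a11 as in the text
    # Constructed sample identifiers: a Modbus TCP request ADU and its response ADU.
    id_a = frame_to_id(bytes.fromhex("000100000006010300000001"))
    id_b = frame_to_id(bytes.fromhex("000100000005010302000A"))
    key = negotiate(coeffs, coeffs, id_a, id_b)
    print("AES-128 key:", key.hex())
```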
The present invention also provides a system that uses the identity authentication method between SCADA system master station A and slave station B.
Specific embodiments of the present invention have been described above. It is to be understood that the invention is not limited to these embodiments; those skilled in the art can make various changes or modifications within the scope of the claims without affecting the substance of the invention. Where no conflict arises, the features of the embodiments of this application may be combined with one another arbitrarily.

Claims (6)

1. An identity authentication method between a SCADA system master station and slave station, comprising the following steps:
Step A: master station A creates a service and generates symmetric polynomial coefficients a_ij; slave station B establishes a connection with master station A according to the IP address of the master station A server; once the connection is established, slave station B and master station A share the bivariate symmetric polynomial parameters, so that both hold the complete bivariate symmetric polynomial expression;
Step B: after the connection is established, a communication protocol is chosen at the application layer, and master station A and slave station B each adopt a data frame of that protocol as their own identification identifier ID_A, ID_B;
Step C: after connection setup, master station A and slave station B exchange identification identifiers, and each substitutes the two identifiers into the bivariate symmetric polynomial to obtain the results f(ID_A, ID_B) and f(ID_B, ID_A);
Step D: master station A and slave station B exchange their bivariate symmetric polynomial results; if f(ID_A, ID_B) = f(ID_B, ID_A), mutual authentication is achieved, K_AB = f(ID_A, ID_B) = f(ID_B, ID_A) is computed, and execution continues with step E; otherwise, return to step B;
Step E: the encryption key K_AB is expanded so that it meets the AES key length requirement, and the data transmitted between the master and slave stations is encrypted with the encryption algorithm.
2. The identity authentication method between a SCADA system master station and slave station according to claim 1, characterized in that the bivariate symmetric polynomial in step C is a symmetric bivariate polynomial of degree t that satisfies:
wherein, for a symmetric bivariate polynomial of degree t over the finite field GF(q), q is a prime greater than 10^k, k being the key length; for all i, j, the coefficients satisfy a_ij = a_ji; a_ij denotes a symmetric polynomial coefficient; and x, y denote two random variables.
3. The identity authentication method between a SCADA system master station and slave station according to claim 2, characterized in that the symmetric polynomial coefficients a_ij of the symmetric bivariate polynomial of degree t are generated randomly by master station A during connection setup.
4. The identity authentication method between a SCADA system master station and slave station according to claim 1, characterized in that in step B the communication protocol is the Modbus TCP protocol.
5. The identity authentication method between a SCADA system master station and slave station according to claim 1, characterized in that in step E the encryption algorithm is the AES symmetric encryption algorithm.
6. A system for identity authentication between a SCADA system master station and slave station, characterized in that the system uses the identity authentication method between a SCADA system master station and slave station according to any one of claims 1 to 5.
CN201511026877.9A 2015-12-31 2015-12-31 For identity authentication method and system between SCADA system main website and slave station Active CN105610837B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511026877.9A CN105610837B (en) 2015-12-31 2015-12-31 For identity authentication method and system between SCADA system main website and slave station


Publications (2)

Publication Number Publication Date
CN105610837A CN105610837A (en) 2016-05-25
CN105610837B true CN105610837B (en) 2018-12-18

Family

ID=55990375

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201511026877.9A Active CN105610837B (en) 2015-12-31 2015-12-31 For identity authentication method and system between SCADA system main website and slave station

Country Status (1)

Country Link
CN (1) CN105610837B (en)



Also Published As

Publication number Publication date
CN105610837A (en) 2016-05-25


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant