CN105610837B - For identity authentication method and system between SCADA system main website and slave station - Google Patents
Identity authentication method and system between the master station ("main website" in the machine translation) and slave station of a SCADA system
- Publication number: CN105610837B (application CN201511026877.9A)
- Authority: CN (China)
- Prior art keywords: main website (master station), slave station, symmetric, polynomial, key
- Legal status: Active (as listed by Google Patents; not a legal conclusion)
Classifications
- H04L63/00 — Network architectures or network communication protocols for network security
- H04L63/0869 — Authentication of entities, for achieving mutual authentication
- H04L63/0435 — Confidential data exchange among entities communicating through data packet networks, wherein the data content is protected by encrypting or encapsulating the payload and the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
Abstract
The invention provides an identity authentication method and system for use between the master station and a slave station of a SCADA system. It comprises the following steps: master station A creates a service and generates the symmetric polynomial coefficients a_ij; slave station B establishes a connection with master station A using the IP address of A's server, and once the connection is established, B and A share the parameters of a symmetric bivariate polynomial. Master and slave stations each use a data frame of the communication protocol as their own identity identifier, ID_A and ID_B. A and B exchange identity identifiers and each substitutes both identifiers into the symmetric polynomial. If f(ID_A, ID_B) = f(ID_B, ID_A), A and B have authenticated each other, and the value is computed and extended to obtain the symmetric encryption key K_AB. The invention uses a symmetric polynomial to generate the shared key, uses that key as the symmetric encryption key, and selects a symmetric encryption algorithm for the message exchange, which reduces computational complexity.
Description
Technical field
The present invention relates to identity authentication technology between the master and slave stations of a SCADA system, in particular to a mutual authentication technique based on a symmetric-polynomial encryption mechanism, and specifically to securing master-slave station communication in SCADA systems.
Background technique
With the continuous development of information technology and the rising level of industrial modernization, industrial control systems (ICS) are widely used in industries closely tied to the national economy, such as metallurgy, water and power supply, oil and gas transport, aerospace and road traffic, and play an irreplaceable role in production and in the protection of infrastructure. A typical SCADA (Supervisory Control and Data Acquisition) system is used for remote supervisory control and data acquisition; it integrates computing, control, communication and networking technologies, monitors and analyses the data collected from remote, dispersed measurement and control points, and provides technical and data support for scheduling, management and fault diagnosis of the entire production process. Over Ethernet, the whole control system can easily be interconnected with remote terminal equipment. At present, the performance, reliability and flexibility of industrial control systems receive the most attention, while their information security is not taken seriously enough.
The deep integration of industrialization and informatization has made standard control protocols ever more widespread, and the openness of industrial control systems has grown with it: general-purpose protocols, hardware and software devices and operating systems are in wide use. This has led directly to frequent attacks on industrial control systems, and a series of network security problems have gradually been exposed. Take the Stuxnet worm ("震网" virus) as an example: it used vulnerabilities in Microsoft's Windows operating system and Siemens' WinCC system to damage systems directly, and hackers were able to fully control remotely infected hosts, turning them into zombie computers. Stuxnet mounted malicious attacks on public works and control systems; all kinds of communication facilities and civil and industrial infrastructure were exposed to it, and Iran's Bushehr nuclear power plant did not escape either: the control logic of the plant's uranium separators was maliciously modified, causing abnormal motor speeds and serious losses. Since the Stuxnet incident, attacks on industrial control systems have occurred frequently around the world and grown in intensity, causing serious damage and loss; the Flame virus, said to be 20 times more powerful than Stuxnet, wreaked havoc in the Middle East. Attacks on industrial control systems have caused serious consequences in rapid succession; these network security problems pose stern challenges to industrial control systems and have pushed public concern about industrial network security to a new peak.
In fact, many industrial control networks lack strict system administration: internal staff may connect virus-infected mobile devices, or external staff may intercept traffic by illegal means, leading to leakage or tampering of information and giving lawbreakers an opening. The information security mechanisms of SCADA systems are not perfect either; the authentication step has many loopholes and is easily exposed to attackers. An attacker can communicate with the master station under a forged administrator identity and illegally access the industrial control network. An attacker can also intrude on the communication network between master and slave stations to steal communication content, disrupt normal master-slave communication, interrupt the infrastructure and industrial services in the SCADA system and cause serious damage. Identity authentication is therefore especially important for secure access control in SCADA systems. It performs the "access gate" function of the whole security system and can be compared to the first gate of the information security system: it checks the identity of PLC control device nodes and administrators and ensures that a user's physical and digital identities correspond. This step effectively protects system resources, prevents user identities from being illegally impersonated, and refuses unauthorized access to and requests for sensitive data. If the authentication step of a system is defeated, the other protection schemes in the system are also hard to realise. Since the control units occupy a vital position in industrial systems, security authentication is required for all accessing objects, including user access and access by control equipment such as PLCs, and SCADA systems have strict requirements for the authentication of master-slave communication.
However, the security needs of industrial control systems differ from those of the traditional Internet: they focus more on high availability, real-time behaviour and business continuity. In an emergency, the industrial control system's emergency handling routine must respond quickly so as to reduce the losses caused by a long handling time. Therefore existing mature and robust cryptographic mechanisms cannot be applied directly to device node authentication in SCADA systems; a lightweight identity authentication mechanism must be designed to preserve the speed of the control system's emergency response. The present invention uses a lightweight encryption mechanism suited to SCADA systems to secure master-slave communication, realises mutual authentication between master and slave stations, and thereby realises secure access control for the system.
A literature search shows that the existing security measures for master-slave station authentication and communication in SCADA systems are as follows:
(1) Symmetric encryption algorithms
Master and slave stations exchange information over a communication line, and an intruder who taps that line can obtain the master-slave communication data and attack the industrial control system, so encryption and decryption modules need to be added at the ingress and egress of the slave and master stations. Since SCADA systems have high requirements for both the efficiency and the security of data transmission, choosing a lightweight encryption mechanism lets the system recover quickly after an interruption and reduces losses. Comparing the encryption and decryption times of symmetric and asymmetric algorithms, symmetric algorithms have lower complexity, shorter encryption and decryption times, and generate fewer keys. Therefore symmetric encryption is applied to secure master-slave communication so that the system recovers quickly after an interruption and losses are reduced. Common symmetric algorithms include AES, DES and IDEA. Symmetric encryption is superior in the number of key nodes and in response time and meets the system's need for a lightweight encryption mechanism, but because the same key is used for encryption and decryption, the security of that key is hard to guarantee.
(2) Key update mechanism
A new key management scheme reduces the risk of key exposure by updating keys. The master station is both the initiator of communication and the generator of session keys; adding a session-key update stage and a master-key update stage to the key generation procedure strengthens key security. A master key is shared between master and slave stations. In the session-key update stage the master station randomly generates a session key, encrypts it with the master key and sends the encrypted session key to the corresponding slave station; the slave station receives it, decrypts it with the master key and returns a confirmation to the master station. In the master-key update stage, master and slave stations each receive the encrypted master key from the other, decrypt it with the session key, update the master key, and send a new session key under the updated master key. Introducing Hellman elliptic-curve key agreement in the master-key update stage reduces the possibility of key exposure. The key update mechanism strengthens key security, but it does not provide identity authentication between master and slave stations, so an attacker can obtain the shared key by usurping a communicating party's identity.
(3) Combination with hardware devices
Hardware devices protect key distribution during communication without modifying the SCADA nodes; instead they are integrated directly with traditional equipment. This method introduces identity verification into the master-slave communication link of the SCADA system and protects against attackers altering messages or impersonating a communicating party. It is simple to operate, the key storage device can be integrated directly into SCADA equipment, and compatibility and portability are outstanding, but replacing hardware increases deployment cost.
The above studies show that SCADA systems mainly use symmetric encryption algorithms for encrypted transmission and decryption verification of data, but the security of the session key needs strengthening, the identity authentication mechanism between the communicating parties leaves much to be desired, and existing protection mechanisms cannot effectively prevent illegal access by users and devices.
Summary of the invention
In view of the defects in the prior art, the object of the present invention is to provide an identity authentication method and system between the master station and slave station of a SCADA system that attends to the system's need for a lightweight encryption mechanism while taking key security into account, and effectively realises mutual authentication between master and slave stations.
To solve the above technical problems, the invention provides an identity authentication method between the master station and slave station of a SCADA system, comprising the following steps:
Step A: Master station A creates a service and generates the symmetric polynomial coefficients a_ij. Slave station B establishes a connection with master station A using the IP address of A's server; once the connection is established, B and A share the parameters of the bivariate symmetric polynomial, so that A and B both hold the complete bivariate symmetric polynomial expression.
Step B: After the connection is established, a communication protocol is chosen at the application layer, and master station A and slave station B each use a data frame of that protocol as their own identity identifier, ID_A and ID_B respectively.
Step C: After the connection is set up, A and B exchange identity identifiers, and each substitutes both identifiers into the bivariate symmetric polynomial, obtaining the results f(ID_A, ID_B) and f(ID_B, ID_A).
Step D: A and B exchange their polynomial results. If f(ID_A, ID_B) = f(ID_B, ID_A), A and B have authenticated each other; K_AB = f(ID_A, ID_B) = f(ID_B, ID_A) is computed and the method proceeds to step E. Otherwise it returns to step B.
Step E: The encryption key K_AB is extended so that it meets the AES key length requirement, and the data transmitted between master and slave stations is encrypted with the encryption algorithm.
Preferably, the bivariate symmetric polynomial in step C is a bivariate symmetric polynomial of degree t, satisfying:
Here the bivariate degree-t symmetric polynomial is defined over the finite field GF(q), where q is a prime greater than 10^k and k is the key length; for all i, j, the equation a_ij = a_ji holds; a_ij are the symmetric polynomial coefficients; and x, y are two variables.
Preferably, the coefficients a_ij of the bivariate degree-t symmetric polynomial are generated randomly by master station A during connection setup.
Preferably, in step B, the communication protocol is the Modbus TCP protocol.
Preferably, in step E, the encryption algorithm is the AES symmetric encryption algorithm.
A system is also provided that uses the identity authentication method between SCADA master station A and slave station B.
Compared with the prior art, the beneficial effects of the present invention are as follows:
1. The invention uses a symmetric polynomial to generate the shared key, uses it as the symmetric encryption key, and selects a symmetric encryption algorithm for the message exchange, which reduces computational complexity; the number of keys generated in the whole process is smaller than with an asymmetric scheme. This meets the need for a lightweight cryptographic mechanism in communication between SCADA master station A and slave station B, so that the system can still react quickly in an emergency.
2. While attending to fast system response, the invention also takes key security into account. Because a traditional symmetric algorithm uses the same key for encryption and decryption, its security depends not only on the complexity of the algorithm itself; the security of key management is also an especially prominent issue.
1) Enhanced session key confidentiality
In the symmetric polynomial encryption process, the session key used in the key agreement phase is established through the symmetric polynomial and contains the identity information of both master station A and slave station B, which effectively prevents key theft. For a bivariate polynomial of degree t, the values of t+1 members are needed to reconstruct the polynomial, so an attacker must capture the node key values of at least t+1 members before the polynomial can be reconstructed. Hence, the author argues, even if an attacker obtains the node key values of all members in the communication system, the value of the symmetric polynomial cannot be computed, which secures the session key. Moreover, the shared key computed by each node is independent and cannot be obtained by other nodes, giving good confidentiality and independence.
2) Mutual identity authentication between master and slave stations
Master station A and slave station B use their own identity identifiers ID_A and ID_B to construct the univariate polynomials f(ID_A, y) and f(ID_B, y). Through the established session, A and B compute K_AB = f(ID_A, y)|_{y=ID_B} and K_BA = f(ID_B, y)|_{y=ID_A} respectively. The stations exchange their symmetric polynomial results and compare whether K_AB and K_BA are identical, completing mutual authentication and the establishment of a secure session key. The exchange of symmetric polynomial values authenticates each party to the other, effectively prevents impersonation by illegal nodes, and ensures the integrity and availability of transmitted messages, preventing messages from being tampered with or illegally obtained, which better satisfies the requirements of SCADA encryption mechanisms.
Detailed description of the invention
Other features, objects and advantages of the invention will become more apparent upon reading the detailed description of non-limiting embodiments with reference to the following drawings:
Fig. 1 is a schematic diagram of the overall framework of the identity authentication system between the master station and slave station of a SCADA system according to the invention;
Fig. 2 is a schematic diagram of the master-slave communication process of the method;
Fig. 3 is a schematic diagram of the Modbus TCP data frame used by the method;
Fig. 4 is a schematic diagram of the master-slave symmetric polynomial used by the method.
Specific embodiment
The invention is described in detail below with reference to specific embodiments. The following embodiments will help those skilled in the art to further understand the invention but do not limit it in any way. It should be noted that those of ordinary skill in the art can make several changes and improvements without departing from the inventive concept; these all fall within the scope of protection of the invention.
Because a SCADA system must process a large amount of data in a short time, a lightweight encryption mechanism guarantees fast recovery after a system interruption and reduces losses. Symmetric encryption is superior in the number of key nodes and in response time and meets the need for a lightweight mechanism. But the encryption and decryption key used in symmetric encryption is a single key, so the security of the session key cannot be ignored and the key risks leakage. It follows that confidential transmission of the key during communication is especially important. The invention introduces a bivariate symmetric polynomial into the symmetric key generation step, solving the problem that a single key is easily leaked during establishment, thereby securing the session key generation process and realising identity authentication of master and slave stations.
Specifically, the method introduces symmetric-polynomial encryption into the identity authentication of master and slave stations in a SCADA system. The authentication mechanism is built on a distributed key mechanism in the encryption process, using an identity (ID)-based key mechanism and a symmetric polynomial algorithm. In a key system based on the identities of the communicating parties, the session key is derived from each party's unique identity. Master and slave stations each hold one bivariate symmetric polynomial: the master station generates the symmetric polynomial coefficients during connection setup and passes them to the slave station, so that both possess the same polynomial function. During communication each station evaluates the polynomial with its own identity value, and the two exchange identity values. Finally each substitutes both identity values into the symmetric polynomial, thereby sharing a symmetric key. In this process the stations compute the session key with the symmetric-polynomial key generation mechanism, and by the symmetry of the polynomial both sides obtain the same result.
As shown in Fig. 1, the implementation of the method is divided into three main stages: the master-slave connection establishment stage, the master-slave mutual authentication and key agreement stage, and the master-slave encrypted communication stage. To illustrate the authentication process between master station A and slave station B of the whole SCADA system more clearly, the relevant drawings are attached and explained.
In the connection establishment stage, master and slave stations use Modbus TCP as the application layer protocol. It is built on the TCP/IP protocol suite and uses TCP at the transport layer. Port 502 is the dedicated port for Modbus TCP connections; addressing is done by IP address and port, and since TCP is connection-oriented reliable communication, it carries its own checking. In the whole protocol stack the application layer uses Modbus, so the Master/Slave communication frame structure is mainly used. Before data transmission, a TCP/IP connection is first established between the client and master station A through the sockets interface; once the communication connection between the client and master station A is established, message exchange and data transmission can proceed between the user and A. Modbus TCP exchanges information in real time in Master/Slave mode, in which four kinds of messages are mainly involved in master-slave communication: request, confirmation, indication and response.
Specifically, Modbus TCP communication between master and slave stations is built with Winsock. A Winsock socket identifies a communication process; it contains the IP addresses of the stations, the current link state, the protocol and the address, and a socket is uniquely determined by protocol, address and port. The stations transmit frames that meet the Modbus protocol requirements across the network over TCP/IP. Master station A uses a concurrent model, handling the requests of each slave station B in a separate thread to achieve efficient transmission; sockets are requested by applications and allocated on demand.
In the connection establishment process, master station A performs the following operations: after the socket is created, the socket library must first be initialised; at this point its port number and IP address are both empty. bind() binds the socket address, writing the communication port number (502) and the local IP address. listen() sets the socket to passive mode so that master station A listens for requests from slave station B; accept() extracts the connection request sent by the slave station B process; send() and recv() send and receive information; finally close() closes the socket and cleanup() releases system resources. This is shown in Fig. 2.
The operations performed by slave station B in connecting to master station A are as follows: the socket is created with socket(), a connection request is sent to master station A with connect(), send() and recv() send and receive information during communication, close() closes the socket, and cleanup() releases system resources. This is shown in Fig. 2.
A Modbus TCP data frame is used as the identity of master and slave stations in the communication process; the frame format is shown in Fig. 3. The MBAP is the header of the Modbus TCP frame and occupies its first 7 bytes. The transaction identifier pairs a Modbus request with its response; the protocol identifier indicates the application layer protocol chosen, usually 0 for Modbus and 1 for others; the length gives the size of the data that follows, counted from the current byte; the unit identifier identifies a serial link or other unit reached through another bus; and the function code indicates the specific operation performed in the communication. Thus a Modbus TCP data frame not only carries the communication information but is unique and can be used to identify the master and slave stations. Therefore the invention uses Modbus TCP data frames as ID_A and ID_B.
In the mutual authentication and key agreement stage, master station A and slave station B exchange identity identifiers and substitute them into the polynomial. They then exchange the symmetric polynomial results; if the results agree, A and B have authenticated each other and obtain the value of the shared symmetric polynomial. The master-slave symmetric polynomial calculation process is shown in Fig. 4.
Specifically, a symmetric polynomial is defined as follows. Let f(x_1, x_2, …, x_n) ∈ P[x_1, x_2, …, x_n]. If for all i, j (1 ≤ i, j ≤ n)
f(x_1, …, x_i, …, x_j, …, x_n) = f(x_1, …, x_j, …, x_i, …, x_n),
then the polynomial is called a symmetric polynomial.
The following n polynomials:
σ_1 = x_1 + x_2 + x_3 + … + x_n;
σ_2 = x_1x_2 + x_1x_3 + x_1x_4 + … + x_{n-1}x_n;
…
σ_n = x_1x_2x_3…x_{n-1}x_n;
are called the elementary symmetric polynomials in the n unknowns x_1, x_2, …, x_n.
Sums and products of symmetric polynomials are again symmetric polynomials; in particular, any polynomial in the elementary symmetric polynomials is symmetric. Exchanging the values of any two variables of a symmetric polynomial leaves its value unchanged. For a bivariate polynomial f(x, y) of degree t, with x, y two variables, if f(x, y) = f(y, x) for all x, y, then f(x, y) is called a symmetric bivariate polynomial. A bivariate symmetric polynomial of degree t satisfies:
Here the polynomial is over the finite field GF(q), where q is a prime greater than 10^k and k is the key length (for example, if the key length is 16, q can be a large prime greater than 10^16), and for all i, j the equation a_ij = a_ji holds.
The process by which master and slave stations establish a session key with the symmetric polynomial is as follows. Master station A creates a service and generates the symmetric polynomial coefficients a_ij (a_00, a_01, a_11); slave station B enters the server's IP address to connect to A, and once the connection is established B and A share the symmetric polynomial parameters. After the connection is established, A and B exchange identity identifiers, each using a Modbus TCP data frame as its own identifier. Each substitutes both identifiers into the symmetric polynomial to obtain f(ID_A, ID_B) and f(ID_B, ID_A). A and B exchange their symmetric polynomial results; if f(ID_A, ID_B) = f(ID_B, ID_A), mutual authentication is achieved and K_AB = f(ID_A, ID_B) = f(ID_B, ID_A) is obtained. The key K_AB is then extended to an AES key, and the data transmitted between master and slave stations is encrypted with the AES symmetric encryption algorithm.
In the master-slave encrypted communication stage, the negotiated symmetric polynomial value is expanded to 128 bits to meet the AES key length standard, and finally AES is used to encrypt the data transmitted between master and slave stations and to decrypt and verify it.
Specifically, because the AES block size is fixed and the key length is fixed (this embodiment selects 128 bits), the computed result of the symmetric polynomial must first be expanded so that it meets the AES key requirement. AES operates mainly on a 4 × 4 "state matrix" and encrypts through the four steps AddRoundKey, SubBytes, ShiftRows and MixColumns. AES encrypts and decrypts quickly, has high binary coding density, and its four computation steps are concise and easy to implement in software and hardware; the whole process also needs relatively little memory, which meets the lightweight encryption demand of industrial control systems.
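The session-key procedure described above (steps A to E of the claims), as an added example in Python; this is not the patent's own code. It assumes the standard form f(x, y) = Σ a_ij x^i y^j mod q, which this page does not reproduce; a 64-bit field prime q = 2^64 - 59 (the page only requires q > 10^k); two constructed Modbus TCP frames as the identity identifiers, hashed to obtain a field element; and SHA-256 truncated to 128 bits as the key expansion, which the page leaves unspecified. Beyond what the page describes, share_for shows the Blundo-style variant in which slave station B holds only its own share f(ID_B, y) instead of the complete polynomial and still derives the same K_AB.

```python
"""Added example: symmetric-polynomial mutual authentication and session-key
agreement between SCADA master station A and slave station B. Not the patent's
code; every parameter marked 'assumption' is ours, not the page's."""
import hashlib
import random
from typing import List, Optional

Matrix = List[List[int]]

# Assumption: the field prime. The page only requires q > 10^k for key length k
# (e.g. q > 10^16 for k = 16); 2^64 - 59 is prime and satisfies that.
Q = 2**64 - 59

# Constructed Modbus TCP frames (MBAP header + PDU) used as identity identifiers.
ID_FRAME_A = bytes.fromhex("00010000000601030000000A")  # master: read 10 regs, unit 1
ID_FRAME_B = bytes.fromhex("0001000000061103000A0002")  # slave: unit 0x11 frame


def gen_symmetric_coeffs(t: int, q: int, rng: random.Random) -> Matrix:
    """Step A: master station A generates coefficients a_ij of a degree-t
    bivariate polynomial over GF(q) with a_ij == a_ji, so f(x, y) == f(y, x)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = rng.randrange(q)
    return a


def eval_poly(a: Matrix, x: int, y: int, q: int) -> int:
    """f(x, y) = sum_{i,j=0}^{t} a_ij * x^i * y^j (mod q).
    Assumption: this standard form, which the page does not reproduce."""
    return sum(a[i][j] * pow(x, i, q) * pow(y, j, q)
               for i in range(len(a)) for j in range(len(a))) % q


def share_for(a: Matrix, node_id: int, q: int) -> List[int]:
    """Blundo-style share g(y) = f(node_id, y), a univariate polynomial.
    Beyond the page: a node holding only its share still computes
    f(node_id, peer_id) but does not learn the full coefficient matrix."""
    return [sum(a[i][j] * pow(node_id, i, q) for i in range(len(a))) % q
            for j in range(len(a))]


def eval_share(share: List[int], peer_id: int, q: int) -> int:
    """Evaluate a share g(y) at the peer's identifier."""
    return sum(c * pow(peer_id, j, q) for j, c in enumerate(share)) % q


def id_from_frame(frame: bytes, q: int) -> int:
    """Step B: map the Modbus TCP frame used as identifier onto a field element
    (assumption: hash then reduce; the page only says the frame is the ID)."""
    return int.from_bytes(hashlib.sha256(frame).digest(), "big") % q


def expand_key(k_ab: int) -> bytes:
    """Step E: expand K_AB to the 128-bit AES key length. The page does not
    specify the expansion; assumption: SHA-256 of the value, truncated."""
    return hashlib.sha256(k_ab.to_bytes(32, "big")).digest()[:16]


def authenticate(a_master: Matrix, a_slave: Matrix, id_a: int, id_b: int,
                 q: int) -> Optional[bytes]:
    """Steps C-D: each station evaluates the polynomial it holds on the two
    exchanged identifiers; A sends f(ID_A, ID_B), B sends f(ID_B, ID_A), and
    the values must agree. Returns the AES-128 key, or None on mismatch."""
    f_ab = eval_poly(a_master, id_a, id_b, q)   # computed at master station A
    f_ba = eval_poly(a_slave, id_b, id_a, q)    # computed at slave station B
    if f_ab != f_ba:  # peer does not hold the same symmetric polynomial
        return None
    return expand_key(f_ab)  # K_AB = f(ID_A, ID_B) = f(ID_B, ID_A)


def run_demo(seed: int = 1, t: int = 2) -> dict:
    """Whole exchange; seeded only so the demonstration is repeatable."""
    rng = random.Random(seed)
    a = gen_symmetric_coeffs(t, Q, rng)
    id_a, id_b = id_from_frame(ID_FRAME_A, Q), id_from_frame(ID_FRAME_B, Q)
    key = authenticate(a, a, id_a, id_b, Q)       # B holds the shared polynomial
    impostor = gen_symmetric_coeffs(t, Q, random.Random(seed + 1))
    rejected = authenticate(a, impostor, id_a, id_b, Q) is None  # wrong polynomial
    share_key = expand_key(eval_share(share_for(a, id_b, Q), id_a, Q))  # share-only B
    return {"key": key, "rejected": rejected, "share_matches": share_key == key,
            "symmetric": all(a[i][j] == a[j][i]
                             for i in range(t + 1) for j in range(t + 1))}


if __name__ == "__main__":
    r = run_demo()
    print("K_AB as AES-128 key:", r["key"].hex())
    print("impostor rejected:", r["rejected"], "| share-only B matches:", r["share_matches"])
```

Running it prints the derived AES-128 key, shows that a peer holding a different coefficient matrix is rejected, and shows that a share-only slave derives the same K_AB. Two points a practitioner should note: expanding the value to 128 bits cannot add entropy, so the key carries at most log2(q) bits (about 64 here, about 53 for the page's q > 10^16 example); and because the values f(ID_A, ID_B) are exchanged over the wire, anyone who observes that exchange, or the polynomial parameters shared at connection setup, can compute K_AB, so sending a hash or MAC of the value instead and distributing the coefficients out of band are the usual hardening steps.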
The present invention also provides a system that uses the identity authentication method between SCADA system master station A and slave station B.
Specific embodiments of the present invention have been described above. It should be understood that the invention is not limited to the particular embodiments above; those skilled in the art can make various changes or modifications within the scope of the claims without affecting the substance of the invention. Where there is no conflict, the embodiments of this application and the features in the embodiments can be combined with each other arbitrarily.
Claims (6)
1. An identity authentication method between a SCADA system master station and slave station, comprising the following steps:
Step A: master station A creates the service and generates the symmetric polynomial coefficients a_ij; slave station B establishes a connection with master station A according to the IP address of the master station A server; after the connection is successfully established, slave station B and master station A share the bivariate symmetric polynomial parameters, and master station A and slave station B each hold the complete bivariate symmetric polynomial expression;
Step B: after the connection is established, a communication protocol is chosen at the application layer, and master station A and slave station B each use a data frame of that communication protocol as their own identity identifier ID_A, ID_B;
Step C: after the connection is set up, master station A and slave station B exchange their identity identifiers, and master station A and slave station B each substitute the two identifiers into the bivariate symmetric polynomial and compute the results f(ID_A, ID_B), f(ID_B, ID_A);
Step D: master station A and slave station B exchange their bivariate symmetric polynomial computation results; if f(ID_A, ID_B) = f(ID_B, ID_A), master station A and slave station B have achieved mutual authentication and compute K_AB = f(ID_A, ID_B) = f(ID_B, ID_A), and execution continues with step E; otherwise, return to step B;
Step E: the encryption key K_AB is expanded so that K_AB meets the AES key length requirement, and the data content transmitted between the master and slave stations is encrypted with the encryption algorithm.
2. The identity authentication method between a SCADA system master station and slave station according to claim 1, characterized in that the bivariate symmetric polynomial in step C is a bivariate symmetric polynomial of degree t over the finite field GF(q), where q is a prime greater than 10^k, k is the key length, a_ij = a_ji holds for arbitrary i, j, a_ij denotes the symmetric polynomial coefficients, and x, y denote two random variables.
3. The identity authentication method between a SCADA system master station and slave station according to claim 2, characterized in that the symmetric polynomial coefficients a_ij of the bivariate symmetric polynomial of degree t are randomly generated by master station A during connection setup.
4. The identity authentication method between a SCADA system master station and slave station according to claim 1, characterized in that in step B the communication protocol is the Modbus TCP protocol.
5. The identity authentication method between a SCADA system master station and slave station according to claim 1, characterized in that in step E the encryption algorithm is the AES symmetric encryption algorithm.
6. A system for identity authentication between a SCADA system master station and slave station, characterized in that the system uses the identity authentication method between a SCADA system master station and slave station according to any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201511026877.9A CN105610837B (en) | 2015-12-31 | 2015-12-31 | Identity authentication method and system between SCADA system master station and slave station |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105610837A CN105610837A (en) | 2016-05-25 |
CN105610837B true CN105610837B (en) | 2018-12-18 |
Family
ID=55990375
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201511026877.9A Active CN105610837B (en) | Identity authentication method and system between SCADA system master station and slave station | 2015-12-31 | 2015-12-31 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105610837B (en) |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106301793B (en) * | 2016-09-06 | 2018-04-10 | 中国电子技术标准化研究院 | A kind of method of PLC certifications and secure communication |
CN108965326A (en) * | 2018-08-21 | 2018-12-07 | 南京国电南自电网自动化有限公司 | A kind of boss's station secure communication control method and system based on user identity authentication |
CN111865908B (en) * | 2020-06-08 | 2022-05-17 | 杭州电子科技大学 | Resource-constrained system secure communication method based on random encryption strategy |
CN112242993B (en) * | 2020-09-02 | 2022-10-21 | 海量安全技术有限公司 | Bidirectional authentication method and system |
CN112383916B (en) * | 2020-11-12 | 2023-06-27 | 刘中亚 | Key management method based on dynamic coefficient symmetric polynomial |
CN112468493A (en) * | 2020-11-25 | 2021-03-09 | 上海电气风电集团股份有限公司 | Data transmission method, identity recognition method and system based on field bus |
CN113093678B (en) * | 2021-04-07 | 2022-12-20 | 国能(泉州)热电有限公司 | Data processing method for power plant DCS (distributed control System) |
CN113285946B (en) * | 2021-05-20 | 2023-08-15 | 中国联合网络通信集团有限公司 | Equipment authentication method and device |
CN113709184B (en) * | 2021-10-08 | 2023-03-24 | 天津创发科技有限公司 | Data encryption method and system applied to railway Internet of things |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105049434A (en) * | 2015-07-21 | 2015-11-11 | 中国科学院软件研究所 | Identity authentication method and encryption communication method under peer-to-peer network environment |
CN105162797A (en) * | 2015-09-24 | 2015-12-16 | 广东工业大学 | Bidirectional authentication method based on video surveillance system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9288670B2 (en) * | 2013-04-19 | 2016-03-15 | T-Mobile Usa, Inc. | Dynamic distribution of authentication sessions |
- 2015-12-31: CN application CN201511026877.9A, patent CN105610837B, status Active
Non-Patent Citations (1)
Title |
---|
Luo Bin, "Research on network security technology and methods for power SCADA systems" (《电力SCADA系统网络安全技术与方法研究》), Information Security and Communications Privacy (《信息安全与通信保密》), 2014-06-30 (No. 6), full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||