CN108810023A - Safe encryption method, key sharing method and safety encryption isolation gateway - Google Patents

Safe encryption method, key sharing method and safety encryption isolation gateway

Info

Publication number: CN108810023A
Authority: CN (China)
Prior art keywords: data packet, session key, key, mac, side terminal
Legal status: Pending
Application number: CN201810794868.1A
Other languages: Chinese (zh)
Inventors: 樊琳, 庞振江, 杜君, 陈奇辉, 王辉, 郭艳鹏
Current assignee: State Grid Information and Telecommunication Co Ltd; Beijing Smartchip Microelectronics Technology Co Ltd
Original assignee: State Grid Information and Telecommunication Co Ltd; Beijing Smartchip Microelectronics Technology Co Ltd

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 ... for separating internal from external traffic, e.g. firewalls
              • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
              • H04L63/0227 Filtering policies
                • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                • H04L63/0245 Filtering by information in the payload
              • H04L63/0272 Virtual private networks
            • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            • H04L63/06 ... for supporting key management in a packet data network
              • H04L63/061 ... for key exchange, e.g. in peer-to-peer networks
            • H04L63/12 Applying verification of the received information
              • H04L63/123 ... received data contents, e.g. message integrity
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
            • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3236 ... using cryptographic hash functions
                • H04L9/3242 ... involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Power Engineering
  • Small-Scale Networks

Abstract

The invention discloses a secure encryption method, a key sharing method and a secure encryption isolation gateway. The secure encryption method comprises the following steps: receiving a data packet on the downlink; querying whether the session key of the receiving-side terminal of the received data packet is held locally; if there is no session key locally, querying the key sharing server whether it has the session key of the receiving-side terminal of the received data packet; if the key sharing server does not have the session key, starting the session key negotiation procedure; if the receiving-side terminal is judged through the session key negotiation procedure to be a legitimate user, encrypting the data packet with the session key; performing a MAC operation on the encrypted data packet to obtain the MAC part of the data packet; and encapsulating the encrypted data packet together with its MAC part as a SAL protocol message. The secure encryption method of the invention effectively prevents attacks and virus infiltration from the external network, and has high security and reliability.

Description

Safe encryption method, key sharing method and safety encryption isolation gateway
Technical field
The present invention relates to the field of power information systems, and in particular to a power-dedicated secure encryption method, a key sharing method and a secure encryption isolation gateway.
Background technology
The power utilization information collection system (hereinafter "the collection system") is a key service system of the residential and commercial electricity infrastructure. It comprises the collection system master station, the communication front-end, the communication channel and the terminal devices. The collection system is deployed centrally; terminal devices access the collection system master station through operator wireless private networks such as GPRS/CDMA/3G/4G wireless APN private networks, 230 wireless private networks, the Beidou (Big Dipper) network and dedicated optical fibre channels. However, the collection system master station is exposed to various attacks from the public network, so security protection must be strengthened in the access zone of the collection system master station, in order to achieve network isolation of the master station, terminal identity authentication, service protocol filtering and service message transmission protection, and thereby reduce the risk of intrusion at the access boundary of the master station system.
Functionally, conventional secure access gateway devices mainly implement terminal security authentication over a secure channel layer and establish a two-way encrypted tunnel from the access side to the application system for data encryption. The cryptographic algorithms used are generally international algorithms; secure access gateway devices supporting the national commercial algorithms SM1/SM2/SM3 are rare. Moreover, traditional secure access gateway devices generally have no network security isolation function, and cannot meet the requirements imposed by the large number of collection system terminals and the correspondingly higher demands on device performance (SM1 encryption rate 2.4 Gbps, SM2 signing rate 20000 TPS, SM2 signature verification rate 10000 TPS, SM3 computation rate 8 Gbps, terminal access capacity 600,000 per device).
The information disclosed in this background section is only intended to enhance understanding of the general background of the invention, and should not be taken as an acknowledgement or any form of suggestion that this information constitutes prior art already known to a person skilled in the art.
Summary of the invention
The object of the present invention is to provide a power-dedicated secure encryption method that effectively prevents attacks from the external network and has high reliability.
Another object of the present invention is to provide a key sharing method and a secure encryption isolation gateway.
To achieve the above objects, the present invention provides a power-dedicated secure encryption method comprising the following steps: receiving a data packet on the downlink; querying whether the session key of the receiving-side terminal of the received data packet is held locally; if there is no session key locally, querying the key sharing server whether it has the session key of the receiving-side terminal of the received data packet; if the key sharing server does not have the session key, starting the session key negotiation procedure; if the receiving-side terminal is judged through the session key negotiation procedure to be a legitimate user, encrypting the data packet with the session key; performing a MAC operation on the encrypted data packet to obtain the MAC part of the data packet; and encapsulating the encrypted data packet and the MAC part of the data packet as a SAL protocol message.
In a preferred embodiment, the session key negotiation procedure comprises the following steps: sending a session establishment request message to the receiving-side terminal; the receiving-side terminal judging the identity of the security gateway on the basis of the session establishment request message; if the security gateway is judged to be a legitimate security gateway, the receiving-side terminal sending a session establishment response message; the security gateway performing signature verification on the session establishment response message; if the receiving-side terminal is judged to be a legitimate user, sending a key negotiation request message to the receiving-side terminal; and, after receiving the key negotiation request message, the receiving-side terminal sending a key negotiation response message.
The present invention also provides a power-dedicated secure encryption method comprising the following steps: receiving a data packet on the uplink; verifying and decapsulating the data packet end to end; querying whether the session key of the sending-side terminal that sent the data packet is held locally; if there is no session key locally, querying the key sharing server whether it has the session key of the sending-side terminal that sent the data packet; if the key sharing server does not have the session key, starting the session key negotiation procedure; if the sending-side terminal is judged through the session key negotiation procedure to be a legitimate user, decrypting the data packet with the session key obtained by negotiation; and sending the decrypted data packet to the acquisition front-end.
In a preferred embodiment, the session key negotiation procedure comprises the following steps: sending a session establishment request message to the sending-side terminal; the sending-side terminal judging the identity of the security gateway on the basis of the session establishment request message; if the security gateway is judged to be a legitimate security gateway, the sending-side terminal sending a session establishment response message; the security gateway performing signature verification on the session establishment response message; if the sending-side terminal is judged to be a legitimate user, sending a key negotiation request message to the sending-side terminal; and, after receiving the key negotiation request message, the sending-side terminal sending a key negotiation response message.
In a preferred embodiment, if the session key of the sending-side terminal that sent the data packet is held locally, the following operations are performed: performing a MAC calculation on the decapsulated data packet; comparing the calculated MAC with the MAC in the decapsulated data packet; if the calculated MAC is identical to the MAC in the decapsulated data packet, decrypting the data packet with the session key and sending the decrypted data packet to the acquisition front-end; if the calculated MAC differs from the MAC in the decapsulated data packet, generating an error response data packet and sending the error response data packet to the acquisition front-end.
The present invention also provides a secure encryption isolation gateway that is communicatively connected to an acquisition front-end and a communication front-end respectively. The acquisition front-end is configured to receive data packets on the downlink. The secure encryption isolation gateway comprises an intranet processing unit, an extranet processing unit and an isolation exchange unit, the isolation exchange unit being configured to: query whether the session key of the receiving-side terminal of the received data packet is held locally; if there is no session key locally, query the key sharing server whether it has the session key of the receiving-side terminal of the received data packet; if the key sharing server does not have the session key, start the session key negotiation procedure; if the receiving-side terminal is judged through the session key negotiation procedure to be a legitimate user, control the cryptographic operation unit to encrypt the data packet with the session key; perform a MAC operation on the encrypted data packet to obtain the MAC part of the data packet; and encapsulate the encrypted data packet and the MAC part of the data packet as a SAL protocol message.
The present invention also provides a secure encryption isolation gateway that is communicatively connected to an acquisition front-end and a communication front-end respectively. The communication front-end is configured to receive data packets on the uplink. The secure encryption isolation gateway comprises an intranet processing unit, an extranet processing unit and an isolation exchange unit, the isolation exchange unit being configured to: verify and decapsulate the data packet end to end; query whether the session key of the sending-side terminal that sent the data packet is held locally; if there is no session key locally, query the key sharing server whether it has the session key of the sending-side terminal that sent the data packet; if the key sharing server does not have the session key, start the session key negotiation procedure; if the sending-side terminal is judged through the session key negotiation procedure to be a legitimate user, decrypt the data packet with the session key obtained by negotiation; and send the decrypted data packet to the acquisition front-end.
In a preferred embodiment, if the session key of the sending-side terminal that sent the data packet is held locally, the following operations are performed: performing a MAC calculation on the decapsulated data packet; comparing the calculated MAC with the MAC in the decapsulated data packet; if the calculated MAC is identical to the MAC in the decapsulated data packet, decrypting the data packet with the session key and sending the decrypted data packet to the acquisition front-end; and if the calculated MAC differs from the MAC in the decapsulated data packet, generating an error response data packet and sending the error response data packet to the acquisition front-end.
The present invention provides a power-dedicated security key sharing method comprising the following steps: receiving a data packet on the downlink; querying whether the session key of the receiving-side terminal of the received data packet is held locally; if there is no session key locally, querying the key sharing server whether it has the session key of the receiving-side terminal of the received data packet; if the key sharing server does not have the session key, starting the session key negotiation procedure; after completing the session key negotiation procedure, generating the session key; and uploading the generated session key to the sharing server in real time, whereby the sharing server can share the stored session key with multiple different gateways.
Compared with the prior art, the power-dedicated secure encryption method, key sharing method and secure encryption isolation gateway of the invention have the following advantages. The secure encryption isolation gateway of the invention is based entirely on the national commercial algorithms SM1/SM2/SM3; it uses a red-black isolation architecture and cryptography-based isolation technology to achieve logical isolation between the system intranet and extranet, effectively preventing attacks and virus infiltration from the extranet. It prevents cross-network intrusion by invalid data through techniques such as protocol blocking, format checking and protocol analysis. It builds a secure channel between the gateway and the acquisition terminals, encrypting the data and encapsulating and computing a message authentication code, so as to provide confidentiality and integrity at the transport layer. Using dedicated hardware cryptographic processing units and multi-core concurrent processors, it supports massive terminal access and high-speed message encryption and decryption. Through session key sharing and a hierarchical encryption protection mechanism, it provides high reliability. The secure encryption isolation gateway of the invention is significantly improved in algorithm performance, security, reliability and availability, matches the collection system business well, and can meet the service security and performance requirements of the collection system.
Description of the drawings
Fig. 1 is a flow diagram of the power-dedicated secure encryption method according to a preferred embodiment of the invention.
Fig. 2 is a flow diagram of the power-dedicated secure encryption method according to another preferred embodiment of the invention.
Fig. 3 is a flow diagram of the power-dedicated security key sharing method according to another preferred embodiment of the invention.
Fig. 4 is a logical composition diagram of the power-dedicated secure encryption isolation gateway according to a preferred embodiment of the invention.
Fig. 5 is a schematic diagram of the physical composition of the isolation card according to a preferred embodiment of the invention.
Fig. 6 is a schematic diagram of the SAL encapsulation format according to a preferred embodiment of the invention.
Fig. 7 is an information flow diagram of the terminal identity authentication and key negotiation process according to a preferred embodiment of the invention.
Fig. 8 is a structural schematic diagram of the key sharing system according to a preferred embodiment of the invention.
Detailed description of embodiments
The specific embodiments of the invention are described in detail below with reference to the accompanying drawings. It is to be understood that the scope of protection of the invention is not limited by the specific embodiments.
Unless explicitly stated otherwise, throughout the specification and claims the term "comprising" or its variants such as "comprises" or "including" will be understood to include the stated element or component without excluding other elements or components.
As shown in Fig. 1, the secure encryption method of a preferred embodiment of the invention comprises the following steps. Step 101: receive a data packet on the downlink. Step 102: query whether the session key of the receiving-side terminal of the received data packet is held locally. Step 103: if there is no session key locally, query the key sharing server whether it has the session key of the receiving-side terminal of the received data packet. Step 104: if the key sharing server does not have the session key, start the session key negotiation procedure. Step 105: if the receiving-side terminal is judged through the session key negotiation procedure to be a legitimate user, encrypt the data packet with the session key. Step 106: perform a MAC operation on the encrypted data packet to obtain the MAC part of the data packet. Step 107: encapsulate the encrypted data packet and the MAC part of the data packet as a SAL protocol message.
In the above scheme, the session key negotiation procedure comprises the following steps: sending a session establishment request message to the receiving-side terminal; the receiving-side terminal judging the identity of the security gateway on the basis of the session establishment request message; if the security gateway is judged to be a legitimate security gateway, the receiving-side terminal sending a session establishment response message; the security gateway performing signature verification on the session establishment response message; if the receiving-side terminal is judged to be a legitimate user, sending a key negotiation request message to the receiving-side terminal; and, after receiving the key negotiation request message, the receiving-side terminal sending a key negotiation response message.
As shown in Fig. 2, the secure encryption method of a preferred embodiment of the invention comprises the following steps. Step 201: receive a data packet on the uplink. Step 202: verify and decapsulate the data packet end to end. Step 203: query whether the session key of the sending-side terminal that sent the data packet is held locally. Step 204: if there is no session key locally, query the key sharing server whether it has the session key of the sending-side terminal that sent the data packet. Step 205: if the key sharing server does not have the session key, start the session key negotiation procedure. Step 206: if the sending-side terminal is judged through the session key negotiation procedure to be a legitimate user, decrypt the data packet with the session key obtained by negotiation. Step 207: send the decrypted data packet to the acquisition front-end.
As shown in Fig. 3, the invention also provides a power-dedicated security key sharing method comprising the following steps. Step 301: receive a data packet on the downlink. Step 302: query whether the session key of the receiving-side terminal of the received data packet is held locally. Step 303: if there is no session key locally, query the key sharing server whether it has the session key of the receiving-side terminal of the received data packet. Step 304: if the key sharing server does not have the session key, start the session key negotiation procedure. Step 305: after completing the session key negotiation procedure, generate the session key. Step 306: upload the generated session key to the sharing server in real time, whereby the sharing server can share the stored session key with multiple different gateways.
As shown in Fig. 4, the secure encryption isolation gateway of an embodiment of the invention is communicatively connected to an acquisition front-end and a communication front-end respectively, and comprises an intranet processing unit, an extranet processing unit, an isolation exchange unit and a cryptographic processing unit. The extranet processing unit connects to the external network of the collection system, and the intranet processing unit connects to the collection system intranet. The extranet processing unit and the intranet processing unit are configured with dual network cards on different VLANs, and application-layer data payloads are transmitted between them through the isolation exchange unit, so that the important network segments inside the collection system are reliably logically isolated from the external network and the risk of boundary intrusion is reduced. The cryptographic operation unit of the power-dedicated secure encryption isolation gateway provides cryptographic services based on the national commercial algorithms, and on this basis implements identity authentication between the device and the acquisition terminals, session key negotiation between the device and the acquisition terminals, and encryption of sensitive messages between the device and the acquisition terminals.
The isolation exchange unit sits between the intranet processing unit and the extranet processing unit and ensures security isolation between intranet and extranet in hardware. The cryptographic processing unit sits on the upper side of the isolation exchange unit and provides cryptographic services for the flow-through processing of the isolation exchange unit. External network data can only enter the intranet unit after cryptographic verification and decryption by the cryptographic processing unit, which effectively prevents the intranet from being attacked from the extranet.
To achieve physical isolation between the internal and external networks, the intranet/extranet boundary and each network isolation interface are implemented with isolation cards. Each isolation card communicates with its backplane through a PCIE 8X interface; the isolation cards interact and forward through optical ports at a forwarding rate of 2.4 Gbps. Each isolation card uses an FPGA design comprising a hardware DMA controller, an isolated data storage area, an isolation exchange control unit and a PCIE IP core. Fig. 5 is a schematic diagram of the physical composition of the isolation card according to an embodiment of the invention. As shown, the isolation card comprises a hardware DMA controller 501, an isolated data storage area 502, an isolation exchange control unit 503 and a PCIE IP core 504.
A transport-layer encrypted channel is established between the gateway and the terminal, and the power information collection protocol exchanged between the acquisition server and the terminal is encapsulated, encrypted and integrity-protected, ensuring that the application protocol and business data are invisible to the public network and preventing attacks on the master station that exploit the SAL protocol. Fig. 6 is a schematic diagram of the SAL encapsulation format according to an embodiment of the invention. As shown in Fig. 6, the steps of encapsulation and encryption are: SAL encapsulation; encryption; adding a SAL header before and a SAL tail after the ciphertext, the SAL tail being an integrity check over the whole message. The steps of decryption and decapsulation are: recomputing and checking the header and tail to verify the integrity of the message; then decrypting the application data while computing and verifying the CRC of the application data. Passing this check shows both that decryption was correct and that the message came from a legitimate terminal.
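The encapsulation and decapsulation sequence of Fig. 6, together with the MAC-check branch of the uplink path (step 202 and the preferred embodiment above), as an added Go example; this is not the patent's code. The field widths of the header and tail are assumptions of this example, and AES-128-CTR with HMAC-SHA256 stand in for the device's SM1 and SM3, which Go's standard library does not provide. The error values are what the gateway would turn into an error response packet instead of forwarding to the acquisition front-end.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Assumed SAL layout (Fig. 6 only fixes header / ciphertext / tail; the field
// widths are this example's, and AES-128-CTR and HMAC-SHA256 stand in for SM1 and SM3):
//   header : 1-byte version | 2-byte ciphertext length | 16-byte IV
//   body   : AES-128-CTR(appData || CRC32(appData))
//   tail   : HMAC-SHA256 over header || body
const (
	salVersion = 0x01
	ivLen      = 16
	headerLen  = 1 + 2 + ivLen
	tailLen    = sha256.Size
)

var ErrBadHeader = errors.New("sal: malformed header")
var ErrBadMAC = errors.New("sal: tail integrity check failed")
var ErrBadCRC = errors.New("sal: application data CRC mismatch")

// SessionKey is the 32-byte negotiated key: first half encrypts, second half authenticates.
type SessionKey [32]byte

func ctrXor(k SessionKey, iv, in []byte) []byte {
	block, _ := aes.NewCipher(k[:16]) // a 16-byte key never fails
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

func tailMAC(k SessionKey, headerAndBody []byte) []byte {
	m := hmac.New(sha256.New, k[16:])
	m.Write(headerAndBody)
	return m.Sum(nil)
}

// Encapsulate is the downlink path: SAL encapsulation (append the CRC), encryption,
// then SAL header and tail; the tail authenticates the ciphertext, not the plaintext.
func Encapsulate(k SessionKey, appData []byte) ([]byte, error) {
	if len(appData)+4 > 0xFFFF {
		return nil, errors.New("sal: payload too large for the 2-byte length field")
	}
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	plain := make([]byte, len(appData)+4)
	copy(plain, appData)
	binary.LittleEndian.PutUint32(plain[len(appData):], crc32.ChecksumIEEE(appData))
	body := ctrXor(k, iv, plain)
	msg := make([]byte, headerLen, headerLen+len(body)+tailLen)
	msg[0] = salVersion
	binary.BigEndian.PutUint16(msg[1:3], uint16(len(body)))
	copy(msg[3:], iv)
	msg = append(msg, body...)
	return append(msg, tailMAC(k, msg)...), nil
}

// Decapsulate is the uplink path: check the header and the tail MAC (in constant
// time, before anything is decrypted), then decrypt and verify the inner CRC.
func Decapsulate(k SessionKey, msg []byte) ([]byte, error) {
	if len(msg) < headerLen+tailLen || msg[0] != salVersion {
		return nil, ErrBadHeader
	}
	bodyLen := int(binary.BigEndian.Uint16(msg[1:3]))
	if len(msg) != headerLen+bodyLen+tailLen {
		return nil, ErrBadHeader
	}
	if !hmac.Equal(tailMAC(k, msg[:headerLen+bodyLen]), msg[headerLen+bodyLen:]) {
		return nil, ErrBadMAC // the gateway answers with an error response instead of forwarding
	}
	plain := ctrXor(k, msg[3:headerLen], msg[headerLen:headerLen+bodyLen])
	if len(plain) < 4 {
		return nil, ErrBadCRC
	}
	appData, crc := plain[:len(plain)-4], plain[len(plain)-4:]
	if crc32.ChecksumIEEE(appData) != binary.LittleEndian.Uint32(crc) {
		return nil, ErrBadCRC
	}
	return appData, nil
}

func main() {
	var k SessionKey
	rand.Read(k[:]) // constructed session key; normally the negotiated one
	record := []byte("constructed meter record: 12345 kWh")
	msg, _ := Encapsulate(k, record)
	got, err := Decapsulate(k, msg)
	fmt.Println("round trip:", string(got) == string(record), err)
	msg[headerLen] ^= 0x80 // one ciphertext bit flipped in transit
	_, err = Decapsulate(k, msg)
	fmt.Println("tampered packet:", err)
}
```

The order of checks is the point: the tail MAC is verified over header and ciphertext before any decryption, so a forged or corrupted packet is rejected without the cipher ever being driven by attacker-controlled data, and the CRC inside the plaintext only serves as the final sanity check that the text of the patent describes.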
As shown in Fig. 7, the terminal identity authentication and key negotiation process of an embodiment of the invention is as follows, taking the uplink communication process as an example. When a terminal needs to send information to the intranet, it first sends a login message 701; after receiving the login message, the collector sends a login response message 702; after receiving the login response message 702, the terminal starts the handshake procedure. The handshake procedure comprises: sending a session establishment request message 703 to the sending-side terminal; the sending-side terminal judging the identity of the security gateway on the basis of the session establishment request message; if the security gateway is judged to be a legitimate security gateway, the sending-side terminal sending a session establishment response message 704; the security gateway performing signature verification on the session establishment response message; if the sending-side terminal is judged to be a legitimate user, sending a key negotiation request message 705 to the sending-side terminal; and, after receiving the key negotiation request message, the sending-side terminal sending a key negotiation response message 706.
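The handshake of messages 703 to 706 as an added Go example, not the patent's code: Ed25519 identity signatures stand in for the SM2 signatures each side verifies to judge the other legitimate, and an ephemeral P-256 ECDH exchange stands in for the key negotiation. The message layout, the transcript binding and the party names are assumptions of this example; it needs Go 1.20 or later for crypto/ecdh.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Msg is one handshake message of Fig. 7: Type is the figure's label (703-706), Data a
// 16-byte nonce (703/704) or an ephemeral P-256 public key (705/706), Sig the sender's
// Ed25519 signature over Type, Data and the transcript so far (layout assumed here).
type Msg struct {
	Type, From string
	Data, Sig  []byte
}

// Party is the security gateway or a terminal. Trusted holds the identity keys it
// accepts: a valid signature under one of them is what makes the peer legitimate.
type Party struct {
	Name       string
	SignPub    ed25519.PublicKey
	Trusted    map[string]ed25519.PublicKey
	SessionKey [32]byte
	signKey    ed25519.PrivateKey
	tr         []byte // transcript: every message type and payload so far
	eph        *ecdh.PrivateKey
}

func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Party{Name: name, SignPub: pub, signKey: priv, Trusted: map[string]ed25519.PublicKey{}}, err
}

// toSign binds a message to everything exchanged before it (all fields are fixed width).
func (p *Party) toSign(typ string, data []byte) []byte {
	return append(append([]byte(typ), data...), p.tr...)
}

// Step verifies the incoming message (nil when the gateway opens with 703), emits
// the next one (none after 706) and, once the peer's ephemeral key has arrived,
// derives the session key from the ECDH secret and the whole transcript.
func (p *Party) Step(in *Msg, expect, out string) (*Msg, error) {
	if in != nil {
		if pub, ok := p.Trusted[in.From]; !ok || in.Type != expect ||
			!ed25519.Verify(pub, p.toSign(in.Type, in.Data), in.Sig) {
			return nil, fmt.Errorf("%s: rejected %s from %q (untrusted identity or bad signature)", p.Name, in.Type, in.From)
		}
		p.tr = append(append(p.tr, in.Type...), in.Data...)
	}
	var m *Msg
	if out != "" {
		data := make([]byte, 16) // nonce for 703/704
		if _, err := rand.Read(data); err != nil {
			return nil, err
		}
		if out == "705" || out == "706" { // key negotiation messages carry a public key instead
			priv, err := ecdh.P256().GenerateKey(rand.Reader)
			if err != nil {
				return nil, err
			}
			p.eph, data = priv, priv.PublicKey().Bytes()
		}
		m = &Msg{Type: out, From: p.Name, Data: data, Sig: ed25519.Sign(p.signKey, p.toSign(out, data))}
		p.tr = append(append(p.tr, out...), data...)
	}
	if in != nil && (in.Type == "705" || in.Type == "706") {
		pub, err := ecdh.P256().NewPublicKey(in.Data)
		if err != nil {
			return nil, err
		}
		shared, err := p.eph.ECDH(pub)
		if err != nil {
			return nil, err
		}
		p.SessionKey = sha256.Sum256(append(shared, p.tr...)) // bound to both nonces and both keys
	}
	return m, nil
}

// RunHandshake drives messages 703 to 706 between a gateway and a terminal.
func RunHandshake(gw, term *Party) (err error) {
	gw.tr, term.tr = nil, nil // every session starts from an empty transcript
	var m *Msg
	for _, s := range []struct {
		p           *Party
		expect, out string
	}{{gw, "", "703"}, {term, "703", "704"}, {gw, "704", "705"}, {term, "705", "706"}, {gw, "706", ""}} {
		if m, err = s.p.Step(m, s.expect, s.out); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	gw, _ := NewParty("security-gateway")
	term, _ := NewParty("terminal-0001")
	gw.Trusted[term.Name], term.Trusted[gw.Name] = term.SignPub, gw.SignPub // keys provisioned in advance
	fmt.Println("handshake error:", RunHandshake(gw, term), "keys agree:", gw.SessionKey == term.SessionKey)
}
```

Each signature covers the running transcript, so message 704 proves the terminal saw the gateway's fresh nonce from 703 and message 706 proves the terminal saw the gateway's ephemeral key from 705; a party whose identity key is not in the peer's trust store is rejected at the first message it sends, which is the "legitimate gateway" and "legitimate user" judgement of the text.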
As shown in Fig. 8, the key sharing system of a preferred embodiment of the invention comprises gateway A, gateway B, a terminal and a key sharing server. The terminal can perform key negotiation with gateway A, and gateway A can upload the negotiated key to the key sharing server. When gateway A is damaged, the other gateway B can request the key from the key sharing server and verify the terminal. Through the key sharing scheme, the gateway service achieves "load balancing, shared backup, disaster-tolerant storage and effective continuity", improving the availability and reliability of the system as a whole.
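The lookup order of steps 301-306 and the gateway A / gateway B failover of Fig. 8, as an added Go example that is not part of the patent: a constructed in-memory key sharing server, two gateways with their own local caches, and an allow-list negotiator standing in for the Fig. 7 handshake. Terminal and gateway names are constructed.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// SessionKey is the key negotiated between a gateway and one terminal.
type SessionKey [32]byte

// KeyServer is a constructed in-memory stand-in for the key sharing server;
// every gateway reads from and uploads to the same instance.
type KeyServer struct {
	mu   sync.Mutex
	keys map[string]SessionKey // terminal ID -> session key
}

func NewKeyServer() *KeyServer { return &KeyServer{keys: map[string]SessionKey{}} }

func (s *KeyServer) Lookup(terminal string) (SessionKey, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	k, ok := s.keys[terminal]
	return k, ok
}

func (s *KeyServer) Upload(terminal string, k SessionKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[terminal] = k
}

// Negotiator stands for the session key negotiation procedure of Fig. 7; it
// returns the agreed key and whether the terminal proved to be a legitimate user.
type Negotiator func(terminal string) (key SessionKey, legitimate bool, err error)

// Gateway holds the local session key cache of one secure encryption isolation gateway.
type Gateway struct {
	Name         string
	Negotiations int // how many times the full handshake actually ran
	local        map[string]SessionKey
	server       *KeyServer
	negotiate    Negotiator
}

func NewGateway(name string, server *KeyServer, n Negotiator) *Gateway {
	return &Gateway{Name: name, local: map[string]SessionKey{}, server: server, negotiate: n}
}

var ErrIllegitimateTerminal = errors.New("terminal was not judged a legitimate user")

// SessionKeyFor follows steps 302-306: local cache first, then the key sharing
// server, and only then a fresh negotiation whose result is uploaded at once so
// that any other gateway can serve the same terminal without renegotiating.
func (g *Gateway) SessionKeyFor(terminal string) (SessionKey, error) {
	if k, ok := g.local[terminal]; ok {
		return k, nil
	}
	if k, ok := g.server.Lookup(terminal); ok {
		g.local[terminal] = k
		return k, nil
	}
	g.Negotiations++
	k, legitimate, err := g.negotiate(terminal)
	if err != nil {
		return SessionKey{}, err
	}
	if !legitimate {
		return SessionKey{}, ErrIllegitimateTerminal // nothing is cached or uploaded
	}
	g.local[terminal] = k
	g.server.Upload(terminal, k)
	return k, nil
}

// AllowListNegotiator is a constructed stand-in for the handshake: terminals on
// the allow-list count as legitimate and receive a random session key.
func AllowListNegotiator(allowed map[string]bool) Negotiator {
	return func(terminal string) (SessionKey, bool, error) {
		var k SessionKey
		if !allowed[terminal] {
			return k, false, nil
		}
		_, err := rand.Read(k[:])
		return k, err == nil, err
	}
}

func main() {
	server := NewKeyServer()
	negotiate := AllowListNegotiator(map[string]bool{"meter-0001": true}) // constructed terminal ID
	gwA := NewGateway("gateway A", server, negotiate)
	gwB := NewGateway("gateway B", server, negotiate)
	kA, _ := gwA.SessionKeyFor("meter-0001") // runs the handshake and uploads the key
	kB, _ := gwB.SessionKeyFor("meter-0001") // served from the key sharing server
	fmt.Printf("same key on both gateways: %v, handshakes: A=%d B=%d\n", kA == kB, gwA.Negotiations, gwB.Negotiations)
	gwA2 := NewGateway("gateway A (replacement)", server, negotiate) // gateway A damaged and replaced
	kA2, _ := gwA2.SessionKeyFor("meter-0001")
	fmt.Println("replacement recovered the key without a handshake:", kA2 == kA && gwA2.Negotiations == 0)
}
```

A terminal that fails the negotiation leaves nothing behind in either the local cache or the shared server, so a rejected terminal cannot seed the other gateways with a key through the sharing path; only keys produced by a completed negotiation are ever uploaded.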
The power-dedicated security encryption isolation gateway of the present invention uses an independently designed ASIC hardware isolation card. The isolation card provides physical network isolation between the intranet and the extranet, and implements security protection and network isolation for high-speed, massive, highly concurrent business data. The intranet and extranet hosts use Intel multi-CPU, multi-core high-performance hardware platforms; the software architecture uses a multi-threaded parallel operating mechanism adapted to the multi-core hardware platform, and achieves high-speed, highly concurrent processing of business data using techniques such as thread pools, multiple buffers and asynchronous processing.
The power-dedicated security encryption isolation gateway uses the latest I/O technology and relies on the high-speed data exchange capability of PCIE GEN3 to reach the data processing rate required for high concurrency. The network interface communicates with the outside through a fibre-connected 10-gigabit network card; the isolation switching unit is connected to the intranet and extranet hosts through PCIE GEN3 x8 interfaces and ferries data at high speed between the inner and outer hosts; and the cryptographic operation unit is connected to the inner host through a PCIE GEN3 x8 interface, providing high-speed cryptographic operation and processing of highly concurrent data.
The cryptographic operation unit uses a parallel redundant design: each intranet host is configured with multiple cryptographic operation units, and a scheduling algorithm designed for high concurrency dispatches operations to several units concurrently, making full use of their hardware computing capacity. The power-dedicated security encryption isolation device is configured with multiple SM1 algorithm chips, and a software module for parallel algorithm invocation is developed in the cryptographic operation module. The algorithm chips are driven in asynchronous call mode; the parallel invocation module queries the busy level of each algorithm chip in real time and distributes algorithm operations according to that level, while maintaining the correspondence between each algorithm chip's response messages and request messages. Through this cooperation of software and hardware, local invocation of the SM1 algorithm reaches about 3 Gbit/s.
Those skilled in the art will appreciate that embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or box in the flowcharts and/or block diagrams, and any combination of flows and/or boxes, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more boxes of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowchart and/or one or more boxes of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is executed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more boxes of the block diagram.
The foregoing description of specific exemplary embodiments of the present invention has been presented for purposes of illustration and description. It is not intended to limit the invention to the precise forms disclosed, and obviously many changes and variations are possible in light of the above teaching. The exemplary embodiments were selected and described in order to explain the specific principles of the invention and its practical application, so that those skilled in the art can implement and use various exemplary embodiments of the invention as well as various alternatives and modifications. The scope of the invention is intended to be limited by the claims and their equivalents.

Claims (9)

1. A power-dedicated security encryption method, characterized in that the security encryption method comprises the following steps:
receiving a data packet on the downlink;
querying whether the session key of the receiving-side terminal that receives the data packet is held locally;
if the session key is not held locally, querying the key sharing server as to whether it holds the session key of the receiving-side terminal that receives the data packet;
if the key sharing server does not hold the session key, starting the session key agreement flow;
if, via the session key agreement flow, the receiving-side terminal is judged to be a legitimate user, encrypting the data packet with the session key;
performing a MAC operation on the encrypted data packet to obtain the MAC part of the data packet; and
encapsulating the encrypted data packet and the MAC part of the data packet as an SAL protocol message.
2. The security encryption method according to claim 1, characterized in that the session key agreement flow comprises the following steps:
sending a session establishment request message to the receiving-side terminal;
the receiving-side terminal judging the identity of the security gateway based on the session establishment request message;
if the security gateway is determined to be a legitimate security gateway, the receiving-side terminal sending a session establishment response message;
the security gateway performing signature verification on the session establishment response message;
if the receiving-side terminal is determined to be a legitimate user, sending a key negotiation request message to the receiving-side terminal; and
after receiving the key negotiation request message, the receiving-side terminal sending a key negotiation response message.
3. A power-dedicated security encryption method, characterized in that the security encryption method comprises the following steps:
receiving a data packet on the uplink;
performing the header-and-tail check on the data packet and decapsulating it;
querying whether the session key of the sending-side terminal that sends the data packet is held locally;
if the session key is not held locally, querying the key sharing server as to whether it holds the session key of the sending-side terminal that sends the data packet;
if the key sharing server does not hold the session key, starting the session key agreement flow;
if, via the session key agreement flow, the sending-side terminal is judged to be a legitimate user, decrypting the data packet with the negotiated session key; and
sending the decrypted data packet to the acquisition front-end.
4. The security encryption method according to claim 3, characterized in that the session key agreement flow comprises the following steps:
sending a session establishment request message to the sending-side terminal;
the sending-side terminal judging the identity of the security gateway based on the session establishment request message;
if the security gateway is determined to be a legitimate security gateway, the sending-side terminal sending a session establishment response message;
the security gateway performing signature verification on the session establishment response message;
if the sending-side terminal is determined to be a legitimate user, sending a key negotiation request message to the sending-side terminal; and
after receiving the key negotiation request message, the sending-side terminal sending a key negotiation response message.
5. The security encryption method according to claim 3, characterized in that, if the session key of the sending-side terminal that sends the data packet is held locally, the following operations are performed:
performing the MAC calculation on the decapsulated data packet;
comparing the calculated MAC with the MAC in the decapsulated data packet;
if the calculated MAC is identical to the MAC in the decapsulated data packet, decrypting the data packet with the session key;
sending the decrypted data packet to the acquisition front-end; and
if the calculated MAC differs from the MAC in the decapsulated data packet, generating an error response data packet and sending the error response data packet to the acquisition front-end.
6. A power-dedicated security encryption isolation gateway, characterized in that the security encryption isolation gateway is communicatively connected to an acquisition front-end and to a communication front-end respectively, the acquisition front-end being configured to receive a data packet on the downlink, and the security encryption isolation gateway comprises:
an intranet processing unit;
an extranet processing unit; and
an isolation switching unit, the isolation switching unit being configured to:
query whether the session key of the receiving-side terminal that receives the data packet is held locally;
if the session key is not held locally, query the key sharing server as to whether it holds the session key of the receiving-side terminal that receives the data packet;
if the key sharing server does not hold the session key, start the session key agreement flow;
if, via the session key agreement flow, the receiving-side terminal is judged to be a legitimate user, control the cryptographic operation unit to encrypt the data packet with the session key;
perform a MAC operation on the encrypted data packet to obtain the MAC part of the data packet; and
encapsulate the encrypted data packet and the MAC part of the data packet as an SAL protocol message.
7. A power-dedicated security encryption isolation gateway, characterized in that the security encryption isolation gateway is communicatively connected to an acquisition front-end and to a communication front-end respectively, the communication front-end being configured to receive a data packet on the uplink, and the security encryption isolation gateway comprises:
an intranet processing unit;
an extranet processing unit; and
an isolation switching unit, the isolation switching unit being configured to:
perform the header-and-tail check on the data packet and decapsulate it;
query whether the session key of the sending-side terminal that sends the data packet is held locally;
if the session key is not held locally, query the key sharing server as to whether it holds the session key of the sending-side terminal that sends the data packet;
if the key sharing server does not hold the session key, start the session key agreement flow;
if, via the session key agreement flow, the sending-side terminal is judged to be a legitimate user, decrypt the data packet with the negotiated session key; and
send the decrypted data packet to the acquisition front-end.
8. The security encryption isolation gateway according to claim 7, characterized in that, if the session key of the sending-side terminal that sends the data packet is held locally, the following operations are performed:
performing the MAC calculation on the decapsulated data packet;
comparing the calculated MAC with the MAC in the decapsulated data packet;
if the calculated MAC is identical to the MAC in the decapsulated data packet, decrypting the data packet with the session key;
sending the decrypted data packet to the acquisition front-end; and
if the calculated MAC differs from the MAC in the decapsulated data packet, generating an error response data packet and sending the error response data packet to the acquisition front-end.
9. A power-dedicated security key sharing method, characterized in that the security key sharing method comprises the following steps:
receiving a data packet on the downlink;
querying whether the session key of the receiving-side terminal that receives the data packet is held locally;
if the session key is not held locally, querying the key sharing server as to whether it holds the session key of the receiving-side terminal that receives the data packet;
if the key sharing server does not hold the session key, starting the session key agreement flow;
after completing the session key agreement flow, generating a session key; and
uploading the generated session key to the sharing server in real time, wherein the sharing server can share the stored session key with multiple different gateways.
CN201810794868.1A 2018-07-19 2018-07-19 Safe encryption method, key sharing method and safety encryption isolation gateway Pending CN108810023A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810794868.1A CN108810023A (en) 2018-07-19 2018-07-19 Safe encryption method, key sharing method and safety encryption isolation gateway

Publications (1)

Publication Number Publication Date
CN108810023A true CN108810023A (en) 2018-11-13

Family

ID=64077492

Country Status (1)

Country Link
CN (1) CN108810023A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110267266A (en) * 2019-07-19 2019-09-20 中国铁路总公司 A kind of improved train control system secure data exchange method
CN111294212A (en) * 2020-05-12 2020-06-16 广东纬德信息科技股份有限公司 Security gateway key negotiation method based on power distribution
CN112261041A (en) * 2020-10-21 2021-01-22 中国科学院信息工程研究所 Multistage distributed monitoring and anti-seepage system for power terminal
CN112650990A (en) * 2019-10-10 2021-04-13 百度(美国)有限责任公司 Method and system for signing artificial intelligence watermark using query
CN112953936A (en) * 2021-02-18 2021-06-11 泰州中科树人信息科技有限公司 Encrypted video playing technology based on ZKSR protocol
CN113746861A (en) * 2021-09-13 2021-12-03 南京首传信安科技有限公司 Data transmission encryption and decryption method and encryption and decryption system based on state encryption technology
CN114125027A (en) * 2021-11-24 2022-03-01 上海派拉软件股份有限公司 Communication establishing method and device, electronic equipment and storage medium
CN114389884A (en) * 2022-01-14 2022-04-22 北京光润通科技发展有限公司 Single-port Ethernet isolation card and isolation method thereof
CN114554485A (en) * 2021-12-22 2022-05-27 卓望数码技术(深圳)有限公司 Asynchronous session key negotiation and application method, system, electronic device and medium
CN114629746A (en) * 2022-03-21 2022-06-14 南京十方网络科技有限公司 Data security gateway based on hardware
CN115801388A (en) * 2022-11-11 2023-03-14 中国联合网络通信集团有限公司 Message transmission method, device and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102037707A (en) * 2008-04-07 2011-04-27 交互数字专利控股公司 Secure session key generation
CN102882688A (en) * 2012-10-24 2013-01-16 北京邮电大学 Lightweight authentication and key agreement protocol applicable to electric information acquisition
US20130145149A1 (en) * 2011-12-02 2013-06-06 Kabushiki Kaisha Toshiba Authentication device, authentication method and computer readable medium
CN104038931A (en) * 2014-05-23 2014-09-10 国家电网公司 LTE (Long Term Evolution) network based power distribution and utilization communication system and communication method thereof
CN105763542A (en) * 2016-02-02 2016-07-13 国家电网公司 Device and method of encryption and authentication for distribution terminal serial port communication
CN105871873A (en) * 2016-04-29 2016-08-17 国家电网公司 Security encryption authentication module for power distribution terminal communication and method thereof
CN106941494A (en) * 2017-03-30 2017-07-11 中国电力科学研究院 A kind of security isolation gateway and its application method suitable for power information acquisition system
CN107018134A (en) * 2017-04-06 2017-08-04 北京中电普华信息技术有限公司 A kind of distribution terminal secure accessing platform and its implementation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181113
