CN108810023A - Safe encryption method, key sharing method and safety encryption isolation gateway - Google Patents
- Publication number: CN108810023A (application CN201810794868.1A)
- Authority: CN (China)
- Prior art keywords: data packet, session key, key, MAC, side terminal
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (all under H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
- H04L63/0209—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls; architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/123—Applying verification of the received information: received data contents, e.g. message integrity
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
- H04L63/0236—Filtering policies: filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0245—Filtering policies: filtering by information in the payload
- H04L63/0272—Virtual private networks
Abstract
The invention discloses a secure encryption method, a key sharing method and a secure encryption isolation gateway. The secure encryption method comprises the following steps: receive a data packet on the downlink; query whether the session key of the receiving-side terminal of the received packet is held locally; if there is no local session key, query the key sharing server for the session key of the receiving-side terminal; if the key sharing server has no session key either, start the session key negotiation flow; if the negotiation flow determines that the receiving-side terminal is a legitimate user, encrypt the data packet with the session key; perform a MAC operation on the encrypted packet to obtain the MAC part of the packet; and encapsulate the encrypted packet and its MAC part into an SAL protocol message. The secure encryption method of the invention effectively prevents attacks and virus infiltration from the external network, with high security and reliability.
Description
Technical field
The present invention relates to the field of power information systems, and in particular to a power-dedicated secure encryption method, key sharing method and secure encryption isolation gateway.
Background technology
The power utilization information collection system (hereinafter the collection system) is a key service system of the residential and commercial electricity infrastructure. It comprises the collection system master station, the communication front-end, the communication channel and the terminal devices. The collection system is deployed centrally: terminal devices access the collection system master station through operator wireless private networks such as GPRS/CDMA/3G/4G wireless APN private networks, 230 wireless private networks, the Beidou network and dedicated optical fibre channels. However, the collection system master station is exposed to various attacks from the public network, so security protection must be strengthened in the access zone of the master station in order to achieve network isolation of the master station, terminal identity authentication, service protocol filtering and protection of service message transmission, thereby reducing the intrusion risk at the access boundary of the master station system.
Functionally, conventional secure access gateway devices mainly implement terminal security authentication through a secure channel layer, establish a two-way encrypted tunnel from the access point to the application system, and encrypt application system data. The cryptographic algorithms are generally international algorithms; secure access gateways supporting the national algorithms SM1/SM2/SM3 are rare. Conventional secure access gateways also generally lack network security isolation and cannot meet the higher performance requirements that follow from the large number of collection system terminals (SM1 encryption rate 2.4 Gbps, SM2 signing rate 20000 TPS, SM2 signature verification rate 10000 TPS, SM3 computation rate 8 Gbps, terminal access capacity 600,000 per unit).
The information disclosed in this background section is intended only to improve understanding of the overall background of the invention and should not be taken as an acknowledgement or any form of suggestion that this information constitutes prior art already known to those skilled in the art.
Invention content
The purpose of the present invention is to provide a power-dedicated secure encryption method that effectively prevents attacks from the external network and has high reliability.
Another object of the present invention is to provide a key sharing method and a secure encryption isolation gateway.
To achieve the above object, the present invention provides a power-dedicated secure encryption method comprising the following steps: receive a data packet on the downlink; query whether the session key of the receiving-side terminal of the received packet is held locally; if there is no local session key, query the key sharing server for the session key of the receiving-side terminal; if the key sharing server has no session key either, start the session key negotiation flow; if the negotiation flow determines that the receiving-side terminal is a legitimate user, encrypt the data packet with the session key; perform a MAC operation on the encrypted packet to obtain the MAC part of the packet; and encapsulate the encrypted packet and its MAC part into an SAL protocol message.
In a preferred embodiment, the session key negotiation flow comprises the following steps: send a session establishment request message to the receiving-side terminal; the receiving-side terminal judges the identity of the security gateway from the session establishment request message; if the security gateway is judged to be a legitimate security gateway, the receiving-side terminal sends a session establishment response message; the security gateway verifies the signature on the session establishment response message; if the receiving-side terminal is judged to be a legitimate user, a key negotiation request message is sent to the receiving-side terminal; and after receiving the key negotiation request message, the receiving-side terminal sends a key negotiation response message.
The present invention also provides a power-dedicated secure encryption method comprising the following steps: receive a data packet on the uplink; perform end-to-end verification and decapsulation of the data packet; query whether the session key of the sending-side terminal that sent the packet is held locally; if there is no local session key, query the key sharing server for the session key of the sending-side terminal; if the key sharing server has no session key either, start the session key negotiation flow; if the negotiation flow determines that the sending-side terminal is a legitimate user, decrypt the data packet with the negotiated session key; and send the decrypted packet to the acquisition front-end.
In a preferred embodiment, the session key negotiation flow comprises the following steps: send a session establishment request message to the sending-side terminal; the sending-side terminal judges the identity of the security gateway from the session establishment request message; if the security gateway is judged to be a legitimate security gateway, the sending-side terminal sends a session establishment response message; the security gateway verifies the signature on the session establishment response message; if the sending-side terminal is judged to be a legitimate user, a key negotiation request message is sent to the sending-side terminal; and after receiving the key negotiation request message, the sending-side terminal sends a key negotiation response message.
In a preferred embodiment, if the session key of the sending-side terminal is held locally, the following operations are performed: compute the MAC of the decapsulated data packet; compare the computed MAC with the MAC carried in the decapsulated packet; if the computed MAC is identical to the MAC in the decapsulated packet, decrypt the packet with the session key and send the decrypted packet to the acquisition front-end; if the computed MAC differs from the MAC in the decapsulated packet, generate an error response packet and send it to the acquisition front-end.
The present invention also provides a secure encryption isolation gateway that is communicatively connected to an acquisition front-end and a communication front-end, the acquisition front-end being configured to receive data packets on the downlink. The gateway comprises an intranet processing unit, an extranet processing unit and an isolation exchange unit, the isolation exchange unit being configured to: query whether the session key of the receiving-side terminal of the received packet is held locally; if there is no local session key, query the key sharing server for the session key of the receiving-side terminal; if the key sharing server has no session key either, start the session key negotiation flow; if the negotiation flow determines that the receiving-side terminal is a legitimate user, control the cryptographic operation unit to encrypt the data packet with the session key; perform a MAC operation on the encrypted packet to obtain the MAC part of the packet; and encapsulate the encrypted packet and its MAC part into an SAL protocol message.
The present invention also provides a secure encryption isolation gateway that is communicatively connected to an acquisition front-end and a communication front-end, the communication front-end being configured to receive data packets on the uplink. The gateway comprises an intranet processing unit, an extranet processing unit and an isolation exchange unit, the isolation exchange unit being configured to: perform end-to-end verification and decapsulation of the data packet; query whether the session key of the sending-side terminal that sent the packet is held locally; if there is no local session key, query the key sharing server for the session key of the sending-side terminal; if the key sharing server has no session key either, start the session key negotiation flow; if the negotiation flow determines that the sending-side terminal is a legitimate user, decrypt the data packet with the negotiated session key; and send the decrypted packet to the acquisition front-end.
In a preferred embodiment, if the session key of the sending-side terminal is held locally, the following operations are performed: compute the MAC of the decapsulated data packet; compare the computed MAC with the MAC carried in the decapsulated packet; if the computed MAC is identical to the MAC in the decapsulated packet, decrypt the packet with the session key and send the decrypted packet to the acquisition front-end; and if the computed MAC differs from the MAC in the decapsulated packet, generate an error response packet and send it to the acquisition front-end.
The present invention further provides a power-dedicated secure key sharing method comprising the following steps: receive a data packet on the downlink; query whether the session key of the receiving-side terminal of the received packet is held locally; if there is no local session key, query the key sharing server for the session key of the receiving-side terminal; if the key sharing server has no session key either, start the session key negotiation flow; after the session key negotiation flow completes, generate the session key; and upload the generated session key to the shared server in real time, where the shared server can share the stored session key with multiple different gateways.
Compared with the prior art, the power-dedicated secure encryption method, key sharing method and secure encryption isolation gateway of the invention have the following advantages. The secure encryption isolation gateway is based entirely on the national algorithms SM1/SM2/SM3; it adopts a red-black isolation architecture and cryptography-based isolation technology to achieve logical isolation between the system intranet and the external network, effectively preventing attacks and virus infiltration from the external network; it prevents cross-network intrusion by illegal data through protocol blocking, format checking and protocol analysis; it builds a secure channel between the gateway and the acquisition terminal, encrypting the data and computing a message authentication code during encapsulation, which provides confidentiality and integrity at the transport layer; it uses dedicated hardware cryptographic processing units and multi-core concurrent processors to support access by a massive number of terminals and high-speed message encryption and decryption; and it provides high reliability through session key sharing and a hierarchical encryption protection mechanism. The secure encryption isolation gateway of the invention is significantly improved in algorithm performance, security, reliability and availability, matches the services of the collection system well, and can meet the collection system's service security and performance requirements.
Description of the drawings
Fig. 1 is a flow diagram of the power-dedicated secure encryption method according to a preferred embodiment of the invention.
Fig. 2 is a flow diagram of the power-dedicated secure encryption method according to another preferred embodiment of the invention.
Fig. 3 is a flow diagram of the power-dedicated secure key sharing method according to another preferred embodiment of the invention.
Fig. 4 is a logical composition diagram of the power-dedicated secure encryption isolation gateway according to a preferred embodiment of the invention.
Fig. 5 is a schematic diagram of the physical composition of the isolation card according to a preferred embodiment of the invention.
Fig. 6 is a schematic diagram of the SAL encapsulation format according to a preferred embodiment of the invention.
Fig. 7 is an information flow diagram of the terminal identity authentication and key negotiation process according to a preferred embodiment of the invention.
Fig. 8 is a structural schematic diagram of the key sharing system according to a preferred embodiment of the invention.
Specific implementation mode
The specific implementation modes of the present invention are described in detail below with reference to the accompanying drawings; it is to be understood that the scope of protection of the invention is not restricted by these specific implementation modes.
Unless otherwise explicitly stated, throughout the specification and claims the term "comprising" or its variants such as "comprises" or "including" will be understood to include the stated element or component without excluding other elements or components.
As shown in Fig. 1, the secure encryption method of a preferred embodiment of the invention comprises the following steps. Step 101: receive a data packet on the downlink. Step 102: query whether the session key of the receiving-side terminal of the received packet is held locally. Step 103: if there is no local session key, query the key sharing server for the session key of the receiving-side terminal. Step 104: if the key sharing server has no session key either, start the session key negotiation flow. Step 105: if the negotiation flow determines that the receiving-side terminal is a legitimate user, encrypt the data packet with the session key. Step 106: perform a MAC operation on the encrypted packet to obtain the MAC part of the packet. Step 107: encapsulate the encrypted packet and its MAC part into an SAL protocol message.
In the above scheme, the session key negotiation flow comprises the following steps: send a session establishment request message to the receiving-side terminal; the receiving-side terminal judges the identity of the security gateway from the session establishment request message; if the security gateway is judged to be a legitimate security gateway, the receiving-side terminal sends a session establishment response message; the security gateway verifies the signature on the session establishment response message; if the receiving-side terminal is judged to be a legitimate user, a key negotiation request message is sent to the receiving-side terminal; and after receiving the key negotiation request message, the receiving-side terminal sends a key negotiation response message.
As shown in Fig. 2, the secure encryption method of another preferred embodiment of the invention comprises the following steps. Step 201: receive a data packet on the uplink. Step 202: perform end-to-end verification and decapsulation of the data packet. Step 203: query whether the session key of the sending-side terminal that sent the packet is held locally. Step 204: if there is no local session key, query the key sharing server for the session key of the sending-side terminal. Step 205: if the key sharing server has no session key either, start the session key negotiation flow. Step 206: if the negotiation flow determines that the sending-side terminal is a legitimate user, decrypt the data packet with the negotiated session key. Step 207: send the decrypted packet to the acquisition front-end.
As shown in Fig. 3, the present invention also provides a power-dedicated secure key sharing method comprising the following steps. Step 301: receive a data packet on the downlink. Step 302: query whether the session key of the receiving-side terminal of the received packet is held locally. Step 303: if there is no local session key, query the key sharing server for the session key of the receiving-side terminal. Step 304: if the key sharing server has no session key either, start the session key negotiation flow. Step 305: after the session key negotiation flow completes, generate the session key. Step 306: upload the generated session key to the shared server in real time, where the shared server can share the stored session key with multiple different gateways.
As shown in Fig. 4, the secure encryption isolation gateway of one embodiment of the invention is communicatively connected to the acquisition front-end and the communication front-end and comprises an intranet processing unit, an extranet processing unit, an isolation exchange unit and a cryptographic processing unit. The extranet processing unit connects to the external network of the collection system and the intranet processing unit connects to the collection system intranet. The extranet and intranet processing units are configured with dual network cards placed in different VLANs, and application-layer data payloads are transferred between them by the isolation exchange unit, so that the important internal network segments of the collection system are reliably logically isolated from the external network and the risk of boundary intrusion is reduced. The cryptographic operation unit of the power-dedicated secure encryption isolation gateway provides cryptographic services based on the national algorithms, on which the device implements identity authentication of acquisition terminals, session key negotiation between the device and acquisition terminals, and encryption of sensitive messages between the device and acquisition terminals.
The isolation exchange unit sits between the intranet processing unit and the extranet processing unit and guarantees security isolation between intranet and extranet in hardware. The cryptographic processing unit is located on the upper side of the isolation exchange unit and provides cryptographic services to the isolation exchange unit in flow-through mode. Data from the external network can enter the intranet unit only after cryptographic verification and decryption by the cryptographic processing unit, which effectively prevents the intranet from being attacked from the external network.
To achieve physical isolation between the internal and external networks, each network isolation interface between intranet and extranet is implemented with an isolation card. The isolation card communicates with its backplane through a PCIE 8X interface; isolation cards interact and forward between themselves through optical ports at a forwarding rate of 2.4 Gbps; and the isolation card uses an FPGA design comprising a hardware DMA controller, an isolated data storage area, an isolation exchange control unit and a PCIE IP core. Fig. 5 is a schematic diagram of the physical composition of the isolation card according to an embodiment of the invention. As shown, the isolation card comprises: hardware DMA controller 501, isolated data storage area 502, isolation exchange control unit 503 and PCIE IP core 504.
A transport-layer encrypted channel is established between the gateway and the terminal, and the power information collection protocol exchanged between the acquisition server and the terminal is encapsulated, encrypted and integrity-protected, ensuring that the application protocol and service data are invisible to the public network and preventing attacks on the master station through the SAL protocol. Fig. 6 is a schematic diagram of the SAL encapsulation format according to an embodiment of the invention. As shown in Fig. 6, the encapsulation and encryption steps are: SAL encapsulation; encryption; adding an SAL header before and an SAL trailer after the ciphertext, where the SAL trailer carries an integrity check over the whole message. The decryption and decapsulation steps are: perform the check computations on the header and trailer to verify the integrity of the message; decrypt the application data while computing and verifying the CRC of the application data; passing this check shows both that decryption was correct and that the message came from a legitimate terminal.
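The encapsulation and decapsulation steps above, together with the MAC comparison and error response of the uplink flow, as an added example that is not part of the patent: AES-CTR stands in for SM1, HMAC-SHA256 for the SM3-based MAC, and the field sizes and the "SAL1" magic are assumptions, since the patent specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Assumed SAL layout (the patent gives no field sizes):
//   header  = "SAL1" + 4-byte big-endian body length
//   body    = 16-byte nonce + ciphertext of (appData || CRC32(appData))
//   trailer = 32-byte MAC over header || body
const (
	salMagic  = "SAL1"
	headerLen = 8
	nonceLen  = 16
	macLen    = 32
)

var ErrHeader = errors.New("sal: bad header or length")
var ErrMAC = errors.New("sal: trailer MAC mismatch") // gateway answers with an error response instead of decrypting
var ErrCRC = errors.New("sal: application data CRC mismatch")

// SessionKey: per-terminal keys negotiated by, or shared with, the gateway.
type SessionKey struct {
	Enc []byte // 16 bytes, encryption key (AES-CTR stands in for SM1)
	Mac []byte // 32 bytes, MAC key (HMAC-SHA256 stands in for the SM3-based MAC)
}

func macOf(k SessionKey, data []byte) []byte {
	m := hmac.New(sha256.New, k.Mac)
	m.Write(data)
	return m.Sum(nil)
}

// Encapsulate is the downlink side: encrypt, compute the MAC part and wrap
// everything as an SAL message (steps 105 to 107 of Fig. 1).
func Encapsulate(k SessionKey, appData []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	// CRC over the plaintext lets the receiver confirm decryption was correct.
	plain := make([]byte, len(appData)+4)
	copy(plain, appData)
	binary.BigEndian.PutUint32(plain[len(appData):], crc32.ChecksumIEEE(appData))
	msg := make([]byte, headerLen+nonceLen+len(plain), headerLen+nonceLen+len(plain)+macLen)
	copy(msg, salMagic)
	binary.BigEndian.PutUint32(msg[4:], uint32(nonceLen+len(plain)))
	nonce := msg[headerLen : headerLen+nonceLen]
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, nonce).XORKeyStream(msg[headerLen+nonceLen:], plain)
	return append(msg, macOf(k, msg)...), nil // SAL trailer: MAC over the whole message
}

// Decapsulate is the uplink side: recompute the MAC and compare it with the
// trailer, decrypt only on a match, then check the application-data CRC.
func Decapsulate(k SessionKey, msg []byte) ([]byte, error) {
	if len(msg) < headerLen+nonceLen+4+macLen || string(msg[:4]) != salMagic {
		return nil, ErrHeader
	}
	n := int(binary.BigEndian.Uint32(msg[4:8]))
	if n != len(msg)-headerLen-macLen {
		return nil, ErrHeader
	}
	body, tag := msg[:headerLen+n], msg[headerLen+n:]
	if !hmac.Equal(macOf(k, body), tag) { // constant-time comparison
		return nil, ErrMAC
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	ct := body[headerLen+nonceLen:]
	plain := make([]byte, len(ct))
	cipher.NewCTR(block, body[headerLen:headerLen+nonceLen]).XORKeyStream(plain, ct)
	app, want := plain[:len(plain)-4], binary.BigEndian.Uint32(plain[len(plain)-4:])
	if crc32.ChecksumIEEE(app) != want {
		return nil, ErrCRC
	}
	return app, nil
}

func main() {
	// Constructed demo keys and payload.
	k := SessionKey{Enc: []byte("0123456789abcdef"), Mac: []byte("constructed-demo-mac-key-32bytes")}
	msg, _ := Encapsulate(k, []byte("meter reading 12345"))
	out, err := Decapsulate(k, msg)
	fmt.Printf("round trip: %q err=%v\n", out, err)
	msg[headerLen+nonceLen] ^= 0x01 // flip one ciphertext bit
	_, err = Decapsulate(k, msg)
	fmt.Println("tampered:", err)
}
```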
As shown in Fig. 7, the terminal identity authentication and key negotiation process of one embodiment of the invention, taking the uplink communication process as an example, is as follows. When a terminal needs to send information to the intranet, it first sends a login message 701; after receiving the login message, the collector sends a login response message 702; after receiving the login response message 702, the terminal starts the handshake. The handshake comprises: sending a session establishment request message 703 to the sending-side terminal; the sending-side terminal judges the identity of the security gateway from the session establishment request message; if the security gateway is judged to be a legitimate security gateway, the sending-side terminal sends a session establishment response message 704; the security gateway verifies the signature on the session establishment response message; if the sending-side terminal is judged to be a legitimate user, a key negotiation request message 705 is sent to the sending-side terminal; and after receiving the key negotiation request message, the sending-side terminal sends a key negotiation response message 706.
As shown in Fig. 8, the key sharing system of a preferred embodiment of the invention comprises gateway A, gateway B, a terminal and a key sharing server. The terminal can negotiate a key with gateway A, and gateway A uploads the negotiated key to the key sharing server. When gateway A is damaged, another gateway B can request the key from the key sharing server and verify the terminal. The key sharing scheme gives the gateway service load balancing, shared backup, damage-resistant standby storage and effective continuity, improving the availability and reliability of the system as a whole.
The power-dedicated secure encryption isolation gateway of the invention uses an independently designed ASIC hardware isolation card to achieve physical isolation between the intranet and extranet networks, providing high-speed, highly concurrent security protection and network isolation for massive volumes of service data. The intranet and extranet hosts use an Intel multi-CPU, multi-core, high-performance and robust hardware platform; the software architecture adapts to the multi-core platform through a multi-threaded parallel operating mechanism and uses technologies such as thread pools, multiple buffering and asynchronous processing to achieve high-speed, highly concurrent processing of service data.
The power-dedicated secure encryption isolation gateway uses the latest I/O technology and the high-speed data exchange capability of PCIE GEN3 to reach the data processing rate required for high concurrency: the network interfaces use 10-gigabit network cards with optical fibre connections to communicate with the outside; the isolation exchange unit connects to the intranet and extranet hosts through PCIE GEN3 X8 interfaces to ferry high-speed data between the internal and external hosts; and the cryptographic operation unit connects to the intranet host through a PCIE GEN3 X8 interface to achieve high-speed cryptographic operation and processing of highly concurrent data.
The cryptographic operation unit uses a parallel redundancy design: each intranet host is configured with multiple cryptographic operation units, and a scheduling algorithm designed for high concurrency dispatches concurrent operations across them, making full use of their hardware computing capability. The power-specific security encryption isolation device is configured with multiple SM1 algorithm chips, and a software module for parallel algorithm invocation is developed in the cryptographic operation module. The algorithm chips are driven in asynchronous call mode; the parallel invocation module queries the busy level of each algorithm chip in real time, distributes algorithm operations according to that busy level, and at the same time maintains the correspondence between each algorithm chip's response messages and request messages. Through this cooperation of software and hardware, the SM1 algorithm is invoked locally at a rate of up to about 3 Gbit/s.
Those skilled in the art will appreciate that embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical memory) containing computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
The foregoing description of specific exemplary embodiments of the invention is given for purposes of illustration and description. These descriptions are not intended to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The exemplary embodiments were chosen and described in order to explain the specific principles of the invention and its practical application, so that those skilled in the art can implement and use the invention in a variety of different exemplary embodiments and with various alternatives and modifications. The scope of the invention is intended to be defined by the claims and their equivalents.
Claims (9)
1. A power-specific secure encryption method, characterized in that the secure encryption method comprises the following steps:
receiving a data packet on the downlink;
querying whether a session key of the receiving-side terminal that receives the data packet is held locally;
if the session key is not held locally, querying the key sharing server whether it holds a session key of the receiving-side terminal that receives the data packet;
if the key sharing server does not hold the session key, starting a session key agreement flow;
if, via the session key agreement flow, the receiving-side terminal is judged to be a legitimate user, encrypting the data packet using the session key;
performing a MAC operation on the encrypted data packet to obtain the MAC part of the data packet; and
encapsulating the encrypted data packet and the MAC part of the data packet into an SAL protocol message.
2. The secure encryption method according to claim 1, characterized in that the session key agreement flow comprises the following steps:
sending a session establishment request message to the receiving-side terminal;
judging, by the receiving-side terminal, the identity of the security gateway based on the session establishment request message;
if the security gateway is determined to be a legitimate security gateway, sending, by the receiving-side terminal, a session establishment response message;
performing, by the security gateway, signature verification on the session establishment response message;
if the receiving-side terminal is determined to be a legitimate user, sending a key negotiation request message to the receiving-side terminal; and
after receiving the key negotiation request message, sending, by the receiving-side terminal, a key negotiation response message.
3. A power-specific secure encryption method, characterized in that the secure encryption method comprises the following steps:
receiving a data packet on the uplink;
performing end-to-end verification and decapsulation on the data packet;
querying whether a session key of the sending-side terminal that sent the data packet is held locally;
if the session key is not held locally, querying the key sharing server whether it holds a session key of the sending-side terminal that sent the data packet;
if the key sharing server does not hold the session key, starting a session key agreement flow;
if, via the session key agreement flow, the sending-side terminal is judged to be a legitimate user, decrypting the data packet using the negotiated session key; and
sending the decrypted data packet to the acquisition front-end.
4. The secure encryption method according to claim 3, characterized in that the session key agreement flow comprises the following steps:
sending a session establishment request message to the sending-side terminal;
judging, by the sending-side terminal, the identity of the security gateway based on the session establishment request message;
if the security gateway is determined to be a legitimate security gateway, sending, by the sending-side terminal, a session establishment response message;
performing, by the security gateway, signature verification on the session establishment response message;
if the sending-side terminal is determined to be a legitimate user, sending a key negotiation request message to the sending-side terminal; and
after receiving the key negotiation request message, sending, by the sending-side terminal, a key negotiation response message.
5. The secure encryption method according to claim 3, characterized in that, if a session key of the sending-side terminal that sent the data packet is held locally, the following operations are performed:
performing a MAC calculation on the decapsulated data packet;
comparing the calculated MAC with the MAC in the decapsulated data packet;
if the calculated MAC is identical to the MAC in the decapsulated data packet, decrypting the data packet using the session key;
sending the decrypted data packet to the acquisition front-end; and
if the calculated MAC differs from the MAC in the decapsulated data packet, generating an error response data packet and sending the error response data packet to the acquisition front-end.
6. A power-specific security encryption isolation gateway, characterized in that the security encryption isolation gateway is communicatively connected with an acquisition front-end and a communication front-end respectively, the acquisition front-end is configured to receive a data packet on the downlink, and the security encryption isolation gateway comprises:
an intranet processing unit;
an extranet processing unit; and
an isolation exchange unit, the isolation exchange unit being configured to:
query whether a session key of the receiving-side terminal that receives the data packet is held locally;
if the session key is not held locally, query the key sharing server whether it holds a session key of the receiving-side terminal that receives the data packet;
if the key sharing server does not hold the session key, start a session key agreement flow;
if, via the session key agreement flow, the receiving-side terminal is judged to be a legitimate user, control the cryptographic operation unit to encrypt the data packet using the session key;
perform a MAC operation on the encrypted data packet to obtain the MAC part of the data packet; and
encapsulate the encrypted data packet and the MAC part of the data packet into an SAL protocol message.
7. A power-specific security encryption isolation gateway, characterized in that the security encryption isolation gateway is communicatively connected with an acquisition front-end and a communication front-end respectively, the communication front-end is configured to receive a data packet on the uplink, and the security encryption isolation gateway comprises:
an intranet processing unit;
an extranet processing unit; and
an isolation exchange unit, the isolation exchange unit being configured to:
perform end-to-end verification and decapsulation on the data packet;
query whether a session key of the sending-side terminal that sent the data packet is held locally;
if the session key is not held locally, query the key sharing server whether it holds a session key of the sending-side terminal that sent the data packet;
if the key sharing server does not hold the session key, start a session key agreement flow;
if, via the session key agreement flow, the sending-side terminal is judged to be a legitimate user, decrypt the data packet using the negotiated session key; and
send the decrypted data packet to the acquisition front-end.
8. The security encryption isolation gateway according to claim 7, characterized in that, if a session key of the sending-side terminal that sent the data packet is held locally, the following operations are performed:
performing a MAC calculation on the decapsulated data packet;
comparing the calculated MAC with the MAC in the decapsulated data packet;
if the calculated MAC is identical to the MAC in the decapsulated data packet, decrypting the data packet using the session key;
sending the decrypted data packet to the acquisition front-end; and
if the calculated MAC differs from the MAC in the decapsulated data packet, generating an error response data packet and sending the error response data packet to the acquisition front-end.
9. A power-specific secure key sharing method, characterized in that the secure key sharing method comprises the following steps:
receiving a data packet on the downlink;
querying whether a session key of the receiving-side terminal that receives the data packet is held locally;
if the session key is not held locally, querying the key sharing server whether it holds a session key of the receiving-side terminal that receives the data packet;
if the key sharing server does not hold the session key, starting a session key agreement flow;
after the session key agreement flow is completed, generating a session key; and
uploading the generated session key to the sharing server in real time, wherein the sharing server can share the stored session key with multiple different gateways.
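The downlink and uplink handling of claims 1, 5 and 9, together with the gateway fail-over through the key sharing server described for Figure 8, as an added Python example that is not part of the patent. SM1 is a hardware cipher, so an HMAC-SHA256 CTR-style keystream stands in for it; the SAL frame layout (nonce, ciphertext, MAC) is constructed here, and the key agreement flow of claim 2 is reduced to a membership check on a constructed list of legitimate terminals.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 12   # constructed frame layout; the patent does not specify one
MAC_LEN = 32     # HMAC-SHA256 tag length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256: a software stand-in for the SM1 chip."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def sal_encapsulate(session_key: bytes, plaintext: bytes) -> bytes:
    """Downlink (claim 1): encrypt, MAC the ciphertext, wrap as nonce || ct || mac."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(plaintext, _keystream(session_key, nonce, len(plaintext)))
    mac = hmac.new(session_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + mac


def sal_decapsulate(session_key: bytes, frame: bytes):
    """Uplink (claim 5): recompute the MAC over the received ciphertext and compare
    it before decrypting; None means the caller must emit an error response packet."""
    if len(frame) < NONCE_LEN + MAC_LEN:
        return None
    nonce, ct, mac = frame[:NONCE_LEN], frame[NONCE_LEN:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(session_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return None
    return _xor(ct, _keystream(session_key, nonce, len(ct)))


class KeySharedServer:
    """The key sharing server: stores session keys uploaded by any gateway."""

    def __init__(self):
        self.keys = {}

    def lookup(self, terminal_id):
        return self.keys.get(terminal_id)

    def upload(self, terminal_id, key):
        self.keys[terminal_id] = key


class Gateway:
    """A security gateway with a local key cache and access to the shared server."""

    def __init__(self, name, server, legitimate_terminals):
        self.name = name
        self.server = server
        self.legitimate = set(legitimate_terminals)  # stand-in for signature checks
        self.local = {}
        self.negotiations = 0   # how often the key agreement flow actually ran

    def negotiate(self, terminal_id):
        """Stand-in for the key agreement flow of claim 2: only a legitimate terminal gets a key."""
        self.negotiations += 1
        if terminal_id not in self.legitimate:
            return None
        return secrets.token_bytes(16)

    def session_key_for(self, terminal_id):
        """Lookup order of claims 1 and 9: local cache, then shared server, then negotiate."""
        key = self.local.get(terminal_id)
        if key is None:
            key = self.server.lookup(terminal_id)
        if key is None:
            key = self.negotiate(terminal_id)
            if key is None:
                return None            # terminal rejected: no key, no encryption
            self.server.upload(terminal_id, key)   # claim 9: upload in real time
        self.local[terminal_id] = key
        return key
```

With a shared server, a second gateway that has never seen the terminal obtains the same session key without running key agreement again, which is the fail-over case of Figure 8.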
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810794868.1A CN108810023A (en) | 2018-07-19 | 2018-07-19 | Safe encryption method, key sharing method and safety encryption isolation gateway |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108810023A true CN108810023A (en) | 2018-11-13 |
Family
ID=64077492
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810794868.1A Pending CN108810023A (en) | 2018-07-19 | 2018-07-19 | Safe encryption method, key sharing method and safety encryption isolation gateway |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108810023A (en) |
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102037707A (en) * | 2008-04-07 | 2011-04-27 | 交互数字专利控股公司 | Secure session key generation |
US20130145149A1 (en) * | 2011-12-02 | 2013-06-06 | Kabushiki Kaisha Toshiba | Authentication device, authentication method and computer readable medium |
CN102882688A (en) * | 2012-10-24 | 2013-01-16 | 北京邮电大学 | Lightweight authentication and key agreement protocol applicable to electric information acquisition |
CN104038931A (en) * | 2014-05-23 | 2014-09-10 | 国家电网公司 | LTE (Long Term Evolution) network based power distribution and utilization communication system and communication method thereof |
CN105763542A (en) * | 2016-02-02 | 2016-07-13 | 国家电网公司 | Device and method of encryption and authentication for distribution terminal serial port communication |
CN105871873A (en) * | 2016-04-29 | 2016-08-17 | 国家电网公司 | Security encryption authentication module for power distribution terminal communication and method thereof |
CN106941494A (en) * | 2017-03-30 | 2017-07-11 | 中国电力科学研究院 | A kind of security isolation gateway and its application method suitable for power information acquisition system |
CN107018134A (en) * | 2017-04-06 | 2017-08-04 | 北京中电普华信息技术有限公司 | A kind of distribution terminal secure accessing platform and its implementation |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110267266A (en) * | 2019-07-19 | 2019-09-20 | 中国铁路总公司 | A kind of improved train control system secure data exchange method |
CN112650990A (en) * | 2019-10-10 | 2021-04-13 | 百度(美国)有限责任公司 | Method and system for signing artificial intelligence watermark using query |
CN111294212A (en) * | 2020-05-12 | 2020-06-16 | 广东纬德信息科技股份有限公司 | Security gateway key negotiation method based on power distribution |
CN112261041A (en) * | 2020-10-21 | 2021-01-22 | 中国科学院信息工程研究所 | Multistage distributed monitoring and anti-seepage system for power terminal |
CN112953936A (en) * | 2021-02-18 | 2021-06-11 | 泰州中科树人信息科技有限公司 | Encrypted video playing technology based on ZKSR protocol |
CN113746861A (en) * | 2021-09-13 | 2021-12-03 | 南京首传信安科技有限公司 | Data transmission encryption and decryption method and encryption and decryption system based on state encryption technology |
CN114125027A (en) * | 2021-11-24 | 2022-03-01 | 上海派拉软件股份有限公司 | Communication establishing method and device, electronic equipment and storage medium |
CN114125027B (en) * | 2021-11-24 | 2024-04-05 | 上海派拉软件股份有限公司 | Communication establishment method and device, electronic equipment and storage medium |
CN114554485A (en) * | 2021-12-22 | 2022-05-27 | 卓望数码技术(深圳)有限公司 | Asynchronous session key negotiation and application method, system, electronic device and medium |
CN114554485B (en) * | 2021-12-22 | 2024-03-12 | 卓望数码技术(深圳)有限公司 | Asynchronous session key negotiation and application method, system, electronic equipment and medium |
CN114389884A (en) * | 2022-01-14 | 2022-04-22 | 北京光润通科技发展有限公司 | Single-port Ethernet isolation card and isolation method thereof |
CN114389884B (en) * | 2022-01-14 | 2023-11-24 | 北京光润通科技发展有限公司 | Single-port Ethernet isolation card and isolation method thereof |
CN114629746A (en) * | 2022-03-21 | 2022-06-14 | 南京十方网络科技有限公司 | Data security gateway based on hardware |
CN115801388A (en) * | 2022-11-11 | 2023-03-14 | 中国联合网络通信集团有限公司 | Message transmission method, device and storage medium |
CN115801388B (en) * | 2022-11-11 | 2024-04-09 | 中国联合网络通信集团有限公司 | Message transmission method, device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20181113 |