CN109088870A - Method for secure access of a new-energy plant generating-unit acquisition terminal to a platform - Google Patents
- Publication number: CN109088870A (application CN201810924796.8A)
- Authority: CN (China)
- Prior art keywords: acquisition terminal, user, key, authentication, message
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- H04L63/0209 — Network security: architectural arrangements for separating internal from external traffic, e.g. perimeter networks or demilitarized zones
- H04L63/0227 — Network security: filtering policies
- H04L63/0428 — Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/061 — Key management in a packet data network for key exchange, e.g. in peer-to-peer networks
- H04L63/0823 — Authentication of entities using certificates
- H04L63/0869 — Authentication of entities for achieving mutual authentication
- H04L9/0643 — Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
- H04L9/0825 — Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L9/0838 — Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0844 — Key agreement involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
- H04L9/0869 — Generation of secret information (keys or passwords) involving random numbers or seeds
- H04L9/0877 — Generation of secret information using an additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
- H04L9/3236 — Entity or message authentication using cryptographic hash functions
- H04L9/3247 — Entity or message authentication involving digital signatures
- H04L9/3263 — Entity or message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The invention discloses a method for a new-energy plant generating-unit acquisition terminal to securely access a platform, comprising the following steps: 1) the generating-unit acquisition terminal requests access to the station control system intranet; 2) the acquisition terminal and the secure access gateway of the secure access platform perform bidirectional identity authentication; 3) the identity authentication system of the secure access gateway performs security evaluation and identification of both communicating parties and grants or refuses access according to the result; 4) after authentication succeeds, the acquisition terminal establishes a communication channel with the secure access platform and exchanges data securely over it. The invention achieves integrity and confidentiality of data transmission and guarantees channel protection when the various generating-unit acquisition terminals of a new-energy plant access the platform.
Description
Technical field
The present invention relates to a method for a new-energy plant generating-unit acquisition terminal to securely access a platform, and belongs to the field of power distribution automation.
Background art
A Virtual Private Network (VPN) is the technique of establishing a private network over a public network. It is called a virtual network because the connection between any two nodes of the VPN does not use the end-to-end physical link that a traditional private network requires; instead it is a logical network built on the network platform provided by a public network service provider, such as the Internet, ATM (asynchronous transfer mode) or Frame Relay, and user data is transmitted over logical links. It is an extension of a private network that uses encapsulation, encryption and authentication links across a shared or public network.
The basic principle of a VPN is to create a virtual network egress through which all data sent to the target is forwarded. It is commonly used in enterprise office systems: because transmission is end-to-end, a user logging in remotely through the company gateway obtains intranet access rights, and for the same reason the method can also be used to evade inspection by institutions.
VPN technology nevertheless has some defects and risks, mainly the following:
1) An enterprise cannot directly control the reliability and performance of an Internet-based VPN; it must rely on the Internet service provider offering the VPN to guarantee the service;
2) Creating and deploying VPN routes is not easy; the technology requires a high-level understanding of network and security issues and needs careful planning and configuration;
3) VPN products and solutions from different vendors are often incompatible, because many vendors are unwilling or unable to comply with VPN technology standards;
4) VPNs carry security risks when used with wireless devices; roaming between access points is particularly prone to problems, and when a user roams between access points any solution using advanced encryption techniques may be broken.
In December 2010 the State Cryptography Administration published the "SM2 Elliptic Curve Public Key Cryptographic Algorithm". SM2 is essentially an elliptic curve cryptosystem (ECC); it specifies the details of signature, verification, key exchange and so on. SM2 is an ECC with independent intellectual property rights that China developed on the basis of international advances; in security and implementation efficiency it is equivalent to or slightly better than comparable international ECC schemes, and it can replace RSA (the public key encryption algorithm) to meet the higher demands of applications on public key algorithm security and efficiency. With reference to the key exchange protocol in Part 3 of the "SM2 Elliptic Curve Public Key Cryptographic Algorithm", the ECDH key exchange protocol based on SM2 is summarised as follows:
Suppose users A and B negotiate key data of length klen bits, with user A as the initiator and user B as the responder; note
Users A and B both perform the following calculation steps to obtain the same key:
User A:
Step 1: generate a random number r_A ∈ [1, n-1] with a random number generator;
Step 2: calculate the elliptic curve point R_A = [r_A]G = (x1, y1);
Step 3: send R_A to user B;
User B:
Step 4: generate a random number r_B ∈ [1, n-1] with a random number generator;
Step 5: calculate the elliptic curve point R_B = [r_B]G = (x2, y2);
Step 6: take the field element x2 from R_B, convert the data type of x2 to an integer, and calculate
Step 7: calculate
Step 8: verify whether R_A satisfies the elliptic curve equation; if not, the negotiation fails; otherwise take the field element x1 from R_A and calculate
Step 9: calculate the elliptic curve point V; if V is the point at infinity, the negotiation fails for B;
Step 10: calculate K_B = KDF(x_V || y_V || Z_A || Z_B, klen);
Step 11: convert the data types of the coordinates x1, y1 of R_A and x2, y2 of R_B to bit strings, and calculate S_B = Hash(0x02 || y_V || Hash(x_V || Z_A || Z_B || x1 || y1 || x2 || y2));
Step 12: send R_B (and optionally S_B) to user A;
User A:
Step 13: take the field element x1 from R_A and calculate
Step 14: calculate
Step 15: verify whether R_B satisfies the elliptic curve equation; if not, the negotiation fails; otherwise take the field element x2 from R_B and calculate
Step 16: calculate the elliptic curve point U; if U is the point at infinity, the negotiation fails for A;
Step 17: calculate K_A = KDF(x_U || y_U || Z_A || Z_B, klen);
Step 18: convert the data types of the coordinates x1, y1 of R_A and x2, y2 of R_B to bit strings, calculate S1 = Hash(0x02 || y_U || Hash(x_U || Z_A || Z_B || x1 || y1 || x2 || y2)), and check whether S1 = S_B holds; if the equation does not hold, key confirmation from B to A fails;
Step 19 (optional): calculate S_A = Hash(0x03 || y_U || Hash(x_U || Z_A || Z_B || x1 || y1 || x2 || y2)) and send S_A to user B.
User B:
Step 20 (optional): calculate S2 = Hash(0x03 || y_V || Hash(x_V || Z_A || Z_B || x1 || y1 || x2 || y2)) and check whether S2 = S_A holds; if the equation does not hold, key confirmation from A to B fails.
In the above, r_N denotes the random number generated by user N; K denotes the session key; P_N denotes the public key (SM2 public key) of user N; d_N denotes the private key (SM2 private key) of user N; E_X(Y) denotes encrypting Y with X; H(Y) denotes the hash (SM3 algorithm) of Y; ‖ denotes concatenation; Z_N denotes the hash value of user N's distinguishing identifier, part of the elliptic curve system parameters, user N's public key and r_N; Se denotes the session distinguishing identifier; n denotes the order of the base point G (n is a prime factor of #E(F_q)); h denotes the cofactor, h = #E(F_q)/n, where n is the order of the base point G; K_A and K_B denote the shared secret key agreed by the key exchange protocol on A's side and on B's side respectively; w denotes an initial predetermined value, which is fixed; t_N denotes the modular value computed from N's private key and random number.
In the above algorithm, users A and B can obtain a shared secret key over an insecure communication channel through the ECDH exchange (the key agreement algorithm). In the acquisition service, however, the terminal's computing capability is limited, and not all information is transmitted mutually during the key exchange, so the security is poor. The present invention therefore proposes, on this basis, an efficient key exchange protocol that meets the protection requirements of the acquisition service.
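The SM2 key exchange summarised above, carried through end to end as an added example (not code from the patent). It transcribes the SM2 curve parameters from GB/T 32918 and supplies from that standard the formulas the page omits (the reduced coordinate x̄, the value t, the points U and V, and Z_A/Z_B), uses hashlib's SM3 where the build has it and SHA-256 as a labelled stand-in otherwise, and the identifiers "terminal-A"/"gateway-B" and the tamper_sb switch are constructed. The K, S_B, S1 and S2 computations are the same ones that steps 9, 10 and 17 to 19 of the improved protocol later on this page reuse.

```python
import hashlib
import secrets

# SM2 recommended curve parameters, transcribed from GB/T 32918.5 (not from the page).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H_COF = 1    # cofactor h = #E(F_q)/n
W = 127      # w = ceil(ceil(log2 n) / 2) - 1 for the 256-bit SM2 curve
INF = None   # the point at infinity

def on_curve(pt):
    return pt is not INF and (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def add(p1, p2):
    # Affine addition/doubling on y^2 = x^3 + A*x + B over F_P.
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    # Scalar multiplication [k]pt by double-and-add.
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def i2b(x): return x.to_bytes(32, "big")

def hash_fn(data):
    # SM3 is the hash the page names; hashlib exposes it only on OpenSSL builds with SM3,
    # so SHA-256 stands in elsewhere (labelled assumption; the protocol logic is unchanged).
    try:
        return hashlib.new("sm3", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()

def kdf(z, klen):
    # KDF of GB/T 32918.4: hash(z || counter) blocks truncated to klen bits (klen % 8 == 0 assumed).
    out, ct = b"", 1
    while len(out) < klen // 8:
        out += hash_fn(z + ct.to_bytes(4, "big"))
        ct += 1
    return out[: klen // 8]

def z_value(ident, pub):
    # Z_N = H(ENTL || ID || a || b || xG || yG || xN || yN), as the SM2 standard defines it.
    entl = (len(ident) * 8).to_bytes(2, "big")
    return hash_fn(entl + ident + i2b(A) + i2b(B) + i2b(G[0]) + i2b(G[1]) + i2b(pub[0]) + i2b(pub[1]))

def x_bar(x):
    return (1 << W) + (x & ((1 << W) - 1))   # steps 6/8/13/15: x̄ = 2^w + (x mod 2^w)

def shared_point(d_own, r_own, R_own, P_peer, R_peer):
    # Steps 7-9 (B) and 14-16 (A): t = (d + x̄_own*r) mod n, point = [h*t](P_peer + [x̄_peer]R_peer).
    if not on_curve(R_peer):
        raise ValueError("peer ephemeral point is not on the curve: negotiation fails")
    t = (d_own + x_bar(R_own[0]) * r_own) % N
    pt = mul(H_COF * t, add(P_peer, mul(x_bar(R_peer[0]), R_peer)))
    if pt is INF:
        raise ValueError("shared point is the point at infinity: negotiation fails")
    return pt

def confirm_hashes(pt, ZA, ZB, RA, RB):
    # Inner = Hash(x || Z_A || Z_B || x1 || y1 || x2 || y2); returns the 0x02- and 0x03-tagged hashes.
    inner = hash_fn(i2b(pt[0]) + ZA + ZB + i2b(RA[0]) + i2b(RA[1]) + i2b(RB[0]) + i2b(RB[1]))
    return hash_fn(b"\x02" + i2b(pt[1]) + inner), hash_fn(b"\x03" + i2b(pt[1]) + inner)

def run_exchange(klen=128, tamper_sb=False):
    # One complete A<->B run; returns (K_A, K_B, S_A, S2). tamper_sb corrupts S_B on the wire.
    dA, dB = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1   # long-term SM2 keys
    PA, PB = mul(dA, G), mul(dB, G)
    ZA, ZB = z_value(b"terminal-A", PA), z_value(b"gateway-B", PB)       # constructed identifiers
    rA = secrets.randbelow(N - 1) + 1; RA = mul(rA, G)                     # steps 1-3
    rB = secrets.randbelow(N - 1) + 1; RB = mul(rB, G)                     # steps 4-5
    V = shared_point(dB, rB, RB, PA, RA)                                   # steps 6-9
    KB = kdf(i2b(V[0]) + i2b(V[1]) + ZA + ZB, klen)                       # step 10
    SB, S2 = confirm_hashes(V, ZA, ZB, RA, RB)                             # steps 11 and 20
    if tamper_sb: SB = bytes(b ^ 0xFF for b in SB)
    U = shared_point(dA, rA, RA, PB, RB)                                   # steps 13-16
    KA = kdf(i2b(U[0]) + i2b(U[1]) + ZA + ZB, klen)                       # step 17
    S1, SA = confirm_hashes(U, ZA, ZB, RA, RB)                             # steps 18-19
    if S1 != SB: raise ValueError("key confirmation from B to A failed")
    if S2 != SA: raise ValueError("key confirmation from A to B failed")
    return KA, KB, SA, S2
```

Because U = [h·t_A·t_B]G = V, both sides derive the same key, and a corrupted S_B is caught at step 18 before any key is used.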
Summary of the invention
The present invention provides a method for a new-energy plant generating-unit acquisition terminal to securely access a platform, which guarantees the confidentiality and integrity of data transmission, realises security filtering and exchange of service data, and realises closed-loop secure transmission of data.
To solve the above technical problem, the technical solution adopted by the present invention is as follows:
A method for a new-energy plant generating-unit acquisition terminal to securely access a platform, comprising the following steps:
1) the generating-unit acquisition terminal requests access to the station control system intranet;
2) the acquisition terminal and the secure access gateway of the secure access platform perform bidirectional identity authentication;
3) the identity authentication system of the secure access gateway performs security evaluation and identification of both communicating parties and grants or refuses access according to the result;
4) after authentication succeeds, the acquisition terminal establishes a communication channel with the secure access platform and exchanges data securely over it.
To improve security, in step 1) the acquisition terminal achieves terminal security hardening, identity authentication and data encryption/decryption either by adding a security chip or by means of an external encryption authentication module.
The encryption authentication module comprises a security check module, an identity authentication module and a secure communication module;
The security check module strictly checks the operating system version of the acquisition terminal, the system start-up items and the disk files at specific locations. When handling an acquisition terminal's access, the system first checks whether the terminal has one or more of the above characteristic parameters and decides according to the result whether the terminal may establish a connection with the secure access platform, thereby completely preventing an unhealthy acquisition terminal from accessing the intranet, ensuring the security of the acquisition terminal and preventing threats at their source;
The identity authentication module is realised by the external encryption authentication module of the acquisition terminal. A digital certificate issued by an authoritative institution is stored in the encryption authentication module, and through the designed authentication exchange protocol each communicating party verifies the peer certificate it receives. Before accessing the network, the acquisition terminal must complete, through the encryption authentication module and the CA authentication server of the secure access platform, a jointly guaranteed bidirectional identity authentication, so as to guarantee the legitimacy of the accessing terminal;
The secure communication module mainly ensures the integrity and confidentiality of data during transmission.
In step 2), the secure access gateway is responsible for establishing the secure channel to the acquisition terminal and for access control, and can guarantee both the security of the access transmission and the security of the internal application systems being accessed.
In step 2), a data isolation component is provided between the acquisition terminal and the secure access gateway of the secure access platform. The data isolation component uses a 2+1 architecture consisting of three parts: an intranet security host, an extranet security host and a dedicated physical-isolation data exchange module. It is deployed between networks of different security levels and, while providing network security isolation, offers bidirectional access control, network security isolation, intranet resource protection, data exchange management and data content filtering, prevents illegal links from penetrating the intranet and accessing it directly, and provides a precisely controllable information exchange service.
In step 3), the acquisition terminal requests access through the secure access gateway. First, the two parties verify each other's legitimacy according to the identity authentication protocol, which guarantees that only a legitimate terminal can establish a communication channel. On this basis, a secure symmetric cryptographic key is generated with the key exchange protocol and the transmission channel is encrypted with the generated key, which prevents data from being eavesdropped, tampered with, destroyed, or subjected to insertion and replay attacks during transmission, and so guarantees the security of data transmission.
The security of the above communication channel is guaranteed mainly by the SM2-based ECDH secure key exchange protocol and the bidirectional identity authentication protocol based on digital certificate technology. When the secure tunnel is established, both communicating parties must first complete identity authentication and key agreement; only a terminal that has completed identity authentication is allowed by the server side to proceed to the next step. For a terminal that does not meet the key agreement specification or has not completed identity authentication, the server side sends an error code to the terminal, and the encryption authentication device performs identity authentication again.
The present application combines digital certificate technology to realise signing and signature verification of transmitted messages, guaranteeing the identity legitimacy of the accessing terminal; through the designed authentication exchange protocol, each communicating party verifies the peer certificate it receives.
In the original SM2 ECDH key exchange protocol, users A and B can obtain a shared key through ECDH over an insecure communication channel, but in the acquisition service the terminal's computing capability is limited, and not all information is transmitted mutually during the key exchange, so the security is poor. On this basis the present application proposes an efficient key exchange protocol that meets the protection requirements of the acquisition service; the negotiation process is described in detail as follows:
User A:
Step 1: user A generates a random number r_A and a session distinguishing identifier Se;
Step 2: concatenate r_A, Se and ID_A to obtain A2 = r_A || Se || ID_A;
Step 3: hash the concatenation result to obtain A3 = H(r_A || Se || ID_A);
Step 4: sign A3 with d_A to obtain A4;
Step 5: concatenate A2 || A4 to obtain A5;
Step 6: send A5 to user B;
User B:
Step 7: receive user A's message and verify the signature to obtain r_A, Se and ID_A;
Step 8: user B generates a random number r_B;
Step 9: calculate Z_A and Z_B;
Step 10: generate the session key K, S_B and S2;
Step 11: concatenate r_B, Se, ID_B and S_B to obtain B5 = r_B || Se || ID_B || S_B (96 bytes);
Step 12: hash the concatenation result to obtain B6 = H(r_B || Se || ID_B || S_B) (32 bytes);
Step 13: sign B6 with d_B to obtain B7 (64 bytes);
Step 14: concatenate B5 || B7 to obtain B8;
Step 15: send B8 to user A;
User A:
Step 16: receive the message sent by user B and verify the signature to obtain r_B, ID_B and S_B;
Step 17: calculate Z_A and Z_B;
Step 18: generate the session key K and S1;
Step 19: compare S1 and S_B;
Step 20: generate S_A and send it to B.
In the above, r_N denotes the random number generated by user N (user A or user B); K denotes the session key; P_N denotes the public key (SM2 public key) of user N; d_N denotes the private key (SM2 private key) of user N; E_X(Y) denotes encrypting Y with X; H(Y) denotes the hash (SM3 algorithm) of Y; ‖ denotes concatenation; Z_N denotes the hash value of user N's distinguishing identifier, part of the elliptic curve system parameters, user N's public key and r_N; Se denotes the session distinguishing identifier; ID_A denotes the unique identifier of user A; ID_B denotes the unique identifier of user B; A2, A3 and A4 are intermediate values computed by user A, and A5 is user A's message; B5, B6 and B7 are intermediate values computed by user B, and B8 is user B's message; S_A, S_B, S1 and S2 denote the corresponding hash results.
The secure communication protocol of the present application is a secure access protection architecture for new-energy plant generating-unit acquisition terminals in communication. It studies network security access and protection technology for generating-unit acquisition terminals based on the national cryptographic algorithms in a real-time environment, including a security-hardened acquisition terminal, a secure access gateway and a data filtering component, and realises security protection from the data source without affecting the real-time data acquisition function.
Based on the current state of secure communication for new-energy generating-unit acquisition terminals, and combined with the national cryptographic algorithms, the present application proposes an improved secure communication protocol. The protocol mainly adds a message security protocol layer message on top of the existing application layer protocol and encrypts the application message with the national SM1 algorithm, so as to guarantee the integrity and confidentiality of the data.
The initiator can SM2-encrypt the generated random number with its own private key. It first hashes the public key in its own digital certificate with the SM3 algorithm, signs the result with its own SM2 private key, and then sends the signature value together with the digital certificate to the authentication responder.
After the authentication responder receives the initiator's identity authentication request, it obtains the initiator's digital certificate from the message, extracts the public key from the certificate with the X509 parsing API of OpenSSL (the secure sockets layer cryptographic library), and verifies the transmitted signature value with that public key. If verification succeeds, the responder has verified the initiator's identity; at this point the responder should also send its own digital certificate to the initiator so that bidirectional identity authentication succeeds. The responder's message is assembled in the same way as the initiator's, and this is not repeated here.
In step 4), the secure data interaction comprises the following steps:
A. The acquisition terminal initialises a connection with the station control system via the secure access gateway;
B. The secure access gateway opens a listening port and creates a thread pool;
C. When data is received from the acquisition terminal, a sub-thread is started to process it, and the next step is determined by the type of the received message: if the message type is a key agreement message, go to step D; if the message type is a ciphertext message, go to step E;
D. For a key agreement message, the process is the key agreement between the acquisition terminal and the secure access gateway; after key agreement succeeds, the secure access gateway connects to the station control system and both sides carry out secure data interaction; otherwise the secure access gateway returns an error message to the acquisition terminal and closes the connection;
E. For a ciphertext message, the secure access gateway decrypts the ciphertext; if decryption succeeds, the plaintext is sent to the station control system; otherwise the secure access gateway returns an error message to the acquisition terminal and closes the connection.
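The step C to E dispatch above, as an added example (not the patent's code): one gateway-side handler that takes the already parsed message type, runs the key agreement through a caller-supplied `agree` callback (the SM2 exchange itself is not repeated here), and on a ciphertext message either decrypts and forwards the plaintext or returns an error code and closes the connection. The listener, thread pool and SM1 cipher are assumptions: threading is omitted, and a hash-counter keystream with an HMAC tag stands in for SM1 so that a tampered or truncated message is detected and fails closed; the `Session` model, error codes and `demo_agree` are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MSG_KEY_AGREEMENT, MSG_CIPHERTEXT = 0x01, 0x02   # the two message types dispatched in step C
NONCE_LEN, TAG_LEN = 12, 16


@dataclass
class Session:
    """Per-connection state the gateway keeps for one acquisition terminal (constructed model)."""
    key: bytes = b""                 # empty until key agreement (step D) succeeds
    station_connected: bool = False  # gateway has connected to the station control system
    open: bool = True                # False once the gateway has closed the connection
    forwarded: list = field(default_factory=list)   # plaintexts passed to the station side
    errors: list = field(default_factory=list)      # error codes returned to the terminal


def keystream(key, nonce, length):
    # Hash-counter keystream: a labelled stand-in for the SM1 block cipher the page names.
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def seal(key, plaintext):
    """Terminal side: nonce || ciphertext || HMAC tag, so the gateway can detect tampering."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key, blob):
    """Gateway side: verify the tag before decrypting; any failure raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated ciphertext message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def fail_closed(session, code):
    """Failure branch of steps D and E: return an error code to the terminal and close."""
    session.errors.append(code)
    session.open = False
    session.key = b""
    return ("error", code)


def handle_message(session, msg_type, payload, agree):
    """Step C dispatch for one received message. `agree(payload)` performs the key agreement
    and returns the session key, or None when it fails."""
    if not session.open:
        return ("error", "CONNECTION_CLOSED")
    if msg_type == MSG_KEY_AGREEMENT:                       # step D
        key = agree(payload)
        if key is None:
            return fail_closed(session, "KEY_AGREEMENT_FAILED")
        session.key, session.station_connected = key, True
        return ("agreed", None)
    if msg_type == MSG_CIPHERTEXT:                          # step E
        if not session.key:                                 # ciphertext before any agreed key
            return fail_closed(session, "NO_SESSION_KEY")
        try:
            plaintext = unseal(session.key, payload)
        except ValueError:
            return fail_closed(session, "DECRYPT_FAILED")
        session.forwarded.append(plaintext)                 # plaintext goes to the station control system
        return ("forward", plaintext)
    return fail_closed(session, "UNKNOWN_MESSAGE_TYPE")


def demo_agree(payload):
    """Constructed stand-in for step D: accept one fixed proposal and derive a 16-byte key from it."""
    if payload != b"SM2-KEY-AGREEMENT-OK":
        return None
    return hashlib.sha256(b"demo-session-key|" + payload).digest()[:16]
```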
Addressing the access security problem of new-energy plant acquisition terminals, the present invention carries out security architecture design and research in three areas: terminal security protection, channel security protection and station-level security protection. According to the service characteristics and data transmission modes of wind power and photovoltaic generating-unit acquisition terminals, and combined with an analysis of acquisition terminal attack scenarios, a secure communication protocol based on the national cryptographic algorithms is studied and designed for communication modes such as wireless private network, wireless public network, dial-up access, intelligent access and satellite communication. A bidirectional encrypted tunnel is established between the acquisition terminal and the station-level access platform, which guarantees the confidentiality and integrity of data transmission, realises security filtering and exchange of service data, and realises closed-loop secure transmission of data.
Technology not mentioned in the present invention refers to the prior art.
The present invention has the following beneficial effects:
1) In the three aspects of acquisition terminal security, network access channel security and station-level system security, the network security access and protection technology for generator unit acquisition terminals based on the national cryptographic algorithms is studied in a real-time environment; the architecture has clear layers and realizes the integrity and confidentiality of data transmission in every aspect;
2) For the particular environment of new energy plant station generator unit acquisition terminals, by studying the existing DH key exchange protocol and the ECDH key exchange protocol, an improved key exchange protocol based on the SM2 algorithm and suitable for the acquisition service of new energy plant station generator units is proposed, while guaranteeing the security of the key exchange;
3) For communication modes such as wireless private network, wireless public network, dial-up access, intelligent access and satellite communication, a secure communication protocol based on the national cryptographic algorithms is studied and designed, ensuring the security of channel protection when the various generator unit acquisition terminals of a new energy plant station access the platform.
Description of the drawings
Fig. 1 is the secure access protection architecture diagram of the new energy plant station generator unit acquisition terminal;
Fig. 2 is the data interaction diagram between the acquisition terminal and the secure access platform;
Fig. 3 is the key agreement flow diagram of the improved ECDH key exchange protocol based on SM2 of the present invention.
Specific embodiment
For a better understanding of the present invention, the content of the present invention is further elucidated below with reference to the embodiments, but the content of the present invention is not limited solely to the following examples.
The system architecture of the new energy plant station generator unit acquisition terminal secure access platform includes: the security-hardened acquisition terminal, the safe access gateway and the data isolation component; the system architecture diagram is shown in Fig. 1.
The method of the new energy plant station generator unit acquisition terminal secure access platform includes the following steps:
1) the generator unit acquisition terminal requests access to the station control system intranet;
2) the acquisition terminal and the safe access gateway of the secure access platform carry out bidirectional identity authentication;
3) the identity authentication system of the safe access gateway carries out security evaluation and identification of both communicating parties, and performs access or refusal control according to the evaluation and identification result;
4) after authentication succeeds, the acquisition terminal carries out secure data interaction with the secure access platform by establishing a communication channel.
In step 1), the acquisition terminal realizes terminal security hardening, identity authentication and data encryption/decryption by adding a security chip or by means of an external encryption authentication module.
The encryption authentication module includes a security check module, an authentication module and a secure communication module.
The security check module strictly scrutinizes the operating system version of the acquisition terminal, the startup items of the system and the disk files at specific locations. When handling acquisition terminal access, the system first checks whether the terminal has one or several of the above feature parameters, and determines according to the check result whether the terminal may establish a connection with the secure access platform, thoroughly preventing non-compliant acquisition terminals from accessing the intranet, ensuring the security of the acquisition terminal and preventing threats at the source.
The authentication module is realized by the external encryption authentication module of the acquisition terminal, and the digital certificate issued by an authoritative institution is stored in the encryption authentication module. Through the designed authentication exchange protocol, each communicating party verifies the certificate received from the peer; before accessing the network, the acquisition terminal must complete the bidirectional identity authentication jointly guaranteed by the encryption authentication module and the CA authentication server of the secure access platform, so as to guarantee the legitimacy of the accessing terminal.
The secure communication module mainly serves to ensure the integrity and confidentiality of data during transmission.
The safe access gateway in step 2) is responsible for establishing the secure channel and performing access control on the acquisition terminal, and can guarantee the security of access transmission and the security of the internal application systems being accessed.
A data isolation component is provided between the acquisition terminal and the safe access gateway of the secure access platform. The data isolation component uses a 2+1 system architecture, comprising three parts: an intranet security host, an extranet security host and a dedicated physical isolation data exchange module. It is deployed between networks of different security classes and, while realizing network security isolation, provides functions such as bidirectional access control, network security isolation, intranet resource protection, data exchange management and data content filtering; it prevents illegal links from penetrating into the intranet for direct access and provides precisely controllable information exchange services.
In step 3), the acquisition terminal requests access through the safe access gateway. First, the two parties mutually verify each other's legitimacy according to the identity authentication protocol, which guarantees that only legitimate terminals can establish a communication channel. On this basis, a secure symmetric encryption key is generated using the key exchange protocol and the generated key is used to encrypt the transmission channel, preventing data from being eavesdropped, tampered with, destroyed, inserted or replayed during transmission and guaranteeing the security of data transmission.
The security of the above communication channel is mainly guaranteed by the ECDH secure key exchange protocol based on SM2 and the bidirectional identity authentication protocol based on digital certificate technology. When the secure tunnel is established, the two communicating parties first need to complete identity authentication and key agreement; only a terminal that has completed identity authentication is allowed by the server side to carry out the next operation. For a terminal that does not satisfy the key agreement specification or has not completed identity authentication, the server side sends an error code to the terminal, and the encryption authentication device re-performs identity authentication.
The present patent application combines digital certificate technology to realize signing and signature verification of transmitted messages and to guarantee the identity legitimacy of the accessing terminal; through the designed authentication exchange protocol, each communicating party verifies the certificate received from the peer.
In the original ECDH key exchange protocol of SM2, user A and user B can obtain a shared key by exchanging through ECDH over an insecure communication channel. However, the computing capability of terminals in the acquisition service is limited, and since not all information is transmitted mutually during the key exchange process, its security is poor. On this basis, an efficient key exchange protocol satisfying the protection requirements of the acquisition service is proposed; the negotiation process is described in detail as follows:
User A:
Step 1: user A generates a random number r_A (32 bytes) and a session distinguishing identifier Se (16 bytes);
Step 2: concatenate r_A, Se and ID_A to obtain A2 = r_A || Se || ID_A (64 bytes);
Step 3: hash the concatenation result to obtain A3 = H(r_A || Se || ID_A) (32 bytes);
Step 4: sign A3 using d_A to obtain A4 (64 bytes);
Step 5: concatenate A2 || A4 to obtain A5 (128 bytes);
Step 6: send A5 to user B;
User B:
Step 7: obtain the message of user A; signature verification yields the information r_A, Se, ID_A;
Step 8: user B generates a random number r_B (32 bytes);
Step 9: calculate Z_A, Z_B (both 32 bytes);
Step 10: generate the session key K (16 bytes), S_B (32 bytes) and S_2 (32 bytes);
Step 11: concatenate r_B, Se, ID_B and S_B to obtain B5 = r_B || Se || ID_B || S_B (96 bytes);
Step 12: hash the concatenation result to obtain B6 = H(r_B || Se || ID_B || S_B) (32 bytes);
Step 13: sign B6 using d_B to obtain B7 (64 bytes);
Step 14: concatenate B5 || B7 to obtain B8;
Step 15: send B8 to user A;
User A:
Step 16: obtain the message sent by user B; signature verification yields the information r_B, ID_B, S_B;
Step 17: calculate Z_A, Z_B;
Step 18: generate the session key K and S_1;
Step 19: compare S_1 and S_B;
Step 20: generate S_A and send it to B;
In the above, r_N denotes the random number generated by user N (that is, r_A denotes the random number generated by user A and r_B the random number generated by user B); K denotes the session key; P_N denotes the public key (SM2 public key) of user N; d_N denotes the private key (SM2 private key) of user N; E_X(Y) denotes the encryption operation on Y with X; H(Y) denotes the hash operation (SM3 algorithm) on Y; || denotes concatenation; Z_N denotes the hash value of user N's distinguishing identifier, part of the elliptic curve system parameters, user N's public key and r_N; Se denotes the session distinguishing identifier; ID_A denotes the unique identifier of user A; ID_B denotes the unique identifier of user B; A2, A3 and A4 are the process parameters obtained by user A, and A5 is the message of user A; B5, B6 and B7 are the process parameters obtained by user B, and B8 is the message of user B; S_A, S_B, S_1 and S_2 denote the corresponding hash results. User N means user A or user B.
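The twenty steps above, as an added example that is not the patent's own code: a Python model of the message layout (A2, A3, A4, A5 and B5 to B8 with the byte sizes given above), the sign test at steps 7 and 16 and the key confirmation at step 19. SM2, SM3 and the elliptic-curve shared-secret computation are not implemented; they are replaced by labelled stand-ins (HMAC-SHA512 "signatures", SHA-256 hashing, a hash-based derivation of K, S_A, S_B, S_1 and S_2), and the identifiers, the curve-parameter placeholder and the certificate directory are constructed.

```python
import hashlib
import hmac
import os

# Field sizes in bytes, as given in the patent's step descriptions.
R_LEN, SE_LEN, ID_LEN, HASH_LEN, SIG_LEN, K_LEN = 32, 16, 16, 32, 64, 16
A2_LEN, B5_LEN = R_LEN + SE_LEN + ID_LEN, R_LEN + SE_LEN + ID_LEN + HASH_LEN  # 64, 96
CURVE_PARAMS = b"sm2-curve-parameters-placeholder"  # stand-in for the curve parameters hashed into Z_N
ID_A, ID_B = b"acq-terminal-01".ljust(ID_LEN, b"\0"), b"gateway-01".ljust(ID_LEN, b"\0")  # constructed


def H(data: bytes) -> bytes:
    """Hash step: SM3 in the patent, SHA-256 stand-in here (same 32-byte output)."""
    return hashlib.sha256(data).digest()


def make_directory(*idents) -> dict:
    """Constructed stand-in for the CA-issued certificates: ID_N -> (P_N, d_N) with P_N = H(d_N)."""
    keys = {ident: os.urandom(32) for ident in idents}
    return {ident: (H(d), d) for ident, d in keys.items()}


class Party:
    """User A or user B. A 'signature' is HMAC-SHA512(d_N, msg), 64 bytes like an SM2 (r, s) pair;
    unlike SM2 the verifier needs d_N as well, which is why the directory stand-in carries it."""

    def __init__(self, ident: bytes, directory: dict):
        self.id, self.directory, self.d = ident, directory, directory[ident][1]
        self.r = self.Se = self.K = self.S2 = None

    def _peer(self, ident: bytes):
        if ident not in self.directory:
            raise ValueError("unknown peer identifier %r" % ident)
        return self.directory[ident]

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self.d, msg, hashlib.sha512).digest()

    def verify(self, ident: bytes, msg: bytes, sig: bytes) -> None:
        # Sign test of a peer message; raises so that a caller cannot forget to check the result.
        expected = hmac.new(self._peer(ident)[1], msg, hashlib.sha512).digest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("sign test failed for %r" % ident)

    def Z(self, ident: bytes, r: bytes) -> bytes:
        """Z_N = H(ID_N || curve parameters || P_N || r_N), per the notation paragraph."""
        return H(ident + CURVE_PARAMS + self._peer(ident)[0] + r)

    @staticmethod
    def derive(ZA: bytes, ZB: bytes, rA: bytes, rB: bytes):
        """Stand-in for the ECDH point computation: K (16 bytes) plus the confirmation hashes.
        Tag 0x02 marks S_B/S_1 (B -> A), 0x03 marks S_A/S_2 (A -> B); the tags are an assumption."""
        shared = ZA + ZB + rA + rB
        K = H(b"K" + shared)[:K_LEN]
        return K, H(b"\x02" + K + shared), H(b"\x03" + K + shared)

    def a_start(self) -> bytes:                     # user A, steps 1-6
        self.r, self.Se = os.urandom(R_LEN), os.urandom(SE_LEN)
        A2 = self.r + self.Se + self.id             # 64 bytes
        A4 = self.sign(H(A2))                       # A3 = H(A2) (32 bytes), A4 = signature (64 bytes)
        return A2 + A4                              # A5, 128 bytes

    def b_respond(self, A5: bytes) -> bytes:        # user B, steps 7-15
        if len(A5) != A2_LEN + SIG_LEN:
            raise ValueError("bad A5 length")
        A2, A4 = A5[:A2_LEN], A5[A2_LEN:]
        rA, self.Se, IDA = A2[:R_LEN], A2[R_LEN:R_LEN + SE_LEN], A2[R_LEN + SE_LEN:]
        self.verify(IDA, H(A2), A4)                 # step 7: sign test before any field is used
        self.r = os.urandom(R_LEN)                  # step 8
        ZA, ZB = self.Z(IDA, rA), self.Z(self.id, self.r)       # step 9
        self.K, SB, self.S2 = self.derive(ZA, ZB, rA, self.r)   # step 10: K, S_B, S_2
        B5 = self.r + self.Se + self.id + SB        # 96 bytes
        return B5 + self.sign(H(B5))                # B6 = H(B5), B7 = signature, B8 = B5 || B7

    def a_finish(self, B8: bytes) -> bytes:         # user A, steps 16-20
        if len(B8) != B5_LEN + SIG_LEN:
            raise ValueError("bad B8 length")
        B5, B7 = B8[:B5_LEN], B8[B5_LEN:]
        rB, Se, IDB, SB = B5[:R_LEN], B5[R_LEN:R_LEN + SE_LEN], B5[R_LEN + SE_LEN:A2_LEN], B5[A2_LEN:]
        self.verify(IDB, H(B5), B7)                 # step 16: sign test
        if Se != self.Se:                           # the reply must belong to A's own session
            raise ValueError("session identifier mismatch")
        ZA, ZB = self.Z(self.id, self.r), self.Z(IDB, rB)       # step 17
        K, S1, SA = self.derive(ZA, ZB, self.r, rB)             # step 18
        if not hmac.compare_digest(S1, SB):         # step 19: B has proved it holds the same K
            raise ValueError("S1 != S_B: key confirmation failed")
        self.K = K
        return SA                                   # step 20: S_A goes to B

    def b_confirm(self, SA: bytes) -> None:
        # B compares S_A with its S_2 (implied by the notation, not spelled out in the steps).
        if not hmac.compare_digest(SA, self.S2):
            raise ValueError("S_A != S_2: key confirmation failed")


def run_exchange(directory: dict):
    """Complete run of steps 1-20; returns (K_A, K_B), which must be equal."""
    A, B = Party(ID_A, directory), Party(ID_B, directory)
    B.b_confirm(A.a_finish(B.b_respond(A.a_start())))
    return A.K, B.K
```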
Based on the above secure communication status of new energy generator unit acquisition terminals, an improved secure communication protocol is proposed in combination with the national cryptographic algorithms. The protocol mainly adds a message security protocol layer on the basis of the existing application layer protocol and encrypts the application messages using the national SM1 algorithm, so as to guarantee the integrity and confidentiality of data.
The initiator can perform SM2 encryption of the generated random number with its own private key. It first performs a HASH operation with the SM3 algorithm on the public key in its own digital certificate, signs the operation result with its own SM2 private key, and then sends the signature value and the digital certificate to the authentication responder.
After the authentication responder receives the identity authentication request of the initiator, it obtains the initiator's digital certificate from the message, extracts the public key in the digital certificate using the X509 parsing API of OpenSSL (the Secure Sockets Layer cryptographic library), and uses that public key to verify the transmitted signature value. If the signature verification succeeds, the responder has verified the initiator's identity successfully; at this point the responder should also send its own digital certificate to the initiator, so that bidirectional identity authentication succeeds. The responder's message assembly process is similar to the initiator's and is not repeated here.
The secure data interaction in step 4) includes the following steps:
A. The acquisition terminal initializes a connection with the station control system via the safe access gateway;
B. The safe access gateway opens a port to listen and creates a thread pool;
C. When data from the acquisition terminal is received, a sub-thread is started to handle the received data, and the next step is determined by the type of message received: if the message type is a key agreement message, go to step D; if the message type is a ciphertext message, go to step E;
D. If it is a key agreement message, the process is the key agreement process between the acquisition terminal and the safe access gateway; after key agreement succeeds, the safe access gateway connects to the station control system and both sides carry out secure data interaction; otherwise, the safe access gateway returns an error message to the acquisition terminal and closes the connection;
E. If it is a ciphertext message, the safe access gateway decrypts the ciphertext; if decryption succeeds, the plaintext is sent to the station control system; otherwise, the safe access gateway returns an error message to the acquisition terminal and closes the connection.
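Steps A to E above (listed identically in the summary and in this embodiment), as an added example that is not the patent's code: a gateway dispatcher that keeps per-connection state, accepts ciphertext only after a successful key agreement, verifies before decrypting, forwards plaintext to the station control system and, on any failure, returns an error to the terminal and closes the connection. The one-byte message types, the HMAC-based stand-in for the SM1 cipher and the `demo_negotiate` stand-in for the step-3 key agreement are assumptions.

```python
import hashlib
import hmac
import os
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, List, Optional

MSG_KEY_AGREEMENT, MSG_CIPHERTEXT = 0x01, 0x02   # one-byte type field; values are assumed
NONCE_LEN, TAG_LEN, K_LEN = 16, 32, 16


def _keystream(K: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in keystream (HMAC-SHA256 in counter mode); the SM1 algorithm of the patent is not public."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(K, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(K: bytes, plaintext: bytes) -> bytes:
    """Terminal side: nonce || ciphertext || tag (encrypt-then-MAC, so tampering is caught before decryption)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(K, nonce, len(plaintext))))
    return nonce + ct + hmac.new(K, nonce + ct, hashlib.sha256).digest()


def open_sealed(K: bytes, blob: bytes) -> Optional[bytes]:
    """Gateway side: returns the plaintext, or None if the message is malformed or the tag fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(K, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(K, nonce, len(ct))))


class Connection:
    """Per-terminal state held by the gateway (step A)."""
    def __init__(self) -> None:
        self.K: Optional[bytes] = None       # set only after a successful key agreement (step D)
        self.closed = False
        self.to_station: List[bytes] = []    # plaintext forwarded to the station control system
        self.to_terminal: List[bytes] = []   # error messages returned to the terminal


class Gateway:
    def __init__(self, negotiate: Callable[[bytes], Optional[bytes]], workers: int = 4) -> None:
        self.negotiate = negotiate           # runs the step-3 key agreement; returns K or None
        self.pool = ThreadPoolExecutor(max_workers=workers)   # step B: thread pool

    def handle(self, conn: Connection, msg: bytes) -> str:
        """Step C: dispatch one received message by type; returns the action taken."""
        if conn.closed:
            return "dropped"                 # nothing is accepted once an error closed the connection
        if not msg:
            return self._fail(conn, b"empty message")
        mtype, payload = msg[0], msg[1:]
        if mtype == MSG_KEY_AGREEMENT:       # step D
            K = self.negotiate(payload)
            if K is None:
                return self._fail(conn, b"key agreement failed")
            conn.K = K
            return "negotiated"
        if mtype == MSG_CIPHERTEXT:          # step E
            if conn.K is None:               # ciphertext before key agreement: no key to check it against
                return self._fail(conn, b"no session key")
            plaintext = open_sealed(conn.K, payload)
            if plaintext is None:
                return self._fail(conn, b"decryption failed")
            conn.to_station.append(plaintext)
            return "forwarded"
        return self._fail(conn, b"unknown message type")

    def _fail(self, conn: Connection, reason: bytes) -> str:
        """Failure branch of steps D/E: return an error message to the terminal and close the connection."""
        conn.to_terminal.append(b"ERROR: " + reason)
        conn.closed = True
        return "error"

    def serve(self, conn: Connection, messages: List[bytes]) -> List[str]:
        """Step C: one worker thread per terminal stream, so a terminal's messages keep their order."""
        def work() -> List[str]:
            return [self.handle(conn, m) for m in messages]
        return self.pool.submit(work).result()


def demo_negotiate(payload: bytes) -> Optional[bytes]:
    """Constructed stand-in for the SM2 key agreement of step 3: accept a 16-byte payload as K."""
    return payload if len(payload) == K_LEN else None
```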
The above addresses the access security problem of new energy plant station acquisition terminals: security architecture design and research have been carried out in three aspects, terminal security protection, channel security protection and station-level security protection. According to the business characteristics and data transmission modes of wind power and photovoltaic generator unit acquisition terminals, and combined with analysis of attack scenarios against acquisition terminals, a secure communication protocol based on the national cryptographic algorithms is studied and designed for communication modes such as wireless private network, wireless public network, dial-up access, intelligent access and satellite communication; a bidirectional encrypted tunnel is established between the acquisition terminal and the station-level access platform, which ensures the confidentiality and integrity of data transmission, realizes security filtering and exchange of business data, and realizes closed-loop secure transmission of data.
Claims (9)
1. A method of a new energy plant station generator unit acquisition terminal secure access platform, characterized by comprising the following steps:
1) the generator unit acquisition terminal requests access to the station control system intranet;
2) the acquisition terminal and the safe access gateway of the secure access platform carry out bidirectional identity authentication;
3) the identity authentication system of the safe access gateway carries out security evaluation and identification of both communicating parties, and performs access or refusal control according to the evaluation and identification result;
4) after authentication succeeds, the acquisition terminal carries out secure data interaction with the secure access platform by establishing a communication channel.
2. The method of the new energy plant station generator unit acquisition terminal secure access platform as described in claim 1, characterized in that: in step 1), the acquisition terminal realizes terminal security hardening, identity authentication and data encryption/decryption by adding a security chip or by means of an external encryption authentication module.
3. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in claim 2, characterized in that: the encryption authentication module includes a security check module, an authentication module and a secure communication module;
the security check module closely inspects the operating system version of the acquisition terminal, the startup items of the system and the disk files at specific locations; when handling acquisition terminal access, the system first checks whether the terminal has one or several of the above feature parameters, and determines according to the check result whether the terminal may establish a connection with the secure access platform;
the authentication module is realized by the external encryption authentication module of the acquisition terminal, and the digital certificate issued by an authoritative institution is stored in the encryption authentication module; through the designed authentication exchange protocol, each communicating party verifies the certificate received from the peer; before accessing the network, the acquisition terminal must complete the bidirectional identity authentication jointly guaranteed by the encryption authentication module and the CA authentication server of the secure access platform, so as to guarantee the legitimacy of the accessing terminal;
the secure communication module is used to guarantee the integrity and confidentiality of data during transmission.
4. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in any one of claims 1-3, characterized in that: the safe access gateway in step 2) is responsible for establishing the secure channel and performing access control on the acquisition terminal.
5. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in claim 4, characterized in that: in step 2), a data isolation component is provided between the acquisition terminal and the safe access gateway of the secure access platform; the data isolation component uses a 2+1 system architecture, comprising three parts: an intranet security host, an extranet security host and a dedicated physical isolation data exchange module.
6. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in any one of claims 1-3, characterized in that: in step 3), the acquisition terminal requests access through the safe access gateway; first, the two parties mutually verify each other's legitimacy according to the identity authentication protocol, guaranteeing that only legitimate terminals can establish a communication channel; on this basis, a secure symmetric encryption key is generated using the key exchange protocol and the generated key is used to encrypt the transmission channel.
7. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in claim 6, characterized in that: the security of the communication channel is guaranteed by the ECDH secure key exchange protocol based on SM2 and the bidirectional identity authentication protocol based on digital certificate technology; when the secure tunnel is established, the two communicating parties first complete identity authentication and key agreement; only a terminal that has completed identity authentication is allowed by the server side to carry out the next operation; for a terminal that does not satisfy the key agreement specification or has not completed identity authentication, the server side sends an error code to the terminal, and the encryption authentication device re-performs identity authentication.
8. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in claim 7, characterized in that: the key agreement process is as follows:
User A:
Step 1: user A generates a random number r_A and a session distinguishing identifier Se;
Step 2: concatenate r_A, Se and ID_A to obtain A2 = r_A || Se || ID_A;
Step 3: hash the concatenation result to obtain A3 = H(r_A || Se || ID_A);
Step 4: sign A3 using d_A to obtain A4;
Step 5: concatenate A2 || A4 to obtain A5;
Step 6: send A5 to user B;
User B:
Step 7: obtain the message of user A; signature verification yields the information r_A, Se, ID_A;
Step 8: user B generates a random number r_B;
Step 9: calculate Z_A, Z_B;
Step 10: generate the session key K, S_B and S_2;
Step 11: concatenate r_B, Se, ID_B and S_B to obtain B5 = r_B || Se || ID_B || S_B;
Step 12: hash the concatenation result to obtain B6 = H(r_B || Se || ID_B || S_B);
Step 13: sign B6 using d_B to obtain B7;
Step 14: concatenate B5 || B7 to obtain B8;
Step 15: send B8 to user A;
User A:
Step 16: obtain the message sent by user B; signature verification yields the information r_B, ID_B, S_B;
Step 17: calculate Z_A, Z_B;
Step 18: generate the session key K and S_1;
Step 19: compare S_1 and S_B;
Step 20: generate S_A and send it to user B;
in the above, r_N denotes the random number generated by user N; K denotes the session key; P_N denotes the public key (SM2 public key) of user N; d_N denotes the private key (SM2 private key) of user N; E_X(Y) denotes the encryption operation on Y with X; H(Y) denotes the hash operation (SM3 algorithm) on Y; || denotes concatenation; Z_N denotes the hash value of user N's distinguishing identifier, part of the elliptic curve system parameters, user N's public key and r_N; Se denotes the session distinguishing identifier; ID_A denotes the unique identifier of user A; ID_B denotes the unique identifier of user B; A2, A3 and A4 are the process parameters obtained by user A, and A5 is the message of user A; B5, B6 and B7 are the process parameters obtained by user B, and B8 is the message of user B; S_A, S_B, S_1 and S_2 denote the corresponding hash results.
9. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in any one of claims 1-3, characterized in that: in step 4), the secure data interaction includes the following steps:
A. the acquisition terminal initializes a connection with the station control system via the safe access gateway;
B. the safe access gateway opens a port to listen and creates a thread pool;
C. when data from the acquisition terminal is received, a sub-thread is started to handle the received data, and the next step is determined by the type of message received: if the message type is a key agreement message, go to step D; if the message type is a ciphertext message, go to step E;
D. if it is a key agreement message, the process is the key agreement process between the acquisition terminal and the safe access gateway; after key agreement succeeds, the safe access gateway connects to the station control system and both sides carry out secure data interaction; otherwise, the safe access gateway returns an error message to the acquisition terminal and closes the connection;
E. if it is a ciphertext message, the safe access gateway decrypts the ciphertext; if decryption succeeds, the plaintext is sent to the station control system; otherwise, the safe access gateway returns an error message to the acquisition terminal and closes the connection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810924796.8A CN109088870B (en) | 2018-08-14 | 2018-08-14 | Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109088870A true CN109088870A (en) | 2018-12-25 |
CN109088870B CN109088870B (en) | 2021-05-04 |
Family
ID=64834674
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810924796.8A Active CN109088870B (en) | 2018-08-14 | 2018-08-14 | Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109088870B (en) |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110233735A (en) * | 2019-06-14 | 2019-09-13 | 全球能源互联网研究院有限公司 | A kind of grid-connected power station industrial control system comprehensive safety protecting method and system |
CN110572265A (en) * | 2019-10-24 | 2019-12-13 | 国网山东省电力公司信息通信公司 | terminal security access gateway method, device and system based on quantum communication |
CN110996318A (en) * | 2019-12-23 | 2020-04-10 | 广西电网有限责任公司电力科学研究院 | Safety communication access system of intelligent inspection robot of transformer substation |
CN111756627A (en) * | 2020-06-24 | 2020-10-09 | 广东电网有限责任公司电力科学研究院 | Cloud platform security access gateway of electric power monitored control system |
CN111953489A (en) * | 2020-08-31 | 2020-11-17 | 中国电力科学研究院有限公司 | SM2 algorithm-based key exchange device and method for collecting service of power generation unit |
CN111988328A (en) * | 2020-08-26 | 2020-11-24 | 中国电力科学研究院有限公司 | Safety guarantee method and system for acquiring terminal data of power generation unit of new energy plant station |
CN112020037A (en) * | 2020-09-25 | 2020-12-01 | 卡斯柯信号(郑州)有限公司 | Domestic communication encryption method suitable for rail transit |
CN113783868A (en) * | 2021-09-08 | 2021-12-10 | 广西东信数建信息科技有限公司 | Method and system for protecting security of gate Internet of things based on commercial password |
CN114254373A (en) * | 2022-03-01 | 2022-03-29 | 中国电力科学研究院有限公司 | Encryption transmission method, device and system |
CN114546519A (en) * | 2022-01-26 | 2022-05-27 | 华北电力大学 | Industrial control safety data acquisition system and method |
CN114626956A (en) * | 2022-01-06 | 2022-06-14 | 北芯导航技术(南京)有限公司 | Energy information utilization platform based on Internet of things |
WO2022135404A1 (en) * | 2020-12-26 | 2022-06-30 | 西安西电捷通无线网络通信股份有限公司 | Identity authentication method and device, storage medium, program, and program product |
CN115277025A (en) * | 2022-08-26 | 2022-11-01 | 广州万协通信息技术有限公司 | Device authentication method for security chip, security chip device, and medium |
CN115622813A (en) * | 2022-12-19 | 2023-01-17 | 深圳市永达电子信息股份有限公司 | Remote access management method, system and electronic equipment |
US20230231712A1 (en) * | 2022-01-14 | 2023-07-20 | Micron Technology, Inc. | Embedded tls protocol for lightweight devices |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101951603A (en) * | 2010-10-14 | 2011-01-19 | 中国电子科技集团公司第三十研究所 | Access control method and system for wireless local area network |
CN103037367A (en) * | 2012-12-27 | 2013-04-10 | 天津大学 | Cipher hash computing based authentication method in wireless sensor network |
CN104408371A (en) * | 2014-10-14 | 2015-03-11 | 中国科学院信息工程研究所 | Implementation method of high security application system based on trusted execution environment |
US9654466B1 (en) * | 2012-05-29 | 2017-05-16 | Citigroup Technology, Inc. | Methods and systems for electronic transactions using dynamic password authentication |
CN107018134A (en) * | 2017-04-06 | 2017-08-04 | 北京中电普华信息技术有限公司 | A kind of distribution terminal secure accessing platform and its implementation |
CN108055240A (en) * | 2017-11-15 | 2018-05-18 | 上海国际汽车城(集团)有限公司 | A kind of user authentication method of shared automobile |
-
2018
- 2018-08-14 CN CN201810924796.8A patent/CN109088870B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101951603A (en) * | 2010-10-14 | 2011-01-19 | 中国电子科技集团公司第三十研究所 | Access control method and system for wireless local area network |
US9654466B1 (en) * | 2012-05-29 | 2017-05-16 | Citigroup Technology, Inc. | Methods and systems for electronic transactions using dynamic password authentication |
CN103037367A (en) * | 2012-12-27 | 2013-04-10 | 天津大学 | Cipher hash computing based authentication method in wireless sensor network |
CN104408371A (en) * | 2014-10-14 | 2015-03-11 | 中国科学院信息工程研究所 | Implementation method of high security application system based on trusted execution environment |
CN107018134A (en) * | 2017-04-06 | 2017-08-04 | 北京中电普华信息技术有限公司 | A kind of distribution terminal secure accessing platform and its implementation |
CN108055240A (en) * | 2017-11-15 | 2018-05-18 | 上海国际汽车城(集团)有限公司 | A kind of user authentication method of shared automobile |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110233735B (en) * | 2019-06-14 | 2024-04-16 | 全球能源互联网研究院有限公司 | Comprehensive safety protection method and system for grid-connected power station industrial control system |
CN110233735A (en) * | 2019-06-14 | 2019-09-13 | 全球能源互联网研究院有限公司 | A kind of grid-connected power station industrial control system comprehensive safety protecting method and system |
CN110572265A (en) * | 2019-10-24 | 2019-12-13 | 国网山东省电力公司信息通信公司 | terminal security access gateway method, device and system based on quantum communication |
CN110572265B (en) * | 2019-10-24 | 2022-04-05 | 国网山东省电力公司信息通信公司 | Terminal security access gateway method, device and system based on quantum communication |
CN110996318A (en) * | 2019-12-23 | 2020-04-10 | 广西电网有限责任公司电力科学研究院 | Safety communication access system of intelligent inspection robot of transformer substation |
CN111756627A (en) * | 2020-06-24 | 2020-10-09 | 广东电网有限责任公司电力科学研究院 | Cloud platform security access gateway of electric power monitored control system |
CN111988328A (en) * | 2020-08-26 | 2020-11-24 | 中国电力科学研究院有限公司 | Safety guarantee method and system for acquiring terminal data of power generation unit of new energy plant station |
CN111953489A (en) * | 2020-08-31 | 2020-11-17 | 中国电力科学研究院有限公司 | SM2 algorithm-based key exchange device and method for collecting service of power generation unit |
CN112020037A (en) * | 2020-09-25 | 2020-12-01 | 卡斯柯信号(郑州)有限公司 | Domestic communication encryption method suitable for rail transit |
WO2022135404A1 (en) * | 2020-12-26 | 2022-06-30 | 西安西电捷通无线网络通信股份有限公司 | Identity authentication method and device, storage medium, program, and program product |
CN113783868A (en) * | 2021-09-08 | 2021-12-10 | 广西东信数建信息科技有限公司 | Method and system for protecting security of gate Internet of things based on commercial password |
CN113783868B (en) * | 2021-09-08 | 2023-09-01 | 广西东信数建信息科技有限公司 | Method and system for protecting Internet of things safety of gate based on commercial password |
CN114626956A (en) * | 2022-01-06 | 2022-06-14 | 北芯导航技术(南京)有限公司 | Energy information utilization platform based on Internet of things |
CN114626956B (en) * | 2022-01-06 | 2023-08-08 | 北芯导航技术(南京)有限公司 | Energy information utilization platform based on Internet of things |
US20230231712A1 (en) * | 2022-01-14 | 2023-07-20 | Micron Technology, Inc. | Embedded tls protocol for lightweight devices |
CN114546519A (en) * | 2022-01-26 | 2022-05-27 | 华北电力大学 | Industrial control safety data acquisition system and method |
CN114546519B (en) * | 2022-01-26 | 2023-10-03 | 华北电力大学 | Industrial control safety data acquisition system and method |
CN114254373B (en) * | 2022-03-01 | 2022-07-08 | 中国电力科学研究院有限公司 | Encryption transmission method, device and system |
CN114254373A (en) * | 2022-03-01 | 2022-03-29 | 中国电力科学研究院有限公司 | Encryption transmission method, device and system |
CN115277025B (en) * | 2022-08-26 | 2023-01-06 | 广州万协通信息技术有限公司 | Device authentication method for security chip, security chip apparatus, device, and medium |
CN115277025A (en) * | 2022-08-26 | 2022-11-01 | 广州万协通信息技术有限公司 | Device authentication method for security chip, security chip device, and medium |
CN115622813A (en) * | 2022-12-19 | 2023-01-17 | 深圳市永达电子信息股份有限公司 | Remote access management method, system and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN109088870B (en) | 2021-05-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109088870A (en) | | A kind of method of new energy plant stand generator unit acquisition terminal secure accessing platform |
CN104702611B (en) | | A kind of device and method for protecting Secure Socket Layer session key |
CN103155512B (en) | | System and method for providing secure access to service |
CN103354498B (en) | | A kind of file encryption transmission method of identity-based |
CN107018134A (en) | | A kind of distribution terminal secure accessing platform and its implementation |
CN109347809A (en) | | A kind of application virtualization safety communicating method towards under autonomous controllable environment |
CN103491540B (en) | | The two-way access authentication system of a kind of WLAN based on identity documents and method |
CN105493453B (en) | | It is a kind of to realize the method, apparatus and system remotely accessed |
CN108270571A (en) | | Internet of Things identity authorization system and its method based on block chain |
CN103026657B (en) | | For anti-manipulation key certificate is provided method and apparatus |
CN101409619B (en) | | Flash memory card and method for implementing virtual special network key exchange |
US8417949B2 (en) | | Total exchange session security |
CN105119894B (en) | | Communication system and communication means based on hardware security module |
CN111245862A (en) | | System for safely receiving and sending terminal data of Internet of things |
CN104468126B (en) | | A kind of safe communication system and method |
CN106169952B (en) | | A kind of authentication method that internet Key Management Protocol is negotiated again and device |
CN107172020A (en) | | A kind of network data security exchange method and system |
CN107005534A (en) | | Secure connection is set up |
CN104901935A (en) | | Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem) |
CN104065485A (en) | | Power grid dispatching mobile platform safety guaranteeing and controlling method |
CN107040536A (en) | | Data ciphering method, device and system |
CN109951513A (en) | | Anti- quantum calculation wired home quantum cloud storage method and system based on quantum key card |
CN109714360A (en) | | A kind of intelligent gateway and gateway communication processing method |
CN110266725A (en) | | Cryptosecurity isolation module and mobile office security system |
CN102088699A (en) | | Trust list-based system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
GR01 | Patent grant |