CN109088870A - A kind of method of new energy plant stand generator unit acquisition terminal secure accessing platform - Google Patents


Info

Publication number
CN109088870A
Authority
CN
China
Prior art keywords
acquisition terminal
user
key
authentication
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810924796.8A
Other languages
Chinese (zh)
Other versions
CN109088870B (en)
Inventor
金国刚
崔阿军
付嘉渝
张鹏
张小敏
段军红
张宪康
赵博
龙杰
司晓峰
闫晓斌
牛磊
张炜明
赵德伟
庞晓东
吴克河
崔文超
李�瑞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
North China Electric Power University
State Grid Gansu Electric Power Co Ltd
Electric Power Research Institute of State Grid Gansu Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
North China Electric Power University
State Grid Gansu Electric Power Co Ltd
Electric Power Research Institute of State Grid Gansu Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, North China Electric Power University, State Grid Gansu Electric Power Co Ltd, Electric Power Research Institute of State Grid Gansu Electric Power Co Ltd
Priority to CN201810924796.8A
Publication of CN109088870A
Application granted
Publication of CN109088870B
Legal status: Active
Anticipated expiration


Classifications

    All entries fall under H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 for separating internal from external traffic, e.g. firewalls
            • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
            • H04L63/0227 Filtering policies
        • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
            • H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        • H04L63/06 for supporting key management in a packet data network
            • H04L63/061 for key exchange, e.g. in peer-to-peer networks
        • H04L63/08 for authentication of entities
            • H04L63/0823 using certificates
            • H04L63/0869 for achieving mutual authentication
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/06 the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
            • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
        • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
            • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                    • H04L9/0825 using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
                • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
                    • H04L9/0841 involving Diffie-Hellman or related key agreement protocols
                        • H04L9/0844 with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
            • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L9/0869 involving random numbers or seeds
                • H04L9/0877 using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
        • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L9/3236 using cryptographic hash functions
            • H04L9/3247 involving digital signatures
            • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The invention discloses a method by which a generator-unit acquisition terminal of a new-energy plant (station) securely accesses a platform. It includes the following steps: 1) the generator-unit acquisition terminal requests access to the station control system intranet; 2) the acquisition terminal and the secure access gateway of the secure access platform perform bidirectional identity authentication; 3) the identity authentication system of the secure access gateway performs a security evaluation and identification of both communicating parties and, according to the result, allows or refuses access; 4) after authentication succeeds, the acquisition terminal establishes a communication channel with the secure access platform and carries out secure data interaction. The invention achieves integrity and confidentiality of data transmission and ensures channel protection when the various generator-unit acquisition terminals of a new-energy plant access the platform.

Description

A kind of method of new energy plant stand generator unit acquisition terminal secure accessing platform
Technical field
The present invention relates to a method for a generator-unit acquisition terminal of a new-energy plant to securely access a platform, and belongs to the field of distribution automation.
Background technique
A Virtual Private Network (VPN) is a technology for establishing a dedicated network on top of a public network. It is called a virtual network mainly because the connection between any two nodes of the whole VPN does not use the end-to-end physical links required by a traditional private network; instead it is a logical network built on the network platform provided by a public network service provider, such as the Internet, ATM (asynchronous transfer mode) or Frame Relay, and user data is transmitted over logical links. It covers the extension of a private network across a shared or public network by means of encapsulation, encryption and authentication links.
The basic principle of a VPN is to create a virtual network egress through which all data sent to the target is routed. It is commonly used in enterprise office systems; because transmission is end-to-end, it lets users who log in remotely to the company gateway use intranet resources, and for the same reason it can also be used to avoid institutional inspection.
However, VPN technology also has some defects and risks, mainly the following:
1) the enterprise cannot directly control the reliability and performance of an Internet-based VPN, and must rely on the Internet service provider offering the VPN to guarantee the service;
2) creating and deploying a VPN is not easy for an enterprise; the technology requires a high-level understanding of network and security issues and needs careful planning and configuration;
3) VPN products and solutions from different vendors are often incompatible, because many vendors are unwilling or unable to follow VPN technology standards;
4) when wireless devices are used, a VPN has security risks; roaming between access points is particularly prone to problems, and when a user roams between access points any solution using advanced encryption techniques may be broken.
The State Cryptography Administration published the "SM2 elliptic curve public key cryptographic algorithm" in December 2010. SM2 is essentially elliptic curve cryptography (ECC); specifically, it defines the details of signature, verification, key exchange and so on. SM2 is an ECC scheme with independent intellectual property rights developed in China on the basis of advanced international results; in security and implementation efficiency it is equivalent to or slightly better than comparable international ECC schemes, and it can replace RSA (a public key encryption algorithm) to meet the higher demands of applications on public-key algorithm security and implementation efficiency. With reference to the key exchange protocol in Part 3 of the "SM2 elliptic curve public key cryptographic algorithm", the steps of the SM2-based ECDH key exchange protocol are as follows:
Let the length of the key data that users A and B negotiate be klen bits, let user A be the initiator and user B the responder, and note
Users A and B both perform the following calculation steps to obtain the same key:
User A:
Step 1: generate a random number rA ∈ [1, n−1] with a random number generator;
Step 2: compute the elliptic curve point RA = [rA]G = (x1, y1);
Step 3: send RA to user B;
User B:
Step 4: generate a random number rB ∈ [1, n−1] with a random number generator;
Step 5: compute the elliptic curve point RB = [rB]G = (x2, y2);
Step 6: take the field element x2 from RB, convert the data type of x2 to an integer, and compute
Step 7: compute
Step 8: verify whether RA satisfies the elliptic curve equation; if not, negotiation fails; otherwise take the field element x1 from RA and compute
Step 9: compute the elliptic curve point V; if V is the point at infinity, B's negotiation fails;
Step 10: compute KB = KDF(xV || yV || ZA || ZB, klen);
Step 11: convert the data types of the coordinates x1, y1 of RA and x2, y2 of RB to bit strings, and compute SB = Hash(0x02 || yV || Hash(xV || ZA || ZB || x1 || y1 || x2 || y2));
Step 12: send RB (and optionally SB) to user A;
User A:
Step 13: take the field element x1 from RA and compute
Step 14: compute
Step 15: verify whether RB satisfies the elliptic curve equation; if not, negotiation fails; otherwise take the field element x2 from RB and compute
Step 16: compute the elliptic curve point U; if U is the point at infinity, A's negotiation fails;
Step 17: compute KA = KDF(xU || yU || ZA || ZB, klen);
Step 18: convert the data types of the coordinates x1, y1 of RA and x2, y2 of RB to bit strings, compute S1 = Hash(0x02 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2)), and check whether S1 = SB holds; if the equation does not hold, key confirmation from B to A fails;
Step 19 (optional): compute SA = Hash(0x03 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2)) and send SA to user B.
User B:
Step 20 (optional): compute S2 = Hash(0x03 || yV || Hash(xV || ZA || ZB || x1 || y1 || x2 || y2)) and check whether S2 = SA holds; if the equation does not hold, key confirmation from A to B fails.
In the above, rN denotes the random number generated by user N; K denotes the session key; PN denotes the public key (SM2 public key) of user N; dN denotes the private key (SM2 private key) of user N; EX(Y) denotes encryption of Y with X; H(Y) denotes the hash of Y (SM3 algorithm); ‖ denotes concatenation; ZN denotes the hash value of user N's distinguishing identifier, part of the elliptic curve system parameters, user N's public key and rN; Se denotes the session distinguishing identifier; n denotes the order of the base point G (n is a prime factor of #E(Fq)); h denotes the cofactor, h = #E(Fq)/n, where n is the order of the base point G; KA denotes the shared secret key agreed by the key exchange protocol; KB denotes the shared secret key agreed by the key exchange protocol; w denotes an initial preset value, which is a fixed value; tN denotes the modular value computed from N's private key and random number.
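The SM2 key agreement described in steps 1 to 20 above, written out as an added example in pure Python; this is not code from the patent or from the SM2 standard's reference implementation. It assumes the recommended SM2 curve parameters published with the standard, uses SHA-256 as a stand-in for SM3 (hashlib does not ship SM3 on every platform), and implements KDF as the standard's counter construction Hash(Z || ct). The `derive` function is the per-side computation shared by B (steps 6 to 11) and A (steps 13 to 18); the `tag` argument selects the 0x02 (SB/S1) or 0x03 (SA/S2) confirmation value.

```python
"""SM2-style ECDH key agreement, added example (not the patent's code).

Assumptions: SM2 recommended curve parameters; SHA-256 stands in for SM3;
KDF(Z, klen) = Hash(Z || ct) for ct = 1, 2, ...; cofactor h = 1.
"""
import hashlib
import secrets

# SM2 recommended curve y^2 = x^3 + a*x + b over F_p, base point G of prime order n.
P = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_00000000_FFFFFFFF_FFFFFFFF
A = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_00000000_FFFFFFFF_FFFFFFFC
B = 0x28E9FA9E_9D9F5E34_4D5A9E4B_CF6509A7_F39789F5_15AB8F92_DDBCBD41_4D940E93
N = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_7203DF6B_21C6052B_53BBF409_39D54123
G = (0x32C4AE2C_1F198119_5F990446_6A39C994_8FE30BBF_F2660BE1_715A4589_334C74C7,
     0xBC3736A2_F4F6779C_59BDCEE3_6B692153_D0A9877C_C62A4740_02DF32E5_2139F0A0)
H_COFACTOR = 1
W = 127  # w = ceil(ceil(log2(n)) / 2) - 1 for the 256-bit n

def hash_fn(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # stand-in for SM3

def i2b(x: int) -> bytes:
    return x.to_bytes(32, "big")

def on_curve(pt) -> bool:
    return pt is not None and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def add(p, q):
    """Affine point addition; None represents the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k: int, pt):
    """Double-and-add scalar multiplication [k]pt."""
    acc = None
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def kdf(z: bytes, klen_bits: int) -> bytes:
    """KDF(Z, klen): concatenate Hash(Z || ct) for ct = 1, 2, ... until klen bits exist."""
    out, ct = b"", 1
    while len(out) * 8 < klen_bits:
        out += hash_fn(z + ct.to_bytes(4, "big"))
        ct += 1
    return out[: klen_bits // 8]

def z_value(ident: bytes, pub) -> bytes:
    """Z_N = Hash(ENTL || ID || a || b || xG || yG || xN || yN), ENTL = bit length of ID."""
    entl = (len(ident) * 8).to_bytes(2, "big")
    return hash_fn(entl + ident + i2b(A) + i2b(B) + i2b(G[0]) + i2b(G[1]) + i2b(pub[0]) + i2b(pub[1]))

def x_bar(x: int) -> int:
    return (1 << W) + (x & ((1 << W) - 1))  # 2^w + (low w bits of x)

def derive(d, r, r_own, r_peer, pub_peer, za, zb, ra, rb, klen, tag):
    """One side's steps 6-11 (B) or 13-18 (A): shared point, session key, confirmation hash."""
    if not on_curve(r_peer):                                          # steps 8 / 15
        raise ValueError("peer ephemeral point is not on the curve")
    t = (d + x_bar(r_own[0]) * r) % N                                 # steps 7 / 14
    pt = mul(H_COFACTOR * t, add(pub_peer, mul(x_bar(r_peer[0]), r_peer)))  # steps 9 / 16
    if pt is None:
        raise ValueError("shared point is the point at infinity")
    xv, yv = pt
    key = kdf(i2b(xv) + i2b(yv) + za + zb, klen)                      # steps 10 / 17
    inner = hash_fn(i2b(xv) + za + zb + i2b(ra[0]) + i2b(ra[1]) + i2b(rb[0]) + i2b(rb[1]))
    return key, hash_fn(bytes([tag]) + i2b(yv) + inner)               # steps 11 / 18 (0x02) or 19 / 20 (0x03)

def key_exchange(dA, dB, idA, idB, klen=128, rA=None, rB=None, pB_seen_by_A=None):
    """Run both sides locally; pB_seen_by_A lets a caller substitute the key A believes is B's."""
    pA, pB = mul(dA, G), mul(dB, G)
    zA, zB = z_value(idA, pA), z_value(idB, pB)
    rA = rA or secrets.randbelow(N - 1) + 1                           # steps 1 / 4
    rB = rB or secrets.randbelow(N - 1) + 1
    RA, RB = mul(rA, G), mul(rB, G)                                   # steps 2 / 5; RA goes to B
    KB, SB = derive(dB, rB, RB, RA, pA, zA, zB, RA, RB, klen, 0x02)   # B's side; RB, SB go to A
    KA, S1 = derive(dA, rA, RA, RB, pB_seen_by_A or pB, zA, zB, RA, RB, klen, 0x02)
    if S1 != SB:                                                      # step 18: confirmation B -> A
        raise ValueError("key confirmation from B to A failed")
    return KA, KB
```

The key confirmation in step 18 is what lets A detect a substituted responder public key: if A is given a wrong PB, U differs from V, S1 no longer matches SB, and the exchange aborts rather than producing a key A shares with someone other than B.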
In the above algorithm, users A and B can obtain a shared secret key through ECDH (key agreement algorithm) exchange over an insecure communication channel. However, in an acquisition service the computing capability of the terminal is limited, and not all information is exchanged during the key exchange process, so security is poor. The present invention therefore proposes, on this basis, an efficient key exchange protocol that meets the protection needs of the acquisition service.
Summary of the invention
The present invention provides a method for a generator-unit acquisition terminal of a new-energy plant to securely access a platform, which guarantees the confidentiality and integrity of data transmission, realizes secure filtering and exchange of service data, and realizes closed-loop secure transmission of data.
To solve the above technical problems, the technical solution adopted by the present invention is as follows:
A method for a generator-unit acquisition terminal of a new-energy plant to securely access a platform, including the following steps:
1) the generator-unit acquisition terminal requests access to the station control system intranet;
2) the acquisition terminal and the secure access gateway of the secure access platform perform bidirectional identity authentication;
3) the identity authentication system of the secure access gateway performs a security evaluation and identification of both communicating parties and, according to the evaluation and identification result, allows or refuses access;
4) after authentication succeeds, the acquisition terminal establishes a communication channel with the secure access platform and carries out secure data interaction.
To improve security, in step 1) above the acquisition terminal achieves terminal security hardening, identity authentication and data encryption/decryption by adding a security chip or by means of an external encryption authentication module.
The encryption authentication module includes a security check module, an identity authentication module and a secure communication module;
The security check module strictly inspects the operating system version of the acquisition terminal, the system startup items and the disk files at specific locations. When handling an acquisition terminal's access, the system first checks whether the terminal has one or more of the above feature parameters and decides from the inspection result whether the terminal may establish a connection with the secure access platform, thoroughly preventing an unhealthy acquisition terminal from accessing the intranet, ensuring the security of the acquisition terminal and preventing threats at the source;
The identity authentication module is implemented in the external encryption authentication module of the acquisition terminal, and the digital certificate issued by an authoritative institution is stored in the encryption authentication module. Through a designed authentication exchange protocol, each communicating party verifies the peer certificate it receives; before accessing the network, the acquisition terminal must complete bidirectional identity authentication, ensured jointly by the encryption authentication module and the CA authentication server of the secure access platform, so as to guarantee the legitimacy of the accessing terminal;
The secure communication module mainly ensures the integrity and confidentiality of data during transmission.
In step 2) above, the secure access gateway is responsible for establishing a secure channel to the acquisition terminal and for access control, and can guarantee the security of the access transmission and of the internal application systems being accessed.
In step 2) above, a data isolation component is placed between the acquisition terminal and the secure access gateway of the secure access platform. The data isolation component uses a 2+1 system architecture consisting of three parts: an intranet security host, an extranet security host and a dedicated physical-isolation data exchange module. It is deployed between networks of different security levels and, while realizing network security isolation, provides functions such as bidirectional access control, network security isolation, intranet resource protection, data exchange management and data content filtering; it prevents illegal links from penetrating the intranet and accessing it directly, and provides a precisely controllable information exchange service.
In step 3) above, the acquisition terminal requests access through the secure access gateway. The two parties first verify each other's legitimacy according to the identity authentication protocol, which guarantees that only a legal terminal can establish a communication channel. On this basis a secure symmetric cryptographic key is generated using the key exchange protocol, and the transmission channel is encrypted with the generated key, preventing data from being eavesdropped, tampered with, destroyed, inserted or replayed during transmission and guaranteeing the security of data transmission.
The security of the above communication channel is mainly guaranteed by the SM2-based ECDH secure key exchange protocol and the bidirectional identity authentication protocol based on digital certificate technology. When the secure tunnel is established, the two communicating parties must first complete identity authentication and key agreement; only a terminal that has completed identity authentication is allowed by the server side to proceed to the next step. For a terminal that does not satisfy the key agreement specification or has not completed identity authentication, the server side sends an error code to the terminal, and the encryption authentication device performs identity authentication again.
The present application combines digital certificate technology to realize signing and signature verification of transmitted messages and to guarantee the legitimacy of the accessing terminal's identity; through a designed authentication exchange protocol, each communicating party verifies the peer certificate it receives.
In the original SM2 ECDH key exchange protocol, users A and B can obtain a shared key through ECDH over an insecure communication channel. However, in an acquisition service the computing capability of the terminal is limited, and not all information is exchanged during the key exchange, so security is poor. The present application therefore proposes, on this basis, an efficient key exchange protocol that meets the protection needs of the acquisition service. The negotiation process is described in detail as follows:
User A:
Step 1: user A generates a random number rA and a session distinguishing identifier Se;
Step 2: concatenate rA, Se and IDA to obtain A2 = rA || Se || IDA;
Step 3: hash the concatenation result to obtain A3 = H(rA || Se || IDA);
Step 4: sign A3 with dA to obtain A4;
Step 5: concatenate A2 || A4 to obtain A5;
Step 6: send A5 to user B;
User B:
Step 7: receive user A's message, verify the signature and obtain rA, Se and IDA;
Step 8: user B generates a random number rB;
Step 9: compute ZA and ZB;
Step 10: generate the session key K, SB and S2;
Step 11: concatenate rB, Se, IDB and SB to obtain B5 = rB || Se || IDB || SB (96 bytes);
Step 12: hash the concatenation result to obtain B6 = H(rB || Se || IDB || SB) (32 bytes);
Step 13: sign B6 with dB to obtain B7 (64 bytes);
Step 14: concatenate B5 || B7 to obtain B8;
Step 15: send B8 to user A;
User A:
Step 16: receive the message sent by user B, verify the signature and obtain rB, IDB and SB;
Step 17: compute ZA and ZB;
Step 18: generate the session key K and S1;
Step 19: compare S1 with SB;
Step 20: generate SA and send it to B;
In the above, rN denotes the random number generated by user N (e.g. user A or user B); K denotes the session key; PN denotes the public key (SM2 public key) of user N; dN denotes the private key (SM2 private key) of user N; EX(Y) denotes encryption of Y with X; H(Y) denotes the hash of Y (SM3 algorithm); ‖ denotes concatenation; ZN denotes the hash value of user N's distinguishing identifier, part of the elliptic curve system parameters, user N's public key and rN; Se denotes the session distinguishing identifier; IDA denotes the unique identifier of user A; IDB denotes the unique identifier of user B; A2, A3 and A4 are the intermediate parameters obtained by user A, and A5 is the message of user A; B5, B6 and B7 are the intermediate parameters obtained by user B, and B8 is the message of user B; SA, SB, S1 and S2 denote the corresponding hash results.
The secure communication protocol of the present application is a secure access protection structure for generator-unit acquisition terminals of new-energy plants over a communication network. It studies network secure access and protection technology for generator-unit acquisition terminals based on the national cryptographic algorithms in a real-time environment, including security-hardened acquisition terminals, a secure access gateway and a data filtering component, and carries out security protection from the data source without affecting the real-time data acquisition function.
Starting from the current state of secure communication of new-energy generator-unit acquisition terminals and combining the national cryptographic algorithms, the present application proposes an improved secure communication protocol. The protocol mainly adds a message security protocol layer on top of the existing application-layer protocol and encrypts the application messages with the national SM1 algorithm, so as to guarantee the integrity and confidentiality of data.
The initiator may apply SM2 encryption to the generated random number using its own private key. First, a hash is computed with the SM3 algorithm over the public key in its own digital certificate; the result is signed with its own SM2 private key; then the signature value and the digital certificate are sent to the authentication responder.
After the authentication responder receives the initiator's identity authentication request, it obtains the initiator's digital certificate from the message, extracts the public key from the certificate using the X509 parsing API of OpenSSL (the secure socket layer cryptographic library), and verifies the transmitted signature value with that public key. If verification succeeds, the responder has verified the initiator's identity; at this point the responder should also send its own digital certificate to the initiator so that bidirectional identity authentication succeeds. The responder's message assembly process is similar to the initiator's and is not repeated here.
In step 4) above, secure data interaction includes the following steps:
A. the acquisition terminal establishes an initial connection with the station control system via the secure access gateway;
B. the secure access gateway opens a listening port and creates a thread pool;
C. when data arrive from the acquisition terminal, a worker thread is started to process them, and the next step is chosen by the received message type: if the message type is a key agreement message, go to step D; if the message type is a ciphertext message, go to step E;
D. for a key agreement message, the process is the key agreement carried out between the acquisition terminal and the secure access gateway; after key agreement succeeds, the secure access gateway connects to the intranet station control system and both sides carry out secure data interaction; otherwise, the secure access gateway returns an error message to the acquisition terminal and closes the connection;
E. for a ciphertext message, the secure access gateway decrypts the ciphertext; if decryption succeeds, the plaintext is sent to the intranet station control system; otherwise, the secure access gateway returns an error message to the acquisition terminal and closes the connection.
Addressing the access security problem of new energy plant station acquisition terminals, the present invention carries out security architecture design and research in three aspects: terminal security protection, channel security protection and station-level security protection. According to the business characteristics and data transmission modes of wind power and photovoltaic generator unit acquisition terminals, and combined with an analysis of acquisition terminal attack scenarios, a secure communication protocol based on national cryptographic algorithms is studied and designed for communication modes such as wireless private networks, wireless public networks, dial-up access, intelligent access and satellite communication. A bidirectional encrypted tunnel is established between the acquisition terminal and the station-level access platform, guaranteeing the confidentiality and integrity of data transmission, implementing security filtering and exchange of business data, and achieving closed-loop secure transmission of data.
Technology not mentioned in the present invention refers to the prior art.
The present invention has the following beneficial effects:
1) the network security access and protection technology for generator unit acquisition terminals based on national cryptographic algorithms in a real-time environment is studied in three aspects, acquisition terminal security, network access channel security and station-level system security; the architecture has clear layers, and the integrity and confidentiality of data transmission are achieved in every aspect;
2) for the particular environment of new energy plant station generator unit acquisition terminals, by studying the existing DH key exchange protocol and ECDH key exchange protocol, an improved key exchange protocol based on the SM2 algorithm suited to the new energy plant station generator unit acquisition service is proposed while guaranteeing the security of the key exchange;
3) for communication modes such as wireless private networks, wireless public networks, dial-up access, intelligent access and satellite communication, a secure communication protocol based on national cryptographic algorithms is studied and designed, guaranteeing channel protection security when the various generator unit acquisition terminals of a new energy plant station access the platform.
Description of the drawings
Fig. 1 is the secure access protection architecture diagram of the new energy plant station generator unit acquisition terminal;
Fig. 2 is the data interaction diagram between the acquisition terminal and the secure access platform;
Fig. 3 is the key agreement flow diagram of the improved SM2-based ECDH key exchange protocol of the present invention.
Specific embodiments
For a better understanding of the present invention, its content is further explained below with reference to embodiments, but the content of the invention is not limited to the following examples.
The system architecture of the new energy plant station generator unit acquisition terminal secure access platform includes the security-hardened acquisition terminal, the secure access gateway and the data isolation component; the system architecture diagram is shown in Fig. 1.
The method of the new energy plant station generator unit acquisition terminal secure access platform includes the following steps:
1) the generator unit acquisition terminal requests access to the station control system intranet;
2) the acquisition terminal and the secure access gateway of the secure access platform carry out bidirectional identity authentication;
3) the identity authentication system of the secure access gateway carries out security evaluation and identification of both communicating parties and, according to the evaluation and identification result, performs access or refusal control;
4) after authentication succeeds, the acquisition terminal establishes a communication channel with the secure access platform and carries out secure data interaction.
In step 1), the acquisition terminal achieves terminal security hardening, identity identification and data encryption and decryption by adding a security chip or by means of an external encryption authentication module.
The encryption authentication module includes a security check module, an identity authentication module and a secure communication module;
The security check module strictly inspects the operating system version of the acquisition terminal, the system startup items and the disk files at specific locations. When handling an acquisition terminal access request, the system first checks whether the terminal has one or more of these characteristic parameters and decides from the inspection result whether the terminal may establish a connection with the secure access platform, so that an unhealthy acquisition terminal is kept out of the intranet, the security of the acquisition terminal is ensured and threats are prevented at the source;
The identity authentication module is implemented in the external encryption authentication module of the acquisition terminal, and the digital certificate issued by the authority is stored in the encryption authentication module. Through the designed authentication exchange protocol, each communicating party verifies the peer certificate it receives; before accessing the network, the acquisition terminal must complete the bidirectional identity authentication ensured jointly by the encryption authentication module and the CA authentication server of the secure access platform, so as to guarantee the legitimacy of the accessing terminal;
The secure communication module mainly ensures the integrity and confidentiality of data during transmission.
The secure access gateway in step 2) is responsible for establishing the secure channel and performing access control on the acquisition terminal; it ensures the security of access transmission and the security of the internally accessed application system.
A data isolation component is placed between the acquisition terminal and the secure access gateway of the secure access platform. The data isolation component uses a 2+1 system architecture consisting of three dedicated parts, an intranet security host, an extranet security host and a physical isolation data exchange module. It is deployed between networks of different security levels and, while achieving network security isolation, provides bidirectional access control, network security isolation, intranet resource protection, data exchange management and data content filtering; it prevents illegal links from penetrating directly into the intranet and provides precisely controllable information exchange services.
In step 3), the acquisition terminal requests access through the secure access gateway. First, the two parties verify each other's legitimacy according to the identity authentication protocol, so that only a legitimate terminal can establish a communication channel; on this basis, a secure symmetric cryptographic key is generated with the key exchange protocol and the transmission channel is encrypted with the generated key, preventing data from being eavesdropped, tampered with, destroyed, injected or replayed during transmission and guaranteeing the security of data transmission.
The security of the above communication channel is guaranteed mainly by the SM2-based ECDH secure key exchange protocol and the bidirectional identity authentication protocol based on digital certificate technology. When the secure tunnel is established, both communicating parties must first complete identity authentication and key agreement; only a terminal that has completed identity authentication is allowed by the server side to proceed to the next operation. For a terminal that does not satisfy the key agreement specification or has not completed identity authentication, the server side sends an error code to the terminal and the encryption authentication device performs identity authentication again.
This patent application combines digital certificate technology to implement signing and signature verification of transmitted messages, guaranteeing the legitimacy of the accessing terminal's identity; through the designed authentication exchange protocol, each communicating party verifies the peer certificate it receives.
In the original SM2 ECDH key exchange protocol, user A and user B can obtain a shared key through ECDH over an insecure communication channel, but in the acquisition service the computing capability of the terminal is limited, and not all information is transmitted between the two parties during the key exchange, so security is poor. On this basis, an efficient key exchange protocol meeting the protection needs of the acquisition service is proposed; the negotiation process is described in detail as follows:
User A:
Step 1: user A generates a random number r_A (32 bytes) and a session distinguishing identifier Se (16 bytes);
Step 2: concatenate r_A, Se and ID_A, obtaining A2 = r_A || Se || ID_A (64 bytes);
Step 3: hash the concatenation result, obtaining A3 = H(r_A || Se || ID_A) (32 bytes);
Step 4: sign A3 with d_A, obtaining A4 (64 bytes);
Step 5: concatenate A2 || A4, obtaining A5 (128 bytes);
Step 6: send A5 to user B;
User B:
Step 7: receive user A's message; verify the signature and obtain r_A, Se, ID_A;
Step 8: user B generates a random number r_B (32 bytes);
Step 9: compute Z_A and Z_B (32 bytes each);
Step 10: generate the session key K (16 bytes), S_B (32 bytes) and S_2 (32 bytes);
Step 11: concatenate r_B, Se, ID_B and S_B, obtaining B5 = r_B || Se || ID_B || S_B (96 bytes);
Step 12: hash the concatenation result, obtaining B6 = H(r_B || Se || ID_B || S_B) (32 bytes);
Step 13: sign B6 with d_B, obtaining B7 (64 bytes);
Step 14: concatenate B5 || B7, obtaining B8;
Step 15: send B8 to user A;
User A:
Step 16: receive the message sent by user B; verify the signature and obtain r_B, ID_B, S_B;
Step 17: compute Z_A and Z_B;
Step 18: generate the session key K and S_1;
Step 19: compare S_1 with S_B;
Step 20: generate S_A and send it to B;
In the above, r_N denotes the random number generated by user N (that is, r_A denotes the random number generated by user A and r_B the random number generated by user B); K denotes the session key; P_N denotes the public key (SM2 public key) of user N; d_N denotes the private key (SM2 private key) of user N; E_X(Y) denotes encryption of Y with X; H(Y) denotes the hash (SM3 algorithm) of Y; || denotes concatenation; Z_N denotes the hash of user N's distinguishing identifier, part of the elliptic curve system parameters, user N's public key and r_N; Se denotes the session distinguishing identifier; ID_A denotes the unique identifier of user A; ID_B denotes the unique identifier of user B; A2, A3 and A4 are intermediate values obtained by user A and A5 is user A's message; B5, B6 and B7 are intermediate values obtained by user B and B8 is user B's message; S_A, S_B, S_1 and S_2 denote the corresponding hash results. User N means user A or user B.
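The twenty steps above, carried through end to end in Go as an added example; this is not code from the patent or from its applicants. Because SM2 and SM3 are not in Go's standard library, the example substitutes ECDSA over P-256 (r||s fixed at 64 bytes, matching the page's signature size) for SM2 signing, SHA-256 for SM3, and a static ECDH shared secret on P-256 for the SM2 key exchange primitive. The message layouts follow the page (A5 = r_A || Se || ID_A || A4, 128 bytes; B8 = r_B || Se || ID_B || S_B || B7, 160 bytes). How K, S_B/S_1 and S_A/S_2 are derived from the shared secret, Z_A, Z_B, r_A and r_B is an assumption, since the page does not specify that derivation, and B's final comparison of the received S_A with its S_2 is implied rather than stated. Party names, identifiers and the `Steps*` function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// Party is user A or user B: static key pair (d_N, P_N), 16-byte ID_N, plus the
// per-session values Se, r_N, K and this side's own confirmation hash.
type Party struct {
	ID, se, r, K, own []byte
	priv              *ecdsa.PrivateKey
}

func NewParty(id string) *Party { // P-256 key pair stands in for the SM2 key pair
	p := &Party{priv: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), ID: make([]byte, 16)}
	copy(p.ID, id) // ID_N fixed at 16 bytes so that A2 is 64 bytes, as on the page
	return p
}

func (p *Party) Pub() *ecdsa.PublicKey { return &p.priv.PublicKey }
func nonce(n int) []byte         { b := make([]byte, n); must(rand.Read(b)); return b }
func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// H stands in for SM3; sign/verify stand in for SM2 with r||s fixed at 64 bytes.
func H(parts ...[]byte) []byte { s := sha256.Sum256(cat(parts...)); return s[:] }

func (p *Party) sign(digest []byte) []byte {
	r, s, err := ecdsa.Sign(rand.Reader, p.priv, digest)
	sig := make([]byte, 64)
	must(r, err).FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return sig
}

func verify(pub *ecdsa.PublicKey, digest, sig []byte) bool {
	return len(sig) == 64 && ecdsa.Verify(pub, digest,
		new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// Z_N = H(ID_N || curve parameters || P_N || r_N), following the page's notation.
func Z(id []byte, pub *ecdsa.PublicKey, r []byte) []byte {
	cp := elliptic.P256().Params()
	return H(id, cp.P.Bytes(), cp.N.Bytes(), must(pub.ECDH()).Bytes(), r)
}

// derive yields K (16 bytes) and the two confirmation hashes from the static ECDH
// secret, Z_A, Z_B, r_A and r_B. ASSUMPTION: the page does not specify this KDF.
func (p *Party) derive(peer, pubA, pubB *ecdsa.PublicKey, rA, rB, idA, idB []byte) ([]byte, []byte, []byte) {
	shared := must(must(p.priv.ECDH()).ECDH(must(peer.ECDH())))
	m := cat(shared, Z(idA, pubA, rA), Z(idB, pubB, rB), rA, rB)
	return H([]byte{1}, m)[:16], H([]byte{2}, m), H([]byte{3}, m) // K, S_B/S_1, S_A/S_2
}

// Steps 1-6: A5 = A2 || Sign_dA(H(A2)) with A2 = r_A || Se || ID_A (128 bytes total).
func (a *Party) Steps1to6(se []byte) []byte {
	a.se, a.r = se, nonce(32)
	a2 := cat(a.r, se, a.ID)
	return append(a2, a.sign(H(a2))...)
}

// Steps 7-15: verify A5, choose r_B, derive K/S_B/S_2 and answer with
// B8 = B5 || Sign_dB(H(B5)), where B5 = r_B || Se || ID_B || S_B (160 bytes total).
func (b *Party) Steps7to15(a5 []byte, pubA *ecdsa.PublicKey) ([]byte, error) {
	if len(a5) != 128 || !verify(pubA, H(a5[:64]), a5[64:]) { return nil, errors.New("A5: signature check failed") }
	rA, se, idA := a5[:32], a5[32:48], a5[48:64]
	b.se, b.r = se, nonce(32)
	K, sB, s2 := b.derive(pubA, pubA, b.Pub(), rA, b.r, idA, b.ID)
	b.K, b.own = K, s2
	b5 := cat(b.r, se, b.ID, sB)
	return append(b5, b.sign(H(b5))...), nil
}

// Steps 16-20: verify B8, recompute K and S_1, require S_1 == S_B, return S_A.
func (a *Party) Steps16to20(b8 []byte, pubB *ecdsa.PublicKey) ([]byte, error) {
	if len(b8) != 160 || !verify(pubB, H(b8[:96]), b8[96:]) { return nil, errors.New("B8: signature check failed") }
	rB, se, idB, sB := b8[:32], b8[32:48], b8[48:64], b8[64:96]
	if !bytes.Equal(se, a.se) { return nil, errors.New("B8: session identifier mismatch") }
	K, s1, sA := a.derive(pubB, a.Pub(), pubB, a.r, rB, a.ID, idB)
	if !bytes.Equal(s1, sB) { return nil, errors.New("B8: key confirmation S_1 != S_B") }
	a.K = K
	return sA, nil
}

// Confirm is B's implied final check: the received S_A must equal its own S_2.
func (b *Party) Confirm(sA []byte) bool { return bytes.Equal(sA, b.own) }

func main() { // stand-alone run of the full exchange
	a, b := NewParty("acq-terminal-0001"), NewParty("access-gateway-01")
	b8 := must(b.Steps7to15(a.Steps1to6(nonce(16)), a.Pub()))
	sA := must(a.Steps16to20(b8, b.Pub()))
	fmt.Println("keys agree:", bytes.Equal(a.K, b.K), "B confirms S_A:", b.Confirm(sA))
}
```

Every branch that the page describes as a check is a hard failure here: a bad signature on A5 or B8, a B8 that does not echo A's Se, and a confirmation hash that does not match all stop the exchange before any key is accepted, which is the behaviour a gateway needs so that a terminal never proceeds to ciphertext with a key the other side does not hold.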
Based on the above secure communication status of new energy generator unit acquisition terminals, and combined with national cryptographic algorithms, an improved secure communication protocol is proposed. The protocol mainly adds a message security protocol layer message on top of the existing application layer protocol and encrypts the application message with the national SM1 algorithm, guaranteeing the integrity and confidentiality of the data.
The initiator can apply SM2 encryption with its own private key to the generated random number. It first computes an SM3 hash of the public key in its own digital certificate, signs the result with its own SM2 private key, and then sends the signature value together with the digital certificate to the authentication responder.
After the authentication responder receives the initiator's identity authentication request, it obtains the initiator's digital certificate from the message, extracts the public key from the certificate with the X509 parsing API of OpenSSL (the secure sockets layer cryptographic library), and verifies the transmitted signature value with that public key. If verification succeeds, the responder has verified the initiator's identity; the responder then also sends its own digital certificate to the initiator so that bidirectional identity authentication succeeds. The responder assembles its message in the same way as the initiator, which is not repeated here.
Secure data interaction in step 4) includes the following steps:
A. the acquisition terminal establishes an initial connection with the station control system via the secure access gateway;
B. the secure access gateway opens a listening port and creates a thread pool;
C. when data arrive from the acquisition terminal, a worker thread is started to process them, and the next step is chosen by the received message type: if the message type is a key agreement message, go to step D; if the message type is a ciphertext message, go to step E;
D. for a key agreement message, the process is the key agreement carried out between the acquisition terminal and the secure access gateway; after key agreement succeeds, the secure access gateway connects to the intranet station control system and both sides carry out secure data interaction; otherwise, the secure access gateway returns an error message to the acquisition terminal and closes the connection;
E. for a ciphertext message, the secure access gateway decrypts the ciphertext; if decryption succeeds, the plaintext is sent to the intranet station control system; otherwise, the secure access gateway returns an error message to the acquisition terminal and closes the connection.
The above addresses the access security problem of new energy plant station acquisition terminals by carrying out security architecture design and research in three aspects: terminal security protection, channel security protection and station-level security protection. According to the business characteristics and data transmission modes of wind power and photovoltaic generator unit acquisition terminals, and combined with an analysis of acquisition terminal attack scenarios, a secure communication protocol based on national cryptographic algorithms is studied and designed for communication modes such as wireless private networks, wireless public networks, dial-up access, intelligent access and satellite communication. A bidirectional encrypted tunnel is established between the acquisition terminal and the station-level access platform, guaranteeing the confidentiality and integrity of data transmission, implementing security filtering and exchange of business data, and achieving closed-loop secure transmission of data.
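The certificate exchange in the two paragraphs above (initiator signs the hash of its certified public key and sends signature plus certificate; responder parses the certificate, takes the public key out and verifies), as an added Go example; this is not code from the patent or from its applicants. Go's `crypto/x509` parser stands in for OpenSSL's X509 API, an in-memory CA and terminal certificate (constructed here) stand in for the certificates the authority issues, and ECDSA/SHA-256 stand in for SM2/SM3. The example goes one step beyond the page's wording by chaining the presented certificate to the trusted CA before its key is used, which is what the CA authentication server of step 1) contributes; the `Authority`, `AuthRequest` and identifier names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

var serial int64 // constructed serial numbers for the in-memory certificates

// Authority is the CA authentication server of the secure access platform,
// constructed in memory for this example; Pool holds its trust anchor.
type Authority struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
	Pool *x509.CertPool
}

func NewKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) } // stands in for SM2

func template(cn string, ca bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca { // self-signed root able to sign terminal certificates
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

func NewAuthority(name string) *Authority {
	key, tmpl := NewKey(), template(name, true)
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Authority{key: key, cert: cert, Pool: pool}
}

// Issue signs a DER terminal certificate for the given identity and public key.
func (ca *Authority) Issue(cn string, pub *ecdsa.PublicKey) []byte {
	return must(x509.CreateCertificate(rand.Reader, template(cn, false), ca.cert, pub, ca.key))
}

// AuthRequest is what the initiator sends: its certificate and a signature over
// the hash of the public key inside that certificate, as the page describes.
type AuthRequest struct{ CertDER, Sig []byte }

func BuildRequest(certDER []byte, priv *ecdsa.PrivateKey) AuthRequest {
	cert := must(x509.ParseCertificate(certDER))
	digest := sha256.Sum256(cert.RawSubjectPublicKeyInfo) // SHA-256 stands in for SM3
	return AuthRequest{CertDER: certDER, Sig: must(ecdsa.SignASN1(rand.Reader, priv, digest[:]))}
}

// VerifyRequest is the responder's side: parse the certificate, chain it to the
// trusted CA, take the public key out of it and verify the signature with that
// key. It returns the authenticated identity (the certificate's common name).
func VerifyRequest(req AuthRequest, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(req.CertDER)
	if err != nil {
		return "", fmt.Errorf("certificate parse: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected public key type in certificate")
	}
	digest := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	if !ecdsa.VerifyASN1(pub, digest[:], req.Sig) {
		return "", errors.New("signature check failed")
	}
	return cert.Subject.CommonName, nil
}

func main() { // stand-alone run: the responder authenticates one terminal
	ca, termKey := NewAuthority("Plant CA (constructed)"), NewKey()
	req := BuildRequest(ca.Issue("acq-terminal-0001", &termKey.PublicKey), termKey)
	id, err := VerifyRequest(req, ca.Pool)
	fmt.Println("authenticated identity:", id, "error:", err)
}
```

The order of checks matters: the chain to the CA is established before the key inside the certificate is trusted for anything, so a certificate from an unknown issuer is rejected without its signature ever being examined. As described on the page, the signed digest contains nothing chosen by the responder, so the check proves possession of the private key but not freshness; the responder's own message (which the page says is assembled the same way) is where a responder-chosen value would normally be bound in.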
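Steps A to E as a per-connection dispatcher, written in Go as an added example; this is not code from the patent or from its applicants. The message type tags, the frame layout (type byte, nonce, ciphertext) and the `Conn`/`Pool` names are this example's own, AES-GCM stands in for the SM1 encryption the page specifies, and the key agreement branch of step D simply takes the session key from the message payload so that the gateway's state machine can be exercised offline (in the real system that branch runs the SM2-based negotiation). Step B's thread pool is modelled as a fixed set of goroutine workers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// Message type tags carried in the first byte of each frame (constructed for the example).
const (
	MsgKeyAgree byte = 0x01
	MsgCipher   byte = 0x02
)

var ErrClosed = errors.New("connection closed")

// Conn is the gateway's state for one acquisition terminal: aead stays nil until
// key agreement has succeeded; toStation is the link to the station control system.
type Conn struct {
	aead      cipher.AEAD
	closed    bool
	toStation chan<- []byte
}

func NewConn(toStation chan<- []byte) *Conn { return &Conn{toStation: toStation} }

func newAEAD(key []byte) (cipher.AEAD, error) { // AES-GCM stands in for SM1
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Dispatch implements steps C-E for one received frame. Every failure path
// returns an error and closes the connection, as the page requires.
func (c *Conn) Dispatch(frame []byte) (err error) {
	if c.closed {
		return ErrClosed
	}
	defer func() {
		if err != nil {
			c.closed = true // "return an error message and close the connection"
		}
	}()
	if len(frame) == 0 {
		return errors.New("empty frame")
	}
	switch frame[0] {
	case MsgKeyAgree: // step D; stand-in: payload is the 16-byte negotiated key
		if len(frame) != 17 {
			return errors.New("malformed key agreement message")
		}
		c.aead, err = newAEAD(frame[1:])
		return err
	case MsgCipher: // step E: decrypt, forward plaintext to station control
		if c.aead == nil {
			return errors.New("ciphertext before key agreement")
		}
		ns := c.aead.NonceSize()
		if len(frame) < 1+ns+c.aead.Overhead() {
			return errors.New("short ciphertext")
		}
		pt, derr := c.aead.Open(nil, frame[1:1+ns], frame[1+ns:], frame[:1])
		if derr != nil {
			return errors.New("decryption failed")
		}
		c.toStation <- pt
		return nil
	default:
		return fmt.Errorf("unknown message type 0x%02x", frame[0])
	}
}

// Seal builds a ciphertext frame the way a terminal would (helper for the demo and tests).
func Seal(key, plaintext []byte) []byte {
	aead, err := newAEAD(key)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(append([]byte{MsgCipher}, nonce...), nonce, plaintext, []byte{MsgCipher})
}

// Pool is the thread pool of step B: n workers, one task per terminal connection
// so that a connection's frames are always handled in order.
type Pool struct {
	tasks chan func()
	wg    sync.WaitGroup
}

func NewPool(n int) *Pool {
	p := &Pool{tasks: make(chan func())}
	for i := 0; i < n; i++ {
		go func() {
			for task := range p.tasks {
				task()
				p.wg.Done()
			}
		}()
	}
	return p
}

func (p *Pool) Submit(task func()) { p.wg.Add(1); p.tasks <- task }
func (p *Pool) Shutdown()          { p.wg.Wait(); close(p.tasks) }

func main() { // stand-alone run: one terminal negotiates, then sends one reading
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	station := make(chan []byte, 8)
	conn, pool := NewConn(station), NewPool(4)
	pool.Submit(func() {
		fmt.Println("key agreement:", conn.Dispatch(append([]byte{MsgKeyAgree}, key...)))
		fmt.Println("ciphertext:", conn.Dispatch(Seal(key, []byte("P=1.25MW"))))
	})
	pool.Shutdown()
	fmt.Printf("station control received %q\n", <-station)
}
```

The dispatcher enforces an ordering that steps C-E leave implicit: a ciphertext frame that arrives before step D has completed has no key to be decrypted with and closes the connection instead of being forwarded, and once a connection has been closed for any error, later frames on it are not served at all.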

Claims (9)

1. A method of a new energy plant station generator unit acquisition terminal secure access platform, characterised in that it includes the following steps:
1) the generator unit acquisition terminal requests access to the station control system intranet;
2) the acquisition terminal and the secure access gateway of the secure access platform carry out bidirectional identity authentication;
3) the identity authentication system of the secure access gateway carries out security evaluation and identification of both communicating parties and, according to the evaluation and identification result, performs access or refusal control;
4) after authentication succeeds, the acquisition terminal establishes a communication channel with the secure access platform and carries out secure data interaction.
2. The method of the new energy plant station generator unit acquisition terminal secure access platform as described in claim 1, characterised in that: in step 1), the acquisition terminal achieves terminal security hardening, identity identification and data encryption and decryption by adding a security chip or by means of an external encryption authentication module.
3. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in claim 2, characterised in that: the encryption authentication module includes a security check module, an identity authentication module and a secure communication module;
the security check module strictly inspects the operating system version of the acquisition terminal, the system startup items and the disk files at specific locations; when handling an acquisition terminal access request, the system first checks whether the terminal has one or more of these characteristic parameters and decides from the inspection result whether the terminal may establish a connection with the secure access platform;
the identity authentication module is implemented in the external encryption authentication module of the acquisition terminal, and the digital certificate issued by the authority is stored in the encryption authentication module; through the designed authentication exchange protocol, each communicating party verifies the peer certificate it receives, and before accessing the network the acquisition terminal must complete the bidirectional identity authentication ensured jointly by the encryption authentication module and the CA authentication server of the secure access platform, so as to guarantee the legitimacy of the accessing terminal;
the secure communication module guarantees the integrity and confidentiality of data during transmission.
4. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in any one of claims 1-3, characterised in that: the secure access gateway in step 2) is responsible for establishing the secure channel and performing access control on the acquisition terminal.
5. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in claim 4, characterised in that: in step 2), a data isolation component is placed between the acquisition terminal and the secure access gateway of the secure access platform; the data isolation component uses a 2+1 system architecture consisting of three parts, an intranet security host, an extranet security host and a dedicated physical isolation data exchange module.
6. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in any one of claims 1-3, characterised in that: in step 3), the acquisition terminal requests access through the secure access gateway; first, the two parties verify each other's legitimacy according to the identity authentication protocol, so that only a legitimate terminal can establish a communication channel; on this basis, a secure symmetric cryptographic key is generated with the key exchange protocol and the transmission channel is encrypted with the generated key.
7. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in claim 6, characterised in that: the security of the communication channel is guaranteed by the SM2-based ECDH secure key exchange protocol and the bidirectional identity authentication protocol based on digital certificate technology; when the secure tunnel is established, both communicating parties must first complete identity authentication and key agreement, and only a terminal that has completed identity authentication is allowed by the server side to proceed to the next operation; for a terminal that does not satisfy the key agreement specification or has not completed identity authentication, the server side sends an error code to the terminal and the encryption authentication device performs identity authentication again.
8. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in claim 7, characterised in that: the key agreement process is as follows:
User A:
Step 1: user A generates a random number r_A and a session distinguishing identifier Se;
Step 2: concatenate r_A, Se and ID_A, obtaining A2 = r_A || Se || ID_A;
Step 3: hash the concatenation result, obtaining A3 = H(r_A || Se || ID_A);
Step 4: sign A3 with d_A, obtaining A4;
Step 5: concatenate A2 || A4, obtaining A5;
Step 6: send A5 to user B;
User B:
Step 7: receive user A's message; verify the signature and obtain r_A, Se, ID_A;
Step 8: user B generates a random number r_B;
Step 9: compute Z_A and Z_B;
Step 10: generate the session key K, S_B and S_2;
Step 11: concatenate r_B, Se, ID_B and S_B, obtaining B5 = r_B || Se || ID_B || S_B;
Step 12: hash the concatenation result, obtaining B6 = H(r_B || Se || ID_B || S_B);
Step 13: sign B6 with d_B, obtaining B7;
Step 14: concatenate B5 || B7, obtaining B8;
Step 15: send B8 to user A;
User A:
Step 16: receive the message sent by user B; verify the signature and obtain r_B, ID_B, S_B;
Step 17: compute Z_A and Z_B;
Step 18: generate the session key K and S_1;
Step 19: compare S_1 with S_B;
Step 20: generate S_A and send it to user B;
In the above, r_N denotes the random number generated by user N; K denotes the session key; P_N denotes the public key (SM2 public key) of user N; d_N denotes the private key (SM2 private key) of user N; E_X(Y) denotes encryption of Y with X; H(Y) denotes the hash (SM3 algorithm) of Y; || denotes concatenation; Z_N denotes the hash of user N's distinguishing identifier, part of the elliptic curve system parameters, user N's public key and r_N; Se denotes the session distinguishing identifier; ID_A denotes the unique identifier of user A; ID_B denotes the unique identifier of user B; A2, A3 and A4 are intermediate values obtained by user A and A5 is user A's message; B5, B6 and B7 are intermediate values obtained by user B and B8 is user B's message; S_A, S_B, S_1 and S_2 denote the corresponding hash results.
9. The method of the new energy plant station generator unit acquisition terminal secure access platform as claimed in any one of claims 1-3, characterised in that: in step 4), secure data interaction includes the following steps:
A. the acquisition terminal establishes an initial connection with the station control system via the secure access gateway;
B. the secure access gateway opens a listening port and creates a thread pool;
C. when data arrive from the acquisition terminal, a worker thread is started to process them, and the next step is chosen by the received message type: if the message type is a key agreement message, go to step D; if the message type is a ciphertext message, go to step E;
D. for a key agreement message, the process is the key agreement carried out between the acquisition terminal and the secure access gateway; after key agreement succeeds, the secure access gateway connects to the intranet station control system and both sides carry out secure data interaction; otherwise, the secure access gateway returns an error message to the acquisition terminal and closes the connection;
E. for a ciphertext message, the secure access gateway decrypts the ciphertext; if decryption succeeds, the plaintext is sent to the intranet station control system; otherwise, the secure access gateway returns an error message to the acquisition terminal and closes the connection.
CN201810924796.8A 2018-08-14 2018-08-14 Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform Active CN109088870B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810924796.8A CN109088870B (en) 2018-08-14 2018-08-14 Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810924796.8A CN109088870B (en) 2018-08-14 2018-08-14 Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform

Publications (2)

Publication Number Publication Date
CN109088870A true CN109088870A (en) 2018-12-25
CN109088870B CN109088870B (en) 2021-05-04

Family

ID=64834674

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810924796.8A Active CN109088870B (en) 2018-08-14 2018-08-14 Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform

Country Status (1)

Country Link
CN (1) CN109088870B (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110233735A (en) * 2019-06-14 2019-09-13 全球能源互联网研究院有限公司 A kind of grid-connected power station industrial control system comprehensive safety protecting method and system
CN110572265A (en) * 2019-10-24 2019-12-13 国网山东省电力公司信息通信公司 terminal security access gateway method, device and system based on quantum communication
CN110996318A (en) * 2019-12-23 2020-04-10 广西电网有限责任公司电力科学研究院 Safety communication access system of intelligent inspection robot of transformer substation
CN111756627A (en) * 2020-06-24 2020-10-09 广东电网有限责任公司电力科学研究院 Cloud platform security access gateway of electric power monitored control system
CN111953489A (en) * 2020-08-31 2020-11-17 中国电力科学研究院有限公司 SM2 algorithm-based key exchange device and method for collecting service of power generation unit
CN111988328A (en) * 2020-08-26 2020-11-24 中国电力科学研究院有限公司 Safety guarantee method and system for acquiring terminal data of power generation unit of new energy plant station
CN112020037A (en) * 2020-09-25 2020-12-01 卡斯柯信号(郑州)有限公司 Domestic communication encryption method suitable for rail transit
CN113783868A (en) * 2021-09-08 2021-12-10 广西东信数建信息科技有限公司 Method and system for protecting security of gate Internet of things based on commercial password
CN114254373A (en) * 2022-03-01 2022-03-29 中国电力科学研究院有限公司 Encryption transmission method, device and system
CN114546519A (en) * 2022-01-26 2022-05-27 华北电力大学 Industrial control safety data acquisition system and method
CN114626956A (en) * 2022-01-06 2022-06-14 北芯导航技术(南京)有限公司 Energy information utilization platform based on Internet of things
WO2022135404A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and device, storage medium, program, and program product
CN115277025A (en) * 2022-08-26 2022-11-01 广州万协通信息技术有限公司 Device authentication method for security chip, security chip device, and medium
CN115622813A (en) * 2022-12-19 2023-01-17 深圳市永达电子信息股份有限公司 Remote access management method, system and electronic equipment
US20230231712A1 (en) * 2022-01-14 2023-07-20 Micron Technology, Inc. Embedded tls protocol for lightweight devices

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101951603A (en) * 2010-10-14 2011-01-19 中国电子科技集团公司第三十研究所 Access control method and system for wireless local area network
CN103037367A (en) * 2012-12-27 2013-04-10 天津大学 Cipher hash computing based authentication method in wireless sensor network
CN104408371A (en) * 2014-10-14 2015-03-11 中国科学院信息工程研究所 Implementation method of high security application system based on trusted execution environment
US9654466B1 (en) * 2012-05-29 2017-05-16 Citigroup Technology, Inc. Methods and systems for electronic transactions using dynamic password authentication
CN107018134A (en) * 2017-04-06 2017-08-04 北京中电普华信息技术有限公司 A kind of distribution terminal secure accessing platform and its implementation
CN108055240A (en) * 2017-11-15 2018-05-18 上海国际汽车城(集团)有限公司 A kind of user authentication method of shared automobile

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101951603A (en) * 2010-10-14 2011-01-19 中国电子科技集团公司第三十研究所 Access control method and system for wireless local area network
US9654466B1 (en) * 2012-05-29 2017-05-16 Citigroup Technology, Inc. Methods and systems for electronic transactions using dynamic password authentication
CN103037367A (en) * 2012-12-27 2013-04-10 天津大学 Cipher hash computing based authentication method in wireless sensor network
CN104408371A (en) * 2014-10-14 2015-03-11 中国科学院信息工程研究所 Implementation method of high security application system based on trusted execution environment
CN107018134A (en) * 2017-04-06 2017-08-04 北京中电普华信息技术有限公司 A kind of distribution terminal secure accessing platform and its implementation
CN108055240A (en) * 2017-11-15 2018-05-18 上海国际汽车城(集团)有限公司 A kind of user authentication method of shared automobile

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110233735B (en) * 2019-06-14 2024-04-16 全球能源互联网研究院有限公司 Comprehensive safety protection method and system for grid-connected power station industrial control system
CN110233735A (en) * 2019-06-14 2019-09-13 全球能源互联网研究院有限公司 A kind of grid-connected power station industrial control system comprehensive safety protecting method and system
CN110572265A (en) * 2019-10-24 2019-12-13 国网山东省电力公司信息通信公司 terminal security access gateway method, device and system based on quantum communication
CN110572265B (en) * 2019-10-24 2022-04-05 国网山东省电力公司信息通信公司 Terminal security access gateway method, device and system based on quantum communication
CN110996318A (en) * 2019-12-23 2020-04-10 广西电网有限责任公司电力科学研究院 Safety communication access system of intelligent inspection robot of transformer substation
CN111756627A (en) * 2020-06-24 2020-10-09 广东电网有限责任公司电力科学研究院 Cloud platform security access gateway of electric power monitored control system
CN111988328A (en) * 2020-08-26 2020-11-24 中国电力科学研究院有限公司 Safety guarantee method and system for acquiring terminal data of power generation unit of new energy plant station
CN111953489A (en) * 2020-08-31 2020-11-17 中国电力科学研究院有限公司 SM2 algorithm-based key exchange device and method for collecting service of power generation unit
CN112020037A (en) * 2020-09-25 2020-12-01 卡斯柯信号(郑州)有限公司 Domestic communication encryption method suitable for rail transit
WO2022135404A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and device, storage medium, program, and program product
CN113783868A (en) * 2021-09-08 2021-12-10 广西东信数建信息科技有限公司 Method and system for protecting security of gate Internet of things based on commercial password
CN113783868B (en) * 2021-09-08 2023-09-01 广西东信数建信息科技有限公司 Method and system for protecting Internet of things safety of gate based on commercial password
CN114626956A (en) * 2022-01-06 2022-06-14 北芯导航技术(南京)有限公司 Energy information utilization platform based on Internet of things
CN114626956B (en) * 2022-01-06 2023-08-08 北芯导航技术(南京)有限公司 Energy information utilization platform based on Internet of things
US20230231712A1 (en) * 2022-01-14 2023-07-20 Micron Technology, Inc. Embedded tls protocol for lightweight devices
CN114546519A (en) * 2022-01-26 2022-05-27 华北电力大学 Industrial control safety data acquisition system and method
CN114546519B (en) * 2022-01-26 2023-10-03 华北电力大学 Industrial control safety data acquisition system and method
CN114254373B (en) * 2022-03-01 2022-07-08 中国电力科学研究院有限公司 Encryption transmission method, device and system
CN114254373A (en) * 2022-03-01 2022-03-29 中国电力科学研究院有限公司 Encryption transmission method, device and system
CN115277025B (en) * 2022-08-26 2023-01-06 广州万协通信息技术有限公司 Device authentication method for security chip, security chip apparatus, device, and medium
CN115277025A (en) * 2022-08-26 2022-11-01 广州万协通信息技术有限公司 Device authentication method for security chip, security chip device, and medium
CN115622813A (en) * 2022-12-19 2023-01-17 深圳市永达电子信息股份有限公司 Remote access management method, system and electronic equipment

Also Published As

Publication number Publication date
CN109088870B (en) 2021-05-04

Similar Documents

Publication Publication Date Title
CN109088870A (en) A kind of method of new energy plant stand generator unit acquisition terminal secure accessing platform
CN104702611B (en) A kind of device and method for protecting Secure Socket Layer session key
CN103155512B (en) System and method for providing secure access to service
CN103354498B (en) A kind of file encryption transmission method of identity-based
CN107018134A (en) A kind of distribution terminal secure accessing platform and its implementation
CN109347809A (en) A kind of application virtualization safety communicating method towards under autonomous controllable environment
CN103491540B (en) The two-way access authentication system of a kind of WLAN based on identity documents and method
CN105493453B (en) It is a kind of to realize the method, apparatus and system remotely accessed
CN108270571A (en) Internet of Things identity authorization system and its method based on block chain
CN103026657B (en) For anti-manipulation key certificate is provided method and apparatus
CN101409619B (en) Flash memory card and method for implementing virtual special network key exchange
US8417949B2 (en) Total exchange session security
CN105119894B (en) Communication system and communication means based on hardware security module
CN111245862A (en) System for safely receiving and sending terminal data of Internet of things
CN104468126B (en) A kind of safe communication system and method
CN106169952B (en) A kind of authentication method that internet Key Management Protocol is negotiated again and device
CN107172020A (en) A kind of network data security exchange method and system
CN107005534A (en) Secure connection is set up
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN104065485A (en) Power grid dispatching mobile platform safety guaranteeing and controlling method
CN107040536A (en) Data ciphering method, device and system
CN109951513A (en) Anti-quantum calculation wired home quantum cloud storage method and system based on quantum key card
CN109714360A (en) A kind of intelligent gateway and gateway communication processing method
CN110266725A (en) Cryptosecurity isolation module and mobile office security system
CN102088699A (en) Trust list-based system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant