CN109088870B - Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform - Google Patents
- Publication number: CN109088870B (application CN201810924796.8A)
- Authority: CN (China)
- Prior art keywords: security, acquisition terminal, user, key, terminal
- Legal status: Active
Classifications (CPC, leaf codes)
- H04L63/0209: Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/0227: Filtering policies
- H04L63/0428: Confidential data exchange among entities where the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/061: Key management in a packet data network for key exchange, e.g. in peer-to-peer networks
- H04L63/0823: Authentication of entities using certificates
- H04L63/0869: Authentication of entities for achieving mutual authentication
- H04L9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
- H04L9/0825: Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L9/0838: Key agreement, i.e. a shared key derived by the parties from information contributed by, or associated with, each of them
- H04L9/0844: Key agreement involving Diffie-Hellman or related protocols with user or key authentication, e.g. ElGamal, MTI, MQV or Diffie-Hellman with implicitly-certified keys
- H04L9/0869: Generation of secret information involving random numbers or seeds
- H04L9/0877: Generation of secret information using an additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
- H04L9/3236: Entity or message authentication using cryptographic hash functions
- H04L9/3247: Entity or message authentication involving digital signatures
- H04L9/3263: Entity or message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
Abstract
The invention discloses a method for the secure access of a new energy plant station power generation unit acquisition terminal to a platform, comprising the following steps: 1) the power generation unit acquisition terminal requests access to the intranet of the station control system; 2) the acquisition terminal and the security access gateway of the security access platform perform bidirectional identity authentication; 3) the identity authentication system of the security access gateway performs security evaluation and authentication of both communicating parties and admits or denies access according to the evaluation and authentication results; 4) after identity authentication succeeds, the acquisition terminal establishes a communication channel with the security access platform for secure data interaction. The invention provides integrity and confidentiality of data transmission and protects the channel when the acquisition terminals of the various power generation units of a new energy plant station are connected.
Description
Technical Field
The invention relates to a method for safely accessing a new energy station power generation unit acquisition terminal to a platform, and belongs to the field of power distribution automation.
Background
A Virtual Private Network (VPN) is a technology for establishing a private network on a public network. The network is called virtual because no two nodes in the VPN are joined by the end-to-end physical link that a conventional private network requires; instead, the connection is a logical network configured on a platform provided by a public network service provider, such as the Internet, ATM (asynchronous transfer mode) or Frame Relay, and user data is transmitted over that logical link. The technology extends private networks by encapsulating, encrypting and authenticating links across shared or public networks.
The basic principle of a VPN is to create a virtual network outlet through which all data sent to a destination passes. It is commonly used in enterprise office systems: because transmission is end-to-end, users can conveniently log in to the company gateway from different locations and obtain the right to use the intranet, and it can also be used to evade inspection by an organization.
However, VPN technology has some drawbacks and risks, mainly the following:
1) enterprises cannot directly control the reliability and performance of Internet-based VPNs and must rely on the Internet service providers that provide the VPNs to keep the service running;
2) it is not easy for an enterprise to create and deploy VPN lines; the technique requires a high level of understanding of network and security issues and needs careful planning and configuration;
3) VPN products and solutions from different vendors are always incompatible, because many vendors are unwilling or unable to comply with VPN technology standards;
4) VPNs pose a security risk when used with wireless devices; roaming between access points is particularly problematic, and any solution that uses advanced encryption techniques may be compromised when a user roams between access points.
The SM2 elliptic curve public key cryptography algorithm was published by the State Cryptography Administration in December 2010. SM2 is essentially an elliptic curve cryptography (ECC) algorithm; in detail, it specifies signature, verification, key exchange and related procedures. SM2 is an ECC scheme with independent intellectual property rights, developed in China by absorbing advanced international results; it is equivalent to or slightly better than comparable international ECC schemes in security and implementation efficiency, and can replace RSA (a public key encryption algorithm) to meet the higher demands that applications place on the security and implementation efficiency of public key algorithms. The SM2-based ECDH key exchange algorithm is described below following the step layout of the key exchange protocol in Part 3 of the SM2 elliptic curve public key cryptography algorithm:
Let the length of the key data to be negotiated between users A and B be klen bits, with user A the initiator and user B the responder.
To obtain the same key, users A and B carry out the following steps:
User A:
Step 1: generate a random number $r_A \in [1, n-1]$ with a random number generator;
Step 2: compute the elliptic curve point $R_A = [r_A]G = (x_1, y_1)$;
Step 3: send $R_A$ to user B.
User B:
Step 4: generate a random number $r_B \in [1, n-1]$ with a random number generator;
Step 5: compute the elliptic curve point $R_B = [r_B]G = (x_2, y_2)$;
Step 8: verify whether $R_A$ satisfies the elliptic curve equation; if not, the negotiation fails; otherwise take the field element $x_1$ from $R_A$ and compute
Step 10: compute $K_B = KDF(x_V \| y_V \| Z_A \| Z_B,\ klen)$;
Step 11: convert the coordinates $x_1, y_1$ of $R_A$ and $x_2, y_2$ of $R_B$ into bit strings and compute $S_B = Hash(0x02 \| y_V \| Hash(x_V \| Z_A \| Z_B \| x_1 \| y_1 \| x_2 \| y_2))$;
Step 12: send $R_B$ and $(S_B)$ to user A.
User A:
Step 15: verify whether $R_B$ satisfies the elliptic curve equation; if not, the negotiation fails; otherwise take the field element $x_2$ from $R_B$;
Step 17: compute $K_A = KDF(x_U \| y_U \| Z_A \| Z_B,\ klen)$;
Step 18: convert the coordinates $x_1, y_1$ of $R_A$ and $x_2, y_2$ of $R_B$ into bit strings, compute $S_1 = Hash(0x02 \| y_U \| Hash(x_U \| Z_A \| Z_B \| x_1 \| y_1 \| x_2 \| y_2))$ and check $S_1 = S_B$; if the equality does not hold, key confirmation from B to A fails;
Step 19: compute $S_A = Hash(0x03 \| y_U \| Hash(x_U \| Z_A \| Z_B \| x_1 \| y_1 \| x_2 \| y_2))$ and send $S_A$ to user B.
User B:
Step 20: compute $S_2 = Hash(0x03 \| y_V \| Hash(x_V \| Z_A \| Z_B \| x_1 \| y_1 \| x_2 \| y_2))$ and check $S_2 = S_A$; if the equality does not hold, key confirmation from A to B fails.
In the above, $r_N$ is a random number generated by user N; K is the session key; $P_N$ is the public key of user N (SM2 public key); $d_N$ is the private key of user N (SM2 private key); $E_X(Y)$ denotes encrypting Y with X; $H(Y)$ denotes hashing Y (SM3 algorithm); $\|$ denotes concatenation; $Z_N$ is a hash value of user N's distinguishable identifier, part of the elliptic curve system parameters, user N's public key and $r_N$; Se is the session distinguishable identifier; n is the order of the base point G (n is a prime factor of $\#E(\mathbb{F}_q)$); h is the cofactor, $h = \#E(\mathbb{F}_q)/n$, where n is the order of the base point G; $K_A$ is the shared key agreed by the key exchange protocol; $K_B$ is the shared key agreed by the key exchange protocol; w is an initial predetermined value, which is fixed; $t_N$ is the value obtained modulo n from user N's private key and random number.
In the above algorithm, users A and B exchange messages over an insecure communication channel using ECDH (a key agreement algorithm) to obtain a shared key. However, the computing capability of terminals in the acquisition service is limited, not all of this information needs to be exchanged during the key exchange, and the security is poor.
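To make the SM2 key exchange steps above concrete, the following is an added example, not code from the patent or from any SM2 library. It runs the exchange between an initiator A and a responder B on the recommended SM2 curve in pure Python and computes the two-way key confirmation values $S_B$/$S_1$ and $S_A$/$S_2$ exactly as written above. Assumptions: SHA-256 stands in for SM3 (the structure of the hashes and the counter-mode KDF is unchanged); $Z_N$ is simplified to a hash of the identifier, curve parameters and public key; the combination of static and ephemeral keys through $\bar{x}$ and $t_N$, whose steps (6, 7, 9, 13, 14, 16) the page does not reproduce, follows GB/T 32918.3; the identifiers, the function names (`run_exchange`, `shared_point`, `confirm_tags`) and the `tamper_RA` switch are this example's own. The switch goes beyond the text to show what a defender cares about: when an on-path party substitutes $R_A$, both sides derive different keys and both confirmation checks fail, so the session is never used.

```python
"""SM2-style key exchange with two-way key confirmation (added example, pure Python)."""
import hashlib
import secrets

# Recommended SM2 curve y^2 = x^3 + a*x + b over F_p; base point G has prime order n, cofactor h = 1
P = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_00000000_FFFFFFFF_FFFFFFFF
A = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_00000000_FFFFFFFF_FFFFFFFC
B = 0x28E9FA9E_9D9F5E34_4D5A9E4B_CF6509A7_F39789F5_15AB8F92_DDBCBD41_4D940E93
N = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_7203DF6B_21C6052B_53BBF409_39D54123
G = (0x32C4AE2C_1F198119_5F990446_6A39C994_8FE30BBF_F2660BE1_715A4589_334C74C7,
     0xBC3736A2_F4F6779C_59BDCEE3_6B692153_D0A9877C_C62A4740_02DF32E5_2139F0A0)
H_COF = 1
W = 127        # w = ceil(ceil(log2 n) / 2) - 1: the fixed value the page calls w
INF = None     # point at infinity

def on_curve(pt):
    return pt is not INF and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def add(p, q):
    """Affine point addition (doubling when p == q, INF when p == -q)."""
    if p is INF: return q
    if q is INF: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0: return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, p):
    """Double-and-add scalar multiplication [k]p."""
    r = INF
    while k > 0:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def H(data): return hashlib.sha256(data).digest()   # assumption: SHA-256 stands in for SM3
def i2b(x): return x.to_bytes(32, "big")

def kdf(z, klen):
    """Counter-mode KDF: Hash(Z || ct) for ct = 1, 2, ..., truncated to klen bits."""
    out, ct = b"", 1
    while len(out) * 8 < klen:
        out += H(z + ct.to_bytes(4, "big")); ct += 1
    return out[:klen // 8]

def z_id(ident, pub):
    """Simplified Z_N: hash of the identifier, the curve parameters and the party's public key."""
    return H(ident + i2b(A) + i2b(B) + i2b(G[0]) + i2b(G[1]) + i2b(pub[0]) + i2b(pub[1]))

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def x_bar(x):   # x-bar = 2^w + (x mod 2^w): binds the ephemeral point to the static key
    return (1 << W) + (x & ((1 << W) - 1))

def shared_point(d_self, r_self, R_self, P_peer, R_peer):
    """t = (d + x-bar(R_self) * r) mod n, then [h*t](P_peer + [x-bar(R_peer)]R_peer); fails closed."""
    if not on_curve(R_peer):
        raise ValueError("peer ephemeral point is not on the curve")
    t = (d_self + x_bar(R_self[0]) * r_self) % N
    pt = mul(H_COF * t, add(P_peer, mul(x_bar(R_peer[0]), R_peer)))
    if pt is INF:
        raise ValueError("shared point is the point at infinity")
    return pt

def confirm_tags(pt, ZA, ZB, RA, RB):
    """(Hash(0x02 || y || inner), Hash(0x03 || y || inner)), inner = Hash(x||ZA||ZB||x1||y1||x2||y2)."""
    inner = H(i2b(pt[0]) + ZA + ZB + i2b(RA[0]) + i2b(RA[1]) + i2b(RB[0]) + i2b(RB[1]))
    return H(b"\x02" + i2b(pt[1]) + inner), H(b"\x03" + i2b(pt[1]) + inner)

def run_exchange(klen=128, tamper_RA=False):
    """Run A (initiator) and B (responder); return (K_A, K_B, B->A confirmed, A->B confirmed)."""
    dA, PA = keygen(); dB, PB = keygen()                          # static key pairs (certified in practice)
    ZA, ZB = z_id(b"TERMINAL-0001", PA), z_id(b"GATEWAY-01", PB)   # constructed identifiers
    rA = secrets.randbelow(N - 1) + 1; RA = mul(rA, G)            # A steps 1-3: R_A = [r_A]G goes to B
    RA_seen = mul(secrets.randbelow(N - 1) + 1, G) if tamper_RA else RA  # on-path substitution of R_A
    rB = secrets.randbelow(N - 1) + 1; RB = mul(rB, G)            # B steps 4-5
    V = shared_point(dB, rB, RB, PA, RA_seen)                      # B steps 8-9: check R_A, compute V
    KB = kdf(i2b(V[0]) + i2b(V[1]) + ZA + ZB, klen)               # B step 10
    SB, S2 = confirm_tags(V, ZA, ZB, RA_seen, RB)                 # B steps 11-12 (S_2 kept for step 20)
    U = shared_point(dA, rA, RA, PB, RB)                           # A steps 15-16: check R_B, compute U
    KA = kdf(i2b(U[0]) + i2b(U[1]) + ZA + ZB, klen)               # A step 17
    S1, SA = confirm_tags(U, ZA, ZB, RA, RB)                       # A steps 18-19: S_1 == S_B ?, send S_A
    return KA, KB, S1 == SB, S2 == SA                              # B step 20: S_2 == S_A ?

if __name__ == "__main__":
    KA, KB, ok_ba, ok_ab = run_exchange()
    print(KA.hex(), KA == KB, ok_ba, ok_ab)
```

Both sides arrive at the same point because $U = [h t_A](P_B + [\bar{x}_2]R_B) = [h t_A t_B]G = V$; the confirmation tags cover the shared point, both identities and both ephemeral points, so a mismatch anywhere in the transcript surfaces before any key is used.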
Disclosure of Invention
The invention provides a method for the secure access of a new energy plant station power generation unit acquisition terminal to a platform, which ensures the confidentiality and integrity of data transmission, provides secure filtering and exchange of service data, and achieves closed-loop secure transmission of data.
To solve the technical problem, the technical solution adopted by the invention is as follows:
A method for the secure access of a new energy plant station power generation unit acquisition terminal to a platform comprises the following steps:
1) the power generation unit acquisition terminal requests access to the intranet of the station control system;
2) the acquisition terminal and the security access gateway of the security access platform perform bidirectional identity authentication;
3) the identity authentication system of the security access gateway performs security evaluation and authentication of both communicating parties and admits or denies access according to the evaluation and authentication results;
4) after identity authentication succeeds, the acquisition terminal establishes a communication channel with the security access platform for secure data interaction.
To improve security, in step 1) the security hardening, identity authentication and data encryption and decryption of the terminal are implemented by adding a security chip to the acquisition terminal or by using an external encryption authentication module.
The encryption authentication module comprises a security check module, an identity authentication module and a secure communication module;
the security check module strictly checks the operating system version of the acquisition terminal, the system startup items and the disk files at specific locations. When the system handles the access of an acquisition terminal, it first checks whether the terminal has one or more characteristic parameters and decides from the result whether the terminal may connect to the security access platform, so that an unhealthy acquisition terminal is kept out of the intranet, the security of the acquisition terminal is ensured and threats are stopped at the source;
the identity authentication module relies on an encryption authentication module attached externally to the acquisition terminal, in which digital certificates issued by an authority are stored. The two communicating parties each verify the peer certificate presented to them through a designed identity authentication exchange protocol, and before the acquisition terminal joins the network it must complete bidirectional identity authentication guaranteed jointly by the encryption authentication module and the CA authentication server of the security access platform, which ensures the legitimacy of the accessing terminal;
the secure communication module is mainly responsible for ensuring the integrity and confidentiality of data during transmission.
The security access gateway in step 2) is responsible for establishing the secure channel and for access control of the acquisition terminal; it ensures the security of the access transmission and of the internally accessed application systems.
In step 2), a data isolation component is placed between the acquisition terminal and the security access gateway of the security access platform. It adopts a 2+1 system architecture consisting of three parts: an intranet security host, an extranet security host and a dedicated physical-isolation data exchange module. Deployed between networks of different security levels, it provides network security isolation together with bidirectional access control, intranet resource protection, data exchange management, data content filtering and similar functions, prevents illegal connections from passing through into the intranet for direct access, and provides an accurate and controllable information exchange service.
In step 3), the acquisition terminal requests access through the secure access gateway. First, the two sides verify each other's legitimacy according to the identity authentication protocol, and only a legitimate terminal can establish the communication channel; on that basis, a secure symmetric encryption key is generated with the key exchange protocol and the transmission channel is encrypted with the generated key, so that data cannot be intercepted, tampered with, damaged, injected or replayed in transit and the security of data transmission is ensured.
The security of the communication channel is mainly ensured by the SM2-based ECDH (elliptic curve Diffie-Hellman) secure key exchange protocol and a bidirectional identity authentication protocol based on digital certificate technology. When a secure tunnel is established, the two parties first complete identity authentication and key agreement; the server side allows the next operation only after the terminal has completed identity authentication, and for a terminal that does not meet the key agreement specification or has not completed identity authentication, the server side sends an error code to the terminal and the encryption authentication device must perform identity authentication again.
The invention combines digital certificate technology to sign and verify the transmitted messages, which ensures the identity validity of the accessing terminal; the two communicating parties each verify the peer certificate transmitted to them through the designed identity authentication exchange protocol.
In the original SM2 ECDH key exchange protocol, users A and B can obtain a shared key through ECDH exchange over an insecure communication channel, but the computing power of terminals in the acquisition service is limited, not all of the information needs to be exchanged during key exchange, and the security is poor. On this basis, the present application provides an efficient key exchange protocol that meets the protection requirements of the acquisition service; the negotiation process is described in detail as follows:
User A:
Step 1: user A generates a random number $r_A$ and the session identifier Se;
Step 2: concatenate $r_A$, Se and $ID_A$ to obtain $A2 = r_A \| Se \| ID_A$;
Step 3: hash the concatenation result to obtain $A3 = H(r_A \| Se \| ID_A)$;
Step 6: send A5 to user B.
User B:
Step 7: receive user A's message and verify the signature to obtain $r_A$, Se, $ID_A$;
Step 8: user B generates a random number $r_B$;
Step 9: compute $Z_A$, $Z_B$;
Step 10: generate the session key K, $S_B$ and $S_2$;
Step 11: concatenate $r_B$, Se, $ID_B$ and $S_B$ to obtain $B5 = r_B \| Se \| ID_B \| S_B$ (96 bytes);
Step 12: hash the concatenation result to obtain $B6 = H(r_B \| Se \| ID_B \| S_B)$ (32 bytes);
Step 14: concatenate $B5 \| B7$ to obtain B8;
Step 15: send B8 to user A.
User A:
Step 16: receive user B's message and verify the signature to obtain $r_B$, $ID_B$, $S_B$;
Step 17: compute $Z_A$, $Z_B$;
Step 18: generate the session key K and $S_1$;
Step 19: compare $S_1$ with $S_B$;
Step 20: generate $S_A$ and send it to B.
In the above, $r_N$ is a random number generated by user N (user A, user B, and so on); K is the session key; $P_N$ is the public key of user N (SM2 public key); $d_N$ is the private key of user N (SM2 private key); $E_X(Y)$ denotes encrypting Y with X; $H(Y)$ denotes hashing Y (SM3 algorithm); $\|$ denotes concatenation; $Z_N$ is a hash value of user N's distinguishable identifier, part of the elliptic curve system parameters, user N's public key and $r_N$; Se is the session distinguishable identifier; $ID_A$ is the unique identity of user A; $ID_B$ is the unique identity of user B; A2, A3 and A4 are intermediate values computed by user A, and A5 is user A's message; B5, B6 and B7 are intermediate values computed by user B, and B8 is user B's message; $S_A$, $S_B$, $S_1$ and $S_2$ each denote the corresponding hash result.
The secure communication protocol is a secure access protection framework for the new energy plant station power generation unit acquisition terminal under various communication modes. It studies network security access and protection technologies for the power generation unit acquisition terminal based on the national cryptographic algorithms in a real-time environment and, by including a security-hardened acquisition terminal, a security access gateway, a data filtering component and the like, achieves security protection from the data source without affecting the real-time data acquisition function.
The improved secure communication protocol is proposed on the basis of the current state of secure communication of new energy power generation unit acquisition terminals, combined with the national cryptographic algorithms. Its main feature is that an information security protocol layer message is added on top of the existing application layer protocol, and the application message is encrypted with the national SM1 algorithm, so that the integrity and confidentiality of the data are guaranteed.
The initiator can use its own private key to SM2-encrypt (that is, sign) the generated random number. First, it hashes the public key in its own digital certificate with the SM3 algorithm, signs the result with its own SM2 private key, and then sends the signature value and the digital certificate to the identity authentication responder.
After receiving the initiator's identity authentication request, the identity authentication responder takes the initiator's digital certificate from the message, extracts the public key from the certificate with the X509 parsing API of OpenSSL (the secure socket layer code library), and uses that public key to verify the signature value that was sent. If signature verification succeeds, the responder has verified the initiator's identity; at this point the responder also sends its own digital certificate to the initiator so that bidirectional identity authentication succeeds. The responder's message assembly is similar to the initiator's and is not repeated here.
In step 4), the secure data interaction includes the following steps:
A. the acquisition terminal initially connects to the station control system through the security access gateway;
B. the security access gateway opens a port to listen and creates a thread pool;
C. when data is received from the acquisition terminal, a sub-thread is started to process the received data, and the subsequent step is chosen according to the type of the received message: if the message is a key negotiation message, go to step D; if it is a ciphertext message, go to step E;
D. if the message is a key negotiation message, the acquisition terminal and the security access gateway carry out the key negotiation process; after the key negotiation succeeds, the security access gateway connects to the intranet station control system and secure data interaction takes place between the acquisition terminal and the security access gateway; otherwise the security access gateway returns an error message to the acquisition terminal and closes the connection;
E. if the message is a ciphertext message, the security access gateway decrypts the ciphertext; if decryption succeeds, the plaintext is sent to the intranet station control system; otherwise the security access gateway returns an error message to the acquisition terminal and closes the connection.
Aiming at the access security problem of the new energy plant station acquisition terminal, the invention designs a security protection architecture from three aspects: terminal security protection, channel security protection and station control layer security protection. According to the service characteristics and data transmission mode of wind power and photovoltaic power generation unit acquisition terminals, and combined with an analysis of the security attack scenarios of the acquisition terminal, it designs a secure communication protocol based on the national cryptographic (SM) algorithms and establishes a bidirectional encrypted tunnel between the acquisition terminal and the station control layer access platform for communication modes such as wireless private network, wireless public network, private line access, optical fiber access and satellite communication, thereby guaranteeing the confidentiality and integrity of data transmission, realizing secure filtering and exchange of service data, and achieving closed-loop secure transmission of data.
For techniques not mentioned in the present invention, reference is made to the prior art.
The invention has the following beneficial effects:
1) the network secure access and protection technology of the power generation unit acquisition terminal in a real-time environment, based on the national cryptographic (SM) algorithms, is studied from the three aspects of acquisition terminal security, network access channel security and station control layer system security; the architecture is clearly layered, and the integrity and confidentiality of data transmission are achieved at every level;
2) aiming at the special environment of the new energy station power generation unit acquisition terminal, and by studying the existing DH and ECDH key exchange protocols, an improved key exchange protocol based on the SM2 algorithm and suited to the acquisition service of the new energy station power generation unit is proposed while the security of the key exchange is preserved;
3) for the various communication modes such as wireless private network, wireless public network, private line access, optical fiber access and satellite communication, a secure communication protocol based on the national cryptographic (SM) algorithms is designed, and the security of channel protection when the acquisition terminals of the various power generation units of a new energy plant station are connected is guaranteed.
Drawings
FIG. 1 is a diagram of a new energy plant station power generation unit acquisition terminal security access protection architecture;
FIG. 2 is a flow chart of data interaction between an acquisition terminal and a security access platform;
FIG. 3 is a diagram of the key agreement process of the improved ECDH key exchange protocol based on SM2.
Detailed Description
In order to better understand the present invention, the following examples are further provided to illustrate the present invention, but the present invention is not limited to the following examples.
The system architecture of the secure access platform of the new energy station power generation unit acquisition terminal comprises a security-hardened acquisition terminal, a security access gateway and a data isolation component; the system architecture diagram is shown in FIG. 1.
The method for safely accessing the acquisition terminal of the power generation unit of the new energy plant station to the platform comprises the following steps:
1) the power generation unit acquisition terminal requests access to the intranet of the station control system;
2) the acquisition terminal and a security access gateway of the security access platform perform bidirectional identity authentication;
3) the identity authentication system of the security access gateway carries out security evaluation and authentication on both communication parties and carries out admission or denial control according to the evaluation and authentication results;
4) after the identity authentication succeeds, the acquisition terminal establishes a communication channel with the security access platform and performs secure data interaction.
In step 1), a security chip is added to the acquisition terminal, or terminal security hardening, identity authentication and data encryption and decryption are realized by an external encryption authentication module.
The encryption authentication module comprises a security check module, an identity authentication module and a security communication module;
the security check module strictly checks the operating system version of the acquisition terminal, the system startup items and the disk files at specific locations; when the system handles the access of an acquisition terminal, it first checks whether the terminal has one or more of these characteristic parameters and decides according to the check result whether the terminal is allowed to connect to the security access platform, so that an acquisition terminal that fails the check is kept out of the intranet, the security of the acquisition terminal is ensured and threats are stopped at the source;
the identity authentication module is realized by the encryption authentication module fitted externally to the acquisition terminal, in which digital certificates issued by an authority are stored; through a designed identity authentication exchange protocol, the two communicating parties each verify the certificate presented by the other end, and before the acquisition terminal accesses the network it must complete bidirectional identity authentication jointly guaranteed by the encryption authentication module and the CA authentication server of the security access platform, so that the legitimacy of the accessing terminal is ensured;
the safety communication module is mainly used for ensuring the integrity and confidentiality of data in the transmission process.
The security access gateway in the step 2) is responsible for establishing a security channel and performing access control on the acquisition terminal, and can ensure the security of access transmission and the security of an internally accessed application system.
The data isolation component is arranged between the acquisition terminal and the security access gateway of the security access platform. It adopts a 2+1 system architecture and comprises three parts: an intranet security host, an extranet security host and a dedicated physical isolation data exchange module. The data isolation component is deployed between networks of different security levels.
In step 3), the acquisition terminal requests access through the security access gateway; the two sides first mutually verify each other's legitimacy according to the identity authentication protocol, ensuring that only a legitimate terminal can establish a communication channel. On that basis, a secure symmetric encryption key is generated with the key exchange protocol and the transmission channel is encrypted with the generated key, so that data cannot be intercepted, tampered with, damaged, inserted or replayed during transmission, and the security of data transmission is ensured.
The security of the communication channel is mainly ensured by an ECDH (elliptic curve Diffie-Hellman) secure key exchange protocol based on SM2 and a bidirectional identity authentication protocol based on digital certificate technology. When a secure tunnel is established, the two parties that need to communicate first complete identity authentication and key agreement; the server side allows the next operation only when the terminal has completed identity authentication, and for a terminal that does not meet the key agreement specification or has not completed identity authentication, the server side sends an error code to the terminal and the encryption authentication device performs identity authentication again.
The invention combines digital certificate technology to realize the signing and signature verification of transmitted messages, ensuring the identity legitimacy of the accessing terminal; through the designed identity authentication exchange protocol, the two communicating parties each verify the certificate transmitted by the other end.
In the original SM2 ECDH key exchange protocol, user A and user B can obtain a shared key through an ECDH exchange over an insecure communication channel; however, the computing power of the terminal in the acquisition service is limited, not all of the information needs to be transmitted to each other during the key exchange, and the security is poor. On this basis, an efficient key exchange protocol that meets the protection requirements of the acquisition service is proposed; the negotiation process is described in detail as follows:
user A:
step 1: user A generates a random number r_A (32 bytes) and the session distinguishable identifier Se (16 bytes);
step 2: concatenate r_A, Se and ID_A to obtain A2 = r_A || Se || ID_A (64 bytes);
step 3: hash the concatenation result to obtain A3 = H(r_A || Se || ID_A) (32 bytes);
step 6: send A5 to user B;
user B:
step 7: obtain the message of user A, verify the signature and recover r_A, Se, ID_A;
step 8: user B generates a random number r_B (32 bytes);
step 9: calculate Z_A, Z_B (both 32 bytes);
step 10: generate the session key K (16 bytes), S_B (32 bytes) and S_2 (32 bytes);
step 11: concatenate r_B, Se, ID_B and S_B to obtain B5 = r_B || Se || ID_B || S_B (96 bytes);
step 12: hash the concatenation result to obtain B6 = H(r_B || Se || ID_B || S_B) (32 bytes);
step 14: concatenate B5 || B7 to give
step 15: send B8 to user A;
user A:
step 16: obtain the message sent by user B, verify the signature and recover r_B, ID_B, S_B;
step 17: calculate Z_A, Z_B;
step 18: generate the session key K and S_1;
step 19: compare S_1 with S_B;
step 20: generate S_A and send it to B;
In the above, r_N denotes the random number generated by user N (that is, r_A denotes the random number generated by user A and r_B the random number generated by user B); K denotes the session key; P_N denotes the public key of user N (SM2 public key); d_N denotes the private key of user N (SM2 private key); E_X(Y) denotes encrypting Y with X; H(Y) denotes hashing Y (SM3 algorithm); || denotes concatenation; Z_N denotes a hash value over the distinguishable identifier of user N, part of the elliptic curve system parameters, the public key of user N and r_N; Se denotes the session distinguishable identifier; ID_A denotes the unique identity of user A; ID_B denotes the unique identity of user B; A2, A3 and A4 are process parameters obtained by user A, and A5 is the message of user A; B5, B6 and B7 are process parameters obtained by user B, and B8 is the message of user B; S_A, S_B, S_1 and S_2 each denote a corresponding hash result. User N is either user A or user B.
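As an added illustration of the message construction in steps 2, 3, 11, 12, 16 and 19 (example code, not the patent's own), the following Python builds and checks the concatenated fields with the byte lengths stated above. SHA-256 stands in for SM3 (both 32 bytes), the 16-byte length of ID_A/ID_B is inferred from the stated 64- and 96-byte totals, the signature steps the description leaves out are not modelled, and the Se binding check on the receiving side is an added defensive check rather than a step of the page.

```python
import hashlib
import hmac

# Field lengths from the description: r_N 32 bytes, Se 16 bytes, hashes 32 bytes.
# ID_A/ID_B lengths are not stated; 16 bytes is inferred from A2 = 64 and B5 = 96
# bytes (assumption).
R_LEN, SE_LEN, ID_LEN, HASH_LEN = 32, 16, 16, 32
A2_LEN = R_LEN + SE_LEN + ID_LEN              # 64 bytes
B5_LEN = R_LEN + SE_LEN + ID_LEN + HASH_LEN   # 96 bytes


def H(data: bytes) -> bytes:
    """Stand-in for SM3: SHA-256 also yields a 32-byte digest (assumption)."""
    return hashlib.sha256(data).digest()


def _sized(name: str, value: bytes, length: int) -> bytes:
    """Reject a field whose length does not match the protocol layout."""
    if len(value) != length:
        raise ValueError(f"{name} must be {length} bytes, got {len(value)}")
    return value


def build_a2_a3(r_a: bytes, se: bytes, id_a: bytes):
    """Steps 2 and 3 of user A: A2 = r_A || Se || ID_A and A3 = H(A2)."""
    a2 = _sized("r_A", r_a, R_LEN) + _sized("Se", se, SE_LEN) + _sized("ID_A", id_a, ID_LEN)
    return a2, H(a2)


def build_b5_b6(r_b: bytes, se: bytes, id_b: bytes, s_b: bytes):
    """Steps 11 and 12 of user B: B5 = r_B || Se || ID_B || S_B and B6 = H(B5)."""
    b5 = (_sized("r_B", r_b, R_LEN) + _sized("Se", se, SE_LEN)
          + _sized("ID_B", id_b, ID_LEN) + _sized("S_B", s_b, HASH_LEN))
    return b5, H(b5)


def parse_a_fields(a2: bytes, a3: bytes):
    """Receiver side of step 7 (after signature verification, which is not
    modelled here): split A2 into (r_A, Se, ID_A) only if its length and the
    hash A3 check out. Returns None on any mismatch."""
    if len(a2) != A2_LEN or len(a3) != HASH_LEN:
        return None
    if not hmac.compare_digest(H(a2), a3):
        return None
    return a2[:R_LEN], a2[R_LEN:R_LEN + SE_LEN], a2[R_LEN + SE_LEN:]


def parse_b_fields(b5: bytes, b6: bytes, expected_se: bytes):
    """Receiver side of step 16: split B5 into (r_B, Se, ID_B, S_B), checking the
    hash B6 and (added check) that the echoed Se is the session A opened in step 1."""
    if len(b5) != B5_LEN or len(b6) != HASH_LEN:
        return None
    if not hmac.compare_digest(H(b5), b6):
        return None
    r_b = b5[:R_LEN]
    se = b5[R_LEN:R_LEN + SE_LEN]
    id_b = b5[R_LEN + SE_LEN:R_LEN + SE_LEN + ID_LEN]
    s_b = b5[R_LEN + SE_LEN + ID_LEN:]
    if not hmac.compare_digest(se, expected_se):
        return None
    return r_b, se, id_b, s_b


def compute_z(id_n: bytes, curve_params: bytes, p_n: bytes, r_n: bytes) -> bytes:
    """Z_N as defined in the notation: a hash over the distinguishable identifier
    of user N, the (partial) elliptic curve system parameters, the public key P_N
    and r_N. The concatenation order is an assumption."""
    return H(id_n + curve_params + p_n + r_n)


def key_confirmed(s_1: bytes, s_b: bytes) -> bool:
    """Step 19: compare S_1 against the received S_B in constant time."""
    return len(s_1) == len(s_b) and hmac.compare_digest(s_1, s_b)


if __name__ == "__main__":
    # Constructed sample values, not real protocol traffic.
    r_a, se, id_a = b"\xaa" * R_LEN, b"\xbb" * SE_LEN, b"\xcc" * ID_LEN
    a2, a3 = build_a2_a3(r_a, se, id_a)
    print("A2/A3 round trip:", parse_a_fields(a2, a3) == (r_a, se, id_a))
    print("tampered A2 rejected:", parse_a_fields(bytes([a2[0] ^ 1]) + a2[1:], a3) is None)
```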
The improved secure communication protocol is proposed on the basis of the current state of secure communication for the new energy power generation unit acquisition terminal, combined with the national cryptographic (SM) algorithms. Its main feature is that an information security protocol layer message is added on top of the existing application layer protocol, and the application message is encrypted with the SM1 algorithm, so that the integrity and confidentiality of the data are guaranteed.
The initiator can encrypt the generated random number with SM2 using its own private key. First, the SM3 algorithm is used to hash the public key contained in the initiator's own digital certificate; the hash result is signed with the initiator's own SM2 private key; then the signature value and the digital certificate are sent to the identity authentication responder.
After receiving the identity authentication request from the initiator, the identity authentication responder extracts the initiator's digital certificate from the message, uses the X509 parsing API of OpenSSL to take the public key out of the digital certificate, and verifies the received signature value with that public key. If signature verification succeeds, the responder has successfully verified the identity of the initiator; at this point the responder also sends its own digital certificate to the initiator so that bidirectional identity authentication can be completed. The message assembly process of the responder is similar to that of the initiator and is not repeated here.
The secure data interaction in step 4) comprises the following steps:
A. the acquisition terminal initially connects to the station control system through the security access gateway;
B. the security access gateway opens a port to listen and creates a thread pool;
C. when data is received from the acquisition terminal, a sub-thread is started to process the received data, and the subsequent step is chosen according to the type of the received message: if the message is a key negotiation message, go to step D; if it is a ciphertext message, go to step E;
D. if the message is a key negotiation message, the acquisition terminal and the security access gateway carry out the key negotiation process; after the key negotiation succeeds, the security access gateway connects to the intranet station control system and secure data interaction takes place between the acquisition terminal and the security access gateway; otherwise the security access gateway returns an error message to the acquisition terminal and closes the connection;
E. if the message is a ciphertext message, the security access gateway decrypts the ciphertext; if decryption succeeds, the plaintext is sent to the intranet station control system; otherwise the security access gateway returns an error message to the acquisition terminal and closes the connection.
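The gateway dispatch of steps A to E, as an added Python example that is not the patent's code: a per-connection session object of the kind one worker thread from the pool would drive. The SM2 key agreement is replaced by a stand-in callback and the SM1 ciphertext layer by a stand-in keystream-plus-HMAC scheme; the message type bytes and the rejection of unknown message types are assumptions.

```python
import hashlib
import hmac
import os

# Message type tags are constructed for this example; the page only names the
# two kinds of message the gateway distinguishes (assumption).
MSG_KEY_NEGOTIATION = 0x01
MSG_CIPHERTEXT = 0x02
NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 16


def derive_stand_in_key(r_a: bytes, r_b: bytes) -> bytes:
    """Stand-in KDF so both ends reach the same 16-byte K from the two randoms.
    The real scheme is the SM2-based agreement described on the page (assumption)."""
    return hashlib.sha256(b"stand-in-kdf" + r_a + r_b).digest()[:KEY_LEN]


def stand_in_negotiate(payload: bytes, r_b=None):
    """Gateway side of the key negotiation: expects a 32-byte r_A, draws r_B and
    returns (K, r_B), or None when the message does not meet the specification."""
    if len(payload) != 32:
        return None
    r_b = r_b if r_b is not None else os.urandom(32)
    return derive_stand_in_key(payload, r_b), r_b


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for the SM1 cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def stand_in_encrypt(key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Terminal side: nonce || (plaintext XOR keystream) || HMAC-SHA256 tag over
    nonce and body (encrypt-then-MAC). Not the patent's cipher."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def stand_in_decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None if the frame is too short or the tag fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class GatewaySession:
    """State for one terminal connection, as handled by one worker thread (steps B, C)."""

    def __init__(self, negotiate=stand_in_negotiate):
        self.negotiate = negotiate
        self.session_key = None
        self.station_connected = False   # set once step D succeeds
        self.closed = False
        self.forwarded = []              # plaintext handed to the station control system

    def handle(self, frame: bytes):
        """Dispatch one frame (type byte + payload) as in step C. Returns
        ('ok', r_B), ('forward', plaintext) or ('error', reason); any error also
        closes the connection, as in steps D and E."""
        if self.closed:
            return ("error", b"connection closed")
        if not frame:
            return self._fail(b"empty frame")
        msg_type, payload = frame[0], frame[1:]
        if msg_type == MSG_KEY_NEGOTIATION:
            result = self.negotiate(payload)
            if result is None:
                return self._fail(b"key negotiation failed")
            self.session_key, r_b = result
            self.station_connected = True     # step D: connect to the intranet station control system
            return ("ok", r_b)
        if msg_type == MSG_CIPHERTEXT:
            if self.session_key is None:
                return self._fail(b"ciphertext before key negotiation")
            plaintext = stand_in_decrypt(self.session_key, payload)
            if plaintext is None:
                return self._fail(b"decryption failed")
            self.forwarded.append(plaintext)  # step E: plaintext goes to station control
            return ("forward", plaintext)
        return self._fail(b"unknown message type")  # added defensive branch (assumption)

    def _fail(self, reason: bytes):
        """Steps D/E failure path: report the error and close the connection."""
        self.closed = True
        return ("error", reason)


if __name__ == "__main__":
    # Constructed sample exchange, not captured traffic.
    session = GatewaySession()
    r_a = os.urandom(32)
    status, r_b = session.handle(bytes([MSG_KEY_NEGOTIATION]) + r_a)
    key = derive_stand_in_key(r_a, r_b)
    print(session.handle(bytes([MSG_CIPHERTEXT]) + stand_in_encrypt(key, b"telemetry")))
```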
The security protection architecture is designed from the three aspects of terminal security protection, channel security protection and station control layer security protection. According to the service characteristics and data transmission mode of the wind power and photovoltaic power generation unit acquisition terminal, and combined with an analysis of the security attack scenarios of the acquisition terminal, a secure communication protocol based on the national cryptographic (SM) algorithms is designed for communication modes such as wireless private network, wireless public network, private line access, optical fiber access and satellite communication; a bidirectional encrypted tunnel is established between the acquisition terminal and the station control layer access platform, the confidentiality and integrity of data transmission are guaranteed, secure filtering and exchange of service data are realized, and closed-loop secure transmission of data is achieved.
Claims (6)
1. A method for securely accessing a new energy plant station power generation unit acquisition terminal to a platform, characterized in that the method comprises the following steps:
1) the power generation unit acquisition terminal requests access to the intranet of the station control system;
2) the acquisition terminal and the security access gateway of the security access platform perform bidirectional identity authentication;
3) the identity authentication system of the security access gateway carries out security evaluation and authentication on both communication parties and carries out admission or denial control according to the evaluation and authentication results;
4) after the identity authentication is successful, the acquisition terminal establishes a communication channel with the security access platform to perform security data interaction;
in step 3), the acquisition terminal requests access through the security access gateway; the two sides first mutually verify each other's legitimacy according to the identity authentication protocol, ensuring that only a legitimate terminal can establish a communication channel; on that basis, a secure symmetric encryption key is generated with the key exchange protocol and the transmission channel is encrypted with the generated key;
the security of the communication channel is ensured by an ECDH (elliptic curve Diffie-Hellman) secure key exchange protocol based on SM2 and a bidirectional identity authentication protocol based on digital certificate technology; when the secure tunnel is established, the two parties that need to communicate first complete identity authentication and key agreement; the server allows only a terminal that has completed identity authentication to proceed to the next operation, and for a terminal that does not meet the key agreement specification or has not completed identity authentication, the server sends an error code to the terminal and the encryption authentication device performs identity authentication again;
the key agreement procedure is as follows:
user A:
step 1: user A generates a random number r_A and the session distinguishable identifier Se;
step 2: concatenate r_A, Se and ID_A to obtain A2 = r_A || Se || ID_A;
step 3: hash the concatenation result to obtain A3 = H(r_A || Se || ID_A);
step 6: send A5 to user B;
user B:
step 7: obtain the message of user A, verify the signature and recover r_A, Se, ID_A;
step 8: user B generates a random number r_B;
step 9: calculate Z_A, Z_B;
step 10: generate the session key K, S_B and S_2;
step 11: concatenate r_B, Se, ID_B and S_B to obtain B5 = r_B || Se || ID_B || S_B;
step 12: hash the concatenation result to obtain B6 = H(r_B || Se || ID_B || S_B);
step 14: concatenate B5 || B7 to give
step 15: send B8 to user A;
user A:
step 16: obtain the message sent by user B, verify the signature and recover r_B, ID_B, S_B;
step 17: calculate Z_A, Z_B;
step 18: generate the session key K and S_1;
step 19: compare S_1 with S_B;
step 20: generate S_A and send it to user B;
in the above, r_N denotes the random number generated by user N; K denotes the session key; P_N denotes the public key of user N (SM2 public key); d_N denotes the private key of user N (SM2 private key); E_X(Y) denotes encrypting Y with X; H(Y) denotes hashing Y (SM3 algorithm); || denotes concatenation; Z_N denotes a hash value over the distinguishable identifier of user N, part of the elliptic curve system parameters, the public key of user N and r_N; Se denotes the session distinguishable identifier; ID_A denotes the unique identity of user A; ID_B denotes the unique identity of user B; A2, A3 and A4 are process parameters obtained by user A, and A5 is the message of user A; B5, B6 and B7 are process parameters obtained by user B, and B8 is the message of user B; S_A, S_B, S_1 and S_2 each denote a corresponding hash result.
2. The method for the secure access of the acquisition terminal of the power generation unit of the new energy plant to the platform according to claim 1, wherein: in step 1), a security chip is added to the acquisition terminal, or terminal security hardening, identity authentication and data encryption and decryption are realized by an external encryption authentication module.
3. The method for the secure access of the acquisition terminal of the power generation unit of the new energy plant to the platform as claimed in claim 2, wherein: the encryption authentication module comprises a security check module, an identity authentication module and a security communication module;
the security check module strictly checks the operating system version of the acquisition terminal, the system startup items and the disk files at specific locations; when the system handles the access of an acquisition terminal, it first checks whether the terminal has one or more of these characteristic parameters and decides according to the check result whether the terminal is allowed to establish a connection with the security access platform;
the identity authentication module is realized by the encryption authentication module fitted externally to the acquisition terminal, in which digital certificates issued by an authority are stored; through a designed identity authentication exchange protocol, the two communicating parties each verify the certificate presented by the other end, and before the acquisition terminal accesses the network it must complete bidirectional identity authentication jointly guaranteed by the encryption authentication module and the CA authentication server of the security access platform, so that the legitimacy of the accessing terminal is ensured;
the safety communication module is used for ensuring the integrity and confidentiality of data in the transmission process.
4. The method for the secure access of a new energy plant station power generating unit acquisition terminal to a platform according to any one of claims 1 to 3, characterized by: the safety access gateway in the step 2) is responsible for establishing a safety channel and carrying out access control on the acquisition terminal.
5. The method for the secure access of the acquisition terminal of the power generation unit of the new energy plant to the platform as claimed in claim 4, wherein: in step 2), a data isolation component is arranged between the acquisition terminal and the security access gateway of the security access platform; the data isolation component adopts a 2+1 system architecture and comprises three parts: an intranet security host, an extranet security host and a dedicated physical isolation data exchange module.
6. The method for the secure access of a new energy plant station power generating unit acquisition terminal to a platform according to any one of claims 1 to 3, characterized in that: in step 4), the secure data interaction comprises the following steps:
A. the acquisition terminal initially connects to the station control system through the security access gateway;
B. the security access gateway opens a port to listen and creates a thread pool;
C. when data is received from the acquisition terminal, a sub-thread is started to process the received data, and the subsequent step is chosen according to the type of the received message: if the message is a key negotiation message, go to step D; if it is a ciphertext message, go to step E;
D. if the message is a key negotiation message, the acquisition terminal and the security access gateway carry out the key negotiation process; after the key negotiation succeeds, the security access gateway connects to the intranet station control system and secure data interaction takes place between the acquisition terminal and the security access gateway; otherwise the security access gateway returns an error message to the acquisition terminal and closes the connection;
E. if the message is a ciphertext message, the security access gateway decrypts the ciphertext; if decryption succeeds, the plaintext is sent to the intranet station control system; otherwise the security access gateway returns an error message to the acquisition terminal and closes the connection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810924796.8A CN109088870B (en) | 2018-08-14 | 2018-08-14 | Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109088870A CN109088870A (en) | 2018-12-25 |
CN109088870B true CN109088870B (en) | 2021-05-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||