CN109088870B - Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform - Google Patents


Publication number
CN109088870B
Authority
CN
China
Prior art keywords
security
acquisition terminal
user
key
terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810924796.8A
Other languages
Chinese (zh)
Other versions
CN109088870A (en)
Inventor
金国刚
崔阿军
付嘉渝
张鹏
张小敏
段军红
张宪康
赵博
龙杰
司晓峰
闫晓斌
牛磊
张炜明
赵德伟
庞晓东
吴克河
崔文超
李�瑞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
North China Electric Power University
State Grid Gansu Electric Power Co Ltd
Electric Power Research Institute of State Grid Gansu Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
North China Electric Power University
State Grid Gansu Electric Power Co Ltd
Electric Power Research Institute of State Grid Gansu Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, North China Electric Power University, State Grid Gansu Electric Power Co Ltd, Electric Power Research Institute of State Grid Gansu Electric Power Co Ltd filed Critical State Grid Corp of China SGCC
Priority to CN201810924796.8A priority Critical patent/CN109088870B/en
Publication of CN109088870A publication Critical patent/CN109088870A/en
Application granted granted Critical
Publication of CN109088870B publication Critical patent/CN109088870B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical


Abstract

The invention discloses a method for securely connecting the power generation unit acquisition terminals of a new energy plant station to a platform, comprising the following steps: 1) the power generation unit acquisition terminal requests access to the intranet of the station control system; 2) the acquisition terminal and the security access gateway of the security access platform perform bidirectional identity authentication; 3) the identity authentication system of the security access gateway performs security evaluation and authentication on both communicating parties and admits or denies access according to the evaluation and authentication results; 4) after identity authentication succeeds, the acquisition terminal establishes a communication channel with the security access platform for secure data interaction. The invention achieves integrity and confidentiality of data transmission and ensures channel protection when the acquisition terminals of the various power generation units of the new energy plant station are connected.

Description

Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform
Technical Field
The invention relates to a method for safely accessing a new energy station power generation unit acquisition terminal to a platform, and belongs to the field of power distribution automation.
Background
A Virtual Private Network (VPN) is a technology for establishing a private network over a public network. It is called virtual mainly because the connection between any two nodes in the VPN does not use the end-to-end physical link that a conventional private network requires; instead it is a logical network built on a network platform provided by a public network service provider, such as the Internet, ATM (Asynchronous Transfer Mode) or Frame Relay, and user data is transmitted over logical links. It extends a private network across shared or public networks by encapsulating, encrypting and authenticating the links.
The basic principle of a VPN is to create a virtual network egress through which all data sent to a destination passes. It is commonly used in enterprise office systems: because transmission is end to end, users in different locations can log in to the company gateway and obtain the access rights of the intranet, and the method can also avoid inspection by an organization.
However, there are some drawbacks and risks in using VPN technology, which mainly include the following points:
1) enterprises cannot directly control the reliability and performance of internet-based VPNs, and must rely on internet service providers that provide VPNs to ensure the operation of the services;
2) it is not easy for an enterprise to create and deploy VPN lines, and this technique requires a high level of understanding of network and security issues, requires careful planning and configuration;
3) VPN products and solutions from different vendors are always incompatible because many vendors are unwilling or unable to comply with VPN technology standards;
4) VPNs pose a security risk when used with wireless devices. Roaming between access points is particularly problematic, and any solution using advanced encryption techniques may be compromised when a user roams between access points.
The SM2 elliptic curve public key cryptography algorithm was published by the national cryptography authority in December 2010. SM2 is essentially an elliptic curve cryptography (ECC) algorithm; specifically, it defines the details of signature, verification, key exchange and so on. SM2 is an ECC algorithm with independent intellectual property rights, developed in China on the basis of international advances. It is equivalent or slightly superior to comparable international ECC algorithms in security and implementation efficiency, and can replace RSA (a public key encryption algorithm) to meet the higher requirements that applications place on the security and implementation efficiency of public key cryptographic algorithms. The SM2-based ECDH key exchange algorithm, following the step arrangement of the key exchange protocol in Part 3 of the SM2 elliptic curve public key cryptography algorithm, is as follows:
Let the length of the key data negotiated between users A and B be klen bits, with user A the initiator and user B the responder. Note that
Figure BDA0001765097690000021
To obtain the same key, users A and B should perform the following steps:
User A:
Step 1: generate a random number $r_A \in [1, n-1]$ using a random number generator;
Step 2: compute the elliptic curve point $R_A = [r_A]G = (x_1, y_1)$;
Step 3: send $R_A$ to user B;
User B:
Step 4: generate a random number $r_B \in [1, n-1]$ using a random number generator;
Step 5: compute the elliptic curve point $R_B = [r_B]G = (x_2, y_2)$;
Step 6: take the field element $x_2$ from $R_B$, convert $x_2$ to an integer, and compute
Figure BDA0001765097690000022
Step 7: compute
Figure BDA0001765097690000023
Step 8: verify that $R_A$ satisfies the elliptic curve equation; if not, the negotiation fails; otherwise take the field element $x_1$ from $R_A$ and compute
Figure BDA0001765097690000026
Step 9: compute the elliptic curve point
Figure BDA0001765097690000024
If V is the point at infinity, the negotiation fails for B;
Step 10: compute $K_B = \mathrm{KDF}(x_V \| y_V \| Z_A \| Z_B, klen)$;
Step 11: convert the coordinates $x_1$, $y_1$ of $R_A$ and $x_2$, $y_2$ of $R_B$ to bit strings and compute $S_B = \mathrm{Hash}(0x02 \| y_V \| \mathrm{Hash}(x_V \| Z_A \| Z_B \| x_1 \| y_1 \| x_2 \| y_2))$;
Step 12: send $R_B$, ($S_B$) to user A;
User A:
Step 13: take the field element $x_1$ from $R_A$ and compute
Figure BDA0001765097690000025
Step 14: compute
Figure BDA0001765097690000031
Step 15: verify that $R_B$ satisfies the elliptic curve equation; if not, the negotiation fails; otherwise take the field element $x_2$ from $R_B$ and compute
Figure BDA0001765097690000032
Step 16: compute the elliptic curve point
Figure BDA0001765097690000033
If U is the point at infinity, the negotiation fails for A;
Step 17: compute $K_A = \mathrm{KDF}(x_U \| y_U \| Z_A \| Z_B, klen)$;
Step 18: convert the coordinates $x_1$, $y_1$ of $R_A$ and $x_2$, $y_2$ of $R_B$ to bit strings, compute $S_1 = \mathrm{Hash}(0x02 \| y_U \| \mathrm{Hash}(x_U \| Z_A \| Z_B \| x_1 \| y_1 \| x_2 \| y_2))$ and check whether $S_1 = S_B$; if the equality does not hold, the key confirmation from B to A fails;
Step 19: compute $S_A = \mathrm{Hash}(0x03 \| y_U \| \mathrm{Hash}(x_U \| Z_A \| Z_B \| x_1 \| y_1 \| x_2 \| y_2))$ and send $S_A$ to user B.
User B:
Step 20: compute $S_2 = \mathrm{Hash}(0x03 \| y_V \| \mathrm{Hash}(x_V \| Z_A \| Z_B \| x_1 \| y_1 \| x_2 \| y_2))$ and check whether $S_2 = S_A$; if the equality does not hold, the key confirmation from A to B fails.
Above, $r_N$ denotes a random number generated by user N; K denotes a session key; $P_N$ denotes the public key of user N (SM2 public key); $d_N$ denotes the private key of user N (SM2 private key); $E_X(Y)$ denotes encrypting Y with X; H(Y) denotes hashing Y (SM3 algorithm); $\|$ denotes concatenation; $Z_N$ denotes the hash value of user N's distinguishable identifier, part of the elliptic curve system parameters, user N's public key and $r_N$; Se denotes the session distinguishable identifier; n denotes the order of the base point G (n is a prime factor of $\#E(F_q)$); h denotes the cofactor, $h = \#E(F_q)/n$, where n is the order of the base point G; $K_A$ and $K_B$ each denote the shared secret key agreed by the key exchange protocol; w denotes an initial predetermined value, which is a fixed value; $t_N$ denotes the modular value obtained from the operation on user N's private key and random number.
In the above algorithm, user A and user B can obtain a shared secret key through an ECDH (key agreement algorithm) exchange over an insecure communication channel. However, the computing capability of the terminals in the acquisition service is limited, not all of the information needs to be exchanged during the key exchange, and the security is poor.
Disclosure of Invention
The invention provides a method for securely connecting a new energy plant station power generation unit acquisition terminal to a platform, which ensures the confidentiality and integrity of data transmission, provides secure filtering and exchange of service data, and achieves closed-loop secure transmission of data.
To solve the technical problems, the technical scheme adopted by the invention is as follows:
A method for securely connecting a new energy plant station power generation unit acquisition terminal to a platform comprises the following steps:
1) the power generation unit acquisition terminal requests access to the intranet of the station control system;
2) the acquisition terminal and the security access gateway of the security access platform perform bidirectional identity authentication;
3) the identity authentication system of the security access gateway performs security evaluation and authentication on both communicating parties and admits or denies access according to the evaluation and authentication results;
4) after identity authentication succeeds, the acquisition terminal establishes a communication channel with the security access platform for secure data interaction.
To improve security, in step 1) security hardening, identity authentication and data encryption and decryption of the terminal are implemented by adding a security chip to the acquisition terminal or by using an external encryption authentication module.
The encryption authentication module comprises a security check module, an identity authentication module and a secure communication module;
the security check module strictly checks the operating system version of the acquisition terminal, the system startup items and the disk files at specific locations. When handling an access request from an acquisition terminal, the system first checks whether the terminal has one or more characteristic parameters and decides from the result whether the terminal may connect to the security access platform. This keeps unhealthy acquisition terminals off the intranet, secures the acquisition terminal and blocks threats at the source;
the identity authentication module is implemented by attaching an external encryption authentication module to the acquisition terminal. The module stores digital certificates issued by an authority, and through a purpose-designed identity authentication exchange protocol the two communicating parties each verify the certificate presented by the peer. Before the acquisition terminal accesses the network, it must complete bidirectional identity authentication, backed jointly by the encryption authentication module and the CA authentication server of the security access platform, which ensures the legitimacy of the accessing terminal;
the secure communication module mainly ensures the integrity and confidentiality of data in transit.
The security access gateway in step 2) is responsible for establishing the secure channel and performing access control on the acquisition terminal; it secures both the access transmission and the internal application systems being accessed.
In step 2), a data isolation component is placed between the acquisition terminal and the security access gateway of the security access platform. The component uses a 2+1 system architecture with 3 parts: an intranet security host, an extranet security host and a dedicated physically isolated data exchange module. Deployed between networks of different security levels, it provides network security isolation together with bidirectional access control, intranet resource protection, data exchange management, data content filtering and similar functions, prevents illegal links from passing through to access the intranet directly, and provides an accurate and controllable information exchange service.
In step 3), the acquisition terminal requests access through the security access gateway. The two sides first verify each other's legitimacy according to the identity authentication protocol, and only a legitimate terminal can establish the communication channel. On that basis a secure symmetric encryption key is generated with the key exchange protocol and used to encrypt the transmission channel, which prevents data from being intercepted, tampered with, destroyed, or inserted and replayed in transit and so secures the data transmission.
The security of the communication channel rests mainly on the SM2-based ECDH (Elliptic Curve Diffie-Hellman) secure key exchange protocol and on the bidirectional identity authentication protocol based on digital certificate technology. When a secure tunnel is established, the two parties that need to communicate first complete identity authentication and key agreement. The server allows the next operation only after the terminal has completed identity authentication; for a terminal that does not conform to the key agreement specification or has not completed identity authentication, the server sends an error code to the terminal, and the encryption authentication device must perform identity authentication again.
The invention uses digital certificate technology to sign and verify transmitted messages, which ensures the validity of the accessing terminal's identity; through the purpose-designed identity authentication exchange protocol, the two communicating parties each verify the certificate sent by the peer.
In the original SM2 ECDH key exchange protocol, user A and user B can obtain a shared key through ECDH exchange over an insecure communication channel. However, the computing power of the terminals in the acquisition service is limited, not all of the information needs to be exchanged during the key exchange, and the security is poor. On this basis, the invention provides an efficient key exchange protocol that meets the protection requirements of the acquisition service. The negotiation process is described in detail as follows:
User A:
Step 1: user A generates a random number $r_A$ and the session distinguishable identifier Se;
Step 2: concatenate $r_A$, Se and $ID_A$ to obtain $A2 = r_A \| Se \| ID_A$;
Step 3: hash the concatenation result to obtain $A3 = H(r_A \| Se \| ID_A)$;
Step 4: sign A3 with $d_A$ to obtain
Figure BDA0001765097690000051
Step 5: concatenate A2 || A4 to obtain
Figure BDA0001765097690000052
Step 6: send A5 to user B;
User B:
Step 7: receive user A's message and verify the signature to obtain $r_A$, Se, $ID_A$;
Step 8: user B generates a random number $r_B$;
Step 9: compute $Z_A$, $Z_B$;
Step 10: generate the session key K, $S_B$, $S_2$;
Step 11: concatenate $r_B$, Se, $ID_B$ and $S_B$ to obtain $B5 = r_B \| Se \| ID_B \| S_B$ (96 bytes);
Step 12: hash the concatenation result to obtain $B6 = H(r_B \| Se \| ID_B \| S_B)$ (32 bytes);
Step 13: sign B6 with $d_B$ to obtain
Figure BDA0001765097690000061
(64 bytes);
Step 14: concatenate B5 || B7 to obtain
Figure BDA0001765097690000062
Step 15: send B8 to user A;
User A:
Step 16: receive the message sent by user B and verify the signature to obtain $r_B$, $ID_B$, $S_B$;
Step 17: compute $Z_A$, $Z_B$;
Step 18: generate the session key K, $S_1$;
Step 19: compare $S_1$ and $S_B$;
Step 20: generate $S_A$ and send it to B;
Above, $r_N$ denotes a random number generated by user N (e.g., user A, user B, etc.); K denotes a session key; $P_N$ denotes the public key of user N (SM2 public key); $d_N$ denotes the private key of user N (SM2 private key); $E_X(Y)$ denotes encrypting Y with X; H(Y) denotes hashing Y (SM3 algorithm); $\|$ denotes concatenation; $Z_N$ denotes the hash value of user N's distinguishable identifier, part of the elliptic curve system parameters, user N's public key and $r_N$; Se denotes the session distinguishable identifier; $ID_A$ denotes the unique identity of user A; $ID_B$ denotes the unique identity of user B; A2, A3 and A4 are intermediate values obtained by user A, and A5 is user A's message; B5, B6 and B7 are intermediate values obtained by user B, and B8 is user B's message; $S_A$, $S_B$, $S_1$, $S_2$ each denote the corresponding hash result.
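The framing of steps 11-14 and the receiver-side checks of steps 16 and 19, as an added example that is not code from the patent. ECDSA P-256 and SHA-256 stand in for SM2 and SM3 because the Go standard library has neither; the split of the 96-byte B5 into 32/16/16/32-byte fields, the Se and ID_B matching against the open session, and all function names are assumptions of this example.

```go
// Added example, not the patent's code: frame and check B8 = B5 || B7.
// Stand-ins: ECDSA P-256 for SM2 signing, SHA-256 for SM3 (same 64/32-byte sizes).
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// Field widths inside B5. The page gives only the totals (B5 = 96 bytes,
// B7 = 64 bytes); this split is an assumption made for the example.
const (
	randLen = 32 // r_B
	seLen   = 16 // Se
	idLen   = 16 // ID_B
	sLen    = 32 // S_B
	b5Len   = randLen + seLen + idLen + sLen
	sigLen  = 64 // B7 encoded as r || s
)

var (
	ErrLength    = errors.New("B8: wrong length")
	ErrSignature = errors.New("B8: signature check failed")
	ErrSession   = errors.New("B8: Se does not match the open session")
	ErrIdentity  = errors.New("B8: ID_B is not the expected peer")
)

// Response holds the fields user A recovers in step 16.
type Response struct{ RB, Se, ID, SB []byte }

// NewDemoKey creates a throwaway signing key standing in for d_B.
func NewDemoKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// BuildB8 follows steps 11-14: B5 = r_B||Se||ID_B||S_B, B6 = H(B5),
// B7 = signature over B6, B8 = B5||B7.
func BuildB8(priv *ecdsa.PrivateKey, rB, se, id, sB []byte) ([]byte, error) {
	if len(rB) != randLen || len(se) != seLen || len(id) != idLen || len(sB) != sLen {
		return nil, ErrLength
	}
	b5 := bytes.Join([][]byte{rB, se, id, sB}, nil)
	b6 := sha256.Sum256(b5)
	r, s, err := ecdsa.Sign(rand.Reader, priv, b6[:])
	if err != nil {
		return nil, err
	}
	b7 := make([]byte, sigLen)
	r.FillBytes(b7[:32])
	s.FillBytes(b7[32:])
	return append(b5, b7...), nil
}

// ParseB8 is step 16. Nothing in B5 is trusted until the signature over H(B5)
// verifies; Se and ID_B are then matched against the session A opened.
func ParseB8(pub *ecdsa.PublicKey, b8, wantSe, wantID []byte) (*Response, error) {
	if len(b8) != b5Len+sigLen {
		return nil, ErrLength
	}
	b5 := append([]byte(nil), b8[:b5Len]...)
	b6 := sha256.Sum256(b5)
	r, s := new(big.Int).SetBytes(b8[b5Len:b5Len+32]), new(big.Int).SetBytes(b8[b5Len+32:])
	if !ecdsa.Verify(pub, b6[:], r, s) {
		return nil, ErrSignature
	}
	resp := &Response{b5[:randLen], b5[randLen : randLen+seLen], b5[randLen+seLen : b5Len-sLen], b5[b5Len-sLen:]}
	if !bytes.Equal(resp.Se, wantSe) {
		return nil, ErrSession
	}
	if !bytes.Equal(resp.ID, wantID) {
		return nil, ErrIdentity
	}
	return resp, nil
}

// ConfirmKey is step 19: compare the local S_1 with the received S_B in constant time.
func ConfirmKey(s1, sB []byte) bool {
	return subtle.ConstantTimeCompare(s1, sB) == 1
}

func main() {
	key, err := NewDemoKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample values, not taken from any real device.
	rB, sB := bytes.Repeat([]byte{0x11}, randLen), bytes.Repeat([]byte{0x33}, sLen)
	se, id := bytes.Repeat([]byte{0x22}, seLen), []byte("GATEWAY-00000001")
	b8, _ := BuildB8(key, rB, se, id, sB)
	resp, err := ParseB8(&key.PublicKey, b8, se, id)
	fmt.Println(len(b8), err, resp != nil && ConfirmKey(sB, resp.SB))
}
```

A message that verifies but carries a different Se is rejected with `ErrSession`, which is what stops a captured B8 from an earlier session being accepted in a new one.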
The secure communication protocol belongs to a secure access protection framework for new energy plant station power generation unit acquisition terminals under various communication modes. It studies network security access and protection technologies for the acquisition terminals based on the national cryptographic algorithms in a real-time environment. The framework includes a security-hardened acquisition terminal, a security access gateway, a data filtering component and so on, and protects data from its source without affecting the real-time data acquisition function.
The improved secure communication protocol is proposed on the basis of the current state of secure communication for new energy power generation unit acquisition terminals, combined with the national cryptographic algorithms. Its main feature is that an information security protocol layer message is added on top of the existing application layer protocol and the application message is encrypted with the national SM1 algorithm, which guarantees the integrity and confidentiality of the data.
The initiator can SM2-encrypt the generated random number with its own private key. First, the initiator performs a hash operation with the SM3 algorithm on the public key in its own digital certificate and signs the result with its own SM2 private key; it then sends the signature value and the digital certificate to the identity authentication responder.
After receiving the initiator's identity authentication request, the responder obtains the initiator's digital certificate from the message, extracts the public key from the certificate with the X509 parsing API of openssl (a Secure Sockets Layer code library), and uses that public key to verify the signature value that was sent. If verification succeeds, the responder has authenticated the initiator. The responder then sends its own digital certificate to the initiator so that bidirectional identity authentication can complete. The responder's message assembly process is similar to the initiator's and is not repeated here.
In step 4), the secure data interaction includes the following steps:
A. the acquisition terminal initially connects to the station control system through the security access gateway;
B. the security access gateway starts listening on a port and creates a thread pool;
C. when data is received from the acquisition terminal, a sub-thread is started to process it, and the subsequent steps are determined by the type of the received message: if it is a key negotiation message, go to step D; if it is a ciphertext message, go to step E;
D. if the message is a key negotiation message, the acquisition terminal and the security access gateway carry out the key negotiation process; after the key negotiation succeeds, the security access gateway connects to the intranet station control system and secure data interaction takes place between the acquisition terminal and the security access gateway; otherwise, the security access gateway returns error information to the acquisition terminal and closes the connection;
E. if the message is a ciphertext message, the security access gateway decrypts the ciphertext; if decryption succeeds, the plaintext is sent to the intranet station control system; otherwise, the security access gateway returns error information to the acquisition terminal and closes the connection.
Addressing the access security problem of new energy plant station acquisition terminals, the invention designs and studies a security protection architecture from three aspects: terminal security protection, channel security protection and station control layer security protection. Based on the service characteristics and data transmission modes of wind power and photovoltaic power generation unit acquisition terminals, and combined with an analysis of security attack scenarios against the acquisition terminal, it designs a secure communication protocol based on the national cryptographic algorithms and, for communication modes such as wireless private network, wireless public network, private line access, optical fiber access and satellite communication, establishes a bidirectional encrypted tunnel between the acquisition terminal and the station control layer access platform. This guarantees the confidentiality and integrity of data transmission, realizes security filtering and exchange of service data, and realizes closed-loop secure transmission of data.
For techniques not mentioned in the present invention, refer to the prior art.
The invention has the following beneficial effects:
1) network security access and protection technology for the power generation unit acquisition terminal in a real-time environment, based on the national cryptographic algorithms, is studied from three aspects: acquisition terminal security, network access channel security and station control layer system security; the architecture levels are clear, and the integrity and confidentiality of data transmission are achieved in all respects;
2) for the special environment of the new energy station power generation unit acquisition terminal, by studying the existing DH key exchange protocol and ECDH key exchange protocol, an improved key exchange protocol based on the SM2 algorithm and suited to the new energy station power generation unit acquisition service is proposed while the security of the key exchange is ensured;
3) for the various communication modes such as wireless private network, wireless public network, private line access, optical fiber access and satellite communication, a secure communication protocol based on the national cryptographic algorithms is studied and designed, ensuring channel protection security when the acquisition terminals of the various power generation units of a new energy plant station are connected.
Drawings
FIG. 1 is a diagram of a new energy plant station power generation unit acquisition terminal security access protection architecture;
FIG. 2 is a flow chart of data interaction between an acquisition terminal and a security access platform;
FIG. 3 is a diagram of the key agreement process of the improved ECDH key exchange protocol based on SM2;
Detailed Description
In order to better understand the present invention, the following examples are further provided to illustrate the present invention, but the present invention is not limited to the following examples.
The system architecture of the security access platform for new energy station power generation unit acquisition terminals comprises the security-hardened acquisition terminal, the security access gateway and the data isolation component; the system architecture diagram is shown in FIG. 1.
The method for safely accessing the acquisition terminal of the power generation unit of the new energy plant station to the platform comprises the following steps:
1) the power generation unit acquisition terminal requests access to the intranet of the station control system;
2) the acquisition terminal and the security access gateway of the security access platform perform bidirectional identity authentication;
3) the identity authentication system of the security access gateway carries out security evaluation and authentication on both communication parties and carries out admission or denial control according to the evaluation and authentication results;
4) after the identity authentication is successful, the acquisition terminal establishes a communication channel with the security access platform to perform secure data interaction.
In step 1), terminal security hardening, identity authentication and data encryption and decryption are implemented either by adding a security chip to the acquisition terminal or by means of an external encryption authentication module.
The encryption authentication module comprises a security check module, an identity authentication module and a security communication module;
the security check module strictly checks the operating system version of the acquisition terminal, the system startup items and the disk files at specific locations; when handling an access request from an acquisition terminal, the system first checks whether the terminal has one or more characteristic parameters and decides from the check result whether the terminal is allowed to connect to the security access platform, which completely prevents unhealthy acquisition terminals from accessing the intranet, ensures the security of the acquisition terminal and prevents threats at the source;
the identity authentication module is implemented by attaching an external encryption authentication module to the acquisition terminal; digital certificates issued by an authority are stored in the encryption authentication module; through a designed identity authentication exchange protocol, the two communicating parties each verify the certificate passed in by the opposite end; before the acquisition terminal accesses the network, it must pass bidirectional identity authentication jointly guaranteed by the encryption authentication module and the CA authentication server of the security access platform, which ensures the legitimacy of the accessing terminal;
the secure communication module is mainly used for ensuring the integrity and confidentiality of data during transmission.
The security access gateway in step 2) is responsible for establishing a secure channel and performing access control on the acquisition terminal, and can ensure the security of access transmission and the security of the internally accessed application system.
The data isolation component is arranged between the acquisition terminal and the security access gateway of the security access platform. It adopts a 2+1 system architecture consisting of three parts, an intranet security host, an extranet security host and a dedicated physical isolation data exchange module, and is deployed between networks of different security levels.
In step 3), the acquisition terminal requests access through the security access gateway. The two sides first verify each other's legitimacy according to the identity authentication protocol, which ensures that only a legitimate terminal can establish a communication channel. On this basis, a secure symmetric encryption key is generated with the key exchange protocol and the transmission channel is encrypted with the generated key, so that data is protected from interception, tampering, damage, insertion and replay during transmission and the security of data transmission is ensured.
The security of the communication channel is ensured mainly by the SM2-based ECDH (Elliptic Curve Diffie-Hellman) secure key exchange protocol and a bidirectional identity authentication protocol based on digital certificate technology. When a secure tunnel is established, the two communicating parties first complete identity authentication and key agreement; the server allows the next operation only after the terminal has completed identity authentication. For a terminal that does not conform to the key agreement specification or has not completed identity authentication, the server sends an error code to the terminal, and the encryption authentication device must perform identity authentication again.
The invention uses digital certificate technology to implement signing and signature verification of transmitted messages, ensuring the validity of the accessing terminal's identity; through a designed identity authentication exchange protocol, the two communicating parties each verify the certificate transmitted by the opposite end.
In the original ECDH key exchange protocol of SM2, user A and user B can obtain a shared key through an ECDH exchange over an insecure communication channel. However, the computing power of a terminal in the acquisition service is limited, not all information needs to be transmitted between the parties during the key exchange, and the security is poor. On this basis, an efficient key exchange protocol meeting the protection requirements of the acquisition service is proposed; the negotiation process is described in detail as follows:
User A:
Step 1: user A generates a random number r_A (32 bytes) and the session distinguishable identifier Se (16 bytes);
Step 2: concatenate r_A, Se and ID_A to obtain A2 = r_A||Se||ID_A (64 bytes);
Step 3: hash the concatenation result to obtain A3 = H(r_A||Se||ID_A) (32 bytes);
Step 4: sign A3 with d_A to obtain
Figure BDA0001765097690000101
(64 bytes);
Step 5: concatenate A2||A4 to obtain
Figure BDA0001765097690000102
(128 bytes);
Step 6: send A5 to user B;
User B:
Step 7: obtain the message of user A and verify the signature to obtain r_A, Se and ID_A;
Step 8: user B generates a random number r_B (32 bytes);
Step 9: calculate Z_A and Z_B (both 32 bytes);
Step 10: generate the session key K (16 bytes), S_B (32 bytes) and S_2 (32 bytes);
Step 11: concatenate r_B, Se, ID_B and S_B to obtain B5 = r_B||Se||ID_B||S_B (96 bytes);
Step 12: hash the concatenation result to obtain B6 = H(r_B||Se||ID_B||S_B) (32 bytes);
Step 13: sign B6 with d_B to obtain
Figure BDA0001765097690000103
(64 bytes);
Step 14: concatenate B5||B7 to obtain
Figure BDA0001765097690000104
Step 15: send B8 to user A;
User A:
Step 16: obtain the message sent by user B and verify the signature to obtain r_B, ID_B and S_B;
Step 17: calculate Z_A and Z_B;
Step 18: generate the session key K and S_1;
Step 19: compare S_1 and S_B;
Step 20: generate S_A and send it to B;
In the above, r_N denotes the random number generated by user N (i.e., r_A denotes the random number generated by user A and r_B the random number generated by user B); K denotes the session key; P_N denotes the public key of user N (SM2 public key); d_N denotes the private key of user N (SM2 private key); E_X(Y) denotes encrypting Y with X; H(Y) denotes hashing Y (SM3 algorithm); || denotes concatenation; Z_N denotes the hash value of user N's distinguishable identifier, part of the elliptic curve system parameters, user N's public key and r_N; Se denotes the session distinguishable identifier; ID_A denotes the unique identity of user A; ID_B denotes the unique identity of user B; A2, A3 and A4 are process parameters obtained by user A, and A5 is the message of user A; B5, B6 and B7 are process parameters obtained by user B, and B8 is the message of user B; S_A, S_B, S_1 and S_2 each denote a corresponding hash result. User N is either user A or user B.
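The fixed-width framing of messages A5 and B8 in steps 1 to 16 can be built and checked as in the following added example, which is not code from the patent. SHA-256 stands in for SM3 and HMAC-SHA512 for the 64-byte SM2 signature because the Python standard library has neither; the session-identifier freshness check, the check that B8 echoes Se, and all function names are assumptions made for this example.

```python
import hashlib
import hmac

# Field widths come from the byte counts given in steps 1-13 of the protocol.
R_LEN, SE_LEN, ID_LEN, S_LEN, SIG_LEN = 32, 16, 16, 32, 64
A2_LEN = R_LEN + SE_LEN + ID_LEN           # 64 bytes  (step 2)
A5_LEN = A2_LEN + SIG_LEN                  # 128 bytes (step 5)
B5_LEN = R_LEN + SE_LEN + ID_LEN + S_LEN   # 96 bytes  (step 11)
B8_LEN = B5_LEN + SIG_LEN                  # B5 || B7  (step 14)


class ProtocolError(Exception):
    """Malformed, forged, replayed or mismatched negotiation message."""


def H(data: bytes) -> bytes:
    """Stand-in for SM3: SHA-256 also produces a 32-byte digest."""
    return hashlib.sha256(data).digest()


class StandInSigner:
    """Stand-in for SM2 signing with d_N and verification with P_N.

    HMAC-SHA512 yields 64 bytes like the signatures in steps 4 and 13, but it
    is symmetric, so it models the message flow only, not the trust model.
    """

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, digest: bytes) -> bytes:
        return hmac.new(self._key, digest, hashlib.sha512).digest()

    def verify(self, digest: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(digest), signature)


def _check(value: bytes, length: int, name: str) -> bytes:
    # Reject any field or message whose size differs from the specified width.
    if len(value) != length:
        raise ProtocolError(f"{name}: expected {length} bytes, got {len(value)}")
    return value


def build_a5(r_a, se, id_a, signer):
    """Steps 2-5: A2 = r_A||Se||ID_A, A3 = H(A2), signature over A3, A5 = A2||A4."""
    a2 = _check(r_a, R_LEN, "r_A") + _check(se, SE_LEN, "Se") + _check(id_a, ID_LEN, "ID_A")
    return a2 + signer.sign(H(a2))


def parse_a5(msg, lookup_verifier, seen_sessions):
    """Step 7 on user B's side: verify the signature, then release r_A, Se, ID_A."""
    _check(msg, A5_LEN, "A5")
    a2, a4 = msg[:A2_LEN], msg[A2_LEN:]
    r_a, se, id_a = a2[:R_LEN], a2[R_LEN:R_LEN + SE_LEN], a2[R_LEN + SE_LEN:]
    verifier = lookup_verifier(id_a)       # returns None for an unknown identity
    if verifier is None or not verifier.verify(H(a2), a4):
        raise ProtocolError("A5: signature check failed")
    if se in seen_sessions:                # assumption: Se must be fresh
        raise ProtocolError("A5: session identifier already used")
    seen_sessions.add(se)
    return r_a, se, id_a


def build_b8(r_b, se, id_b, s_b, signer):
    """Steps 11-14: B5 = r_B||Se||ID_B||S_B, B6 = H(B5), B8 = B5||B7."""
    b5 = (_check(r_b, R_LEN, "r_B") + _check(se, SE_LEN, "Se")
          + _check(id_b, ID_LEN, "ID_B") + _check(s_b, S_LEN, "S_B"))
    return b5 + signer.sign(H(b5))


def parse_b8(msg, expected_se, verifier):
    """Step 16 on user A's side: verify the signature, then release r_B, ID_B, S_B."""
    _check(msg, B8_LEN, "B8")
    b5, b7 = msg[:B5_LEN], msg[B5_LEN:]
    if not verifier.verify(H(b5), b7):
        raise ProtocolError("B8: signature check failed")
    r_b = b5[:R_LEN]
    se = b5[R_LEN:R_LEN + SE_LEN]
    id_b = b5[R_LEN + SE_LEN:A2_LEN]
    s_b = b5[A2_LEN:]
    if not hmac.compare_digest(se, expected_se):   # assumption: Se must echo A5
        raise ProtocolError("B8: session identifier mismatch")
    return r_b, id_b, s_b
```

Parsing verifies the signature over the whole concatenation before any field is used, so a length-valid but altered r_A, Se or ID_A is rejected rather than fed into the key derivation of steps 9 and 10.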
The improved secure communication protocol is proposed on the basis of the current status of secure communication for new energy power generation unit acquisition terminals, combined with the national cryptographic algorithms. Its main feature is that an information security protocol layer message is added on top of the existing application layer protocol, and the application message is encrypted with the national cryptographic SM1 algorithm, so that the integrity and confidentiality of the data are guaranteed.
The initiator can SM2-encrypt the generated random number with its own private key. First, it performs an SM3 hash operation over the public key in its own digital certificate, signs the result with its own SM2 private key, and then sends the signature value and the digital certificate to the identity authentication responder.
After receiving the initiator's identity authentication request, the identity authentication responder extracts the initiator's digital certificate from the message, uses the X509 parsing API of OpenSSL (the Secure Sockets Layer code library) to take the public key out of the digital certificate, and uses that public key to verify the signature value that was sent. If signature verification succeeds, the responder has successfully verified the identity of the initiator. The responder then also sends its own digital certificate to the initiator so that bidirectional identity authentication succeeds. The responder's message assembly process is similar to the initiator's and is not repeated here.
The secure data interaction in step 4) comprises the following steps:
A. the acquisition terminal initially connects to the station control system through the security access gateway;
B. the security access gateway starts listening on a port and creates a thread pool;
C. when data is received from the acquisition terminal, a sub-thread is started to process it, and the subsequent steps are determined by the type of the received message: if it is a key negotiation message, go to step D; if it is a ciphertext message, go to step E;
D. if the message is a key negotiation message, the acquisition terminal and the security access gateway carry out the key negotiation process; after the key negotiation succeeds, the security access gateway connects to the intranet station control system and secure data interaction takes place between the acquisition terminal and the security access gateway; otherwise, the security access gateway returns error information to the acquisition terminal and closes the connection;
E. if the message is a ciphertext message, the security access gateway decrypts the ciphertext; if decryption succeeds, the plaintext is sent to the intranet station control system; otherwise, the security access gateway returns error information to the acquisition terminal and closes the connection.
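The per-connection handling of steps C to E can be written as a small fail-closed state machine, shown in the following added example, which is not code from the patent. The one-byte type codes, the reply values, the rejection of ciphertext that arrives before a key exists, and the toy negotiation and tag-checking helpers (which stand in for the SM2 negotiation and SM1 decryption) are assumptions made so the example runs offline.

```python
import hashlib
import hmac
from enum import Enum

# Assumed type codes and replies; the page does not define a wire encoding.
KEY_NEGOTIATION, CIPHERTEXT = 0x01, 0x02
OK, ERROR = b"OK", b"ERR"


class State(Enum):
    NEW = 1
    ESTABLISHED = 2
    CLOSED = 3


class GatewayConnection:
    """Handler for one terminal connection, run by one worker thread (step C)."""

    def __init__(self, negotiate, decrypt, forward):
        self._negotiate = negotiate   # payload -> session key; raises ValueError
        self._decrypt = decrypt       # (key, payload) -> plaintext; raises ValueError
        self._forward = forward       # plaintext -> None (intranet station control system)
        self._key = None
        self.state = State.NEW

    def _fail(self) -> bytes:
        # Steps D and E: return error information and close the connection.
        self._key = None
        self.state = State.CLOSED
        return ERROR

    def handle(self, msg_type: int, payload: bytes) -> bytes:
        if self.state is State.CLOSED:
            return ERROR
        try:
            if msg_type == KEY_NEGOTIATION:              # step D
                self._key = self._negotiate(payload)
                self.state = State.ESTABLISHED
                return OK
            if msg_type == CIPHERTEXT:                   # step E
                if self.state is not State.ESTABLISHED:
                    return self._fail()                  # assumption: no data before a key exists
                self._forward(self._decrypt(self._key, payload))
                return OK
        except ValueError:
            return self._fail()
        return self._fail()                              # unknown message type


def toy_negotiate(payload: bytes) -> bytes:
    """Constructed stand-in for the SM2 negotiation; yields a 16-byte key."""
    if payload != b"constructed-negotiation":
        raise ValueError("negotiation failed")
    return hashlib.sha256(payload).digest()[:16]


def toy_seal(key: bytes, plaintext: bytes) -> bytes:
    """Constructed stand-in for SM1 encryption: tag || data, integrity only."""
    return hmac.new(key, plaintext, hashlib.sha256).digest() + plaintext


def toy_decrypt(key: bytes, payload: bytes) -> bytes:
    """Constructed stand-in for SM1 decryption: checks the tag, returns the data."""
    tag, body = payload[:32], payload[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("decryption failed")
    return body
```

Nothing reaches the `forward` callback unless negotiation has succeeded on the same connection and the payload passes the decryption check; every other path ends in the closed state.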
The security protection architecture is designed and studied from three aspects: terminal security protection, channel security protection and station control layer security protection. Based on the service characteristics and data transmission modes of wind power and photovoltaic power generation unit acquisition terminals, and combined with an analysis of security attack scenarios against the acquisition terminal, a secure communication protocol based on the national cryptographic algorithms is studied and designed for communication modes such as wireless private network, wireless public network, private line access, optical fiber access and satellite communication, and a bidirectional encrypted tunnel is established between the acquisition terminal and the station control layer access platform. This guarantees the confidentiality and integrity of data transmission, realizes security filtering and exchange of service data, and realizes closed-loop secure transmission of data.

Claims (6)

1. A method for safely accessing a new energy plant station power generation unit acquisition terminal to a platform, characterized by comprising the following steps:
1) the power generation unit acquisition terminal requests access to the intranet of the station control system;
2) the acquisition terminal and the security access gateway of the security access platform perform bidirectional identity authentication;
3) the identity authentication system of the security access gateway carries out security evaluation and authentication on both communication parties and carries out admission or denial control according to the evaluation and authentication results;
4) after the identity authentication is successful, the acquisition terminal establishes a communication channel with the security access platform to perform secure data interaction;
in step 3), the acquisition terminal requests access through the security access gateway; the two sides first verify each other's legitimacy according to the identity authentication protocol, ensuring that only a legitimate terminal can establish a communication channel; on this basis, a secure symmetric encryption key is generated with a key exchange protocol, and the transmission channel is encrypted with the generated key;
the security of the communication channel is ensured by the SM2-based ECDH (Elliptic Curve Diffie-Hellman) secure key exchange protocol and a bidirectional identity authentication protocol based on digital certificate technology; when a secure tunnel is established, the two communicating parties first complete identity authentication and key agreement; the server allows the next operation only for a terminal that has completed identity authentication; for a terminal that does not conform to the key agreement specification or has not completed identity authentication, the server sends an error code to the terminal, and the encryption authentication device performs identity authentication again;
the key agreement procedure is as follows:
User A:
Step 1: user A generates a random number r_A and the session distinguishable identifier Se;
Step 2: concatenate r_A, Se and ID_A to obtain A2 = r_A||Se||ID_A;
Step 3: hash the concatenation result to obtain A3 = H(r_A||Se||ID_A);
Step 4: sign A3 with d_A to obtain
Figure FDA0002846141980000011
Step 5: concatenate A2||A4 to obtain
Figure FDA0002846141980000012
Step 6: send A5 to user B;
User B:
Step 7: obtain the message of user A and verify the signature to obtain r_A, Se and ID_A;
Step 8: user B generates a random number r_B;
Step 9: calculate Z_A and Z_B;
Step 10: generate the session key K, S_B and S_2;
Step 11: concatenate r_B, Se, ID_B and S_B to obtain B5 = r_B||Se||ID_B||S_B;
Step 12: hash the concatenation result to obtain B6 = H(r_B||Se||ID_B||S_B);
Step 13: sign B6 with d_B to obtain
Figure FDA0002846141980000021
Step 14: concatenate B5||B7 to obtain
Figure FDA0002846141980000022
Step 15: send B8 to user A;
User A:
Step 16: obtain the message sent by user B and verify the signature to obtain r_B, ID_B and S_B;
Step 17: calculate Z_A and Z_B;
Step 18: generate the session key K and S_1;
Step 19: compare S_1 and S_B;
Step 20: generate S_A and send it to user B;
in the above, r_N denotes a random number generated by user N; K denotes the session key; P_N denotes the public key of user N (SM2 public key); d_N denotes the private key of user N (SM2 private key); E_X(Y) denotes encrypting Y with X; H(Y) denotes hashing Y (SM3 algorithm); || denotes concatenation; Z_N denotes the hash value of user N's distinguishable identifier, part of the elliptic curve system parameters, user N's public key and r_N; Se denotes the session distinguishable identifier; ID_A denotes the unique identity of user A; ID_B denotes the unique identity of user B; A2, A3 and A4 are process parameters obtained by user A, and A5 is the message of user A; B5, B6 and B7 are process parameters obtained by user B, and B8 is the message of user B; S_A, S_B, S_1 and S_2 each denote a corresponding hash result.
2. The method for the secure access of the acquisition terminal of the power generation unit of the new energy plant to the platform according to claim 1, wherein: in step 1), terminal security hardening, identity authentication and data encryption and decryption are implemented either by adding a security chip to the acquisition terminal or by means of an external encryption authentication module.
3. The method for the secure access of the acquisition terminal of the power generation unit of the new energy plant to the platform as claimed in claim 2, wherein: the encryption authentication module comprises a security check module, an identity authentication module and a secure communication module;
the security check module strictly checks the operating system version of the acquisition terminal, the system startup items and the disk files at specific locations; when handling an access request from an acquisition terminal, the system first checks whether the terminal has one or more characteristic parameters, and decides from the check result whether the terminal is allowed to establish a connection with the security access platform;
the identity authentication module is implemented by attaching an external encryption authentication module to the acquisition terminal; digital certificates issued by an authority are stored in the encryption authentication module; through a designed identity authentication exchange protocol, the two communicating parties each verify the certificate passed in by the opposite end; before the acquisition terminal accesses the network, it must pass bidirectional identity authentication jointly guaranteed by the encryption authentication module and the CA authentication server of the security access platform, which ensures the legitimacy of the accessing terminal;
the secure communication module is used for ensuring the integrity and confidentiality of data during transmission.
4. The method for the secure access of a new energy plant station power generating unit acquisition terminal to a platform according to any one of claims 1 to 3, characterized by: the security access gateway in step 2) is responsible for establishing a secure channel and performing access control on the acquisition terminal.
5. The method for the secure access of the acquisition terminal of the power generation unit of the new energy plant to the platform as claimed in claim 4, wherein: in step 2), a data isolation component is arranged between the acquisition terminal and the security access gateway of the security access platform; the data isolation component adopts a 2+1 system architecture and comprises three parts: an intranet security host, an extranet security host and a dedicated physical isolation data exchange module.
6. The method for the secure access of a new energy plant station power generating unit acquisition terminal to a platform according to any one of claims 1 to 3, characterized by: in step 4), the secure data interaction comprises the following steps:
A. the acquisition terminal initially connects to the station control system through the security access gateway;
B. the security access gateway starts listening on a port and creates a thread pool;
C. when data is received from the acquisition terminal, a sub-thread is started to process it, and the subsequent steps are determined by the type of the received message: if it is a key negotiation message, go to step D; if it is a ciphertext message, go to step E;
D. if the message is a key negotiation message, the acquisition terminal and the security access gateway carry out the key negotiation process; after the key negotiation succeeds, the security access gateway connects to the intranet station control system and secure data interaction takes place between the acquisition terminal and the security access gateway; otherwise, the security access gateway returns error information to the acquisition terminal and closes the connection;
E. if the message is a ciphertext message, the security access gateway decrypts the ciphertext; if decryption succeeds, the plaintext is sent to the intranet station control system; otherwise, the security access gateway returns error information to the acquisition terminal and closes the connection.
CN201810924796.8A 2018-08-14 2018-08-14 Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform Active CN109088870B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810924796.8A CN109088870B (en) 2018-08-14 2018-08-14 Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform

Publications (2)

Publication Number Publication Date
CN109088870A CN109088870A (en) 2018-12-25
CN109088870B true CN109088870B (en) 2021-05-04

Family

ID=64834674

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810924796.8A Active CN109088870B (en) 2018-08-14 2018-08-14 Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform

Country Status (1)

Country Link
CN (1) CN109088870B (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110233735B (en) * 2019-06-14 2024-04-16 全球能源互联网研究院有限公司 Comprehensive safety protection method and system for grid-connected power station industrial control system
CN110572265B (en) * 2019-10-24 2022-04-05 国网山东省电力公司信息通信公司 Terminal security access gateway method, device and system based on quantum communication
CN110996318B (en) * 2019-12-23 2021-07-23 广西电网有限责任公司电力科学研究院 Safety communication access system of intelligent inspection robot of transformer substation
CN111756627A (en) * 2020-06-24 2020-10-09 广东电网有限责任公司电力科学研究院 Cloud platform security access gateway of electric power monitored control system
CN111988328A (en) * 2020-08-26 2020-11-24 中国电力科学研究院有限公司 Safety guarantee method and system for acquiring terminal data of power generation unit of new energy plant station
CN111953489A (en) * 2020-08-31 2020-11-17 中国电力科学研究院有限公司 SM2 algorithm-based key exchange device and method for collecting service of power generation unit
CN112020037A (en) * 2020-09-25 2020-12-01 卡斯柯信号(郑州)有限公司 Domestic communication encryption method suitable for rail transit
CN114760042A (en) * 2020-12-26 2022-07-15 西安西电捷通无线网络通信股份有限公司 Identity authentication method and device
CN113783868B (en) * 2021-09-08 2023-09-01 广西东信数建信息科技有限公司 Method and system for protecting Internet of things safety of gate based on commercial password
CN114626956B (en) * 2022-01-06 2023-08-08 北芯导航技术(南京)有限公司 Energy information utilization platform based on Internet of things
US20230231712A1 (en) * 2022-01-14 2023-07-20 Micron Technology, Inc. Embedded tls protocol for lightweight devices
CN114546519B (en) * 2022-01-26 2023-10-03 华北电力大学 Industrial control safety data acquisition system and method
CN114254373B (en) * 2022-03-01 2022-07-08 中国电力科学研究院有限公司 Encryption transmission method, device and system
CN115277025B (en) * 2022-08-26 2023-01-06 广州万协通信息技术有限公司 Device authentication method for security chip, security chip apparatus, device, and medium
CN115622813A (en) * 2022-12-19 2023-01-17 深圳市永达电子信息股份有限公司 Remote access management method, system and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101951603A (en) * 2010-10-14 2011-01-19 中国电子科技集团公司第三十研究所 Access control method and system for wireless local area network
CN103037367A (en) * 2012-12-27 2013-04-10 天津大学 Cipher hash computing based authentication method in wireless sensor network
CN104408371A (en) * 2014-10-14 2015-03-11 中国科学院信息工程研究所 Implementation method of high security application system based on trusted execution environment
US9654466B1 (en) * 2012-05-29 2017-05-16 Citigroup Technology, Inc. Methods and systems for electronic transactions using dynamic password authentication
CN107018134A (en) * 2017-04-06 2017-08-04 北京中电普华信息技术有限公司 A kind of distribution terminal secure accessing platform and its implementation
CN108055240A (en) * 2017-11-15 2018-05-18 上海国际汽车城(集团)有限公司 A kind of user authentication method of shared automobile

Also Published As

Publication number Publication date
CN109088870A (en) 2018-12-25

Similar Documents

Publication Publication Date Title
CN109088870B (en) Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform
US7584505B2 (en) Inspected secure communication protocol
EP3073668B1 (en) Apparatus and method for authenticating network devices
CN111416807B (en) Data acquisition method, device and storage medium
CN100558035C (en) A kind of mutual authentication method and system
US8281127B2 (en) Method for digital identity authentication
CN101409619B (en) Flash memory card and method for implementing virtual special network key exchange
US20170201382A1 (en) Secure Endpoint Devices
US11736304B2 (en) Secure authentication of remote equipment
WO2010078755A1 (en) Method and system for transmitting electronic mail, wlan authentication and privacy infrastructure (wapi) terminal thereof
CN111245862A (en) System for safely receiving and sending terminal data of Internet of things
KR20110113565A (en) Secure access to a private network through a public wireless network
CN111756529B (en) Quantum session key distribution method and system
CN101170413B (en) A digital certificate and private key acquisition, distribution method and device
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
Obert et al. Recommendations for trust and encryption in DER interoperability standards
CN115085943B (en) Edge computing method and platform for safe encryption of electric power Internet of things in north and south directions
CN112804356A (en) Block chain-based networking equipment supervision authentication method and system
CN114024698A (en) Power distribution Internet of things service safety interaction method and system based on state cryptographic algorithm
CN210839642U (en) Device for safely receiving and sending terminal data of Internet of things
CN113810422A (en) Emqx browser architecture-based secure connection method for data of internet of things platform device
Niemiec et al. Authentication in virtual private networks based on quantum key distribution methods
CN115835194B (en) NB-IOT terminal safety access system and access method
WO2023130970A1 (en) Trusted measurement-integrated communication method and apparatus
Patalbansi Secure Authentication and Security System for Mobile Devices in Mobile Cloud Computing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant