CN110830301B - Power secondary system station control layer topology scanning method and device based on safety encryption - Google Patents


Info

Publication number: CN110830301B
Authority: CN (China)
Prior art keywords: switch, certificate, mapping relation, scanning device, topology
Legal status: Active
Application number: CN201911094793.7A
Other languages: Chinese (zh)
Other versions: CN110830301A (en)
Inventors: 张云飞, 勇明, 侯永春, 徐行之, 施雅媛, 陈晓强
Current assignee: Maintenance Branch of State Grid Jiangsu Electric Power Co Ltd
Original assignee: Maintenance Branch of State Grid Jiangsu Electric Power Co Ltd
Events: application filed by Maintenance Branch of State Grid Jiangsu Electric Power Co Ltd; priority to CN201911094793.7A; publication of CN110830301A; application granted; publication of CN110830301B

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L41/12 Discovery or management of network topologies
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
                        • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1441 Countermeasures against malicious traffic
        • H02 GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
            • H02J CIRCUIT ARRANGEMENTS OR SYSTEMS FOR SUPPLYING OR DISTRIBUTING ELECTRIC POWER; SYSTEMS FOR STORING ELECTRIC ENERGY
                • H02J13/00 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuitbreaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
            • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
                • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
                    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a method and a device for scanning the topology of the station control layer of a secondary power system based on safety encryption, comprising the following steps: establishing a connection with a switch; requesting the mapping relation between ports and MAC addresses from the switch, the switch responding by returning its port-to-MAC address mapping, with the request and response interaction encrypted using a symmetric key; acquiring from each terminal device the mapping relation between its IP and MAC; and acquiring the mapping relation between switches and terminal equipment IPs from the port-to-MAC mapping of each switch and the IP-to-MAC mapping of each terminal device. When the topology scanning device interacts with the switch, it can verify that the other party's certificate was issued by the certificate management center and generate a symmetric key, thereby securing data transmission against tampering, eavesdropping, man-in-the-middle attacks and replay attacks.

Description

Power secondary system station control layer topology scanning method and device based on safety encryption
Technical Field
The invention belongs to the technical field of power systems, and particularly relates to a method and a device for scanning a station control layer topology of a power secondary system based on security encryption.
Background
In the secondary power system, the station control layer network is a very important component. It mainly comprises switches and terminal devices, where the terminal devices generally include various monitoring systems, protection and measurement-and-control devices, telecontrol devices, protocol conversion devices and the like. Knowing in real time the connection relation between terminal equipment and switches in the station control layer network is particularly important. When the network topology changes, outputting the new topological relation and the change immediately helps operation and maintenance personnel keep track of the connection relation of all station equipment, troubleshoot network problems quickly, and locate unauthorised equipment access.
In existing topology scanning technology, the topology relations obtained are mostly the connection relations between routers and terminal devices. In a power secondary system station control layer network, routers are generally placed at the egress towards the master station, while devices inside the station are mainly connected through switches, so the connection relation between routers and terminal devices is of no practical value.
In existing switch-based topology scanning technology, the relevant information of the switch is mainly obtained through SNMP (Simple Network Management Protocol) to establish the topology relation. If SNMPv1 or SNMPv2c is used, a community name provides simple authentication, but the messages are entirely plaintext and the community name can be obtained directly by packet capture, which is very unsafe. If SNMPv3 is used, a user password is used for authentication, i.e. a symmetric key derived from the user password is used for data encryption and decryption; this is safer than SNMPv1 or SNMPv2c, but its security depends on the user password: the sender of the SNMP request must have the switch's user password configured in advance, in an actual production environment that password is little more than a formality and is easily leaked, switch passwords are often left at their default values, and equipment from the same manufacturer shares the same password. SNMPv3 authentication is also one-way: only the SNMP request sender is authenticated, the legitimacy of the switch is not, and the defence against attacks such as replay and man-in-the-middle is weak.
In summary, the security of the station control layer network of the power secondary system is very important, and a safer means is needed for the interaction between the topology scanning device and the switch.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a method and a device for scanning the topology of the station control layer of a secondary power system based on safety encryption, solving the problem that the acquisition of switch information in existing topology scanning technology is unsafe.
To solve this technical problem, the invention provides a power secondary system station control layer topology scanning method based on safety encryption, characterized by comprising the following steps:
establishing a connection with a switch; requesting the mapping relation between ports and MAC addresses from the switch, the switch responding by returning its port-to-MAC address mapping; the request and response interaction is encrypted with a symmetric key;
executing the above process with all switches to obtain the mapping relation between the ports of all switches and the MAC addresses of the terminal equipment;
acquiring from each terminal device the mapping relation between its IP and MAC;
and acquiring the mapping relation between switches and terminal equipment IPs from the port-to-MAC mapping of each switch and the IP-to-MAC mapping of each terminal device.
Further, the process of establishing connection with the switch is as follows:
the switch obtains a root certificate and a switch certificate;
when a connection is requested to the switch, the topology scanning device certificate is sent to the switch; the switch verifies the validity of the topology scanning device certificate with the root certificate and, if valid, returns the switch certificate;
the validity of the switch certificate is verified with the root certificate, and if it is valid, the connection with the switch is established.
Further, the process of the switch obtaining the root certificate and the switch certificate is as follows:
the local certificate management center generates a root certificate, the switch generates a certificate request and a private key, the local certificate management center signs the certificate request of the switch to generate a switch certificate, and the switch stores the switch certificate, the root certificate and the private key.
Further, the generating process of the topology scanning device certificate is as follows:
the local certificate management center generates a root certificate; the topology scanning device generates a certificate request and a private key; the local certificate management center signs the certificate request to generate the topology scanning device certificate; and the topology scanning device stores the topology scanning device certificate, the root certificate and the private key.
Further, the generation process of the symmetric key is as follows:
the topology scanning device generates a random number A, encrypts A with the public key in the switch certificate, signs with the private key of the topology scanning device, and sends the encrypted and signed result to the switch;
the switch verifies the signature with the public key in the topology scanning device certificate and, if verification succeeds, decrypts with the switch private key to obtain the random number A;
the switch generates a random number B, encrypts B with the public key in the topology scanning device certificate, signs with the private key of the switch, and returns the encrypted and signed result;
the topology scanning device verifies the signature with the public key in the switch certificate and, if verification succeeds, decrypts with its own private key to obtain the random number B;
a symmetric key C is generated from the random numbers A and B.
Further, the method also includes periodic topology scanning: the mapping relation between switches and terminal device IPs obtained in each round of topology scanning is compared with the previous result, and a comparison result is output which at least includes: switch management IPs that have been removed, switch management IPs that have been added, terminal device IPs removed from each switch, and terminal device IPs added to each switch.
Correspondingly, the invention also provides a safety encryption-based power secondary system station control layer topology scanning device, characterized by comprising a switch mapping relation acquisition module, a terminal equipment mapping relation acquisition module, and a switch-to-terminal-equipment mapping relation acquisition module;
the switch mapping relation acquisition module is used for establishing a connection with a switch; requesting the mapping relation between ports and MAC addresses from the switch, the switch responding by returning its port-to-MAC address mapping; the request and response interaction is encrypted with a symmetric key;
executing the above process with all switches to obtain the mapping relation between the ports of all switches and the MAC addresses of the terminal equipment;
the terminal equipment mapping relation acquisition module is used for acquiring from each terminal device the mapping relation between its IP and MAC;
and the switch-to-terminal-equipment mapping relation acquisition module acquires the mapping relation between switches and terminal equipment IPs from the port-to-MAC mapping of each switch and the IP-to-MAC mapping of each terminal device.
Further, in the switch mapping relation acquisition module, the process of establishing a connection with a switch is as follows:
the switch obtains a root certificate and a switch certificate;
when a connection is requested to the switch, the topology scanning device certificate is sent to the switch; the switch verifies the validity of the topology scanning device certificate with the root certificate and, if valid, returns the switch certificate;
the validity of the switch certificate is verified with the root certificate, and if it is valid, the connection with the switch is established.
Further, in the switch mapping relation acquisition module, the process by which the switch obtains the root certificate and the switch certificate is as follows:
the local certificate management center generates a root certificate, the switch generates a certificate request and a private key, the local certificate management center signs the certificate request of the switch to generate a switch certificate, and the switch stores the switch certificate, the root certificate and the private key.
Further, in the switch mapping relation acquisition module, the process of generating the topology scanning device certificate is as follows:
the local certificate management center generates a root certificate; the topology scanning device generates a certificate request and a private key; the local certificate management center signs the certificate request to generate the topology scanning device certificate; and the topology scanning device stores the topology scanning device certificate, the root certificate and the private key.
Further, in the switch mapping relation acquisition module, the generation process of the symmetric key is as follows:
the topology scanning device generates a random number A, encrypts A with the public key in the switch certificate, signs with the private key of the topology scanning device, and sends the encrypted and signed result to the switch;
the switch verifies the signature with the public key in the topology scanning device certificate and, if verification succeeds, decrypts with the switch private key to obtain the random number A;
the switch generates a random number B, encrypts B with the public key in the topology scanning device certificate, signs with the private key of the switch, and returns the encrypted and signed result;
the topology scanning device verifies the signature with the public key in the switch certificate and, if verification succeeds, decrypts with its own private key to obtain the random number B;
a symmetric key C is generated from the random numbers A and B.
Compared with the prior art, the invention has the following beneficial effects:
(1) A local certificate management center is established, certificates are managed uniformly, and certificate interaction is secure and fast.
(2) The switch and the topology scanning device are pre-loaded with the root certificate of the certificate management center and all apply to the certificate management center for certificate issuance, so that certificates cannot be forged.
(3) When the topology scanning device interacts with the switch, it can verify whether the other party's certificate was issued by the certificate management center and generate a symmetric key, ensuring the security of data transmission and preventing tampering, eavesdropping, man-in-the-middle attacks and replay attacks.
(4) The mapping relation scanned each time and its changes are stored in persistent memory, so that topology changes are clearer and the history can be traced.
Drawings
FIG. 1 is a flow chart of the topology scanning process of the present invention;
FIG. 2 shows the IP-MAC, port-IP and topology relationship change tables of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
The invention discloses a safety encryption-based power secondary system station control layer topology scanning method which, as shown in FIG. 1, specifically comprises the following:
step 1: the local certificate management center generates a root certificate (mainly comprising a public key of the local certificate management center), the station control layer switch generates a certificate request and a private key, the local certificate management center signs the certificate request of the switch to generate a switch certificate, the switch stores the switch certificate, the root certificate and the private key in a persistent memory, and the local certificate management center stores the corresponding relation between the switch management IP address and the switch certificate in the persistent memory;
The generation of the private key depends on the asymmetric algorithm used; the corresponding public key is generated together with the private key, and the public key is packaged into the certificate request and stored in persistent memory.
The encryption algorithm used by the digital certificate may be any asymmetric algorithm, including but not limited to RSA, ElGamal and SM2; the hash algorithm used may be any hash algorithm, including but not limited to MD5, SHA1, SHA256 and SM3.
Step 2: the topology scanning device generates a certificate request and a private key, the local certificate management center signs the certificate request of the topology scanning device to generate a topology scanning device certificate, the topology scanning device stores the topology scanning device certificate, a root certificate and the private key in a persistent memory, and the local certificate management center stores the corresponding relation between the IP address of the topology scanning device and the topology scanning device certificate in the persistent memory;
Step 3: the topology scanning device sets the IP address range of the terminal equipment to be scanned;
Step 4: at the start of each scan, the topology scanning device requests from the local certificate management center the correspondence between switch management IP addresses and switch certificates;
Step 5: when the topology scanning device interacts with a switch, it establishes a TCP connection with the switch according to the switch management IP and sends the topology scanning device certificate to the switch; the switch verifies the validity of that certificate with the root certificate and, if invalid, disconnects; if valid, the switch sends its switch certificate to the topology scanning device; the topology scanning device verifies the validity of the switch certificate with the root certificate and, if invalid, disconnects; if valid, step 6 is carried out;
verification with the root certificate ensures that the certificate was indeed issued by the certificate management center corresponding to the root certificate and is not forged; the verification process itself is prior art.
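The certificate handling of steps 1, 2 and 5 (a root certificate, device certificates signed by the local certificate management center, the management-IP-to-certificate table, and mutual verification against the preset root) as an added Go example using only the standard library; this is not the patent's own code. The type name CertCenter, the subject names and the 24-hour validity are assumptions, and RSA with SHA-256 stands in for the asymmetric and hash algorithms the text leaves open.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewDeviceKey is the key pair a switch or the scanner generates locally (steps 1 and 2).
func NewDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// CertCenter stands in for the local certificate management center (hypothetical type):
// root key, root certificate, and the management-IP -> switch-certificate table of step 1.
type CertCenter struct {
	RootKey     *rsa.PrivateKey
	RootCert    *x509.Certificate
	SwitchCerts map[string]*x509.Certificate // keyed by switch management IP
	nextSerial  int64
}

// NewCertCenter generates the root key pair and a self-signed root certificate.
func NewCertCenter() (*CertCenter, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "station-ca (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumed lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CertCenter{RootKey: key, RootCert: root, SwitchCerts: map[string]*x509.Certificate{}, nextSerial: 2}, nil
}

// Issue signs a certificate for a device-generated key pair: only the public key reaches the center.
func (c *CertCenter) Issue(cn string, pub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(c.nextSerial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	c.nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.RootCert, pub, c.RootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// EnrollSwitch issues a switch certificate and records it against the management IP.
func (c *CertCenter) EnrollSwitch(mgmtIP string, pub *rsa.PublicKey) (*x509.Certificate, error) {
	cert, err := c.Issue("switch-"+mgmtIP, pub)
	if err != nil {
		return nil, err
	}
	c.SwitchCerts[mgmtIP] = cert
	return cert, nil
}

// Revoke is the "switch removed" path: the IP -> certificate mapping is deleted.
func (c *CertCenter) Revoke(mgmtIP string) { delete(c.SwitchCerts, mgmtIP) }

// VerifyWithRoot is the step-5 check: the certificate must chain to the preset root and be in its validity period.
func VerifyWithRoot(cert, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// MutualAuth replays step 5: switch checks scanner certificate, then scanner checks switch certificate.
func MutualAuth(scannerCert, switchCert, root *x509.Certificate) error {
	if err := VerifyWithRoot(scannerCert, root); err != nil {
		return fmt.Errorf("switch rejects scanner certificate: %w", err)
	}
	if err := VerifyWithRoot(switchCert, root); err != nil {
		return fmt.Errorf("scanner rejects switch certificate: %w", err)
	}
	return nil
}
```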
Step 6: the topology scanning device generates a random number A, encrypts A with the public key in the switch certificate, signs with the private key of the topology scanning device, and sends the encrypted and signed result to the switch. The switch verifies the signature with the public key in the topology scanning device certificate; if verification fails, the connection is broken; if it succeeds, the switch decrypts with its private key to obtain the random number A. The switch then generates a random number B, encrypts B with the public key in the topology scanning device certificate, signs with the switch private key, and sends the encrypted and signed result to the topology scanning device. The topology scanning device verifies the signature with the public key in the switch certificate; if verification fails, the connection is broken; if it succeeds, it decrypts with its private key to obtain the random number B. The topology scanning device and the switch each compute A XOR B, generating the symmetric key C;
Private-key signing is documented in the relevant literature and generally comprises the following steps: 1. hash the data X to be signed to obtain Y; 2. encrypt Y with the private key to obtain Z, where Z is the signature result.
Signature verification with the public key in the certificate proceeds as follows: decrypt the signature value Z with the signer's public key to obtain the hash value Y; hash the signed data X to obtain Y1; compare Y and Y1, and if they are the same the signature passes, otherwise it fails.
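The step-6 exchange described in the Disclosure and again above (random number encrypted with the peer's public key, signed with the sender's private key, signature verified before any decryption, C = A XOR B) as an added Go example, not code from the patent. RSA-OAEP and RSA-PSS with SHA-256 stand in for the unspecified asymmetric and hash algorithms; the Party and Envelope types are assumptions, and the peer public keys are passed in directly rather than read from the certificates verified in step 5.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// NewDeviceKey is the key pair each side generates locally in steps 1 and 2.
func NewDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Party is one side of the step-6 exchange (hypothetical type). In the patent the
// peer public key is read out of the certificate verified in step 5; here both keys
// are handed in directly so that the block runs stand-alone.
type Party struct {
	Priv    *rsa.PrivateKey
	PeerPub *rsa.PublicKey
}

// Envelope is the "encrypt, then sign" message: the RSA-OAEP ciphertext of the
// random number plus an RSA-PSS signature over that ciphertext.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal encrypts a random number for the peer and signs the result with our own key.
func (p *Party) Seal(nonce []byte) (*Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, p.PeerPub, nonce, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, p.Priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open checks the peer's signature before anything else; only a valid signature
// earns a decryption. A failed check is where the text says the connection is broken.
func (p *Party) Open(e *Envelope) ([]byte, error) {
	digest := sha256.Sum256(e.Ciphertext)
	if err := rsa.VerifyPSS(p.PeerPub, crypto.SHA256, digest[:], e.Signature, nil); err != nil {
		return nil, errors.New("signature check failed, dropping connection")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.Priv, e.Ciphertext, nil)
}

// DeriveKey is the patent's C = A XOR B. A and B are fresh per session, so an old
// envelope replayed later cannot reproduce C. (An HKDF over A||B would be the usual
// choice; XOR is kept because it is what the text specifies.)
func DeriveKey(a, b []byte) ([]byte, error) {
	if len(a) == 0 || len(a) != len(b) {
		return nil, errors.New("random numbers must be non-empty and of equal length")
	}
	c := make([]byte, len(a))
	for i := range a {
		c[i] = a[i] ^ b[i]
	}
	return c, nil
}

// Exchange runs the whole step-6 dialogue and returns the key each side computed.
func Exchange(scanner, sw *Party) (scannerKey, switchKey []byte, err error) {
	a, b := make([]byte, 32), make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, a); err != nil {
		return nil, nil, err
	}
	envA, err := scanner.Seal(a) // scanner -> switch: A encrypted for the switch, signed by the scanner
	if err != nil {
		return nil, nil, err
	}
	aAtSwitch, err := sw.Open(envA) // switch verifies, then decrypts A
	if err != nil {
		return nil, nil, err
	}
	if _, err = io.ReadFull(rand.Reader, b); err != nil {
		return nil, nil, err
	}
	envB, err := sw.Seal(b) // switch -> scanner: B encrypted for the scanner, signed by the switch
	if err != nil {
		return nil, nil, err
	}
	bAtScanner, err := scanner.Open(envB) // scanner verifies, then decrypts B
	if err != nil {
		return nil, nil, err
	}
	if scannerKey, err = DeriveKey(a, bAtScanner); err != nil {
		return nil, nil, err
	}
	switchKey, err = DeriveKey(aAtSwitch, b)
	return scannerKey, switchKey, err
}
```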
Step 7: the topology scanning device requests from the switch the mapping relation between the switch ports and MAC addresses; the request data is encrypted with the symmetric key C and signed with the private key of the topology scanning device. When the switch returns the mapping relation to the topology scanning device, it encrypts with the symmetric key C and signs with the switch private key.
Step 8: the topology scanning device performs steps 5 to 7 for each switch until all switches have been traversed, and obtains the mapping relation between the ports of all switches and MAC addresses, forming a port-MAC table;
FIG. 2 depicts the structure of the port-MAC table, which records the correspondence between each port of a switch and a terminal device MAC address.
Step 9: the topology scanning device uses ARP (Address Resolution Protocol) to acquire the mapping relation between terminal device IPs and MACs over the configured IP address range of the terminal equipment to be scanned, forming an IP-MAC table;
for each IP in the configured address range, the topology scanning device constructs an ARP request message asking for the MAC address of that IP (the exact format can be found in the relevant specifications); a terminal device that receives the ARP request sends an ARP reply whose content is the MAC address corresponding to the IP.
FIG. 2 depicts the IP-MAC table, which records the correspondence between terminal device IPs and MAC addresses.
Step 10: the topology scanning device combines the mapping relation between the port of the switch and the MAC address and the mapping relation between the terminal equipment IP and the MAC, outputs the mapping relation between the switch and the terminal equipment IP to form a port-IP table, and stores the mapping relation and the change of the mapping relation of each scanning into a persistent memory.
If a new switch is added to the station control layer network, the switch performs step 1; if a switch is removed, the local certificate management center revokes the certificate of that switch and deletes the switch management IP and its certificate from the switch management IP to switch certificate mapping.
The topology scanning device can be attached to any switch in the station control layer network. The device on which the topology scanning program is installed is called the topology scanning device.
The topology scanning device performs topology scanning periodically; each round of topology scanning performs steps 4 to 10, the mapping relation between switches and terminal device IPs output by the round is compared with the previous result, and a comparison result is output which at least includes: switch management IPs that have been removed, switch management IPs that have been added, terminal device IPs removed from each switch, and terminal device IPs added to each switch.
There may be several switches, and each switch may have several terminal devices attached; when a terminal device is removed from a switch, this is detected and reported as a terminal device IP removed from that switch.
FIG. 2 depicts the structure of the port-IP table, the output of the final scan, which records the correspondence between each switch port and the IP of the terminal device.
Correspondingly, the invention also provides a safety encryption-based power secondary system station control layer topology scanning device, which is characterized by comprising an exchanger mapping relation acquisition module, a terminal equipment mapping relation acquisition module and an exchanger and terminal equipment mapping relation acquisition module;
the switch mapping relation obtaining module is used for establishing connection with a switch; requesting the mapping relation between the port and the MAC address from the switch, and responding and returning the mapping relation between the port and the MAC address of the switch by the switch; and the request and response interaction process adopts a symmetric key for encryption;
executing the above process with all the switches to obtain the mapping relation between the ports of all the switches and the MAC address of the terminal equipment;
the terminal equipment mapping relation obtaining module is used for obtaining the mapping relation between the IP and the MAC of each terminal equipment from each terminal equipment;
and the module for acquiring the mapping relation between the switch and the terminal equipment acquires the mapping relation between the switch and the IP of the terminal equipment according to the mapping relation between the port of each switch and the MAC address of the terminal equipment and the mapping relation between the IP of each terminal equipment and the MAC.
Further, in the module for obtaining a mapping relationship between switches, the process of establishing a connection with a switch is as follows:
the switch obtains a root certificate and a switch certificate;
when a connection is requested to the switch, the topology scanning apparatus certificate is sent to the switch, the switch verifies the validity of the topology scanning apparatus certificate with the root certificate, if valid, the switch certificate is returned,
and verifying the validity of the switch certificate by using the root certificate, and if the root certificate is valid, establishing connection with the switch.
Further, in the switch mapping relationship obtaining module, the process of the switch obtaining the root certificate and the switch certificate is as follows:
the local certificate management center generates a root certificate, the switch generates a certificate request and a private key, the local certificate management center signs the certificate request of the switch to generate a switch certificate, and the switch stores the switch certificate, the root certificate and the private key.
Further, in the switch mapping relation obtaining module, the process of generating the topology scanning device certificate is as follows:
the local certificate management center generates a root certificate, the topology scanning device generates a certificate request and a private key, the local certificate management center signs the certificate request to generate a topology scanning device certificate, and the topology scanning device stores the topology scanning device certificate, the root certificate and the private key.
Further, in the switch mapping relation obtaining module, the generation process of the symmetric key is as follows:
the topology scanning device generates a random number A, encrypts A with the public key in the switch certificate, signs with the private key of the topology scanning device, and sends the encrypted and signed result to the switch;
the switch checks the signature with the public key in the topology scanning device certificate, and if the signature check succeeds, decrypts with the switch private key to obtain the random number A;
the switch generates a random number B, encrypts B with the public key in the topology scanning device certificate, signs with the private key of the switch, and returns the encrypted and signed result;
the topology scanning device checks the signature with the public key in the switch certificate, and if the signature check succeeds, decrypts with the private key of the topology scanning device to obtain the random number B;
from the random numbers A and B, a symmetric key C is generated.
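The key agreement just described, as an added Go example that is not part of the patent: the certificate checks are assumed to have already passed, so each side holds only its own RSA private key and the peer's public key; RSA-OAEP for the encryption, RSA-PSS for the signatures and SHA-256 over A||B as the combining function for C are assumptions, since the patent names none of them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Party is one endpoint of the exchange (scanner X or a switch). peerPub stands in
// for the public key read from the peer's certificate, which the certificate step
// of the patent has already checked against the preset root certificate.
type Party struct {
	priv    *rsa.PrivateKey
	peerPub *rsa.PublicKey
}

// NewParties generates fresh 2048-bit RSA keys for a scanner and a switch
// (constructed test keys) and hands each side the other's public key.
func NewParties() (scanner, sw *Party, err error) {
	kx, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	ks, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Party{priv: kx, peerPub: &ks.PublicKey}, &Party{priv: ks, peerPub: &kx.PublicKey}, nil
}

// sealNonce encrypts a random number for the peer (RSA-OAEP under the peer's
// public key) and signs the ciphertext with the sender's own private key (RSA-PSS).
func (p *Party) sealNonce(nonce []byte) (ct, sig []byte, err error) {
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, p.peerPub, nonce, nil); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err = rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
	return ct, sig, err
}

// openNonce checks the peer's signature first and only then decrypts with the
// receiver's own private key; a failed check ends the connection, as in the patent.
func (p *Party) openNonce(ct, sig []byte) ([]byte, error) {
	digest := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(p.peerPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature check failed: drop the connection")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
}

// deriveKey combines A and B into the symmetric key C. The patent does not name
// the combining function; SHA-256 over the two 32-byte nonces is an assumption.
func deriveKey(a, b []byte) []byte {
	h := sha256.New()
	h.Write(a)
	h.Write(b)
	return h.Sum(nil)
}

// sendNonce draws a fresh 32-byte random number on `from`, seals it for `to`, and
// lets `to` open it. It returns the value as held by each end.
func sendNonce(from, to *Party) (sent, received []byte, err error) {
	sent = make([]byte, 32)
	if _, err = rand.Read(sent); err != nil {
		return nil, nil, err
	}
	ct, sig, err := from.sealNonce(sent)
	if err != nil {
		return nil, nil, err
	}
	received, err = to.openNonce(ct, sig)
	return sent, received, err
}

// Handshake runs the patent's key agreement between the scanner and one switch
// and returns the key each side computed, so a caller can confirm they agree.
func Handshake(scanner, sw *Party) (keyScanner, keySwitch []byte, err error) {
	a, aAtSwitch, err := sendNonce(scanner, sw) // scanner -> switch: Enc_sw(A), Sig_X
	if err != nil {
		return nil, nil, err
	}
	b, bAtScanner, err := sendNonce(sw, scanner) // switch -> scanner: Enc_X(B), Sig_sw
	if err != nil {
		return nil, nil, err
	}
	return deriveKey(a, bAtScanner), deriveKey(aAtSwitch, b), nil
}
```

Because the signature is checked before anything is decrypted, a message whose signature does not verify never reaches the private-key operation, which is the order the patent prescribes on both sides.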
After the scheme is adopted, the invention has the following beneficial effects:
(1) A local certificate management center is established, certificates are managed uniformly, and certificate interaction is safe and quick.
(2) The switch and the topology scanning device are preset with the root certificate of the certificate management center and uniformly apply to the certificate management center for certificate issuance, so certificates cannot be forged. Because the root certificate is preset in advance, when an illegal device uses a certificate issued by an illegal certificate management center for interaction, verification with the preset root certificate fails, and the device is known to be illegal.
(3) When the topology scanning device interacts with a switch, each side can verify whether the other party's certificate was issued by the certificate management center, and a symmetric key is generated, so that data transmission is secured against tampering, eavesdropping, man-in-the-middle attacks and replay attacks.
(4) The mapping relation and the change of the mapping relation from each scan are stored in persistent memory, so that changes in the topology are clearer and the history can be traced.
Examples
Taking a typical power secondary system station control layer topology scanning process based on security encryption as an example, the method comprises the following steps:
step 1: suppose there are 3 switches, switch1, switch2 and switch3, with management IPs 192.168.1.1, 192.168.1.2 and 192.168.1.3 respectively. The local certificate management center generates a root certificate root.crt; switch1 generates a certificate request switch1.csr and a private key private1.key; the local certificate management center signs the certificate request switch1.csr of switch1 to generate the switch certificate switch1.crt; switch1 stores the switch certificate switch1.crt, the root certificate root.crt and the private key private1.key in persistent memory; the local certificate management center stores the correspondence between the switch1 management IP address 192.168.1.1 and the switch certificate switch1.crt in persistent memory; switch2 and switch3 do the same;
step 2: the topology scanning device X generates a certificate request x.csr and a private key x.key; the local certificate management center signs the certificate request x.csr of the topology scanning device X to generate the topology scanning device X certificate x.crt; the topology scanning device stores its certificate x.crt, the root certificate root.crt and its private key x.key in persistent memory; and the local certificate management center stores the correspondence between the IP address 192.168.1.200 of the topology scanning device X and its certificate x.crt in persistent memory;
step 3: the topology scanning device X sets the IP address range 192.168.1.50-192.168.1.100 of the terminal equipment to be scanned. Suppose there are 6 terminal devices t1, t2, t3, t4, t5 and t6 with IP addresses 192.168.1.51, 192.168.1.52, 192.168.1.53, 192.168.1.54, 192.168.1.55 and 192.168.1.56 and MAC addresses 6C:77:22:D7:55:51, 6C:77:22:D7:55:52, 6C:77:22:D7:55:53, 6C:77:22:D7:55:54, 6C:77:22:D7:55:55 and 6C:77:22:D7:55:56 respectively; t1 and t2 are connected to port 1 and port 2 of switch1, t3 and t4 to port 1 and port 2 of switch2, and t5 and t6 to port 1 and port 2 of switch3;
step 4: at the beginning of each scan, the topology scanning device X requests from the local certificate management center the correspondence between switch management IP addresses and switch certificates, that is, (192.168.1.1: switch1.crt), (192.168.1.2: switch2.crt), (192.168.1.3: switch3.crt);
step 5: taking the interaction between the topology scanning device X and switch1 as an example, the topology scanning device X establishes a TCP connection with switch1 and sends x.crt to switch1; switch1 verifies the validity of x.crt with the root certificate, and if x.crt is invalid the connection is closed, while if x.crt is valid switch1 sends its own switch1.crt to the topology scanning device X; the topology scanning device X verifies the validity of switch1.crt with the root certificate, and if switch1.crt is invalid the connection is closed, while if it is valid step 6 is executed;
step 6: taking the interaction between the topology scanning device X and switch1 as an example, the topology scanning device X generates a random number A, encrypts A with the public key in switch1.crt, signs with the private key of the topology scanning device X, and sends the encrypted and signed result to switch1; switch1 checks the signature with the public key in x.crt, and if the check fails the connection is closed, while if it succeeds switch1 decrypts with private1.key to obtain the random number A; the switch generates a random number B, encrypts B with the public key in x.crt, signs with private1.key, and sends the encrypted and signed result to the topology scanning device X; the topology scanning device X checks the signature with the public key in switch1.crt, and if the check fails the connection is closed, while if it succeeds it decrypts with x.key to obtain the random number B; the topology scanning device X and switch1 each combine the random number A and the random number B to generate the symmetric key C; from then on data is encrypted with C and each party signs with its own private key;
step 7: taking the interaction between the topology scanning device X and switch1 as an example, the topology scanning device X requests from switch1 the mapping relation between ports and MAC addresses; the request is encrypted with the symmetric key C and then signed with the private key of the topology scanning device X; when switch1 returns the mapping relation to the topology scanning device X, it is likewise encrypted with the symmetric key C and signed with the private key of switch1, that is, (port 1: 6C:77:22:D7:55:51), (port 2: 6C:77:22:D7:55:52);
step 8: the topology scanning device X performs steps 5 to 7 with switch1, switch2 and switch3 and obtains the mapping relation between the ports and MAC addresses of all the switches, that is, switch1: (port 1: 6C:77:22:D7:55:51), (port 2: 6C:77:22:D7:55:52); switch2: (port 1: 6C:77:22:D7:55:53), (port 2: 6C:77:22:D7:55:54); switch3: (port 1: 6C:77:22:D7:55:55), (port 2: 6C:77:22:D7:55:56);
step 9: the topology scanning device X uses the ARP protocol to obtain the mapping relation between the IP and the MAC of the terminal equipment within the set IP address range of the terminal equipment to be scanned, that is, (192.168.1.51: 6C:77:22:D7:55:51), (192.168.1.52: 6C:77:22:D7:55:52), (192.168.1.53: 6C:77:22:D7:55:53), (192.168.1.54: 6C:77:22:D7:55:54), (192.168.1.55: 6C:77:22:D7:55:55), (192.168.1.56: 6C:77:22:D7:55:56);
step 10: the topology scanning device combines the mapping relation between switch ports and MAC addresses with the mapping relation between terminal device IPs and MACs and outputs the mapping relation between switches and terminal device IPs, that is, switch1: (port 1: 192.168.1.51), (port 2: 192.168.1.52); switch2: (port 1: 192.168.1.53), (port 2: 192.168.1.54); switch3: (port 1: 192.168.1.55), (port 2: 192.168.1.56), and stores the scanned mapping relation in persistent memory. If, in the second scan, t1 has been removed from port 1 of switch1 and connected to port 3 of switch2, the comparison yields the mapping relation changes (switch1, port 1, 192.168.1.51, removal) and (switch2, port 3, 192.168.1.51, access), which are stored in persistent memory.
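Steps 8 to 10 of the worked example, as added Go code that is not part of the patent: the ARP table and the port tables are those of the example above, the second scan moves t1 as step 10 describes, and the extra MAC 6C:77:22:D7:55:99 on switch3 port 3 is a constructed addition that shows how a port whose MAC answered no ARP request is handled.

```go
package main

import "strings"

// PortMAC is one row of a switch's port -> MAC table (what step 8 collects).
type PortMAC struct {
	Switch string
	Port   int
	MAC    string
}

// PortIP is one row of the scanner's output: the terminal IP behind a switch port.
type PortIP struct {
	Switch string
	Port   int
	IP     string
}

// Change is one persisted difference between two scans; Event is "removal" or "access".
type Change struct {
	Switch string
	Port   int
	IP     string
	Event  string
}

// ArpTable is the IP -> MAC mapping of step 9, copied from the worked example.
var ArpTable = map[string]string{
	"192.168.1.51": "6C:77:22:D7:55:51", "192.168.1.52": "6C:77:22:D7:55:52",
	"192.168.1.53": "6C:77:22:D7:55:53", "192.168.1.54": "6C:77:22:D7:55:54",
	"192.168.1.55": "6C:77:22:D7:55:55", "192.168.1.56": "6C:77:22:D7:55:56",
}

// FirstScan is the port -> MAC data of step 8. SecondScan moves t1 to port 3 of
// switch2 and adds a constructed MAC on switch3 port 3 that no ARP reply matched.
var FirstScan = []PortMAC{
	{"switch1", 1, "6C:77:22:D7:55:51"}, {"switch1", 2, "6C:77:22:D7:55:52"},
	{"switch2", 1, "6C:77:22:D7:55:53"}, {"switch2", 2, "6C:77:22:D7:55:54"},
	{"switch3", 1, "6C:77:22:D7:55:55"}, {"switch3", 2, "6C:77:22:D7:55:56"},
}
var SecondScan = []PortMAC{
	{"switch1", 2, "6C:77:22:D7:55:52"}, {"switch2", 3, "6C:77:22:D7:55:51"},
	{"switch2", 1, "6C:77:22:D7:55:53"}, {"switch2", 2, "6C:77:22:D7:55:54"},
	{"switch3", 1, "6C:77:22:D7:55:55"}, {"switch3", 2, "6C:77:22:D7:55:56"},
	{"switch3", 3, "6C:77:22:D7:55:99"},
}

// JoinTopology combines the port -> MAC tables with the IP -> MAC table into the
// switch-port -> IP mapping of step 10. MACs are compared case-insensitively, since
// switch tables and ARP replies often differ in case, and ports whose MAC got no ARP
// answer are left out rather than reported with an empty IP.
func JoinTopology(ports []PortMAC, ipToMAC map[string]string) []PortIP {
	macToIP := make(map[string]string, len(ipToMAC))
	for ip, mac := range ipToMAC {
		macToIP[strings.ToUpper(mac)] = ip
	}
	var out []PortIP
	for _, p := range ports {
		if ip, ok := macToIP[strings.ToUpper(p.MAC)]; ok {
			out = append(out, PortIP{p.Switch, p.Port, ip})
		}
	}
	return out
}

// DiffScans compares the persisted previous mapping with the current one and
// returns one Change per (switch, port, IP) tuple that vanished or appeared:
// removals first in previous-scan order, then accesses in current-scan order.
func DiffScans(prev, cur []PortIP) []Change {
	index := func(xs []PortIP) map[PortIP]bool {
		m := make(map[PortIP]bool, len(xs))
		for _, x := range xs {
			m[x] = true
		}
		return m
	}
	inPrev, inCur := index(prev), index(cur)
	var out []Change
	for _, p := range prev {
		if !inCur[p] {
			out = append(out, Change{p.Switch, p.Port, p.IP, "removal"})
		}
	}
	for _, c := range cur {
		if !inPrev[c] {
			out = append(out, Change{c.Switch, c.Port, c.IP, "access"})
		}
	}
	return out
}
```

A port that carries a MAC the ARP sweep never saw (an uplink, or a device outside the scanned range) shows up only in the port table, so it is worth logging separately rather than silently dropping in a production scanner.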
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (8)

1. The method for scanning the topology of the station control layer of the power secondary system based on the security encryption is characterized by comprising the following steps of:
establishing connection with a switch; requesting the mapping relation between the port and the MAC address from the switch, and responding and returning the mapping relation between the port and the MAC address of the switch by the switch; and the request and response interaction process adopts a symmetric key for encryption;
executing the above process with all the switches to obtain the mapping relation between the ports of all the switches and the MAC address of the terminal equipment;
acquiring the mapping relation between the IP and the MAC of each terminal device from each terminal device;
acquiring the mapping relation between the switch and the terminal equipment IP according to the mapping relation between the port of each switch and the MAC address of the terminal equipment and the mapping relation between the IP of each terminal equipment and the MAC,
the process of establishing connection with the switch is as follows:
the switch obtains a root certificate and a switch certificate;
when a connection is requested to the switch, the topology scanning apparatus certificate is sent to the switch, the switch verifies the validity of the topology scanning apparatus certificate with the root certificate, if valid, the switch certificate is returned,
and verifying the validity of the switch certificate by using the root certificate, and if the switch certificate is valid, establishing connection with the switch.
2. The method for scanning the topology of the station control layer of the electric power secondary system based on the security encryption as claimed in claim 1, wherein the process of the switch obtaining the root certificate and the switch certificate is as follows:
the local certificate management center generates a root certificate, the switch generates a certificate request and a private key, the local certificate management center signs the certificate request of the switch to generate a switch certificate, and the switch stores the switch certificate, the root certificate and the private key.
3. The safety encryption-based power secondary system station control layer topology scanning method according to claim 2, wherein the generation process of the topology scanning device certificate is as follows:
the local certificate management center generates a root certificate, generates a topology scanning device certificate request and a private key, signs the certificate request to generate a topology scanning device certificate, and stores the topology scanning device certificate, the root certificate and the private key.
4. The method for scanning the topology of the station control layer of the electric power secondary system based on the secure encryption as claimed in claim 3, wherein the generation process of the symmetric key is as follows:
generating a random number A, encrypting the A by using a public key in a switch certificate, signing by using a private key of a topology scanning device, and sending a result after encrypted signing to a switch;
the switch checks the signature by using the public key in the topology scanning device certificate, and if the signature is successfully checked, the switch private key is used for decryption to obtain a random number A;
the switch generates a random number B, a public key in a topology scanning device certificate is used for encrypting the random number B, a private key of the switch is used for signing, and a result after encrypted signing is returned;
verifying the signature by using a public key in the switch certificate, and if the signature verification is successful, decrypting by using the private key of the topology scanning device to obtain a random number B;
from the random numbers A and B, a symmetric key C is generated.
5. The power secondary system station control layer topology scanning device based on the safety encryption is characterized by comprising a switch mapping relation obtaining module, a terminal equipment mapping relation obtaining module and a switch and terminal equipment mapping relation obtaining module;
the switch mapping relation obtaining module is used for establishing connection with a switch; requesting the mapping relation between the port and the MAC address from the switch, and responding and returning the mapping relation between the port and the MAC address of the switch by the switch; and the request and response interaction process adopts a symmetric key for encryption;
executing the above process with all the switches to obtain the mapping relation between the ports of all the switches and the MAC address of the terminal equipment;
the terminal equipment mapping relation obtaining module is used for obtaining the mapping relation between the IP and the MAC of each terminal equipment from each terminal equipment;
a module for obtaining the mapping relation between the switch and the terminal equipment, which obtains the mapping relation between the switch and the terminal equipment IP according to the mapping relation between the port of each switch and the terminal equipment MAC address and the mapping relation between the IP of each terminal equipment and the MAC,
in the module for obtaining the mapping relationship of the switch, the process of establishing connection with the switch is as follows:
the switch obtains a root certificate and a switch certificate;
when a connection is requested to the switch, the topology scanning apparatus certificate is sent to the switch, the switch verifies the validity of the topology scanning apparatus certificate with the root certificate, if valid, the switch certificate is returned,
and verifying the validity of the switch certificate by using the root certificate, and if the switch certificate is valid, establishing connection with the switch.
6. The secondary electric power system station control layer topology scanning device based on security encryption of claim 5, wherein in the switch mapping relationship obtaining module, the process of the switch obtaining the root certificate and the switch certificate is as follows:
the local certificate management center generates a root certificate, the switch generates a certificate request and a private key, the local certificate management center signs the certificate request of the switch to generate a switch certificate, and the switch stores the switch certificate, the root certificate and the private key.
7. The safety encryption-based power secondary system station control layer topology scanning device according to claim 6, wherein in the switch mapping relationship obtaining module, the generation process of the topology scanning device certificate is as follows:
the local certificate management center generates a root certificate, generates a topology scanning device certificate request and a private key, signs the certificate request to generate a topology scanning device certificate, and stores the topology scanning device certificate, the root certificate and the private key.
8. The safety encryption-based power secondary system station control layer topology scanning device as claimed in claim 7, wherein in the switch mapping relationship obtaining module, the generation process of the symmetric key is as follows:
generating a random number A, encrypting the A by using a public key in a switch certificate, signing by using a private key of a topology scanning device, and sending a result after encrypted signing to a switch;
the switch checks the signature by using the public key in the topology scanning device certificate, and if the signature is successfully checked, the switch private key is used for decryption to obtain a random number A;
the switch generates a random number B, a public key in a topology scanning device certificate is used for encrypting the random number B, a private key of the switch is used for signing, and a result after encrypted signing is returned;
verifying the signature by using a public key in the switch certificate, and if the signature verification is successful, decrypting by using the private key of the topology scanning device to obtain a random number B;
from the random numbers A and B, a symmetric key C is generated.
CN201911094793.7A 2019-11-11 2019-11-11 Power secondary system station control layer topology scanning method and device based on safety encryption Active CN110830301B (en)

Publications (2)

Publication Number Publication Date
CN110830301A CN110830301A (en) 2020-02-21
CN110830301B true CN110830301B (en) 2022-04-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant