CN111343164A - Data encryption method and device applied to electric energy meter and storage medium - Google Patents

Data encryption method and device applied to electric energy meter and storage medium Download PDF

Info

Publication number
CN111343164A
CN111343164A CN202010093609.3A CN202010093609A CN111343164A CN 111343164 A CN111343164 A CN 111343164A CN 202010093609 A CN202010093609 A CN 202010093609A CN 111343164 A CN111343164 A CN 111343164A
Authority
CN
China
Prior art keywords
public key
management module
random number
ciphertext
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010093609.3A
Other languages
Chinese (zh)
Other versions
CN111343164B (en
Inventor
张敏
王柯童
李双全
朱程鹏
王宏飞
舒元康
陈昌首
史少岩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Haixing Power Grid Technology Co Ltd
Hangzhou Hexing Electrical Co Ltd
Ningbo Henglida Technology Co Ltd
Original Assignee
Nanjing Haixing Power Grid Technology Co Ltd
Hangzhou Hexing Electrical Co Ltd
Ningbo Henglida Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Haixing Power Grid Technology Co Ltd, Hangzhou Hexing Electrical Co Ltd, Ningbo Henglida Technology Co Ltd filed Critical Nanjing Haixing Power Grid Technology Co Ltd
Priority to CN202010093609.3A priority Critical patent/CN111343164B/en
Publication of CN111343164A publication Critical patent/CN111343164A/en
Application granted granted Critical
Publication of CN111343164B publication Critical patent/CN111343164B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a data encryption method, a device and a storage medium applied to an electric energy meter, comprising the following steps: and acquiring a public key ciphertext, and decrypting the public key ciphertext by using the authentication public key to obtain the public key of the management module. And then the random number generated by the random number generator is encrypted by the public key to obtain a random number ciphertext, and the random number ciphertext is sent to the management module, so that the management module can decrypt the random number ciphertext by the private key of the management module to obtain the random number to realize the synchronization of the encryption key. Finally, the communication data is encrypted or decrypted by using the random number as an encryption key. Therefore, the data volume of the public key and the random number of the management module is small, so that the public key and the random number are subjected to asymmetric encryption, the problem of large calculation amount can be solved, and the safety is high; the data volume of the communication data is large, so that the communication data is symmetrically encrypted, and the used encryption key is a random number, so that a key management large database is not needed, and the problem that an electric power company needs to additionally increase the key management large database can be solved.

Description

Data encryption method and device applied to electric energy meter and storage medium
Technical Field
The present disclosure relates to the field of power technologies, and in particular, to a data encryption method and apparatus applied to an electric energy meter, and a storage medium.
Background
The electric energy meter in the application mainly refers to a multi-core multi-module intelligent electric energy meter, and can include but is not limited to an IR46 electric energy meter, wherein the electric energy meter is composed of a metering module, a management module, a communication module, an expansion module and the like, so that the electric energy meter with the functions of electric energy metering, data processing, real-time monitoring, automatic control, information interaction and the like is realized.
The IR46 standard divides a software part into legal measurement part software and illegal measurement part software, and clearly proposes that an electric energy meter can protect legal measurement information and isolate the measurement part from the illegal measurement part. If the metering part needs to communicate with the non-metering part, a specific communication interface is set, and all information is transmitted through the interface. Therefore, the metering module and the management module of the current electric energy meter are physically separated. Fig. 1 is a structural diagram of an IR46 multi-core multi-module intelligent electric energy meter provided by the prior art. As shown in fig. 1, the electric energy meter includes a communication module, a metering module and a management module. The metering module is provided with a metering MCU and used for providing legal data such as basic electric energy, electric energy instantaneous quantity, clock and the like and storing basic total electric energy every minute; the management module is provided with a management MCU, the total electric quantity (including forward active power, reverse active power, I/II/III/IV quadrant reactive total electric energy and the like) of the management module and the clock are based on the metering module and are synchronized in real time. For brevity of the application document, details of the communication module, the management module, and the metering module in fig. 1 are not repeated, and reference may be made to the prior art.
The physical separation scheme is more beneficial to testing and problem tracing, but brings risks that data transmitted between double cores (a metering MCU and a management MCU) is easier to intercept and tamper, so that a set of data security algorithm is required between the double cores of the electric energy meter.
In the prior art, the following three schemes are provided:
scheme 1: data between the double cores are transmitted in a plaintext mode, a receiving end (a management module and a metering module can be used as the receiving end, and the other end is the sending end) verifies and passes through a received data communication protocol link protocol format to serve as a data validity judgment basis, if a data frame received by the receiving end conforms to the link protocol format, the data is considered to be valid, and otherwise, the data is invalid. Fig. 2 is a schematic diagram of a man-in-the-middle attack process provided in the prior art. The sending end sends the plaintext data to the receiving end, the plaintext data is intercepted, and after the intercepted plaintext data is tampered, the obtained data is packaged again and sent to the receiving end. However, the receiving end does not know that the obtained data is tampered, so that the data is processed according to a normal processing flow, and potential safety hazards are caused.
Scheme 2: the communication data transmission protection is carried out between the double cores by adopting a symmetric encryption and decryption algorithm, the management module and the metering module respectively store symmetric encryption algorithm keys, and the communication data between the double cores are transmitted to the opposite party after all the communication data adopt the symmetric encryption algorithm.
Scheme 3: the communication data transmission protection is carried out between the double cores by adopting an asymmetric encryption and decryption algorithm, the management module and the metering module respectively store an asymmetric encryption and decryption public key and a private key of the asymmetric encryption algorithm, and the communication data between the double cores are transmitted after all adopting the asymmetric encryption algorithm.
Although the above three schemes can ensure the security of the communication data to some extent, all have certain disadvantages, which are as follows:
disadvantages of scheme 1: because a double-core physical separation scheme is adopted and a double-core link communication protocol is disclosed, if a third party illegal man-in-the-middle intercepts communication data by an illegal means, modifies the communication data and reuses the double-core link communication protocol format combination to send the communication data to a receiving end, the receiving end cannot know whether the data source is legal or not, and once the data is processed by legal data, the data and the operation of the electric energy meter are abnormal, and the errors of legal measurement and measurement data are influenced.
The disadvantage of scheme 2: the electric power company is required to carry out large database management on the encryption key of the electric energy meter, when the field management module is damaged and needs to be replaced, the electric power company is required to obtain the encryption key between the double cores of the electric energy meter by acquiring the asset information of the electric energy meter and then set the encryption key to a new management module, and the new management module can be used for replacing the fault management module. Because the management of the key database is complex and the management module needs to be replaced on site, the operation and maintenance workload is huge and the operation is inconvenient.
Disadvantage of scheme 3: firstly, the asymmetric encryption and decryption consumes time, large data are not suitable to be transmitted, and the communication transmission efficiency between the double cores is influenced; in addition, the asymmetric encryption and decryption also need a power company to perform large database management on the key of the electric energy meter, when the field management module is damaged and needs to be replaced, the power company needs to obtain the key of the electric energy meter management module through acquiring the asset information of the electric energy meter and then set the key to a new management module, and then the new management module can be used for replacing the fault management module. Because the management of the key database is complex and the management module needs to be replaced on site, the operation and maintenance workload is huge and the operation is inconvenient.
Therefore, the three data security algorithms have defects in the field implementation process, and cannot fundamentally solve the data transmission security problem, so that how to ensure the security of the communication data between the double cores of the electric energy meter is a problem to be solved urgently by the technical staff in the field.
Disclosure of Invention
The application aims to provide a data encryption method, a data encryption device and a storage medium applied to an electric energy meter, which are used for ensuring the safe transmission of communication data between double cores, do not need the management of a large database required by a symmetric encryption algorithm, and avoid the problem of large calculation amount caused by an asymmetric encryption algorithm.
In order to solve the technical problem, the present application provides a data encryption method applied to an electric energy meter, which is applied to a metering module, and the method includes:
initiating an acquisition request to a management module to acquire a public key ciphertext of the management module; the public key ciphertext is obtained by encrypting the public key of the management module through an authentication private key of an authentication terminal;
decrypting the public key ciphertext by using the authentication public key of the authentication terminal to obtain a public key of the management module;
triggering a random number generator to generate a random number;
encrypting the random number through a public key of the management module to obtain a random number ciphertext, and sending the random number ciphertext to the management module so that the management module decrypts the random number ciphertext through a private key of the management module to obtain the random number;
when a communication data transmission request is generated, communication data is encrypted or decrypted by using the random number as an encryption key.
Preferably, when obtaining the public key cryptograph of the management module, the method further includes:
acquiring a digital signature certificate of the management module; the digital signature certificate is generated by the authentication terminal and is sent to the management module;
checking the digital signature certificate according to the authentication public key, and judging whether the digital signature certificate passes the checking;
if so, the step of decrypting the public key ciphertext by using the authentication public key of the authentication terminal to obtain the public key of the management module is carried out.
Preferably, the encrypting the public key of the management module by the public key cryptograph through the authentication private key of the authentication terminal specifically includes:
the authentication terminal acquires a public key of the management module;
the authentication terminal encrypts the public key of the management module through the authentication private key to obtain the public key ciphertext;
the generating, by the authentication terminal, the digital signature certificate specifically includes:
performing Hash operation on the public key ciphertext to obtain a public key ciphertext abstract;
encrypting the public key ciphertext abstract through the authentication private key to obtain the digital signature;
and forming a digital signature certificate through the public key ciphertext and the digital signature.
Preferably, when the communication data transmission request is to send data, the method further includes:
and accumulating and checking the communication data.
Preferably, initiating the acquisition request to the management module specifically includes: and initiating the acquisition request when the metering module detects power-on or detects replacement of the management module.
In order to solve the above technical problem, the present application provides a data encryption method applied to an electric energy meter, which is applied to a management module, and the method includes:
sending the public key ciphertext of the management module to the metering module according to an acquisition request initiated by the metering module; the public key ciphertext is obtained by encrypting the public key of the management module through an authentication private key of an authentication terminal;
receiving a random number ciphertext sent by the metering module; the random number ciphertext is obtained by encrypting the random number generated by the random number generator by the metering module through the public key of the management module, and the public key of the management module is obtained by decrypting the public key ciphertext through the authentication public key of the authentication terminal by the metering module;
decrypting the random number ciphertext through a private key of the management module to obtain the random number;
when a communication data transmission request is generated, communication data is encrypted or decrypted by using the random number as an encryption key.
Preferably, when the private key of the management module and the public key of the management module are stored in an off-chip memory, the method further includes:
and encrypting the private key of the management module and the public key of the management module.
For solving above-mentioned technical problem, the application provides a be applied to data encryption device of electric energy meter, is applied to the measurement module, and the device includes:
the request module is used for initiating an acquisition request to the management module so as to acquire the public key ciphertext of the management module; the public key ciphertext is obtained by encrypting the public key of the management module through an authentication private key of an authentication terminal;
the decryption module is used for decrypting the public key ciphertext by using the authentication public key of the authentication terminal to obtain the public key of the management module;
the trigger module is used for triggering the random number generator to generate a random number;
the encryption module is used for encrypting the random number through the public key of the management module to obtain a random number ciphertext and sending the random number ciphertext to the management module so that the management module can decrypt the random number ciphertext through the private key of the management module to obtain the random number;
and the transceiving module is used for encrypting or decrypting the communication data by using the random number as an encryption key when the communication data transmission request is generated.
For solving above-mentioned technical problem, the application provides a be applied to data encryption device of electric energy meter, is applied to the management module, and the device includes:
the sending module is used for sending the public key ciphertext of the management module to the metering module according to the acquisition request initiated by the metering module; the public key ciphertext is obtained by encrypting the public key of the management module through an authentication private key of an authentication terminal;
the receiving module is used for receiving the random number ciphertext sent by the metering module; the random number ciphertext is obtained by encrypting the random number generated by the random number generator by the metering module through the public key of the management module, and the public key of the management module is obtained by decrypting the public key ciphertext through the authentication public key of the authentication terminal by the metering module;
the decryption module is used for decrypting the random number ciphertext through a private key of the management module to obtain the random number;
and the transceiving module is used for encrypting or decrypting the communication data by using the random number as an encryption key when the communication data transmission request is generated.
In order to solve the above technical problem, the present application provides a computer-readable storage medium having stored thereon a computer program, which when executed by a processor, implements the steps of the data encryption method applied to the electric energy meter as described.
The application provides a be applied to electric energy meter's data encryption method is realized by the measurement module, specifically includes: initiating an acquisition request to a management module to acquire a public key ciphertext of the management module; and after the public key ciphertext is obtained, the public key ciphertext is decrypted by using the authentication public key of the authentication terminal to obtain the public key of the management module. And then the random number generated by the random number generator is encrypted by the public key of the management module to obtain a random number ciphertext, and the random number ciphertext is sent to the management module, so that the management module can decrypt the random number ciphertext by the private key of the management module to obtain the random number to realize the synchronization of the encryption key. Finally, when a communication data transmission request is generated, the communication data is encrypted or decrypted by using the random number as an encryption key. Therefore, in the technical scheme, the data volume of the public key and the random number of the management module is small, so that the public key and the random number are subjected to asymmetric encryption, the problem of large calculation amount caused by asymmetric encryption can be solved, and the security is high; the data volume of the communication data is large, so that the communication data is symmetrically encrypted, and the encryption key used by the symmetric encryption is a random number and is randomly generated, so that a large database does not need to be managed, and the problem that a large database needs to be managed by a symmetric encryption algorithm can be solved.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a structural diagram of an IR46 multi-core multi-module intelligent electric energy meter provided by the prior art;
FIG. 2 is a diagram illustrating a man-in-the-middle attack process provided in the prior art;
fig. 3 is a flowchart of a data encryption method applied to an electric energy meter according to an embodiment of the present application;
FIG. 4 is a schematic diagram of an algorithm package library according to an embodiment of the present application;
fig. 5 is a schematic diagram of an off-chip memory of an MCU according to an embodiment of the present application storing an asymmetric encryption key;
fig. 6 is a schematic diagram illustrating generation of a digitally signed certificate according to an embodiment of the present application;
fig. 7 is a schematic diagram of a metering module according to an embodiment of the present disclosure for performing digital signature verification;
fig. 8 is a flowchart of another data encryption method applied to an electric energy meter according to an embodiment of the present application;
FIG. 9 is a schematic diagram illustrating an interaction between a metering module and a management module according to an embodiment of the present disclosure;
fig. 10 is a structural diagram of a data encryption device applied to an electric energy meter according to an embodiment of the present application;
fig. 11 is a block diagram of another data encryption device applied to an electric energy meter according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
The core of the application is to provide a data encryption method and device applied to an electric energy meter and a storage medium.
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings.
Two encryption algorithms are referred to in this application, one being a symmetric encryption algorithm and the other being an asymmetric encryption algorithm.
Symmetric encryption means that: encryption and decryption use the same key algorithm. It requires the sender and receiver to agree on a symmetric key before secure communication. The security of symmetric algorithms relies entirely on keys, and key leakage means that anyone can decrypt messages they send or receive, so the confidentiality of keys is critical to communications.
Symmetric encryption is divided into two modes: stream encryption and packet encryption. Stream encryption treats a message as a stream of bytes and uses a mathematical function to act on each byte bit separately. When stream encryption is used, the same plaintext bits are converted into different ciphertext bits each time the stream is encrypted. Stream encryption uses a key stream generator that generates a byte stream that is xored with a plaintext byte stream to generate a ciphertext. Packet encryption is the division of a message into packets that are then processed through a mathematical function, one packet at a time. Assuming a 64-bit block cipher is used, if the message length is 640 bits, the message is divided into 10 64-bit blocks (if the last block is less than 64 bits, then 0 is used to complement the block and then 64 bits are added), and each block is processed by a series of mathematical formulas to obtain 10 encrypted text blocks. This ciphertext message is then sent to the peer. The opposite end must have the same block cipher and decrypt the 10 ciphertext blocks in reverse order using the previous algorithm, resulting in the plaintext message. The more commonly used block encryption algorithms are DES, 3DES, AES. Where DES is a relatively old encryption algorithm that has now proven insecure. The 3DES is a transitional encryption algorithm, which is equivalent to performing triple operations on the basis of DES to improve the security, but is essentially consistent with the DES algorithm. AES is a replacement algorithm of DES algorithm and is one of the most secure symmetric encryption algorithms
The symmetric encryption algorithm has the advantages that: the calculated amount is small, the encryption speed is high, and the encryption efficiency is high; the disadvantages of symmetric encryption algorithms: (1) both parties of the transaction use the same key, so that the security cannot be guaranteed; (2) each time a symmetric encryption algorithm is used, a unique key which is unknown to others needs to be used, so that the number of keys owned by both the sender and the receiver increases in a geometric progression, and key management becomes a burden.
Asymmetric encryption algorithm
Before the advent of asymmetric key exchange algorithms, the most important drawback of symmetric encryption was the inability to know how to transmit symmetric keys between two communicating parties without being stolen by intermediaries. After the asymmetric key exchange algorithm is born, encryption and decryption are specially performed on symmetric key transmission, so that interactive transmission of the symmetric key becomes very safe.
The asymmetric key exchange algorithm is very complex, the key exchange process involves a series of extremely complex processes such as random number generation, modular exponentiation, blank complement, encryption, signature and the like, and common key exchange algorithms include algorithms such as RSA, ECDHE, DH, DHE and the like. More complex mathematical problems are involved. Among them, the RSA algorithm is most classical and most commonly used.
RSA: since the birth was in 1977, after a long-time cracking test, the algorithm safety is very high, and most importantly, the algorithm is very simple to implement. The disadvantage is that a relatively large prime number (2048 bits are commonly used at present) is needed to ensure the security strength, and the CPU computing resource is extremely consumed. RSA is currently the only algorithm that can be used for both key exchange and certificate signing, and is the most classical and most commonly also an asymmetric encryption/decryption algorithm.
Asymmetric encryption is more secure than symmetric encryption, but there are two fatal drawbacks:
(1) CPU computational resource consumption is very large. While the computation of symmetric encryption amounts to only 0.1% of asymmetric encryption. If the subsequent application layer data transmission process also uses asymmetric encryption and decryption, the performance overhead of the CPU is too large, and the server cannot bear the overhead at all. Experimental data given by Sametak shows that the CPU resource consumed by the asymmetric algorithm is more than 1000 times that consumed by the symmetric algorithm when the same number of files are encrypted and decrypted.
(2) The asymmetric encryption algorithm has a limit on the length of the encrypted content, and cannot exceed the length of the public key. For example, the length of the public key commonly used at present is 2048 bits, which means that the content to be encrypted cannot exceed 256 bytes.
Therefore, asymmetric encryption and decryption (extremely consuming CPU resources) can only be used for symmetric key exchange or EPCA signature at present, and is not suitable for encryption and decryption of content transmission of an application layer
It should be noted that, in the technical solution of the present application, both a symmetric encryption algorithm, for example, encrypting or decrypting communication data by using a random number as an encryption key, and an asymmetric encryption algorithm, for example, encrypting a public key of the management module by using an authentication private key, and decrypting a public key ciphertext of the management module by using an authentication public key, are used.
The present application describes embodiments of a data encryption method applied to an electric energy meter from two different execution entities, one of which uses a metering module as an execution entity and the other of which uses a management module as an execution entity. The processes of the two are mutually corresponding.
Fig. 3 is a flowchart of a data encryption method applied to an electric energy meter according to an embodiment of the present application. As shown in fig. 3, the method applied to the metrology module specifically includes the following steps:
s10: initiating an acquisition request to a management module to acquire a public key ciphertext of the management module; and the public key ciphertext is obtained by encrypting the public key of the management module by the authentication private key of the authentication terminal.
S11: and decrypting the public key ciphertext by using the authentication public key of the authentication terminal to obtain the public key of the management module.
S12: the random number generator is triggered to generate a random number.
S13: and encrypting the random number through the public key of the management module to obtain a random number ciphertext, and sending the random number ciphertext to the management module so that the management module decrypts the random number ciphertext through the private key of the management module to obtain the random number.
S14: when a communication data transmission request is generated, communication data is encrypted or decrypted by using a random number as an encryption key.
Fig. 4 is a schematic diagram of an algorithm package library according to an embodiment of the present application. It should be noted that various programs and related algorithms related in the present application document can be implemented by LIB library, specifically, the related algorithms in LIB library are private EPCA (electric power company digital signature Certificate Authority, EPCA for short) and are packaged as LIB library after anti-compilation and confusion prevention processing, EPCA provides LIB library to electric energy meter manufacturer and provides API interface description document; the steps are as follows:
1) generating a library function;
2) anti-decompilation confusion design processing of library functions is carried out;
3) packaging library functions to form a LIB file (the LIB library in the whole text is the LIB file);
4) the LIB library is issued by EPCA to various electric energy meter manufacturers.
The management module supplies goods manufacturers to embed an LIB library in a Main Control Unit (MCU) or a security chip of the management module, and when encryption key synchronization and data encryption and decryption operations are carried out between the double chips, if the MCU of the management module is embedded into the LIB library, the MCU of the management module directly calls an API function in the LIB library; if the safety chip in the management module is embedded into the LIB library, the management module MCU is communicated with the safety chip through the physical data bus and then calls the API function embedded into the LIB library by the safety chip.
Fig. 5 is a schematic diagram of an off-chip memory of an MCU according to an embodiment of the present application storing an asymmetric encryption key. The management module is embedded with a pair of asymmetric encryption KEYs, namely a public KEY _ M of the management module and a private KEY _ M' of the management module, the management module manufacturer calls an asymmetric encryption algorithm KEY in an LIB library to generate the KEY, the public KEY _ M of the management module is issued to the management module during production, the management module can store the asymmetric encryption KEYs in an on-chip memory of a management module MCU or an off-chip memory of the MCU, and the following three points are met:
1) if the asymmetric encryption key is stored in the MCU off-chip memory, the MCU calls the disorder algorithm in the LIB library to execute the disorder algorithm on the key to be stored, and then the key to be stored is stored in the MCU off-chip memory. For example, if the public key of the management module before executing the disorder algorithm is X and the private key of the management module is X ', after executing the disorder algorithm operation, the public key of the management module in the off-chip memory becomes Y and the private key of the management module becomes Y'. If Y and Y 'are illegally intercepted, after Y' is used for encryption or a digital signature is generated, Y cannot be used for correct decryption or signature verification is successful; after being encrypted by Y, it cannot be correctly decrypted by Y'. When the system is needed to be used, the MCU acquires Y and Y 'in the off-chip memory through the bus, and then can calculate back to obtain X and X' through a positive sequence algorithm.
2) If the asymmetric encryption key is stored in the MCU off-chip memory, the MCU calls the confusion algorithm in the LIB library to execute the confusion algorithm on the key to be stored, and then the key to be stored is stored in the MCU off-chip memory. For example, if the public key is X and the private key is X 'before the obfuscation algorithm is performed, the public key in the memory is changed to Y and the private key is changed to Y' after the obfuscation algorithm is performed. If Y and Y 'are illegally intercepted, after Y' is used for encryption or a digital signature is generated, Y cannot be used for correct decryption or signature verification is successful; after being encrypted by Y, it cannot be correctly decrypted by Y'. When the method is needed, the MCU acquires Y and Y 'in the off-chip memory through the bus, and then the X and X' can be obtained through the operation of the confusion reduction algorithm.
3) If the asymmetric encryption key is stored in an on-chip memory of the MCU, the key can only be accessed through an on-chip program or a data bus of the MCU, and an off-chip device which does not support the MCU reads the key through IO and an external bus.
The metering module supply manufacturer embeds LIB library in metering module main control chip or metering chip, SOC and other metering module subsidiary chips, when encryption key synchronization and data encryption and decryption operations are carried out between double chips, if MCU of the metering module is embedded in LIB library, the MCU directly calls API function in LIB library; if the metering module internal metering chip, SOC and other metering module auxiliary chips are embedded into the LIB library, the MCU is communicated with the metering chip or SOC and other auxiliary chips through the physical data bus to call the API function embedded into the LIB library by the auxiliary chips.
The authentication terminal is a device used by the EPCA for directly communicating with the metering module or the management module, and can be a metering center cipher machine, a meter checking platform body or a power master station device and the like. The authentication public key is transmitted by the authentication terminal, so the authentication public key of the authentication terminal is called in the application and represents EPCA, the authentication public key is stored in the metering module in advance, and the authentication public key in the metering module is subjected to initialization assignment operation in two steps, namely:
1) the metering module supply manufacturer initializes the certification public key as a testing key disclosed by EPCA in the production process of the metering module, and the key is matched for use in the verification process of the electric energy meter;
2) after the metering module supplies goods and verifies, the certification public key is set as a formal key during field operation, and after delivery, the certification public key can be set only once in the life cycle of the metering module of the IR46 electric energy meter and is set by EPCA under the safety environment of a verification room and the like.
The basic functions of the management module, the metering module and the authentication terminal are explained in the above steps, and hereinafter, each step in the data encryption process will be explained in detail again.
In the above, it is mentioned that the metering module already stores the authentication public key, and the authentication terminal encrypts the public key of the management module through the authentication private key to obtain a public key ciphertext and transmits the public key ciphertext to the management module, and because the public key is encrypted, the public key is safe. The management module stores a public key ciphertext corresponding to the public key, and the metering module generates a subsequent encryption key through the public key of the management module, so that the metering module needs to know the public key of the management module, and the metering module has an authentication public key, and the public key ciphertext is encrypted through the authentication private key, so that the metering module can obtain the public key of the management module only by acquiring the public key ciphertext. Specifically, the metering module actively initiates an acquisition request to the management module, the content corresponding to the request is to acquire a public key ciphertext, and after the public key ciphertext is acquired, the ciphertext is asymmetrically decrypted by using a pre-stored authentication public key of the authentication terminal, so that the public key is acquired. It can be understood that, since the third party cannot obtain the authentication public key of the authentication terminal, even if the third party intercepts the authentication public key, the public key of the management module cannot be obtained, so that the security of the public key of the management module is ensured. In addition, in the process, an asymmetric encryption method is adopted, the safety performance is high, and the public key is much smaller than the communication data, so that the consumed time is limited in the encryption and decryption processes, and the communication efficiency is not obviously influenced. It can be understood that, in order to reduce unnecessary communication, the initiating of the acquisition request by the metering module to the management module is specifically: and initiating an acquisition request when the metering module detects power-on or detects replacement of the management module.
The metering module is added with a random number generator which is used for generating random numbers, so that the random numbers are selected to be generated instead of a fixed number, and the safety of communication data can be ensured in the subsequent symmetrical encryption process. Because the random number is used as the encryption key in the symmetric encryption algorithm to symmetrically encrypt the communication data, the security of the random number needs to be ensured in the process of transmitting the random number to the management module. Therefore, after the random number is obtained, the metering module carries out asymmetric encryption on the random number by using the obtained public key of the management module to obtain a random number ciphertext. The security is higher by transmitting the random number cipher text than by directly transmitting the random number. After the management module obtains the random number ciphertext, the random number ciphertext is asymmetrically decrypted through the private key of the management module, so that the random number is obtained, and the management module and the metering module realize the synchronization of the encryption key. When a communication data transmission request is generated between the management module and the metering module, the management module and the metering module can encrypt or decrypt communication data by using a random number as an encryption key. In one scenario, the management module serves as a sending end, the metering module serves as a receiving end, and then the management module encrypts the communication data through the random number to obtain a communication data ciphertext, and then the communication data ciphertext is sent to the metering module. And after the metering module obtains the communication data ciphertext, the metering module decrypts the communication data ciphertext by using the random number to obtain the communication data plaintext. It can be understood that, for the management module and the metering module, both can be used as a sending end and a receiving end, and accordingly, both can encrypt the communication data and decrypt the communication data.
The data encryption method applied to the electric energy meter provided by the embodiment is realized by the metering module, and specifically comprises the following steps: initiating an acquisition request to a management module to acquire a public key ciphertext of the management module; and after the public key ciphertext is obtained, the public key ciphertext is decrypted by using the authentication public key of the authentication terminal to obtain the public key of the management module. And then the random number generated by the random number generator is encrypted by the public key of the management module to obtain a random number ciphertext, and the random number ciphertext is sent to the management module, so that the management module can decrypt the random number ciphertext by the private key of the management module to obtain the random number to realize the synchronization of the encryption key. Finally, when a communication data transmission request is generated, the communication data is encrypted or decrypted by using the random number as an encryption key. Therefore, in the technical scheme, the data volume of the public key and the random number of the management module is small, so that the public key and the random number are subjected to asymmetric encryption, the problem of large calculation amount caused by asymmetric encryption can be solved, and the security is high; the data volume of the communication data is large, so that the communication data is symmetrically encrypted, and the encryption key used by the symmetric encryption is a random number and is randomly generated, so that a large database does not need to be managed, and the problem that a large database needs to be managed by a symmetric encryption algorithm can be solved.
On the basis of the foregoing embodiment, as a preferred implementation manner, when obtaining the public key ciphertext of the management module, the metering module further includes:
acquiring a digital signature certificate of a management module;
and checking the digital signature certificate according to the authentication public key, judging whether the digital signature certificate passes the checking, and if so, entering the step S11.
In this embodiment, when the metering module initiates the acquisition request, the metering module acquires the public key digital signature certificate of the management module. The digital signature certificate is used for verifying the validity of the management module. Specifically, the digital signature certificate is generated by the authentication terminal and is sent to the management module.
By using the digital signature certificate in the embodiment, the security of the communication data transmission between the two cores can be further improved.
In order to make the present solution more clear to those skilled in the art, the generation and issuance process of the digital signature certificate will be described. Fig. 6 is a schematic diagram of digital signature certificate generation according to an embodiment of the present application.
1) Generation process of digital signature certificate
In the supply verification process of the IR46 electric energy meter management module, EPCA performs the following steps in the safe environment such as a verification room:
s100: the authentication terminal acquires a public KEY (KEY _ M) of the management module;
s101: the authentication terminal uses the public KEY (KEY _ M) of the authentication private KEY encryption management module to obtain a public KEY ciphertext C _ KEY _ M;
s102: the authentication terminal uses a hash function to carry out hash operation on the public KEY ciphertext C _ KEY _ M to generate a public KEY ciphertext abstract;
s103: and the authentication terminal uses the authentication private key to call a digital signature algorithm to the public key ciphertext abstract to encrypt the public key ciphertext abstract so as to obtain a digital signature.
S104: and the authentication terminal forms a digital signature certificate through the public key ciphertext and the digital signature.
2) Process for issuing digitally signed certificates
The digital signature certificate issuing is uniquely executed by an EPCA (electronic product Access control) mechanism, and the EPCA performs security authentication by an embedded security control module (ESAM) through an authentication terminal and a management module;
the authentication terminal encrypts and signs the generated digital signature certificate of the management module in an ESAM ciphertext and MAC mode and then issues the encrypted and signed digital signature certificate to the management module;
the management module receives the ciphertext and the MAC data and then performs ESAM decryption and signature verification;
if the management module is successful in decryption and signature verification, receiving the current digital signature certificate and storing the current digital signature certificate in the nonvolatile memory; otherwise, discard and report an error.
Fig. 7 is a schematic diagram of a metering module for performing digital signature verification according to an embodiment of the present disclosure. At the side of the metering module, the verification of the digital signature certificate needs to be performed by the authentication public key pre-stored by the metering module, and the method comprises the following steps:
s110: whether the metering module detects power-on or management module replacement or not is judged, and if yes, S111 is entered;
s111: acquiring a digital signature certificate;
s112: verifying the digital signature certificate by using the authentication public key, and judging whether the verification passes, if so, entering S113, otherwise, entering S114;
s113: a digitally signed certificate is received.
S114: and reporting an error.
It can be understood that if the signature verification is enabled to pass, the public key ciphertext obtained together is also legal, and if the signature verification is not enabled to pass, the public key ciphertext obtained together is also illegal, and the processing is directly discarded. It can be understood that, after the signature verification passes, S11 and subsequent steps are continuously performed, and details are not described in this embodiment.
On the basis of the above embodiment, when the communication data transmission request is to send data, the method further includes:
and accumulating and checking the communication data.
It should be noted that, it is possible to accumulate and verify the communication data first or encrypt the communication data line, and the implementation of the scheme of the present application is not affected.
For the key interactive data between the two cores, the types of the communication data comprise: the key parameters of the running parameters, the electric energy, the clock, the instantaneous quantity, the running state quantity and the like. For example, the following steps are carried out: assuming that the communication data of the sending end is X, the communication data becomes Y after symmetric encryption, but Y generates displacement of certain data bits due to bus interference in the transmission process, so that the ciphertext data received by the receiving end becomes Z, and when the receiving end decrypts by using the same symmetric encryption algorithm and encryption key as the sending end, the correct data X cannot be obtained.
In order to solve the problem, communication data are used for calculating accumulation SUM SUM, the communication data and SUM are encrypted and transmitted together, after a server receives ciphertext data, the CHECK SUM CHECK _ SUM is recalculated by using plaintext communication data after decryption, whether the SUM is consistent with the CHECK _ SUM or not is compared, if yes, the data are received, and if not, discarding processing is carried out. In other embodiments, if the frame is inconsistent with the frame, the sending end may also respond abnormally, and the sending end performs fault-tolerant retransmission processing after receiving the abnormal response frame. A specific implementation mode is given as follows, and the steps comprise the following steps:
1) the sending end calculates communication DATA (DATA) accumulated SUM (SUM), the accumulated SUM is the SUM of all modulo 256 of each byte of the DATA, namely binary arithmetic SUM of each byte, and overflow values exceeding 256 are not counted;
2) the sending end calls an encryption key encryption DATA and an accumulation SUM SUM of a symmetric encryption algorithm in the LIB library and a symmetric encryption algorithm after double-core synchronization;
3) the sending end sends the encrypted ciphertext to the receiving end;
4) after receiving the ciphertext, the receiving end calls an encryption key of a symmetric encryption algorithm in the LIB library and an encryption key of the symmetric encryption algorithm after the double-core synchronization to decrypt the received ciphertext;
5) the receiving end recalculates the cumulative SUM (CHECK _ SUM) by using the decrypted DATA DATA;
6) the receiving end compares whether the decrypted SUM is consistent with the CHECK _ SUM or not;
7) if the SUM is consistent with the CHECK _ SUM, the receiving end receives the DATA and normally responds to the transmitting end;
8) if the SUM is inconsistent with the CHECK _ SUM, the receiving end discards the DATA and abnormally responds to the transmitting end.
In other embodiments, after receiving the abnormal response from the receiving end, the sending end re-initiates the previous frame data retransmission mechanism, and the number of retransmissions may be determined according to actual situations, for example, may be 3 times.
Therefore, the problem that the communication data cannot be known due to errors in the transmission process can be prevented by accumulating and checking the communication data, and the accuracy of data transmission is improved.
The above embodiments have been described in detail with respect to the embodiments on the metering module side, and the present application also provides embodiments on the management module side. Fig. 8 is a flowchart of another data encryption method applied to an electric energy meter according to an embodiment of the present application. As shown in fig. 8, the method is applied to a management module, and includes:
s20: sending the public key ciphertext of the management module to the metering module according to the acquisition request initiated by the metering module; the public key ciphertext is obtained by encrypting the public key of the management module by the authentication private key of the authentication terminal;
s21: receiving a random number ciphertext sent by the metering module; the random number ciphertext is obtained by encrypting the random number generated by the random number generator by using the public key of the management module for the metering module, and the public key of the management module is obtained by decrypting the public key ciphertext by using the authentication public key of the authentication terminal for the metering module;
s22: decrypting the random number ciphertext through a private key of the management module to obtain a random number;
s23: when a communication data transmission request is generated, communication data is encrypted or decrypted by using a random number as an encryption key.
It can be understood that, the private key of the management module and the public key of the management module can be stored in the on-chip memory or the off-chip memory, as a preferred embodiment, when the private key of the management module and the public key of the management module are stored in the off-chip memory, the method further includes:
and encrypting the private key of the management module and the public key of the management module.
In the above embodiments, the management module, the authentication terminal, and the like are all described, so the description of this embodiment is omitted.
The data encryption method applied to the electric energy meter provided by the embodiment is realized by a management module, and specifically comprises the following steps: and sending the public key ciphertext to the metering module, and then receiving the random number ciphertext sent by the metering module, wherein the random number ciphertext is obtained by encrypting the random number generated by the random number generator by using the public key of the management module for the metering module, and the public key of the management module is obtained by decrypting the public key ciphertext by using the authentication public key of the authentication terminal for the metering module. And finally, decrypting the random number ciphertext through a private key of the management module to obtain a random number, and encrypting or decrypting the communication data by using the random number as an encryption key. Therefore, in the technical scheme, the data volume of the public key and the random number of the management module is small, so that the public key and the random number are subjected to asymmetric encryption, the problem of large calculation amount caused by asymmetric encryption can be solved, and the security is high; the data volume of the communication data is large, so that the communication data is symmetrically encrypted, and the encryption key used by the symmetric encryption is a random number and is randomly generated, so that a large database does not need to be managed, and the problem that a large database needs to be managed by a symmetric encryption algorithm can be solved.
Fig. 9 is a schematic diagram illustrating an interaction between a metering module and a management module according to an embodiment of the present disclosure. Both of them use LIB library to hold the algorithms, programs, etc. used. In the aspect of a memory, the metering module stores an authentication public key, and the management module stores a public key of the management module, a private key of the management module and a digital signature certificate. In the key synchronization process, the metering module generates a random number on the one hand, acquires a digital signature certificate of the management module on the other hand, verifies the signature by using an authentication public key, encrypts the random number by using the public key of the management module after the signature passes the verification to obtain a random number ciphertext, acquires the random number ciphertext by using a private key of the management module, decrypts the random number ciphertext by using a private key of the management module, if the decryption is successful, the source of the random number is legal, caches the random number as an encryption key and correctly answers the metering module, and after the metering module receives a correct answer frame of the management module, the metering module also caches the current random number as the encryption key; if the random number is unsuccessful, the source of the random number is not legal, and a warning is given. In the aspect of data transmission, the metering module serves as a sending end, and the management module serves as a receiving end to transmit communication data.
Fig. 10 is a structural diagram of a data encryption device applied to an electric energy meter according to an embodiment of the present application. As shown in fig. 10, the apparatus is applied to a metrology module, and includes:
the request module 10 is configured to initiate an acquisition request to the management module to acquire a public key ciphertext of the management module; the public key ciphertext is obtained by encrypting the public key of the management module by the authentication private key of the authentication terminal;
the decryption module 11 is configured to decrypt the public key ciphertext with the authentication public key of the authentication terminal to obtain a public key of the management module;
a triggering module 12, configured to trigger the random number generator to generate a random number;
the encryption module 13 is used for encrypting the random number through the public key of the management module to obtain a random number ciphertext and sending the random number ciphertext to the management module so that the management module decrypts the random number ciphertext through the private key of the management module to obtain the random number;
and a transceiver module 14 for encrypting or decrypting the communication data by using the random number as an encryption key when the communication data transmission request is generated.
Since the embodiments of the apparatus portion and the method portion correspond to each other, please refer to the description of the embodiments of the method portion for the embodiments of the apparatus portion, which is not repeated here.
The data encryption device that is applied to electric energy meter that this embodiment provided realizes by the measurement module, specifically includes: initiating an acquisition request to a management module to acquire a public key ciphertext of the management module; and after the public key ciphertext is obtained, the public key ciphertext is decrypted by using the authentication public key of the authentication terminal to obtain the public key of the management module. And then the random number generated by the random number generator is encrypted by the public key of the management module to obtain a random number ciphertext, and the random number ciphertext is sent to the management module, so that the management module can decrypt the random number ciphertext by the private key of the management module to obtain the random number to realize the synchronization of the encryption key. Finally, when a communication data transmission request is generated, the communication data is encrypted or decrypted by using the random number as an encryption key. Therefore, in the technical scheme, the data volume of the public key and the random number of the management module is small, so that the public key and the random number are subjected to asymmetric encryption, the problem of large calculation amount caused by asymmetric encryption can be solved, and the security is high; the data volume of the communication data is large, so that the communication data is symmetrically encrypted, and the encryption key used by the symmetric encryption is a random number and is randomly generated, so that a large database does not need to be managed, and the problem that a large database needs to be managed by a symmetric encryption algorithm can be solved.
Fig. 11 is a block diagram of another data encryption device applied to an electric energy meter according to an embodiment of the present application. As shown in fig. 11, the apparatus is applied to a management module, and includes:
the sending module 20 is configured to send the public key ciphertext of the management module to the metering module according to the acquisition request initiated by the metering module; the public key ciphertext is obtained by encrypting the public key of the management module by the authentication private key of the authentication terminal;
the receiving module 21 is configured to receive a random number ciphertext sent by the metering module; the random number ciphertext is obtained by encrypting the random number generated by the random number generator by using the public key of the management module for the metering module, and the public key of the management module is obtained by decrypting the public key ciphertext by using the authentication public key of the authentication terminal for the metering module;
the decryption module 22 is used for decrypting the random number ciphertext through the private key of the management module to obtain a random number;
the transceiving module 23 is configured to encrypt or decrypt the communication data by using the random number as an encryption key when the communication data transmission request is generated.
Since the embodiments of the apparatus portion and the method portion correspond to each other, please refer to the description of the embodiments of the method portion for the embodiments of the apparatus portion, which is not repeated here.
The data encryption device applied to the electric energy meter provided by the embodiment is realized by the management module, and specifically comprises: and sending the public key ciphertext to the metering module, and then receiving the random number ciphertext sent by the metering module, wherein the random number ciphertext is obtained by encrypting the random number generated by the random number generator by using the public key of the management module for the metering module, and the public key of the management module is obtained by decrypting the public key ciphertext by using the authentication public key of the authentication terminal for the metering module. And finally, decrypting the random number ciphertext through a private key of the management module to obtain a random number, and encrypting or decrypting the communication data by using the random number as an encryption key. Therefore, in the technical scheme, the data volume of the public key and the random number of the management module is small, so that the public key and the random number are subjected to asymmetric encryption, the problem of large calculation amount caused by asymmetric encryption can be solved, and the security is high; the data volume of the communication data is large, so that the communication data is symmetrically encrypted, and the encryption key used by the symmetric encryption is a random number and is randomly generated, so that a large database does not need to be managed, and the problem that a large database needs to be managed by a symmetric encryption algorithm can be solved.
Finally, the application also provides a corresponding embodiment of the computer readable storage medium. The computer-readable storage medium stores thereon a computer program that, when executed by a processor, implements the steps described in the above-described method embodiments (which may be a method for managing the module side, a method for metering the module side, or a method for managing the module side and metering the module side).
It is to be understood that if the method in the above embodiments is implemented in the form of software functional units and sold or used as a stand-alone product, it can be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium and executes all or part of the steps of the methods described in the embodiments of the present application, or all or part of the technical solutions. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The data encryption method, device and storage medium applied to the electric energy meter provided by the present application are described in detail above. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A data encryption method applied to an electric energy meter is characterized in that the method is applied to a metering module and comprises the following steps:
initiating an acquisition request to a management module to acquire a public key ciphertext of the management module; the public key ciphertext is obtained by encrypting the public key of the management module through an authentication private key of an authentication terminal;
decrypting the public key ciphertext by using the authentication public key of the authentication terminal to obtain a public key of the management module;
triggering a random number generator to generate a random number;
encrypting the random number through a public key of the management module to obtain a random number ciphertext, and sending the random number ciphertext to the management module so that the management module decrypts the random number ciphertext through a private key of the management module to obtain the random number;
when a communication data transmission request is generated, communication data is encrypted or decrypted by using the random number as an encryption key.
2. The data encryption method according to claim 1, when obtaining the public key cryptograph of the management module, further comprising:
acquiring a digital signature certificate of the management module; the digital signature certificate is generated by the authentication terminal and is sent to the management module;
checking the digital signature certificate according to the authentication public key, and judging whether the digital signature certificate passes the checking;
if so, the step of decrypting the public key ciphertext by using the authentication public key of the authentication terminal to obtain the public key of the management module is carried out.
3. The data encryption method according to claim 2, wherein the encrypting the public key of the management module by the public key cryptograph through the authentication private key of the authentication terminal specifically comprises:
the authentication terminal acquires a public key of the management module;
the authentication terminal encrypts the public key of the management module through the authentication private key to obtain the public key ciphertext;
the generating, by the authentication terminal, the digital signature certificate specifically includes:
performing Hash operation on the public key ciphertext to obtain a public key ciphertext abstract;
encrypting the public key ciphertext abstract through the authentication private key to obtain the digital signature;
and forming a digital signature certificate through the public key ciphertext and the digital signature.
4. The data encryption method according to any one of claims 1 to 3, wherein when the communication data transmission request is transmission data, further comprising:
and accumulating and checking the communication data.
5. The data encryption method according to claim 1, wherein the sending the acquisition request to the management module specifically comprises: and initiating the acquisition request when the metering module detects power-on or detects replacement of the management module.
6. A data encryption method applied to an electric energy meter is characterized by being applied to a management module, and the method comprises the following steps:
sending the public key ciphertext of the management module to the metering module according to an acquisition request initiated by the metering module; the public key ciphertext is obtained by encrypting the public key of the management module through an authentication private key of an authentication terminal;
receiving a random number ciphertext sent by the metering module; the random number ciphertext is obtained by encrypting the random number generated by the random number generator by the metering module through the public key of the management module, and the public key of the management module is obtained by decrypting the public key ciphertext through the authentication public key of the authentication terminal by the metering module;
decrypting the random number ciphertext through a private key of the management module to obtain the random number;
when a communication data transmission request is generated, communication data is encrypted or decrypted by using the random number as an encryption key.
7. The data encryption method of claim 6, wherein when the private key of the management module and the public key of the management module are stored in an off-chip memory, further comprising:
and encrypting the private key of the management module and the public key of the management module.
8. The utility model provides a be applied to data encryption device of electric energy meter which characterized in that is applied to the measurement module, and the device includes:
the request module is used for initiating an acquisition request to the management module so as to acquire the public key ciphertext of the management module; the public key ciphertext is obtained by encrypting the public key of the management module through an authentication private key of an authentication terminal;
the decryption module is used for decrypting the public key ciphertext by using the authentication public key of the authentication terminal to obtain the public key of the management module;
the trigger module is used for triggering the random number generator to generate a random number;
the encryption module is used for encrypting the random number through the public key of the management module to obtain a random number ciphertext and sending the random number ciphertext to the management module so that the management module can decrypt the random number ciphertext through the private key of the management module to obtain the random number;
and the transceiving module is used for encrypting or decrypting the communication data by using the random number as an encryption key when the communication data transmission request is generated.
9. The utility model provides a be applied to data encryption device of electric energy meter which characterized in that is applied to the management module, and the device includes:
the sending module is used for sending the public key ciphertext of the management module to the metering module according to the acquisition request initiated by the metering module; the public key ciphertext is obtained by encrypting the public key of the management module through an authentication private key of an authentication terminal;
the receiving module is used for receiving the random number ciphertext sent by the metering module; the random number ciphertext is obtained by encrypting the random number generated by the random number generator by the metering module through the public key of the management module, and the public key of the management module is obtained by decrypting the public key ciphertext through the authentication public key of the authentication terminal by the metering module;
the decryption module is used for decrypting the random number ciphertext through a private key of the management module to obtain the random number;
and the transceiving module is used for encrypting or decrypting the communication data by using the random number as an encryption key when the communication data transmission request is generated.
10. A computer-readable storage medium, characterized in that a computer program is stored thereon, which, when being executed by a processor, carries out the steps of the data encryption method applied to an electric energy meter according to any one of claims 1 to 7.
CN202010093609.3A 2020-02-14 2020-02-14 Data encryption method and device applied to electric energy meter and storage medium Active CN111343164B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010093609.3A CN111343164B (en) 2020-02-14 2020-02-14 Data encryption method and device applied to electric energy meter and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010093609.3A CN111343164B (en) 2020-02-14 2020-02-14 Data encryption method and device applied to electric energy meter and storage medium

Publications (2)

Publication Number Publication Date
CN111343164A true CN111343164A (en) 2020-06-26
CN111343164B CN111343164B (en) 2022-07-01

Family

ID=71186907

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010093609.3A Active CN111343164B (en) 2020-02-14 2020-02-14 Data encryption method and device applied to electric energy meter and storage medium

Country Status (1)

Country Link
CN (1) CN111343164B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111768608A (en) * 2020-07-16 2020-10-13 南方电网数字电网研究院有限公司 Data transmission method and device based on double-core intelligent electric meter and computer equipment
CN112202549A (en) * 2020-09-02 2021-01-08 深圳市车电网络有限公司 Charging management method, charging terminal data processing method and charging management platform data processing method
CN112507359A (en) * 2020-12-08 2021-03-16 湖南炬神电子有限公司 Shared charger encryption and decryption method and system
CN112769764A (en) * 2020-12-23 2021-05-07 南方电网电力科技股份有限公司 Metering data transmission key storage method of instrument and transmission method and device thereof
CN115201561A (en) * 2021-04-09 2022-10-18 浙江正泰仪器仪表有限责任公司 Electric energy meter data transmission system, control method and electric energy meter

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060206433A1 (en) * 2005-03-11 2006-09-14 Elster Electricity, Llc. Secure and authenticated delivery of data from an automated meter reading system
CN103201979A (en) * 2010-09-07 2013-07-10 费伯普恩特有限公司 A modular combined optical data network and independent DC power distribution system
CN103679062A (en) * 2013-12-23 2014-03-26 上海贝岭股份有限公司 Intelligent electric meter main control chip and security encryption method
CN106501599A (en) * 2016-10-17 2017-03-15 国家电网公司 Twin-core electric energy meter data exchange validity determines method and system and twin-core electric energy meter

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060206433A1 (en) * 2005-03-11 2006-09-14 Elster Electricity, Llc. Secure and authenticated delivery of data from an automated meter reading system
CN103201979A (en) * 2010-09-07 2013-07-10 费伯普恩特有限公司 A modular combined optical data network and independent DC power distribution system
CN103679062A (en) * 2013-12-23 2014-03-26 上海贝岭股份有限公司 Intelligent electric meter main control chip and security encryption method
CN106501599A (en) * 2016-10-17 2017-03-15 国家电网公司 Twin-core electric energy meter data exchange validity determines method and system and twin-core electric energy meter

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111768608A (en) * 2020-07-16 2020-10-13 南方电网数字电网研究院有限公司 Data transmission method and device based on double-core intelligent electric meter and computer equipment
CN111768608B (en) * 2020-07-16 2021-06-04 南方电网数字电网研究院有限公司 Data transmission method and device based on double-core intelligent electric meter and computer equipment
CN112202549A (en) * 2020-09-02 2021-01-08 深圳市车电网络有限公司 Charging management method, charging terminal data processing method and charging management platform data processing method
CN112507359A (en) * 2020-12-08 2021-03-16 湖南炬神电子有限公司 Shared charger encryption and decryption method and system
CN112507359B (en) * 2020-12-08 2021-09-07 湖南炬神电子有限公司 Shared charger encryption and decryption method and system
CN112769764A (en) * 2020-12-23 2021-05-07 南方电网电力科技股份有限公司 Metering data transmission key storage method of instrument and transmission method and device thereof
CN115201561A (en) * 2021-04-09 2022-10-18 浙江正泰仪器仪表有限责任公司 Electric energy meter data transmission system, control method and electric energy meter
CN115201561B (en) * 2021-04-09 2023-10-24 浙江正泰仪器仪表有限责任公司 Electric energy meter data transmission system, control method and electric energy meter

Also Published As

Publication number Publication date
CN111343164B (en) 2022-07-01

Similar Documents

Publication Publication Date Title
CN111343164B (en) Data encryption method and device applied to electric energy meter and storage medium
JP3858527B2 (en) Data generation apparatus, data verification apparatus and method
EP2291787B1 (en) Techniques for ensuring authentication and integrity of communications
CN103716321B (en) A kind of terminal master key TMK safety downloading method and systems
KR101752083B1 (en) Device authenticity determination system and device authenticity determination method
CN111147225A (en) Credible measurement and control network authentication method based on double secret values and chaotic encryption
CN111131278B (en) Data processing method and device, computer storage medium and electronic equipment
CN111614621B (en) Internet of things communication method and system
CN107094108A (en) The method for being connected to the part of data/address bus and encryption function being realized in the part
CN112702318A (en) Communication encryption method, decryption method, client and server
CN110149209A (en) Internet of things equipment and its method and apparatus of improve data transfer safety
CN113612610B (en) Session key negotiation method
KR102017758B1 (en) Health device, gateway device and method for securing protocol using the same
JP2022521525A (en) Cryptographic method for validating data
CN114553416A (en) Data encryption processing method for signature verification of application program interface
CN109951276A (en) Embedded device remote identity authentication method based on TPM
CN114448641A (en) Privacy encryption method, electronic equipment, storage medium and chip
CN113312608A (en) Electric power metering terminal identity authentication method and system based on timestamp
CN110049045B (en) Safety certification system for power line carrier
CN114726536A (en) Timestamp generation method and device, electronic equipment and storage medium
CN113784342B (en) Encryption communication method and system based on Internet of things terminal
CN112787990B (en) Power terminal trusted access authentication method and system
CN114448607A (en) Offline device security authentication system based on PUF technology and implementation method
CN113691376A (en) Key management method and device
JP2004274134A (en) Communication method, communication system using the communication method, server and client

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant