CN111654378B - Data security self-checking method based on electric power security gateway - Google Patents

Data security self-checking method based on electric power security gateway Download PDF

Info

Publication number
CN111654378B
CN111654378B CN202010467023.9A CN202010467023A CN111654378B CN 111654378 B CN111654378 B CN 111654378B CN 202010467023 A CN202010467023 A CN 202010467023A CN 111654378 B CN111654378 B CN 111654378B
Authority
CN
China
Prior art keywords
preset
security gateway
self
data
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010467023.9A
Other languages
Chinese (zh)
Other versions
CN111654378A (en
Inventor
尹健
张春
郑东曦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Weide Information Technology Co ltd
Original Assignee
Guangdong Weide Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong Weide Information Technology Co ltd filed Critical Guangdong Weide Information Technology Co ltd
Priority to CN202010467023.9A priority Critical patent/CN111654378B/en
Publication of CN111654378A publication Critical patent/CN111654378A/en
Application granted granted Critical
Publication of CN111654378B publication Critical patent/CN111654378B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The invention discloses a data security self-checking method based on an electric power security gateway, which comprises the following steps: setting preset plaintext data, a secret key and preset ciphertext data, calling an SM1 password module of a security gateway, and calculating the preset plaintext data and the preset ciphertext data to determine the correctness of the SM1 password module; setting a preset public and private key pair, a preset message to be signed and preset signature data, calling an SM2 password module of a security gateway, and verifying the preset message to be signed and the preset signature data through the preset public and private key pair to determine the correctness of the SM2 password module; signing a preset message to be signed through a preset private key to obtain preset signature data; setting a preset message and a preset hash value, calling an SM3 cryptographic module of a security gateway, performing hash operation on the preset message, and determining the correctness of the SM3 cryptographic module; and randomly generating a plurality of groups of random number data, calling a random number generation module of the security gateway, carrying out self-inspection on the random number data, and determining the correctness of the random number generation module.

Description

Data security self-checking method based on electric power security gateway
Technical Field
The invention relates to the field of data self-inspection of an electric power security gateway, in particular to a data security self-inspection method based on the electric power security gateway.
Background
The security gateway is widely applied in the power distribution industry, the security, confidentiality and integrity of cross-network information transmission are ensured by deploying the security gateway at a network boundary, and the effective authentication, authorization and data transmission security of the identity between a client and a server are realized; therefore, the access method of the security gateway is an important link in the gateway technology.
The traditional security gateway uses a common encryption application mode, the security of the device is not self-checked before data is transmitted, and when configuration parameters of the security gateway device have errors, the security gateway can generate operation errors when the transmitted data is encrypted or decrypted, so that encryption failure or decryption failure is caused, and irreparable loss is caused.
Therefore, a data security self-checking strategy based on an electric power security gateway is urgently needed in the market at present, self-checking can be performed before data is transmitted, errors of configuration parameters of security gateway equipment are avoided, and stability of encryption processing and decryption processing of the security gateway is improved.
Disclosure of Invention
The invention provides a data security self-checking method based on an electric power security gateway, which can carry out self-checking before data is transmitted, avoid errors of configuration parameters of security gateway equipment and improve the stability of encryption processing and decryption processing of the security gateway.
In order to solve the above technical problem, an embodiment of the present invention provides a data security self-checking method based on an electric power security gateway, including:
setting preset plaintext data, a secret key and preset ciphertext data, calling an SM1 password module in a security gateway, calculating the preset plaintext data and the preset ciphertext data, and determining the correctness of the SM1 password module in the security gateway according to the calculation result; the preset plaintext data is subjected to the secret key encryption operation to obtain the preset ciphertext data;
setting a preset public and private key pair, a preset message to be signed and preset signature data, calling an SM2 password module in a security gateway, verifying the preset message to be signed and the preset signature data through the preset public and private key pair, and determining the correctness of the SM2 password module in the security gateway according to a verification result; the preset public and private key pair comprises a preset public key and a corresponding preset private key; signing a preset message to be signed through a preset private key to obtain preset signature data;
setting a preset message and a corresponding preset hash value, calling an SM3 cryptographic module in a security gateway, carrying out hash operation on the preset message, and determining the correctness of the SM3 cryptographic module in the security gateway according to an operation result;
randomly generating a plurality of groups of random number data, calling a random number generation module in the security gateway, carrying out power-on self-test on the random number data, and determining the correctness of the random number generation module in the security gateway according to a self-test result;
and when the correctness of the SM1 cryptographic module, the SM2 cryptographic module, the SM3 cryptographic module and the random number generation module are all determined to be successful in self-checking, determining that the security gateway is successful in self-checking.
As a preferred scheme, the step of performing an operation on the preset plaintext data and the preset ciphertext data and determining the correctness of the SM1 cryptographic module in the security gateway according to an operation result specifically includes:
carrying out encryption operation on the preset plaintext data according to a secret key to obtain actual ciphertext data, and when the actual ciphertext data is determined to be consistent with the preset ciphertext data, determining that an SM1 password module in the security gateway succeeds in self-checking; when the actual ciphertext data is determined to be inconsistent with the preset ciphertext data, determining that the SM1 password module in the security gateway fails to perform self-checking;
or, carrying out decryption operation on the preset ciphertext data according to a secret key to obtain actual plaintext data, and when the actual plaintext data is determined to be consistent with the preset plaintext data, determining that the SM1 password module in the security gateway succeeds in self-checking; determining that the SM1 cryptographic module in the security gateway fails the self-test when it is determined that the actual plaintext data is inconsistent with the pre-set plaintext data.
As a preferred scheme, the step of verifying the preset message to be signed and the preset signature data through the preset public-private key pair and determining the correctness of the SM2 cryptographic module in the security gateway according to the verification result specifically includes:
verifying the preset signature data through a preset public key, and when the preset signature data passes the verification, determining that the self-checking of an SM2 cryptographic module in the security gateway is successful; when the verification fails, determining that the SM2 password module in the security gateway fails to self-check;
or, signing the preset message to be signed through a preset private key to obtain actual signature data, verifying the actual signature data through a preset public key, and determining that the SM2 cryptographic module in the security gateway succeeds in self-checking when the verification is passed; when the authentication fails, it is determined that the SM2 cryptographic module in the security gateway failed the self-test.
Preferably, the step of determining the correctness of the SM2 cryptographic module in the security gateway further includes:
setting SM2 plaintext data and corresponding SM2 ciphertext data, calling an SM2 cipher module in the security gateway, verifying the SM2 plaintext data and the corresponding SM2 ciphertext data through the preset public and private key pair, and determining that the self-checking of the SM2 cipher module in the security gateway is successful when the verification is passed.
Preferably, the step of determining the correctness of the SM2 cryptographic module in the security gateway further includes:
and generating an SM2 public and private key pair, calling an SM2 password module in the security gateway, verifying the preset message to be signed and the preset signature data through the SM2 public and private key pair, and determining that the self-checking of the SM2 password module in the security gateway is successful when the verification is passed.
As a preferred scheme, the step of performing hash operation on the preset message and determining the correctness of the SM3 cryptographic module in the security gateway according to the operation result specifically includes:
performing hash operation on the first 3 bytes in the preset message to obtain a first actual hash value, and when the first actual hash value is determined to be consistent with the preset hash value, determining that the self-checking of the SM3 cryptographic module in the security gateway is successful; when the first actual hash value is determined to be inconsistent with the preset hash value, determining that the SM3 cryptographic module in the security gateway fails to perform self-checking;
or, performing hash operation on the first 64 bytes in the preset message to obtain a second actual hash value, and when it is determined that the second actual hash value is consistent with the preset hash value, determining that the self-checking of the SM3 cryptographic module in the security gateway is successful; determining that the SM3 cryptographic module in the security gateway fails the self-test when it is determined that the second actual hash value is inconsistent with the pre-set hash value.
As a preferred scheme, the step of performing power-on self-test on the random number data and determining the correctness of the random number generation module in the security gateway according to a self-test result specifically includes:
random number data is subjected to randomness detection through a random quality detection algorithm, and when the random number data are determined to pass detection completely, the random number generation module in the security gateway is determined to be successful in self-checking; otherwise, the self-checking fails and gives an alarm, and the security gateway is controlled to stop working.
Preferably, the step of determining the correctness of the random number generation module in the security gateway further includes:
setting a self-checking period, carrying out periodic randomness detection on random number data through a random quality detection algorithm, and determining that a random number generation module in the security gateway successfully carries out self-checking when the random number data is determined to completely pass the detection in the self-checking period; otherwise, the self-checking fails and gives an alarm, and the security gateway is controlled to stop working.
Preferably, the step of determining the correctness of the random number generation module in the security gateway further includes:
randomly generating 256 bytes of random number data, carrying out single randomness detection on the 256 bytes of random number data through a random quality detection algorithm, and when the random number data is determined to pass through the detection for a single time, determining that a random number generation module in the security gateway is successfully self-checked; otherwise, the self-checking fails and gives an alarm, and the security gateway is controlled to stop working.
Preferably, before the determination that the self-check of the security gateway is successful, the method further includes: verifying the sensitive data in the security gateway, and when the verification is passed, determining that the self-inspection of the sensitive data in the security gateway is successful;
when the correctness of all the SM1 cryptographic module, the SM2 cryptographic module, the SM3 cryptographic module and the random number generation module is determined to be successful in self-checking, the step of determining that the security gateway is successful in self-checking specifically comprises the following steps:
determining that the security gateway self-tests successfully when the correctness of the SM1 cryptographic module, the SM2 cryptographic module, the SM3 cryptographic module, and the random number generation module are all determined to be successful, and when the sensitive data is determined to be successful.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
according to the technical scheme, the security gateway correctness self-checking is carried out by calling the SM1 password module, the SM2 password module, the SM3 password module and the random number generation module in the security gateway, the correctness of the security gateway is determined, the self-checking is carried out before data transmission, errors of configuration parameters of security gateway equipment are avoided, and the stability of encryption processing and decryption processing of the security gateway is improved.
Drawings
FIG. 1: the invention provides a flow diagram of an embodiment of a data security self-checking method based on an electric power security gateway;
FIG. 2: the invention provides a flow diagram of another embodiment of a data security self-checking method based on a power security gateway.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Fig. 1 is a schematic flow chart of an embodiment of a data security self-inspection method based on an electric power security gateway, the method includes steps S101 to S105, and the steps are as follows:
step S101, setting preset plaintext data, a secret key and preset ciphertext data, calling an SM1 password module in a security gateway, performing operation on the preset plaintext data and the preset ciphertext data, and determining the correctness of the SM1 password module in the security gateway according to an operation result; and obtaining the preset ciphertext data after the preset plaintext data is subjected to the secret key encryption operation.
In this embodiment, the step of performing an operation on the preset plaintext data and the preset ciphertext data and determining the correctness of the SM1 cryptographic module in the security gateway according to the operation result specifically includes:
carrying out encryption operation on the preset plaintext data according to a secret key to obtain actual ciphertext data, and when the actual ciphertext data is determined to be consistent with the preset ciphertext data, determining that an SM1 password module in the security gateway succeeds in self-checking; when the actual ciphertext data is determined to be inconsistent with the preset ciphertext data, determining that the SM1 password module in the security gateway fails to perform self-checking;
or, carrying out decryption operation on the preset ciphertext data according to a secret key to obtain actual plaintext data, and when the actual plaintext data is determined to be consistent with the preset plaintext data, determining that the SM1 password module in the security gateway succeeds in self-checking; determining that the SM1 cryptographic module in the security gateway fails the self-test when it is determined that the actual plaintext data is inconsistent with the pre-set plaintext data.
And (3) repeatedly executing the self-checking process of the algorithm for 50 times, if all the algorithm passes 50 times, the self-checking of the algorithm passes, otherwise, the self-checking of the algorithm fails and alarms, and the IPSEC VPN gateway stops working.
Step S102, setting a preset public and private key pair, a preset message to be signed and preset signature data, calling an SM2 password module in a security gateway, verifying the preset message to be signed and the preset signature data through the preset public and private key pair, and determining the correctness of the SM2 password module in the security gateway according to a verification result; the preset public and private key pair comprises a preset public key and a corresponding preset private key; and signing the preset message to be signed through a preset private key to obtain preset signature data.
In this embodiment, the step of verifying the preset message to be signed and the preset signature data through the preset public and private key pair and determining the correctness of the SM2 cryptographic module in the secure gateway according to the verification result specifically includes:
verifying the preset signature data through a preset public key, and when the preset signature data passes the verification, determining that the self-checking of an SM2 cryptographic module in the security gateway is successful; when the verification fails, determining that the SM2 password module in the security gateway fails to self-check;
or, signing the preset message to be signed through a preset private key to obtain actual signature data, verifying the actual signature data through a preset public key, and determining that the SM2 cryptographic module in the security gateway succeeds in self-checking when the verification is passed; when the authentication fails, it is determined that the SM2 cryptographic module in the security gateway failed the self-test.
In another embodiment, the step of determining the correctness of the SM2 cryptographic module in the security gateway further comprises:
setting SM2 plaintext data and corresponding SM2 ciphertext data, calling an SM2 cipher module in the security gateway, verifying the SM2 plaintext data and the corresponding SM2 ciphertext data through the preset public and private key pair, and determining that the self-checking of the SM2 cipher module in the security gateway is successful when the verification is passed.
Specifically, an SM2 algorithm module of the SJK1538 password card is called, a preset private key is used for decrypting preset ciphertext data, whether the decrypted plaintext data are consistent with preset plaintext data or not is judged, and self-checking fails if the decrypted plaintext data are inconsistent with the preset plaintext data. And encrypting the preset plaintext data by using the public key, decrypting the encrypted result by using the private key, judging whether the decrypted plaintext result is consistent with the preset plaintext data or not, and if the decrypted plaintext result is inconsistent with the preset plaintext data, failing to perform self-checking.
In another embodiment, the step of determining the correctness of the SM2 cryptographic module in the security gateway further comprises:
and generating an SM2 public and private key pair, calling an SM2 password module in the security gateway, verifying the preset message to be signed and the preset signature data through the SM2 public and private key pair, and determining that the self-checking of the SM2 password module in the security gateway is successful when the verification is passed.
Specifically, an SM2 algorithm module of an SJK1538 password card is called to generate a pair of SM2 public and private keys, then a preset message to be signed is used to call an SM2 algorithm module in equipment, the message to be signed is signed by a private key, a signature result is checked by a public key, whether the signature result passes or not is judged, and self-checking fails if the signature result does not pass.
And (3) repeatedly executing the self-checking process of the algorithm for 50 times, wherein if the algorithm passes all 50 times, the self-checking of the algorithm passes, otherwise, the self-checking of the algorithm fails and alarms, and the IPSEC VPN gateway stops working.
Step S103, setting a preset message and a corresponding preset hash value, calling an SM3 cryptographic module in the security gateway, performing hash operation on the preset message, and determining the correctness of the SM3 cryptographic module in the security gateway according to an operation result.
In this embodiment, the step of performing hash operation on the preset message and determining the correctness of the SM3 cryptographic module in the security gateway according to the operation result specifically includes:
performing hash operation on the first 3 bytes in the preset message to obtain a first actual hash value, and when the first actual hash value is determined to be consistent with the preset hash value, determining that the self-checking of the SM3 cryptographic module in the security gateway is successful; when the first actual hash value is determined to be inconsistent with the preset hash value, determining that the SM3 cryptographic module in the security gateway fails to perform self-checking;
or, performing hash operation on the first 64 bytes in the preset message to obtain a second actual hash value, and when it is determined that the second actual hash value is consistent with the preset hash value, determining that the self-checking of the SM3 cryptographic module in the security gateway is successful; determining that the SM3 cryptographic module in the security gateway fails the self-test when it is determined that the second actual hash value is inconsistent with the pre-set hash value.
And (3) repeatedly executing the self-checking process of the algorithm for 50 times, if all the algorithm passes 50 times, the self-checking of the algorithm passes, otherwise, the self-checking of the algorithm fails and alarms, and the IPSECVPN gateway stops working.
And S104, randomly generating a plurality of groups of random number data, calling a random number generation module in the security gateway, carrying out power-on self-test on the random number data, and determining the correctness of the random number generation module in the security gateway according to a self-test result.
In this embodiment, the step of performing power-on self-test on the random number data and determining the correctness of the random number generation module in the security gateway according to the self-test result specifically includes:
random number data is subjected to randomness detection through a random quality detection algorithm, and when the random number data are determined to pass detection completely, the random number generation module in the security gateway is determined to be successful in self-checking; otherwise, the self-checking fails and gives an alarm, and the security gateway is controlled to stop working.
Specifically, a random number generation module in the SJK1538 password card is called to generate 20 groups of 128K bytes of random number data, a random property detection algorithm is used to perform the randomness detection of GM/T0005 + 2012 on the 20 groups of random number data, if all the 20 groups of data are detected by the random property detection algorithm, the random number is powered on and passes the self-test, otherwise the random number self-test fails and gives an alarm, and the IPSEC VPN gateway stops working.
In another embodiment, the step of determining the correctness of the random number generation module in the security gateway further includes: setting a self-checking period, carrying out periodic randomness detection on random number data through a random quality detection algorithm, and determining that a random number generation module in the security gateway successfully carries out self-checking when the random number data is determined to completely pass the detection in the self-checking period; otherwise, the self-checking fails and gives an alarm, and the security gateway is controlled to stop working.
Specifically, setting a period self-check period to be 10 minutes, calling a random number generation module in an SJK1538 password card, generating 20 groups of 2500-byte random number data, and performing single-bit frequency detection, block frequency detection, poker detection, overlapping subsequence detection and total run number detection of GM/T0005-plus-2012 on the 20 groups of random number data by using a random quality detection algorithm, wherein if all the 20 groups of data pass the single-bit frequency detection, the block frequency detection, the poker detection, the overlapping subsequence detection and the total run number detection, the random number period self-check is passed, otherwise, the random number self-check fails and gives an alarm, and the IPSEC VPN gateway stops working.
In another embodiment, the step of determining the correctness of the random number generation module in the security gateway further includes: randomly generating 256 bytes of random number data, carrying out single randomness detection on the 256 bytes of random number data through a random quality detection algorithm, and when the random number data is determined to pass through the detection for a single time, determining that a random number generation module in the security gateway is successfully self-checked; otherwise, the self-checking fails and gives an alarm, and the security gateway is controlled to stop working.
Specifically, a random number generation module in the SJK1538 password card is called to generate 256 bytes of random number data, a random quality detection algorithm is used for carrying out randomness detection on the 256 bytes of random number data by GM/T0005 + 2012, if all the 256 bytes pass the poker detection, the random number passes the single self-check, otherwise, the random number fails the self-check and gives an alarm, and the IPSec VPN gateway stops working.
And S105, when the correctness of the SM1 password module, the SM2 password module, the SM3 password module and the random number generation module is determined to be all successful in self-checking, the security gateway is determined to be successful in self-checking.
Example 2
Referring to fig. 2, which is a schematic flow chart of another embodiment of the data security self-inspection method based on the power security gateway provided in the present invention, the areas of the embodiment 2 and the embodiment 1 are that before the determining that the self-inspection of the security gateway is successful, the method further includes: step S205, verifying the sensitive data in the security gateway, and when the verification is passed, determining that the self-checking of the sensitive data in the security gateway is successful;
in step 105, when it is determined that all the correctness of the SM1 cryptographic module, the SM2 cryptographic module, the SM3 cryptographic module and the random number generation module are successfully self-checked, the step of determining that the security gateway is successfully self-checked is replaced by: and S206, when the correctness of the SM1 cryptographic module, the SM2 cryptographic module, the SM3 cryptographic module and the random number generation module is determined to be all successful in self-checking, and when the sensitive data is determined to be successful in self-checking, the security gateway is determined to be successful in self-checking.
Particularly, the sensitive data in the security gateway comprises a signature private key, an encryption private key, a signature certificate, an encryption certificate and a security gateway configuration file. The power-on self-test method and the periodic self-test method of the sensitive data self-test are the same.
And for the signature private key and the encryption private key, calling a master key in the SJK1538 password card to decrypt the signature private key and the encryption private key, calling an SM3 algorithm module in the SJK1538 password card to check the integrity of the signature private key and the encryption private key, if the check is successful, the self-check of the signature private key and the encryption private key is successful, otherwise, the self-check of the signature private key and the encryption private key is failed and an alarm is given, and the IPSEC VPN gateway is stopped working.
And for the signature certificate and the encryption certificate, checking whether the signature certificate and the encryption certificate are in the valid period, calling a root certificate of a certificate chain to verify whether the signature of the signature certificate and the signature of the encryption certificate are correct, if the signature is correct in the valid period, the self-checking of the signature certificate and the encryption certificate is successful, otherwise, the self-checking of the signature certificate and the encryption certificate is failed and an alarm is given, and the working of the IPSEC VPN gateway is stopped.
And for the security gateway configuration file, calling an SM3 algorithm module in the SJK1538 password card, checking the integrity of the security gateway configuration file, if the checking is successful, the self-checking of the security gateway configuration file is successful, otherwise, the self-checking of the security gateway configuration file is failed and an alarm is given, and the IPSEC VPN gateway is stopped working.
The above-mentioned embodiments are provided to further explain the objects, technical solutions and advantages of the present invention in detail, and it should be understood that the above-mentioned embodiments are only examples of the present invention and are not intended to limit the scope of the present invention. It should be understood that any modifications, equivalents, improvements and the like, which come within the spirit and principle of the invention, may occur to those skilled in the art and are intended to be included within the scope of the invention.

Claims (8)

1. A data security self-checking method based on an electric power security gateway is characterized by comprising the following steps:
setting preset plaintext data, a secret key and preset ciphertext data, calling an SM1 password module in a security gateway, calculating the preset plaintext data and the preset ciphertext data, and determining the correctness of the SM1 password module in the security gateway according to the calculation result; the preset plaintext data is subjected to the secret key encryption operation to obtain the preset ciphertext data;
setting a preset public and private key pair, a preset message to be signed and preset signature data, calling an SM2 password module in a security gateway, verifying the preset message to be signed and the preset signature data through the preset public and private key pair, and determining the correctness of the SM2 password module in the security gateway according to a verification result; the preset public and private key pair comprises a preset public key and a corresponding preset private key; signing a preset message to be signed through a preset private key to obtain preset signature data;
setting a preset message and a corresponding preset hash value, calling an SM3 cryptographic module in a security gateway, carrying out hash operation on the preset message, and determining the correctness of the SM3 cryptographic module in the security gateway according to an operation result;
randomly generating a plurality of groups of random number data, calling a random number generation module in the security gateway, carrying out power-on self-test on the random number data, and determining the correctness of the random number generation module in the security gateway according to a self-test result;
when the correctness of the SM1 cryptographic module, the SM2 cryptographic module, the SM3 cryptographic module and the random number generation module is determined to be all successful in self-checking, determining that the self-checking of the security gateway is successful;
the step of calculating the preset plaintext data and the preset ciphertext data and determining the correctness of the SM1 cryptographic module in the security gateway according to the calculation result specifically includes:
carrying out encryption operation on the preset plaintext data according to a secret key to obtain actual ciphertext data, and when the actual ciphertext data is determined to be consistent with the preset ciphertext data, determining that an SM1 password module in the security gateway succeeds in self-checking; when the actual ciphertext data is determined to be inconsistent with the preset ciphertext data, determining that the SM1 password module in the security gateway fails to perform self-checking;
or, carrying out decryption operation on the preset ciphertext data according to a secret key to obtain actual plaintext data, and when the actual plaintext data is determined to be consistent with the preset plaintext data, determining that the SM1 password module in the security gateway succeeds in self-checking; when the actual plaintext data is determined to be inconsistent with the preset plaintext data, determining that a self-checking failure of an SM1 cryptographic module in the security gateway is determined;
the step of performing power-on self-test on the random number data and determining the correctness of the random number generation module in the security gateway according to a self-test result specifically comprises the following steps:
random number data is subjected to randomness detection through a random quality detection algorithm, and when the random number data are determined to pass detection completely, the random number generation module in the security gateway is determined to be successful in self-checking; otherwise, the self-checking fails and gives an alarm, and the security gateway is controlled to stop working.
2. The data security self-checking method based on the power security gateway as claimed in claim 1, wherein the step of verifying the preset message to be signed and the preset signature data through the preset public-private key pair and determining the correctness of the SM2 cryptographic module in the security gateway according to the verification result specifically comprises:
verifying the preset signature data through a preset public key, and when the preset signature data passes the verification, determining that the self-checking of an SM2 cryptographic module in the security gateway is successful; when the verification fails, determining that the SM2 password module in the security gateway fails to self-check;
or, signing the preset message to be signed through a preset private key to obtain actual signature data, verifying the actual signature data through a preset public key, and determining that the SM2 cryptographic module in the security gateway succeeds in self-checking when the verification is passed; when the authentication fails, it is determined that the SM2 cryptographic module in the security gateway failed the self-test.
3. The power security gateway-based data security self-checking method of claim 1, wherein the step of determining the correctness of the SM2 cryptographic module in the security gateway further comprises:
setting SM2 plaintext data and corresponding SM2 ciphertext data, calling an SM2 cipher module in the security gateway, verifying the SM2 plaintext data and the corresponding SM2 ciphertext data through the preset public and private key pair, and determining that the self-checking of the SM2 cipher module in the security gateway is successful when the verification is passed.
4. The power security gateway-based data security self-checking method of claim 1, wherein the step of determining the correctness of the SM2 cryptographic module in the security gateway further comprises:
and generating an SM2 public and private key pair, calling an SM2 password module in the security gateway, verifying the preset message to be signed and the preset signature data through the SM2 public and private key pair, and determining that the self-checking of the SM2 password module in the security gateway is successful when the verification is passed.
5. The data security self-checking method based on the power security gateway as claimed in claim 1, wherein the step of performing a hash operation on the preset message and determining the correctness of the SM3 cryptographic module in the security gateway according to the operation result specifically comprises:
performing hash operation on the first 3 bytes in the preset message to obtain a first actual hash value, and when the first actual hash value is determined to be consistent with the preset hash value, determining that the self-checking of the SM3 cryptographic module in the security gateway is successful; when the first actual hash value is determined to be inconsistent with the preset hash value, determining that the SM3 cryptographic module in the security gateway fails to perform self-checking;
or, performing hash operation on the first 64 bytes in the preset message to obtain a second actual hash value, and when it is determined that the second actual hash value is consistent with the preset hash value, determining that the self-checking of the SM3 cryptographic module in the security gateway is successful; determining that the SM3 cryptographic module in the security gateway fails the self-test when it is determined that the second actual hash value is inconsistent with the pre-set hash value.
6. The power security gateway-based data security self-checking method as claimed in claim 1, wherein the step of determining the correctness of the random number generation module in the security gateway further comprises:
setting a self-checking period, carrying out periodic randomness detection on random number data through a random quality detection algorithm, and determining that a random number generation module in the security gateway successfully carries out self-checking when the random number data is determined to completely pass the detection in the self-checking period; otherwise, the self-checking fails and gives an alarm, and the security gateway is controlled to stop working.
7. The power security gateway-based data security self-checking method as claimed in claim 1, wherein the step of determining the correctness of the random number generation module in the security gateway further comprises:
randomly generating 256 bytes of random number data, carrying out single randomness detection on the 256 bytes of random number data through a random quality detection algorithm, and when the random number data is determined to pass through the detection for a single time, determining that a random number generation module in the security gateway is successfully self-checked; otherwise, the self-checking fails and gives an alarm, and the security gateway is controlled to stop working.
8. A data security self-checking method based on a power security gateway as claimed in claim 1, wherein before the determination that the security gateway self-checking is successful, further comprising: verifying the sensitive data in the security gateway, and when the verification is passed, determining that the self-inspection of the sensitive data in the security gateway is successful;
when the correctness of all the SM1 cryptographic module, the SM2 cryptographic module, the SM3 cryptographic module and the random number generation module is determined to be successful in self-checking, the step of determining that the security gateway is successful in self-checking specifically comprises the following steps:
determining that the security gateway self-tests successfully when the correctness of the SM1 cryptographic module, the SM2 cryptographic module, the SM3 cryptographic module, and the random number generation module are all determined to be successful, and when the sensitive data is determined to be successful.
CN202010467023.9A 2020-05-28 2020-05-28 Data security self-checking method based on electric power security gateway Active CN111654378B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010467023.9A CN111654378B (en) 2020-05-28 2020-05-28 Data security self-checking method based on electric power security gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010467023.9A CN111654378B (en) 2020-05-28 2020-05-28 Data security self-checking method based on electric power security gateway

Publications (2)

Publication Number Publication Date
CN111654378A CN111654378A (en) 2020-09-11
CN111654378B true CN111654378B (en) 2021-01-05

Family

ID=72348898

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010467023.9A Active CN111654378B (en) 2020-05-28 2020-05-28 Data security self-checking method based on electric power security gateway

Country Status (1)

Country Link
CN (1) CN111654378B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112241527B (en) * 2020-12-15 2021-04-27 杭州海康威视数字技术股份有限公司 Secret key generation method and system of terminal equipment of Internet of things and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532710A (en) * 2013-09-26 2014-01-22 中国科学院数据与通信保护研究教育中心 Implementation method and device for GPU (Graphics Processing Unit)-based SM2 (Streaming Multiprocessor 2) algorithm
CN108306737A (en) * 2017-12-21 2018-07-20 中国科学院信息工程研究所 A kind of method of ether mill cryptographic algorithm production domesticization
CN108667626A (en) * 2018-07-20 2018-10-16 陕西师范大学 The two sides cooperation SM2 endorsement methods of safety

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104639534B (en) * 2014-12-30 2019-02-12 北京奇虎科技有限公司 The loading method and browser device of web portal security information
CN108234501B (en) * 2018-01-11 2020-12-11 北京中电普华信息技术有限公司 Quantum key fusion-based virtual power plant secure communication method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532710A (en) * 2013-09-26 2014-01-22 中国科学院数据与通信保护研究教育中心 Implementation method and device for GPU (Graphics Processing Unit)-based SM2 (Streaming Multiprocessor 2) algorithm
CN108306737A (en) * 2017-12-21 2018-07-20 中国科学院信息工程研究所 A kind of method of ether mill cryptographic algorithm production domesticization
CN108667626A (en) * 2018-07-20 2018-10-16 陕西师范大学 The two sides cooperation SM2 endorsement methods of safety

Also Published As

Publication number Publication date
CN111654378A (en) 2020-09-11

Similar Documents

Publication Publication Date Title
CN110519260B (en) Information processing method and information processing device
US7724905B2 (en) Method and arrangement for generation of a secret session key
WO2020087805A1 (en) Trusted authentication method employing two cryptographic values and chaotic encryption in measurement and control network
CN106612180B (en) Method and device for realizing session identification synchronization
US9338004B2 (en) Method and system for smart card chip personalization
CN110401615B (en) Identity authentication method, device, equipment, system and readable storage medium
CN111740844A (en) SSL communication method and device based on hardware cryptographic algorithm
CN111614621B (en) Internet of things communication method and system
CN103095456A (en) Method and system for processing transaction messages
US10547451B2 (en) Method and device for authentication
CN110971593B (en) Database secure network access method
CN111526007B (en) Random number generation method and system
CN108551391B (en) Authentication method based on USB-key
CN110990814A (en) Trusted digital identity authentication method, system, equipment and medium
CN111654378B (en) Data security self-checking method based on electric power security gateway
CN113890768A (en) Equipment authentication method and system, Internet of things equipment and authentication server
CN113849797A (en) Method, device, equipment and storage medium for repairing data security vulnerability
CN104883260B (en) Certificate information processing and verification method, processing terminal and authentication server
CN113297563B (en) Method and device for accessing privileged resources of system on chip and system on chip
CN115766192A (en) UKEY-based offline security authentication method, device, equipment and medium
CN107343276B (en) Method and system for protecting SIM card locking data of terminal
CN114679299A (en) Communication protocol encryption method, device, computer equipment and storage medium
CN116633530A (en) Quantum key transmission method, device and system
CN108242997A (en) The method and apparatus of secure communication
CN110572257A (en) Anti-quantum computing data source identification method and system based on identity

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant