CN112270020A - Terminal equipment safety encryption device based on safety chip - Google Patents

Info

Publication number
CN112270020A
Authority
CN
China
Prior art keywords
message
encryption
communication
security chip
chip
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011164098.6A
Other languages
Chinese (zh)
Other versions
CN112270020B (en)
Inventor
杨庆胜
蒋超
徐妍
葛永高
李军
钟巍峰
包正君
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Fangtian Power Technology Co Ltd
Original Assignee
Jiangsu Fangtian Power Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiangsu Fangtian Power Technology Co Ltd
Priority to CN202011164098.6A
Publication of CN112270020A
Application granted
Publication of CN112270020B
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Mathematical Physics (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a terminal equipment safety encryption device based on a safety chip, which comprises a main controller, an encryption chip, a communication unit and a signal indicating unit, wherein the main controller is used for controlling the encryption chip to encrypt a signal; the main controller is respectively connected with the terminal equipment and the main station through the communication unit to realize data transmission between the main controller and the terminal equipment; the encryption chip is embedded in the encryption device of the security chip, an encryption algorithm and a communication module are integrated on the encryption chip, the encryption algorithm is used for encrypting and decrypting data input by the terminal equipment and the master station respectively, and the communication module is used for transmitting the data; the signal indication unit is in signal connection with the main controller and prompts the result of the bidirectional authentication between the terminal equipment and the main station. The safety chip encryption device designed by the invention has the advantages of strong safety, rich interfaces, high encryption and decryption speed, low power consumption and extremely high cost performance.

Description

Terminal equipment safety encryption device based on safety chip
Technical Field
The invention relates to the technical field of power equipment, in particular to a terminal equipment safety encryption device based on a safety chip.
Background
The power distribution network is the last link of the power system supplying power to users. Its coverage is wide, it involves the vital interests of thousands of households, and its probability of faults is far higher than that of a high-voltage transmission network. Distribution network automation combines modern electronic technology, communication technology and computer network technology with the power distribution equipment to monitor, protect, control and manage the distribution network effectively, which improves power quality, facilitates management by the power grid company and yields good economic benefit. However, the computer networks widely used in current distribution network automation systems have many insecurity factors, their network security protection is weakly designed, and they are easily attacked from the outside. Information from the national security ministry of America shows that, in a simulated attack test, the distribution network automation system is at risk of a large-area power failure when an attack is launched after simulated access to an RTU/FTU. Therefore, taking strong measures to ensure the safety of the power distribution network, guarantee the power quality of customers and reduce the loss caused by power failure is a problem that power grid companies need to solve urgently.
Compared with encryption authentication in a traditional computer system, encryption authentication in the power distribution network has the following differences and design difficulties: the distribution terminal equipment is installed outdoors and unattended; the equipment automatically completes data acquisition and remote-control interaction with the master station, and no personnel operate it on the distribution terminal side. Therefore, the encryption authentication based on password interaction used in traditional computer systems cannot be applied, and neither can encryption technology based on a USB KEY, because the key is easily stolen, which exposes the master station to illegal intrusion. Based on this background, the present invention provides a terminal device security encryption apparatus based on a security chip.
Disclosure of Invention
In order to solve the defects in the prior art, the invention provides a terminal equipment safety encryption device based on a safety chip, which can independently generate a secret key and encrypt and decrypt; the encryption and decryption device has an independent processor and a storage unit, can store keys and characteristic data, provides encryption and security authentication services for equipment, and has the advantages of strong security, rich interfaces, high encryption and decryption speed, low power consumption and extremely high cost performance.
The technical scheme adopted by the invention is as follows:
a terminal equipment security encryption device based on a security chip comprises a main controller, an encryption chip, a communication unit and a signal indication unit; the main controller is respectively connected with the terminal equipment and the main station through the communication unit to realize data transmission between the main controller and the terminal equipment; the encryption chip is embedded in the encryption device of the security chip, an encryption algorithm and a communication module are integrated on the encryption chip, the encryption algorithm is used for encrypting and decrypting data input by the terminal equipment and the master station respectively, and the communication module is used for transmitting the data; and the signal indication unit is in signal connection with the main controller and prompts the result of the bidirectional authentication between the terminal equipment and the main station.
Further, the communication unit comprises a wired connection interface and a wireless connection interface of the main controller, and the wired connection interface comprises an RS232 communication interface, an RS485 communication interface and an Ethernet interface; the RS232 interface and the RS485 interface share a wiring terminal, and the Ethernet interface comprises an Ethernet master device interface and an Ethernet slave device interface; the wireless transmission connection interface adopts a 4G communication module.
Further, the data transmission method between the terminal device and the master station comprises the following steps:
the master station signs the message through a pre-installed private key to obtain a digital signature, encrypts the digital signature by using the private key, loads the encrypted digital signature into the message and a timestamp, and sends the message and the timestamp to the security chip encryption device through the communication unit; the security chip encryption device decrypts the received message by using the secret key, firstly verifies the signature by using the public key, judges the legality of the message, and discards the message if the message is illegal; then the security chip encryption device sends the decrypted plaintext to the terminal equipment; the data is sent from the terminal equipment, the data is encrypted by an encryption chip in the encryption device of the security chip, the encrypted data is sent to the master station through a data network, and the master station decrypts the received data through the built-in software.
Further, the method for mutual authentication between the terminal device and the master station comprises:
step 1, judging whether the system is normal in operation, and if the system is abnormal, lighting an abnormal indicating lamp;
step 2, if the operation is normal, judging whether the upper computer configuration command is initiated, if not, executing the default configuration of the system, and if the configuration command is initiated, configuring the communication connection between the host computer and the slave computer;
step 3, judging whether to establish TCP connection, if not, lighting an abnormal indicator light, and if so, judging whether to initiate bidirectional identity authentication successfully;
step 4, starting service communication if the authentication is successful, and lighting an abnormal indicator lamp if the authentication is not successful.
Further, the security chip encryption device receives a message sent by the master station, and needs to perform integrity check and identity verification on the message, and the message verification steps are as follows:
step 1, the master station signs the message C by using a private key to obtain a digital signature SC, and then encrypts the message C by using a symmetric key to obtain an encrypted digital signature ESC;
step 2, the master station combines the message C and the digital signature SC and sends the combined message C and the digital signature SC to a security chip encryption device through a communication channel;
step 3, after the security chip encryption device receives the message, performing a digital signature operation on the message C with the public key of the master station to obtain a digital signature SC1, and then decrypting the encrypted digital signature ESC with the symmetric key to obtain a digital signature SC2, wherein SC1 is obtained through the public key and SC2 is obtained through the private key of the master station; if the identity of the master station is legal, SC1 should be equal to SC2, and any tampering with the message C or the ESC will cause SC1 not to be equal to SC2.
Further, the timestamp check is used to deal with retransmission attacks, that is, to prevent an illegally eavesdropped and intercepted message from being repeatedly sent to the security chip encryption device. The timestamp check in the security chip encryption device compares the time difference $\Delta t$ with the delay threshold $T_{threshold}$; the specific process is as follows:
$\Delta t = T_1 - T_c$
wherein $\Delta t$ is the difference between the time $T_1$ at which the security chip encryption device receives the command sent by the master station and the timestamp $T_c$ in the message. The delay threshold $T_{threshold}$ should be based on the time offset $T_b$ between the security chip encryption device and the master station; in the communication between the security chip encryption device and the master station, the transmission time of the communication is $T_t$, the data transmission delay of the communication network is $T_d$, the time for the master station to encrypt the message is $T_e$, and the time for the security chip encryption device to decrypt the message is $T_j$. Thus $T_{threshold}$ is calculated as follows:
$T_{threshold} = T_b + T_t + T_d + T_e + T_j$
If $\Delta t \le T_{threshold}$, the message received by the security chip encryption device is a message sent by the normal master station, and the security chip encryption device decrypts the message and sends the decrypted message to the terminal. If $\Delta t > T_{threshold}$, the message has timed out, is very likely to have been replayed and is risky; the security chip encryption device should discard the message and then store the data for later risk analysis.
Furthermore, in order to meet the support of multiple communication protocols, corresponding configuration management needs to be designed, and the security chip encryption device packages and sends a message to the master station according to a fixed communication protocol through the configuration management of the PC terminal. In this embodiment, the configuration management of the security chip encryption apparatus mainly includes functions such as communication IP configuration, communication port input/output stream configuration, certificate management configuration, and tunnel configuration. The communication IP configuration mainly configures the communication IP and the port number from the terminal equipment to the service end so as to establish normal communication. The input and output stream configuration of the communication port mainly comprises the steps of carrying out data inflow and outflow configuration on two Ethernet interfaces, two RS232 interfaces and two RS485 interfaces, and constraining the input port of data and the output port of the data. The certificate management configuration is used to update the certificate document of the device for authentication with the primary site. The tunnel configuration management is mainly used for completing the constraints on the tunnel, including the constraints on encryption and decryption or plain text communication of tunnel data.
The invention has the beneficial effects that:
1. The security chip encryption device is a trusted platform module: a device capable of independently generating keys and performing encryption and decryption, with a built-in independent processor and storage unit, which can store keys and characteristic data and provides encryption and security authentication services for equipment. Encryption is performed by the encryption chip and the key is stored in hardware, so stolen data cannot be decrypted, which protects data security.
2. The safety chip encryption device designed by the invention has the advantages of strong safety, rich interfaces, high encryption and decryption speed, low power consumption and extremely high cost performance. And corresponding configuration management is designed, so that the correctness of communication can be ensured according to different communication transmission protocols, and the support to various communication protocols is met.
Drawings
FIG. 1 is a position diagram of a secure chip encryption apparatus;
FIG. 2 is a hardware overview block diagram of a secure chip encryption apparatus;
FIG. 3 is a flow chart of the secure chip encryption apparatus;
FIG. 4 is a schematic diagram of an application of the encryption device of the security chip;
FIG. 5 is a process for verifying a message of a secure chip encryption apparatus;
FIG. 6 is a schematic diagram of an alternative master.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 2, the terminal device security encryption apparatus based on the security chip includes a main controller, an encryption chip, a communication unit and a signal indication unit; the main controller is respectively connected with the terminal equipment and the main station through the communication unit to realize data transmission between the main controller and the terminal equipment; the encryption chip is embedded in the encryption device of the security chip, an encryption algorithm and a communication module are integrated on the encryption chip, the encryption algorithm is used for encrypting and decrypting data input by the terminal equipment and the master station respectively, and the communication module is used for transmitting the data; and the signal indication unit is in signal connection with the main controller and prompts the result of the bidirectional authentication between the terminal equipment and the main station. The encryption algorithms of the encryption chip include the national cryptographic symmetric algorithm, asymmetric algorithm and hash algorithm, and other internationally used cryptographic algorithms are also supported; for example, symmetric cryptographic algorithm: SM1; asymmetric cryptographic algorithm: SM2; hash algorithm: SM3. These meet the requirement of bidirectional identity authentication.
The communication unit comprises a wired connection interface and a wireless transmission connection interface, wherein the wired connection interface comprises an RS232 communication interface, an RS485 communication interface and an Ethernet interface, more specifically, the RS232 interface and the RS485 interface share a wiring terminal, and the Ethernet interface comprises an Ethernet master device interface and an Ethernet slave device interface and supports adaptive 10M/100M bandwidth transmission. The wireless connection of the security chip encryption device adopts a 4G communication module, and mobile, communication and telecommunication operators are supported. Therefore, the communication mode of the encryption device of the security chip of the invention supports RS232, RS485, Ethernet communication and 4G network communication. Because different communication modes need to ensure the correctness of communication according to different communication transmission protocols, in order to meet the support of various communication protocols, corresponding configuration management needs to be designed, and the security chip encryption device packages a message according to a fixed communication protocol and sends the message to the master station through the configuration management of the PC terminal. In this embodiment, the configuration management of the security chip encryption apparatus mainly includes functions such as communication IP configuration, communication port input/output stream configuration, certificate management configuration, and tunnel configuration. The communication IP configuration mainly configures the communication IP and the port number from the terminal equipment to the service end so as to establish normal communication. 
The input and output stream configuration of the communication port mainly comprises the steps of carrying out data inflow and outflow configuration on two Ethernet interfaces, two RS232 interfaces and two RS485 interfaces, and constraining the input port of data and the output port of the data. The certificate management configuration is used to update the certificate document of the device for authentication with the primary site. The tunnel configuration management is mainly used for completing the constraints on the tunnel, including the constraints on encryption and decryption or plain text communication of tunnel data.
In this embodiment, as shown in fig. 2, the main controller is an MCU, and the embedded operating system it runs is a Linux operating system. The encryption device also takes risk factors into account, so an alternative scheme for the device is introduced. The main controller has 3072K of flash and 256K of RAM, a system operating frequency of up to 200MHz, 4 USART and 4 UART interfaces, 3 I2C interfaces and 6 SPI interfaces, and on-chip resources such as an Ethernet MAC controller. This chip serves as the main control of the encryption terminal equipment. An alternative master solution is shown in fig. 6. The terminal of the equipment adopts two controllers. One is a media access controller (MAC) supporting 10/100Mbps Ethernet, which uses DMA to optimize the sending and receiving of data frames and supports two standard interfaces, MII (media independent interface) and RMII (reduced media independent interface), for communication with the physical layer (PHY), thereby realizing the sending and receiving of Ethernet data frames. The other is an Ethernet controller with an integrated MAC and 10BASE-T physical layer; the Ethernet controller IC used is the ENC28J60.
As shown in fig. 1, the data transmission method between the terminal device and the master station is as follows: the data is sent from the terminal equipment, the data is encrypted by an encryption chip in the encryption device of the security chip, the encrypted data is sent to the master station through a data network, and the master station decrypts the received data through the built-in software; as shown in fig. 4, the master station signs the message by using a pre-installed private key to obtain a digital signature, encrypts the digital signature by using the private key, loads the encrypted digital signature in the message and the timestamp, and sends the message and the timestamp together to the security chip encryption device through a communication network, a wireless network or an optical fiber network. After receiving the message, the security chip encryption device decrypts the message by using the secret key, verifies the signature by using the public key, judges the legality of the message, and discards the message if the message is illegal; and then the security chip encryption device sends the decrypted plaintext to the terminal equipment.
The main service of the terminal device is power on self-test, then bidirectional authentication between the terminal device and the master station is performed, service communication is performed after normal authentication is passed, the service communication includes service operations such as encryption and decryption operations of normal data, transmission of data, and the like, as shown in fig. 3, the bidirectional authentication flow is as follows:
step 1, judging whether the system is normal in operation, and if the system is abnormal, lighting an abnormal indicating lamp;
step 2, if the operation is normal, judging whether the upper computer configuration command is initiated, if not, executing the default configuration of the system, and if the configuration command is initiated, configuring the communication connection between the host computer and the slave computer;
step 3, judging whether to establish TCP connection, if not, lighting an abnormal indicator light, and if so, judging whether to initiate bidirectional identity authentication successfully;
step 4, starting service communication if the authentication is successful, and lighting an abnormal indicator lamp if the authentication is not successful.
The security chip encryption device receives the message sent by the master station, and firstly, integrity check and identity verification are required to be performed on the message, and the message verification process is shown in fig. 5. C is a command message, ESC is an encrypted digital signature, and SC is a digital signature. The message verification steps are as follows:
step 1, the master station signs the message C by using a private key to obtain a digital signature SC, and then encrypts the message C by using a symmetric key to obtain an encrypted digital signature ESC;
step 2, the master station combines the message C and the digital signature SC and sends the combined message C and the digital signature SC to a security chip encryption device through a communication channel;
step 3, after the security chip encryption device receives the message, performing a digital signature operation on the message C with the public key of the master station to obtain a digital signature SC1, and then decrypting the encrypted digital signature ESC with the symmetric key to obtain a digital signature SC2, wherein SC1 is obtained through the public key and SC2 is obtained through the private key of the master station; if the identity of the master station is legal, SC1 should be equal to SC2, and any tampering with the message C or the ESC will cause SC1 not to be equal to SC2.
The timestamp check is used to deal with retransmission attacks, that is, to prevent an illegally intercepted message from being repeatedly sent to the security chip encryption device. The timestamp check in the security chip encryption device compares the time difference $\Delta t$ with the delay threshold $T_{threshold}$. The specific process is as follows:
$\Delta t = |T_1 - T_c|$
wherein $\Delta t$ is the difference between the time $T_1$ at which the security chip encryption device receives the command sent by the master station and the timestamp $T_c$ in the message. The delay threshold $T_{threshold}$ should be based on the time offset $T_b$ between the security chip encryption device and the master station; in the communication between the security chip encryption device and the master station, the transmission time of the communication is $T_t$, the data transmission delay of the communication network is $T_d$, the time for the master station to encrypt the message is $T_e$, and the time for the security chip encryption device to decrypt the message is $T_j$. Thus $T_{threshold}$ is calculated as follows:
$T_{threshold} = T_b + T_t + T_d + T_e + T_j$
If $\Delta t \le T_{threshold}$, the message received by the security chip encryption device is a message sent by the normal master station, and the security chip encryption device decrypts the message and sends the decrypted message to the terminal. If $\Delta t > T_{threshold}$, the message has expired, is likely to have been replayed and is risky; the security chip encryption device should discard the message and store the data for later risk analysis. In the timestamp check, the value of $T_{threshold}$ is the most critical: if it is too small, timeouts result and a normal message is also judged to be a retransmitted message, while if it is too large, the risk increases and a retransmitted message cannot be identified. In combination with the actual conditions of the distribution terminals, $T_{threshold}$ is 15 seconds.
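The message verification steps and the timestamp check above, run end to end, as an added example that is not code from the patent. Ed25519 and AES-GCM from the Go standard library stand in for SM2 and SM1, the signature is checked with the ordinary verify operation rather than by comparing SC1 with SC2, and the packet layout, the inclusion of Tc in the signed bytes, and the split of the 15 s budget into its five terms are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Tthreshold = Tb + Tt + Td + Te + Tj; only the 15 s sum is from the text, the split is constructed.
const (
	Tb         = 5 * time.Second // clock offset between device and master station
	Tt         = 4 * time.Second // transmission time
	Td         = 4 * time.Second // network transmission delay
	Te         = 1 * time.Second // master-station encryption time
	Tj         = 1 * time.Second // device decryption time
	Tthreshold = Tb + Tt + Td + Te + Tj
)

var (
	ErrInvalid = errors.New("illegal message: discard")
	ErrStale   = fmt.Errorf("timestamp outside Tthreshold (%v): discard and keep for analysis", Tthreshold)
)

// Packet is a hypothetical wire layout: command C, timestamp Tc, encrypted signature ESC.
type Packet struct {
	C     []byte
	Tc    int64 // Unix milliseconds, set by the master station
	Nonce []byte
	ESC   []byte
}

// signedBytes binds Tc to C (an assumption) so a rewritten timestamp breaks the signature.
func signedBytes(c []byte, tc int64) []byte {
	buf := make([]byte, 8, 8+len(c))
	binary.BigEndian.PutUint64(buf, uint64(tc))
	return append(buf, c...)
}

// MasterSend covers steps 1 and 2: SC = Sign(priv, Tc||C), ESC = Enc(sym, SC).
func MasterSend(priv ed25519.PrivateKey, aead cipher.AEAD, c []byte, now time.Time) (Packet, error) {
	p := Packet{C: append([]byte(nil), c...), Tc: now.UnixMilli()}
	p.Nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(p.Nonce); err != nil {
		return Packet{}, err
	}
	sc := ed25519.Sign(priv, signedBytes(p.C, p.Tc))
	p.ESC = aead.Seal(nil, p.Nonce, sc, nil)
	return p, nil
}

// DeviceReceive covers step 3 and the timestamp check; t1 is the receive time T1.
func DeviceReceive(pub ed25519.PublicKey, aead cipher.AEAD, p Packet, t1 time.Time) ([]byte, error) {
	if len(p.Nonce) != aead.NonceSize() {
		return nil, ErrInvalid
	}
	sc, err := aead.Open(nil, p.Nonce, p.ESC, nil) // ESC -> SC
	if err != nil || !ed25519.Verify(pub, signedBytes(p.C, p.Tc), sc) {
		return nil, ErrInvalid
	}
	dt := t1.Sub(time.UnixMilli(p.Tc)) // delta t = |T1 - Tc|
	if dt < 0 {
		dt = -dt
	}
	if dt > Tthreshold {
		return nil, ErrStale
	}
	return p.C, nil // plaintext command forwarded to the terminal
}

// Demo returns the device's verdict for four constructed deliveries of one packet.
func Demo() (fresh, tampered, retimed, replayed error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sym := make([]byte, 16)
	rand.Read(sym)
	block, _ := aes.NewCipher(sym)
	aead, _ := cipher.NewGCM(block)
	t0 := time.Unix(1700000000, 0) // constructed send time
	p, _ := MasterSend(priv, aead, []byte("feeder 12: report status"), t0)
	late := t0.Add(10 * time.Minute)
	_, fresh = DeviceReceive(pub, aead, p, t0.Add(2*time.Second))
	bad, moved := p, p
	bad.C = []byte("feeder 13: report status")
	moved.Tc = late.UnixMilli() // Tc altered in transit to look current
	_, tampered = DeviceReceive(pub, aead, bad, t0.Add(2*time.Second))
	_, retimed = DeviceReceive(pub, aead, moved, late)
	_, replayed = DeviceReceive(pub, aead, p, late)
	return
}

func main() {
	fmt.Println(Demo())
}
```

A copy delivered again inside the Tthreshold window still passes this check; rejecting it needs per-message state such as a sequence number, which the description does not cover.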
The software of the security encryption chip device comprises a connection management module, a configuration management module, a system monitoring module, a configuration recovery module and a software management module, wherein:
A connection management module: after the administrator logs in, establishes the connection, manages the connection state, receives various JSON messages, distributes and delivers messages by connection word and session ID, and provides a query interface for other modules to use.
A configuration management module: processes the configuration information delivered by the connection management module, handles commands such as IP address configuration and routing, and returns the result.
A system monitoring module: processes the monitoring messages delivered by the connection management module, and performs alarm processing, log downloading and operation record queries.
A configuration recovery module: processes the configuration save and restore operations delivered by the connection management module, saves the configuration as configuration files, and handles configuration restoration after the system is restarted, and the like.
A software management module: performs software upgrade, rollback and restart operations.
The above embodiments are only used for illustrating the design idea and features of the present invention, and the purpose of the present invention is to enable those skilled in the art to understand the content of the present invention and implement the present invention accordingly, and the protection scope of the present invention is not limited to the above embodiments. Therefore, all equivalent changes and modifications made in accordance with the principles and concepts disclosed herein are intended to be included within the scope of the present invention.

Claims (7)

1. A terminal equipment security encryption device based on a security chip, characterized in that the security chip encryption device comprises a main controller, an encryption chip, a communication unit and a signal indication unit; the main controller is connected with the terminal equipment and with the master station through the communication unit to realize data transmission between the main controller and the terminal equipment; the encryption chip is embedded in the security chip encryption device, an encryption algorithm and a communication module are integrated on the encryption chip, the encryption algorithm is used for encrypting and decrypting data input by the terminal equipment and the master station respectively, and the communication module is used for transmitting the data; and the signal indication unit is in signal connection with the main controller and indicates the result of the bidirectional authentication between the terminal equipment and the master station.
2. The terminal equipment security encryption device based on the security chip as claimed in claim 1, wherein the communication unit comprises a wired connection interface and a wireless connection interface of the main controller; the wired connection interface comprises an RS232 communication interface, an RS485 communication interface and an Ethernet interface; the RS232 interface and the RS485 interface share a wiring terminal, and the Ethernet interface comprises an Ethernet master device interface and an Ethernet slave device interface; the wireless connection interface adopts a 4G communication module.
3. The terminal equipment security encryption device based on the security chip as claimed in claim 2, wherein the data transmission method between the terminal equipment and the master station is: the master station signs the message with a pre-installed private key to obtain a digital signature, encrypts the digital signature by using the private key, loads the encrypted digital signature into the message and a timestamp, and sends the message and the timestamp to the security chip encryption device through the communication unit; the security chip encryption device decrypts the received message by using the secret key, first verifies the signature by using the public key to judge the legality of the message, and discards the message if it is illegal; the security chip encryption device then sends the decrypted plaintext to the terminal equipment; data sent from the terminal equipment is encrypted by the encryption chip in the security chip encryption device, the encrypted data is sent to the master station through a data network, and the master station decrypts the received data through its built-in software.
4. The terminal equipment security encryption device based on the security chip as claimed in claim 3, wherein the method of mutual authentication between the terminal equipment and the master station is:
step 1, judging whether the system is operating normally, and if the system is abnormal, lighting an abnormal indicator lamp;
step 2, if the operation is normal, judging whether an upper computer configuration command has been initiated; if not, executing the default configuration of the system, and if the configuration command has been initiated, configuring the communication connection between the host computer and the slave computer;
step 3, judging whether a TCP connection is established; if not, lighting an abnormal indicator lamp, and if so, judging whether the initiated bidirectional identity authentication succeeds;
step 4, starting service communication if the authentication is successful, and lighting an abnormal indicator lamp if it is not.
5. The terminal equipment security encryption device based on the security chip as claimed in claim 3, wherein the security chip encryption device, on receiving a message sent by the master station, needs to perform an integrity check and identity verification on the message, and the message verification steps are as follows:
step 1, the master station signs the message C by using a private key to obtain a digital signature SC, and then encrypts the message C by using a symmetric key to obtain an encrypted digital signature ESC;
step 2, the master station combines the message C and the digital signature SC and sends them to the security chip encryption device through a communication channel;
step 3, after the security chip encryption device receives the message, it performs a digital signature operation on the message C with the public key of the master station to obtain a digital signature SC1, and then decrypts the encrypted digital signature ESC with the symmetric key to obtain a digital signature SC2, wherein SC1 is obtained through the public key and SC2 is obtained through the private key of the master station; if the identity of the master station is legal, SC1 should be equal to SC2, and any tampering with the message C or the ESC causes SC1 not to be equal to SC2.
6. The terminal equipment security encryption device based on the security chip as claimed in claim 3, wherein the result of the timestamp verification method in the security chip encryption device is obtained by comparing the time difference $\Delta t$ with the delay threshold $T_{threshold}$; the specific process is as follows:

$\Delta t = |T_1 - T_c|$

wherein $\Delta t$ is the difference between the time $T_1$ at which the security chip encryption device receives the command sent by the master station and the timestamp $T_c$ in the message. The delay threshold $T_{threshold}$ should be based on the time offset $T_b$ between the security chip encryption device and the master station; in the process of re-communication between the security chip encryption device and the master station, the transmission time of the communication is $T_t$, the delay of the data transmission of the communication network is $T_d$, the time for the master station to encrypt the message is $T_e$, and the time for the security chip encryption device to decrypt the message is $T_j$. Thus $T_{threshold}$ is calculated as follows:

$T_{threshold} = T_b + T_t + T_d + T_e + T_j$

If $\Delta t \le T_{threshold}$, the message received by the security chip encryption device is a message sent by the normal master station, and the security chip encryption device decrypts the message and sends the decrypted message to the terminal; if $\Delta t > T_{threshold}$, the message has timed out, is very likely to be a replayed message and is risky, and the security chip encryption device should discard the message and then store the data for later risk analysis.
7. The terminal equipment security encryption device based on the security chip as claimed in any one of claims 1 to 6, wherein, through configuration management from the PC terminal, the security chip encryption device is enabled to package a message according to a fixed communication protocol and send the message to the master station, and the configuration management of the security chip encryption device mainly includes communication IP configuration, communication port input/output stream configuration, certificate management configuration, tunnel configuration and similar functions; the communication IP configuration mainly configures the communication IP and the port number from the terminal equipment to the server so as to establish normal communication; the communication port input/output stream configuration mainly configures data inflow and outflow for the two Ethernet interfaces, the two RS232 interfaces and the two RS485 interfaces, constraining the input port and the output port of the data; the certificate management configuration is used for updating the certificate document of the device, which is needed when the device is verified with the master station; the tunnel configuration management is mainly used for setting the constraints on the tunnel, including whether tunnel data is encrypted and decrypted or communicated in plain text.
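The timestamp check of claim 6, as an added example that is not part of the patent text. HMAC-SHA256 stands in for the master station's signature (an assumption, since the claims name no algorithm), all names and timing values are hypothetical, and the seen-tag cache goes beyond the claim to catch a replay that arrives while $\Delta t \le T_{threshold}$ still holds.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

def tag_for(key: bytes, payload: bytes, t_c: float) -> bytes:
    # The tag covers T_c as well as the payload, so T_c cannot be rewritten in transit.
    return hmac.new(key, struct.pack(">d", t_c) + payload, hashlib.sha256).digest()

@dataclass
class FreshnessGate:
    key: bytes
    t_b: float  # clock offset between device and master station (seconds)
    t_t: float  # transmission time
    t_d: float  # network delay
    t_e: float  # master-station encryption time
    t_j: float  # device decryption time
    seen: dict = field(default_factory=dict)        # tag -> T_c of accepted messages
    quarantine: list = field(default_factory=list)  # discarded messages kept for analysis

    def threshold(self) -> float:
        return self.t_b + self.t_t + self.t_d + self.t_e + self.t_j

    def check(self, payload: bytes, t_c: float, tag: bytes, t_1: float) -> str:
        limit = self.threshold()
        if not hmac.compare_digest(tag_for(self.key, payload, t_c), tag):
            verdict = "bad_tag"
        elif abs(t_1 - t_c) > limit:
            verdict = "stale"             # delta_t > T_threshold: discard
        elif tag in self.seen:
            verdict = "replay_in_window"  # fresh timestamp, but already delivered once
        else:
            verdict = "accept"
        if verdict == "accept":
            self.seen[tag] = t_c
        else:
            self.quarantine.append({"reason": verdict, "t_c": t_c, "t_1": t_1, "payload": payload})
        # Tags whose timestamps left the window can be forgotten: they now fail as stale.
        self.seen = {k: v for k, v in self.seen.items() if abs(t_1 - v) <= limit}
        return verdict

def demo() -> list:
    # Constructed values: key, payload and timings are illustrative only.
    key = b"constructed-demo-key"
    gate = FreshnessGate(key, t_b=0.5, t_t=0.05, t_d=0.2, t_e=0.01, t_j=0.01)
    cmd, t_c = b"constructed-command", 1000.0
    tag = tag_for(key, cmd, t_c)
    return [gate.check(cmd, t_c, tag, 1000.3), gate.check(cmd, t_c, tag, 1000.6),
            gate.check(cmd, t_c, tag, 1005.0), gate.check(cmd, 1004.9, tag, 1005.0)]
```

The last call in `demo()` presents the old tag with a rewritten timestamp; it fails only because the timestamp is inside the authenticated data, and it assumes the device clock does not run backwards.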
CN202011164098.6A 2020-10-27 2020-10-27 Terminal equipment safety encryption device based on safety chip Active CN112270020B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011164098.6A CN112270020B (en) 2020-10-27 2020-10-27 Terminal equipment safety encryption device based on safety chip

Publications (2)

Publication Number Publication Date
CN112270020A true CN112270020A (en) 2021-01-26
CN112270020B CN112270020B (en) 2022-06-21

Family

ID=74342027

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant