CN112350826A - Industrial control system digital certificate issuing management method and encrypted communication method - Google Patents

Industrial control system digital certificate issuing management method and encrypted communication method Download PDF

Info

Publication number
CN112350826A
CN112350826A CN202110020753.9A CN202110020753A CN112350826A CN 112350826 A CN112350826 A CN 112350826A CN 202110020753 A CN202110020753 A CN 202110020753A CN 112350826 A CN112350826 A CN 112350826A
Authority
CN
China
Prior art keywords
client device
certificate
client
server
equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110020753.9A
Other languages
Chinese (zh)
Inventor
褚健
章维
马纳
张高达
陈银桃
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Supcon Technology Co Ltd
Original Assignee
Zhejiang Supcon Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Supcon Technology Co Ltd filed Critical Zhejiang Supcon Technology Co Ltd
Priority to CN202110020753.9A priority Critical patent/CN112350826A/en
Publication of CN112350826A publication Critical patent/CN112350826A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication

Abstract

The invention provides a digital certificate issuing management method for an industrial control system, which is based on a certificate management system of a Public Key Infrastructure (PKI) and combines the network environment characteristics of the industrial control system to realize the issuing and management of digital certificates of engineer stations, controllers and operator stations in the industrial control system. When each communication between the first client device and the second client device is started, the first client device and the second client device perform identity authentication and dynamic key agreement based on digital certificates of both communication parties, a root certificate of a CA server and a national cryptographic algorithm, and if the identity authentication is passed, the first client device and the second client device perform encrypted communication according to a session key obtained after the national cryptographic algorithm and the key agreement. The communication safety of the whole industrial control system is improved, and the risk of hijacking or malicious tampering of communication is effectively reduced.

Description

Industrial control system digital certificate issuing management method and encrypted communication method
Technical Field
The invention relates to the technical field of industrial control system safety, in particular to an industrial control system digital certificate issuing management method and an encryption communication method.
Background
The industrial control system is used as the core of industrial production, the network environment of the industrial control system is complex, the traditional industrial communication protocol does not consider the safety at the beginning of design, and the communication between devices has many potential safety hazards such as plaintext transmission, identity incapability of being confirmed and the like.
With the continuous advance of industrial 4.0 and digital factory processes, the network security protection of the industrial control system is more and more not neglected. The existing industrial control system is widely used for communication and password technology is widely used for verifying equipment identity, however, the safety intensity of password passwords is relatively limited, the division of responsibility authority is not clear enough, the unified management and one-to-one pairing of the equipment and the system are lacked, and management holes are easy to appear, so that the equipment identity is easy to crack. When the existing industrial control system carries out service communication, service data is usually carried out by adopting modes such as plaintext transmission, fixed transmission, universal protocol and the like, the identity of a communication party cannot be effectively verified, the configuration of a controller and the service data are easy to be tampered, hijacked and forged, and a large safety risk is caused; or the existing industrial control system continues to use the international general cryptographic algorithm systems such as 3DES, SHA-1, RSA and the like and related standards for encryption transmission for a long time, however, with the computer power, the proposal of various high-quality algorithms and the emergence of new technologies such as quantum computers, the mainstream algorithm in foreign countries is not unbreakable any more, for example, the quantum computer based on the Xiuer algorithm can quickly decompose the common divisor by using the parallelism of quantum computing, thereby breaking the safety foundation of the RSA algorithm in principle.
Therefore, a more secure, practical and reliable technique for device authentication and encrypted communication is urgently needed for industrial control systems.
Disclosure of Invention
Technical problem to be solved
In view of the problems in the art described above, the present invention is at least partially addressed. Therefore, an object of the present invention is to provide a method for issuing and managing digital certificates of an industrial control system, which implements issuing and managing digital certificates of engineer stations, controllers and operator stations in the industrial control system.
The second objective of the present invention is to provide an industrial control system encryption communication method, which can improve the communication security of the entire industrial control system and effectively reduce the risk of hijacking or malicious tampering of communication.
(II) technical scheme
In order to achieve the above object, an aspect of the present invention provides a method for issuing and managing a digital certificate of an industrial control system, including:
when the industrial control system leaves a factory, data interaction for authenticating the identity of the other party is carried out between the client equipment and the CA server;
if the identity authentication between the client device and the CA server passes, the client device generates a self key pair and a certificate signing and issuing request according to a national cryptographic algorithm, and sends the certificate signing and issuing request and a self public key to the CA server; the CA server generates a digital certificate according to a state cryptographic algorithm, a certificate signing request and public key information, and sends the digital certificate to the client equipment;
if the client device verifies that the digital certificate passes the validity according to the own key pair and the root certificate, the digital certificate is stored to be used as the own digital certificate;
wherein the client device includes an engineer station, a controller, and an operator station.
Further, the industrial control system digital certificate issuing management method further comprises the following steps:
the client equipment generates a shadow certificate signing and issuing request at a preset moment before the digital certificate of the client equipment expires, and sends the shadow certificate signing and issuing request and a public key of the client equipment to a CA server;
the CA server generates a shadow certificate according to the shadow certificate issuing request and the public key information, and sends the shadow certificate to the client equipment;
if the client device verifies that the validity of the shadow certificate passes according to the own key pair and the root certificate, storing the shadow certificate;
and when the self digital certificate expires, the client device takes the shadow certificate as the self digital certificate.
Further, the data interaction of the identity of the authentication party is performed between the client device and the CA server, and the data interaction comprises the following steps:
the client equipment sends a certificate request and self equipment information to a CA server;
the CA server verifies the information of the client equipment after receiving the certificate request, and if the verification is passed, the CA server sends a digital certificate of the CA server to the client equipment;
and the client equipment verifies the validity of the digital certificate of the CA server according to the root certificate, and if the verification is passed, the identity authentication between the client equipment and the CA server is passed.
Another aspect of the present invention provides an industrial control system encryption communication method, including:
when each communication between the first client device and the second client device is started, the first client device and the second client device perform identity authentication and dynamic key agreement based on digital certificates of both communication parties, a root certificate of a CA server and a national cryptographic algorithm;
if the identity authentication is passed, encrypted communication is carried out between the first client equipment and the second client equipment according to a session key obtained after the national cryptographic algorithm and the key negotiation;
the digital certificates of both communication parties are obtained according to the industrial control system digital certificate issuing management method.
Further, the session key is a symmetric key.
Further, the identity authentication and dynamic key agreement between the first client device and the second client device based on the digital certificates of both communication parties, the root certificate of the CA server and the cryptographic algorithm, includes:
the first client equipment generates a connection request and a first random number, and encrypts the first random number according to a private key of the first client equipment and a national cryptographic algorithm;
the first client device sends a connection request, a digital certificate of the first client device and the encrypted first random number to the second client device;
according to a root certificate of a CA server, the second client equipment verifies the validity of a digital certificate of the first client equipment, if the verification is passed, the second client equipment generates a second random number, decrypts the encrypted first random number according to a public key carried in the digital certificate of the first client equipment, generates a session key according to the first random number and the second random number, and encrypts the second random number according to a private key of the second client equipment and a national encryption algorithm;
the second client device sends the digital certificate of the second client device, the session key, the decrypted first random number and the encrypted second random number to the first client device;
according to the root certificate of the CA server, the first client side equipment verifies the validity of the digital certificate of the second client side equipment and the decrypted first random number, if the verification is passed, the first client side equipment decrypts the encrypted second random number according to a public key carried in the digital certificate of the second client side equipment, and encrypts the decrypted second random number according to a session key;
the first client device sends the second random number encrypted by the session key to the second client device;
and the second client equipment decrypts the second random number encrypted by the session key according to the session key, verifies the validity of the second random number decrypted by the session key, and sends a communication start notification to the first client equipment if the verification is passed.
Further, according to the cryptographic algorithm and the session key obtained after the key agreement, the encrypted communication between the first client device and the second client device includes: the first client device encrypts the service data according to the session key and the national cryptographic algorithm, and then sends the encrypted service data to the second client device.
Further, the national password algorithm comprises a national password asymmetric encryption algorithm, a national password symmetric encryption algorithm and a national password hash algorithm.
Further, the national password asymmetric encryption algorithm is an elliptic curve encryption algorithm; the symmetric encryption algorithm of the national password is a block cipher algorithm.
(III) advantageous effects
The invention has the beneficial effects that:
1. the method for issuing and managing the digital certificate of the industrial control system realizes the application of a PKI certificate management system in the industrial control system, can uniformly issue and manage the digital certificates of an engineer station, a controller and an operator station in the industrial control system, realizes the efficient, safe and flexible management of the equipment certificate of the industrial control system, prepares for using the digital certificate in the communication process of the industrial control system, improves the communication safety of the whole industrial control system, and effectively reduces the risk of hijacking or malicious tampering of communication.
2. The encrypted communication method of the industrial control system effectively utilizes the characteristics that the digital certificate cannot be repudiated and cannot be forged, limits unauthorized operation behaviors and ensures the safety of equipment communication identity authentication; meanwhile, the encryption and decryption in the key negotiation process and the business communication process of the method are based on the national encryption algorithm, the advantages of strong attack resistance, high encryption speed, low system resource occupation and strong safety of the national encryption algorithm are fully utilized, the communication safety of the whole industrial control system is improved, and the industrial communication data is effectively prevented from being attacked such as falsified and seized.
3. In the encrypted communication method of the industrial control system, the dynamic key negotiation is carried out by adopting a mode of combining asymmetric encryption and symmetric encryption, keys are different and cannot be forged in each interaction process, all communication data are encrypted and transmitted by a national encryption algorithm, even if the communication data are intercepted, an intercepting party can crack the communication data by spending exponential time, and the communication safety of the industrial control system is greatly ensured.
Drawings
The invention is described with the aid of the following figures:
FIG. 1 is a flow diagram of a method for industrial control system digital certificate issuance management in accordance with one embodiment of the present invention;
FIG. 2 is a flow diagram of an industrial control system encrypted communication method according to one embodiment of the invention.
Detailed Description
For the purpose of better explaining the present invention and to facilitate understanding, the present invention will be described in detail by way of specific embodiments with reference to the accompanying drawings.
Public Key Infrastructure (PKI), a set of infrastructures consisting of hardware, software, participants, management policies and procedures, is aimed at uniformly creating, managing, distributing, using, storing and revoking digital certificates. The digital certificate is used as the core of a PKI framework, a data signature is similar to an encryption process, after data is encrypted, only a receiving party can open or change data information, the data information is added with a signature of the receiving party and then is transmitted to a transmitting party, and a private key of the receiving party has uniqueness and privacy, so that the authenticity and reliability of the signature are guaranteed, and the safety of the information is further guaranteed.
Therefore, the embodiment of the invention provides a digital certificate issuing management method for an industrial control system, which is based on a certificate management system of a Public Key Infrastructure (PKI) and combines the network environment characteristics of the industrial control system to realize the digital certificate issuing and management of an engineer station, a controller and an operator station in the industrial control system, and prepares for utilizing a digital certificate in the communication process of the industrial control system so as to improve the communication safety of the whole industrial control system.
In order to better understand the above technical solutions, exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The following describes a digital certificate issuance management method for an industrial control system according to an embodiment of the present invention with reference to the accompanying drawings.
Fig. 1 is a flowchart illustrating a digital certificate issuance management method for an industrial control system according to an embodiment of the present invention.
As shown in fig. 1, the method for issuing and managing the digital certificate of the industrial control system includes the following steps:
step 101, when the industrial control system leaves the factory, data interaction for authenticating the identity of the other party is performed between the client device and the CA server.
Specifically, as one embodiment, the client devices include an engineer station, a controller, and an operator station in an industrial control system.
Specifically, as an embodiment, the data interaction of authenticating the identity of the other party between the client device and the CA server includes:
101-1, the client device sends a certificate request and self device information Info to the CA server.
101-2, after receiving the certificate request, the CA server verifies the information Info of the client device, if the verification fails, the CA server discards the message, and if the verification passes, the CA server sends the digital certificate to the client device.
101-3, the client device verifies the validity of the digital certificate of the CA server according to the root certificate, if the verification fails, the client device discards the message, and if the verification passes, the identity authentication between the client device and the CA server passes.
And 102, if the identity authentication between the client equipment and the CA server is passed, the client equipment generates a self key pair and a certificate signing and issuing request according to a national cryptographic algorithm, and sends the certificate signing and issuing request and a self public key to the CA server.
And 103, the CA server generates a digital certificate according to the national cryptographic algorithm, the certificate issuing request and the public key information, and sends the digital certificate to the client equipment.
And step 104, the client device verifies the validity of the digital certificate according to the self key pair and the root certificate, if the verification fails, the client device discards the message, and if the verification passes, the client device stores the digital certificate as the self digital certificate.
Therefore, the method for issuing and managing the digital certificate of the industrial control system, provided by the embodiment of the invention, realizes the application of the PKI certificate management system in the industrial control system, and can uniformly issue the digital certificates of engineer stations, controllers and operator stations in the industrial control system.
Because the digital certificate has the validity period, the industrial control system digital certificate issuing management method provided by the embodiment of the invention further comprises the following steps:
and 105, the client device generates a shadow certificate signing and issuing request at a preset time before the self digital certificate expires, and sends the shadow certificate signing and issuing request and the self public key to the CA server.
Wherein the shadow certificate is a new digital certificate.
And 106, the CA server generates a shadow certificate according to the shadow certificate issuing request and the public key information and sends the shadow certificate to the client equipment.
And 107, the client device verifies the validity of the shadow certificate according to the key pair and the root certificate, if the verification fails, the client device discards the message, and if the verification passes, the client device stores the shadow certificate.
And step 108, when the digital certificate of the client device expires, the client device takes the shadow certificate as the digital certificate of the client device. This completes the update of the client device digital certificate.
In summary, the method for issuing and managing digital certificates of an industrial control system according to the embodiment of the present invention realizes application of a PKI certificate management system to the industrial control system, can uniformly issue and manage digital certificates of engineer stations, controllers, and operator stations in the industrial control system, and realizes efficient, safe, and flexible management of equipment certificates of the industrial control system, so as to prepare for using digital certificates in a communication process of the industrial control system, improve communication security of the entire industrial control system, and effectively reduce risks of hijacking or malicious tampering of communication.
Compared with a mainstream algorithm in foreign countries, the national cryptographic algorithm improves the safety and complexity of the whole algorithm on the cryptographic principle, has the advantages of strong attack resistance, high encryption speed, low system resource occupation, strong safety and the like, and meets the information safety requirements of an industrial control system.
Therefore, an embodiment of the present invention further provides an encrypted communication method for an industrial control system, where when each communication between a first client device and a second client device is started, the first client device and the second client device perform identity authentication and dynamic key agreement based on a digital certificate of both parties of communication, a root certificate of a CA server, and a national cryptographic algorithm, and if the identity authentication passes, perform encrypted communication between the first client device and the second client device according to a session key obtained after the national cryptographic algorithm and the key agreement. The method utilizes the characteristics that the digital certificate can not be forged and repudiated, and combines the advantages of the national cryptographic algorithm, such as strong attack resistance, high encryption speed, low system resource occupation and strong safety, to perform equipment identity authentication and dynamic key negotiation, thereby improving the communication safety of the whole industrial control system and effectively reducing the risk of hijacking or malicious tampering of communication.
An industrial control system encrypted communication method proposed according to an embodiment of the present invention is described below with reference to the accompanying drawings.
Fig. 2 is a flowchart illustrating an industrial control system encryption communication method according to an embodiment of the present invention.
As shown in fig. 2, the industrial control system encryption communication method includes the following steps:
step 201, when each communication between the first client device and the second client device is started, the first client device and the second client device perform identity authentication and dynamic key agreement based on the digital certificates of both communication parties, the root certificate of the CA server and the cryptographic algorithm. The client device certificate is obtained according to the industrial control system digital certificate issuing management method.
Specifically, as one embodiment, the session key is a symmetric key.
Specifically, as an embodiment, the identity authentication and dynamic key agreement between the first client device and the second client device based on the digital certificates of both parties of communication, the root certificate of the CA server, and the cryptographic algorithm includes:
201-1, the first client device generates a connection request and a first random number, and encrypts the first random number according to a private key and a national cryptographic algorithm of the first client device; the first client device sends the connection request, its digital certificate and the encrypted first random number to the second client device.
201-2, according to the root certificate of the CA server, the second client device verifies the validity of the digital certificate of the first client device, if the verification fails, the second client device discards the message, and returns to step 201, if the verification passes, the second client device generates a second random number, decrypts the encrypted first random number according to the public key carried in the digital certificate of the first client device, generates a session key according to the first random number and the second random number, and encrypts the second random number according to the private key of the second client device and a national encryption algorithm; the second client device sends its digital certificate, the session key, the decrypted first random number and the encrypted second random number to the first client device.
201-3, according to the root certificate of the CA server, the first client device verifies the validity of the digital certificate of the second client device and the decrypted first random number, if the verification fails, the first client device discards the message, and returns to step 201, if the verification passes, the first client device decrypts the encrypted second random number according to the public key carried in the digital certificate of the second client device, and encrypts the decrypted second random number according to the session key; the first client device sends the second random number encrypted by the session key to the second client device.
201-4, the second client device decrypts the second random number encrypted by the session key according to the session key, verifies the validity of the second random number decrypted by the session key, discards the message if the verification fails, returns to step 201, and sends a communication start notification to the first client device if the verification passes.
By adopting the mode of combining asymmetric encryption and symmetric encryption to carry out dynamic key negotiation, keys are different and cannot be forged in each interaction process, all communication data are encrypted and transmitted through a national cryptographic algorithm, even if the communication data are intercepted, an intercepting party can crack the communication data by spending exponential time, and the communication safety of the industrial control system is greatly ensured.
Specifically, the national secret algorithms include a national secret asymmetric encryption algorithm SM2, a national secret symmetric encryption algorithm SM4 and a national secret code hash algorithm SM 3. The national password asymmetric encryption algorithm is an elliptic curve encryption algorithm, and the national password symmetric encryption algorithm is a block cipher algorithm.
Step 202, if the identity authentication is passed, performing encrypted communication between the first client device and the second client device according to a session key obtained after a national cryptographic algorithm and key agreement.
Specifically, as an embodiment, performing encrypted communication between a first client device and a second client device according to a cryptographic algorithm and a session key obtained after key agreement includes: the first client device encrypts the service data according to the session key and the national cryptographic algorithm, and then sends the encrypted service data to the second client device.
In summary, the encrypted communication method for the industrial control system provided by the embodiment of the invention effectively utilizes the characteristics that the digital certificate cannot be repudiated or forged, limits unauthorized operation behaviors, and ensures the security of the communication identity authentication of the equipment; meanwhile, the encryption and decryption in the key negotiation process and the business communication process of the method are based on the national encryption algorithm, the advantages of strong attack resistance, high encryption speed, low system resource occupation and strong safety of the national encryption algorithm are fully utilized, the communication safety of the whole industrial control system is improved, and the industrial communication data is effectively prevented from being attacked such as falsified and seized.
It should be understood that the above description of specific embodiments of the present invention is only for the purpose of illustrating the technical lines and features of the present invention, and is intended to enable those skilled in the art to understand the contents of the present invention and to implement the present invention, but the present invention is not limited to the above specific embodiments. It is intended that all such changes and modifications as fall within the scope of the appended claims be embraced therein.

Claims (9)

1. A method for issuing and managing a digital certificate of an industrial control system is characterized by comprising the following steps:
when the industrial control system leaves a factory, data interaction for authenticating the identity of the other party is carried out between the client equipment and the CA server;
if the identity authentication between the client device and the CA server passes, the client device generates a self key pair and a certificate signing and issuing request according to a national cryptographic algorithm, and sends the certificate signing and issuing request and a self public key to the CA server; the CA server generates a digital certificate according to a state cryptographic algorithm, a certificate signing request and public key information, and sends the digital certificate to the client equipment;
if the client device verifies that the digital certificate passes the validity according to the own key pair and the root certificate, the digital certificate is stored to be used as the own digital certificate;
the client device includes an engineer station, a controller, and an operator station.
2. The method of claim 1, further comprising:
the client equipment generates a shadow certificate signing and issuing request at a preset moment before the digital certificate of the client equipment expires, and sends the shadow certificate signing and issuing request and a public key of the client equipment to a CA server;
the CA server generates a shadow certificate according to the shadow certificate issuing request and the public key information, and sends the shadow certificate to the client equipment;
if the client device verifies that the validity of the shadow certificate passes according to the own key pair and the root certificate, storing the shadow certificate;
and when the self digital certificate expires, the client device takes the shadow certificate as the self digital certificate.
3. The method of claim 1, wherein the data interaction between the client device and the CA server for authenticating the identity of the other party comprises:
the client equipment sends a certificate request and self equipment information to a CA server;
the CA server verifies the information of the client equipment after receiving the certificate request, and if the verification is passed, the CA server sends a digital certificate of the CA server to the client equipment;
and the client equipment verifies the validity of the digital certificate of the CA server according to the root certificate, and if the verification is passed, the identity authentication between the client equipment and the CA server is passed.
4. An industrial control system encrypted communication method, comprising:
when each communication between the first client device and the second client device is started, the first client device and the second client device perform identity authentication and dynamic key agreement based on digital certificates of both communication parties, a root certificate of a CA server and a national cryptographic algorithm;
if the identity authentication is passed, encrypted communication is carried out between the first client equipment and the second client equipment according to a session key obtained after the national cryptographic algorithm and the key negotiation;
the digital certificates of both communication parties are obtained according to the industrial control system digital certificate issuing management method of any one of claims 1 to 3.
5. The method of claim 4, wherein the session key is a symmetric key.
6. The method of claim 4, wherein the performing identity authentication and dynamic key agreement between the first client device and the second client device based on the digital certificates of both parties of communication, the root certificate of the CA server, and the cryptographic algorithm comprises:
the first client equipment generates a connection request and a first random number, and encrypts the first random number according to a private key of the first client equipment and a national cryptographic algorithm;
the first client device sends a connection request, a digital certificate of the first client device and the encrypted first random number to the second client device;
according to a root certificate of a CA server, the second client equipment verifies the validity of a digital certificate of the first client equipment, if the verification is passed, the second client equipment generates a second random number, decrypts the encrypted first random number according to a public key carried in the digital certificate of the first client equipment, generates a session key according to the first random number and the second random number, and encrypts the second random number according to a private key of the second client equipment and a national encryption algorithm;
the second client device sends the digital certificate of the second client device, the session key, the decrypted first random number and the encrypted second random number to the first client device;
according to the root certificate of the CA server, the first client side equipment verifies the validity of the digital certificate of the second client side equipment and the decrypted first random number, if the verification is passed, the first client side equipment decrypts the encrypted second random number according to a public key carried in the digital certificate of the second client side equipment, and encrypts the decrypted second random number according to a session key;
the first client device sends the second random number encrypted by the session key to the second client device;
and the second client equipment decrypts the second random number encrypted by the session key according to the session key, verifies the validity of the second random number decrypted by the session key, and sends a communication start notification to the first client equipment if the verification is passed.
7. The method of claim 6, wherein the encrypted communication between the first client device and the second client device according to the cryptographic algorithm and the session key obtained after the key agreement comprises:
the first client device encrypts the service data according to the session key and the national cryptographic algorithm, and then sends the encrypted service data to the second client device.
8. The method of claim 4, wherein the national secret algorithm comprises a national secret asymmetric encryption algorithm, a national secret symmetric encryption algorithm and a national secret code hash algorithm.
9. The method of claim 8, wherein the cryptographic asymmetric encryption algorithm is an elliptic curve encryption algorithm; the national password symmetric encryption algorithm is a block cipher algorithm.
CN202110020753.9A 2021-01-08 2021-01-08 Industrial control system digital certificate issuing management method and encrypted communication method Pending CN112350826A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110020753.9A CN112350826A (en) 2021-01-08 2021-01-08 Industrial control system digital certificate issuing management method and encrypted communication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110020753.9A CN112350826A (en) 2021-01-08 2021-01-08 Industrial control system digital certificate issuing management method and encrypted communication method

Publications (1)

Publication Number Publication Date
CN112350826A true CN112350826A (en) 2021-02-09

Family

ID=74427472

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110020753.9A Pending CN112350826A (en) 2021-01-08 2021-01-08 Industrial control system digital certificate issuing management method and encrypted communication method

Country Status (1)

Country Link
CN (1) CN112350826A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112731897A (en) * 2021-04-06 2021-04-30 浙江中控技术股份有限公司 Industrial control system communication method and system based on tunnel encryption and decryption
CN113364582A (en) * 2021-05-11 2021-09-07 国网浙江省电力有限公司电力科学研究院 Method for communication key configuration and update management in transformer substation
CN113810411A (en) * 2021-09-17 2021-12-17 公安部交通管理科学研究所 Traffic control facility digital certificate management method and system
CN113905359A (en) * 2021-08-24 2022-01-07 福建升腾资讯有限公司 Bluetooth safety communication method, device, equipment and medium for bank peripheral
CN114070649A (en) * 2021-12-15 2022-02-18 武汉天喻信息产业股份有限公司 Method and system for secure communication between devices
CN114172740A (en) * 2021-12-16 2022-03-11 广州城市理工学院 Distribution network certificate verification-based power distribution network secure access method
CN114710289A (en) * 2022-06-02 2022-07-05 确信信息股份有限公司 Internet of things terminal secure registration and access method and system
CN114745134A (en) * 2022-03-30 2022-07-12 恒玄科技(上海)股份有限公司 Method, system, equipment and computer readable medium for transferring media data stream
CN115664648A (en) * 2022-10-17 2023-01-31 山东新一代信息产业技术研究院有限公司 Dynamic key generation method without manual input in IROS

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106936790A (en) * 2015-12-30 2017-07-07 上海格尔软件股份有限公司 The method that client and server end carries out two-way authentication is realized based on digital certificate
CN110099072A (en) * 2019-05-21 2019-08-06 唯伊云(武汉)科技有限公司 A kind of safety protecting method being directed to industrial data transmission of internet of things
CN111614637A (en) * 2020-05-08 2020-09-01 郑州信大捷安信息技术股份有限公司 Secure communication method and system based on software cryptographic module

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106936790A (en) * 2015-12-30 2017-07-07 上海格尔软件股份有限公司 The method that client and server end carries out two-way authentication is realized based on digital certificate
CN110099072A (en) * 2019-05-21 2019-08-06 唯伊云(武汉)科技有限公司 A kind of safety protecting method being directed to industrial data transmission of internet of things
CN111614637A (en) * 2020-05-08 2020-09-01 郑州信大捷安信息技术股份有限公司 Secure communication method and system based on software cryptographic module

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022213535A1 (en) * 2021-04-06 2022-10-13 浙江中控技术股份有限公司 Industrial control system communication method and system based on tunnel encryption and decryption
CN112731897A (en) * 2021-04-06 2021-04-30 浙江中控技术股份有限公司 Industrial control system communication method and system based on tunnel encryption and decryption
CN113364582B (en) * 2021-05-11 2022-07-12 国网浙江省电力有限公司电力科学研究院 Method for communication key configuration and update management in transformer substation
CN113364582A (en) * 2021-05-11 2021-09-07 国网浙江省电力有限公司电力科学研究院 Method for communication key configuration and update management in transformer substation
CN113905359A (en) * 2021-08-24 2022-01-07 福建升腾资讯有限公司 Bluetooth safety communication method, device, equipment and medium for bank peripheral
CN113905359B (en) * 2021-08-24 2023-11-10 福建升腾资讯有限公司 Bluetooth safety communication method, device, equipment and medium for bank peripheral equipment
CN113810411A (en) * 2021-09-17 2021-12-17 公安部交通管理科学研究所 Traffic control facility digital certificate management method and system
CN113810411B (en) * 2021-09-17 2023-02-14 公安部交通管理科学研究所 Traffic control facility digital certificate management method and system
CN114070649A (en) * 2021-12-15 2022-02-18 武汉天喻信息产业股份有限公司 Method and system for secure communication between devices
CN114172740A (en) * 2021-12-16 2022-03-11 广州城市理工学院 Distribution network certificate verification-based power distribution network secure access method
CN114745134A (en) * 2022-03-30 2022-07-12 恒玄科技(上海)股份有限公司 Method, system, equipment and computer readable medium for transferring media data stream
CN114710289A (en) * 2022-06-02 2022-07-05 确信信息股份有限公司 Internet of things terminal secure registration and access method and system
CN115664648A (en) * 2022-10-17 2023-01-31 山东新一代信息产业技术研究院有限公司 Dynamic key generation method without manual input in IROS

Similar Documents

Publication Publication Date Title
CN112350826A (en) Industrial control system digital certificate issuing management method and encrypted communication method
CN108390851B (en) Safe remote control system and method for industrial equipment
US9979553B2 (en) Secure certificate distribution
US9043598B2 (en) Systems and methods for providing secure multicast intra-cluster communication
US20200358764A1 (en) System and method for generating symmetric key to implement media access control security check
US6839841B1 (en) Self-generation of certificates using secure microprocessor in a device for transferring digital information
CN104506534A (en) Safety communication secret key negotiation interaction scheme
CN105790938A (en) System and method for generating safety unit key based on reliable execution environment
EP1151579A2 (en) Self-generation of certificates using a secure microprocessor in a device for transferring digital information
US20160344725A1 (en) Signal haystacks
CN113572601B (en) VNC remote safety communication method based on national secret TLS
CN110300287B (en) Access authentication method for public safety video monitoring networking camera
CN105162808A (en) Safety login method based on domestic cryptographic algorithm
CN108632251A (en) Authentic authentication method based on cloud computing data service and its Encryption Algorithm
CN111010399A (en) Data transmission method and device, electronic equipment and storage medium
KR101481403B1 (en) Data certification and acquisition method for vehicle
CN111654503A (en) Remote control method, device, equipment and storage medium
CN110519222B (en) External network access identity authentication method and system based on disposable asymmetric key pair and key fob
CN113221136B (en) AIS data transmission method, AIS data transmission device, electronic equipment and storage medium
CN102739660B (en) Key exchange method for single sign on system
CN103856463A (en) Lightweight directory access protocol realizing method and device based on key exchange protocol
CN107276755B (en) Security association method, device and system
US11570008B2 (en) Pseudonym credential configuration method and apparatus
CN116633530A (en) Quantum key transmission method, device and system
EP3133766B1 (en) Communication device and method for performing encrypted communication in multipoint networks

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20210209