CN112422223A - TCP/IP-based time synchronization device, time synchronization method and time mark monitoring system - Google Patents
TCP/IP-based time synchronization device, time synchronization method and time mark monitoring system Download PDFInfo
- Publication number
- CN112422223A CN112422223A CN202011227032.7A CN202011227032A CN112422223A CN 112422223 A CN112422223 A CN 112422223A CN 202011227032 A CN202011227032 A CN 202011227032A CN 112422223 A CN112422223 A CN 112422223A
- Authority
- CN
- China
- Prior art keywords
- time
- time synchronization
- synchronization device
- tcp
- instruction sequence
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04J—MULTIPLEX COMMUNICATION
- H04J3/00—Time-division multiplex systems
- H04J3/02—Details
- H04J3/06—Synchronising arrangements
- H04J3/0635—Clock or time synchronisation in a network
- H04J3/0638—Clock or time synchronisation among nodes; Internode synchronisation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Abstract
The invention discloses a TCP/IP-based time synchronization device, a time synchronization method and a time mark monitoring system. The device includes: the time mark request terminal comprises a time mark request terminal service module, a time service module and a relay module; the time mark request end service module interacts with a time service module of a previous time synchronization device through an encryption security instruction sequence, so that the time mark of the current time synchronization device is adjusted; and the time service module sends a time scale adjusting instruction to the next-stage time synchronization device after decrypting the encrypted safety instruction sequence sent by the next-stage time synchronization device. The invention adopts an active mode under the conditions of not crossing a safety device and not purchasing an additional hardware satellite clock, actively initiates the time setting requirement from a high-safety area, realizes reverse time scale transmission, solves the time setting problem of subordinate accessed sub-stations, reduces the cost, improves the safety and is convenient for centralized management.
Description
Technical Field
The invention relates to the technical field of network time synchronization, in particular to a TCP/IP-based time synchronization device, a time synchronization method and a time mark monitoring system.
Background
The existing NTP/PPT and other related network time synchronization protocol systems need bidirectional data stream interaction to realize accurate time synchronization, a physical single isolation device does not allow a common TCP/UDP network message to reversely pass through a network gate, so that the NTP time synchronization protocol cannot safely issue a time mark from an outer network side to an inner network side of the physical isolation device, a center satellite clock and core services of the existing information system are intensively deployed at the outer network side of a substation isolation device, and the general time synchronization protocol cannot meet the time synchronization requirement of the network structure.
As shown in fig. 1, the master station side clock is deployed at L4 level, and through firewalls and other network security device configurations, NTP/PPT pair messages can be allowed to pass backward between L4 and L2 (collecting data stream is directed to the master station from the slave station), but cannot pass through L2 to L1.
The conventional hardware solution needs to adopt unsafe cross-region time service or increase clock hardware (for example, a clock is installed on each substation on an L1 layer, or reverse isolation is installed on each substation between L1-L2), but the conventional hardware solution has the problems that the basic requirements of network security protection cannot be met or a large amount of capital investment is required, and the system is complicated and network weak links are increased.
Disclosure of Invention
The invention aims to provide a TCP/IP-based time setting device, a time setting method and a time scale monitoring system, which adopt an active mode to actively initiate time setting requirements from a high-safety area under the conditions of not crossing a safety device and not purchasing an additional hardware satellite clock, realize reverse time scale transmission, solve the time setting problem of subordinate accessed sub-stations, reduce the cost, improve the safety and facilitate centralized management.
In order to achieve the purpose, the invention provides the following scheme:
a time synchronization device based on TCP/IP reverse unidirectional isolation is arranged in each hierarchical structure of TCP/IP;
the time setting device comprises:
the time mark request terminal comprises a time mark request terminal service module, a time service module and a relay module;
the time mark request end service module is used for generating a safety instruction sequence, encrypting the safety instruction sequence and interacting with the time service module of the previous time synchronization device through the encrypted safety instruction sequence so as to adjust the time mark of the current time synchronization device;
the time service module is used for sending a time mark adjusting instruction to the time mark request service module of the next-stage time synchronization device after decrypting the encrypted safety instruction sequence sent by the time mark request end service module of the next-stage time synchronization device;
the relay module is used for receiving and storing the time mark data sent by the time mark request end service module of the next-stage time synchronization device, combining the time mark data with the time mark data of the current time synchronization device and then sending the time mark data to the relay module of the previous-stage time synchronization device.
Optionally, the relay module is further configured to perform identity verification on time stamp data sent by a time stamp request end service module of the next-stage time comparison device, delete data that does not pass identity verification, and store data that passes identity verification.
Optionally, the time mark request service is further configured to stop interoperation with the time service module of the previous time mark comparison device after a preset time for waiting for the time mark adjustment instruction is exceeded, or update the safety instruction sequence when the received time mark adjustment instruction is not satisfactory.
Optionally, the time service module is further configured to identify an identity of a next-stage time synchronization device through the identity information of the current time synchronization device, and further configured to perform an encryption or decryption operation through a key of the current time synchronization device.
Alternatively to this, the first and second parts may,
the security level of the TCP/IP level of the next time tick device is higher than that of the TCP/IP level of the current time tick device;
the security level of the TCP/IP level of the current time tick device is higher than that of the TCP/IP level of the last time tick device;
the safety instruction sequence is a binary sequence with the length being larger than N; wherein N is an integer greater than 3;
the time mark adjusting instruction is a 1bit instruction.
The invention also provides a time synchronization method based on TCP/IP reverse unidirectional isolation, which is applied to the time synchronization device based on TCP/IP reverse unidirectional isolation;
the time setting method comprises the following steps:
acquiring an encrypted security instruction sequence sent by a next-stage time synchronization device;
and after the encrypted safety instruction sequence is decrypted, a time mark adjusting instruction is sent to a time mark request service module of the next-stage time-setting device.
Optionally, before the obtaining of the encrypted secure instruction sequence sent by the next-stage time synchronization device, the method further includes:
acquiring and verifying identity verification information sent by a next-stage time synchronization device; if the verification is successful, executing the step of obtaining the encrypted security instruction sequence sent by the next-stage time synchronization device; and if the verification fails, stopping time synchronization.
Optionally, the time scale adjustment instruction is a 1-bit instruction.
The invention also provides a time synchronization method based on the TCP/IP reverse unidirectional isolation, which is applied to the time synchronization device based on the TCP/IP reverse unidirectional isolation;
the time setting method comprises the following steps:
generating a secure instruction sequence and encrypting the secure instruction sequence;
sending an encryption safety instruction sequence to an upper-level time synchronization device;
receiving a time scale adjusting instruction sent by the upper-stage time synchronization device;
and carrying out time scale adjustment according to the time scale adjustment instruction.
Optionally, before the generating a secure instruction sequence and encrypting the secure instruction sequence, the method further includes:
and sending identity authentication information to the last-stage time synchronization device.
Optionally, after receiving the time scale adjustment instruction sent by the previous-stage time-synchronizing device, the method further includes:
judging whether the timing time exceeds the preset time of the waiting time scale adjustment instruction; the timing time is the time after the encryption safety instruction sequence is sent and before the time scale adjustment instruction is received;
if the current time synchronization rate exceeds the preset time synchronization rate, stopping time synchronization operation with the previous-stage time synchronization device;
if not, continuing to receive the time scale adjustment instruction sent by the last-stage time-setting device.
Optionally, after receiving the time scale adjustment instruction sent by the previous-stage time-synchronizing device, the method further includes:
judging whether the time scale adjusting instruction meets the requirement or not; if the time mark is in accordance with the requirement, executing the step of carrying out time mark adjustment according to the time mark adjustment instruction; if the safety instruction sequence does not meet the requirement, updating the safety instruction sequence, and returning to the step of sending the encrypted safety instruction sequence to the upper-level time synchronization device after encrypting the updated safety instruction sequence.
Optionally, the time scale adjustment instruction is a 1-bit instruction.
The invention also provides a time scale monitoring system, comprising:
the top monitoring module and the time synchronization device based on the TCP/IP reverse unidirectional isolation; the top monitoring module is positioned at a network interface layer of the TCP/IP; the number of the time synchronization devices is multiple;
the plurality of time synchronization devices are cascaded, and the top monitoring module is connected with a relay module in the top time synchronization device; the top time synchronization device is positioned at a network interface layer of the TCP/IP;
and the top monitoring module is used for receiving the time scale data transmitted by the relay module in the top time alignment device and performing time difference analysis according to the time scale data.
Optionally, the method further includes:
a human-machine data interface;
the human-computer data interface is connected with the top layer monitoring module;
and the man-machine data interface is used for receiving the time difference analysis result transmitted by the top layer monitoring module and sending an alarm signal when the time difference exceeds a preset time difference.
Compared with the prior art, the invention has the beneficial effects that:
the invention provides a time synchronization device and a time synchronization method based on TCP/IP, wherein the time synchronization device comprises a time mark request terminal service module, a time service module and a relay module; the time mark request end service module interacts with a time service module of a previous time synchronization device through an encryption security instruction sequence, so that the time mark of the current time synchronization device is adjusted; and the time service module sends a time scale adjusting instruction to the next-stage time synchronization device after decrypting the encrypted safety instruction sequence sent by the next-stage time synchronization device. The invention adopts an active mode under the conditions of not crossing a safety device and not purchasing an additional hardware satellite clock, actively initiates the time setting requirement from a high-safety area, realizes reverse time scale transmission, solves the time setting problem of subordinate accessed sub-stations, reduces the cost, improves the safety and is convenient for centralized management.
In addition, the time mark request end service stops the interactive operation with the time service module of the previous time mark device after the preset time of the waiting time mark adjusting instruction is exceeded, and by setting response overtime monitoring, after the connection is hijacked or the middle link artificially grabs a packet, even if the original safety instruction sequence is monitored or leaked, the unsafe connection can be abandoned due to overtime or error instructions, and the safety instruction sequence is exchanged again, so that the identity attack cannot be forged. Meanwhile, the time mark request end service updates the safety instruction sequence when the received time mark adjusting instruction does not meet the requirement, so that the low-safety area is prevented from transmitting the malicious time mark instruction to the high-safety area.
The invention also provides a time scale monitoring system, which comprises a top monitoring module and a plurality of time-setting devices, wherein the time-setting devices are cascaded, and a relay module of the time-setting device receives and stores the time scale data sent by the time scale request end service module of the next time-setting device, combines the time scale data with the time scale data of the current time-setting device and then sends the time scale data to the relay module of the previous time-setting device; and the top monitoring module receives the time mark data transmitted by the relay module in the time device and performs time difference analysis according to the time mark data, so that the time mark data of each TCP/IP hierarchy can be monitored through the top.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without inventive exercise.
FIG. 1 is a schematic diagram of a prior art NTP/PPT system;
FIG. 2 is a diagram of a time synchronization apparatus according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a time scale delivery process according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to provide a TCP/IP-based time setting device, a time setting method and a time scale monitoring system, which adopt an active mode to actively initiate time setting requirements from a high-safety area under the conditions of not crossing a safety device and not purchasing an additional hardware satellite clock, realize reverse time scale transmission, solve the time setting problem of subordinate accessed sub-stations, reduce the cost, improve the safety and facilitate centralized management.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Examples
Fig. 2 is a schematic diagram of a time synchronization device according to an embodiment of the present invention, and as shown in fig. 2, the time synchronization device is based on reverse unidirectional isolation of TCP/IP and is disposed in each hierarchical structure of TCP/IP.
The time synchronization device comprises:
the system comprises a time mark request terminal service module, a time service module and a relay module.
The time mark request end service module is used for generating a safety instruction sequence and encrypting the safety instruction sequence, and the time mark of the current time synchronization device is adjusted through interaction of the encrypted safety instruction sequence and the time service module of the previous time synchronization device. The time mark request end service is also used for stopping the interactive operation with the time service module of the previous time mark device after the preset time for waiting the time mark adjusting instruction is exceeded, or updating the safety instruction sequence when the received time mark adjusting instruction is not in accordance with the requirement. Wherein, the time mark adjusting instruction is a 1bit instruction; the safety instruction sequence is a binary sequence with the length larger than N, and N is an integer larger than 3.
The time service module is used for sending a time mark adjusting instruction to the time mark request service module of the next-stage time synchronization device after decrypting the encrypted security instruction sequence sent by the time mark request service module of the next-stage time synchronization device. The time service module is also used for identifying the identity of the next-level time synchronization device through the identity information of the current time synchronization device and carrying out encryption or decryption operation through the key of the current time synchronization device.
The relay module is used for receiving and storing the time mark data sent by the time mark request end service module of the next-stage time synchronization device, combining the time mark data with the time mark data of the current time synchronization device and then sending the time mark data to the relay module of the previous-stage time synchronization device. The relay module is also used for carrying out identity verification on the time mark data sent by the time mark request end service module of the next-stage time synchronization device, deleting the data which does not pass the identity verification, and storing the data which passes the identity verification.
The security level of the TCP/IP layer of the next time-tick device (device 1, the installation position is at the L1 layer) is higher than that of the current time-tick device. The security level of the TCP/IP layer of the current time tick device (device 2, the installation position is at the L2 layer) is higher than that of the TCP/IP layer of the last time tick device.
A schematic diagram of the time stamp delivery process is shown in fig. 3.
In fig. 3, the dotted line is a security boundary to be passed through in the time scale transmission process, the dark arrow indicates the data flow in the outflow direction, and the light arrow indicates the reverse single-bit response; the time mark request end service, the relay module and the time service module form one layer in the longitudinal direction, and the top layer monitoring is the highest layer in the longitudinal direction; the safety instruction sequence is dynamically generated when communication is established, and is a rule that a sending end and a receiving end must obey, otherwise, the time synchronization connection is abandoned; the whole time synchronization system can longitudinally extend among multiple isolation layers and is synchronous step by step, but a human-computer interface is only opened at the top layer, service is provided for third-party general applications (Web, APP and the like), and time scale monitoring and early warning of the whole system are achieved.
Specific functional description of each module:
each level (level, represented by capital L) of the time synchronization system consists of four parts, namely a time scale request end service part, a relay module, a time service module, a local id and a public key. These parts are deployed collectively in one device, where:
the time mark request end service has three functions, namely, synchronizing a local current time mark and legal data received by a current-stage relay module to the previous-stage relay module under the condition of having an identity mark, generating a safety instruction sequence before starting time setting, sending the safety instruction sequence to the previous-stage time service module in a ciphertext mode, and interacting with the previous-stage time service module to safely adjust the local time mark.
And the relay module is responsible for receiving and storing the time mark from the next stage of synchronization, judging whether the corresponding time mark identity is correct, and sharing the received data with the service of the time mark request terminal to finally realize the stage-by-stage synchronization.
And the time service module responds to the time synchronization request and the safety request sent by the next-stage time scale request end service, receives the time synchronization request and verifies whether the next-stage request is reasonable or not according to the safety instruction sequence.
The local id and public key, static data, are used to indicate identity and provide encryption and decryption keys.
The whole system applies the 1bit safety response message of the existing physical one-way isolating device, collects the safe transmission time scale of the host from the outside of the one-way isolating device to the inside of the one-way isolating device in the same time zone, realizes time synchronization error control, and meets the requirement of second-level real-time monitoring on the safety time synchronization of the database system.
Different from the existing passive time service system in the time synchronization stage, the system always adopts an active mode, the high-security area actively initiates the demand and provides a security rule (a security instruction sequence), the low-security area must follow the corresponding rule, and the identity is reliable (a private key is held), so that the reverse-threading of the physical isolation device can be started for time synchronization. On one hand, the cost is reduced and the safety is improved under the existing condition, and on the other hand, zero-cost time scale transmission is realized when the long-term substation is subjected to extended access, so that the long-term and universal significance is achieved.
The invention provides a time synchronization method based on TCP/IP reverse unidirectional isolation, which is applied to a time synchronization device based on TCP/IP reverse unidirectional isolation.
The time synchronization method comprises the following steps:
1) acquiring and verifying identity verification information sent by a next-stage time synchronization device; if the verification is successful, executing the step of obtaining an encrypted security instruction sequence sent by the next-stage time synchronization device; and if the verification fails, stopping time synchronization.
2) And acquiring an encrypted security instruction sequence sent by the next-stage time synchronization device.
3) And after the encrypted safety instruction sequence is decrypted, a time mark adjusting instruction is sent to a time mark request service module of the next-stage time setting device.
Wherein the content of the first and second substances,
after decrypting the encrypted security instruction sequence, sending a time mark adjustment instruction to a time mark request service module of a next-stage time setting device, specifically comprising:
a. the current time setting device acquires an allowable time error and a safety instruction sequence; the secure instruction sequence is a binary sequence.
b. The current time synchronization device divides the safety instruction sequence into a plurality of feedback instructions; each feedback command is a single bit of data.
c. The current time synchronization device selects a feedback instruction, sends the selected feedback instruction to the next-stage time synchronization device, and records a first time point.
d. And the current time synchronization device receives the next-level time synchronization device time mark sent by the next-level time synchronization device, and records a second time point and the current time synchronization device time when receiving the next-level time synchronization device time mark.
e. And the current time setting device determines the communication error according to the first time point, the second time point and the length of the safety command sequence.
The communication error is determined according to the following formula:
ttl=(∑△tn)/(2*N)
wherein the content of the first and second substances,
△tn=t2-t1
wherein ttl represents a communication error,. DELTA.tnIndicating the time difference, t1 indicating a first point in time, t2 indicating a second point in time, N indicating the length of the sequence of safety instructions, N ≧ 3.
f. And the current time synchronization device generates a time mark adjusting instruction according to the communication error, the allowable time error, the next-stage time synchronization device time mark and the current time synchronization device time, and sends the time mark adjusting instruction to the next-stage time synchronization device.
The step f specifically comprises the following steps:
calculating the difference between the sum of the time scale and the communication error of the next-stage time setting device and the time of the current time setting device to obtain a calculated value;
judging whether the calculated value is larger than the allowable time error or smaller than the negative value of the allowable time error to obtain a second judgment result;
if the second judgment result is negative, the time scale adjustment instruction is not generated;
if the second judgment result is yes, judging whether the calculated value is larger than the allowable time error or not to obtain a third judgment result;
if the third judgment result is yes, judging that the time advance of the next-stage time synchronization device is obtained, and sending the selected feedback instruction to the next-stage time synchronization device after negating the feedback instruction;
if the third judgment result is negative, the time lag of the next-stage time synchronization device is judged, and the selected feedback instruction is sent to the next-stage time synchronization device.
g. The current time synchronization device judges whether all feedback instructions are selected or not to obtain a first judgment result; if the first judgment result is negative, returning to the step d.
The invention also provides a time synchronization method based on the TCP/IP reverse unidirectional isolation, which is applied to a time synchronization device based on the TCP/IP reverse unidirectional isolation.
The time synchronization method comprises the following steps:
1) and sending authentication information to the upper-level time synchronization device.
2) A sequence of secure instructions is generated and encrypted.
3) And sending an encryption safety instruction sequence to the upper-level time synchronization device.
4) And receiving a time scale adjusting instruction sent by the upper-level time synchronization device.
After receiving the time scale adjustment instruction sent by the previous time comparison device, the method further comprises the following steps:
judging whether the timing time exceeds the preset time of the waiting time scale adjustment instruction; the timing time is the time after the encryption safety command sequence is sent and before the time mark adjusting command is received;
if the current time synchronization rate exceeds the preset time synchronization rate, stopping time synchronization operation with the previous-stage time synchronization device;
if not, continuing to receive the time scale adjustment instruction sent by the last-stage time-setting device.
In addition, after receiving the time scale adjustment instruction sent by the previous time scale device, the method further includes:
judging whether the time scale adjusting instruction meets the requirement or not; if the time mark meets the requirement, executing the step of performing time mark adjustment according to the time mark adjustment instruction; if the safety instruction sequence does not meet the requirement, updating the safety instruction sequence, and returning to the step of sending the encrypted safety instruction sequence to the upper-level time synchronization device after encrypting the updated safety instruction sequence.
5) And performing time scale adjustment according to the time scale adjustment instruction.
Wherein the content of the first and second substances,
performing time scale adjustment according to the time scale adjustment instruction, specifically including:
a. judging whether the received time scale adjustment instruction is the same as the safety instruction sequence or not to obtain a first judgment result; if the first judgment result is yes, executing the step b; if the first judgment result is negative, executing the step c.
b. And the timed end adjusts the time scale positively.
c. The time service end judges whether the received time scale adjustment instruction is opposite to the safety instruction sequence or not to obtain a fifth judgment result; if the second judgment result is yes, executing the step d; and if the second judgment result is negative, executing the step e.
And d, carrying out negative timing adjustment on the time-service end.
And e, the time service end updates the safety instruction sequence and sends the updated safety instruction sequence to the time service end.
Wherein, the adjustment quantity of the positive adjustment time scale and the negative adjustment time scale are both D/D; wherein D represents the allowable time error, D represents the time scale adjustment step size, and D > 2.
As shown in fig. 2, the time scale calibration steps provided by the present invention are as follows:
s0, preparing, time mark requesting server to read the information stored by local id, private key, for encryption and decryption and identity indication in following communication.
S1, device 1 issues a handshake message to device 2 indicating the identity.
S2, the device 2 reads the local id and the private key to identify the identity of the other party, if the identity is correct, the device continues, and if the identity is incorrect, the time setting process is abandoned.
The steps S3 and S3 are triggered only when two devices communicate for the first time, wherein one part is that the device 1 generates a safety command sequence through encryption and sends the safety command sequence to the device 2, and the other part is that the local safety command sequence is synchronously updated, so that the command sequences of the two devices are synchronous.
S4 and S4 are triggered only when two devices communicate for the first time, and the device 2 queries and decrypts a private key by using an id to obtain a correct security instruction sequence on the opposite side and stores the correct security instruction sequence.
S5, device 2 loops through the secure command sequence and resolves to a 1bit command (AdjustCMD).
S6, the device 2 feeds back adjust cmd to the device 1, and if the device 1 does not acquire the packet for a long time, the connection is abandoned and the time synchronization is terminated.
S7, device 1 receives the instruction, compares it with the sequence of the safety instruction, and confirms the direction of the time mark adjustment (positive or negative).
Then, repeating S1 to S7 (S3 and S4 are not included any more unless the communication is reestablished after abnormality), the time scale adjustment can be completed, and the time difference between S1 and S6 can be calculated for errors caused by communication delay in the transmission process.
As shown in fig. 3, the present invention further provides a time scale monitoring system, including:
the system comprises a top monitoring module, a time synchronization device based on TCP/IP reverse unidirectional isolation and a human-computer data interface.
The top monitoring module is positioned at a network interface layer of the TCP/IP; the number of the time synchronization devices is multiple. The system comprises a plurality of time synchronization devices, a top monitoring module and a relay module, wherein the time synchronization devices are cascaded, and the top monitoring module is connected with the relay module in the top time synchronization device; the top time tick device is located at the network interface layer of TCP/IP. And the top monitoring module is used for receiving the time mark data transmitted by the relay module in the top time device and carrying out time difference analysis according to the time mark data.
The human-computer data interface is connected with the top layer monitoring module; and the man-machine data interface is used for receiving the time difference analysis result transmitted by the top monitoring module and sending an alarm signal when the time difference exceeds a preset time difference.
In particular, the method comprises the following steps of,
when the time is synchronized to the top and monitoring needs to be carried out, a top monitoring module, a man-machine data interface and an id _ list are introduced. The introduced functions of the modules are as follows:
and the top monitoring module receives the data uploaded step by step, analyzes the time difference and provides the analysis result for the man-machine data interface.
And the human-computer data interface provides a monitoring auxiliary function, reads the analysis result of the top monitoring module, gives an alarm when the time difference is too large, performs unified processing on the data, and facilitates the reading of the visual application of a third party.
id _ list, white list, time mark from multi-stage synchronization, and adding data from device synchronization with only verifiable identity into analysis list to avoid malicious interference.
As shown in fig. 2, the time scale monitoring steps provided by the present invention are as follows:
k0, the device 1 reads the local relay module, tests whether there is data from the next synchronization stage, and merges the data.
K1, device 1 sends the local timestamp and the data combined by the relay module to device 2.
K2, device 2 checks the data sent by device 1, if the identity is reasonable, if it is not reasonable, then the data is merged and stored in the relay module.
And K3, the device 2 reads the local relay module, tests whether the next level of synchronous data exists, and merges the data, which is actually the K0 link of the device 2, thereby realizing cascade connection and being capable of transmitting the time mark data to be monitored step by step.
In the process, only one link of S6 needs reverse communication, and only 1bit instruction needs to be used, and the reverse transmission can be carried out on the physical isolation device, so that the system has the capability of being deployed on a power physical isolation network.
The invention applies the 1bit safety response message of the existing physical one-way isolating device, collects the safe transmission time scale of the host from the outside of the one-way isolating device to the inside of the one-way isolating device in the same time zone, realizes the time synchronization error control, and meets the requirement of the second-level real-time monitoring for the safety time synchronization of the database system.
Different from the existing passive time service system in the time synchronization stage, the system always adopts an active mode, the high-security area actively initiates the demand and provides a security rule (a security instruction sequence), the low-security area must follow the corresponding rule, and the identity is reliable (a private key is held), so that the reverse-threading of the physical isolation device can be started for time synchronization. On one hand, the cost is reduced and the safety is improved under the existing condition, and on the other hand, zero-cost time scale transmission is realized when the long-term substation is subjected to extended access, so that the long-term and universal significance is achieved.
From the security aspect:
a. the MAC/port binding technology of the isolation device and the hardware security brought by virtual address communication are fully utilized.
b. Secure instruction sequence rules and encrypted delivery. The safety instruction sequence is generated by the high safety area, encrypted by the public key and transmitted to the server side of the second safety area in a one-way mode, the low safety area obtains an available safety instruction sequence after being decrypted by the private key, during response, the response is regulated according to the safety instruction sequence, and the time mark request module of the high safety area can analyze the meaning of the adjustment instruction by the same instruction sequence and adjust the local time. Any illegal command which is not in accordance with the safety command sequence is terminated to carry out time setting, so that the low-safety area is prevented from transmitting a malicious time setting command to the high-safety area.
c. Dynamic instruction sequencing and response monitoring. Another measure for ensuring the security is that the security instruction sequence is dynamically generated each time when handshake is established for the time synchronization connection, response overtime monitoring is set, and even if the original security instruction sequence is monitored or leaked after the connection is hijacked or the intermediate link artificially grabs a packet, the insecure connection can be abandoned due to overtime or wrong instructions, and the security instruction sequence is exchanged again, so that identity attack cannot be forged.
d. All time synchronization terminals need to be manually allocated with ids and statically stored in the time synchronization terminal, and the difference from the conventional time synchronization is that the relay module and the time service module both check whether the requested ids are in a list, so as to ensure that no malicious attack facing the connection exists.
From the portability aspect:
a. the user side adjusts the time stamp based on the libc interface, adopts cross-platform language compilation and supports linux or linux-like systems on various hardware platforms such as ARM, X86 and AMD 64.
b. Low cost hardware modularization
All levels of time setting functions can be modularized into an embedded time setting device, and even if a target system is a one-way network system of a non-linux system, the device can provide safe and universal time setting service.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In summary, this summary should not be construed to limit the present invention.
Claims (13)
1. A time synchronization device based on TCP/IP reverse unidirectional isolation is characterized in that the time synchronization device is arranged in each hierarchical structure of TCP/IP;
the time setting device comprises:
the time mark request terminal comprises a time mark request terminal service module, a time service module and a relay module;
the time mark request end service module is used for generating a safety instruction sequence, encrypting the safety instruction sequence and interacting with the time service module of the previous time synchronization device through the encrypted safety instruction sequence so as to adjust the time mark of the current time synchronization device;
the time service module is used for sending a time mark adjusting instruction to the time mark request service module of the next-stage time synchronization device after decrypting the encrypted safety instruction sequence sent by the time mark request end service module of the next-stage time synchronization device;
the relay module is used for receiving and storing the time mark data sent by the time mark request end service module of the next-stage time synchronization device, combining the time mark data with the time mark data of the current time synchronization device and then sending the time mark data to the relay module of the previous-stage time synchronization device.
2. The TCP/IP reverse unidirectional isolation based time synchronization device according to claim 1, wherein the relay module is further configured to perform identity verification on the time stamp data sent by the time stamp request end service module of the next time synchronization device, delete data that does not pass identity verification, and store data that passes identity verification.
3. The TCP/IP reverse unidirectional isolation based time synchronization device according to claim 2, wherein the time mark request service is further configured to stop interoperation with the time service module of the previous time synchronization device after a preset time for waiting for the time mark adjustment instruction is exceeded, or update the security instruction sequence when the received time mark adjustment instruction is not satisfactory.
4. The TCP/IP inverse unidirectional isolation-based time synchronization device according to claim 3, wherein the time service module is further configured to identify the identity of the next-stage time synchronization device through the identity information of the current time synchronization device, and further configured to perform an encryption or decryption operation through the key of the current time synchronization device.
5. The TCP/IP inverse unidirectional isolation based time synchronization device according to claim 1,
the security level of the TCP/IP level of the next time tick device is higher than that of the TCP/IP level of the current time tick device;
the security level of the TCP/IP level of the current time tick device is higher than that of the TCP/IP level of the last time tick device;
the safety instruction sequence is a binary sequence with the length being larger than N; wherein N is an integer greater than 3;
the time mark adjusting instruction is a 1bit instruction.
6. A time synchronization method based on TCP/IP inverse unidirectional isolation, which is applied to the time synchronization device based on TCP/IP inverse unidirectional isolation according to any one of claims 1-5;
the time setting method comprises the following steps:
acquiring an encrypted security instruction sequence sent by a next-stage time synchronization device;
and after the encrypted safety instruction sequence is decrypted, a time mark adjusting instruction is sent to a time mark request service module of the next-stage time-setting device.
7. The TCP/IP inverse unidirectional isolation based time synchronization method according to claim 6, wherein before the obtaining of the encrypted security instruction sequence sent by the next stage time synchronization device, the method further comprises:
acquiring and verifying identity verification information sent by a next-stage time synchronization device; if the verification is successful, executing the step of obtaining the encrypted security instruction sequence sent by the next-stage time synchronization device; and if the verification fails, stopping time synchronization.
8. A time synchronization method based on TCP/IP inverse unidirectional isolation, which is applied to the time synchronization device based on TCP/IP inverse unidirectional isolation according to any one of claims 1-5;
the time setting method comprises the following steps:
generating a secure instruction sequence and encrypting the secure instruction sequence;
sending an encryption safety instruction sequence to an upper-level time synchronization device;
receiving a time scale adjusting instruction sent by the upper-stage time synchronization device;
and carrying out time scale adjustment according to the time scale adjustment instruction.
9. A TCP/IP inverse unidirectional isolation based time synchronization method as claimed in claim 8, wherein before said generating a secure instruction sequence and encrypting said secure instruction sequence, further comprising:
and sending identity authentication information to the last-stage time synchronization device.
10. The TCP/IP reverse unidirectional isolation based time synchronization method according to claim 8, wherein after receiving the time-scale adjustment instruction sent by the previous time synchronization apparatus, the method further comprises:
judging whether the timing time exceeds the preset time of the waiting time scale adjustment instruction; the timing time is the time after the encryption safety instruction sequence is sent and before the time scale adjustment instruction is received;
if the current time synchronization rate exceeds the preset time synchronization rate, stopping time synchronization operation with the previous-stage time synchronization device;
if not, continuing to receive the time scale adjustment instruction sent by the last-stage time-setting device.
11. The TCP/IP reverse unidirectional isolation based time synchronization method according to claim 10, wherein after receiving the time-scale adjustment instruction sent by the previous time synchronization apparatus, the method further comprises:
judging whether the time scale adjusting instruction meets the requirement or not; if the time mark is in accordance with the requirement, executing the step of carrying out time mark adjustment according to the time mark adjustment instruction; if the safety instruction sequence does not meet the requirement, updating the safety instruction sequence, and returning to the step of sending the encrypted safety instruction sequence to the upper-level time synchronization device after encrypting the updated safety instruction sequence.
12. A time scale monitoring system, comprising:
a top monitoring module and the time synchronization device based on TCP/IP reverse unidirectional isolation according to any one of claims 1-5; the top monitoring module is positioned at a network interface layer of the TCP/IP; the number of the time synchronization devices is multiple;
the plurality of time synchronization devices are cascaded, and the top monitoring module is connected with a relay module in the top time synchronization device; the top time synchronization device is positioned at a network interface layer of the TCP/IP;
and the top monitoring module is used for receiving the time scale data transmitted by the relay module in the top time alignment device and performing time difference analysis according to the time scale data.
13. The time scale monitoring system of claim 12, further comprising:
a human-machine data interface;
the human-computer data interface is connected with the top layer monitoring module;
and the man-machine data interface is used for receiving the time difference analysis result transmitted by the top layer monitoring module and sending an alarm signal when the time difference exceeds a preset time difference.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011227032.7A CN112422223B (en) | 2020-11-06 | 2020-11-06 | TCP/IP-based time synchronization device, time synchronization method and time mark monitoring system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011227032.7A CN112422223B (en) | 2020-11-06 | 2020-11-06 | TCP/IP-based time synchronization device, time synchronization method and time mark monitoring system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112422223A true CN112422223A (en) | 2021-02-26 |
| CN112422223B CN112422223B (en) | 2022-06-03 |
Family
ID=74827724
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011227032.7A Active CN112422223B (en) | 2020-11-06 | 2020-11-06 | TCP/IP-based time synchronization device, time synchronization method and time mark monitoring system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112422223B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114157407A (en) * | 2021-11-16 | 2022-03-08 | 北京华能新锐控制技术有限公司 | Cross-safety zone clock synchronization system and method under one-way isolation condition |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7069434B1 (en) * | 2000-06-13 | 2006-06-27 | Hewlett-Packard Development Company, L.P. | Secure data transfer method and system |
| CN103209042A (en) * | 2012-01-12 | 2013-07-17 | 横河电机株式会社 | Time synchronization system |
| US20150055780A1 (en) * | 2013-08-21 | 2015-02-26 | International Business Machines Corporation | Event-driven, asset-centric key management in a smart grid |
| WO2017181518A1 (en) * | 2016-04-22 | 2017-10-26 | 中兴通讯股份有限公司 | Method, apparatus and system for encrypting communication |
| CN108336826A (en) * | 2018-04-09 | 2018-07-27 | 厦门远通电子技术有限公司 | A kind of power distribution network synthesis distribution terminal |
| CN110611371A (en) * | 2018-06-15 | 2019-12-24 | 中国电力科学研究院有限公司 | System and method for testing time setting and timekeeping of distribution automation equipment |
| CN110798276A (en) * | 2018-08-02 | 2020-02-14 | 全球能源互联网研究院有限公司 | Time synchronization method and system for SDN (software defined network) of intelligent substation |
| CN111586073A (en) * | 2020-05-20 | 2020-08-25 | 广东电网有限责任公司电力调度控制中心 | Standard signal transmission method and device of safety automatic device |
| CN111698052A (en) * | 2020-06-12 | 2020-09-22 | 四川革什扎水电开发有限责任公司 | Homologous time synchronization system crossing power safety zone |
-
2020
- 2020-11-06 CN CN202011227032.7A patent/CN112422223B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7069434B1 (en) * | 2000-06-13 | 2006-06-27 | Hewlett-Packard Development Company, L.P. | Secure data transfer method and system |
| CN103209042A (en) * | 2012-01-12 | 2013-07-17 | 横河电机株式会社 | Time synchronization system |
| US20150055780A1 (en) * | 2013-08-21 | 2015-02-26 | International Business Machines Corporation | Event-driven, asset-centric key management in a smart grid |
| WO2017181518A1 (en) * | 2016-04-22 | 2017-10-26 | 中兴通讯股份有限公司 | Method, apparatus and system for encrypting communication |
| CN108336826A (en) * | 2018-04-09 | 2018-07-27 | 厦门远通电子技术有限公司 | A kind of power distribution network synthesis distribution terminal |
| CN110611371A (en) * | 2018-06-15 | 2019-12-24 | 中国电力科学研究院有限公司 | System and method for testing time setting and timekeeping of distribution automation equipment |
| CN110798276A (en) * | 2018-08-02 | 2020-02-14 | 全球能源互联网研究院有限公司 | Time synchronization method and system for SDN (software defined network) of intelligent substation |
| CN111586073A (en) * | 2020-05-20 | 2020-08-25 | 广东电网有限责任公司电力调度控制中心 | Standard signal transmission method and device of safety automatic device |
| CN111698052A (en) * | 2020-06-12 | 2020-09-22 | 四川革什扎水电开发有限责任公司 | Homologous time synchronization system crossing power safety zone |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114157407A (en) * | 2021-11-16 | 2022-03-08 | 北京华能新锐控制技术有限公司 | Cross-safety zone clock synchronization system and method under one-way isolation condition |
| CN114157407B (en) * | 2021-11-16 | 2023-09-19 | 北京华能新锐控制技术有限公司 | System and method for synchronizing clocks across secure areas under unidirectional isolation condition |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112422223B (en) | 2022-06-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109981689B (en) | Cross-domain logic strong isolation and security access control method and device in scene of Internet of things | |
| US10462153B2 (en) | Peer-to-peer network and node of a peer-to-peer network | |
| CN112422532B (en) | Service communication method, system and device and electronic equipment | |
| CN110267270B (en) | Identity authentication method for sensor terminal access edge gateway in transformer substation | |
| US20070257813A1 (en) | Secure network bootstrap of devices in an automatic meter reading network | |
| CN105873031B (en) | Distributed unmanned plane cryptographic key negotiation method based on credible platform | |
| CN104851174A (en) | High-reliability machine room intelligent entrance guard opening method and opening system | |
| CN110598375B (en) | Data processing method, device and storage medium | |
| CN111107085A (en) | Safety communication method based on publish-subscribe mode | |
| CN111164933A (en) | Method for ensuring communication safety without state management | |
| CN109587142A (en) | A kind of the data safety AM access module and equipment of service-oriented stream | |
| CN112422223B (en) | TCP/IP-based time synchronization device, time synchronization method and time mark monitoring system | |
| CN1791098B (en) | Method for realizing safety coalition synchronization | |
| CN108924161A (en) | A kind of encrypted transaction data communication means and system | |
| CN116647326A (en) | Block chain-based embedded gateway system | |
| CN113676446B (en) | Communication network safety error-proof control method, system, electronic equipment and medium | |
| CN116433240A (en) | Cross-chain system based on trusted execution environment and cross-chain transaction realization method | |
| CN104135358A (en) | A method for executing an SNTP clock calibration on a power distribution terminal based on an asymmetric digital signature | |
| CN115909560A (en) | Data encryption method, data decryption method and door lock system | |
| CN101478428B (en) | Software and hardware cooperative Ethernet failure security communication system and data transmission method | |
| CN112182551B (en) | PLC equipment identity authentication system and PLC equipment identity authentication method | |
| CN106657028A (en) | Implementation method of Android mobile phone data encryption export technology | |
| CN115277125B (en) | Substation remote control method and system with bidirectional credibility and safety | |
| CN113645623B (en) | Remote fee control system, security authentication method and fee control device | |
| US9350746B2 (en) | Transmission network system, transmission method, and authentication information device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220907 Address after: Yudaokou Ranch, Weichang County, Chengde City, Hebei Province, 067000 Patentee after: Huaneng Chengde Wind Power Co.,Ltd. Address before: 050000 2 / F and 3 / F, Huashi Hotel, No.52, Hongqi Street, Qiaoxi District, Shijiazhuang City, Hebei Province Patentee before: Hebei Branch of Huaneng new energy Co.,Ltd. |
|
| TR01 | Transfer of patent right |