CN112615841A - Layered security management and control system and method based on trusted computing

Publication number
CN112615841A
CN112615841A CN202011458326.0A CN202011458326A CN112615841A CN 112615841 A CN112615841 A CN 112615841A CN 202011458326 A CN202011458326 A CN 202011458326A CN 112615841 A CN112615841 A CN 112615841A
Authority
CN
China
Prior art keywords
terminal
trusted
master station
distribution
trusted computing
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011458326.0A
Other languages
Chinese (zh)
Inventor
苏畅
金成明
刚毅凝
卞生华
刘雪松
同东辉
丁一
李崇
陈智勇
张磊
宋鸽
周吉赞
唐宝瑜
孙建航
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Liaoning Power Energy Development Group Co ltd
Original Assignee
Liaoning Power Energy Development Group Co ltd
Application filed by Liaoning Power Energy Development Group Co ltd
Priority to CN202011458326.0A
Publication of CN112615841A

Classifications

    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 - Network architectures or network communication protocols for network security
    • H04L63/20 - Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G - PHYSICS
    • G16 - INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y - INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00 - IoT characterised by the purpose of the information processing
    • G16Y40/50 - Safety; Security of things, users, data or systems
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 - Network architectures or network communication protocols for network security
    • H04L63/08 - Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 - Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The application provides a layered security management and control system and method based on trusted computing. The layered security management and control system is applied to an energy Internet system that comprises a power distribution master station, a distribution network substation and a terminal, which are associated based on information flow and energy flow. The layered security management and control system comprises a master station trusted subsystem and an edge trusted subsystem: the master station trusted subsystem is responsible for the security control of the master station, and the edge trusted subsystem is responsible for the security control of the substation and the terminal. The trusted network connection comprises a trusted network connection between the distribution master station and the distribution network substation, a trusted network connection between the distribution network substation and the wireless terminal equipment in the terminal, and a trusted network connection between the distribution transformer monitoring terminal in the terminal and the node equipment, where the wireless terminal equipment comprises wireless terminal equipment that converts serial port data into IP data or IP data into serial port data. The application can effectively guarantee the safety and stability of the power distribution Internet of things.

Description

Layered security management and control system and method based on trusted computing
Technical Field
The disclosure relates to the technical field of energy Internet, in particular to a hierarchical security management and control system and method based on trusted computing.
Background
At present, security protection measures for the power distribution Internet of things concentrate on three links, namely data acquisition security, data transmission security and data processing security, and rely on traditional information security protection measures. However, the way traditional information security protection fragments and isolates the network environment is not conducive to the wide interconnection and open interaction of the power distribution Internet of things. The information security of the power distribution Internet of things therefore needs external security defense, but lies even more in the robustness and immunity of the power distribution Internet of things itself: external defense can effectively reduce the harm of attacks and is a matter of "quantity", whereas internal security determines the security immunity of the system and is a matter of "quality". The technical problem currently faced is therefore how to construct a hierarchical trusted immune control strategy for the master station end and the edge end of the power distribution Internet of things, based on a trusted computing technology that is autonomous and controllable, secure and trusted, and actively immune, so as to guarantee the endogenous security and active immunity of the running environment of the power distribution Internet of things.
Disclosure of Invention
It is an object of the present disclosure to address at least one of the technical problems noted in the background, by providing a hierarchical security management system and method based on trusted computing.
In order to achieve the above object, according to one aspect of the present disclosure, a hierarchical security management and control system based on trusted computing is provided. The hierarchical security management and control system is applied to an energy Internet system that includes a distribution master station, a distribution network substation and a terminal, which are associated based on information flow and energy flow. The hierarchical security management and control system includes a master station trusted subsystem and an edge trusted subsystem: the master station trusted subsystem is responsible for the security control of the master station, and the edge trusted subsystem is responsible for the security control of the substation and the terminal. The trusted network connection includes a trusted network connection between the distribution master station and the distribution network substation, a trusted network connection between the distribution network substation and a wireless terminal device in the terminal, and a trusted network connection between a distribution transformer monitoring terminal in the terminal and a node device, where the wireless terminal device includes a wireless terminal device that converts serial data into IP data or converts IP data into serial data.
Optionally, the three-layer power distribution network architecture formed by the power distribution master station, the distribution network substation and the terminal corresponds to a three-layer logical architecture formed by a sensing layer, a network transmission layer and a processing application layer, wherein the sensing layer consists of transmitter nodes and sensor network gateway nodes, the network transmission layer is a network for remotely transmitting sensing data to a processing center, and the processing application layer is a platform for storing, intelligently processing and serving the sensing data.
Optionally, the sensing layer is divided into a unit sensing layer and a system sensing layer, the unit sensing layer is included in the system sensing layer, the unit sensing layer includes a distribution transformer monitoring terminal and a node device in the terminal, and the system sensing layer includes the unit sensing layer and a distribution network substation, a distribution switch monitoring terminal and a wireless terminal device.
Optionally, the network transmission layer includes a remote communication network between the master station and the substation, and a local communication network between the substation and the terminal.
Optionally, the processing application layer comprises an application server of the master station.
Optionally, the hierarchical security management and control includes local trusted verification of a terminal based on edge computing, and remote trusted verification of a terminal or a distribution network substation based on a cloud or a distribution master station.
Optionally, the trusted computing comprises one or more of: collecting trusted evidence and integrity measurement information of the terminal's node equipment and/or wireless terminal equipment; and carrying out statistical checking of terminal trusted evidence and/or integrity measurement verification on the terminal's distribution transformer monitoring terminal and/or the distribution network substation and the distribution master station.
Optionally, trusted computing chips in the power distribution master station and the terminal store respective trusted certificates and keys.
Optionally, the power distribution master station and the terminal implement mutual trusted authentication by performing the following operations: the master station takes the current time T1, the master station's trusted computing chip generates a random number R1 and signs (T1 || R1) to obtain the signature result S1; the master station transmits (T1, R1, S1) to the terminal; after receiving it, the terminal passes the signature to its trusted computing chip for verification and, at the same time, takes the current time T2 and checks whether |T2 - T1| is within the validity period; if so, the trusted computing chip generates a random number R2, signs (T1 || R1 || R2) to obtain S2, and encrypts R1 with the authentication sub-key stored in the trusted computing chip; the terminal transmits (T2, Enc(R1), R2, S2) to the master station; the master station's trusted computing chip decrypts Enc(R1) with the verification sub-key and checks whether the result equals R1, verifies the signature S2 with the trusted computing chip, takes the current time T3 and checks whether |T3 - T1| and |T3 - T2| are within the validity period; if the decryption result equals R1, the signature S2 verifies correctly, and T1 and T2 are within the validity period, the master station completes the authentication of the terminal; the master station encrypts R2 in the trusted computing chip with the authentication sub-key and transmits Enc(R2) to the terminal; the terminal decrypts Enc(R2) in the trusted computing chip with the authentication sub-key and checks whether the result equals R2; if so, the terminal completes the authentication of the master station. Here Enc denotes the encrypted (encapsulated) data.
According to another aspect of the present disclosure, a hierarchical security management and control method based on trusted computing is provided, and the hierarchical security management and control method is applied to any one of the hierarchical security management and control systems.
The embodiments of the present disclosure can achieve the following advantageous effects: by constructing a hierarchical trusted immune management and control strategy for the master station end and the edge end of the power distribution Internet of things, the three tiers of trusted computing functions, such as trusted nodes, trusted network connection and trusted applications, are realized at each level, so that the safety and stability of the power distribution Internet of things can be effectively guaranteed. Moreover, according to characteristics such as computing power, security protection capability and data importance, each node in the power distribution network and the power distribution Internet of things is mapped to a full node or master node, or to a light node or slave node, so that an endogenous security immune model of the power distribution Internet of things is constructed based on trusted computing technology in combination with the requirements of power distribution service sensing equipment and network security management, and a security protection model of the power distribution Internet of things is established that is manageable, controllable, precisely protected, visibly trusted and intelligently defended.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 is a schematic diagram illustrating the basic principles of trusted computing provided by one embodiment of the present application;
FIG. 2 is a power distribution internet of things endogenous safety protection model based on trusted computing according to a preferred embodiment of the present application;
FIG. 3 provides a schematic diagram of a hierarchy of embedded trusted modules in accordance with a preferred embodiment of the present application;
FIG. 4 provides a schematic interaction flow diagram of a power distribution master station and a terminal for storing a trusted certificate and a key according to an embodiment of the present application;
The same or similar reference numbers in the drawings identify the same or similar structures.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
According to one aspect of the application, a hierarchical security management system based on trusted computing is provided. Before describing the hierarchical security management system, details of relevant contents of trusted computing are described in order to better understand the technical solution of the present invention.
The basic principle of trusted computing is: first establish a root of trust whose security and reliability are ensured in three respects, namely physical security, management security and technical security, and then establish a reliable chain of trust that extends throughout the computer system to ensure the trustworthiness of the entire computer system. Starting from the root of trust, measurement and authentication are carried out level by level through the hardware platform, the whole operating system and the application user, and trust is passed on level by level, so that the whole computer system runs in a trusted state and a trusted computing environment is created for it. The root of trust, the hardware platform, the operating system and the application user together form a trusted computer system. The basic principle of trusted computing is shown in FIG. 1.
Trusted computing establishes an immune system for the computer: security protection is performed while computation is carried out, so that the computation result is always consistent with expectation and the whole computation process can be measured and controlled without interference. Computation and protection coexist. The system has functions such as identity recognition, state measurement and confidential storage, and can identify "self" and "non-self" components in time, thereby destroying and rejecting harmful substances that enter the organism. The trusted computing environment hierarchy can be described as follows: trusted computing nodes are built with cryptography as the foundation (including cryptographic algorithms, cryptographic protocols, certificate management and the like), the chip as the pillar, the mainboard as the platform and trusted base support software as the core; multiple trusted computing nodes form a trusted information system over the network, and a trusted application support environment is then built on the application system.
Specifically, the trusted computing environment hierarchy includes several aspects:
(1) Underlying hardware level: a trusted cryptography module (TCM/TPM) is added to the basic hardware platform, and a Core Root of Trust for Measurement (CRTM) is implanted into the BOOT ROM of the hardware platform, so that the bottom layer can start up securely and controllably.
(2) Secure operating system level: trusted services are provided by a Trusted Services Module (TSM). The cryptographic module serves as the software module that supports the trusted computing system internally, adapting the operating system to the TCM and at the same time hardening the TCM.
(3) Application level: specific application services are implemented at the application level. To ensure that all application services can run in a secure trusted environment, the trusted computing environment architecture must guarantee a trusted environment from the underlying hardware up to the upper-layer applications. The root of trust must be associated with all application services and the chain of trust authenticated accordingly, so that the whole environment is trusted and all services can run securely and stably in it.
The trusted computing module may be embedded in the hierarchical security management system in software, hardware, or a combination of both.
Referring to fig. 2, fig. 2 is a schematic diagram illustrating a power distribution internet of things endogenous safety protection model based on trusted computing according to a preferred embodiment of the present application, where the layered safety management system is implemented based on the protection model.
The devices in the power distribution Internet of things include, but are not limited to, power grid devices, network devices and related terminal devices. The power grid devices include transformers, electric energy meters and the like; the core network devices include switches, routers, intelligent gateways, data acquisition systems for acquiring power system data and the like; the related terminal devices include, but are not limited to, sensors, intelligent devices and intelligent terminal devices. The related devices can be connected by short-distance communication to a device with a certain computing capability at the edge of the energy Internet (an edge computing device for short), so that the edge computing device can receive the data of the related devices, process and analyze it nearby, extract the key data from it, and upload the key data to a cloud server or a cloud platform for centralized processing. The edge computing device may include, but is not limited to, an intelligent Internet of things gateway and other devices or modules capable of performing edge computing analysis tasks.
The trusted computing based hierarchical security management system of the present application can be applied to systems including, but not limited to, the energy Internet system. The energy Internet system comprises a power distribution master station, a distribution network substation and a terminal, which are associated based on information flow and energy flow. The hierarchical security management and control system comprises a master station trusted subsystem and an edge trusted subsystem: the master station trusted subsystem is responsible for the security control of the master station, and the edge trusted subsystem is responsible for the security control of the substation and the terminal. The trusted network connection comprises a trusted network connection between the distribution master station and the distribution network substation, a trusted network connection between the distribution network substation and the wireless terminal equipment in the terminal, and a trusted network connection between the distribution transformer monitoring terminal in the terminal and the node equipment, where the wireless terminal equipment comprises wireless terminal equipment that converts serial port data into IP data or IP data into serial port data.
The node equipment is, for example but not limited to, an electric vehicle, an energy storage device, an electric meter, a fault indicator, or/and an electric meter.
Optionally, the three-layer power distribution network architecture formed by the power distribution master station, the distribution network substation and the terminal corresponds to a three-layer logical architecture formed by a sensing layer, a network transmission layer and a processing application layer, wherein the sensing layer consists of transmitter nodes and sensor network gateway nodes, the network transmission layer is a network for remotely transmitting sensing data to a processing center, and the processing application layer is a platform for storing, intelligently processing and serving the sensing data.
Optionally, the sensing layer is divided into a unit sensing layer and a system sensing layer, the unit sensing layer is included in the system sensing layer, the unit sensing layer includes a distribution transformer monitoring terminal (TTU) and a node device in a terminal, and the system sensing layer includes the unit sensing layer and a distribution network substation, a distribution switch monitoring terminal (FTU) and a wireless terminal device (DTU). According to characteristics such as computing power, security protection capability and data importance, each node in the power distribution network and the power distribution Internet of things is mapped to a full node or master node, or to a light node or slave node, wherein the TTU, DTU and FTU in the terminal can be master nodes, and node equipment such as an electric vehicle, energy storage equipment, an electric meter, a fault indicator or/and an electric meter is a slave node.
Optionally, the network transmission layer includes a remote communication network between the master station and the substation, and a local communication network between the substation and the terminal.
Optionally, the processing application layer comprises an application server of the master station.
Optionally, the hierarchical security management and control includes local trusted verification of a terminal based on edge computing, and remote trusted verification of a terminal or a distribution network substation based on a cloud or a distribution master station.
Optionally, the trusted computing comprises one or more of: collecting trusted evidence and integrity measurement information of the terminal's node equipment and/or wireless terminal equipment; and carrying out statistical checking of terminal trusted evidence and/or integrity measurement verification on the terminal's distribution transformer monitoring terminal and/or the distribution network substation and the distribution master station.
Optionally, trusted computing chips in the power distribution master station and the terminal store respective trusted certificates and keys.
Referring to FIG. 2, FIG. 2 shows a power distribution Internet of things endogenous security protection model based on trusted computing, which depicts a security protection system including a master station, a substation and a terminal. FTU refers to the distribution switch monitoring terminal, which has remote control, telemetry, remote signaling and fault detection functions, communicates with the power distribution automation master station, and provides the running condition of the power distribution system and its various parameters, that is, the information required for monitoring and control. DTU refers to a wireless terminal device dedicated to converting serial data into IP data, or IP data into serial data, for transmission over a wireless communication network. TTU refers to the distribution transformer monitoring terminal, which acquires and controls the information of the distribution transformer, monitors the operating condition of the distribution transformer in real time, and can transmit the acquired information to a master station or other intelligent devices. In the figure, solid arrows represent energy flow, curved dashed arrows represent trusted network connections, dotted lines with dot-space represent control flow, and double-headed arrows represent information flow. The letter A represents terminal trusted evidence collection, B represents the integrity measurement collector, C represents the statistical check of terminal trusted evidence, and D represents the integrity measurement verifier.
As shown in FIG. 2, a hierarchical trusted immune management and control strategy is constructed for the master station end and the edge end of the power distribution Internet of things, and the three tiers of trusted computing functions, such as trusted nodes, trusted network connection and trusted applications, are realized at each level. According to characteristics such as computing power, security protection capability and data importance, each node in the power distribution network and the power distribution Internet of things is mapped to a full node or master node, or to a light node or slave node, so that an endogenous security immune model of the power distribution Internet of things is constructed based on trusted computing technology in combination with the requirements of power distribution service sensing equipment and network security management, and a security protection model of the power distribution Internet of things is established that is manageable, controllable, precisely protected, visibly trusted and intelligently defended.
Further, for the hierarchical design of the security module based on trusted computing in the terminal or the cloud service or the edge server, reference may be made to fig. 3, where fig. 3 provides a schematic diagram of a hierarchical structure of an embedded trusted module according to a preferred embodiment of the present application.
As shown in fig. 3, the hierarchical structure of the embedded trusted module may be divided into three layers, specifically including:
(1) Hardware layer. A TCM security chip, that is, a security chip with a lightweight TCM trusted computing function, is integrated into the embedded Internet of things terminal hardware system. It provides the root of trust, the construction of an independent, closed secure computing environment, cryptographic operations and similar functions, and gives the embedded Internet of things terminal the hardware support it needs to offer trusted computing security functions.
(2) Operating system layer. The Linux kernel is customized to harden the security protection functions of Linux.
(3) Application layer. It includes: a lightweight TCM security protocol stack design, a white list system, and custom security applications.
The embedded Internet of things trusted terminal system adopts a lightweight TCM function design. Because most embedded Internet of things terminal devices have little memory to run in, such a system cannot provide the complete TCM standard function set as a host system does; by suitably trimming the TCM function set and the white list system, it can meet both the device system's requirements for building trusted platform functions and its requirements of tight runtime resources and high real-time performance.
Optionally, referring to fig. 4, fig. 4 provides an interaction flow diagram of a power distribution master station and a terminal performing storage of a trusted certificate and a key according to an embodiment of the present application.
According to fig. 4, the power distribution master station and the terminal implement mutual trusted authentication by performing the following operations:
the master station takes the current time T1, the master station trusted computing chip takes a random number R1, and the trusted computing chip signs (T1 || R1) to obtain a signature result S1;
the master station transmits (T1, R1, S1) to the terminal;
after receiving the signature, the terminal hands it to its trusted computing chip for verification; meanwhile, the terminal takes the current time T2 and verifies whether |T2 - T1| is within the validity period; if so, the trusted computing chip generates a random number R2, signs (T1 || R1 || R2) to obtain S2, and encrypts R1 using the authentication sub-key stored in the trusted computing chip;
the terminal transmits (T2, Enc(R1), R2, S2) to the master station;
the master station trusted computing chip decrypts Enc(R1) using the verification sub-key and verifies whether the result equals R1, verifies the correctness of the signature S2 using the trusted computing chip, takes the current time T3, and verifies whether |T3 - T1| and |T3 - T2| are within the validity period; if the decryption result equals R1, the signature S2 verifies correctly, and T1 and T2 are within the validity period, the master station completes authentication of the terminal;
the master station encrypts R2 in the trusted computing chip using the authentication sub-key and transmits Enc(R2) to the terminal;
the terminal decrypts Enc(R2) in the trusted computing chip using the authentication sub-key and verifies whether the result equals R2; if it does, the terminal completes authentication of the master station.
Compared with the prior art: trusted computing is generally divided into three levels, namely node trust, network connection trust and application trust. The node trust layer provides the trust starting point for the whole active immune system and is its source; the network connection trust layer carries the interactive immunity among nodes and is the key part of network trust; and the application trust layer provides immune support and services for the nodes and the network, updates security policies and strengthens the immune capability of the nodes. Therefore, under the hierarchical trusted immune management and control strategy of the master station end and the edge end of the power distribution Internet of Things, each level implements the three levels of trusted computing functions: node trust, network connection trust and application trust. The secure access area and trusted management and control are thereby moved to the edge side; computation, analysis and security control are localized based on edge computing technology, which improves processing efficiency, provides faster response, reduces the processing load on the master station end, and supports cooperation and optimized management between remote and local processing.
Based on the same inventive concept of the invention, the invention also provides a layered safety control method based on trusted computing, and the layered safety control method is applied to any one of the layered safety control systems.
The layered security management and control method based on the trusted computing in the embodiment of the invention corresponds to the layered security management and control system based on the trusted computing in the embodiment of the invention, and the technical characteristics and the beneficial effects described in the embodiment of the layered security management and control system based on the trusted computing are all applicable to the embodiment of the layered security management and control method based on the trusted computing.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (10)

1. A layered safety management and control system based on trusted computing is characterized in that the layered safety management and control system is applied to an energy Internet system, the energy Internet system comprises a power distribution main station, a distribution network substation and a terminal which are associated based on information flow and energy flow, the layered safety management and control system comprises a main station trusted subsystem and an edge trusted subsystem, the main station trusted subsystem is responsible for safety management and control of the main station, the edge trusted subsystem is responsible for safety management and control of the substation and the terminal,
the trusted network connection comprises a trusted network connection of a distribution main station and a distribution network substation, a trusted network connection of a distribution network substation and wireless terminal equipment in a terminal, and a trusted network connection of a distribution transformer monitoring terminal in a terminal and node equipment, wherein the wireless terminal equipment comprises wireless terminal equipment which converts serial port data into IP data or converts the IP data into the serial port data.
2. The layered safety management and control system according to claim 1, wherein a three-layer power distribution network architecture composed of the power distribution master station, the distribution network substation and the terminal corresponds to three logical layer architectures composed of a sensing layer, a network transmission layer and a processing application layer, wherein the sensing layer is a transmitter node and a sensor network gateway node, the network transmission layer is a network for remotely transmitting sensed data to a processing center, and the processing application layer is a platform for storing, intelligently processing and serving the sensed data.
3. The layered safety management and control system according to claim 2, wherein the sensing layer is divided into a unit sensing layer and a system sensing layer, the unit sensing layer is included in the system sensing layer, the unit sensing layer comprises a distribution transformer monitoring terminal and a node device in a terminal, and the system sensing layer comprises the unit sensing layer, a distribution network substation, a distribution switch monitoring terminal and a wireless terminal device.
4. The layered security management and control system of claim 2, wherein the network transport layer comprises a remote communication network between a master station and a slave station, and a local communication network between a slave station and a terminal.
5. The hierarchical security management system of claim 2, wherein the processing application layer comprises an application server of a master station.
6. The hierarchical security management and control system of claim 1, wherein the hierarchical security management and control includes edge-computing-based local trusted verification of terminals and cloud-based or remote trusted verification of terminals of a power distribution master station or a distribution network substation.
7. The hierarchical security management system according to claim 1 or 6, wherein the trusted computing comprises one or more of:
collecting credible evidence and integrity measurement information of the terminal node equipment and the wireless terminal equipment;
and carrying out terminal credible evidence statistical examination or/and integrity measurement verification on the terminal distribution transformer monitoring terminal, the distribution network substation and the distribution main station.
8. The hierarchical security management and control system of claim 1, wherein trusted computing chips in the power distribution master station and the terminal store respective trusted certificates and keys.
9. The hierarchical security management and control system according to claim 1 or 8, wherein the power distribution master station and the terminal implement mutual trusted authentication by performing the following operations:
the master station takes the current time T1, the master station trusted computing chip takes a random number R1, and the trusted computing chip signs (T1 || R1) to obtain a signature result S1;
the master station transmits (T1, R1, S1) to the terminal;
after receiving the signature, the terminal hands it to its trusted computing chip for verification; meanwhile, the terminal takes the current time T2 and verifies whether |T2 - T1| is within the validity period; if so, the trusted computing chip generates a random number R2, signs (T1 || R1 || R2) to obtain S2, and encrypts R1 using the authentication sub-key stored in the trusted computing chip;
the terminal transmits (T2, Enc(R1), R2, S2) to the master station;
the master station trusted computing chip decrypts Enc(R1) using the verification sub-key and verifies whether the result equals R1, verifies the correctness of the signature S2 using the trusted computing chip, takes the current time T3, and verifies whether |T3 - T1| and |T3 - T2| are within the validity period; if the decryption result equals R1, the signature S2 verifies correctly, and T1 and T2 are within the validity period, the master station completes authentication of the terminal;
the master station encrypts R2 in the trusted computing chip using the authentication sub-key and transmits Enc(R2) to the terminal;
the terminal decrypts Enc(R2) in the trusted computing chip using the authentication sub-key and verifies whether the result equals R2; if it does, the terminal completes authentication of the master station.
10. A layered security management and control method based on trusted computing, characterized in that the layered security management and control method is applied to the layered security management and control system according to any one of claims 1 to 9.
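The exchange described for fig. 4 and in claim 9, as an added example that is not code from the patent: HMAC-SHA256 stands in for the chip's signature and a four-round Feistel construction for its encryption, so the block runs on the Python standard library alone. The `Chip` class, the 30-second `VALIDITY` window, the 16-byte random numbers and the use of one shared authentication sub-key on both sides are assumptions of this example.

```python
import hashlib, hmac, os, struct

VALIDITY = 30  # seconds; assumed validity period (the page gives no value)

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

class Chip:
    """Stand-in for a trusted computing chip; constructed for this example."""
    def __init__(self, sign_key, peer_key, auth_subkey):
        self.sk, self.pk, self.ak = sign_key, peer_key, auth_subkey
    def rand(self):
        return os.urandom(16)
    def sign(self, msg):                      # HMAC stands in for the signature
        return _prf(self.sk, b"sig", msg)
    def verify(self, msg, sig):
        return hmac.compare_digest(_prf(self.pk, b"sig", msg), sig)
    def _feistel(self, block, order):         # 4-round Feistel over 16 bytes
        l, r = block[:8], block[8:]
        for i in order:
            f = _prf(self.ak, b"enc%d" % i, r)
            l, r = r, bytes(a ^ b for a, b in zip(l, f))
        return r + l                          # final swap makes dec = reversed enc
    def enc(self, m):
        return self._feistel(m, (0, 1, 2, 3))
    def dec(self, c):
        return self._feistel(c, (3, 2, 1, 0))

def ts(t):
    return struct.pack(">Q", t)               # fixed-width time for T || R

def fresh(a, b):
    return abs(a - b) <= VALIDITY

def master_hello(chip, now):
    t1, r1 = now, chip.rand()
    return t1, r1, chip.sign(ts(t1) + r1)     # (T1, R1, S1)

def terminal_respond(chip, msg1, now):
    t1, r1, s1 = msg1
    if not chip.verify(ts(t1) + r1, s1):
        raise ValueError("S1 invalid")
    if not fresh(now, t1):
        raise ValueError("T1 outside validity period")
    r2 = chip.rand()
    s2 = chip.sign(ts(t1) + r1 + r2)
    return now, chip.enc(r1), r2, s2          # (T2, Enc(R1), R2, S2)

def master_finish(chip, msg1, msg2, now):
    (t1, r1, _), (t2, enc_r1, r2, s2) = msg1, msg2
    if not hmac.compare_digest(chip.dec(enc_r1), r1):
        raise ValueError("Enc(R1) mismatch")
    if not chip.verify(ts(t1) + r1 + r2, s2):
        raise ValueError("S2 invalid")
    if not (fresh(now, t1) and fresh(now, t2)):
        raise ValueError("T1 or T2 outside validity period")
    return chip.enc(r2)                       # Enc(R2): terminal is authenticated

def terminal_finish(chip, r2, enc_r2):
    if not hmac.compare_digest(chip.dec(enc_r2), r2):
        raise ValueError("Enc(R2) mismatch")
    return True                               # master station is authenticated

def make_pair():
    km, kt, ak = os.urandom(32), os.urandom(32), os.urandom(32)
    return Chip(km, kt, ak), Chip(kt, km, ak) # (master chip, terminal chip)
```

S2 covers T1, R1 and R2 but not T2, so the |T3 - T2| check in `master_finish` runs on a value the signature does not protect.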
CN202011458326.0A 2020-12-11 2020-12-11 Layered security management and control system and method based on trusted computing Pending CN112615841A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011458326.0A CN112615841A (en) 2020-12-11 2020-12-11 Layered security management and control system and method based on trusted computing

Publications (1)

Publication Number Publication Date
CN112615841A true CN112615841A (en) 2021-04-06

Family

ID=75233328

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Su Chang; Zhang Lei; Song Ge; Zhou Jizan; Tang Baoyu; Sun Jianhang; Jin Chengming; Gang Yining; Bian Shenghua; Liu Xuesong; Tong Donghui; Ding Yi; Li Chong; Chen Zhiyong
Inventor before: Su Chang; Zhang Lei; Song Ge; Zhou Jizan; Tang Baoyu; Sun Jianhang; Jin Chengming; Gang Yining; Bian Shenghua; Liu Xuesong; Tong Donghui; Ding Yi; Li Chong; Chen Zhiyong