CN112738023A - Safety transmission method for cross-substation GOOSE message of rail transit substation - Google Patents

Safety transmission method for cross-substation GOOSE message of rail transit substation

Info

Publication number
CN112738023A
CN112738023A (application CN202011424109.XA; granted as CN112738023B)
Authority
CN
China
Prior art keywords
goose
data
mapping table
value
plaintext
Prior art date
Legal status
Granted
Application number
CN202011424109.XA
Other languages
Chinese (zh)
Other versions
CN112738023B (en
Inventor
金辉
黄伟锋
王平
郑淳淳
王文浩
程鹏
廖权保
Current Assignee
Guangzhou Metro Group Co Ltd
Guangzhou Baiyun Electric Equipment Co Ltd
Original Assignee
Guangzhou Metro Group Co Ltd
Guangzhou Baiyun Electric Equipment Co Ltd
Priority date: 2020-12-08
Filing date: 2020-12-08
Publication date: 2021-04-30 (CN112738023A); grant published 2022-02-18 (CN112738023B)
Application filed by Guangzhou Metro Group Co Ltd and Guangzhou Baiyun Electric Equipment Co Ltd
Priority to CN202011424109.XA
Publication of CN112738023A
Application granted
Publication of CN112738023B
Legal status: Active

Classifications

All classes fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/0435: Network architectures or network communication protocols for network security, providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption (parent groups H04L 63/00, 63/04, 63/0428)
    • H04L 69/06: Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1] (parent group H04L 69/00, network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
    • H04L 69/22: Parsing or analysis of headers (parent group H04L 69/00)
    • H04L 9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC (parent groups H04L 9/00, cryptographic mechanisms or cryptographic arrangements for secret or secure communications, network security protocols; H04L 9/06, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4, hash functions, pseudorandom sequence generators)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention provides a secure transmission method for cross-substation GOOSE messages of a rail transit substation. Exploiting the characteristics of cross-substation GOOSE messages, the state information carried by GOOSE is mapped bit by bit to a combined value, and a plaintext/ciphertext mapping table is generated in advance by traversing all combinations of the state information. When the device starts, the plaintext/ciphertext mapping table is written into DDR memory, and the combined value is used as the retrieval index into the table. Encryption and decryption of the data are then performed directly by table lookup, so no cipher computation takes place on the message path; data processing latency is reduced and the real-time performance of GOOSE is not affected.

Description

Safety transmission method for cross-substation GOOSE message of rail transit substation
Technical Field
The invention relates to the technical field of network data transmission, and in particular to a secure transmission method for cross-substation GOOSE messages of a rail transit substation.
Background
The rail transit power supply system uses the IEC 61850 communication protocol to share information among power supply equipment. Cross-substation signals between substations, such as interlocking signals and bilateral interlocking signals, are likewise transmitted over optical fibre using the GOOSE protocol. The IEC 61850 standard concentrates on information exchange among IED devices and does not address security of the communication process. Cross-substation GOOSE transmission spans long distances and passes through many transmission nodes, so it is comparatively easy to intrude upon and carries a real intrusion risk. Once a GOOSE network is compromised, normal operation of the metro power supply system is affected and the consequences are serious, so the security of cross-substation information transmitted by GOOSE messages is a problem that urgently needs to be solved.
IEC 62351 is the data and communication security standard developed by the International Electrotechnical Commission for the communication protocols of the power sector; encryption and authentication are its core content. IEC 62351-6 provides a security mechanism for GOOSE communication that remains compatible with the original GOOSE message and preserves the consistency of data processing. Because the timing requirements of GOOSE messages are extremely strict, encryption of the GOOSE payload was considered unable to meet them, so the mechanism does not define payload encryption: it addresses identity authentication and replay protection, but not eavesdropping on the data.
Disclosure of Invention
To address the security problem of cross-substation GOOSE transmission in rail transit substations, the invention provides a secure cross-substation transmission method for GOOSE messages based on IEC 62351 and FPGA encryption. It preserves the real-time performance of data processing while encrypting the transmitted data, improving the security of the data and preventing the transmitted data from being intercepted.
To achieve the above object, the technical solution of the invention is implemented as follows:
A secure transmission method for cross-substation GOOSE messages of a rail transit substation comprises the following steps:
(1) Establish a plaintext/ciphertext mapping table. A cross-substation GOOSE message carries only state quantities. If the number of states n is at most 16, the Value of the allData field of the GOOSE message is a concatenation of n ASN.1 TLV data blocks of the form 0x83 0x01 0x01/0x00, where 0x83 is the type Tag of the data, 0x01 is its Length, and 0x01/0x00 is the state Value, which is 0 or 1. The n state values are expressed as bits, so the n states have 2^n combinations in total. The message corresponding to each combination is encrypted with the AES128 algorithm to form the plaintext/ciphertext mapping table, and the combined value is used as the retrieval index into the table;
if the number of states n in the message exceeds 16, the states are grouped in blocks of 16, i.e. several 16-state groups, and each group is likewise indexed into the plaintext/ciphertext mapping table;
(2) After the secure transmission device starts, the CPU board writes the pre-generated plaintext/ciphertext mapping table through the PCIe bus, via the field-programmable gate array (FPGA), into double data rate (DDR) memory. When the write is complete, the FPGA records the first address of the mapping table in DDR so that subsequent FPGA data addressing is straightforward;
(3) To ensure fast decryption, the state combined value computed in step (1) is placed in the Private field of the GOOSE APDU extension. When unpacking, the receiver parses the Private value to locate the corresponding mapping-table entry directly, which keeps decryption processing real-time.
The invention has the following beneficial effects:
The method exploits the characteristics of cross-substation GOOSE signal transmission in rail transit substations. When cross-substation signals are communicated by GOOSE messages, the GOOSE message data is encrypted on the basis of the IEC 62351 standard; a mapping table of the correspondence between plaintext and ciphertext is built from the characteristics of GOOSE messages, and mapping-table entries are located quickly by addressing, which removes the processing time of the AES encryption and decryption algorithm from the message path. By establishing an AES128 encryption mapping table, encrypting GOOSE message data and transmitting cross-substation information over GOOSE, the method extends the GOOSE multicast domain while preserving real-time data processing and communication security, and thereby secures cross-substation information transmission in rail transit.
Drawings
FIG. 1 is a block diagram of the apparatus of the present invention;
FIG. 2 is a block diagram of a GOOSE message data processing flow;
fig. 3(a) is a schematic diagram of a GOOSE message structure based on IEC61850 standard;
fig. 3(b) is a schematic diagram of a GOOSE message structure based on IEC62351 standard;
FIG. 4 is a GOOSE PDU structure;
FIG. 5 is the plaintext/ciphertext mapping table structure according to the present invention.
Detailed Description
The invention specifically comprises the following:
On the basis of the original IEC 62351-6 standard, and in order to prevent the data content from being intercepted, the data content of the GOOSE application protocol data unit (APDU) is encrypted with the AES128 algorithm. Fig. 4 shows the PDU structure of a GOOSE message: the left half lists the PDU parameter names and the right half the corresponding TAG values. The allData field, i.e. the current values of the data carried by the GOOSE message, is the object encrypted by this method. Since encryption and decryption would affect the real-time performance of GOOSE data processing, the invention exploits the characteristics of cross-substation GOOSE messages: the state information carried by GOOSE is mapped bit by bit to a combined value, a plaintext/ciphertext mapping table is generated in advance by traversing all combinations of the state information, the mapping table is written into DDR when the device starts, and the combined value is used as the retrieval index. Encryption and decryption of the data are then performed purely by table lookup, so no cipher computation takes place on the message path, data processing latency is reduced and the real-time performance of GOOSE is unaffected. The key process is as follows:
As shown in Fig. 2, after the secure transmission device starts, the CPU board writes the pre-generated plaintext/ciphertext mapping table through the PCIe bus, via the FPGA, into DDR memory. When the write is complete the FPGA records the first address of the mapping table in DDR for later addressing. The block diagram of the secure transmission device is shown in Fig. 1.
Encrypting the GOOSE message data field: the FPGA converts the interlocking information to be transmitted into a combined value, addresses DDR at the first address plus the offset derived from the combined value (the exact offset is given in step (3) of the encryption process below), reads the AES128 ciphertext corresponding to that information from DDR, fills it into the message data field, and writes the combined value into the Private field of the extended GOOSE PDU, as shown in Fig. 3, where Fig. 3(a) is the GOOSE message structure of the IEC 61850 standard and Fig. 3(b) that of the IEC 62351 standard.
Decrypting the encrypted GOOSE message: after the subscriber receives the encrypted message, it parses the Private field to obtain the state combined value, addresses DDR at the first address plus the offset derived from the combined value, reads the corresponding plaintext and ciphertext from DDR, compares the ciphertext read from DDR with the encrypted data in the message and, if they match, decodes the plaintext.
The transmission flow of an IEC 62351-based encrypted GOOSE message is explained below by way of a specific embodiment, in which the publishing terminal sends the encrypted message and the subscribing terminal parses it. The processing of the message at the publishing and subscribing terminals is as follows.
Encryption process:
(1) The CPU mainboard monitors the cross-substation GOOSE state information in real time and, on detecting a change, sends the GOOSE state information to the FPGA module over the system bus;
(2) The FPGA reads the GOOSE state information from the bus and packs 16 GOOSE state values bit by bit into a combined value in the range 0 to 65535. Taking 16 states as the example, the Value of the GOOSE message allData field is a concatenation of 16 ASN.1 TLV data blocks of the form 0x83 0x01 0x01/0x00 (TLV denotes a structure consisting of the data's type Tag, its Length and its Value), where 0x83 is T, 0x01 is L and 0x01/0x00 is the state value. Since each state value is 0 or 1, the 16 state values are represented as bits, and 16 states therefore have 2^16 = 65536 combinations in total. The format of the plaintext/ciphertext mapping table index is shown in Fig. 5.
(3) The FPGA computes the address offset of the stored ciphertext from the combined value. Each table entry holds the 48-byte plaintext (16 TLV blocks of 3 bytes) followed by the 64-byte ciphertext, so if the combined value is n, the offset of the ciphertext within the mapping table is n x (48 + 64) + 48. The DDR address of the corresponding ciphertext is first address + offset, and the ciphertext is obtained by reading that address;
(4) Construct the IEC 62351-based GOOSE security extension message, whose structure is shown in Fig. 3(b), following the construction of an IEC 62351 standard extension message: fill the reserved fields and compute the CRC, fill the V value of the GOOSE PDU allData field with the ciphertext obtained in step (3), and write the combined value into the extended Private field;
(5) Compute the signature value with HMAC-SHA256 and write it into the V field of the extended Authentication element; packaging is then complete.
and (3) decryption process:
(1) reading data in the first-in first-out queue FIFO to obtain a safety extension message, and sending the safety extension message into a GOOSE coding and decoding module;
(2) extracting an Authentication V value, calculating an HMAC signature value by using an SHA-256HASH algorithm, continuing if the HMAC signature value is consistent with the HMAC signature value, and returning an error if the HMAC signature value is not consistent with the HMAC signature value;
(3) verifying CRC, extracting values of a mark protocol identification field TPID, a mark control information field TCI, an Ethernet type EtherType and an application identification field APPID, calculating a CRC value by using a CRC16 algorithm, verifying whether the CRC value is consistent with a Reserved field 2(Reserved2), continuing if so, and returning an error if not;
(4) extracting the value of an extended Private domain, acquiring a combined value, calculating the addresses of plain text and cipher text in a DDR mapping table according to the combined value, namely the first address + the combined value (48+64), and addressing to acquire plain text and cipher text from DDR;
(5) extracting a GOOSE PDU allData V value, comparing whether the allData is consistent with the inquired ciphertext, if so, continuing, and otherwise, returning an error;
(6) and sending the corresponding plaintext into an analysis module to obtain the transmitted GOOSE state information, and then transmitting the information to the CPU board through a system bus.
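The following Go program is an added example, not code from the patent or from either assignee; it models the mapping-table construction of step (1), the 48 + 64 byte entry layout and offset arithmetic of encryption step (3), and the publish/subscribe flows above end to end, so that the table lookup, the ciphertext comparison and the HMAC check can be exercised on a constructed state vector. The patent fixes the plaintext and ciphertext sizes but not the AES mode or padding, nor which bytes the HMAC covers, nor the encoding of the Private field; the example assumes AES-128 in CBC with an all-zero IV and PKCS#7 padding (which is what turns 48 bytes into exactly 64), HMAC-SHA256 over allData followed by Private, and a 2-byte big-endian Private value. The CRC16 step is omitted because the page does not name the polynomial or the field layout. The n > 16 case is not shown: it is the same lookup applied once per 16-state group. Two points the description leaves implicit are worth noting: the combined value written into the Private field is the bit-packed state vector itself, so in this flow the subscriber recovers the states from the Private field and the table lookup serves to check that the allData ciphertext is consistent with it; and the HMAC check, which runs first, is what binds the ciphertext and the Private value together.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	nStates   = 16            // states packed into one combined value
	ptLen     = nStates * 3   // 16 TLV blocks 0x83 0x01 <0|1> = 48 bytes
	ctLen     = 64            // 48 bytes plus one full PKCS#7 padding block
	entryLen  = ptLen + ctLen // 112-byte table entry: plaintext || ciphertext
	tableSize = 1 << nStates  // 65536 combinations
)

// encodeAllData packs a 16-bit state vector as the GOOSE allData value:
// one ASN.1 TLV (tag 0x83, length 1, value 0/1) per state, bit 0 first.
func encodeAllData(states uint16) []byte {
	out := make([]byte, 0, ptLen)
	for i := 0; i < nStates; i++ {
		out = append(out, 0x83, 0x01, byte(states>>uint(i))&1)
	}
	return out
}

// decodeAllData is the inverse of encodeAllData and rejects malformed TLVs.
func decodeAllData(pt []byte) (uint16, error) {
	if len(pt) != ptLen {
		return 0, errors.New("bad allData length")
	}
	var states uint16
	for i := 0; i < nStates; i++ {
		t, l, v := pt[3*i], pt[3*i+1], pt[3*i+2]
		if t != 0x83 || l != 0x01 || v > 1 {
			return 0, fmt.Errorf("bad TLV at index %d", i)
		}
		states |= uint16(v) << uint(i)
	}
	return states, nil
}

// encryptAllData is the assumed AES-128 primitive: CBC, all-zero IV, PKCS#7,
// so every 48-byte plaintext maps deterministically to one 64-byte ciphertext.
func encryptAllData(block cipher.Block, pt []byte) []byte {
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{16}, 16)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, block.BlockSize())).CryptBlocks(ct, padded)
	return ct
}

// buildTable precomputes the plaintext/ciphertext mapping table: entry n is
// plaintext(n) || ciphertext(n), addressed as first address + n*112.
func buildTable(key []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	table := make([]byte, 0, tableSize*entryLen)
	for n := 0; n < tableSize; n++ {
		pt := encodeAllData(uint16(n))
		table = append(table, pt...)
		table = append(table, encryptAllData(block, pt)...)
	}
	return table
}

// entry returns the plaintext and ciphertext stored for combined value n;
// the ciphertext sits at offset n*(48+64)+48, as the description states.
func entry(table []byte, n uint16) (pt, ct []byte) {
	base := int(n) * entryLen
	return table[base : base+ptLen], table[base+ptLen : base+entryLen]
}

// Frame is the subset of the IEC 62351-6 extended GOOSE frame modelled here.
type Frame struct {
	AllData []byte // ciphertext copied from the table
	Private []byte // 2-byte big-endian combined value (assumed encoding)
	Auth    []byte // HMAC-SHA256 over AllData||Private (assumed coverage)
}

func authTag(hmacKey, allData, private []byte) []byte {
	m := hmac.New(sha256.New, hmacKey)
	m.Write(allData)
	m.Write(private)
	return m.Sum(nil)
}

// publish builds the frame the publishing terminal sends for a state vector.
func publish(table, hmacKey []byte, states uint16) Frame {
	_, ct := entry(table, states)
	priv := make([]byte, 2)
	binary.BigEndian.PutUint16(priv, states)
	return Frame{AllData: append([]byte{}, ct...), Private: priv, Auth: authTag(hmacKey, ct, priv)}
}

// subscribe runs the receiver checks in the order the description gives:
// HMAC first, then table lookup by Private, then ciphertext comparison.
func subscribe(table, hmacKey []byte, f Frame) (uint16, error) {
	if !hmac.Equal(f.Auth, authTag(hmacKey, f.AllData, f.Private)) {
		return 0, errors.New("HMAC mismatch")
	}
	if len(f.Private) != 2 {
		return 0, errors.New("bad Private length")
	}
	pt, ct := entry(table, binary.BigEndian.Uint16(f.Private))
	if !bytes.Equal(ct, f.AllData) {
		return 0, errors.New("allData does not match table ciphertext")
	}
	return decodeAllData(pt)
}

func main() {
	key := []byte("0123456789abcdef")     // constructed demo key, not a real one
	hkey := []byte("constructed-hmac-key") // constructed demo key, not a real one
	table := buildTable(key)
	f := publish(table, hkey, 0xA5C3)
	states, err := subscribe(table, hkey, f)
	fmt.Printf("states=%#04x err=%v\n", states, err)
}
```

Building the full 65536-entry table takes a few milliseconds in software and about 7 MB of memory, which is the same table the CPU board would push into DDR at start-up; on the FPGA side the only per-message work is the address arithmetic in `entry` and the byte comparison in `subscribe`.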
The technical solutions described above represent only the preferred embodiments of the invention; modifications to parts of them that a person skilled in the art may make still embody the principles of the invention and fall within its scope of protection.

Claims (1)

1. A secure transmission method for cross-substation GOOSE messages of a rail transit substation, characterised by comprising the following steps:
(1) Establish a plaintext/ciphertext mapping table. A cross-substation GOOSE message carries only state quantities. If the number of states n is at most 16, the Value of the allData field of the GOOSE message is a concatenation of n ASN.1 TLV data blocks of the form 0x83 0x01 0x01/0x00, where 0x83 is the type Tag of the data, 0x01 is its Length, and 0x01/0x00 is the state Value, which is 0 or 1. The n state values are expressed as bits, so the n states have 2^n combinations in total. The message corresponding to each combination is encrypted with the AES128 algorithm to form the plaintext/ciphertext mapping table, and the combined value is used as the retrieval index into the table;
if the number of states n in the message exceeds 16, the states are grouped in blocks of 16, i.e. several 16-state groups, and each group is likewise indexed into the plaintext/ciphertext mapping table;
(2) After the secure transmission device starts, the CPU board writes the pre-generated plaintext/ciphertext mapping table through the PCIe bus, via the field-programmable gate array (FPGA), into double data rate (DDR) memory. When the write is complete, the FPGA records the first address of the mapping table in DDR so that subsequent FPGA data addressing is straightforward;
(3) To ensure fast decryption, the state combined value computed in step (1) is placed in the Private field of the GOOSE APDU extension. When unpacking, the receiver parses the Private value to locate the corresponding mapping-table entry directly, which keeps decryption processing real-time.
CN202011424109.XA 2020-12-08 2020-12-08 Safety transmission method for cross-substation GOOSE message of rail transit substation Active CN112738023B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011424109.XA CN112738023B (en) 2020-12-08 2020-12-08 Safety transmission method for cross-substation GOOSE message of rail transit substation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011424109.XA CN112738023B (en) 2020-12-08 2020-12-08 Safety transmission method for cross-substation GOOSE message of rail transit substation

Publications (2)

Publication Number Publication Date
CN112738023A true CN112738023A (en) 2021-04-30
CN112738023B CN112738023B (en) 2022-02-18

Family

ID=75598486

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011424109.XA Active CN112738023B (en) 2020-12-08 2020-12-08 Safety transmission method for cross-substation GOOSE message of rail transit substation

Country Status (1)

Country Link
CN (1) CN112738023B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7626944B1 (en) * 2004-03-31 2009-12-01 Packeteer, Inc. Methods, apparatuses and systems facilitating remote, automated deployment of network devices
CN103746962A (en) * 2013-12-12 2014-04-23 华南理工大学 GOOSE electric real-time message encryption and decryption method
CN103873461A (en) * 2014-02-14 2014-06-18 中国南方电网有限责任公司 IEC62351-based security interaction method for GOOSE message
CN104410153A (en) * 2014-11-06 2015-03-11 中国南方电网有限责任公司 IEC62351 intelligent substation process layer intelligent electronic device communication method and communication system
CN108090370A (en) * 2018-01-10 2018-05-29 芯盾网安(北京)科技发展有限公司 Instant messaging encryption method and system based on index
US20190260204A1 (en) * 2018-02-17 2019-08-22 Electro Industries/Gauge Tech Devices, systems and methods for the collection of meter data in a common, globally accessible, group of servers, to provide simpler configuration, collection, viewing, and analysis of the meter data
CN111259416A (en) * 2020-01-13 2020-06-09 湖北大学 Multi-algorithm security encryption authentication system and method based on FPGA


Also Published As

Publication number Publication date
CN112738023B (en) 2022-02-18

Similar Documents

Publication Publication Date Title
US8756411B2 (en) Application layer security proxy for automation and control system networks
CN103746962B (en) GOOSE electric real-time message encryption and decryption method
CN113037478B (en) Quantum key distribution system and method
CN108322484A (en) A kind of industrial control data ferry-boat system
CN113472520A (en) ModbusTCP (Transmission control protocol) security enhancement method and system
CN112738023B (en) Safety transmission method for cross-substation GOOSE message of rail transit substation
CN112217806B (en) Data transmission encryption method, server and storage medium
CN114866778B (en) Monitoring video safety system
CN113676467B (en) Data processing method, device, equipment and storage medium
CN111181956A (en) Wireless multi-service data encryption system and method applied to relay protection device
CN111935112B (en) Cross-network data security ferrying device and method based on serial
CN111510916B (en) WAMS data encryption and decryption method, device and system
EP1668807B1 (en) Method and apparatus of integrating link layer security into a physical layer transceiver
CN106230858A (en) Industrial data encrypted transmission method
CN204119252U (en) The device that a kind of Wide area protection system data communication network is real-time encrypted
CN107087000B (en) Safety processing method for secondary shared information of transformer substation
CN111064575A (en) Method for analyzing network packet capturing applied to signal system of domestic password encryption
CN103716163A (en) SV message encryption and decryption method meeting IEC61850-9-2 (LE) standard
CN104219057A (en) Method and device of real-time encryption for data communication network of wide area protection system
CN115694997B (en) Intelligent gateway system of Internet of things
CN114866527B (en) Data processing method, device and system
CN214474997U (en) Hard implementation equipment for SM4 encryption algorithm
CN102148704A (en) Software implementation method for universal network management interface of safe switch
KR102038989B1 (en) Method of encrypting protocol for programmable logic controller
CN207460233U (en) A kind of secure encryption system based on power generation control with monitoring data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant