CN112738023A - Safety transmission method for cross-substation GOOSE message of rail transit substation - Google Patents
Publication number: CN112738023A (application CN202011424109.XA)
Authority: CN (China)
Prior art keywords: goose, data, mapping table, value, plaintext
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/06—Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention provides a secure transmission method for cross-substation GOOSE messages of a rail transit substation. Exploiting the fact that a cross-substation GOOSE message carries only Boolean state information, the method maps each transmitted state to one bit and combines the bits into a single combination value. A plaintext/ciphertext mapping table is generated in advance by traversing all combinations of the state bits. When the device starts, the table is written into DDR memory; the combination value then serves as the table index, so encryption and decryption are performed by table lookup. The per-message AES computation is thereby taken off the real-time path, data processing latency is reduced, and the real-time performance of GOOSE is not affected.
Description
Technical Field
The invention relates to the technical field of network data transmission, in particular to a secure transmission method for cross-substation GOOSE messages of a rail transit substation.
Background
Rail transit power supply systems use the IEC 61850 communication protocol to share information among power supply equipment. Cross-substation signals such as interlocking and bilateral interlocking signals are also transmitted over optical fibre using the GOOSE protocol. IEC 61850 itself addresses only the information exchange between IEDs and does not consider the security of the communication. Cross-substation GOOSE links span long distances and pass through many transmission nodes, which makes them comparatively easy to intrude upon, so a real intrusion risk exists. Once a GOOSE network is compromised, normal operation of the metro power supply system is affected and the consequences are severe. The security of cross-substation information transmitted via GOOSE therefore urgently needs to be addressed.
IEC 62351 is the data and communication security standard developed by the International Electrotechnical Commission for the communication protocols used in the power sector; encryption and authentication are its core content. IEC 62351-6 defines a security mechanism for GOOSE communication that remains compatible with the original GOOSE message and preserves consistent data processing. Because GOOSE messages have extremely tight timing requirements, encrypting them was judged incompatible with those deadlines, so the mechanism defines no encryption of the message: it addresses identity authentication and replay protection, but not eavesdropping on the data.
Disclosure of Invention
To address the security problem of cross-substation GOOSE transmission in rail transit substations, the invention provides a secure cross-domain transmission method for GOOSE messages based on IEC 62351 and FPGA-based encryption. It preserves the real-time performance of data processing while encrypting the transmitted data, improving its security and preventing it from being intercepted.
To achieve this object, the technical solution of the invention is implemented as follows:
A secure transmission method for cross-substation GOOSE messages of a rail transit substation comprises the following steps:
(1) Establish a plaintext/ciphertext mapping table. A cross-substation GOOSE message contains only state quantities. If the number of states n is at most 16, the Value of the message's allData field is a concatenation of n ASN.1 TLV data blocks 0x83 0x01 0x01/0x00, where 0x83 is the Tag (type) of the data, 0x01 is its Length and 0x01/0x00 is the state Value, 0 or 1. Representing the n state values as n bits gives 2^n possible combinations. The message corresponding to each combination is encrypted with AES-128 to form the plaintext/ciphertext mapping table, and the combination value is used as the table's retrieval index.
If the number of states n in the message is greater than 16, the states are grouped into blocks of 16, and each block is retrieved from a plaintext/ciphertext mapping table by its own index.
(2) After the secure transmission device starts, the CPU board writes the pre-generated plaintext/ciphertext mapping table through the PCIe bus and the field programmable gate array (FPGA) into double data rate (DDR) memory. When writing is complete, the FPGA records the first address of the mapping table in DDR to simplify its addressing.
(3) To ensure fast decryption, the state combination value computed in step (1) is written into the Private field of the GOOSE APDU's security extension. When unpacking, the receiver parses the Private value to locate the corresponding mapping table entry directly, so decryption is processed in real time.
The beneficial effects of the invention are as follows:
The method exploits the characteristics of cross-substation GOOSE signal transmission in rail transit substations. When cross-substation signals are transmitted by GOOSE messages, the GOOSE message data are encrypted on the basis of the IEC 62351 standard; a mapping table of the correspondence between plaintext and ciphertext is established according to the structure of the GOOSE messages, the table entries are located rapidly by addressing, and the processing time of the AES encryption and decryption algorithm is removed from the message path. Establishing an AES-128 encryption mapping table and encrypting GOOSE message data allows cross-substation information to be transmitted over GOOSE and extends the GOOSE multicast domain while preserving real-time data processing and communication security, thereby securing cross-substation information transmission in rail transit.
Drawings
FIG. 1 is a block diagram of the apparatus of the invention;
FIG. 2 is a block diagram of the GOOSE message data processing flow;
FIG. 3(a) is a schematic diagram of the GOOSE message structure according to the IEC 61850 standard;
FIG. 3(b) is a schematic diagram of the GOOSE message structure according to the IEC 62351 standard;
FIG. 4 is the GOOSE PDU structure;
FIG. 5 is the plaintext/ciphertext mapping table structure of the invention.
Detailed Description
The invention specifically comprises the following:
On the basis of the original IEC 62351-6 standard, and in order to prevent the data content from being intercepted, the data in the GOOSE application protocol data unit (APDU) is encrypted with the AES-128 algorithm. FIG. 4 shows the PDU structure of a GOOSE message: the left half lists the PDU parameter names and the right half their TAG values. The allData field, that is, the current values of the data transmitted by the GOOSE message, is the object of encryption. Since the encryption and decryption processes would affect the real-time performance of GOOSE data processing, the invention exploits the characteristics of cross-substation GOOSE messages: the state information transmitted by GOOSE is mapped to bits and converted into a combination value; a plaintext/ciphertext mapping table is generated in advance by traversing all combinations of the state information; when the device starts, the table is written into DDR; and the combination value is used as the table index, so that encryption and decryption are performed by table lookup, the per-message AES computation is avoided, data processing latency is reduced, and the real-time performance of GOOSE is unaffected. The key process is as follows:
As shown in FIG. 2, after the secure transmission device starts, the CPU board writes the pre-generated plaintext/ciphertext mapping table through the PCIe bus and the FPGA into DDR memory. When writing is complete, the FPGA records the first address of the mapping table in DDR for addressing. The block diagram of the secure transmission device is shown in FIG. 1.
To encrypt the GOOSE message data field, the FPGA converts the interlocking information to be transmitted into a combination value n, addresses DDR at first address + n × (48+64) + 48, reads the AES-128 ciphertext corresponding to that information from DDR, fills it into the message data field, and writes the combination value into the Private field of the extended GOOSE PDU, as shown in FIG. 3, where FIG. 3(a) is the GOOSE message structure according to IEC 61850 and FIG. 3(b) that according to IEC 62351.
To decrypt an encrypted GOOSE message, the subscriber parses the Private field to obtain the state combination value n, addresses DDR at first address + n × (48+64), reads the corresponding plaintext and ciphertext from DDR, compares the stored ciphertext with the received encrypted data and, if they match, decodes the plaintext.
The transmission flow of an IEC 62351-based encrypted GOOSE packet is explained below by way of a specific embodiment, in which a publishing terminal sends an encrypted packet and a subscribing terminal parses it. The publisher and subscriber process the packet as follows.
Encryption process:
(1) The CPU board monitors the cross-substation GOOSE state information in real time and, on detecting a change, sends the state information to the FPGA module over the system bus;
(2) The FPGA reads the GOOSE state information from the bus and combines 16 GOOSE states bit by bit into a combination value in the range 0 to 65535. Taking 16 states as an example, the Value of the GOOSE message's allData field is a concatenation of 16 ASN.1 TLV data blocks 0x83 0x01 0x01/0x00 (a TLV is a structure consisting of the Tag of the data, its Length and its Value), where 0x83 is T, 0x01 is L and 0x01/0x00 is the state value. Since each state value is 0 or 1, representing the 16 state values as bits gives 2^16 = 65536 combinations. The index format of the plaintext/ciphertext mapping table is shown in FIG. 5.
(3) The FPGA calculates the storage address offset of the ciphertext from the combination value: for combination value n, the offset of the ciphertext within the mapping table is n × (48+64) + 48 (each entry holds the 48-byte plaintext followed by the 64-byte ciphertext), the DDR address of the ciphertext is the first address plus this offset, and the ciphertext is obtained by reading that address;
(4) A GOOSE security extension message based on IEC 62351 is constructed, with the structure shown in FIG. 3(b). Construction follows that of the IEC 62351 standard extension message: the reserved fields are filled and the CRC is calculated, the V value of the GOOSE PDU allData field is filled with the ciphertext obtained in step (3), and the combination value is written into the extended Private field;
(5) The signature value is calculated with HMAC-SHA-256 and written into the V field of the extended Authentication field, which completes the packaging.
Decryption process:
(1) Data are read from the first-in first-out queue (FIFO) to obtain the security extension message, which is passed to the GOOSE encoding/decoding module;
(2) The Authentication V value is extracted, the HMAC-SHA-256 signature of the message is recomputed and compared with it; processing continues if the two are identical and an error is returned otherwise;
(3) The CRC is verified: the values of the tag protocol identifier (TPID), tag control information (TCI), EtherType and application identifier (APPID) fields are extracted, a CRC value is calculated over them with the CRC16 algorithm and compared with the Reserved2 field; processing continues if they match and an error is returned otherwise;
(4) The value of the extended Private field is extracted to obtain the combination value, the addresses of the plaintext and ciphertext in the DDR mapping table are calculated from it as first address + combination value × (48+64), and the plaintext and ciphertext are read from DDR;
(5) The V value of the GOOSE PDU allData field is extracted and compared with the ciphertext looked up; processing continues if they are identical and an error is returned otherwise;
(6) The corresponding plaintext is sent to the parsing module to obtain the transmitted GOOSE state information, which is then passed to the CPU board over the system bus.
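The following Go program is an added example written for this page; it is not code from the patent or from its implementers. It models in software both the mapping-table construction of steps (1) to (3) in the disclosure above and the publisher/subscriber flows just described: build the 2^16-entry codebook, address it as first address + n × (48+64) with the ciphertext at +48, fill allData and the Private index, sign with HMAC-SHA-256, and on receipt verify the signature, look up the entry named by Private, compare ciphertexts and parse the plaintext TLV blocks. Several details the page leaves open are assumptions here: AES-128 in CBC mode with a fixed all-zero IV (a deterministic mode is the only way a static plaintext/ciphertext table can exist), PKCS#7 padding taking the 48-byte allData to the 64-byte ciphertext that the page's offsets imply, bit i of the combination value meaning state i, the constructed demo keys, and a frame model reduced to allData, Private and Authentication (the VLAN header fields and the Reserved2 CRC16 of decryption step (3) are left out). For more than 16 states the page groups them into blocks of 16; this example handles one such block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// One table covers 16 Boolean states: 2^16 entries of 48 plaintext + 64 ciphertext bytes, so entry n
// starts at n*(48+64) and its ciphertext at n*(48+64)+48, as on the page. Assumed, since the page does
// not say: AES-128-CBC with a fixed zero IV (each plaintext gets one ciphertext), PKCS#7 padding, HMAC key.
const nStates, ptLen, ctLen, entryLen = 16, 48, 64, 112
var aesKey, macKey = []byte("demo-aes-key-16B"), []byte("demo-hmac-key") // constructed demo keys

// allDataTLV encodes the state word as 16 TLV blocks 0x83 0x01 0x00|0x01; bit i is state i.
func allDataTLV(combo uint16) []byte {
	out := make([]byte, 0, ptLen)
	for i := 0; i < nStates; i++ {
		out = append(out, 0x83, 0x01, byte(combo>>i)&1)
	}
	return out
}

// decodeAllData inverts allDataTLV and rejects any malformed TLV block.
func decodeAllData(pt []byte) (uint16, error) {
	var combo uint16
	for i := 0; i < nStates; i++ {
		if len(pt) != ptLen || pt[3*i] != 0x83 || pt[3*i+1] != 0x01 || pt[3*i+2] > 1 {
			return 0, errors.New("allData: malformed TLV")
		}
		combo |= uint16(pt[3*i+2]) << i
	}
	return combo, nil
}

// buildTable is the offline step: traverse all 2^16 combinations and store plaintext||ciphertext.
func buildTable() []byte {
	block, _ := aes.NewCipher(aesKey)
	table := make([]byte, entryLen<<nStates)
	for n := 0; n < 1<<nStates; n++ {
		pt := allDataTLV(uint16(n))
		padded := append(pt, bytes.Repeat([]byte{16}, 16)...) // PKCS#7: 48 -> 64 bytes
		copy(table[n*entryLen:], pt)
		cipher.NewCBCEncrypter(block, make([]byte, 16)).CryptBlocks(table[n*entryLen+ptLen:(n+1)*entryLen], padded)
	}
	return table
}

// lookup stands in for the FPGA's DDR addressing: first address + n*(48+64), ciphertext at +48.
func lookup(table []byte, combo uint16) (pt, ct []byte) {
	off := int(combo) * entryLen
	return table[off : off+ptLen], table[off+ptLen : off+entryLen]
}

type SecureGOOSE struct { // extended-frame fields used here; VLAN header and Reserved2 CRC16 are omitted
	AllData        []byte // ciphertext copied from the table
	Private        uint16 // state combination value, i.e. the lookup index
	Authentication []byte // HMAC-SHA-256 over AllData and Private
}

func (m *SecureGOOSE) mac() []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(m.AllData)
	h.Write([]byte{byte(m.Private >> 8), byte(m.Private)})
	return h.Sum(nil)
}

// Publish is the publisher flow: index, table lookup, fill allData and Private, then HMAC.
func Publish(table []byte, combo uint16) *SecureGOOSE {
	_, ct := lookup(table, combo)
	m := &SecureGOOSE{AllData: ct, Private: combo}
	m.Authentication = m.mac()
	return m
}

// Subscribe is the subscriber flow; the first failing check returns an error and no state.
func Subscribe(table []byte, m *SecureGOOSE) (uint16, error) {
	if !hmac.Equal(m.mac(), m.Authentication) {
		return 0, errors.New("HMAC mismatch")
	}
	pt, ct := lookup(table, m.Private)
	if !bytes.Equal(ct, m.AllData) {
		return 0, errors.New("allData differs from the table ciphertext for this Private index")
	}
	return decodeAllData(pt)
}

func main() {
	table := buildTable()
	msg := Publish(table, 0xA5C3)
	state, err := Subscribe(table, msg)
	msg.Private ^= 1 // one state bit flipped in transit: the HMAC check rejects it
	_, tampered := Subscribe(table, msg)
	fmt.Printf("state=%#04x err=%v tampered=%v\n", state, err, tampered)
}
```

Two points follow directly from the procedure as the page describes it. First, the subscriber never runs AES: it reads the entry named by Private and compares ciphertexts, so the Private field, which is the state combination value itself, carries the 16 state bits in clear to anyone who can read the frame; the confidentiality added over plain IEC 62351-6 therefore rests on how the index is represented, which the page does not specify. Second, because the table is static, equal states always yield equal ciphertexts, so an observer can recognise repeated states even without reading Private; the HMAC prevents forgery and modification but not this kind of traffic analysis.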
The technical solutions described above represent only the preferred embodiments of the invention; modifications that those skilled in the art may make to parts of them still embody the principles of the invention and fall within its scope of protection.
Claims (1)
1. A secure transmission method for cross-substation GOOSE messages of a rail transit substation, characterized by comprising the following steps:
(1) Establish a plaintext/ciphertext mapping table. A cross-substation GOOSE message contains only state quantities. If the number of states n is at most 16, the Value of the message's allData field is a concatenation of n ASN.1 TLV data blocks 0x83 0x01 0x01/0x00, where 0x83 is the Tag (type) of the data, 0x01 is its Length and 0x01/0x00 is the state Value, 0 or 1. Representing the n state values as n bits gives 2^n possible combinations. The message corresponding to each combination is encrypted with AES-128 to form the plaintext/ciphertext mapping table, and the combination value is used as the table's retrieval index.
If the number of states n in the message is greater than 16, the states are grouped into blocks of 16, and each block is retrieved from a plaintext/ciphertext mapping table by its own index.
(2) After the secure transmission device starts, the CPU board writes the pre-generated plaintext/ciphertext mapping table through the PCIe bus and the field programmable gate array (FPGA) into double data rate (DDR) memory. When writing is complete, the FPGA records the first address of the mapping table in DDR to simplify its addressing.
(3) To ensure fast decryption, the state combination value computed in step (1) is written into the Private field of the GOOSE APDU's security extension. When unpacking, the receiver parses the Private value to locate the corresponding mapping table entry directly, so decryption is processed in real time.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011424109.XA (granted as CN112738023B) | 2020-12-08 | 2020-12-08 | Safety transmission method for cross-substation GOOSE message of rail transit substation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112738023A | 2021-04-30 |
CN112738023B | 2022-02-18 |
Family
ID=75598486
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011424109.XA (granted as CN112738023B, active) | Safety transmission method for cross-substation GOOSE message of rail transit substation | 2020-12-08 | 2020-12-08 |
Country Status (1)
Country | Link |
---|---|
CN | CN112738023B |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7626944B1 | 2004-03-31 | 2009-12-01 | Packeteer, Inc. | Methods, apparatuses and systems facilitating remote, automated deployment of network devices |
CN103746962A | 2013-12-12 | 2014-04-23 | 华南理工大学 | GOOSE electric real-time message encryption and decryption method |
CN103873461A | 2014-02-14 | 2014-06-18 | 中国南方电网有限责任公司 | IEC62351-based security interaction method for GOOSE message |
CN104410153A | 2014-11-06 | 2015-03-11 | 中国南方电网有限责任公司 | IEC62351 intelligent substation process layer intelligent electronic device communication method and communication system |
CN108090370A | 2018-01-10 | 2018-05-29 | 芯盾网安(北京)科技发展有限公司 | Instant messaging encryption method and system based on index |
US20190260204A1 | 2018-02-17 | 2019-08-22 | Electro Industries/Gauge Tech | Devices, systems and methods for the collection of meter data in a common, globally accessible, group of servers, to provide simpler configuration, collection, viewing, and analysis of the meter data |
CN111259416A | 2020-01-13 | 2020-06-09 | 湖北大学 | Multi-algorithm security encryption authentication system and method based on FPGA |
Also Published As
Publication number | Publication date |
---|---|
CN112738023B | 2022-02-18 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
US8756411B2 (en) | Application layer security proxy for automation and control system networks | |
CN103746962B (en) | GOOSE electric real-time message encryption and decryption method | |
CN113037478B (en) | Quantum key distribution system and method | |
CN108322484A (en) | A kind of industrial control data ferry-boat system | |
CN113472520A (en) | ModbusTCP (Transmission control protocol) security enhancement method and system | |
CN112738023B (en) | Safety transmission method for cross-substation GOOSE message of rail transit substation | |
CN112217806B (en) | Data transmission encryption method, server and storage medium | |
CN114866778B (en) | Monitoring video safety system | |
CN113676467B (en) | Data processing method, device, equipment and storage medium | |
CN111181956A (en) | Wireless multi-service data encryption system and method applied to relay protection device | |
CN111935112B (en) | Cross-network data security ferrying device and method based on serial | |
CN111510916B (en) | WAMS data encryption and decryption method, device and system | |
EP1668807B1 (en) | Method and apparatus of integrating link layer security into a physical layer transceiver | |
CN106230858A (en) | Industrial data encrypted transmission method | |
CN204119252U (en) | The device that a kind of Wide area protection system data communication network is real-time encrypted | |
CN107087000B (en) | Safety processing method for secondary shared information of transformer substation | |
CN111064575A (en) | Method for analyzing network packet capturing applied to signal system of domestic password encryption | |
CN103716163A (en) | SV message encryption and decryption method meeting IEC61850-9-2 (LE) standard | |
CN104219057A (en) | Method and device of real-time encryption for data communication network of wide area protection system | |
CN115694997B (en) | Intelligent gateway system of Internet of things | |
CN114866527B (en) | Data processing method, device and system | |
CN214474997U (en) | Hard implementation equipment for SM4 encryption algorithm | |
CN102148704A (en) | Software implementation method for universal network management interface of safe switch | |
KR102038989B1 (en) | Method of encrypting protocol for programmable logic controller | |
CN207460233U (en) | A kind of secure encryption system based on power generation control with monitoring data |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |