CN113300845B - Intelligent heat supply network data transmission safety protection system and method - Google Patents

Publication number
CN113300845B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110816058.3A
Other languages
Chinese (zh)
Other versions
CN113300845A (en
Inventor
刘曙元
王春懿
谢华
李志强
程睿君
吴长东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guoneng Xinkong Internet Technology Co Ltd
Original Assignee
Guoneng Xinkong Internet Technology Co Ltd

Classifications

    • H04L9/3066: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/166: Implementing security features at a particular protocol layer at the transport layer
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L69/162: Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The application discloses a data transmission security protection system and method for an intelligent heat supply network. The system comprises a transmission encryption system on the heat user side and a transmission encryption system server on the power plant side. The transmission encryption system is integrated into the heat user totalizer in the form of a national cryptographic security SDK; the transmission encryption system server is deployed at the data ingress and egress of the intelligent heat supply network management system server on the power plant side. The transmission encryption system establishes a key management mechanism and builds a secure data transmission channel between the heat user side and the power plant side; the power plant side transmission encryption system server acts as the reverse proxy server of the intelligent heat supply network management system and at the same time authenticates the encrypted connections and encrypts and decrypts their data, thereby protecting intelligent heat supply network data transmission. The invention ensures the integrity and confidentiality of heat supply network data, enhances data processing capability, and improves the flexibility and usability of the system.

Description

Intelligent heat supply network data transmission safety protection system and method
Technical Field
The invention belongs to the technical field of heat supply network data transmission safety, and relates to an intelligent heat supply network data transmission safety protection system and method.
Background
The intelligent heat supply network closely combines a traditional heat supply network physical system and a business information system, uses technologies such as big data, artificial intelligence, cloud computing and internet, and realizes real-time monitoring and remote control instruction issuing of the heat supply network through data acquisition and analysis of important real-time parameters of heat supply, such as pressure, instantaneous flow, accumulated flow, acquisition time, valve state, available gas amount and the like.
At present, heat users of an intelligent heat supply network generally use a wireless operator network and transmit data over TCP/IP to the interface platform of the power plant's intelligent heat supply network management system; the interface platform parses the messages, reads the real-time data and stores it in the heat supply network real-time database. The important heat supply parameter data and the remote control instructions are transmitted in plaintext, so an attacker can obtain the transmitted heat supply network data by means such as sniffing or man-in-the-middle attacks and go on to tamper with the heat supply network data or control instructions; the security of the data in transit cannot be guaranteed.
In terms of data transmission security protection technology, the traditional approach has two problems. First, establishing remote secure access channels leaves a large number of generated keys in the system, and when invalid keys are not cleared in time they occupy a large amount of storage space; secondly, in a heat supply network scenario a large number of concurrent users send connection establishment requests to the power plant side server, which easily places a heavy computational burden on the server and causes slow data transmission or even business timeouts.
Disclosure of Invention
In order to solve the defects in the prior art, the application provides a system and a method for protecting the data transmission safety of the intelligent heat supply network, and the safety of the data transmission of the intelligent heat supply network is improved.
In order to achieve the above purpose, the invention adopts the following technical scheme:
an intelligent heat supply network data transmission security protection system comprises a transmission encryption system on the heat user side and a transmission encryption system server on the power plant side;
the transmission encryption system is integrated into the heat user totalizer in the form of a national cryptographic security SDK;
the transmission encryption system server is deployed at the data ingress and egress of the intelligent heat supply network management system server on the power plant side;
the transmission encryption system establishes a key management mechanism and builds a secure data transmission channel between the heat user side and the power plant side; the power plant side transmission encryption system server acts as the reverse proxy server of the intelligent heat supply network management system and at the same time performs authentication and data encryption and decryption offloading for the encrypted connections, thereby protecting intelligent heat supply network data transmission.
The invention further comprises the following preferred embodiments:
preferably, the transmission encryption system re-encapsulates incoming packets in proxy mode to encrypt data communication; it changes the data processing logic by function replacement, and the replacement function calls the national cryptographic SSL acceleration engine to encrypt or decrypt the data and forward it; specifically,
the communication encryption protocol of the transmission encryption system is encapsulated with reference to the national cryptographic SSL VPN standard, so as to ensure the security of data transmitted over the network.
Preferably, the transmission encryption system embeds a TCP service module to provide a TCP + SSL/TLS secure transmission channel delivery service, supporting both TCP network application systems based on the SSL/TLS security protocol and traditional TCP network application systems without a security policy, thereby quickly securing and accelerating the transmission channel.
Preferably, the transmission encryption system uses an event-driven model with a dynamic connection pool and connection multiplexing to build the secure data transmission channel between the heat user side and the power plant side on the basis of domestic cryptographic algorithms; this serves batch user connections and accelerates sessions;
preferably, the event driven model comprises an event collector, an event sender and an event handler;
the event collector is used for collecting various IO requests of a work process;
the event transmitter is used for transmitting the IO event to the event processor;
the event processor is used for responding various events.
The event sender puts each request into a pending event list and invokes the event handler to handle the request using non-blocking I/O.
Preferably, the transmission encryption system on the heat user side implements encryption and decryption by calling interfaces, including a verification API and an encryption API;
key management and authentication are implemented with a USB-KEY, and each USB-KEY can be bound to only one heat user totalizer;
the transmission encryption system server on the power plant side implements the domestic cryptographic algorithms, including SM2, SM3 and SM4, through a PCIe encryption card;
preferably, the transmission encryption system has a five-layer key management system comprising the device master key DMK, the device identity key pair and certificate DIK, the premaster key PMK, the master key MK, and the encryption key DEK and verification key DAK.
Preferably, the key management mechanism of the transmission encryption system specifically includes:
(1) key generation: the power plant side transmission encryption system server generates random numbers with 4 physical noise source generators (WNG8) approved by the State Cryptography Administration and outputs them after XOR (exclusive OR) logic to generate keys; the heat user side totalizer generates random numbers with the USB-KEY to obtain keys;
(2) secure key storage: the device master key DMK is stored in the security chip or the USB-KEY; the DIK is protected by the DMK and stored in the transmission encryption system; the session key of each connection exists in system memory and is protected by the transmission encryption system boundary; none of the keys involved appears outside the system in plaintext at any time;
(3) controlled key use: key attributes are set, including:
the key type, which determines which types of operations the key can perform:
1) signature key pair and certificate: for identity authentication;
2) encryption key pair and certificate: for session key exchange;
3) session key: comprises the encryption key DEK and the verification key DAK, used for encryption and integrity verification of application data;
and the algorithm identifier, which indicates which algorithm the key is to be used with.
(4) Key destruction:
when the system is initialized, the DMK is regenerated and the new DMK overwrites the old DMK;
when the system is reinitialized, the old device identity key pair DIK file is overwritten with an "all 0" file 10 times, so that the old device identity key pair DIK cannot be recovered;
the PMK is destroyed after the MK is calculated;
the master key MK is destroyed after the encryption key DEK and the verification key DAK are calculated;
the encryption key DEK and the verification key DAK are destroyed when the session ends;
and after the session ends, keys such as the PMK, MK, DAK and DEK that exist in system memory are destroyed by zeroing their buffers, and the memory buffers are released after destruction.
The invention also discloses a safety protection method for data transmission of the intelligent heat supply network, which comprises the following steps:
step 1: before the session starts, starting a security service and establishing a security channel;
step 2: the heat supply network data collected by the totalizer is encrypted with a national cryptographic algorithm, carried over TCP (transmission control protocol) in encrypted form, and sent by wireless transmission to the power plant side transmission encryption system server, which decrypts it to obtain the plaintext;
step 3: the plaintext is passed to the interface platform of the intelligent heat supply network management system for parsing and stored in the heat supply network real-time database;
step 4: the intelligent heat supply network management system calls the interface provided by the database to write data back; electromagnetic valve control instructions from the power plant side to the heat user side are issued through the database, and the transmission encryption system encrypts the control instructions to protect them.
Preferably, in step 1, the heat user totalizer starts the transmission encryption system by calling the national cryptographic security SDK and initiates a connection request; the transmission encryption system starts the security service, authenticates the identities of both communicating parties and establishes the secure channel, specifically:
before transmitting data to the intelligent heat supply network management system on the power plant side, the heat user side establishes an SSL secure channel with the power plant side according to the national cryptographic SSL v1.1 handshake protocol;
two-way authentication based on PKI and digital certificate technology is used to verify the identities of both communicating parties, that is, preset security certificates are used to authenticate the peer; only pre-configured devices can establish a secure channel, and identity authentication uses the two-way TLS protocol with the SM2 and SM3 algorithms.
Preferably, step 1 further includes initializing the secure channel between the heat user side transmission encryption system and the power plant side transmission encryption system server, where the initialization of the secure channel includes:
step 1.1: the heat user side initiates an access request to the power plant side transmission encryption system server; the transmitted content includes the protocol version and the cipher suite list supported by the heat user side, and a random number $R_1$ is generated;
step 1.2: the power plant side transmission encryption system server responds to the request, determines the protocol version and cipher suite to be used, and generates a random number $R_2$;
step 1.3: the power plant side transmission encryption system server sends its national cryptographic signature certificate and encryption certificate to the heat user side;
step 1.4: the power plant side transmission encryption system server determines the elliptic curve and its base point $G$, and keeps $R_2$ local as the power plant side elliptic curve private key $DIKE_{pv2}$; from the base point $G$ and its private key $DIKE_{pv2}$ it calculates the power plant side elliptic curve public key $DIKE_{pb2}$,
where:
$DIKE_{pb2} = DIKE_{pv2} * G$
$DIKE_{pb2}$ and $G$ are sent to the heat user side as key parameters, in preparation for generating the premaster key PMK, and the signature key private key $DIKS_{pv2}$ is used to sign the power plant side elliptic curve public key $DIKE_{pb2}$;
step 1.5: the power plant side transmission encryption system server finishes its response to the request;
step 1.6: the heat user side transmission encryption system verifies whether the certificate of the power plant side is legitimate, specifically:
the certificate chain is verified level by level to confirm the authenticity of the certificate; the signature is then verified with the certificate's signature key public key $DIKS_{pb2}$ to confirm the peer's identity;
step 1.7: the heat user side transmission encryption system sends its national cryptographic signature certificate and encryption certificate to the power plant side;
step 1.8: the heat user side transmission encryption system generates a random number $R_1$ as the heat user side elliptic curve private key $DIKE_{pv1}$ and keeps it local; from the known base point $G$ and its private key $DIKE_{pv1}$ it calculates the heat user side elliptic curve public key $DIKE_{pb1}$,
where:
$DIKE_{pb1} = DIKE_{pv1} * G$
$DIKE_{pb1}$ is sent to the power plant side as a key parameter, in preparation for generating the premaster key PMK, and the signature key private key $DIKS_{pv1}$ is used to sign the elliptic curve public key $DIKE_{pb1}$ for the power plant side;
step 1.9: the power plant side transmission encryption system server verifies whether the certificate of the heat user side is legitimate, specifically:
the certificate chain is verified level by level to confirm the authenticity of the certificate; the signature is then verified with the certificate's signature key public key $DIKS_{pb2}$ to confirm the peer's identity;
step 1.10: each party now holds the other party's public key, $DIKE_{pb1}$ or $DIKE_{pb2}$, and calculates its point $Q$ from the other party's public key and its own private key;
where:
the point calculated on the heat user side is $Q_1 = DIKE_{pv1} * DIKE_{pb2}$
the point calculated on the power plant side is $Q_2 = DIKE_{pv2} * DIKE_{pb1}$
Multiplication on the elliptic curve satisfies the commutative and associative laws, namely:
$Q = Q_1 = DIKE_{pv1} * DIKE_{pb2} = DIKE_{pv1} * DIKE_{pv2} * G = DIKE_{pv2} * DIKE_{pv1} * G = DIKE_{pv2} * DIKE_{pb1} = Q_2$
so the two parties obtain the same key $Q$, which is the premaster key PMK;
step 1.11: the master key MK is generated from the three materials "$R_1$ + $R_2$ + PMK", and the encryption key DEK and the verification key DAK are calculated from the master key MK;
step 1.12: after the key agreement is finished, the power plant side transmission encryption system server sends a message notifying the heat user side to switch subsequent communication to encrypted mode, and data is encrypted and decrypted with the SM4 symmetric encryption algorithm.
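The key agreement of steps 1.10 and 1.11, together with the key destruction rules in item (4) of the key management mechanism, as an added Python example (not code from the patent or its SDK). It checks that both sides reach the same Q on the SM2 recommended curve, validates the peer public key before use, and zeroes PMK and MK as soon as their children exist. Assumptions made here: PMK is the x-coordinate of Q, HMAC-SHA256 stands in for the SM3-based derivation, the labels and key lengths are illustrative, the private keys are drawn independently of the hello random numbers, and the certificate and signature checks of steps 1.6 and 1.9 are left out.

```python
import hashlib
import hmac
import secrets

# SM2 recommended curve sm2p256v1: y^2 = x^3 + A*x + B over GF(P), base point G of order N.
P = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_00000000_FFFFFFFF_FFFFFFFF
A = P - 3
B = 0x28E9FA9E_9D9F5E34_4D5A9E4B_CF6509A7_F39789F5_15AB8F92_DDBCBD41_4D940E93
N = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_7203DF6B_21C6052B_53BBF409_39D54123
G = (0x32C4AE2C_1F198119_5F990446_6A39C994_8FE30BBF_F2660BE1_715A4589_334C74C7,
     0xBC3736A2_F4F6779C_59BDCEE3_6B692153_D0A9877C_C62A4740_02DF32E5_2139F0A0)

def on_curve(pt):
    """True if pt is an affine point on the curve (None is the point at infinity)."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition; teaching code, not constant-time."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def wipe(buf):
    """Key destruction: overwrite the buffer with zeros in place."""
    buf[:] = bytes(len(buf))

def agree(own_priv, peer_pub):
    """Step 1.10: Q = own_priv * peer_pub; PMK is taken as Q's x-coordinate (assumption)."""
    if not on_curve(peer_pub):  # reject off-curve points before the private key touches them
        raise ValueError("peer public key is not on the curve")
    q = mul(own_priv, peer_pub)
    if q is None:
        raise ValueError("degenerate shared point")
    return bytearray(q[0].to_bytes(32, "big"))

def expand(secret, label, seed, length):
    """HMAC-SHA256 in counter mode; a stand-in for the SM3-based derivation."""
    out = bytearray()
    counter = 1
    while len(out) < length:
        out += hmac.new(secret, label + seed + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    del out[length:]
    return out

def session_keys(pmk, r1, r2):
    """Step 1.11: MK from R1 + R2 + PMK, then DEK and DAK from MK, wiping each parent."""
    mk = expand(pmk, b"master key", r1 + r2, 48)
    wipe(pmk)                            # PMK is destroyed after MK is calculated
    block = expand(mk, b"key expansion", r1 + r2, 48)
    wipe(mk)                             # MK is destroyed after DEK and DAK are calculated
    dek, dak = block[:16], block[16:]    # 128-bit SM4 key, 256-bit verification key
    wipe(block)
    return dek, dak

def handshake():
    """Run both sides in one process; returns (pmk_matched, user_keys, plant_keys, pmk_user)."""
    r1, r2 = secrets.token_bytes(32), secrets.token_bytes(32)  # hello random numbers
    # Assumption: private keys are drawn separately from r1/r2, which travel in the clear.
    # Python ints are immutable, so pv1/pv2 cannot be zeroed; real code keeps them in hardware.
    pv1 = secrets.randbelow(N - 1) + 1   # heat user side private key DIKE_pv1
    pv2 = secrets.randbelow(N - 1) + 1   # power plant side private key DIKE_pv2
    pb1, pb2 = mul(pv1, G), mul(pv2, G)  # public keys, signed and exchanged in the protocol
    pmk_user, pmk_plant = agree(pv1, pb2), agree(pv2, pb1)
    matched = hmac.compare_digest(pmk_user, pmk_plant)
    user_keys = session_keys(pmk_user, r1, r2)
    plant_keys = session_keys(pmk_plant, r1, r2)
    return matched, user_keys, plant_keys, pmk_user

if __name__ == "__main__":
    ok, (dek, dak), plant, pmk = handshake()
    print("PMK matched:", ok, "| keys equal:", (dek, dak) == plant, "| PMK wiped:", not any(pmk))
    wipe(dek)                            # session keys are destroyed when the session ends
    wipe(dak)
```

Zeroing a `bytearray` is best effort in Python, since the interpreter may hold other copies; the PCIe card and USB-KEY described in the text are where key material would live in a deployment.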
Preferably, in step 1, an asynchronous non-blocking mechanism and a multi-process mechanism are adopted for request processing;
the asynchronous non-blocking mechanism implements process calls on the basis of the event-driven model. It means that the transmission encryption system can process multiple requests: when a subprocess receives a request from the heat user side, it calls IO to process the request, and if the result cannot be obtained immediately it goes on to process other requests, which is what non-blocking means; the heat user side does not need to wait for the response in the meantime and can do other things, which is what asynchronous means; when the IO returns, the subprocess is notified, and on being notified it temporarily suspends the transaction it is currently processing in order to respond to the request from the heat user side.
Preferably, the multi-process mechanism means that each time the power plant side transmission encryption system server receives a connection from a heat user, a subprocess is spawned from the server's main process to establish the connection with the heat user side and interact with it until the connection is closed;
the multi-process start-up and execution procedure is as follows:
after the main program starts, it receives and processes external signals in a for loop;
the main process creates worker subprocesses with the fork() function, and each subprocess runs a for loop in which the transmission encryption system receives and processes events;
each request is processed by one and only one worker process. First, every worker process is forked from the main process: after the main process has created the socket to listen on, it forks the worker processes;
the listenfd of every worker process becomes readable when a new connection arrives; before registering the listenfd read event the worker processes compete for the mutex accept_mutex, and the process that acquires the mutex registers the listenfd read event and calls accept in the read event handler to accept the connection;
after a worker process has accepted the connection, it reads, parses and processes the request, generates the data and returns it to the client, and finally closes the connection; this constitutes one complete request.
The beneficial effect that this application reached:
according to the invention, the national cryptographic security SDK is integrated into the heat user totalizer and the transmission encryption system server is deployed on the power plant side, so that a secure transmission channel based on domestic cryptography can be established quickly and effectively; identity authentication and encryption are based on domestic cryptographic algorithms and an autonomous key management mechanism is established to protect the heat supply network data, which solves the security problem of heat supply network data being transmitted in plaintext over the wireless network without affecting the original services; an attacker cannot obtain the heat supply network data by attack means such as sniffing, and the integrity and confidentiality of the heat supply network data are guaranteed.
The transmission encryption system uses an event-driven model with a dynamic connection pool and connection multiplexing to serve the large number of heat user connections in a heat supply network scenario, and processes requests with a multi-process mechanism and an asynchronous non-blocking mechanism, which enhances data processing capability and improves the flexibility and usability of the system.
Drawings
FIG. 1 is a schematic diagram of an intelligent heat supply network data transmission safety protection system according to the present invention;
FIG. 2 is a key management system diagram of a security protection system for intelligent heat supply network data transmission according to the present invention;
fig. 3 is a timing chart of transmission encryption of the security protection system for data transmission in an intelligent heat supply network according to the present invention.
Detailed Description
The present application is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present application is not limited thereby.
As shown in fig. 1, the intelligent heat supply network data transmission safety protection system of the present invention includes a transmission encryption system at a heat user side and a transmission encryption system server at a power plant side;
the transmission encryption system is integrated in a hot user totalizer in a state secret security SDK form;
the transmission encryption system server is deployed at a data entrance and exit of the intelligent heat supply network management system server at the power plant side;
the transmission encryption system establishes a key management mechanism, establishes a safety data transmission channel between a heat user side and a power plant side, and a transmission encryption system server side of the power plant side serves as a reverse proxy server of the intelligent heat supply network management system and simultaneously performs authentication, data encryption and decryption unloading on encrypted connection, so that the safety protection of intelligent heat supply network data transmission is realized.
In a specific implementation, the transmission encryption system re-encapsulates incoming packets in proxy mode to encrypt data communication;
the data processing logic is changed through function replacement, and the replaced function calls a national-cryptography SSL acceleration engine to encrypt or decrypt the data before it is forwarded. Specifically,
the communication encryption protocol of the transmission encryption system is encapsulated with reference to the national-cryptography SSL VPN standard, so as to ensure the security of data transmitted over the network.
Before data is formally sent or received, the data to be sent must be stored in memory so that the national-cryptography SSL acceleration engine can encrypt or decrypt the heat supply network data; the transmission encryption system then sends the data to the equipment of the intelligent heat supply network management system in the role of a security proxy, which completes the establishment of the secure channel.
By embedding a TCP service module, the transmission encryption system provides a TCP + SSL/TLS secure transmission channel delivery service. It supports both TCP network applications based on the SSL/TLS security protocol and traditional TCP network applications without a security policy, and quickly secures and accelerates the transmission channel.
The transmission encryption system does not establish an encrypted tunnel by traditional dial-up, i.e. a VPN (virtual private network). Instead, based on domestic cryptographic algorithms, it uses an event-driven model with a dynamic connection pool and connection multiplexing to build the secure data transmission channel between the heat user side and the power plant side, which allows batch user connections and accelerates sessions;
the event driven model comprises an event collector, an event transmitter and an event processor;
the event collector is used for collecting various IO requests of the work process;
the event transmitter is used for transmitting the IO event to the event processor;
the event processor is used for responding various events.
The event sender puts each request into a pending event list and invokes the event handler to handle the request using non-blocking I/O.
The transmission encryption system on the power plant side uses hardware encryption on a PCIe card; the heat user side uses an integrated SDK with software encryption. Specifically, for the scenario in which the heat user side totalizer has an internet wireless transmission module, with a 4G/5G module embedded in the hardware, the transmission encryption system is integrated into the totalizer's system as a national-cryptography security SDK and encrypts the data in software;
the transmission encryption system at the hot user side realizes encryption and decryption functions by calling various interfaces, including but not limited to a verification API, an encryption API and the like;
and the management and authentication functions of the KEY are realized by using USB-KEY, and each USB-KEY can only be bound with one hot user totalizer.
The power plant side transmission encryption system server side realizes various domestic cryptographic algorithms including SM2, SM3 and SM4 by applying a high-performance PCIe cryptographic card, and realizes encryption and decryption functions in a hardware encryption mode.
The transmission encryption system has a five-layer key management system comprising the device master key DMK, the device identity key pair and certificate DIK, the pre-master key PMK, the master key MK, and the encryption key DEK and verification key DAK. The cryptographic operations are encapsulated and carried out inside the system.
As shown in fig. 2, the key management mechanism of the transmission encryption system of the present invention specifically includes:
(1) Key generation: random key generation is supported. The transmission encryption system server at the power plant side generates random numbers with 4 WNG8 physical noise source generators approved by the State Cryptography Administration and outputs them after XOR logic, so that high-strength keys can be generated efficiently and stably; the heat user side totalizer with the integrated national-cryptography SDK uses the USB-KEY to generate random numbers and thereby obtain keys;
device master key DMK: generated by the PCIe cryptographic card or the USB-KEY;
when the system is initialized, the PCIe cryptographic card or the USB-KEY is called to generate the device master key, which is used to encrypt the device identity key pair DIK;
device identity key pair DIKE: generated by the KMS of the CA center;
when the system is initialized, the CA center issues a digital certificate for the transmission encryption system; the DIKE is the encryption key pair and digital certificate generated by the CA center, and is used for two-way identity authentication in the channel establishment stage;
device identity key pair DIKS: generated by the PCIe cryptographic card or the USB-KEY;
when the system is initialized, the transmission encryption system generates the DIKS: either the PCIe cryptographic card generates random numbers with its 4 WNG8 physical noise source generators and generates the key pair, or the USB-KEY generates the random numbers and the key pair. The DIKS is used for two-way key negotiation in the channel establishment stage;
pre-master key PMK: generated by negotiation using the device identity key pairs;
in the secure channel establishment stage, the two communicating parties use the device identity keys to negotiate the pre-master key; random numbers are used during the negotiation for calculating the master key;
master key MK: calculated from the pre-master key;
in the secure channel establishment stage, each communicating party uses the pre-master key to calculate its own master key, which is used to calculate the DEK and the DAK;
verification key DAK and encryption key DEK: calculated from the master key;
in the secure channel establishment stage, each communicating party uses the master key to calculate its DAK and DEK, which are used to encrypt the communication data and to calculate the check value of the communication data.
(2) Secure key storage: the device master key DMK is stored in a security chip or the USB-KEY; the DIK (including the signature key pair and the encryption key pair) is protected by the DMK and stored in the transmission encryption system; the session keys of each connection reside in system memory and are protected by the boundary of the transmission encryption system; none of the keys involved ever appears in plaintext outside the system;
(3) Controlled key use: each key has its own attributes: key type and algorithm identification.
The key type determines which kinds of operation the key may perform:
1) signature key pair and certificate: for identity authentication;
2) encryption key pair and certificate: for session key exchange;
3) session keys: comprising the encryption key DEK and the verification key DAK, used for encryption and integrity verification of application data;
the algorithm identification indicates the algorithm the key is to be used with: SM2, SM4.
(4) Key destruction:
when the system is initialized, the DMK is regenerated and the new DMK overwrites the old DMK;
when the system is reinitialized, the file holding the old device identity key pair DIK is overwritten with all zeros 10 times, so that the old device identity key pair DIK cannot be recovered;
the pre-master key PMK is destroyed after the master key MK has been calculated;
the master key MK is destroyed after the encryption key DEK and the verification key DAK have been calculated;
the encryption key DEK and the verification key DAK are destroyed when the session ends;
after the session ends, keys such as the PMK, MK, DAK and DEK that exist in system memory are destroyed by zeroing their buffers, and the memory buffers are released after destruction.
The invention discloses a safety protection method for intelligent heat supply network data transmission, which comprises the following steps:
step 1: before the session starts, starting a security service and establishing a security channel;
in a specific implementation, the heat user totalizer starts the transmission encryption system by calling the national-cryptography security SDK and initiates a connection request; the transmission encryption system starts the security service and authenticates the identities of both communicating parties, and only pre-configured devices can establish a secure channel. Specifically:
before transmitting data to the intelligent heat supply network management system at the power plant side, the heat user side must establish an SSL secure channel with the power plant side according to the national-cryptography SSL v1.1 handshake protocol;
two-way authentication based on PKI and digital certificate technology is used to identify both communicating parties, with support for a specified level of the authenticating CA/RA certificate chain and for domestic-cryptography dual-certificate authentication;
that is, preset security certificates are used to authenticate the identity of the communicating peer, and only pre-configured devices can establish a secure channel.
The identity authentication adopts a bidirectional TLS protocol, and uses SM2 and SM3 algorithms.
As shown in fig. 3, in step 1, a secure channel initialization is further performed between the hot user side transmission encryption system and the power plant side transmission encryption system server, where the secure channel initialization includes:
Step 1.1: the heat user side initiates an access request to the transmission encryption system server at the power plant side; the request contains the list of protocol versions and cipher suites supported by the heat user side, and a random number $R_1$ is generated.
Step 1.2: the transmission encryption system server at the power plant side responds to the request, determines the protocol version and cipher suite to be used, and generates a random number $R_2$.
In this scenario, the protocol TLSv1.2 is used with the ECDHE_SM4_SM3 cipher suite. The cipher suite specifies that the algorithm used for the ECDHE key exchange is SM2, the message authentication code (MAC) algorithm is SM3, and the encryption algorithm is SM4.
Step 1.3: the transmission encryption system server at the power plant side sends its national-cryptography signature certificate and encryption certificate to the heat user side;
Step 1.4: the transmission encryption system server at the power plant side determines the elliptic curve and its base point G, and keeps $R_2$ locally as the power-plant-side elliptic curve private key $DIKE_{pv2}$; from the base point G and the private key $DIKE_{pv2}$ it calculates the power-plant-side elliptic curve public key $DIKE_{pb2}$, where:
$DIKE_{pb2} = DIKE_{pv2} \cdot G$
$DIKE_{pb2}$ and G are sent to the heat user side as key parameters, in preparation for generating the pre-master key PMK. To ensure that the elliptic curve public key is not tampered with by a third party, the signature-key private key $DIKS_{pv2}$ is used to sign the power-plant-side elliptic curve public key $DIKE_{pb2}$;
Step 1.5: the transmission encryption system server at the power plant side finishes sending the content of its response;
Step 1.6: the heat user side transmission encryption system verifies whether the certificate of the power plant side is legitimate: the certificate chain is verified level by level to confirm the authenticity of the certificate, and the signature is then verified with the certificate's signature-key public key $DIKS_{pb2}$ to confirm the peer's identity.
Step 1.7: the heat user side transmission encryption system sends its national-cryptography signature certificate and encryption certificate to the power plant side;
Step 1.8: the heat user side transmission encryption system generates the random number $R_1$ and keeps it locally as the heat-user-side elliptic curve private key $DIKE_{pv1}$. From the known base point G and the private key $DIKE_{pv1}$ it calculates the heat-user-side elliptic curve public key $DIKE_{pb1}$, where:
$DIKE_{pb1} = DIKE_{pv1} \cdot G$
$DIKE_{pb1}$ is sent to the power plant side as a key parameter, in preparation for generating the pre-master key PMK. To ensure that the public key is not tampered with by a third party, the signature-key private key $DIKS_{pv1}$ is used to sign the elliptic curve public key $DIKE_{pb1}$ for the power plant side;
Step 1.9: the transmission encryption system server at the power plant side checks whether the certificate of the heat user side is legitimate. Specifically, the certificate chain is verified level by level to confirm the authenticity of the certificate, and the signature is then verified with the certificate's signature-key public key $DIKS_{pb2}$ to confirm the peer's identity;
Step 1.10: the two parties obtain each other's public keys $DIKE_{pb1}$ and $DIKE_{pb2}$, and each calculates its point Q from the peer's public key and its own private key, where:
the point calculated on the heat user side is $Q_1 = DIKE_{pv1} \cdot DIKE_{pb2}$
the point calculated on the power plant side is $Q_2 = DIKE_{pv2} \cdot DIKE_{pb1}$
Multiplication on the elliptic curve satisfies the commutative and associative laws, namely:
$Q = Q_1 = DIKE_{pv1} \cdot DIKE_{pb2} = DIKE_{pv1} \cdot DIKE_{pv2} \cdot G = DIKE_{pv2} \cdot DIKE_{pv1} \cdot G = DIKE_{pv2} \cdot DIKE_{pb1} = Q_2$
Both parties therefore obtain the same key Q, which is the pre-master key PMK;
Step 1.11: the master key MK is generated from the three inputs $R_1$, $R_2$ and PMK by the PRF pseudo-random function:
$MK = PRF(PMK, R_1 + R_2)$
The master key MK and the random numbers $R_1$, $R_2$ are then passed through the PRF pseudo-random function again, and the output is split in order to obtain the verification key DAK and the encryption key DEK;
Step 1.12: after key negotiation is complete, the transmission encryption system server at the power plant side sends a message telling the heat user side to switch subsequent communication to encrypted mode, and data is encrypted and decrypted with the SM4 symmetric encryption algorithm.
Requests are processed with an asynchronous non-blocking mechanism and a multi-process mechanism, so that concurrent requests from a large number of users can be handled at the same time.
The asynchronous non-blocking mechanism lets the transmission encryption system process many requests: when a sub-process receives a request from the heat user side it calls I/O to process it, and if the result is not immediately available it goes on to process other requests (i.e. non-blocking); during this time the heat user side does not need to wait for the response and can do other things (i.e. asynchronous). When the I/O returns, the sub-process is notified; it then temporarily suspends the transaction it is currently processing and responds to the request from the heat user side. This way of scheduling processes is implemented by the event-driven model of the transmission encryption system server.
The event-driven model is composed of three basic units, namely an event collector, an event transmitter and an event processor.
An event collector: the system is responsible for collecting various IO requests of a work process;
an event transmitter: responsible for sending IO events to the event handler;
an event handler: is responsible for responding to various events.
The event sender puts each request into a pending event list and invokes the event handler to handle the request using non-blocking I/O.
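The three units of the event-driven model described above, as an added single-worker example that is not the patent's implementation: the collector asks the selector which connections are readable, the sender queues them in the pending event list and invokes the handler, and the handler reads with non-blocking I/O. The class and function names, the `ACK` reply and the constructed meter readings are assumptions; `socket.socketpair()` stands in for heat user connections so the example runs offline.

```python
import selectors
import socket


class Worker:
    """One worker's loop: event collector -> event sender -> event handler."""

    def __init__(self):
        self.selector = selectors.DefaultSelector()
        self.pending = []                      # the pending event list

    def watch(self, conn):
        conn.setblocking(False)                # reads must never stall the worker
        self.selector.register(conn, selectors.EVENT_READ)

    def collect(self, timeout=1.0):
        """Event collector: return the connections with I/O ready right now."""
        return [key.fileobj for key, _ in self.selector.select(timeout)]

    def dispatch(self, ready):
        """Event sender: queue each ready request, then invoke the handler."""
        self.pending.extend(ready)
        handled = 0
        while self.pending:
            handled += self.handle(self.pending.pop(0))
        return handled

    def handle(self, conn):
        """Event handler: non-blocking read, reply, or clean up on EOF."""
        try:
            data = conn.recv(4096)
        except BlockingIOError:
            return 0                           # nothing to read after all; move on
        if not data:
            self.selector.unregister(conn)
            conn.close()
            return 0
        # A short reply fits the socket buffer; a full server would queue
        # unsent bytes and wait for EVENT_WRITE instead.
        conn.sendall(b"ACK " + data)
        return 1


def demo():
    """Three connected meters, one of them idle; the idle one must not block the others."""
    worker = Worker()
    meters, server_sides = [], []
    for _ in range(3):
        meter, server_side = socket.socketpair()
        worker.watch(server_side)
        meters.append(meter)
        server_sides.append(server_side)
    meters[0].sendall(b"flow=1.2")             # constructed sample readings
    meters[2].sendall(b"flow=3.4")
    handled = worker.dispatch(worker.collect())
    replies = [meters[0].recv(64), meters[2].recv(64)]
    worker.selector.close()
    for s in meters + server_sides:
        s.close()
    return handled, replies


if __name__ == "__main__":
    print(demo())
```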
In the multi-process mechanism, when the transmission encryption system server at the power plant side receives a connection from a heat user, the server's main process spawns a sub-process that establishes the connection with the heat user side and interacts with it until the connection is closed;
the processes are therefore independent of one another and do not affect each other, no locking is needed, and the performance cost of using locks is reduced. The multi-process start-up and execution flow is as follows:
after the main program is started, receiving and processing an external signal through a for loop;
the main process generates working sub-processes through a fork () function, and each sub-process executes a for loop to realize the receiving and processing of the event by the transmission encryption system.
The transmission encryption system provides a binding option of CPU affinity for better utilizing the characteristics of multiple cores, and a certain process can be bound on a certain core, so that the Cache failure caused by the switching of the process can be avoided.
Each request is processed by one and only one worker process. Every worker process is forked from the main process: after the main process has created the socket to listen on, it forks a number of worker processes;
when a new connection arrives, the listening socket becomes readable in all worker processes. To ensure that only one process handles the connection, all worker processes compete for the mutex accept_mutex before registering the read event of listenfd; the process that obtains the mutex registers the read event of listenfd and calls accept in the read event to accept the connection.
After a worker process has accepted the connection, it reads the request, parses it, processes it, generates the data, returns the data to the client and finally closes the connection; this is one complete request. A request is handled entirely by one worker process and only within that worker process.
While the transmission encryption system is running, the main process and the worker processes need to interact. This interaction relies on pipes implemented with sockets.
Step 2: the heat supply network data collected by the totalizer is encrypted with a national cryptographic algorithm, carried as ciphertext over TCP, and sent by wireless transmission to the transmission encryption system server at the power plant side, where it is decrypted to obtain the plaintext;
Step 3: the plaintext data is sent to the IP address and port of the interface platform server of the intelligent heat supply network management system; the plaintext is passed to the interface platform of the intelligent heat supply network management system, parsed, and stored in the heat supply network real-time database;
Step 4: the intelligent heat supply network management system calls the interface provided by the database to write data back; solenoid valve control instructions from the power plant side to the heat user side are issued through the database, and the transmission encryption system encrypts the control instructions to protect them.
In summary, the invention solves the safety protection problem of data plaintext transmission in the intelligent heat supply network scene under the condition of not influencing the original service. A transient session window is established by deploying a transmission encryption system and adopting an event-driven model of a dynamic connection pool and a connection multiplexing technology based on a domestic cryptographic algorithm; a perfect key management system is established, invalid keys are cleared in time, a large amount of storage space and system resources are saved, the whole data transmission and service processing speed is improved, and a request processing mode such as a multi-process mechanism and an asynchronous non-blocking mechanism is adopted, so that concurrent requests of a large number of hot users, safe data transmission and safe issuing of control instructions are met.
Specifically, after the transmission encryption system has bundled a large number of heat user connection requests, it does not hold each user's tunnel connection open until the user disconnects, as a traditional VPN does; like a load balancing system, it keeps only a short session window and then allocates the connection resources to other new connections and data requests.
The transmission encryption system establishes a plurality of TCP connections with the intelligent heat supply network management system server at the rear end in advance and keeps the TCP connections continuously, so that the number of connections of the heat user end to be processed by the rear end server is reduced, the connection processing speed is increased, and the processing capacity of the intelligent heat supply network management system is improved. Different from other connection optimization technologies, the transmission encryption system adopts a dynamic connection pool mode, when each hot user request is sent to the transmission encryption system, according to a load balancing strategy, the system searches for an idle connection in a server end to which the request is sent, if the idle connection exists, the request is directly sent to the server through the connection, and if the idle connection does not exist, a connection is newly established to communicate with the server end. Therefore, the minimum connection number is always maintained at the server side, and the phenomenon of hot user side request queuing caused by no idle connection is avoided.
The present applicant has described and illustrated embodiments of the present invention in detail with reference to the accompanying drawings, but it should be understood by those skilled in the art that the above embodiments are merely preferred embodiments of the present invention, and the detailed description is only for the purpose of helping the reader to better understand the spirit of the present invention, and not for limiting the scope of the present invention, and on the contrary, any improvement or modification made based on the spirit of the present invention should fall within the scope of the present invention.

Claims (12)

1. An intelligent heat supply network data transmission safety protection system, comprising a transmission encryption system at the heat user side and a transmission encryption system server at the power plant side, characterized in that:
the transmission encryption system is integrated in the heat user totalizer in the form of a national-cryptography security SDK;
the transmission encryption system server is deployed at the data ingress and egress of the intelligent heat supply network management system server at the power plant side;
the transmission encryption system establishes a key management mechanism and a secure data transmission channel between the heat user side and the power plant side; the transmission encryption system server at the power plant side acts as a reverse proxy server for the intelligent heat supply network management system and at the same time offloads authentication, data encryption and decryption for the encrypted connections, thereby protecting intelligent heat supply network data transmission;
when intelligent heat supply network data transmission is protected by means of the intelligent heat supply network data transmission safety protection system, a security service must first be started and a secure channel established before the session begins, and secure channel initialization is performed between the heat user side transmission encryption system and the transmission encryption system server at the power plant side, the secure channel initialization comprising:
1): the heat user side initiates an access request to the transmission encryption system server at the power plant side; the request contains the list of protocol versions and cipher suites supported by the heat user side, and a random number $R_1$ is generated;
2): the transmission encryption system server at the power plant side responds to the request, determines the protocol version and cipher suite to be used, and generates a random number $R_2$;
3): the transmission encryption system server at the power plant side sends its national-cryptography signature certificate and encryption certificate to the heat user side;
4): the transmission encryption system server at the power plant side determines the elliptic curve and its base point G, and keeps $R_2$ locally as the power-plant-side elliptic curve private key $DIKE_{pv2}$; from the base point G and the private key $DIKE_{pv2}$ it calculates the power-plant-side elliptic curve public key $DIKE_{pb2}$,
wherein:
$DIKE_{pb2} = DIKE_{pv2} \cdot G$
$DIKE_{pb2}$ and G are sent to the heat user side as key parameters, in preparation for generating the pre-master key PMK, and the signature-key private key $DIKS_{pv2}$ is used to sign the power-plant-side elliptic curve public key $DIKE_{pb2}$;
5): the transmission encryption system server at the power plant side finishes sending the content of its response;
6): the heat user side transmission encryption system verifies whether the certificate of the power plant side is legitimate, specifically:
the certificate chain is verified level by level to confirm the authenticity of the certificate; the signature is then verified with the certificate's signature-key public key $DIKS_{pb2}$ to confirm the peer's identity;
7): the heat user side transmission encryption system sends its national-cryptography signature certificate and encryption certificate to the power plant side;
8): the heat user side transmission encryption system generates the random number $R_1$ and keeps it locally as the heat-user-side elliptic curve private key $DIKE_{pv1}$; from the known base point G and the private key $DIKE_{pv1}$ it calculates the heat-user-side elliptic curve public key $DIKE_{pb1}$,
wherein:
$DIKE_{pb1} = DIKE_{pv1} \cdot G$
$DIKE_{pb1}$ is sent to the power plant side as a key parameter, in preparation for generating the pre-master key PMK, and the signature-key private key $DIKS_{pv1}$ is used to sign the elliptic curve public key $DIKE_{pb1}$ for the power plant side;
9): the transmission encryption system server at the power plant side checks whether the certificate of the heat user side is legitimate, specifically:
the certificate chain is verified level by level to confirm the authenticity of the certificate, and the signature is then verified with the certificate's signature-key public key $DIKS_{pb2}$ to confirm the peer's identity;
10): the two parties obtain each other's public keys $DIKE_{pb1}$ and $DIKE_{pb2}$, and each calculates its point Q from the peer's public key and its own private key;
wherein:
the point calculated on the heat user side is $Q_1 = DIKE_{pv1} \cdot DIKE_{pb2}$
the point calculated on the power plant side is $Q_2 = DIKE_{pv2} \cdot DIKE_{pb1}$
multiplication on the elliptic curve satisfies the commutative and associative laws, namely:
$Q = Q_1 = DIKE_{pv1} \cdot DIKE_{pb2} = DIKE_{pv1} \cdot DIKE_{pv2} \cdot G = DIKE_{pv2} \cdot DIKE_{pv1} \cdot G = DIKE_{pv2} \cdot DIKE_{pb1} = Q_2$
both parties therefore obtain the same key Q, which is the pre-master key PMK;
11): the master key MK is generated from the three materials $R_1$, $R_2$ and PMK, and the encryption key DEK and the verification key DAK are calculated from the master key MK;
12): and after the key negotiation is finished, the server side of the power plant side transmission encryption system sends a message to inform the hot user side to switch the subsequent communication mode into an encryption mode, and the SM4 symmetric encryption algorithm is adopted to encrypt and decrypt data.
2. The system of claim 1, wherein the security system comprises:
the transmission encryption system re-encapsulates the incoming packet through the proxy mode to realize data communication encryption, changes the data processing logic through function replacement, and the function calls the cryptographic SSL acceleration engine to complete the forwarding of data encryption or decryption, specifically,
the encryption protocol of the communication of the transmission encryption system is packaged according to the national security SSL VPN standard so as to ensure the security of network transmission data.
3. The system of claim 2, wherein the security system comprises:
the transmission encryption system provides a secure transmission channel delivery service of TCP + SSL/TLS through embedding a TCP service module, meets a TCP network application system based on an SSL/TLS security protocol or a traditional TCP network application system without a security strategy, and realizes rapid security guarantee and acceleration of the transmission channel.
4. The system of claim 1, wherein the security system comprises:
the transmission encryption system adopts an event-driven model of a dynamic connection pool and a connection multiplexing mode to construct a safety data transmission channel between a hot user side and a power plant side based on a domestic cryptographic algorithm, and is used for batch user connection to realize session acceleration.
5. The system of claim 4, wherein the security system comprises:
the event driven model comprises an event collector, an event transmitter and an event processor;
the event collector is used for collecting various I/O requests of the work process;
the event transmitter is used for transmitting the I/O event to the event processor;
the event processor is used for responding various events;
the event sender puts each request into a pending event list and invokes the event handler to handle the request using non-blocking I/O.
6. The system of claim 1, wherein the security system comprises:
the transmission encryption system at the hot user side realizes encryption and decryption functions by calling various interfaces, including a verification API and an encryption API;
the management and authentication functions of the KEY are realized by using USB-KEY, and each USB-KEY can only be bound with one hot user totalizer;
the server end of the transmission encryption system at the power plant side realizes various domestic encryption algorithms including SM2, SM3 and SM4 through PCIe encryption cards.
7. The system of claim 1, wherein the security system comprises:
the transmission encryption system has a five-layer key management system comprising the device master key DMK, the device identity key pair and certificate DIK, the pre-master key PMK, the master key MK, and the encryption key DEK and verification key DAK.
8. The system of claim 7, wherein the security system comprises:
the key management mechanism of the transmission encryption system specifically comprises:
(1) key generation: the transmission encryption system server at the power plant side generates random numbers with 4 WNG8 physical noise source generators approved by the State Cryptography Administration and outputs them after XOR logic to generate keys; the heat user side totalizer uses the USB-KEY to generate random numbers and thereby obtain keys;
(2) secure key storage: the device master key DMK is stored in a security chip or the USB-KEY; the DIK is protected by the DMK and stored in the transmission encryption system; the session keys of each connection reside in system memory and are protected by the boundary of the transmission encryption system; none of the keys involved ever appears in plaintext outside the system;
(3) controlled key use: namely setting key attributes, including:
the type of the key determines which types of operations can be performed by the key:
1) signature key pair and certificate: for identity authentication;
2) encryption key pair and certificate: for Session key exchange;
3) session key: comprises the encryption key DEK and the verification key DAK, and is used for encryption and integrity verification of application data;
algorithm identification, which indicates the algorithm to be used in the operation of the key;
(4) key destruction:
when the system is initialized, the DMK is regenerated, and the old DMK is covered by the new DMK;
when the system is reinitialized, the file of the old device identity key pair DIK is overwritten 10 times with an "all 0" file, so that the old device identity key pair DIK cannot be recovered;
the pre-master key PMK is destroyed after the master key MK has been calculated;
the master key MK is destroyed after the encryption key DEK and the verification key DAK have been calculated;
the encryption key DEK and the verification key DAK are destroyed when the session ends;
and after the session is finished, the PMK, MK, DAK and DEK keys existing in system memory are destroyed by clearing their buffers to 0, and the memory buffers are released after the keys are destroyed.
9. A safety protection method for data transmission of an intelligent heat supply network, characterized in that the method comprises the following steps:
step 1: before the session starts, starting a security service and establishing a security channel;
in step 1, the method further comprises the steps that a server side of the heat user side transmission encryption system and a server side of the power plant side transmission encryption system are initialized to form a safety channel, and the initialization of the safety channel comprises the following steps:
step 1.1: the heat user side initiates an access request to the server side of the power plant side transmission encryption system; the transmitted content comprises the protocol version and the cipher suite list supported by the heat user side, and a random number $R_1$ is generated;
step 1.2: the server side of the power plant side transmission encryption system responds to the request, determines the protocol version and cipher suite to be used, and generates a random number $R_2$;
step 1.3: the server side of the power plant side transmission encryption system sends its national cryptographic (SM) signature certificate and encryption certificate to the heat user side;
step 1.4: the server side of the power plant side transmission encryption system determines the elliptic curve and its base point $G$, and takes $R_2$ as the power plant side elliptic curve private key $DIKE_{pv2}$, which remains local; from the base point $G$ and the private key $DIKE_{pv2}$ it calculates the power plant side elliptic curve public key $DIKE_{pb2}$,
wherein:
$$DIKE_{pb2} = DIKE_{pv2} * G$$
$DIKE_{pb2}$ and $G$ are sent as key parameters to the heat user side in preparation for generating the pre-master key PMK, and the signature private key $DIKS_{pv2}$ is used to sign the power plant side elliptic curve public key $DIKE_{pb2}$;
step 1.5: the server side of the power plant side transmission encryption system finishes sending the content of its response to the request;
step 1.6: the heat user side transmission encryption system verifies whether the certificate of the power plant side is legitimate, specifically:
the certificate chain is verified step by step to confirm the authenticity of the certificate; the signature is then verified with the signature public key $DIKS_{pb2}$ of the certificate to confirm the identity;
step 1.7: the heat user side transmission encryption system sends its national cryptographic (SM) signature certificate and encryption certificate to the power plant side;
step 1.8: the heat user side transmission encryption system generates a random number $R_1$ as the heat user side elliptic curve private key $DIKE_{pv1}$, which remains local; from the known base point $G$ and the private key $DIKE_{pv1}$ it calculates the heat user side elliptic curve public key $DIKE_{pb1}$,
wherein:
$$DIKE_{pb1} = DIKE_{pv1} * G$$
$DIKE_{pb1}$ is sent as a key parameter to the power plant side in preparation for generating the pre-master key PMK, and the signature private key $DIKS_{pv1}$ is used to sign the power plant side elliptic curve public key $DIKE_{pb1}$;
step 1.9: the server side of the power plant side transmission encryption system checks whether the certificate of the heat user side is legitimate, specifically:
the certificate chain is verified step by step to confirm the authenticity of the certificate; the signature is then verified with the signature public key $DIKS_{pb2}$ of the certificate to confirm the identity;
step 1.10: both parties obtain each other's public keys $DIKE_{pb1}$ and $DIKE_{pb2}$, and each calculates its calculation point $Q$ from the other party's public key and its own private key;
wherein:
the calculation point on the heat user side is $Q_1 = DIKE_{pv1} * DIKE_{pb2}$;
the calculation point on the power plant side is $Q_2 = DIKE_{pv2} * DIKE_{pb1}$;
the elliptic curve satisfies the multiplicative commutative law and the associative law, namely:
$$Q = Q_1 = DIKE_{pv1} * DIKE_{pb2} = DIKE_{pv1} * DIKE_{pv2} * G = DIKE_{pv2} * DIKE_{pv1} * G = DIKE_{pv2} * DIKE_{pb1} = Q_2$$
the two parties thus obtain the same key $Q$, which is the pre-master key PMK;
step 1.11: the master key MK is generated from the three materials "$R_1$ + $R_2$ + PMK", and the encryption key DEK and the verification key DAK are calculated from the master key MK;
step 1.12: after the key agreement is finished, the server side of the power plant side transmission encryption system sends a message to inform the heat user side to switch subsequent communication to encrypted mode, and data are encrypted and decrypted with the SM4 symmetric encryption algorithm;
step 2: the heat supply network data collected by the totalizer is encrypted with a national cryptographic (SM) algorithm, carried over TCP (transmission control protocol), transmitted wirelessly to the power plant side transmission encryption system server, and decrypted there to obtain the plaintext;
step 3: the plaintext is transmitted to the interface platform of the intelligent heat supply network management system for parsing and stored in the heat supply network real-time database;
step 4: the intelligent heat supply network management system calls the interface provided by the database to write data back; the solenoid valve control instructions from the power plant side to the heat user side are issued through the database, and the transmission encryption system encrypts the control instructions for security protection.
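The key agreement in steps 1.4 to 1.11, as an added example that is not part of the patent text: both sides compute Q on the SM2 recommended curve and derive MK, DEK and DAK from it. Assumptions not in the claims: fresh ephemeral private keys kept separate from the hello randoms R1 and R2, the x-coordinate of Q as the PMK, a TLS-style HMAC expansion with SHA-256 standing in for SM3, the labels and key lengths, and an on-curve check of the received public key; certificate and signature verification (steps 1.3, 1.6, 1.7, 1.9) are omitted.

```python
import hashlib, hmac, secrets

# SM2 recommended curve sm2p256v1: y^2 = x^3 + A*x + B over GF(P), base point G of order N
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def on_curve(pt):
    # Reject infinity (None) and any (x, y) that does not satisfy the curve equation.
    return pt is not None and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def add(p1, p2):
    # Affine point addition; None is the point at infinity.
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    # Double-and-add k*pt. Not constant-time: for illustration, not production use.
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def prf(secret, label, seed, length):
    # TLS-style P_hash expansion; HMAC-SHA-256 stands in for HMAC-SM3 (assumption).
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]

def session_keys(priv, peer_pub, r1, r2):
    # Steps 1.10-1.11 for one side: Q = priv * peer_pub -> PMK -> MK -> (DEK, DAK).
    if not on_curve(peer_pub):
        raise ValueError("peer public key is not a point on the SM2 curve")
    pmk = mul(priv, peer_pub)[0].to_bytes(32, "big")   # x-coordinate of Q (assumption)
    mk = prf(pmk, b"master secret", r1 + r2, 48)       # labels are assumptions
    block = prf(mk, b"key expansion", r1 + r2, 48)
    return block[:16], block[16:]                      # DEK for SM4 (128 bit), DAK

def handshake():
    # Constructed run: fresh hello randoms and fresh ephemeral private keys per session.
    r1, r2 = secrets.token_bytes(32), secrets.token_bytes(32)
    pv1, pv2 = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    pb1, pb2 = mul(pv1, G), mul(pv2, G)                # DIKEpb1, DIKEpb2
    return session_keys(pv1, pb2, r1, r2), session_keys(pv2, pb1, r1, r2)
```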
10. The method of claim 9, wherein the security protection method for intelligent heat supply network data transmission comprises:
in step 1, the heat user totalizer starts the transmission encryption system by calling the national cryptographic (SM) SDK and initiates a connection request; the transmission encryption system starts the security service, authenticates the identities of both communication parties, and establishes a security channel, specifically:
before transmitting data to the intelligent heat supply network management system at the power plant side, the heat user side establishes an SSL security channel with the power plant side according to the national cryptographic (SM) SSL v1.1 handshake protocol;
and two-way authentication based on PKI and digital certificate technology is adopted to identify both communication parties, namely a preset security certificate is used to authenticate the identity of the opposite end, so that only pre-configured equipment can establish a security channel; the identity authentication adopts a two-way TLS protocol and uses the SM2 and SM3 algorithms.
11. The method of claim 9, wherein the security protection method for intelligent heat supply network data transmission comprises:
in step 1, an asynchronous non-blocking mechanism and a multi-process mechanism are adopted for request processing;
the asynchronous non-blocking mechanism implements process calling based on an event-driven model; asynchronous non-blocking means that the transmission encryption system can process a plurality of requests: when a subprocess receives a request from the heat user side, it calls I/O for processing, and if a result cannot be obtained immediately it goes on to process other requests, which is the non-blocking part; the heat user side does not need to wait for the response in the meantime and can do other things, which is the asynchronous part; when the I/O returns, the subprocess is notified; on notification, the process temporarily suspends the transaction it is currently processing and responds to the request from the heat user side.
12. The method of claim 11, wherein the security protection method for intelligent heat supply network data transmission comprises:
the multi-process mechanism means that when the server side of the transmission encryption system at the power plant side receives a connection from a heat user, a sub-process is generated from the main process of the server to establish the connection with the heat user side and interact with it until the connection is closed;
the multi-process starting and executing process comprises the following steps:
after the main program is started, it receives and processes external signals in a for loop;
the main process generates working sub-processes through the fork() function, and each sub-process executes a for loop in which the transmission encryption system receives and processes events;
each request is processed by one and only one working process; every working process is forked from the main process: in the main process, after the socket to be listened on is established, fork produces a plurality of working processes;
the listenfd of every working process becomes readable when a new connection arrives; the working processes compete for the exclusive lock accept_mutex before registering the listenfd read event; the process that acquires the exclusive lock registers the listenfd read event and calls accept in the read event to accept the connection;
after a working process has accepted the connection, it reads the request, parses the request, processes the request, generates data, returns the data to the client, and finally closes the connection, which constitutes one complete request.
CN202110816058.3A 2021-07-20 2021-07-20 Intelligent heat supply network data transmission safety protection system and method Active CN113300845B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110816058.3A CN113300845B (en) 2021-07-20 2021-07-20 Intelligent heat supply network data transmission safety protection system and method

Publications (2)

Publication Number Publication Date
CN113300845A CN113300845A (en) 2021-08-24
CN113300845B true CN113300845B (en) 2022-07-05

Family

ID=77330861

Country Status (1)

Country Link
CN (1) CN113300845B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant