Method for communication key configuration and update management in transformer substation
Technical Field
The invention relates to the field of communication security of a power system, in particular to a method for distributing and updating a communication key for encryption and authentication of a substation.
Background
With the wide application of computer and communication technology, network security problems in the power system have become increasingly prominent. Authentication and encryption are the common means of strengthening communication security, and the secure management of keys is a core component of system security; it is also usually the most costly part to manage, so both the security and the convenience of key management are particularly important.
The source end generates an asymmetric key pair and has it issued (certified) through the digital certificate management center; because the private key never leaves the device, its security is guaranteed to the greatest possible extent. In a transformer substation, embedded equipment has limited resources, so frequent generation of key pairs may create a system resource bottleneck and disturb normal operation; at the same time, frequently triggering key-pair generation can be used to maliciously disrupt system operation, which is a security risk. With authority management, key-pair generation can only be triggered by an authenticated legal user, which effectively avoids frequent malicious triggering of key-pair generation causing a denial of service to the system. However, maintaining and managing substation keys through authority-based access control has disadvantages: the devices are numerous, operating them one by one through the human-computer interface is laborious and error-prone, management cost is high, and the authority of the operators must itself be managed and maintained. Moreover, most existing (stock) substation equipment does not support human-computer identity verification, so this method has certain limitations when used to control key generation and management.
Disclosure of Invention
The technical problem solved by the invention is as follows: independently of any human-computer interaction authentication technology, the method provides secure management of the equipment keys in the transformer substation, provides the capability of resisting denial of service attacks, and improves the safety and convenience of substation operation management.
In order to achieve this purpose, the invention adopts the following technical scheme. A method for communication key configuration and update management in a transformer substation comprises the following contents. Before key management, the PKI management system is preset with a private key, a digital certificate signed by a trusted authority, and the trust chain digital certificates, denoted PKI_Key, PKI_Crt and PKI_TrustChain respectively. The signature algorithm adopted by the digital certificate is denoted DS_X = Sign(PKI_Key, Hash(X)), where X is the signed content, DS_X is its signature value, and Hash(x) is the message digest algorithm; the signature verification algorithm is denoted Hash(X) = Verify(PKI_Crt.pubkey, DS_X), where PKI_Crt.pubkey is the public key of the digital certificate. Meanwhile, the substation equipment is preset with the CA root digital certificate of the trusted authority.
The key and certificate management of the transformer substation comprises two processes. Process one, which is optional, is the verification of the PKI management system's certificate by the substation equipment, used to establish the identity validity of the PKI management system. Process two is the key and certificate management performed by the PKI management system on the substation equipment, used to issue the substation equipment's certificate, to trigger the substation equipment to generate a key pair, and to authenticate the identity behind the certificate request.
Further, the verification of the PKI management system's certificate by the substation equipment is an optional process. It needs to be applied when the PKI management system performs key and certificate management of the substation equipment for the first time, or performs it again after the PKI management system's key and digital certificate have been updated; it may be omitted if the substation equipment has already correctly recorded the digital certificate of the PKI management system.
Further, the specific steps of the verification of the PKI management system's certificate by the substation equipment are as follows:
The PKI management system transmits its own digital certificate PKI_Crt and the trust chain digital certificates PKI_TrustChain to the substation equipment; the substation equipment builds the trust chain from the signature information of these certificates, then applies the CA digital certificate of the preset trusted authority to verify the signature information of each digital certificate step by step along the trust chain; if all signature information passes verification, the substation equipment records and applies the digital certificate PKI_Crt of the PKI management system.
Before the substation equipment has a valid record of the digital certificate PKI_Crt, it does not respond to the key and certificate management messages of the PKI management system; once PKI_Crt has been validly recorded, it starts responding to the PKI management system's management request messages for the device's asymmetric key.
Further, the PKI management system performs a key and certificate management process on the substation equipment, and the specific steps are as follows:
Step 1: the substation equipment checks the state of its own digital certificate; if there is no valid digital certificate, or the digital certificate is close to expiry, it actively generates an asymmetric key pair and a digital certificate request file CrtReq_File; then it waits to respond to a communication link request from the PKI management system.
Step 2: the PKI management system checks the communication state with the substation equipment, and establishes and maintains the link; after the link is established, it sends the certificate acquisition request message GetCrtReqMsg, then waits for a response and enters step 4.
Step 3: after the substation equipment receives the certificate acquisition request message, if the digital certificate request file CrtReq_File does not exist, it generates a PKI check file ChkPKI_File containing a single short-term valid random number Random; then it responds with the check request message ChkPKIReqMsg, transmitting the file ChkPKI_File to the PKI management system; after transmission is complete, it switches to the PKI verification state machine and enters step 5. If CrtReq_File has already been generated, it responds with the certificate sending request message SendCrtReqMsg, transmitting the file CrtReq_File to the PKI management system; after transmission is complete, it switches to the certificate verification state machine and enters step 7.
Step 4: after receiving the response message, the PKI management system analyzes its type. If it is a check request message, it extracts the random number Random' from the received check file ChkPKI'_File and signs it, denoted DS_Random' = Sign(PKI_Key, Hash(Random')); then it creates the check reply file ChkRsp_File from the signature value DS_Random' and transmits the file ChkRsp_File to the corresponding substation equipment with the check response message ChkPKIRspMsg; after transmission is complete, return to step 2. If the message is a certificate sending request message, enter step 6. If no response message, or a message of another type, is received for a long time, return to step 2.
Step 5: after the substation equipment enters the PKI verification state machine, if a check response message is received within the valid time, it extracts the signature value DS'_Random from the received check response file ChkRsp'_File and verifies it, denoted Hash'_R = Verify(PKI_Crt.pubkey, DS'_Random); it also computes the message digest of the random number Random, denoted Hash_R = Hash(Random); if Hash'_R ≡ Hash_R, the check response is judged to pass, and an asymmetric key pair and a digital certificate request file are generated immediately; if the check response fails, or no check response message is received within the valid time, the random number Random is invalidated immediately and the process returns to step 1.
Step 6: after receiving the certificate sending request message, the PKI management system analyzes the content of the digital certificate request file and creates a new digital certificate file NewCrt_File; if the content of the digital certificate request file is valid, it signs the content of the new digital certificate; otherwise, it fills the digital signature field with invalid data; then it transmits the file NewCrt_File to the substation equipment with the certificate issuing message SetNewCrtMsg.
Step 7: after the substation equipment enters the certificate verification state machine, if a certificate issuing message is received within the valid time, it parses the new digital certificate file and verifies its validity; if the public key in the new digital certificate is consistent with the public key of the local key pair, and the digital signature passes verification with PKI_Crt.pubkey, the new digital certificate is judged to be successfully verified, and the new private key and the new digital certificate are applied. If no certificate issuing message is received within the valid time, or verification of the new digital certificate fails, return to step 1.
By applying a single signature verification link over a short-lived random number on the substation equipment side, the invention solves the problem of key pairs being generated by malicious frequent triggering within the validity period of a digital certificate; when no valid digital certificate exists or the certificate is about to expire, the key pair is generated in advance, which simplifies the certificate management flow; through the optional verification of the PKI management system's digital certificate by the substation equipment, repeated verification of the PKI management system's identity is reduced and system efficiency is optimized. The method solves the problem of generating the substation equipment's key pair where authority management is not supported, takes the efficiency of the management process into account, and improves the security of the management process.
Drawings
Fig. 1 is a schematic diagram illustrating the downloading of a PKI digital certificate and validation by a substation device according to the present invention;
fig. 2 is a schematic diagram of asymmetric key management of substation equipment by applying the PKI management system of the present invention.
Detailed Description
The technical solutions of the present invention will be further described below with reference to the accompanying drawings so that those skilled in the art can better understand the present invention and can implement the present invention. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the scope of the invention.
This embodiment provides a method for communication key configuration and update management in a transformer substation, as follows. The method involves a PKI management system and substation equipment that exchange information over SFTP. Before key management, the PKI management system is preset with a private key, a digital certificate signed by a trusted authority, and the other trust chain digital certificates, denoted PKI_Key, PKI_Crt and PKI_TrustChain respectively. The message digest algorithm and the signature algorithm of the digital certificate are SM3 and SM2 respectively, and the corresponding signature expression is DS_X = SM2(PKI_Key, SM3(X)), where DS_X is the signature value of the signed content X; the signature verification algorithm is SM3(X) = Verify(PKI_Crt.pubkey, DS_X), where PKI_Crt.pubkey is the public key of the PKI management system's digital certificate. In addition, the substation equipment is preset with the CA root digital certificate of the trusted authority.
The asymmetric key management of the substation equipment comprises two processes: (1) verification of the PKI management system's certificate by the substation equipment, and (2) key and certificate management of the substation equipment by the PKI management system.
The verification of the PKI management system's certificate by the substation equipment is an optional process. It needs to be applied when the PKI management system performs key and certificate management of the substation equipment for the first time, or performs it again after the PKI management system's key and digital certificate have been updated; it may be omitted if the substation equipment has already correctly recorded the digital certificate of the PKI management system.
The verification process of the substation equipment on the certificate of the PKI management system is shown in fig. 1, and the specific steps are as follows:
The PKI management system downloads its own digital certificate PKI_Crt and the trust chain digital certificates PKI_TrustChain to the substation equipment over the SFTP protocol; the substation equipment establishes the certificate trust chain from the PKI management system digital certificate and the signature information of each trust chain digital certificate, then applies the CA digital certificate of the preset trusted authority to verify the signature information of each digital certificate step by step along the trust chain; if all signature information passes verification, the substation equipment records and applies the digital certificate PKI_Crt of the PKI management system.
Before the substation equipment has a valid record of the digital certificate PKI_Crt, it does not respond to the key and certificate management messages of the PKI management system; once PKI_Crt has been validly recorded, it starts responding to the PKI management system's management request messages for the device's asymmetric key.
(2) The key and certificate management of the substation equipment by the PKI management system comprises the following specific steps:
Step 1: the substation equipment checks the state of its own digital certificate; if there is no valid digital certificate, or the digital certificate is close to expiry, it generates an asymmetric key pair and a digital certificate request file CrtReq_File; then it waits to respond to an SFTP communication link request from the PKI management system.
Step 2: the PKI management system checks the SFTP communication state with the substation equipment, and establishes and maintains the link; after the link is established, it reads the certificate request directory of the substation equipment over SFTP, waits for the response, and enters step 4.
Step 3: after the substation equipment receives the SFTP request to read the certificate request file directory: if no digital certificate request file CrtReq_File exists, it generates a PKI check file ChkPKI_File containing a single short-term valid random number Random and returns the name of the PKI check file to the PKI management system; then it switches to the PKI verification state machine and enters step 5. If CrtReq_File has already been generated, it returns the name of the digital certificate request file to the PKI management system; then it switches to the certificate verification state machine and enters step 7.
Step 4: after receiving the response, the PKI management system retrieves the corresponding file over SFTP according to the returned file name: if it is a PKI check file ChkPKI'_File, it obtains the random number Random' from the file and signs it, then creates the check response file ChkRsp_File from the signature value, the signature value being computed as DS_Random' = SM2(PKI_Key, SM3(Random')); then it downloads the check response file ChkRsp_File to the corresponding substation equipment over SFTP; after the download is finished, return to step 2. If it is a certificate request file, enter step 6. If no response is received for a long time, or the returned file name information is incorrect, return to step 2.
Step 5: after the substation equipment enters the PKI verification state machine, if the check response file ChkRsp'_File is received within the valid time, it extracts the signature value DS'_Random from the file and verifies the signature, the verification being denoted SM3'_R = Verify(PKI_Crt.pubkey, DS'_Random); it also computes the message digest of the random number Random as SM3_R = SM3(Random); if SM3'_R ≡ SM3_R, the verification is judged to pass, and a new asymmetric key pair and digital certificate request file are generated immediately; if the verification fails, or the check response file is not received within the valid time, the random number Random is invalidated and the process returns to step 1.
Step 6: after receiving the response, the PKI management system retrieves the corresponding file over SFTP according to the returned file name; if it is the certificate request file, it parses and verifies the file content, then creates a new digital certificate file NewCrt_File; if the content of the digital certificate request file is valid, it signs the content of the new digital certificate; otherwise, it fills the digital signature field with invalid data; then it downloads the file NewCrt_File to the substation equipment over the SFTP protocol.
Step 7: after the substation equipment enters the certificate verification state machine, if the digital certificate file NewCrt'_File is received within the valid time, it parses and verifies its validity; if the public key of the digital certificate is consistent with the public key of the local key pair, and the signature passes verification with PKI_Crt.pubkey, the verification is judged successful, and the new private key and the new digital certificate NewCrt'_File are applied. If the certificate signing message is not received within the valid time, or verification of the new digital certificate fails, return to step 1.
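The check-file exchange of steps 3 to 5 (as described both in the summary of the invention and in this SFTP embodiment), as an added example that is not part of the patent: a Go model of the substation equipment side and the signing step of the PKI management system, showing why a single-use, short-lived Random limits key-pair generation to at most one per correctly signed response. It assumes ECDSA P-256 with SHA-256 in place of SM2/SM3 (Go's standard library has neither), that PKI_Crt.pubkey has already been recorded on the device, and the names Device, NewCheckFile, SignCheckFile and VerifyCheckResponse, none of which come from the patent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Device is the substation equipment; pkiPub is PKI_Crt's public key, assumed already recorded via the optional trust-chain check.
type Device struct {
	pkiPub  *ecdsa.PublicKey
	random  []byte            // the single short-term Random of ChkPKI_File; nil when invalid
	expires time.Time         // end of the validity window of Random
	KeyPair *ecdsa.PrivateKey // generated only after a passing check response (step 5)
}

// newPKIKey stands in for PKI_Key generation (ECDSA P-256 replaces SM2 in this example).
func newPKIKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewCheckFile is step 3: a fresh single-use, short-lived Random (the content of ChkPKI_File).
func (d *Device) NewCheckFile(now time.Time, ttl time.Duration) []byte {
	r := make([]byte, 16)
	if _, err := rand.Read(r); err != nil {
		panic(err)
	}
	d.random, d.expires = r, now.Add(ttl)
	return r
}

// SignCheckFile is step 4 on the PKI side: DS_Random' = Sign(PKI_Key, Hash(Random')); SHA-256 replaces SM3.
func SignCheckFile(pkiKey *ecdsa.PrivateKey, random []byte) ([]byte, error) {
	h := sha256.Sum256(random)
	return ecdsa.SignASN1(rand.Reader, pkiKey, h[:])
}

// VerifyCheckResponse is step 5. Random is invalidated whether or not the
// response passes, so one check file can trigger at most one key generation.
func (d *Device) VerifyCheckResponse(sig []byte, now time.Time) error {
	random := d.random
	d.random = nil
	if random == nil || now.After(d.expires) {
		return errors.New("no valid Random outstanding (missing or expired)")
	}
	h := sha256.Sum256(random)
	if !ecdsa.VerifyASN1(d.pkiPub, h[:], sig) {
		return errors.New("response does not verify under PKI_Crt.pubkey")
	}
	d.KeyPair = newPKIKey() // the device's new asymmetric key pair
	return nil
}
```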