CN113364582B - Method for communication key configuration and update management in transformer substation - Google Patents

Method for communication key configuration and update management in transformer substation Download PDF

Info

Publication number
CN113364582B
CN113364582B CN202110510606.XA CN202110510606A CN113364582B CN 113364582 B CN113364582 B CN 113364582B CN 202110510606 A CN202110510606 A CN 202110510606A CN 113364582 B CN113364582 B CN 113364582B
Authority
CN
China
Prior art keywords
pki
file
certificate
digital certificate
management system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110510606.XA
Other languages
Chinese (zh)
Other versions
CN113364582A (en
Inventor
阮黎翔
李广华
王松
戚宣威
李响
丁峰
罗华峰
周强
方芳
沈奕菲
孙文文
王自成
谢豪
陈明
艾文凯
曹文斌
顾浩
李心宇
周进
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Electric Power Research Institute of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
NR Engineering Co Ltd
Electric Power Research Institute of State Grid Zhejiang Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NR Engineering Co Ltd, Electric Power Research Institute of State Grid Zhejiang Electric Power Co Ltd filed Critical NR Engineering Co Ltd
Priority to CN202110510606.XA priority Critical patent/CN113364582B/en
Publication of CN113364582A publication Critical patent/CN113364582A/en
Application granted granted Critical
Publication of CN113364582B publication Critical patent/CN113364582B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a method for communication key configuration and update management in a transformer substation. The invention applies two processes: optionally, the verification process of the substation equipment on the digital certificate of the PKI management system and the management process of the PKI management system on the key and the certificate of the substation equipment are performed. According to the invention, through the signature verification method using the single short-time random number, the generation problem of malicious frequently-triggered key pairs can be effectively resisted within the validity period of the digital certificate, the certificate management process is simplified by generating the key pairs in advance under necessary conditions, and the repeated identity verification process of the PKI management system is reduced by applying the verification process of optional substation equipment to the digital certificate of the PKI management system. The invention not only solves the problem that the substation equipment generates a secret key pair under the condition that the authority management is not supported, but also considers the implementation efficiency of the system and improves the safety of the management process.

Description

Method for communication key configuration and update management in transformer substation
Technical Field
The invention relates to the field of communication security of a power system, in particular to a method for distributing and updating a communication key for encryption and authentication of a substation.
Background
With the large application of computer and communication technology, the network security problem in the power system is increasingly highlighted. Authentication and encryption are common methods for reinforcing communication security, wherein the security management of a secret key is a core component of system security; the part is usually high in management cost, and the security and the convenience of key management are particularly important.
The source end generates an asymmetric secret key pair and issues the asymmetric secret key pair through the digital certificate management center, and the security of the private key is guaranteed to the greatest extent because the private key cannot leave the device. In a transformer substation, embedded equipment is limited by resources, and a key pair is frequently generated to possibly cause system resource bottleneck, so that the normal operation of a system is influenced; meanwhile, the possibility of maliciously damaging the system operation by frequently triggering the generation of the key pair exists, and the security risk exists. Through the authority management, only the generation of the key pair is triggered by the authenticated legal user, so that the problem that the key pair is frequently and maliciously triggered to cause the denial of service attack to the system can be effectively avoided. However, the method for maintaining and managing the transformer substation key through the authority access control has the disadvantages of numerous devices, large workload for operating the device by device through the human-computer interface, high error tendency, high management cost and the like, and also relates to the authority management and maintenance problem of operators. Meanwhile, most stock transformer substation equipment does not support the identity verification function of a human-computer, and certain application limitation exists when the method is used for controlling the generation and management of the secret key.
Disclosure of Invention
The technical problem solved by the invention is as follows: the method is independent of a man-machine interaction authentication technology, provides safety management of equipment keys in the transformer substation, provides the capability of resisting final service attack, and improves the safety and convenience of operation management of the transformer substation.
In order to achieve the purpose, the invention adopts the technical scheme that: a method for communication key configuration and update management in a transformer substation comprises the following contents: before key management, a PKI management system is preset with a private key, a digital certificate signed by a trusted authority and a trust chain digital certificate which are respectively marked as PKIKey、PKICrt、PKITrustChain(ii) a The signature algorithm adopted by the digital certificate is marked as DSx=Sign(PKIKeyHash (X), where X is the signature content, DSxHash (x) is a message digest algorithm; the signature verification algorithm is labeled hash (x) Verify (PKI)Crt.pukkey,DSx),PKICrt.pukkeyIs a digital certificate public key; meanwhile, the substation equipment presets a credible mechanismThe CA root digital certificate of (2);
the key and certificate management of the transformer substation comprises two processes: the process is an optional process, namely, the verification process of the transformer substation equipment on the certificate of the PKI management system is used for realizing the identity validity identification of the PKI management system; and a second process, namely, a PKI management system performs a key and certificate management process on the substation equipment, and the key and certificate management process is used for issuing a certificate of the substation equipment and triggering the substation equipment to generate a key pair and identity authentication of the certificate request.
Further, the verification process of the substation equipment on the certificate of the PKI management system is an optional process, and the process needs to be applied when the PKI management system is applied for key and certificate management of the substation equipment for the first time, or the key and certificate management of the substation equipment is performed again after the key and the digital certificate of the PKI management system are updated; this process may not be applied if the substation device has correctly recorded the digital certificate of the PKI management system.
Further, the verification process of the substation equipment on the certificate of the PKI management system comprises the following specific steps:
the PKI management system PKI converts the digital certificate thereof into a PKICrtTrust chain digital certificate PKITrustChainTransmitting the data to substation equipment; the substation equipment establishes a trust chain according to the signature information of the certificates, and then verifies the signature information of each digital certificate step by step according to the trust chain by applying CA digital certificates of a preset trusted authority; if all the signature information passes the verification, the substation equipment records and applies the digital certificate PKI of the PKI management systemCrt
Digital certificate PKI (public Key infrastructure) without effective record of substation equipmentCrtWhen the PKI management system receives the certificate management message, the symmetric key and the certificate management message are sent to the PKI management system; PKI for effectively recording digital certificateCrtAnd then, starting to respond to the management request message of the PKI management system to the equipment asymmetric key.
Further, the PKI management system performs a key and certificate management process on the substation equipment, and the specific steps are as follows:
step 1: the substation equipment detects the digital certificate state of the equipment, and if no valid digital certificate or digital certificate existsIf the book is close to the book expiration, an asymmetric key pair and a digital certificate request file CrtReq are actively generatedFile(ii) a Then, a communication link request responding to the PKI management system is awaited.
And 2, step: the PKI management system detects the communication state with the substation equipment, and establishes and maintains a link; after the link is established, sending a certificate acquisition request message GetCrtReqMsg and then waiting for a response, and entering step 4.
And step 3: after the transformer substation equipment receives the certificate acquisition request message, if the digital certificate request file CrtReq does not exist, the transformer substation equipment requests a CrtReq fileFileGenerating a PKI check file ChkPKIFileThe file contains a single short-term effective Random number Random; then, responding to the check request message ChkPKIReqMsg, and transmitting the file ChkPKIFileTransmitting to a PKI management system; and after the transmission is finished, switching to a PKI verification state machine, and entering the step 5. If CrtReq has been generatedFileThe file responds to a certificate sending request message SendcrtReqMsg, and the file CrtReq is sentFileTransmitting to a PKI management system; and after the transmission is finished, switching to a certificate verification state machine, and entering the step 7.
And 4, step 4: after receiving the response message, the PKI management system analyzes the type of the response message; if the check request message is the check request message, extracting a check file ChkPKI'FileThe Random number Random' in (1) is further signed and marked as DSRandom'=Sign(PKIKeyHash (Random')); then, the signature value DS is usedRandom'Creating a check reply file ChkRspFileAnd using check response message ChkPKIRspMsg to make file ChkRspFileTransmitting the data to corresponding substation equipment; and after the transmission is finished, returning to the step 2. If the message type is a certificate request sending message, the step 6 is entered. If no response message or other types of messages are received for a long time, returning to the step 2.
And 5: after the transformer substation equipment enters a PKI verification state machine, if a verification response message is received within the effective time, extracting the received verification response file ChkRsp'FileSignature value information DS'RandomAnd the signature value is signed and is marked as Hash'R=Verify(PKICrt.pukkey,DS'Random) (ii) a And calculating a random numberDigest of Random message, marked as HashRHash (random); if of Hash'R≡HashRIf so, judging that the verification response passes, and immediately generating an asymmetric key pair and a digital certificate request file; if the check response is not passed or the check response message is not received within the valid time, immediately invalidating the Random number Random, and returning to the step 1.
And 6: after receiving the certificate sending request message, the PKI management system analyzes the content of the digital certificate request file and creates a new digital certificate NewCrtFile(ii) a If the content of the digital certificate request file is valid, signing the new content of the digital certificate; otherwise, filling the digital signature content with invalid data; then, the certificate issuing message SetNewCrtMsg is used for issuing the file NewCrtFileAnd transmitting the data to substation equipment.
And 7: after the transformer substation equipment enters a certificate verification state machine, if a certificate signing message is received within the valid time, analyzing a new digital certificate file and carrying out validity verification; if the new digital certificate public key information is consistent with the key pair public key and the digital signature passes the PKICrt.pukkeyIf the signature is verified, the new digital certificate is judged to be successfully verified, and the new private key and the new digital certificate are applied. If the certificate signing message is not received within the valid time or the verification of the new digital certificate fails, returning to the step 1.
According to the invention, through applying a single signature verification link of the short-time random number at the substation equipment side, the problem that a secret key pair is generated by malicious frequent triggering within the validity period of a digital certificate is solved; when no valid digital certificate exists or the certificate is about to expire, the management flow of the certificate is simplified by generating a key pair in advance; through the optional process of verifying the digital certificate of the PKI management system by the substation equipment, the process of repeatedly verifying the identity of the PKI management system is reduced, and the system efficiency is optimized. The method solves the problem of generating the key pair of the substation equipment under the condition that the authority management is not supported, gives consideration to the system efficiency of the management process, and improves the safety of the management process.
Drawings
Fig. 1 is a schematic diagram illustrating the downloading of a PKI digital certificate and validation by a substation device according to the present invention;
fig. 2 is a schematic diagram of asymmetric key management of substation equipment by applying the PKI management system of the present invention.
Detailed Description
The technical solutions of the present invention will be further described below with reference to the accompanying drawings so that those skilled in the art can better understand the present invention and can implement the present invention. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the scope of the invention.
The embodiment provides a method for communication key configuration and update management in a transformer substation, which comprises the following steps: the method relates to a PKI management system and substation equipment which perform information interaction through SFTP communication. Before key management, a PKI management system presets a private key, a digital certificate signed by a trusted authority and other trust chain digital certificates which are respectively marked as PKIKey、PKICrt、PKITrustChain(ii) a The message digest algorithm and the signature algorithm of the digital certificate are respectively SM3 and SM2, and the corresponding signature expression is DSx=SM2(PKIKey,SM3(X)), wherein DSxA signature value that is signature content X; signature verification algorithm is SM3(X)=Verify(PKICrt.pukkey,DSx),PKICrt.pukkeyThe system digital certificate public key is managed for PKI. And moreover, the substation equipment presets a CA root digital certificate of a trusted authority.
The asymmetric key management of the substation equipment comprises two processes: the method comprises the steps of verifying a PKI management system certificate by substation equipment, and managing a key and a certificate by the PKI management system to the substation equipment.
The verification process of the substation equipment on the certificate of the PKI management system is an optional process, and the process needs to be applied when the PKI management system is applied for key and certificate management of the substation equipment for the first time or the key and certificate management of the substation equipment is performed again after the key and the digital certificate of the PKI management system are updated; this process may not be applied if the substation device has correctly recorded the digital certificate of the PKI management system.
The verification process of the substation equipment on the certificate of the PKI management system is shown in fig. 1, and the specific steps are as follows:
PKI management system PKI of digital certificate of self through SFTP protocolCrtTrust chain digital certificate PKITrustChainDownloading to substation equipment; the method comprises the steps that the substation equipment establishes a certificate trust chain according to a PKI management system digital certificate and signature information of each digital certificate of the trust chain, and then the CA digital certificates of a preset trusted authority are applied to verify the signature information of each digital certificate step by step according to the trust chain; if all the signature information passes the verification, the substation equipment records and applies the digital certificate PKI of the PKI management systemCrt
Digital certificate PKI (public Key infrastructure) without effective record of substation equipmentCrtWhen the PKI management system receives the certificate management message, the symmetric key and the certificate management message are sent to the PKI management system; PKI for effectively recording digital certificateCrtAnd then, starting to respond to the management request message of the PKI management system to the equipment asymmetric key.
And (II) carrying out a key and certificate management process on the transformer substation equipment by the PKI management system, which comprises the following specific steps:
step 1: the substation equipment detects the state of a digital certificate of the substation equipment, and if no valid digital certificate exists or the digital certificate is close to an over-period, an asymmetric key pair and a digital certificate request file CrtReq are generatedFile(ii) a Then, an SFTP communication link request responding to the PKI management system is awaited.
Step 2: the PKI management system detects the SFTP communication state of the substation equipment, and establishes and maintains a link; and after the link is established, reading the certificate request catalog of the substation equipment through the SFTP, waiting for response, and entering the step 4.
And 3, step 3: after the substation equipment receives an SFTP request for reading a certificate request file directory: if no digital certificate request file CrtReq existsFileThen generating a PKI check file ChkPKI containing single short-term effective Random number RandomFileAnd returning the PKI check file name to the PKI management system; and then, the PKI verification state machine is switched to enter a step 5. If CrtReq has been generatedFileThe file returns the name of the digital certificate request file to the PKI management system(ii) a Then, the process goes to a certificate verification state machine and enters step 7.
And 4, step 4: after receiving the response message, the PKI management system calls the corresponding file through the SFTP according to the returned file name information: check file ChkPKI 'if PKI'FileThen obtaining the Random number Random' of the file to sign, and then creating a check response file ChkRsp according to the signature valueFileThe corresponding signature value calculation procedure is DSRandom'=SM2(PKIKey,SM3(Random')); then, the check response file ChkRsp is processed by SFTPFileDownloading and installing the transformer substation equipment to corresponding transformer substation equipment; and after the downloading is finished, returning to the step 2. If the file is requested for a certificate, step 6 is entered. And if the response message is not received for a long time or the returned file name information is incorrect, returning to the step 2.
And 5: after the substation equipment enters the PKI verification state machine, if a verification response file ChkRsp 'is received in the valid time'FileExtracting the signature value DS 'in the file'RandomAnd performing signature verification, the verification process being marked as SM3'R=Verify(PKICrt.pukkey,DS'Random) (ii) a And with SM3R=SM3(Random) calculating a message digest of the Random number Random; if SM3'R≡SM3RIf yes, judging that the verification is passed, and immediately generating a new asymmetric key pair and a digital certificate request file; and if the verification fails or the verification response file is not received within the valid time, the Random number Random is invalid, and the step 1 is returned.
Step 6: after receiving the response message, the PKI management system calls a corresponding file on the SFTP according to the returned file name information; if the document is requested for the certificate, the document content is analyzed and verified, and then a new digital certificate NewCrt is createdFile(ii) a If the content of the digital certificate request file is valid, signing the new content of the digital certificate; otherwise, filling the digital signature content with invalid data; then, the file NewCrt is converted through the SFTP protocolFileAnd downloading to substation equipment.
And 7: after the transformer substation equipment enters the certificate verification state machine, if the digital certificate file NewCrt 'is received within the valid time'FileAnalyzing and verifying the effectiveness; if the public key of the digital certificate is consistent with the public key of the local key pair, and the signature passes the PKICrt.pukkeyIf the digital signature is verified, the verification is judged to be successful, and a new private key and a new digital certificate NewCrt 'are applied'File. If the certificate signing message is not received within the valid time or the verification of the new digital certificate fails, returning to the step 1.

Claims (7)

1. A method for communication key configuration and update management in a transformer substation is characterized by comprising two processes: the process is an optional process, namely, the verification process of the transformer substation equipment on the certificate of the PKI management system is used for realizing the identity validity identification of the PKI management system; the second process is that the PKI management system performs a key and certificate management process on the substation equipment, and is used for issuing a certificate of the substation equipment and triggering the substation equipment to generate a key pair and identity authentication of the certificate request;
before the management of the key and the certificate, the PKI management system presets a private key, a digital certificate signed by a trusted authority and a trust chain digital certificate which are respectively PKIKey、PKICrtAnd PKITrustChain(ii) a The signature algorithm adopted by the digital certificate is DSx=Sign(PKIKeyHash (X), where X is the signature content, DSxHash (x) is a message digest algorithm; the signature verification algorithm is Hash (X) Verify (PKI)Crt.pukkey,DSx),PKICrt.pukkeyIs a digital certificate public key; meanwhile, the substation equipment presets a CA root digital certificate of a trusted authority;
the second process comprises the following specific steps:
step 1: the substation equipment detects the state of a digital certificate of the substation equipment, and if no valid digital certificate exists or the digital certificate is close to an over-period, an asymmetric key pair and a digital certificate request file CrtReq are actively generatedFile(ii) a Then, waiting for a response to a communication link request of the PKI management system;
and 2, step: the PKI management system detects the communication state with the substation equipment, and establishes and maintains a link; after the link is established, sending a certificate acquisition request message GetCrtReqMsg and then waiting for a response, and entering step 4;
and step 3: after the transformer substation equipment receives the certificate acquisition request message, if the digital certificate request file CrtReq does not exist, the transformer substation equipment requests a CrtReq fileFileGenerating a PKI check file ChkPKIFileThe file contains a single short-term effective Random number Random; then responding to the check request message ChkPKIReqMsg and using the file ChkPKIFileTransmitting to a PKI management system; after the transmission is finished, switching to a PKI verification state machine, and entering the step 5; if CrtReq is presentFileThe file responds to a certificate sending request message SendcrtReqMsg, and the file CrtReq is sentFileTransmitting to a PKI management system; after the transmission is finished, switching to a certificate verification state machine, and entering step 7;
and 4, step 4: after receiving the response message, the PKI management system analyzes the type of the response message; if the check request message is the check request message, receiving a check file ChkPKI'FileAnd creates a check reply file ChkRspFile(ii) a Using check response message ChkPKIRspMsg to convert file ChkRspFileTransmitting the data to corresponding substation equipment; after the transmission is finished, returning to the step 2; if the message type is a certificate sending request message, entering step 6; if no response message or other types of messages are received for a long time, returning to the step 2;
and 5: after the transformer substation equipment enters the PKI verification state machine, if a verification response message is received, a verification response file ChkRsp 'is obtained'FileVerifying the validity of the signature value in the file; if the verification is passed, a new asymmetric key pair and a digital certificate request file are immediately generated; if the verification is not passed or the verification response message is not received within the effective time, immediately invalidating the Random number Random and returning to the step 1;
step 6: after receiving the certificate sending request message, the PKI management system acquires and analyzes a digital certificate request file and creates a new digital certificate NewCrtFile(ii) a If the content of the digital certificate request file is valid, signing the new content of the digital certificate; otherwise, filling the digital signature content with invalid data; then, the certificate issuing message SetNewCrtMsg is used for issuing the file NewCrtFileTransmitting the data to substation equipment;
and 7:after the transformer substation equipment enters a certificate verification state machine, if a certificate signing message is received, a digital certificate file is obtained and validity is verified; if the public key of the digital certificate is consistent with the public key of the key pair, and the certificate signature passes the PKICrt.pukkeyIf the signature is verified, the verification is judged to be successful, and a new private key and a new digital certificate are applied; if the certificate signing message is not received within the valid time or the verification of the new digital certificate fails, returning to the step 1.
2. The method as claimed in claim 1, wherein in step 4, the PKI management system creates a check reply file ChkRspFileThe method comprises the following steps: acquiring check file ChkPKI'FileRandom number Random' and in the formula DSRandom'=Sign(PKIKeyHash (Random')) to sign the Random number; then uses the signature value DSRandom'A check reply file is created as the file content.
3. The method for communication key configuration and update management in the substation according to claim 1, wherein in step 5, the verification method of the substation equipment on the verification response file is as follows: obtaining check reply file ChkRsp'FileSignature value information DS'RandomSigning the value and calculating the formula Hash'R=Verify(PKICrt.pukkey,DS'Random) Analyzing the signature value information to obtain message abstract Hash'R(ii) a Hash with formulaRHash (Random) digest Hash of a message for computing a Random number RandomR(ii) a If of Hash'R≡HashRIf not, the verification is judged to be passed.
4. The method for communication key configuration and update management in the transformer substation according to any one of claims 1 to 3, characterized in that the verification process of the certificate of the PKI management system by the transformer substation equipment is an optional process, and the process is required to be applied when the PKI management system is applied for the first time to perform key and certificate management on the transformer substation equipment or the key and certificate of the PKI management system is updated and then the key and certificate management is performed on the transformer substation equipment again; this process may not be applied if the substation device has correctly recorded the digital certificate of the PKI management system.
5. The method for communication key configuration and update management in the transformer substation according to any one of claims 1 to 3, wherein the first procedure, namely the verification procedure of the PKI management system certificate by the substation equipment, is as follows: the PKI management system PKI converts the digital certificate thereof into a PKICrtTrust chain digital certificate PKITrustChainTransmitting the data to substation equipment; the substation equipment establishes a trust chain according to the signature information of the certificates, and then verifies the signature information of each digital certificate of the trust chain step by using a CA root certificate of a preset trusted authority; if all the signature information passes the verification, the substation equipment records and applies the digital certificate PKI of the PKI management systemCrt
6. The method for communication key configuration and update management in the transformer substation according to any one of claims 1 to 3, wherein the transformer substation equipment does not have a valid PKI management system digital certificate PKICrtAnd no response is made to any key management message of the PKI management system.
7. The method as claimed in claim 6, wherein the digital certificate PKI is effectively recordedCrtAnd then, starting to respond to the management request message of the PKI management system to the equipment asymmetric key.
CN202110510606.XA 2021-05-11 2021-05-11 Method for communication key configuration and update management in transformer substation Active CN113364582B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110510606.XA CN113364582B (en) 2021-05-11 2021-05-11 Method for communication key configuration and update management in transformer substation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110510606.XA CN113364582B (en) 2021-05-11 2021-05-11 Method for communication key configuration and update management in transformer substation

Publications (2)

Publication Number Publication Date
CN113364582A CN113364582A (en) 2021-09-07
CN113364582B true CN113364582B (en) 2022-07-12

Family

ID=77526111

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110510606.XA Active CN113364582B (en) 2021-05-11 2021-05-11 Method for communication key configuration and update management in transformer substation

Country Status (1)

Country Link
CN (1) CN113364582B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114928486B (en) * 2022-05-18 2023-10-17 浙江木链物联网科技有限公司 Industrial control protocol security ferrying method, device and system based on digital certificate and storage medium
CN115277125B (en) * 2022-07-13 2024-02-13 南京国电南自电网自动化有限公司 Substation remote control method and system with bidirectional credibility and safety

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104717211A (en) * 2015-02-16 2015-06-17 中国南方电网有限责任公司 Substation message analysis method based on encryption communication shared secret key management
CN110267270A (en) * 2019-05-07 2019-09-20 国网浙江省电力有限公司电力科学研究院 A kind of substation's inner sensor terminal access Border Gateway authentication intelligence contract
CN111245847A (en) * 2020-01-15 2020-06-05 北京三未信安科技发展有限公司 Lightweight certificateless authentication method, client and system
CN112350826A (en) * 2021-01-08 2021-02-09 浙江中控技术股份有限公司 Industrial control system digital certificate issuing management method and encrypted communication method
CN112367175A (en) * 2020-11-12 2021-02-12 西安电子科技大学 Implicit certificate key generation method based on SM2 digital signature

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9319224B2 (en) * 2013-09-27 2016-04-19 Intel Corporation Public key infrastructure for system-on-chip
US20150281278A1 (en) * 2014-03-28 2015-10-01 Southern California Edison System For Securing Electric Power Grid Operations From Cyber-Attack

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104717211A (en) * 2015-02-16 2015-06-17 中国南方电网有限责任公司 Substation message analysis method based on encryption communication shared secret key management
CN110267270A (en) * 2019-05-07 2019-09-20 国网浙江省电力有限公司电力科学研究院 A kind of substation's inner sensor terminal access Border Gateway authentication intelligence contract
CN111245847A (en) * 2020-01-15 2020-06-05 北京三未信安科技发展有限公司 Lightweight certificateless authentication method, client and system
CN112367175A (en) * 2020-11-12 2021-02-12 西安电子科技大学 Implicit certificate key generation method based on SM2 digital signature
CN112350826A (en) * 2021-01-08 2021-02-09 浙江中控技术股份有限公司 Industrial control system digital certificate issuing management method and encrypted communication method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
电力数字证书查询验证服务系统的研究;余勇等;《电力信息化》;20060920(第09期);全文 *

Also Published As

Publication number Publication date
CN113364582A (en) 2021-09-07

Similar Documents

Publication Publication Date Title
EP1714422B1 (en) Establishing a secure context for communicating messages between computer systems
US8340283B2 (en) Method and system for a PKI-based delegation process
JP5099139B2 (en) How to get and check public key certificate status
WO2022095730A1 (en) Service communication method, system and apparatus, and electronic device
CN110267270B (en) Identity authentication method for sensor terminal access edge gateway in transformer substation
CN102984127A (en) User-centered mobile internet identity managing and identifying method
CN101453334B (en) Access management method and system based Novell network
CN113364582B (en) Method for communication key configuration and update management in transformer substation
CN110225050B (en) JWT token management method
CN111131301A (en) Unified authentication and authorization scheme
CN110958111A (en) Electric power mobile terminal identity authentication mechanism based on block chain
CN105872848B (en) A kind of credible mutual authentication method suitable for asymmetric resource environment
CN104683107A (en) Digital certificate storage method and device, and digital signature method and device
CN104579657A (en) Method and device for identity authentication
JP2020120173A (en) Electronic signature system, certificate issuing system, certificate issuing method, and program
CN110581829A (en) Communication method and device
CN114282267A (en) Token generation method, token signature verification method, device, equipment and storage medium
CN113824566A (en) Certificate authentication method, code number downloading method, device, server and storage medium
JP2020014168A (en) Electronic signature system, certificate issuing system, key management system, and electronic certificate issuing method
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN114650181B (en) E-mail encryption and decryption method, system, equipment and computer readable storage medium
CN116346423A (en) Client data multiple encryption system and method in intelligent Internet of things energy system
CN113872992B (en) Method for realizing remote Web access strong security authentication in BMC system
WO2021170049A1 (en) Method and apparatus for recording access behavior
CN111935164A (en) Https interface request method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221026

Address after: 310014 No. 1, Huadian lane, Zhaohui eighth District, Gongshu District, Hangzhou City, Zhejiang Province

Patentee after: STATE GRID ZHEJIANG ELECTRIC POWER COMPANY LIMITED ELECTRIC POWER Research Institute

Address before: The eight district of Hangzhou city in Zhejiang province 310014 Huadian Zhaohui under No. 1 Lane

Patentee before: STATE GRID ZHEJIANG ELECTRIC POWER COMPANY LIMITED ELECTRIC POWER Research Institute

Patentee before: NR ENGINEERING Co.,Ltd.

TR01 Transfer of patent right