Disclosure of Invention
In view of the above, it is necessary to provide a power data transmission method and system with high communication security.
A power data transmission method is applied to a gateway of a power monitoring platform and comprises the following steps:
acquiring a first protection message sent by an encryption module; the encryption module acquires first request data sent by the application module, and encrypts and integrity-protects the first request data based on a cryptographic algorithm to generate the first protection message; the encryption module and the application module are arranged in the power terminal;
performing integrity verification and decryption on the first protection message based on the national cryptographic (SM) algorithm to obtain second request data, and sending the second request data to a monitoring server;
receiving feedback data sent by the monitoring server, encrypting and integrity-protecting the feedback data based on the national cryptographic algorithm to obtain a second protection message, and sending the second protection message to the encryption module; the encryption module performs integrity verification and decryption on the second protection message based on the national cryptographic algorithm to obtain response data, which it sends to the application module.
In one embodiment, the national cryptographic algorithm is the SM1 algorithm, the SM2 algorithm, or the SM4 algorithm.
In one embodiment, before acquiring the first protection message sent by the encryption module, the method further includes:
performing key agreement with the encryption module based on a network key exchange protocol to obtain a session key pair.
In one embodiment, the network key exchange protocol is the national cryptographic IPSec VPN protocol, and performing key agreement with the encryption module based on the network key exchange protocol to obtain a session key pair includes:
performing working key negotiation with the encryption module based on the national cryptographic IPSec VPN protocol to determine a working key;
receiving a virtual IP request message sent by the encryption module, and feeding back a virtual IP response message to the encryption module according to the virtual IP request message;
under the protection of the working key, performing session key negotiation with the encryption module based on the national cryptographic IPSec VPN protocol to obtain a session key pair.
In one embodiment, the virtual IP request packet and the virtual IP response packet each include a generic attribute payload and a configuration attribute payload.
In one embodiment, the generic attribute payload includes a generic payload header, a generic type, and a generic extension.
In one embodiment, the configuration attribute payload includes a configuration type, a configuration length, and a configuration content.
A power data transmission method is applied to an encryption module of a power terminal and comprises the following steps:
acquiring first request data sent by an application module; the application module is arranged in the power terminal;
encrypting and integrity-protecting the first request data based on a national cryptographic algorithm to generate a first protection message, and sending the first protection message to a gateway of the power monitoring platform;
receiving a second protection message fed back by the gateway, performing integrity verification and decryption on the second protection message based on the national cryptographic algorithm to obtain response data, and sending the response data to the application module;
the second protection message is generated by the gateway after it receives the feedback data sent by the monitoring server and encrypts and integrity-protects the feedback data based on the national cryptographic algorithm; the feedback data is obtained by the monitoring server according to second request data sent by the gateway; and the second request data is obtained by the gateway after integrity verification and decryption are carried out on the second protection message based on the national cryptographic algorithm.
A power data transmission system comprises a power terminal with an application module and an encryption module built in, and a power monitoring platform comprising a gateway and a monitoring server; the encryption module is connected with the application module and the gateway, and the gateway is connected with the monitoring server;
the encryption module acquires first request data sent by the application module, encrypts and integrity-protects the first request data based on a national cryptographic algorithm to generate a first protection message, and sends the first protection message to the gateway; the gateway performs integrity verification and decryption on the first protection message to obtain second request data and sends the second request data to the monitoring server; the monitoring server outputs feedback data according to the second request data; the gateway receives the feedback data, encrypts and integrity-protects it based on the national cryptographic algorithm to obtain a second protection message, and sends the second protection message to the encryption module; and the encryption module performs integrity verification and decryption on the second protection message based on the national cryptographic algorithm to obtain response data and sends the response data to the application module.
In one embodiment, the encryption module is a secure chip or a thin film card.
In the above power data transmission method, the encryption module of the power terminal acquires first request data sent by the application module, encrypts and integrity-protects the first request data based on a national cryptographic algorithm to generate a first protection message, and sends the first protection message to the gateway of the power monitoring platform. The gateway performs integrity verification and decryption on the first protection message to obtain second request data, sends the second request data to the monitoring server, receives the feedback data sent by the monitoring server, encrypts and integrity-protects the feedback data based on the national cryptographic algorithm to obtain a second protection message, and sends the second protection message to the encryption module. Finally, the encryption module performs integrity verification and decryption on the second protection message based on the national cryptographic algorithm to obtain response data and sends the response data to the application module. Remote encrypted transmission of power data is thereby achieved, and the communication security of the power data transmission system is improved.
Detailed Description
To facilitate an understanding of the present application, the present application will now be described more fully with reference to the accompanying drawings. Embodiments of the present application are set forth in the accompanying drawings. This application may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
It will be understood that when an element is referred to as being "connected" to another element, it can be directly connected to the other element or be connected to the other element through intervening elements. Further, "connection" in the following embodiments is understood to mean "electrical connection", "communication connection", or the like, if there is a transfer of electrical signals or data between the connected objects.
As used herein, the singular forms "a", "an" and "the" may include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises/comprising," "includes" or "including," etc., specify the presence of stated features, integers, steps, operations, components, parts, or combinations thereof, but do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.
To enhance the security of the power data transmission process, communication between the power terminal and the power monitoring platform may be based on SSL (Secure Sockets Layer) and TLS (Transport Layer Security). However, communication based on the SSL protocol has two drawbacks. On the one hand, it uses a plaintext key exchange, so certain security weaknesses exist and the improvement in communication security is limited. On the other hand, after the key exchange is completed, the SSL protocol decrypts before verifying integrity, which is inefficient. For these reasons, the present application provides a power data transmission method and system that apply the national cryptographic (SM) IPSec VPN protocol to the power terminal access scenario and solve the problem of secure communication between the power terminal and the monitoring platform. In addition, decryption and integrity verification in the national cryptographic IPSec VPN protocol are performed synchronously, which helps to improve efficiency.
In a first aspect of the present application, a power data transmission method is provided, which is applied to a gateway of a power monitoring platform. As shown in fig. 1, the power data transmission method includes steps S220 to S260.
Step S220: acquiring a first protection message sent by the encryption module.
The power terminal can be a concentrator, a collector, an electric energy meter or the like, and has a built-in encryption module and application module. The power monitoring platform comprises a gateway and a monitoring server. The encryption module can be a security chip or a film card that implements a national cryptographic algorithm, and is used to encrypt and decrypt data so as to ensure its integrity and security.
Further, in one embodiment, the encryption module and the gateway communicate via a national cryptographic IPSec (Internet Protocol Security) channel. National cryptographic IPSec is a protocol suite that protects IP network traffic by encrypting and authenticating IP packets. IPsec mainly includes the Authentication Header (AH), the Encapsulating Security Payload (ESP), the Security Association (SA), and the Internet Key Exchange protocol (IKE). The authentication header provides connectionless data integrity, message authentication and replay protection for IP datagrams; the encapsulating security payload provides confidentiality, data origin authentication, connectionless integrity, replay protection and limited traffic-flow confidentiality; the security association provides algorithms and data packets and the parameters required for AH and ESP operations; the key exchange protocol provides for the generation and exchange of symmetric keys. The IPsec channel is used mainly because the IPsec protocol is a security protection standard that guarantees the confidentiality, integrity and authentication of IP services at the network layer; by introducing cryptographic security mechanisms, IPsec secures network-layer communication.
Specifically, the encryption module acquires first request data sent by the application module, encrypts and integrity-protects the first request data based on a national cryptographic algorithm to generate a first protection message, and then sends the first protection message to the gateway of the power monitoring platform. The type of national cryptographic algorithm is not unique and may be, for example, the SM1 algorithm, the SM2 algorithm, or the SM4 algorithm.
Further, the purpose of integrity protection is to protect the integrity of the data and of its related attributes, which may be compromised in different ways, by preventing or detecting threats. Specifically, an integrity constraint may be set in order to integrity-protect the first request data. For example, an integrity sequence number may be appended to the data item before encryption; alternatively, an encryption chain that extends over a sequence of data items may be generated during encryption. In addition, the gateway may obtain the first protection message actively or passively.
Step S240: performing integrity verification and decryption on the first protection message based on the national cryptographic algorithm to obtain second request data, and sending the second request data to the monitoring server.
The type of the monitoring server is not unique, and may be, for example, a tower server, a rack server, a blade server, a high-density server, a single-socket server, a dual-socket server, or a multi-socket server. Integrity verification means checking whether the data is complete according to the integrity constraints. Specifically, the gateway performs integrity verification and decryption on the first protection message based on the national cryptographic algorithm and, after determining that the data is complete, obtains the second request data and sends it to the monitoring server. Note that the first request data and the second request data are both plaintext request data. If the integrity verification fails, this indicates conditions such as tampering by an attacker and virus attacks; in that case the gateway feeds back abnormality information to the power terminal and terminates the current power data transmission.
Step S260: receiving feedback data sent by the monitoring server, encrypting and integrity-protecting the feedback data based on the national cryptographic algorithm to obtain a second protection message, and sending the second protection message to the encryption module.
Specifically, the monitoring server receives the second request data, extracts the corresponding feedback data according to the second request data, and sends the feedback data to the gateway. After receiving the feedback data, the gateway encrypts and integrity-protects it based on the national cryptographic algorithm to obtain a second protection message and sends the second protection message to the encryption module. Finally, the encryption module performs integrity verification and decryption on the second protection message based on the national cryptographic algorithm to obtain response data and sends the response data to the application module. Similarly, if the integrity verification fails, this indicates conditions such as tampering by an attacker and virus attacks; in that case the encryption module feeds back abnormality information to the application module and terminates the current power data transmission.
In the above power data transmission method, the encryption module of the power terminal acquires first request data sent by the application module, encrypts and integrity-protects the first request data based on a national cryptographic algorithm to generate a first protection message, and sends the first protection message to the gateway of the power monitoring platform. The gateway performs integrity verification and decryption on the first protection message to obtain second request data, sends the second request data to the monitoring server, receives the feedback data sent by the monitoring server, encrypts and integrity-protects the feedback data based on the national cryptographic algorithm to obtain a second protection message, and sends the second protection message to the encryption module. Finally, the encryption module performs integrity verification and decryption on the second protection message based on the national cryptographic algorithm to obtain response data and sends the response data to the application module. Remote encrypted transmission of power data is thereby achieved, and the communication security of the power data transmission system is improved. Furthermore, the national cryptographic algorithm has the advantages of high cipher complexity, high processing speed and low consumption of machine performance; when it is used for encryption and decryption, decryption and integrity verification can be performed synchronously, which improves efficiency.
In one embodiment, as shown in fig. 2, before step S220, the method further includes step S210: performing key agreement with the encryption module based on a network key exchange protocol to obtain a session key pair.
The session key pair refers to keys that two or more entities establish jointly through negotiation; it is computed from parameters generated by each protocol participant. Once the negotiating parties hold the session key pair, the transmitted data is encrypted and decrypted with it, which ensures the security of the data transmission process. The type of key exchange protocol is not unique, and may be, for example, the national cryptographic IPSec VPN (Virtual Private Network) protocol or the Oakley protocol.
Specifically, before normal communication takes place between the gateway of the power monitoring platform and the encryption module in the power terminal, the two perform key agreement through message interaction based on the network key exchange protocol to obtain the session key pair. The number of session key pairs is determined by the number of encryption/decryption operations during communication. In this embodiment there are two session key pairs, that is, four keys in total: an encryption key and an integrity check key for the request direction, and an encryption key and an integrity check key for the response direction.
In the above embodiment, before normal communication is performed, the session key pair is obtained based on the network key exchange protocol, which is beneficial to further ensuring the security of the data transmission process.
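The protection and verification steps S220 to S260, using the two directional session key pairs described above, are sketched below as an added example (not code from the application). Python's standard library has no SM3 or SM4, so HMAC-SHA256 stands in for both the integrity check and the cipher keystream; the keys, the message layout and all names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32    # HMAC-SHA256 tag (stand-in for an SM3-based integrity check)
NONCE_LEN = 16


class IntegrityError(Exception):
    """The protection message is rejected and the transfer is terminated."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for SM4: HMAC-SHA256 run in counter mode as a keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Direction:
    """One session key pair (encryption key + integrity key) for one direction."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.send_seq = 0   # last sequence number sent
        self.recv_seq = 0   # highest sequence number accepted

    def protect(self, data: bytes) -> bytes:
        # The sequence number is attached to the data before encryption.
        self.send_seq += 1
        plaintext = struct.pack(">Q", self.send_seq) + data
        nonce = os.urandom(NONCE_LEN)
        body = nonce + _xor(plaintext, _keystream(self.enc_key, nonce, len(plaintext)))
        return body + hmac.new(self.mac_key, body, hashlib.sha256).digest()

    def unprotect(self, message: bytes) -> bytes:
        if len(message) < NONCE_LEN + 8 + TAG_LEN:
            raise IntegrityError("message too short")
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        # Integrity is verified first; nothing is decrypted on failure.
        if not hmac.compare_digest(tag, expected):
            raise IntegrityError("integrity check failed")
        nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
        plaintext = _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))
        (seq,) = struct.unpack(">Q", plaintext[:8])
        if seq <= self.recv_seq:
            raise IntegrityError("replayed or reordered sequence number")
        self.recv_seq = seq
        return plaintext[8:]


def new_endpoint(keys: dict) -> dict:
    # Each side keeps its own counters but shares the negotiated keys.
    return {name: Direction(*pair) for name, pair in keys.items()}


def demo() -> dict:
    # Constructed keys, standing in for the output of the key negotiation.
    keys = {"request": (os.urandom(16), os.urandom(16)),
            "response": (os.urandom(16), os.urandom(16))}
    terminal, gateway = new_endpoint(keys), new_endpoint(keys)
    results = {}
    first = terminal["request"].protect(b"READ meter=constructed-01")
    results["request"] = gateway["request"].unprotect(first)
    second = gateway["response"].protect(b"kWh=constructed-1234.5")
    results["response"] = terminal["response"].unprotect(second)
    tampered = bytearray(terminal["request"].protect(b"READ meter=constructed-02"))
    tampered[NONCE_LEN + 9] ^= 0x01   # flip one ciphertext bit in transit
    cases = (("tampered", bytes(tampered), gateway["request"]),
             ("replayed", first, gateway["request"]),
             ("reflected", first, terminal["response"]))
    for label, message, receiver in cases:
        try:
            receiver.unprotect(message)
            results[label] = "accepted"
        except IntegrityError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Because the request and response directions use different keys, a captured first protection message cannot be passed back to the terminal as a second protection message; it fails the integrity check in the same way as a tampered one.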
In one embodiment, as shown in fig. 3, the network key exchange protocol is the national cryptographic IPSec VPN protocol, and step S210 includes steps S212 to S216.
Step S212: performing working key negotiation with the encryption module based on the national cryptographic IPSec VPN protocol to determine a working key.
The function of a VPN is to establish a private network over a public network and carry encrypted communication over it. The national cryptographic IPSec VPN protocol is a VPN tunnel protocol based on national cryptographic IPSec and is a layer 3 tunnel protocol. Specifically, the gateway performs working key negotiation with the encryption module based on the national cryptographic IPSec VPN protocol, determines the working key, and establishes a channel that is identity-authenticated and security-protected.
Referring to fig. 4, the message interaction in the working key negotiation proceeds as follows. First, the initiator sends the responder a first message containing proposals such as the first-stage algorithm, the negotiation version and the life cycle; the responder receives the first message and replies with first feedback information containing the first-stage algorithm, the protocol version, a signature, an encryption certificate and so on. Next, the initiator verifies the encryption certificate and exchanges the temporary key, the signature certificate and the signature, and the responder verifies the initiator's signature and generates the first-stage key parameters and the working key. Finally, the initiator and the responder each verify the keys generated in the negotiation to determine the working key. The initiator is the encryption module, and the responder is the gateway.
Step S214: receiving a virtual IP request message sent by the encryption module, and feeding back a virtual IP response message to the encryption module according to the virtual IP request message.
The virtual IP request message and the virtual IP response message are used to allocate a virtual IP address to the terminal so as to support the terminal access scenario. Specifically, referring to fig. 4, the encryption module sends a virtual IP request message to the gateway, and the gateway feeds back a virtual IP response message to the encryption module according to the virtual IP request message in order to allocate the virtual IP address.
In one embodiment, as shown in fig. 5, the virtual IP request message and the virtual IP response message each include a generic attribute payload and a configuration attribute payload.
The generic attribute payload is a payload already contained in the national cryptographic IPSec VPN protocol. The configuration attribute payload is the payload newly added for the virtual IP request message and the virtual IP response message.
In one embodiment, continuing with reference to fig. 5, the generic attribute payload includes a generic payload header, a generic type, and a generic extension. The generic payload header defines the boundary of the payload and is 4 bytes long; the generic type indicates a configuration request and is 1 byte long; the generic extension is a reserved part of the generic payload and is 1 byte long.
In one embodiment, continuing with reference to fig. 5, the configuration attribute payload includes a configuration type, a configuration length, and a configuration content. The configuration type is the requested virtual IP type, such as IPv4 or IPv6; the configuration length defines the byte length of the whole configuration attribute payload; the configuration type and the configuration length together occupy 3 bytes. The configuration content holds the IP address that is fed back, such as an IPv4 address or an IPv6 address. It can be understood that in the virtual IP request message the configuration content is empty and is not padded with data.
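The payload layout described above can be encoded and strictly validated as follows. This is an added example, not code from the application. The text fixes only the field sizes, so the internal layout of the 4-byte header (next payload, reserved, 2-byte total length), the 1 + 2 split of the configuration type and length, and all numeric codes are assumptions; the addresses come from documentation ranges.

```python
import ipaddress
import struct

GENERIC_LEN = 6      # 4-byte header + 1-byte type + 1-byte reserved (from the text)
CONFIG_HDR_LEN = 3   # configuration type + configuration length (from the text)

# Hypothetical codes: the text does not give numeric values.
CFG_REQUEST, CFG_RESPONSE = 1, 2
CFG_IPV4, CFG_IPV6 = 1, 2
ADDR_LEN = {CFG_IPV4: 4, CFG_IPV6: 16}


class PayloadError(ValueError):
    """The virtual IP message is malformed and must be discarded."""


def build(generic_type: int, config_type: int, address: str = None) -> bytes:
    content = ipaddress.ip_address(address).packed if address else b""
    # The configuration length covers the whole configuration attribute payload.
    config = struct.pack(">BH", config_type, CONFIG_HDR_LEN + len(content)) + content
    # Assumed header layout: next payload, reserved, total length.
    header = struct.pack(">BBH", 0, 0, GENERIC_LEN + len(config))
    return header + struct.pack(">BB", generic_type, 0) + config


def parse(buf: bytes) -> dict:
    if len(buf) < GENERIC_LEN + CONFIG_HDR_LEN:
        raise PayloadError("truncated payload")
    _next_payload, _reserved, total_len = struct.unpack_from(">BBH", buf, 0)
    generic_type, _extension = struct.unpack_from(">BB", buf, 4)
    if total_len != len(buf):
        raise PayloadError("header length does not match bytes received")
    if generic_type not in (CFG_REQUEST, CFG_RESPONSE):
        raise PayloadError("unknown generic type")
    config_type, config_len = struct.unpack_from(">BH", buf, GENERIC_LEN)
    if config_type not in ADDR_LEN:
        raise PayloadError("unknown configuration type")
    if config_len != len(buf) - GENERIC_LEN:
        raise PayloadError("configuration length does not match payload")
    content = buf[GENERIC_LEN + CONFIG_HDR_LEN:]
    if generic_type == CFG_REQUEST:
        # A request carries no configuration content and no padding.
        if content:
            raise PayloadError("request must carry empty configuration content")
        return {"kind": "request", "family": config_type, "address": None}
    if len(content) != ADDR_LEN[config_type]:
        raise PayloadError("address length does not match configuration type")
    return {"kind": "response", "family": config_type,
            "address": str(ipaddress.ip_address(content))}


def gateway_reply(request: bytes, pool: dict) -> bytes:
    """Gateway side of step S214: validate the request, answer with an address."""
    req = parse(request)
    if req["kind"] != "request":
        raise PayloadError("expected a virtual IP request")
    return build(CFG_RESPONSE, req["family"], pool[req["family"]])


if __name__ == "__main__":
    # Constructed address pool using documentation ranges.
    pool = {CFG_IPV4: "192.0.2.10", CFG_IPV6: "2001:db8::10"}
    request = build(CFG_REQUEST, CFG_IPV4)
    response = gateway_reply(request, pool)
    print(request.hex(), parse(request))
    print(response.hex(), parse(response))
```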
Step S216: under the protection of the working key, performing session key negotiation with the encryption module based on the national cryptographic IPSec VPN protocol to obtain a session key pair.
Specifically, once the working key is determined, a relatively secure communication channel has been established, and the gateway and the encryption module then perform session key negotiation based on the national cryptographic IPSec VPN protocol. After the key negotiation succeeds, the session key pair is obtained, and encrypted communication between the encryption module and the gateway can begin.
Referring to fig. 4, the message interaction in the session key negotiation proceeds as follows: the initiator sends the responder a second message containing the second-stage algorithm, the life cycle and the key intermediate parameters; the responder receives the second message and replies with second feedback information containing the second-stage algorithm, the life cycle and the key intermediate parameters; the initiator verifies the message and, once verification passes, generates the session key pair.
In the above embodiment, on the one hand, negotiation is carried out in two stages based on the national cryptographic IPSec VPN protocol: the first-stage working key negotiation is performed first in order to protect the second-stage session key negotiation, which further improves communication security. On the other hand, the national cryptographic IPSec VPN protocol is extended with a custom protocol that allocates the terminal's virtual IP address, so the terminal access scenario is supported; this solves the problem that the traditional national cryptographic IPSec protocol is used only for secure communication between networks and cannot support terminal access.
In a second aspect of the present application, a power data transmission method is provided, which is applied to an encryption module of a power terminal. As shown in fig. 6, the power data transmission method includes steps S120 to S160.
Step S120: acquiring first request data sent by an application module.
The application module is arranged in the power terminal, and the power terminal can be a concentrator, a collector, an electric energy meter or the like. The encryption module can be a security chip or a film card that implements a national cryptographic algorithm, and is used to encrypt and decrypt data so as to ensure its integrity and security. Specifically, the first request data is plaintext request data, and the encryption module may actively obtain or passively receive the first request data sent by the application module.
Step S140: encrypting and integrity-protecting the first request data based on a national cryptographic algorithm to generate a first protection message, and sending the first protection message to a gateway of the power monitoring platform.
The power monitoring platform comprises a gateway and a monitoring server. The type of monitoring server is not unique and may be, for example, a tower server, a rack server, a blade server, a high-density server, a single-socket server, a dual-socket server, a multi-socket server, or the like. The type of national cryptographic algorithm is also not unique and may be, for example, the SM1 algorithm, the SM2 algorithm, or the SM4 algorithm. Further, the purpose of integrity protection is to protect the integrity of the data and of its related attributes, which may be compromised in different ways, by preventing or detecting threats. Specifically, an integrity constraint may be set in order to integrity-protect the first request data. For example, an integrity sequence number may be appended to the data item before encryption; alternatively, an encryption chain that extends over a sequence of data items may be generated during encryption.
Further, in one embodiment, the encryption module and the gateway communicate via a national cryptographic IPSec (Internet Protocol Security) channel. National cryptographic IPSec is defined above and is not described again here.
Step S160: receiving a second protection message fed back by the gateway, performing integrity verification and decryption on the second protection message based on the national cryptographic algorithm to obtain response data, and sending the response data to the application module.
The second protection message is generated by the gateway after it receives the feedback data sent by the monitoring server and encrypts and integrity-protects the feedback data based on the national cryptographic algorithm; the feedback data is obtained by the monitoring server according to the second request data sent by the gateway; and the second request data is obtained by the gateway after integrity verification and decryption are carried out on the second protection message based on the national cryptographic algorithm. Integrity verification means checking whether the data is complete according to the integrity constraints.
Specifically, the second request data is plaintext request data. The gateway performs integrity verification and decryption on the first protection message based on the national cryptographic algorithm and, after determining that the data is complete, obtains the second request data and sends it to the monitoring server. The monitoring server receives the second request data, extracts the corresponding feedback data according to the second request data, and sends the feedback data to the gateway. After receiving the feedback data, the gateway encrypts and integrity-protects it based on the national cryptographic algorithm to obtain a second protection message and sends the second protection message to the encryption module. Finally, the encryption module performs integrity verification and decryption on the second protection message based on the national cryptographic algorithm to obtain response data and sends the response data to the application module. Note that if the integrity verification fails at any point in the data transmission process, this indicates conditions such as tampering by an attacker and virus attacks; in that case the gateway or the encryption module feeds back abnormality information and terminates the current power data transmission.
In one embodiment, before step S120, the method further includes: performing key agreement with the gateway based on a network key exchange protocol to obtain a session key pair.
In one embodiment, the network key exchange protocol is the national cryptographic IPSec VPN protocol, and performing key agreement with the gateway based on the network key exchange protocol to obtain a session key pair includes: performing working key negotiation with the gateway based on the national cryptographic IPSec VPN protocol to determine a working key; sending a virtual IP request message to the gateway, and receiving a virtual IP response message fed back by the gateway; and, under the protection of the working key, performing session key negotiation with the gateway based on the national cryptographic IPSec VPN protocol to obtain a session key pair.
For the specifics of the communication process between the encryption module and the gateway, refer to the method embodiment of the first aspect; they are not repeated here.
In the above power data transmission method, the encryption module of the power terminal acquires first request data sent by the application module, encrypts and integrity-protects the first request data based on a national cryptographic algorithm to generate a first protection message, and sends the first protection message to the gateway of the power monitoring platform. The gateway performs integrity verification and decryption on the first protection message to obtain second request data, sends the second request data to the monitoring server, receives the feedback data sent by the monitoring server, encrypts and integrity-protects the feedback data based on the national cryptographic algorithm to obtain a second protection message, and sends the second protection message to the encryption module. Finally, the encryption module performs integrity verification and decryption on the second protection message based on the national cryptographic algorithm to obtain response data and sends the response data to the application module. Remote encrypted transmission of power data is thereby achieved, and the communication security of the power data transmission system is improved. Furthermore, the national cryptographic algorithm has the advantages of high cipher complexity, high processing speed and low consumption of machine performance; when it is used for encryption and decryption, decryption and integrity verification can be performed synchronously, which improves efficiency.
In a third aspect of the present application, as shown in Fig. 7, an electric power data transmission system is provided, including an electric power terminal 100 with a built-in application module 101 and encryption module 102, and an electric power monitoring platform 200 including a gateway 201 and a monitoring server 202; the encryption module 102 is connected with the application module 101 and the gateway 201, and the gateway 201 is connected with the monitoring server 202. The encryption module 102 and the gateway 201 are used to execute the above-described power data transmission method.
For the definition of each module, see above; it is not repeated here. It is understood that the above modules may be implemented in whole or in part by software, hardware, or a combination thereof.
Specifically, as shown in Fig. 8, the encryption module 102 obtains first request data sent by the application module 101, encrypts and integrity-protects the first request data based on a national cryptographic algorithm, generates a first protection message, and sends the first protection message to the gateway 201; the gateway 201 performs integrity verification and decryption on the first protection message, obtains second request data and sends it to the monitoring server 202; the monitoring server 202 outputs feedback data according to the second request data; the gateway 201 receives the feedback data, encrypts and integrity-protects the feedback data based on a national cryptographic algorithm, obtains a second protection message, and sends the second protection message to the encryption module 102; the encryption module 102 performs integrity verification and decryption on the second protection message based on the national cryptographic algorithm, obtains response data, and sends the response data to the application module 101. Further, in one embodiment, the encryption module and the gateway communicate via a national cryptographic IPSec tunnel.
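The exchange of Fig. 8 described above, as an added Python example that is not part of the original specification. HMAC-SHA256 from the standard library stands in for both the SM4 cipher and an SM3-based integrity check; the (encryption key, integrity key) layout of the session key pair, the nonce || ciphertext || tag message format and all function names are assumptions.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(enc_key, nonce, length):
    # Stand-in cipher: HMAC-SHA256 in counter mode, used here in place of SM4.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(session_keys, data):
    """Encrypt, then integrity-protect (HMAC-SHA256 stands in for an SM3 MAC)."""
    enc_key, mac_key = session_keys  # assumed layout of the session key pair
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(data, _keystream(enc_key, nonce, len(data)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unprotect(session_keys, message):
    """Integrity verification first; decrypt only when the tag matches."""
    enc_key, mac_key = session_keys
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("protection message too short")
    nonce = message[:NONCE_LEN]
    ct, tag = message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; message dropped")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

def monitoring_server(second_request):  # hypothetical monitoring server 202
    return b"FEEDBACK for " + second_request

def gateway_handle(session_keys, first_protection_message):
    """Gateway 201: verify and decrypt, forward, protect the feedback."""
    second_request = unprotect(session_keys, first_protection_message)
    return protect(session_keys, monitoring_server(second_request))

def terminal_exchange(session_keys, first_request, channel=lambda m: m):
    """Encryption module 102: `channel` models the untrusted network."""
    first_msg = channel(protect(session_keys, first_request))
    return unprotect(session_keys, gateway_handle(session_keys, first_msg))
```

A message modified in transit fails the gateway's integrity verification and is never decrypted or forwarded to the monitoring server.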
In one embodiment, the encryption module 102 is a security chip or a thin-film card. As shown in Fig. 7, the encryption module 102 includes a hardware cryptographic module and a software IPSec client; the hardware cryptographic module implements key storage and key operations, and cooperates with the software IPSec client and the gateway to establish a national cryptographic IPSec channel, so that the security of the key on the terminal side is effectively ensured and the security of the communication process is further improved.
In the electric power data transmission system, the encryption module of the electric power terminal obtains first request data sent by the application module, encrypts and integrity-protects the first request data based on a national cryptographic algorithm, generates a first protection message and sends the first protection message to the gateway of the electric power monitoring platform; the gateway performs integrity verification and decryption on the first protection message to obtain second request data, sends the second request data to the monitoring server, receives feedback data sent by the monitoring server, encrypts and integrity-protects the feedback data based on a national cryptographic algorithm to obtain a second protection message, and sends the second protection message to the encryption module; finally, the encryption module performs integrity verification and decryption on the second protection message based on a national cryptographic algorithm to obtain response data and sends the response data to the application module. Remote encrypted transmission of the electric power data is thereby realized, and the communication security of the electric power data transmission system is improved. Furthermore, the national cryptographic algorithm has the advantages of high cryptographic complexity, high processing speed and low consumption of machine performance; performing encryption and decryption with the national cryptographic algorithm allows decryption and integrity verification to be carried out synchronously, which improves work efficiency.
The technical features of the above embodiments can be combined arbitrarily. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of these technical features involves no contradiction, it should be considered to be within the scope of the present specification.
The above examples express only several embodiments of the present application, and their description is relatively specific and detailed, but they should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, all of which fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.