CN114024698A - Power distribution Internet of things service safety interaction method and system based on state cryptographic algorithm - Google Patents


Info

Publication number
CN114024698A
Authority
CN
China
Prior art keywords
internet
things
service
edge
interaction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010689081.6A
Other languages
Chinese (zh)
Inventor
李二霞
亢超群
李玉凌
何连杰
樊勇华
孙智涛
常方圆
许保平
杨红磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Original Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC and China Electric Power Research Institute Co Ltd CEPRI

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • G: PHYSICS
    • G16: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y: INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 10/00: Economic sectors
    • G16Y 10/35: Utilities, e.g. electricity, gas or water
    • G: PHYSICS
    • G16: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y: INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 40/00: IoT characterised by the purpose of the information processing
    • G16Y 40/10: Detection; Monitoring
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/14: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The invention provides a secure service interaction method for the power distribution Internet of Things (IoT) based on the national (SM) cryptographic algorithms, comprising the following steps: when service interaction between a server and a client of the power distribution IoT is carried out through an edge IoT agent, select, according to the service type, the encryption scheme matched to that type from a pre-established set of graded encryption schemes; then carry out encrypted service interaction between the edge IoT agent and, respectively, the server and the client of the power distribution IoT. The graded encryption schemes are formulated on the basis of the national cryptographic algorithms. The method meets the differentiated protection requirements of the cloud platform, the edge IoT agent and the IoT terminal during service interaction in the power distribution IoT scenario, and the resulting graded secure interaction flow provides proportionate and efficient security services across the whole environment of the power distribution IoT.

Description

Power distribution Internet of things service safety interaction method and system based on state cryptographic algorithm
Technical Field
The invention belongs to the technical field of the power distribution IoT, which combines industrial control systems with IoT technology, and in particular relates to a secure service interaction method and system for the power distribution IoT based on the national cryptographic algorithms.
Background
The power distribution IoT is the product of deep integration of the power distribution automation system with IoT technology. It is characterised by comprehensive perception, data integration and intelligent application across the distribution network, achieved through global identification of the low-voltage equipment in the distribution network and wide interconnection among that equipment. As an important component of the ubiquitous power IoT spanning all services, the security construction of the power distribution IoT must meet requirements at both the national and the industry level:
At the national level, laws and regulations strengthen the information security management of power monitoring systems in terms of technical management, safety management, confidentiality management and supervision; they require that attacks and intrusions by hackers and malicious code against power monitoring systems be prevented, and that the security of network products and services, of network operation, of network data and of network information be guaranteed, thereby providing the legal basis for protecting the ubiquitous power IoT. Cloud computing security and IoT security protection have been brought within the extended requirements of the level-3 protection system. At the industry level, a relatively complete regulatory system for network and information security in the power industry has been constructed.
Secondly, the distribution network IoT serves both the power construction and production system and customer power supply services. Against an increasingly complex network security situation, any risk can become a major network security incident with the dual impact of paralysing the power system and leaking user information. Under the power distribution IoT architecture, preventing network security incidents goes beyond the scope of traditional security capabilities and places higher demands on controlling device legitimacy and on the secure interaction of service data.
At present, relatively mature security protection schemes exist for power distribution automation systems: on the basis of the principles of 'security partitioning, dedicated networks, horizontal isolation and vertical authentication', an identity authentication mechanism and protection methods for the service interaction data between the distribution master station and distribution terminals have been formed. The security protection technology for power distribution IoT services, however, is incomplete. A corresponding protection strategy therefore needs to be formulated in combination with the service characteristics of the power distribution IoT, on the basis of meeting the requirements of the state, the industry and the company, so as to protect the legitimacy of the identity of the communicating parties and the security and confidentiality of service data during power distribution IoT service interaction.
Disclosure of Invention
In view of the problems that the existing security protection technology for power distribution IoT services is incomplete, that a corresponding protection strategy urgently needs to be formulated in combination with the characteristics of those services while meeting the requirements of the state, the industry and the company at every level, and that the legitimacy of the communicating parties' identities and the security and confidentiality of service data must be ensured during power distribution IoT service interaction, the invention provides a secure service interaction method for the power distribution IoT based on the national cryptographic algorithms, which specifically comprises the following steps:
when service interaction between a server and a client of the power distribution IoT is carried out through an edge IoT agent:
according to the service type, selecting the encryption scheme matched to that service type from a pre-established set of graded encryption schemes;
carrying out encrypted service interaction between the edge IoT agent and, respectively, the server and the client of the power distribution IoT;
wherein the graded encryption schemes are formulated on the basis of the national cryptographic algorithms.
Preferably, the service types include keep-alive messages, state monitoring messages and control instruction messages, whose security levels increase in that order.
Preferably, selecting the encryption scheme matched to the service type from the pre-established graded encryption schemes comprises:
when the service type is a keep-alive message, transmitting it in plaintext without encryption;
when the service type is a state monitoring message, encrypting it with the block cipher SM1 of the national cryptographic algorithms and adding a timestamp and a signature value;
when the service type is a control instruction message, encrypting it and verifying a message authentication code with the block cipher SM1 of the national cryptographic algorithms, computing a digest with the commercial hash algorithm SM3, and adding a signature and a timestamp.
Preferably, the encrypted service interaction between the edge IoT agent and, respectively, the server and the client of the power distribution IoT comprises:
1) a 'cloud-edge' secure interaction method;
2) an 'edge-end' secure interaction method;
3) a 'cloud-end' secure interaction method;
4) an 'edge-edge' secure interaction method.
Preferably, the 'cloud-edge' secure interaction method comprises:
when the server is the IoT management platform and the client is an edge IoT agent, the edge IoT agent sends an identifier authentication request to the IoT management platform and submits its device ID identifier information over the NETCONF protocol;
the security access service of the IoT management platform then decrypts and verifies the device ID identifier information, using the commercial asymmetric algorithm SM2 of the national cryptographic algorithms on a double-layer parallel redundant cryptographic operation mechanism, and screens the session key for that device ID on the basis of IP packet filtering, obtaining an identifier verification result;
when the identifier verification result is that the identifier information is correct, the validity of the edge IoT agent's digital signature value is verified against the edge IoT agent's digital certificate, and the validity of the security access service's digital signature value is verified against the IoT management platform's digital certificate;
after both verifications pass, the result is returned, the identity verification of both sides of the security access service is complete, and service interaction begins.
Preferably, the 'edge-end' secure interaction method comprises:
when the server is an edge IoT agent and the client is an IoT terminal connected to it, the IoT terminal starts the identifier authentication procedure, verifies the correctness of the identifier on the basis of its security chip and the CoAP protocol, and returns the authentication result;
when the authentication result is correct, the certificate authentication and key agreement procedure starts: after the edge IoT agent has verified the service signature value against the IoT terminal's digital certificate, a session key is generated from the random numbers produced during authentication;
the IoT terminal verifies the service signature value against the edge IoT agent's digital certificate, confirms the session key, and after confirming its correctness carries out service interaction.
Preferably, before the server (the edge IoT agent) interacts with the client IoT terminal connected to it, the method comprises:
the IoT terminal sends its unique device identifier and its digital certificate, via its embedded dedicated security chip, to the edge IoT agent, which binds the two uniquely to complete registration.
Preferably, the 'cloud-end' secure interaction method comprises:
when the server is the IoT management platform and the client is an IoT terminal, a temporary session key is generated using the commercial asymmetric algorithm SM2 and digital certificates, bidirectional identity authentication is performed by digital signature and signature verification, identity is constrained by hierarchical encryption of a master key and sub-keys with the block cipher SM1, and service interaction is performed after authentication completes.
Preferably, the 'edge-edge' secure interaction method comprises:
when the server and the client are both edge IoT agents, a temporary session key is generated using the commercial asymmetric algorithm SM2 together with digital certificates, bidirectional identity authentication is performed, and business service interaction proceeds after the identity authentication passes.
Preferably, edge IoT agents include aggregation-type devices and sensing-type devices.
Based on the same conception, the invention provides a secure service interaction system for the power distribution IoT based on the national cryptographic algorithms, comprising an algorithm selection module and an encryption interaction module;
the algorithm selection module is used, when service interaction between the server and the client of the power distribution IoT is carried out through the edge IoT agent, to select according to the service type the encryption scheme matched to that type from the pre-established graded encryption schemes;
the encryption interaction module is used to carry out encrypted service interaction between the edge IoT agent and, respectively, the server and the client of the power distribution IoT;
and the graded encryption schemes are formulated on the basis of the national cryptographic algorithms.
Compared with the prior art, the invention has the following beneficial effects:
1. The method selects, according to the service type, the encryption scheme matched to that type from preset graded encryption schemes formulated on the basis of the national cryptographic algorithms, and uses it for encrypted service interaction between the edge IoT agent and the server and client of the power distribution IoT. It meets the differentiated protection requirements of the cloud platform, the edge IoT agent and the IoT terminal during service interaction in the power distribution IoT scenario, and the resulting graded secure interaction flow provides proportionate and efficient security services across the whole environment of the power distribution IoT.
Drawings
FIG. 1 is a flow chart of a method provided by the present invention;
fig. 2 is a schematic diagram of a power distribution internet of things architecture provided in an embodiment of the present invention;
fig. 3 is a schematic diagram of cloud-edge and cloud-end security interaction provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of an edge-to-end security interaction provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram of edge-to-edge security interaction provided by an embodiment of the present invention;
fig. 6 is a system configuration diagram provided by the present invention.
Detailed Description
The embodiments of the present invention are further described below with reference to the accompanying drawings.
Example 1:
The method provided by the invention is described with reference to the flow chart in FIG. 1 and comprises the following specific steps:
Step 1: when service interaction between a server and a client of the power distribution IoT is carried out through an edge IoT agent, select, according to the service type, the encryption scheme matched to that type from the pre-established graded encryption schemes;
Step 2: carry out encrypted service interaction between the edge IoT agent and, respectively, the server and the client of the power distribution IoT.
Step 1 (selecting, according to the service type, the matching encryption scheme from the pre-established graded schemes when service interaction between the server and the client is carried out through the edge IoT agent) specifically comprises the following:
Across the sensing layer, communication layer, platform layer and application layer of the power distribution IoT (see FIG. 2), there are three vertical interaction scenarios, namely cloud-edge, edge-end and cloud-end, and one horizontal interaction scenario, edge-edge. The power distribution IoT is the IoT realisation of distribution monitoring systems such as distribution automation and marketing systems together with low-voltage equipment; it retains the security attributes of an industrial control system, and its safe and stable operation bears directly on the quality of power supply and on the privacy of hundreds of millions of users. The invention therefore uses the domestic commercial cryptographic algorithms (the 'national cryptographic algorithms' for short), which are of high security and strength and only partially disclosed, to provide cryptographic support for the secure interaction of the various service scenarios of the power distribution IoT.
(1) Selection of domestic commercial cryptographic algorithms
The domestic commercial cryptographic algorithms are the cryptographic algorithms approved by the State Cryptography Administration; by key type they divide into symmetric algorithms, asymmetric algorithms and hash algorithms.
1) Domestic commercial symmetric cryptographic algorithms
The defining characteristic of a symmetric cipher is that the encryption key and the decryption key are the same; such ciphers provide encryption and decryption of the communication messages among the cloud, the edge and the terminals of the power distribution IoT. The domestic commercial symmetric algorithms include ZUC, SM1, SM4 and SM7.
ZUC (the Zu Chongzhi algorithm) is a stream cipher that takes a 128-bit key and a 128-bit initial vector as input and produces a keystream. Encryption is simple: the keystream is XORed with the plaintext bit by bit, and decryption XORs the same keystream with the ciphertext. ZUC is suited to scenarios with strict real-time requirements such as telephony and video communication.
SM1, SM4 and SM7 are all block ciphers with a 128-bit block length and a 128-bit key length. SM1 is comparable to AES in security strength and in software and hardware implementation performance; the algorithm is not published and exists only as an IP core inside a chip. SM4 is published; both its encryption algorithm and its key expansion use a 32-round nonlinear iterative structure, it is fast, its key management is complex, its security is weaker than that of SM1, and it is commonly used in wireless local area network products. The SM7 algorithm text is not published at present; it is a lightweight cipher designed specifically for electronic tags and suited to contactless IC card applications, including identity, ticketing and all-in-one payment card applications.
On the basis of this analysis, SM1 offers the stronger security level and higher operational efficiency and is better suited to encrypting and decrypting remote service data of the power distribution IoT, while SM7 can be used for reading local information from RFID electronic tags.
2) Domestic commercial asymmetric cryptographic algorithms
An asymmetric cipher uses two different keys forming a key pair, one for encryption and the other for decryption. Asymmetric algorithms can provide identity authentication as well as encryption and decryption of the communication messages among the cloud, the edge and the terminals of the power distribution IoT. The domestic commercial asymmetric algorithms include SM2 and SM9.
SM2 is the SM2 elliptic curve public key cryptographic algorithm. Its main advantages are simple key management and a small number of keys required for secret transmission; a high level of confidentiality and good security; and small key storage. It is intended mainly to replace the traditional RSA algorithm in China's commercial cryptosystem. In terms of security, SM2 uses 256-bit elliptic curve keys, whose strength exceeds that of a 2048-bit RSA key; in terms of performance, 256-bit SM2 signing is 1.5 times as fast as 1024-bit RSA and 9 times as fast as 2048-bit RSA. SM9 is an identity-based public key cryptographic algorithm; unlike SM2 it does not require applying for a digital certificate, nor negotiating keys or exchanging certificates in advance, which removes the application and verification steps of a traditional certificate system and suits the security of the various emerging Internet applications.
On the basis of this analysis, and considering the state of the power industry's cryptographic management infrastructure (such as the unified identity authentication system of State Grid), SM2 is better suited to identity authentication of power distribution IoT equipment.
3) Domestic commercial hash algorithm
A hash algorithm computes, by mathematical processing, characteristic information that uniquely identifies the original data, forming a digest; a slight change in the content produces a different digest. It can be used for integrity protection of the interaction data of the power distribution IoT. The domestic commercial hash algorithm is SM3.
SM3 is published and produces a 256-bit hash value. It is suitable for generating and verifying digital signatures and message authentication codes in commercial cryptographic applications, and is a convenient and reliable means of verifying the integrity of power distribution IoT data.
Step 2, carrying out encrypted service interaction between the edge IoT agent and, respectively, the server and the client of the power distribution IoT, specifically comprises the following:
(2) Secure interaction method for the power distribution IoT based on the national cryptographic algorithms
1) Cloud-edge secure interaction method
Under the power distribution IoT framework, the cloud platform plays an important role in aggregating and analysing the mass of data from the edge and from the IoT terminals and in issuing decisions. So as not to affect interaction among the service systems inside the cloud platform, a security access service is placed in front of the cloud platform, decoupling the platform's externally facing security function from its internal service interaction; this provides mutual identity recognition between the cloud, the edge IoT agents and the IoT terminals, and encryption and decryption of the interaction data. Because the IoT management platform aggregates links for a mass of access data, it is proposed that the IoT management platform use the encryption function of the security access service by calling it, as shown in FIG. 3. In the figure, the two edge IoT agents on the left are aggregation devices and the edge IoT agent on the right is a sensing device; in general, sensing devices (such as cameras) reach the cloud only through an aggregation device, although sometimes a sensing device accesses the cloud directly.
Identity mutual authentication between cloud and edge
Mutual identity authentication before cloud-edge service interaction is based on the domestic commercial asymmetric algorithm SM2 (with SM3 as the hash) and digital certificates, as follows:
The edge IoT agent acts as the client and the IoT management platform as the server. The edge IoT agent initiates the TCP connection; once it is established, the edge IoT agent exchanges digital certificates with the security access service in front of the IoT management platform and the validity of each certificate is verified; after both pass, each side confirms the legitimacy of the other's identity by digitally signing the peer's random number and verifying the peer's signature.
Security protection of cloud-edge service data interaction
After mutual identity authentication between the IoT management platform and the edge IoT agent passes, service data interaction continues over the existing TCP connection. (Note: if the TCP connection is broken, it must be re-established and bidirectional identity authentication performed again.)
In this system, cloud-edge interaction is based on the NETCONF protocol.
Identification of an edge IoT agent accessing the cloud platform
First, the edge IoT agent, as the client, initiates a TCP connection request to the security access service in front of the cloud platform.
Second, once the connection is established, the edge IoT agent initiates an identifier authentication request and submits its device ID; the security access service decrypts the identifier information, verifies its correctness and returns the identifier authentication result to the edge IoT agent.
Third, the edge IoT agent initiates the identity authentication procedure toward the security access service, which verifies the edge IoT agent's signature value against the edge IoT agent's digital certificate.
Fourth, after the security access service has verified the edge IoT agent's identity, the edge IoT agent verifies the validity of the security access service's signature value against the cloud platform's digital certificate; when that passes it returns the verification result to the security access service, and the identity authentication of both parties is complete.
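The signature steps of the handshake above and of the cloud-edge mutual authentication described earlier come down to one mechanism: each side proves possession of the private key behind its certificate by signing the peer's fresh random number. The following is an added example, not code from the patent, showing that exchange in pure standard-library Python. SM3 and SM2 signing on the recommended curve are implemented from the published GB/T 32905 and GB/T 32918 standards; certificate validation is replaced by pinned public keys (an assumption: the certificate chain is not modelled); the identifier-authentication step and the session key are not shown. The names new_party and mutual_auth, the identity strings and the "srv|"/"cli|" direction labels are the example's own.

```python
import os
import struct

# ---- SM3 hash (GB/T 32905), implemented from the published standard ----
_IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)
_M32 = 0xFFFFFFFF

def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _M32

def sm3(msg: bytes) -> bytes:
    bitlen = 8 * len(msg)
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", bitlen)
    v = list(_IV)
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for j in range(16, 68):                              # message expansion
            x = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
            w.append(x ^ _rotl(x, 15) ^ _rotl(x, 23) ^ _rotl(w[j - 13], 7) ^ w[j - 6])
        a, b, c, d, e, f, g, h = v
        for j in range(64):                                  # compression rounds
            t = 0x79CC4519 if j < 16 else 0x7A879D8A
            ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & _M32, 7)
            ss2 = ss1 ^ _rotl(a, 12)
            ff = a ^ b ^ c if j < 16 else (a & b) | (a & c) | (b & c)
            gg = e ^ f ^ g if j < 16 else (e & f) | (~e & g)
            tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & _M32
            tt2 = (gg + h + ss1 + w[j]) & _M32
            a, b, c, d = tt1, a, _rotl(b, 9), c
            e, f, g, h = tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17), e, _rotl(f, 19), g
        v = [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8I", *v)

# ---- SM2 signature (GB/T 32918) on the recommended 256-bit curve ----
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def _add(p, q):                       # affine addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p == q
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):                      # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _za(ident, pub):                  # Z value binding the signer's identity to its key
    fields = [struct.pack(">H", 8 * len(ident)), ident]
    fields += [v.to_bytes(32, "big") for v in (A, B, *G, *pub)]
    return sm3(b"".join(fields))

def keygen():
    d = 1 + int.from_bytes(os.urandom(32), "big") % (N - 2)
    return d, _mul(d, G)

def sign(d, pub, ident, msg):
    e = int.from_bytes(sm3(_za(ident, pub) + msg), "big")
    while True:
        k = 1 + int.from_bytes(os.urandom(32), "big") % (N - 1)
        r = (e + _mul(k, G)[0]) % N
        if r == 0 or r + k == N:
            continue
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if s:
            return r, s

def verify(pub, ident, msg, sig):
    r, s = sig
    if pub is None or not (0 < r < N and 0 < s < N):
        return False
    e = int.from_bytes(sm3(_za(ident, pub) + msg), "big")
    t = (r + s) % N
    pt = _add(_mul(s, G), _mul(t, pub)) if t else None
    return pt is not None and (e + pt[0]) % N == r

# ---- cloud-edge mutual authentication by signing the exchanged random numbers ----
def new_party(ident: bytes) -> dict:
    d, pub = keygen()
    return {"id": ident, "d": d, "pub": pub, "trusted": {}}   # trusted: pinned peer keys

def mutual_auth(client: dict, server: dict) -> bool:
    nc, ns = os.urandom(16), os.urandom(16)               # fresh random number from each side
    transcript = client["id"] + server["id"] + nc + ns    # binds both identities and both nonces
    sig_s = sign(server["d"], server["pub"], server["id"], b"srv|" + transcript)
    sig_c = sign(client["d"], client["pub"], client["id"], b"cli|" + transcript)
    ok_s = verify(client["trusted"].get(server["id"]), server["id"], b"srv|" + transcript, sig_s)
    ok_c = verify(server["trusted"].get(client["id"]), client["id"], b"cli|" + transcript, sig_c)
    return ok_s and ok_c
```

Both signatures cover both random numbers and both identities together with a direction label, so a signature captured from one session cannot be replayed into another or reflected back at its author; because the random numbers are drawn per call, a new TCP connection (as the text requires after a disconnect) gets a fresh handshake. A peer whose key is not pinned, or whose key differs from the pinned one for the claimed identity, fails verification.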
Security protection of interaction data between the edge Internet of things agent and the cloud platform
(1) After bidirectional identity authentication between the edge agent and the cloud platform passes, the edge agent sends a protocol link request message, which is in plaintext;
(2) after the protocol link is initialized, transmission of service messages symmetrically encrypted with SM1 begins;
(3) when instructions such as updating an APP (application) on the edge agent or downloading a container are involved, the service message is encrypted with SM1 and a timestamp and a signature value are added to protect the freshness and tamper resistance of the instruction.
Service data is first classified into three message types, keep-alive, state monitoring and control instruction, whose security levels increase in that order. Keep-alive messages may be transmitted in plaintext; for state monitoring messages, the main content is encrypted with the domestic commercial symmetric cryptographic algorithm SM1; for control messages, the main content is encrypted with SM1 and a signature and timestamp are added on top of the SM3 digest of the message, strengthening the integrity, non-repudiation and replay resistance of control instructions.
Data from the edge side and the terminal side enters the cloud platform only after the security access service has decrypted it and checked its validity; data issued by the cloud platform must first be encrypted by the security access service before it can be sent to the edge and terminal sides. The cryptographic operation unit of the security access service uses a two-layer parallel redundant operation mechanism: a cryptographic operation software module provides the parallel coordination and throughput, using a scheduling algorithm to drive several cryptographic operation units in parallel at high speed, which meets the massive-concurrency requirement of Internet of things scenarios.
The communication control unit in the security access service applies a network-layer screening mechanism (the network layer of the TCP/IP protocol model) to terminal access data, based on IP packet filtering; the session key negotiation capacity for terminal access across the whole security access service can reach 8000 negotiations per second.
2) 'edge-end' safety interaction method
In the power distribution Internet of things scenario, the edge Internet of things agent is the brain of local computation, aggregating, analysing and making decisions on data from Internet of things terminals. The security functions of the edge agent and of the Internet of things terminal are implemented by an embedded dedicated security chip, which must hold a commercial cryptographic product model certificate issued by the national cryptography administration. The edge-to-end secure interaction process is shown in fig. 4.
Mutual identity authentication of edges and ends
Because the hierarchical relationship between an edge Internet of things agent and an Internet of things terminal cannot be fixed before they are formally put into operation, device registration is performed first when a terminal accesses the edge agent: the edge agent acts as the server and the terminal as the client; the terminal initiates a TCP connection request and sends its unique device identifier and digital certificate to the edge agent. At registration the edge agent binds the terminal identifier, digital certificate and related information uniquely; after registration, whenever a session link is re-established, bidirectional identity authentication is performed on the basis of the digital certificates and the SM2 algorithm, with the same process as cloud-edge authentication.
Edge and end service data interaction safety protection method
Each time a session link is established, a temporary session key is negotiated on the basis of both parties' digital certificates, and that session key is used to encrypt the transmitted data.
Similarly, edge-end interaction data is divided into keep-alive, state monitoring and control instruction messages. Keep-alive messages may be transmitted in plaintext; for state monitoring messages, the main content is encrypted with the domestic commercial symmetric cryptographic algorithm SM1; for control instruction messages, the main content is encrypted with SM1 and a signature and timestamp are added on top of the SM3 digest, strengthening the integrity, non-repudiation and replay resistance of the control instruction.
In the system, the edge and end interaction is based on the COAP protocol.
Identity recognition when the Internet of things terminal accesses the edge Internet of things agent
(1) The Internet of things terminal acts as the client and initiates a UDP connection request to the edge Internet of things agent;
(2) after the connection is established, the terminal starts an identification authentication process; the identifier is checked for correctness and the authentication result is returned;
(3) the terminal starts the certificate authentication and key agreement process; after the edge agent verifies the signature value using the terminal's digital certificate, a session key is generated from the random numbers produced during authentication;
(4) after the terminal verifies the signature value using the edge agent's digital certificate, the session key generated in the previous step is confirmed.
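The four-step exchange above, and the cloud-edge exchange described earlier in which each side signs the other party's random number, as an added Go example that is not part of the patent. ECDSA P-256 stands in for SM2, SHA-256 for SM3, and the peer's public key stands in for the digital certificate it would be extracted from; the transcript layout, the role labels and the session-key derivation from the two random numbers are assumptions, as are the device identifiers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint of the exchange (an edge IoT agent or an IoT terminal).
// In the patent the peer's public key is taken from its digital certificate and
// signatures use SM2; here ECDSA P-256 stands in for SM2 and SHA-256 for the
// SM3 digest (assumed stand-ins, not the page's algorithms).
type Party struct {
	ID   string
	Priv *ecdsa.PrivateKey
}

func NewParty(id string) (*Party, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{ID: id, Priv: priv}, nil
}

func newNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// transcript hashes both identities, both random numbers and the signer's role,
// so a signature is bound to this session and this direction: a server
// signature cannot be replayed into another session or reflected as a client one.
func transcript(cID string, cNonce []byte, sID string, sNonce []byte, role string) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(cID), cNonce, []byte(sID), sNonce, []byte(role)} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// sessionKey derives the temporary session key from the two random numbers, as
// the edge-end process does once authentication succeeds (derivation assumed).
func sessionKey(cNonce, sNonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("session-key"))
	h.Write(cNonce)
	h.Write(sNonce)
	return h.Sum(nil)
}

// MutualAuth runs the exchange. clientTrusts and serverTrusts are the public keys
// each side extracted from the peer's certificate; a key that does not match the
// signer makes the check fail, which is how a mismatched certificate is caught.
func MutualAuth(client, server *Party, clientTrusts, serverTrusts *ecdsa.PublicKey) ([]byte, error) {
	// 1. Client -> Server: identity and random number.
	cNonce, err := newNonce()
	if err != nil {
		return nil, err
	}
	// 2. Server -> Client: identity, random number, signature over both nonces.
	sNonce, err := newNonce()
	if err != nil {
		return nil, err
	}
	sSig, err := ecdsa.SignASN1(rand.Reader, server.Priv, transcript(client.ID, cNonce, server.ID, sNonce, "server"))
	if err != nil {
		return nil, err
	}
	// 3. Client checks the server signature with the server certificate's key,
	//    then signs the same transcript in the client role.
	if !ecdsa.VerifyASN1(clientTrusts, transcript(client.ID, cNonce, server.ID, sNonce, "server"), sSig) {
		return nil, errors.New("server signature invalid: identity not confirmed")
	}
	cSig, err := ecdsa.SignASN1(rand.Reader, client.Priv, transcript(client.ID, cNonce, server.ID, sNonce, "client"))
	if err != nil {
		return nil, err
	}
	// 4. Server checks the client signature with the client certificate's key.
	if !ecdsa.VerifyASN1(serverTrusts, transcript(client.ID, cNonce, server.ID, sNonce, "client"), cSig) {
		return nil, errors.New("client signature invalid: identity not confirmed")
	}
	// Both sides now hold the same two random numbers and derive the session key.
	return sessionKey(cNonce, sNonce), nil
}

func main() {
	agent, _ := NewParty("edge-agent-01") // constructed identifiers
	term, _ := NewParty("iot-terminal-17")
	_, err := MutualAuth(term, agent, &agent.Priv.PublicKey, &term.Priv.PublicKey)
	fmt.Println("genuine peer authenticated:", err == nil)
	impostor, _ := NewParty("edge-agent-01") // same device ID, different key pair
	_, err = MutualAuth(term, impostor, &agent.Priv.PublicKey, &term.Priv.PublicKey)
	fmt.Println("peer with non-matching certificate key rejected:", err != nil)
}
```

The impostor case is the point of the certificate exchange: the claimed device ID is not what is checked, the signature under the certificate's key is, so a party that presents the right ID but cannot sign with the corresponding private key never reaches the session-key step.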
Security protection of interaction data between the edge Internet of things agent and the Internet of things terminal
(1) After bidirectional identity authentication between the edge agent and the terminal passes, the terminal sends a protocol link request message, which is in plaintext;
(2) after the protocol link is initialized, transmission of service messages symmetrically encrypted with SM1 begins;
(3) when instructions such as reactive compensation switching or distributed energy access control are involved, the service message is encrypted with SM1 and a timestamp and a signature value are added to protect the freshness and tamper resistance of the instruction.
3) Cloud-end safety interaction method
For an Internet of things terminal that communicates directly with the cloud platform, the interaction process is shown in fig. 3. The terminal acts as the client and the Internet of things management platform as the server; the terminal initiates a TCP connection request and establishes the connection with the management platform. Once the connection is established, bidirectional identity authentication is carried out between the terminal and the cloud platform, and after it passes, ciphertext interaction proceeds on the basis of domestic commercial cryptographic algorithms. For the specific service data interaction process, refer to the cloud-edge secure interaction method.
4) 'edge-edge' safety interaction method
First, when a connection-oriented communication protocol such as TCP is used, the edge Internet of things agents confirm each other's identity when they interact, and after verification passes the information is transmitted as ciphertext, as shown in fig. 5.
a) Mutual identity authentication of edges
When edge nodes interact with each other, bidirectional identity authentication between the devices is performed first, using the domestic commercial asymmetric cryptographic algorithm SM2 combined with digital certificates; during bidirectional authentication a temporary session key is negotiated at the same time, providing the encryption and decryption key for the subsequent service interaction.
b) Edge and edge service data interaction safety protection method
During data interaction, symmetric encryption is used to ensure the confidentiality of the data. For key data (such as in-place protection messages), an SM3 digest is computed over the original message and the digest is signed with the SM2 algorithm; this ensures the integrity and non-repudiation of the data, and because the digest shortens what has to be signed, signing efficiency improves and the high real-time requirement of in-place service interaction is met. For general data, a MAC (message authentication code) based on the SM1 algorithm ensures that the data is not tampered with in transit.
Second, when an object-oriented communication protocol such as GOOSE is used, a long-lived connection cannot be established between edge Internet of things agents, so identity is constrained through a key hierarchy. For edge-to-edge communication, the SM1 algorithm is used for encryption and decryption, with the decryption key set as the master key and the encryption key as a sub-key, so that when an edge agent receives ciphertext it can trace the source through the identifier of the encryption key.
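The master key/sub-key arrangement just described for connectionless GOOSE-style traffic, as an added Go example that is not the patent's code. The page only fixes the relation (decryption under the master key, encryption under a per-sender sub-key, source traced by the key identifier); deriving the sub-key with HMAC-SHA256, carrying the identifier as a length-prefixed field ahead of the ciphertext, and using AES-128-GCM in place of the unpublished SM1 are all assumptions, as are the agent names and the demo master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeriveSubKey derives a sender's encryption sub-key from the shared master key
// and the sender's key identifier. HMAC-SHA256 as the derivation function is an
// assumption; the 16-byte result drives AES-128-GCM, standing in for SM1.
func DeriveSubKey(master []byte, keyID string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("goose-subkey:" + keyID))
	return mac.Sum(nil)[:16]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one connectionless datagram under the sender's sub-key. The key
// identifier travels in clear ahead of the ciphertext (len||id||nonce||ct) and is
// also bound as associated data, so relabelling a datagram breaks decryption.
func Seal(subKey []byte, keyID string, payload []byte) ([]byte, error) {
	gcm, err := gcmFor(subKey)
	if err != nil {
		return nil, err
	}
	id := []byte(keyID)
	if len(id) > 255 {
		return nil, errors.New("key identifier too long")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{byte(len(id))}, id...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, payload, id), nil
}

// Open is run by a receiver holding the master key: it reads the identifier,
// re-derives that sender's sub-key, decrypts, and returns the identifier as the
// traced source. A decryption failure means identifier and key do not match.
func Open(master, datagram []byte) (source string, payload []byte, err error) {
	if len(datagram) < 1 || len(datagram) < 1+int(datagram[0]) {
		return "", nil, errors.New("truncated datagram")
	}
	id := datagram[1 : 1+int(datagram[0])]
	rest := datagram[1+len(id):]
	gcm, err := gcmFor(DeriveSubKey(master, string(id)))
	if err != nil {
		return "", nil, err
	}
	if len(rest) < gcm.NonceSize() {
		return "", nil, errors.New("truncated datagram")
	}
	payload, err = gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], id)
	if err != nil {
		return "", nil, errors.New("decryption failed: key identifier does not match the sub-key, or data tampered")
	}
	return string(id), payload, nil
}

func main() {
	master := make([]byte, 32) // constructed demo master key; in the patent keys live in the security chip
	for i := range master {
		master[i] = byte(i)
	}
	dg, _ := Seal(DeriveSubKey(master, "edge-agent-A"), "edge-agent-A", []byte("switch-07 state=closed"))
	src, msg, err := Open(master, dg)
	fmt.Println("source:", src, "payload:", string(msg), "err:", err)
}
```

One caveat worth keeping in mind when reading the page's "trace the source" claim: every holder of the master key can derive every sub-key, so the identifier authenticates the sender only against parties outside the hierarchy, not against another master-key holder. That is consistent with the page signing key data separately with SM2 rather than relying on the key identifier alone.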
Whether service data is transmitted cloud-edge, edge-end or cloud-end, it is classified into keep-alive, state monitoring and control instruction types. Keep-alive messages may be transmitted in plaintext; for state monitoring messages, the main content is encrypted with the domestic commercial symmetric cryptographic algorithm SM1; for control messages, the main content is encrypted with SM1, and a signature and timestamp are added on top of the SM3 digest.
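The three-tier rule stated here, and in the same words for the cloud-edge and edge-end links earlier, as an added Go example that is not the patent's code. AES-256-GCM stands in for SM1, SHA-256 for SM3 and ECDSA P-256 for SM2; the envelope layout, the 30-second freshness window and the receiver's replay cache are assumptions, the last added because a timestamp window on its own still admits a copy replayed inside the window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

type MsgType byte // service type; protection grows with the security level

const (
	KeepAlive          MsgType = iota // plaintext
	StateMonitor                      // main content encrypted under the session key
	ControlInstruction                // encrypted, plus timestamp and signature over the digest
)

// Envelope is the wire unit (layout assumed; the page fixes protection per type, not a byte format).
type Envelope struct {
	Type      MsgType
	Timestamp int64  // Unix seconds; control instructions only
	Body      []byte // plaintext for keep-alive, nonce||ciphertext otherwise
	Sig       []byte // signature over controlDigest; control instructions only
}

const freshnessWindow = 30 * time.Second // assumed acceptance window

// NewSM1 returns the cipher for a 32-byte session key; SM1 is unpublished, so AES-256-GCM stands in.
func NewSM1(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewSigner makes an SM2-style key (ECDSA P-256 stands in); in the patent it belongs to the device certificate.
func NewSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// controlDigest is the SM3-style digest (SHA-256 stands in): type, timestamp and ciphertext are all covered.
func controlDigest(e *Envelope) [32]byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(e.Timestamp))
	return sha256.Sum256(append(append([]byte{byte(e.Type)}, ts[:]...), e.Body...))
}

// Protect applies the protection matching the service type.
func Protect(t MsgType, payload []byte, c cipher.AEAD, signer *ecdsa.PrivateKey, now time.Time) (*Envelope, error) {
	e := &Envelope{Type: t, Body: payload}
	if t == KeepAlive {
		return e, nil
	}
	nonce := make([]byte, c.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	e.Body = c.Seal(nonce, nonce, payload, nil) // nonce||ciphertext
	if t != ControlInstruction {
		return e, nil
	}
	e.Timestamp = now.Unix()
	d := controlDigest(e)
	sig, err := ecdsa.SignASN1(rand.Reader, signer, d[:])
	e.Sig = sig
	return e, err
}

// Unprotect checks an envelope and recovers the payload. peer is the sender's certificate key; seen
// (caller-owned, non-nil) records accepted control instructions so a replay inside the window is refused.
func Unprotect(e *Envelope, c cipher.AEAD, peer *ecdsa.PublicKey, seen map[[32]byte]bool, now time.Time) ([]byte, error) {
	if e.Type == KeepAlive {
		return e.Body, nil
	}
	if e.Type == ControlInstruction {
		d := controlDigest(e)
		if !ecdsa.VerifyASN1(peer, d[:], e.Sig) {
			return nil, errors.New("control instruction: signature invalid")
		}
		if age := now.Sub(time.Unix(e.Timestamp, 0)); age > freshnessWindow || age < -freshnessWindow {
			return nil, errors.New("control instruction: timestamp outside freshness window")
		}
		if seen == nil || seen[d] {
			return nil, errors.New("control instruction: replayed or no replay cache")
		}
		seen[d] = true
	}
	if len(e.Body) < c.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return c.Open(nil, e.Body[:c.NonceSize()], e.Body[c.NonceSize():], nil)
}
```

The order of checks on a control instruction matters: the signature is verified first, so the timestamp and replay decisions are made on data the peer actually signed; checking the timestamp before the signature would let anyone with a stale copy change the clock field and slip past the window.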
Example 2:
Based on the same concept, the invention provides a power distribution Internet of things service safety interaction system based on a state cryptographic algorithm, described with reference to the system structure diagram of fig. 6, which comprises an algorithm selection module and an encryption interaction module;
the algorithm selection module is used, when service interaction between the server side and the client side of the power distribution Internet of things is realized via the edge Internet of things agent, to select from the pre-established cascade encryption algorithms the encryption algorithm matching the service type, according to the service type;
the encryption interaction module is used to carry out encrypted service interaction between the edge Internet of things agent and the server side and the client side of the power distribution Internet of things respectively;
and the cascade encryption algorithms are formulated on the basis of the state cryptographic algorithms.
The algorithm selection module comprises a keep-alive message submodule, a state monitoring message submodule and a control instruction message submodule;
the keep-alive message submodule is used, when the service type is a keep-alive message, to transmit in plaintext without encryption;
the state monitoring message submodule is used, when the service type is a state monitoring message, to encrypt the state monitoring message with the block cipher algorithm SM1 of the state cryptographic algorithms and to add a timestamp and a signature value;
and the control instruction message submodule is used, when the service type is a control instruction message, to perform encryption and message authentication code verification with the block cipher algorithm SM1 of the state cryptographic algorithms, to perform digest calculation with the commercial hash algorithm SM3 of the state cryptographic algorithms, and to add a signature and a timestamp.
The encryption interaction module comprises a cloud-edge interaction submodule, an edge-end interaction submodule, a cloud-end interaction submodule and an edge-edge interaction submodule;
the cloud-edge interaction submodule is used to carry out encrypted service interaction when the server side is the Internet of things management platform and the client side is the edge Internet of things agent;
the edge-end interaction submodule is used to carry out encrypted service interaction when the server side is the edge Internet of things agent and the client side is the Internet of things terminal;
the cloud-end interaction submodule is used, when the server side is the Internet of things management platform and the client side is the Internet of things terminal, to generate a temporary session key using the commercial asymmetric cryptographic algorithm SM2 and a digital certificate, to perform bidirectional identity authentication by digital signature and signature verification, to perform hierarchical encryption with a master key and a sub-key through the block cipher algorithm SM1 for identity constraint, and to carry out service interaction after verification is complete;
and the edge-edge interaction submodule is used, when the server side and the client side are both edge Internet of things agents, to generate a temporary session key by combining the commercial asymmetric cryptographic algorithm SM2 with digital certificates to perform bidirectional identity authentication, and to carry out service interaction after the identity authentication passes.
The cloud edge interaction submodule comprises: the system comprises an information submitting unit, an identification result unit, a legal verification unit and a result returning unit;
the information submitting unit is used, when the server side is the Internet of things management platform and the client side is the edge Internet of things agent, for the edge agent to send an identification authentication request to the management platform and submit its device ID identification information based on the netconf protocol;
the identification result unit is used to encrypt and verify the device ID identification information with the commercial asymmetric cryptographic algorithm SM2 of the state cryptographic algorithms, through the two-layer parallel redundant operation mechanism of the security access service of the management platform, and to screen the session key for the device ID identification information based on IP packet filtering, obtaining the identification verification result;
the legality verification unit is used, when the identification verification result is that the identification information is correct, to verify the legality of the edge agent's digital signature value based on the edge agent's digital certificate, and to verify the legality of the security access service's digital signature value based on the management platform's digital certificate;
and the result returning unit is used to return the result to the security access service after verification passes; mutual identity verification is then complete and service interaction begins.
The edge-side interaction submodule comprises: an authentication unit, a signature value verification unit and a key confirmation unit;
the authentication unit is used, when the server side is the edge Internet of things agent and the client side is the Internet of things terminal, for the terminal to start an identification authentication process based on the security chip and the COAP protocol, in which the identifier is verified for correctness and the authentication result is returned;
the signature value verification unit is used, when the authentication result is correct, to start the certificate authentication and key agreement process and, after the edge agent has verified the signature value using the terminal's digital certificate, to generate a session key from the random number produced during verification;
and the key confirmation unit is used to confirm the session key after the terminal has verified the signature value using the edge agent's digital certificate, and to carry out service interaction once correctness is confirmed.
The encryption interaction module further comprises a binding submodule;
the binding submodule is used, when the server side is the edge Internet of things agent and the client side is the Internet of things terminal, to send the terminal's unique device identifier and digital certificate through the embedded dedicated security chip to the edge agent for unique binding, completing registration.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The present invention is not limited to the above embodiments, and any modifications, equivalent replacements, improvements, etc. made within the spirit and principle of the present invention are included in the scope of the claims of the present invention which are filed as the application.

Claims (11)

1. A power distribution Internet of things service safety interaction method based on a state cryptographic algorithm is characterized by comprising the following steps:
when the service interaction between a server and a client of the power distribution internet of things is realized based on the edge internet of things agent:
selecting, according to the service type, an encryption algorithm matching the service type from the pre-established cascade encryption algorithms;
performing encrypted interaction on the service between the edge Internet of things agent and the server side and the client side of the power distribution Internet of things respectively;
and the cascade encryption algorithms are formulated on the basis of the state cryptographic algorithms.
2. The method of claim 1, wherein the service type comprises:
keep-alive messages, state monitoring messages and control instruction messages, whose security levels increase in that order.
3. The method of claim 2, wherein selecting, according to the service type, an encryption algorithm matching the service type from the pre-established cascade encryption algorithms comprises:
when the service type is a keep-alive message, transmitting in plaintext without encryption;
when the service type is a state monitoring message, encrypting the state monitoring message with the block cipher algorithm SM1 of the state cryptographic algorithms and adding a timestamp and a signature value;
when the service type is a control instruction message, performing encryption and message authentication code verification with the block cipher algorithm SM1 of the state cryptographic algorithms, performing digest calculation with the commercial hash algorithm SM3 of the state cryptographic algorithms, and adding a signature and a timestamp.
4. The method of claim 3, wherein performing encrypted interaction on the service between the edge Internet of things agent and the server side and the client side of the power distribution Internet of things respectively comprises:
1) a "cloud-edge" secure interaction method;
2) an "edge-end" secure interaction method;
3) a "cloud-end" secure interaction method;
4) an "edge-edge" secure interaction method.
5. The method of claim 4, wherein the "cloud-edge" secure interaction method comprises:
when the server side is the Internet of things management platform and the client side is the edge Internet of things agent, the edge agent sends an identification authentication request to the management platform and submits device ID identification information based on the netconf protocol;
then the device ID identification information is encrypted and verified with the commercial asymmetric cryptographic algorithm SM2 of the state cryptographic algorithms, through the two-layer parallel redundant operation mechanism of the security access service of the management platform, and the session key for the device ID identification information is screened based on IP packet filtering, obtaining the identification verification result;
when the identification verification result is that the identification information is correct, the validity of the edge agent's digital signature value is verified based on the edge agent's digital certificate, and the validity of the security access service's digital signature value is verified based on the management platform's digital certificate;
and after verification passes, the result is returned to the security access service, mutual identity verification is complete, and service interaction begins.
6. The method of claim 4, wherein the "edge-end" secure interaction method comprises:
when the server side is the edge Internet of things agent and the client side is the Internet of things terminal, the terminal starts an ident­ification authentication process based on the security chip and the COAP protocol, the identifier is verified for correctness, and the authentication result is returned;
when the authentication result is correct, the certificate authentication and key agreement process is started, and after the edge agent verifies the signature value using the terminal's digital certificate, a session key is generated from the random number produced during authentication;
and after the terminal verifies the signature value using the edge agent's digital certificate, the session key is confirmed, and service interaction is carried out once correctness is confirmed.
7. The method of claim 6, wherein, when the server side is the edge Internet of things agent and the client side is the Internet of things terminal, the method further comprises:
sending the terminal's unique device identifier and digital certificate through the embedded dedicated security chip to the edge agent for unique binding, completing registration.
8. The method of claim 7, wherein the "cloud-end" secure interaction method comprises:
when the server side is the Internet of things management platform and the client side is the Internet of things terminal, generating a temporary session key using the commercial asymmetric cryptographic algorithm SM2 and a digital certificate, performing bidirectional identity authentication by digital signature and signature verification, performing hierarchical encryption with a master key and a sub-key through the block cipher algorithm SM1 for identity constraint, and carrying out service interaction after authentication is complete.
9. The method of claim 8, wherein the "edge-edge" secure interaction method comprises:
when the server side and the client side are both edge Internet of things agents, generating a temporary session key by combining the commercial asymmetric cryptographic algorithm SM2 with digital certificates to perform bidirectional identity authentication, and carrying out service interaction after the identity authentication passes.
10. The method of claim 9, wherein the edge internet of things proxy comprises: aggregation type devices and sensing type devices.
11. A power distribution Internet of things service safety interaction system based on a state cryptographic algorithm, characterized by comprising: an algorithm selection module and an encryption interaction module;
the algorithm selection module is used, when service interaction between the server side and the client side of the power distribution Internet of things is realized via the edge Internet of things agent, to select from the pre-established cascade encryption algorithms the encryption algorithm matching the service type, according to the service type;
the encryption interaction module is used to carry out encrypted service interaction between the edge Internet of things agent and the server side and the client side of the power distribution Internet of things respectively;
and the cascade encryption algorithms are formulated on the basis of the state cryptographic algorithms.
CN202010689081.6A 2020-07-16 2020-07-16 Power distribution Internet of things service safety interaction method and system based on state cryptographic algorithm Pending CN114024698A (en)


Publications (1)

Publication Number Publication Date
CN114024698A true CN114024698A (en) 2022-02-08

Family

ID=80053989


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118449A (en) * 2022-05-13 2022-09-27 国网浙江省电力有限公司信息通信分公司 Energy internet oriented safe and efficient interaction edge proxy server
CN115118449B (en) * 2022-05-13 2023-06-27 国网浙江省电力有限公司信息通信分公司 Energy internet-oriented safe and efficient interactive edge proxy server
CN115314270A (en) * 2022-07-29 2022-11-08 国网浙江省电力有限公司宁波供电公司 Power business hierarchical encryption method and communication method based on quantum key
CN115695053A (en) * 2023-01-03 2023-02-03 国网浙江省电力有限公司金华供电公司 Access system of power distribution internet of things

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination