CN114422118A - Industrial controller multicast communication key distribution method and system - Google Patents

Info

Publication number
CN114422118A
Authority
CN
China
Prior art keywords
multicast
key
key distribution
information
group
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111555495.0A
Other languages
Chinese (zh)
Inventor
陈银桃
马纳
章维
张高达
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Supcon Technology Co Ltd
Original Assignee
Zhejiang Supcon Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Supcon Technology Co Ltd filed Critical Zhejiang Supcon Technology Co Ltd
Priority to CN202111555495.0A priority Critical patent/CN114422118A/en
Publication of CN114422118A publication Critical patent/CN114422118A/en
Priority to PCT/CN2022/134182 priority patent/WO2023109468A1/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a multicast communication key distribution method and system for an industrial controller. The method is applied between group members and a key distribution server and comprises the following steps: the group member generates multicast key request information, signs the multicast key request information to obtain first signature information, generates a multicast key request message based on the multicast key request information and the first signature information, and sends the multicast key request message to the key distribution server; the key distribution server, according to the multicast key request message, uses the group member device identifier to query the multicast group address and the multicast group communication key that it stores for the group member, generates a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and sends the multicast communication key distribution message to the group member; the group member verifies the multicast communication key distribution message and, when the verification result is correct, stores the multicast communication key and the multicast group address contained in it.

Description

Industrial controller multicast communication key distribution method and system
Technical Field
The invention relates to the technical field of industrial information security, in particular to a multicast communication key distribution method and system for an industrial controller.
Background
A DCS system includes a DCS controller, an operator station, an engineer station, a configuration server, a historical data server, and the like, where the operator station (engineer station) performs operations such as configuration, data acquisition, command issuing, and firmware upgrading on the controller through the relevant communication protocols. The DCS communication network uses several communication modes, including unicast, multicast, and broadcast communication. Multicast communication is generally used for messages that notify multiple objects (for example, controller status data, self-diagnostic information, and cooperative control), which reduces communication traffic and improves network communication efficiency. In a traditional control system, multicast communication has no security mechanism such as encrypted communication or identity authentication, and communication information is transmitted in plaintext, so the communication process is easy to monitor. An attacker can use a man-in-the-middle attack to forge a data packet carrying a false state or control instruction and deceive a control node or monitoring node of the control system; the system can be damaged, and at the same time the user cannot discover the abnormality of the control system in time. From a practical point of view, therefore, the security of multicast communication has an important impact on the overall security of the control system. Adding a multicast communication identity authentication and communication encryption method suited to the characteristics of the control system has become an urgent problem to be solved.
The control system has high requirements on communication real-time performance and reliability, and further, the controller has limited computing resources and cannot support a secure encryption protocol requiring high computing power, such as the TLS/DTLS protocol. On the other hand, the traditional equipment mostly adopts a public key encryption technology based on a digital certificate to carry out identity authentication, and the digital certificate has the problem of complexity and inconvenience in daily system maintenance.
Disclosure of Invention
(I) Technical problem to be solved
In view of the above disadvantages and shortcomings of the prior art, the present invention provides a method and a system for distributing multicast communication keys of an industrial controller, which solve the technical problems that an effective secure communication mechanism cannot be established for multicast communication related in the traditional DCS control system, and multiple security risks are caused by the fact that multicast group members cannot perform identity authentication and multicast data is not encrypted.
(II) Technical scheme
To achieve the above purpose, the invention adopts the following main technical scheme:
In a first aspect, an embodiment of the present invention provides a method for distributing a multicast communication key of an industrial controller. The method is applied between a group member and a key distribution server, where the group member is any one of the node devices participating in multicast communication in a DCS control network, and the method includes:
S1, the group member generates multicast key request information, signs the multicast key request information to obtain first signature information, generates a multicast key request message based on the multicast key request information and the first signature information, and sends the message to the key distribution server;
the multicast key request message includes: group member random number, device identification of group member, group member timestamp;
S2, the key distribution server, according to the multicast key request message, uses the group member device identifier to query the multicast group address and the multicast group communication key of the group member stored by the key distribution server, generates a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and sends the distribution message to the group member;
S3, the group member verifies the multicast communication key distribution message and, when the verification result is correct, stores the multicast communication key and multicast group address contained in the multicast communication key distribution message.
Preferably, S1 includes:
S11, the group member generates the multicast key request information;
S12, the group member signs the multicast key request information by using the private key of the group member device certificate to obtain first signature information;
S13, the group member encrypts the multicast key request information and the first signature information by using the public key of the root certificate of the key distribution server to generate a multicast key request message, and sends the multicast key request message to the key distribution server.
Preferably, S2 includes:
S21, the key distribution server receives the multicast key request message, decrypts it by using the private key of the root certificate of the key distribution server, and acquires the multicast key request information and the first signature information;
S22, the key distribution server uses the device certificate public key that it holds to verify whether the first signature information is correct and, if so, records the multicast key request information;
S23, the key distribution server uses the group member device identification to query the multicast group address and the multicast group communication key of the group member pre-stored in the key distribution server;
S24, if the query is successful, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, obtains a multicast communication key distribution message based on the multicast communication key distribution information, and sends the multicast communication key distribution message to the group member.
Preferably, S24 includes:
S241, the key distribution server generates multicast communication key distribution information based on the group member random number in the multicast key request information, the multicast group address and the multicast group communication key;
the multicast communication key distribution information includes: the group member random number, the group member multicast group address, the multicast communication key, and the key distribution server timestamp information;
S242, the key distribution server signs the multicast communication key distribution information by using the root certificate private key to obtain second signature information;
S243, the key distribution server encrypts the multicast communication key distribution information and the second signature information by using the device certificate public key contained in the group member device certificate, obtains a multicast communication key distribution message, and sends the multicast communication key distribution message to the group member.
Preferably, S3 includes:
S31, the group member receives the multicast communication key distribution message, decrypts it by using the private key of the group member device certificate, and acquires the second signature information and the multicast communication key distribution information;
S32, the group member uses the public key of the root certificate to verify the second signature information and to check whether the group member random number and the key distribution server timestamp information contained in the multicast communication key distribution information are correct;
S33, if they are correct, the group member stores the multicast communication key and the multicast group address contained in the verified multicast communication key distribution information.
In another aspect, this embodiment further provides a system for distributing multicast communication keys of an industrial controller, including:
a group member, configured to generate multicast key request information, sign the multicast key request information to obtain first signature information, generate a multicast key request message based on the multicast key request information and the first signature information, and send the multicast key request message to the key distribution server;
the multicast key request message includes: group member random number, device identification of group member, group member timestamp;
a key distribution server, configured to use the group member device identifier, according to the multicast key request message, to query the multicast group address and the multicast group communication key that it stores for the group member, generate a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and send the multicast communication key distribution message to the group member;
the group member is further configured to verify the multicast communication key distribution message and, when the verification result is correct, store the multicast communication key and the multicast group address contained in it.
Preferably,
the group member being configured to generate multicast key request information, sign the multicast key request information to obtain first signature information, generate a multicast key request message based on the multicast key request information and the first signature information, and send the multicast key request message to the key distribution server specifically includes:
the group member generates multicast key request information;
the group member signs the multicast key request information by using the group member device certificate private key to obtain first signature information;
the group member encrypts the multicast key request information and the first signature information by using the root certificate public key of the key distribution server to generate a multicast key request message, and sends the multicast key request message to the key distribution server;
the key distribution server querying, according to the multicast key request message and by using the group member device identifier, the multicast group address and the multicast group communication key of the group member, generating a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and sending the multicast communication key distribution message to the group member specifically includes:
the key distribution server receives the multicast key request message, decrypts it by using the private key of the root certificate of the key distribution server, and obtains the multicast key request information and the first signature information;
the key distribution server uses the device certificate public key that it holds to verify whether the first signature information is correct and, if so, records the multicast key request information;
the key distribution server uses the group member device identification to query the multicast group address and the multicast group communication key of the group member pre-stored in the key distribution server;
if the query is successful, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, obtains a multicast communication key distribution message based on the multicast communication key distribution information, and sends the multicast communication key distribution message to the group member;
the group member verifying the multicast communication key distribution message and, when the verification result is correct, storing the multicast communication key and the multicast group address contained in it specifically includes:
the group member receives the multicast communication key distribution message, decrypts it by using the group member device certificate private key, and acquires the second signature information and the multicast communication key distribution information;
the group member uses the public key of the root certificate to verify the second signature information and to check whether the group member random number and the key distribution server timestamp information contained in the multicast communication key distribution information are correct;
if they are correct, the group member stores the multicast communication key and the multicast group address contained in the verified multicast communication key distribution information.
Preferably,
the key distribution server generating multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, obtaining a multicast communication key distribution message based on the multicast communication key distribution information, and sending the multicast communication key distribution message to the group member specifically includes:
the key distribution server generates multicast communication key distribution information based on the group member random number in the multicast key request information, the multicast group address and the multicast group communication key;
the multicast communication key distribution information includes: the group member random number, the group member multicast group address, the multicast communication key, and the key distribution server timestamp information;
the key distribution server signs the multicast communication key distribution information by using the root certificate private key to obtain second signature information;
the key distribution server encrypts the multicast communication key distribution information and the second signature information by using the device certificate public key contained in the group member device certificate to obtain a multicast communication key distribution message, and sends the multicast communication key distribution message to the group member.
Preferably,
the key distribution server is further configured to generate multicast communication key update information and to generate a message authentication code (HMAC) of the multicast communication key update information by using the multicast communication key; the key distribution server encrypts the multicast communication key update information and the message authentication code HMAC by using the multicast communication key and then sends the result to the group members as a multicast communication key update message;
the multicast communication key update information comprises a key update timestamp and a multicast communication update key;
the group member is further configured to, after receiving the multicast communication key update message, decrypt it by using the multicast communication key, obtain and verify the multicast communication key update information and the message authentication code HMAC, and, if they are correct, take the multicast communication update key contained in the multicast communication key update information as the new multicast communication key.
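The key update message described in the preceding clause, as an added Go example that is not code from the patent: the server computes the HMAC and encrypts with the current multicast key, and the member verifies both the HMAC and the key update timestamp before switching keys. AES-CTR, HMAC-SHA256, the timestamp || key layout, the 30-second window and the names `BuildUpdate`, `ApplyUpdate` and `Member` are assumptions; the patent states only that an HMAC and encryption with the multicast communication key are used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const maxSkew = 30 // seconds; assumed acceptance window for the key update timestamp

// ctr encrypts or decrypts data in place with AES-CTR (the cipher is an assumption).
func ctr(key, iv, data []byte) error {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	cipher.NewCTR(blk, iv).XORKeyStream(data, data)
	return nil
}

// tag is the HMAC-SHA256 of the update information under the multicast key.
func tag(key, info []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(info)
	return m.Sum(nil)
}

// BuildUpdate is the server side. Update information is timestamp || new key; the
// HMAC is computed with the current key and both are encrypted with the current key.
func BuildUpdate(cur, next []byte, ts int64) ([]byte, error) {
	msg := make([]byte, aes.BlockSize+8, aes.BlockSize+8+len(next)+sha256.Size)
	if _, err := rand.Read(msg[:aes.BlockSize]); err != nil { // random IV
		return nil, err
	}
	binary.BigEndian.PutUint64(msg[aes.BlockSize:], uint64(ts))
	msg = append(msg, next...)
	msg = append(msg, tag(cur, msg[aes.BlockSize:])...)
	if err := ctr(cur, msg[:aes.BlockSize], msg[aes.BlockSize:]); err != nil {
		return nil, err
	}
	return msg, nil
}

// Member holds the current multicast key and the last accepted update timestamp.
type Member struct {
	Key    []byte
	LastTS int64
}

// ApplyUpdate is the group member side: decrypt with the current key, verify the
// HMAC, check the key update timestamp, and only then switch keys.
func (m *Member) ApplyUpdate(msg []byte, now int64) error {
	if len(msg) != aes.BlockSize+8+len(m.Key)+sha256.Size { // new key assumed same length
		return errors.New("unexpected length")
	}
	body := append([]byte(nil), msg[aes.BlockSize:]...) // decrypt a copy
	if err := ctr(m.Key, msg[:aes.BlockSize], body); err != nil {
		return err
	}
	info, mac := body[:len(body)-sha256.Size], body[len(body)-sha256.Size:]
	if !hmac.Equal(mac, tag(m.Key, info)) { // constant-time comparison
		return errors.New("HMAC mismatch")
	}
	ts := int64(binary.BigEndian.Uint64(info))
	if ts <= m.LastTS || ts > now+maxSkew || ts < now-maxSkew {
		return errors.New("stale key update timestamp")
	}
	m.Key, m.LastTS = info[8:], ts
	return nil
}

func main() { // both keys are constructed sample values
	m := &Member{Key: []byte("0123456789abcdef")}
	msg, _ := BuildUpdate(m.Key, []byte("fedcba9876543210"), 1700000000)
	err := m.ApplyUpdate(msg, 1700000005)
	fmt.Println(err, string(m.Key))
}
```

The update is authenticated only with the shared multicast key, so a valid message shows that its sender holds the current group key, not that it came from the key distribution server.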
Preferably,
the key distribution server is further configured to store the group member device identification, the device certificate and the multicast group address of each group member, thereby completing group member registration authorization.
(III) Advantageous effects
The invention has the beneficial effects that: according to the method and the system for distributing the multicast communication key of the industrial controller, the multicast key request message and the multicast communication key distribution message are adopted between the group members and the key distribution server, so that the identity legitimacy authentication of the group members and the multicast data encryption are realized, the safety is improved, and on the other hand, the communication flow is simplified through a lightweight communication key distribution mechanism.
Drawings
Fig. 1 is a schematic diagram of a multicast communication key distribution method for an industrial controller according to the present invention;
Fig. 2 is a topology diagram of a DCS multicast communication network according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an industrial controller multicast communication key distribution system according to the present invention.
Detailed Description
For the purpose of better explaining the present invention and to facilitate understanding, the present invention will be described in detail by way of specific embodiments with reference to the accompanying drawings.
In order to better understand the above technical solutions, exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Referring to Fig. 1, this embodiment provides a method for distributing a multicast communication key of an industrial controller. The method is applied between a group member and a key distribution server, where the group member is any one of the node devices participating in multicast communication in a DCS control network, and the method includes:
S1, the group member generates multicast key request information, signs the multicast key request information to obtain first signature information, generates a multicast key request message based on the multicast key request information and the first signature information, and sends the multicast key request message to the key distribution server.
The multicast key request message includes: group member random number, device identification of group member, group member timestamp.
S2, the key distribution server, according to the multicast key request message, uses the group member device identifier to query the multicast group address and the multicast group communication key that it stores for the group member, generates a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and sends the multicast communication key distribution message to the group member.
S3, the group member verifies the multicast communication key distribution message and, when the verification result is correct, stores the multicast communication key and multicast group address contained in the multicast communication key distribution message.
The method for distributing the multicast communication key of the industrial controller is applied to multicast communication identity authentication and communication encryption among the DCS controller, the operation station and the engineer station in a DCS control system. A typical DCS multicast communication network topology is shown in Fig. 2. The method involves multicast group members (that is, group members) and a key distribution server, where a group member can be any multicast communication terminal node device in the DCS control network, such as a DCS controller, an operation station or an engineer station.
In practical applications of this embodiment, S1 includes:
S11, the group member generates the multicast key request information;
S12, the group member signs the multicast key request information by using the private key of the group member device certificate to obtain first signature information;
S13, the group member encrypts the multicast key request information and the first signature information by using the public key of the root certificate of the key distribution server to generate a multicast key request message, and sends the multicast key request message to the key distribution server.
In practical applications of this embodiment, S2 includes:
S21, the key distribution server receives the multicast key request message and decrypts it by using the private key of the root certificate of the key distribution server to obtain the multicast key request information and the first signature information.
S22, the key distribution server uses the device certificate public key that it holds to verify whether the first signature information is correct and, if so, records the multicast key request information (the device certificate public key information has already been stored on the key distribution server).
S23, the key distribution server uses the group member device identification to query the multicast group address and the multicast group communication key of the group member stored in the key distribution server in advance.
Specifically, the key distribution server stores the device identifier, the device certificate, and the multicast group address of each group member that has completed registration authorization.
S24, if the query is successful, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, obtains a multicast communication key distribution message based on the multicast communication key distribution information, and sends the multicast communication key distribution message to the group member.
Specifically, if the query fails (that is, the device identifier, the device certificate, and the multicast group address of the group member are not found in the key distribution server), the subsequent process is stopped. The device certificate is a digital certificate that represents the identity of the device; it contains public key information and corresponds to private key information.
In practical applications of this embodiment, S24 includes:
S241, the key distribution server generates multicast communication key distribution information based on the group member random number in the multicast key request information, the multicast group address and the multicast group communication key;
the multicast communication key distribution information includes: the group member random number, the group member multicast group address, the multicast communication key, and the key distribution server timestamp information;
S242, the key distribution server signs the multicast communication key distribution information by using the root certificate private key to obtain second signature information (the root certificate is pre-stored on the group member device and is a digital certificate owned by the key distribution server).
S243, the key distribution server encrypts the multicast communication key distribution information and the second signature information by using the device certificate public key contained in the group member device certificate, obtains a multicast communication key distribution message, and sends the multicast communication key distribution message to the group member.
In practical applications of this embodiment, S3 includes:
S31, the group member receives the multicast communication key distribution message, decrypts it by using the private key of the group member device certificate, and acquires the second signature information and the multicast communication key distribution information.
S32, the group member uses the public key of the root certificate to verify the second signature information and to check whether the group member random number and the key distribution server timestamp information contained in the multicast communication key distribution information are correct.
S33, if they are correct, the group member stores the multicast communication key and the multicast group address contained in the verified multicast communication key distribution information.
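Steps S1 to S3, which the disclosure lists first in summary and then in this embodiment, written out as an added Go example (not code from the patent) with both sides of the exchange. Assumptions, since the patent names no algorithms or encodings: RSA-2048 keys used with PSS signatures and OAEP key wrapping, a one-time AES-256-GCM key for the payload, JSON encoding, a 30-second timestamp window, and all function, type and sample names (`seal`, `open`, `request`, `handle`, `accept`, `Info`, `Entry`, `ctrl-01`, `239.1.1.10`).

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Info is the signed payload; requests leave GroupAddr/GroupKey empty, replies leave DeviceID empty.
type Info struct {
	Nonce, GroupKey     []byte
	DeviceID, GroupAddr string
	Time                int64
}
type signed struct{ Body, Sig []byte } // information and signature, before encryption
type Entry struct { // registration record on the key distribution server
	Cert *rsa.PublicKey // public key of the member's device certificate
	Info                // GroupAddr and GroupKey registered for that device
}
func must[T any](v T, err error) T { // only where failure means a broken RNG or key
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
// seal signs, then encrypts information+signature: one-time AES-256-GCM key wrapped with RSA-OAEP.
func seal(in Info, from *rsa.PrivateKey, to *rsa.PublicKey) []byte {
	raw := must(json.Marshal(in))
	sum := sha256.Sum256(raw)
	sig := must(rsa.SignPSS(rand.Reader, from, crypto.SHA256, sum[:], nil))
	rnd := make([]byte, 32+12) // AES key, then GCM nonce
	must(rand.Read(rnd))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, to, rnd[:32], nil))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(rnd[:32]))))
	return gcm.Seal(append(wrapped, rnd[32:]...), rnd[32:], must(json.Marshal(signed{raw, sig})), nil)
}
// open decrypts, parses, then verifies with the key signer picks (the server must read DeviceID first).
func open(msg []byte, me *rsa.PrivateKey, now int64, signer func(Info) *rsa.PublicKey) (Info, error) {
	s, in, n := signed{}, Info{}, me.Size()
	if len(msg) < n+12 {
		return Info{}, fmt.Errorf("short message")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me, msg[:n], nil)
	if err != nil || len(key) != 32 {
		return Info{}, fmt.Errorf("key unwrap failed")
	}
	plain, err := must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, msg[n:n+12], msg[n+12:], nil)
	if err != nil || json.Unmarshal(plain, &s) != nil || json.Unmarshal(s.Body, &in) != nil {
		return Info{}, fmt.Errorf("decryption or parsing failed")
	}
	sum := sha256.Sum256(s.Body)
	if pub := signer(in); pub == nil || rsa.VerifyPSS(pub, crypto.SHA256, sum[:], s.Sig, nil) != nil {
		return Info{}, fmt.Errorf("unknown device or bad signature")
	}
	if d := now - in.Time; d > 30 || d < -30 { // 30 s freshness window is an assumption
		return Info{}, fmt.Errorf("stale timestamp")
	}
	return in, nil
}
// request is S11-S13; the caller keeps nonce to match the reply against it.
func request(id string, dev *rsa.PrivateKey, root *rsa.PublicKey, now int64) (msg, nonce []byte) {
	nonce = make([]byte, 16)
	must(rand.Read(nonce))
	return seal(Info{Nonce: nonce, DeviceID: id, Time: now}, dev, root), nonce
}
// handle is S21-S24 on the key distribution server.
func handle(root *rsa.PrivateKey, reg map[string]Entry, msg []byte, now int64) ([]byte, error) {
	req, err := open(msg, root, now, func(in Info) *rsa.PublicKey { return reg[in.DeviceID].Cert })
	if err != nil {
		return nil, err
	}
	e := reg[req.DeviceID] // S23: registered, or the signature check would have failed
	e.Nonce, e.Time = req.Nonce, now // S241: echo the member's random number
	return seal(e.Info, root, e.Cert), nil
}
// accept is S31-S33; the caller stores GroupKey and GroupAddr only when err is nil.
func accept(dev *rsa.PrivateKey, root *rsa.PublicKey, nonce, msg []byte, now int64) (Info, error) {
	d, err := open(msg, dev, now, func(Info) *rsa.PublicKey { return root })
	if err == nil && string(d.Nonce) != string(nonce) {
		return Info{}, fmt.Errorf("random number mismatch")
	}
	return d, err
}

func main() { // device ID, group address and group key are constructed sample values
	root, dev := newKey(), newKey()
	reg := map[string]Entry{"ctrl-01": {&dev.PublicKey, Info{GroupAddr: "239.1.1.10", GroupKey: []byte("0123456789abcdef")}}}
	req, nonce := request("ctrl-01", dev, &root.PublicKey, 1700000000)
	resp, _ := handle(root, reg, req, 1700000001)
	d, err := accept(dev, &root.PublicKey, nonce, resp, 1700000002)
	fmt.Println(d.GroupAddr, err)
}
```

A reply captured earlier fails `accept` for any later request because the echoed random number no longer matches, and a request signed with a key other than the registered device certificate key fails `handle`.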
On the other hand, referring to fig. 3, the embodiment further provides an industrial controller multicast communication key distribution system, including:
and the group member is used for generating multicast key request information, signing the multicast key request information, acquiring first signature information, further generating a multicast key request message based on the multicast key request information and the first signature information, and sending the multicast key request message to the key distribution server.
The multicast key request message includes: group member random number, device identification of group member, group member timestamp.
The key distribution server, which is used for inquiring the multicast group address and the multicast group communication key of the group member stored by the group member equipment according to the multicast key request message and by using the group member equipment identifier, further generating a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key and sending the multicast communication key distribution message to the group member.
The group member is also used for verifying the multicast communication key distribution message and storing the multicast communication key and the multicast group address corresponding to the multicast communication key distribution message with the correct verification result.
In practical application of this embodiment, the group member is configured to generate multicast key request information, sign the multicast key request information, acquire first signature information, generate a multicast key request message based on the multicast key request information and the first signature information, and send the multicast key request message to the key distribution server, which specifically includes:
The group member generates multicast key request information.
The group member signs the multicast key request information by using the private key of the group member device certificate to acquire first signature information.
The group member encrypts the multicast key request information and the first signature information by using a root certificate public key of the key distribution server to generate a multicast key request message, and sends the multicast key request message to the key distribution server.
The key distribution server queries, according to the multicast key request message, a multicast group address and a multicast group communication key, where the group member is located, by using the group member device identifier, and further generates, based on the multicast key request message, the multicast group address and the multicast group communication key, a multicast communication key distribution message and sends the multicast communication key distribution message to the group members, which specifically includes:
The key distribution server receives the multicast key request message, decrypts the multicast key request message by using a private key of a root certificate of the key distribution server, and acquires multicast key request information and first signature information.
The key distribution server adopts the device certificate public key contained in the key distribution server to verify whether the first signature information is correct, and if so, the multicast key request information is recorded.
The key distribution server uses the group member device identification to inquire the multicast group address and the multicast group communication key of the group member prestored in the key distribution server.
If the inquiry is successful, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, acquires a multicast communication key distribution message based on the multicast communication key distribution information, and further sends the multicast communication key distribution message to group members.
The group member verifies the multicast communication key distribution message, and stores the multicast communication key and the multicast group address corresponding to the multicast communication key distribution message with the verification result being correct.
The group member receives the multicast communication key distribution message, decrypts the multicast communication key distribution message by using the private key of the group member equipment certificate, and acquires second signature information and multicast communication key distribution information.
The group member verifies whether the group member random number and the time stamp information of the key distribution server contained in the second signature information and the multicast communication key distribution information are correct or not by using the public key of the root certificate.
If the multicast communication key distribution information is correct, the group members store the multicast communication key and the multicast group address in the multicast communication key distribution information with the correct verification result.
In practical application of this embodiment, the key distribution server generates multicast communication key distribution information based on the multicast key request information, a multicast group address, and a multicast group communication key, obtains a multicast communication key distribution packet based on the multicast communication key distribution information, and further sends the multicast communication key distribution packet to group members, which specifically includes:
The key distribution server generates multicast communication key distribution information based on the group member random number, the multicast group address and the multicast group communication key in the multicast key request information.
The multicast communication key distribution information includes: the group member random number, the group member multicast group address, the multicast communication key and the time stamp information of the key distribution server.
The key distribution server signs the multicast communication key distribution information by using the root certificate private key to acquire second signature information.
The key distribution server encrypts the multicast communication key distribution information and the second signature information by using the equipment certificate public key contained in the group member equipment certificate to obtain a multicast communication key distribution message and sends the multicast communication key distribution message to the group members.
In practical application of this embodiment, the key distribution server is further configured to generate multicast communication key update information and to generate a message authentication code (HMAC) of the multicast communication key update information by using the multicast communication key; the key distribution server encrypts the multicast communication key update information and the HMAC by using the multicast communication key, and sends the result to the group members as a multicast communication key update message.
The multicast communication key updating information comprises a key updating timestamp and a multicast communication updating key.
The industrial controller multicast communication key distribution system in this embodiment implements a multicast key update function. Source authentication of the multicast key update information and encryption of the communication data are both based on shared-key technology, which is more efficient than public-key encryption, so the multicast key can be updated quickly and key distribution efficiency is improved while communication security is ensured. Updating the multicast communication key periodically improves system security.
The group member is further used for decrypting the multicast communication key update message with the multicast communication key after receiving it, acquiring and verifying the multicast communication key update information and the message authentication code HMAC, and, if they are correct, taking the multicast communication key in the multicast communication key update information as the new multicast communication key.
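The key update check described above, as an added example that is not code from the patent: the server tags the update information with an HMAC under the current multicast key, and the member verifies the tag before rotating. Assumptions: HMAC-SHA256, the byte layout, and the rule that an update timestamp must be newer than the last accepted one are illustrative choices; the example works on the plaintext left after the multicast-key decryption step, which is omitted.

```python
import hashlib
import hmac
import struct

# Assumed layout of the update information: 64-bit key update timestamp
# followed by the 32-byte updated multicast key. The HMAC tag is appended.
UPDATE_FMT = "!Q32s"
TAG_LEN = hashlib.sha256().digest_size


def build_update(current_key, new_key, update_ts):
    """Server side: update information plus its HMAC under the current key."""
    info = struct.pack(UPDATE_FMT, update_ts, new_key)
    return info + hmac.new(current_key, info, hashlib.sha256).digest()


class MemberKeyState:
    def __init__(self, group_key, installed_ts):
        self.group_key = group_key
        self.last_update_ts = installed_ts

    def apply_update(self, plaintext):
        """Verify an update and rotate the key. Returns a verdict string."""
        if len(plaintext) != struct.calcsize(UPDATE_FMT) + TAG_LEN:
            return "malformed"
        info, tag = plaintext[:-TAG_LEN], plaintext[-TAG_LEN:]
        expected = hmac.new(self.group_key, info, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "bad hmac"
        update_ts, new_key = struct.unpack(UPDATE_FMT, info)
        # Assumed freshness rule: timestamps must strictly increase.
        if update_ts <= self.last_update_ts:
            return "replayed or out of order"
        self.group_key = new_key
        self.last_update_ts = update_ts
        return "rotated"


def demo_update():
    """Feeds constructed update messages to a member and collects verdicts."""
    k0, k1, k2 = (bytes([b]) * 32 for b in (0x11, 0x22, 0x33))  # constructed
    t0 = 1_700_000_000                                          # constructed
    member = MemberKeyState(k0, installed_ts=t0)
    first = build_update(k0, k1, t0 + 600)

    verdicts = [
        member.apply_update(first[:-1]),                        # truncated
        member.apply_update(build_update(bytes(32), k2, t0 + 700)),  # wrong key
        member.apply_update(first),                             # genuine
        # Same bytes again: the tag was made under k0, the member now holds k1.
        member.apply_update(first),
        # Valid tag under the current key, but an older timestamp.
        member.apply_update(build_update(k1, k2, t0 + 300)),
        member.apply_update(build_update(k1, k2, t0 + 1200)),   # next rotation
    ]
    return verdicts, member.group_key == k2


if __name__ == "__main__":
    print(demo_update())
```

Because the tag is keyed with the shared multicast key, it shows that the sender holds the group key, not which holder of that key produced the update.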
In practical application of this embodiment, the key distribution server is further configured to store the group member device identifier, the device certificate, and the multicast group address thereof, so as to complete group member registration authorization.
In the method and system for distributing the multicast communication key of the industrial controller in the embodiment, since the multicast key request message and the multicast communication key distribution message are adopted between the group members and the key distribution server, the identity legitimacy authentication of the group members and the multicast data encryption are realized, the safety is improved, and on the other hand, the communication flow is simplified through a lightweight communication key distribution mechanism.
Since the system described in the above embodiment of the present invention is a system used for implementing the method of the above embodiment of the present invention, based on the method described in the above embodiment of the present invention, a person skilled in the art can understand the specific structure and the modification of the system/apparatus, and thus the detailed description is omitted here. All systems adopted by the method of the above embodiments of the present invention are within the intended scope of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the terms first, second, third and the like are for convenience only and do not denote any order. These words are to be understood as part of the name of the component.
Furthermore, it should be noted that in the description of the present specification, the description of the term "one embodiment", "some embodiments", "examples", "specific examples" or "some examples", etc., means that a specific feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined by one skilled in the art without contradiction.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, the claims should be construed to include preferred embodiments and all changes and modifications that fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention should also include such modifications and variations.

Claims (10)

1. A multicast communication key distribution method of an industrial controller is characterized in that the method is applied between a group member and a key distribution server, wherein the group member is any node equipment participating in multicast communication in a DCS control network, and the method comprises the following steps:
S1, the group member generates the multicast key request information, signs the multicast key request information, acquires the first signature information, further generates the multicast key request message based on the multicast key request information and the first signature information, and sends the message to the key distribution server;
the multicast key request message includes: group member random number, device identification of group member, group member timestamp;
S2, the key distribution server queries the multicast group address and the multicast group communication key of the group member stored by the key distribution server according to the multicast key request message and by using the group member device identifier, and further generates a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key and sends the distribution message to the group member;
S3, the group member verifies the multicast communication key distribution message and, when the verification result is correct, stores the corresponding multicast communication key and multicast group address in the multicast communication key distribution message.
2. The method according to claim 1, wherein the S1 includes:
S11, the group member generates the multicast key request information;
S12, the group member signs the multicast key request information by using the private key of the group member device certificate to obtain first signature information;
S13, the group member encrypts the multicast key request information and the first signature information by using a public key of a root certificate of a key distribution server to generate a multicast key request message, and sends the multicast key request message to the key distribution server.
3. The method according to claim 2, wherein the S2 includes:
S21, the key distribution server receives the multicast key request message, decrypts the multicast key request message by using the private key of the root certificate of the key distribution server, and acquires multicast key request information and first signature information;
S22, the key distribution server adopts the device certificate public key contained in the key distribution server to verify whether the first signature information is correct, if so, the multicast key request information is recorded;
S23, the key distribution server uses the group member device identification to inquire the multicast group address and the multicast group communication key of the group member pre-stored in the key distribution server;
S24, if the inquiry is successful, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, acquires a multicast communication key distribution message based on the multicast communication key distribution information, and further sends the multicast communication key distribution message to group members.
4. The method according to claim 3, wherein the S24 includes:
S241, the key distribution server generates multicast communication key distribution information based on the group member random number, the multicast group address and the multicast group communication key in the multicast key request information;
the multicast communication key distribution information includes: the group member random number, the group member multicast group address, the multicast communication key and the time stamp information of the key distribution server;
S242, the key distribution server signs the multicast communication key distribution information by using the root certificate private key to acquire second signature information;
S243, the key distribution server encrypts the multicast communication key distribution information and the second signature information by using the device certificate public key contained in the group member device certificate, acquires a multicast communication key distribution message, and sends the multicast communication key distribution message to the group members.
5. The method according to claim 4, wherein the S3 includes:
S31, the group member receives the multicast communication key distribution message, decrypts the multicast communication key distribution message by using the private key of the group member device certificate, and acquires second signature information and multicast communication key distribution information;
S32, the group member uses the public key of the root certificate to verify whether the random number of the group member and the timestamp information of the key distribution server contained in the second signature information and the multicast communication key distribution information are correct;
S33, if the verification result is correct, the group member stores the multicast communication key and the multicast group address contained in the multicast communication key distribution information.
6. An industrial controller multicast communication key distribution system, comprising:
the group member is used for generating multicast key request information, signing the multicast key request information, acquiring first signature information, further generating a multicast key request message based on the multicast key request information and the first signature information, and sending the multicast key request message to the key distribution server;
the multicast key request message includes: group member random number, device identification of group member, group member timestamp;
the key distribution server is used for inquiring the multicast group address and the multicast group communication key of the group member stored by the group member equipment according to the multicast key request message and by using the group member equipment identifier, further generating a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key and sending the multicast communication key distribution message to the group member;
the group members are also used for verifying the multicast communication key distribution message and storing the multicast communication key and the multicast group address corresponding to the multicast communication key distribution message with the correct verification result.
7. The system of claim 6,
the group member is configured to generate multicast key request information, sign the multicast key request information, acquire first signature information, generate a multicast key request packet based on the multicast key request information and the first signature information, and send the multicast key request packet to a key distribution server, and specifically includes:
the group member generates multicast key request information;
the group member signs the multicast key request information by using a group member device certificate private key to acquire first signature information;
the group member encrypts the multicast key request information and the first signature information by using a root certificate public key of a key distribution server to generate a multicast key request message, and sends the multicast key request message to the key distribution server;
the key distribution server queries, according to the multicast key request message, a multicast group address and a multicast group communication key, where the group member is located, by using the group member device identifier, and further generates, based on the multicast key request message, the multicast group address and the multicast group communication key, a multicast communication key distribution message and sends the multicast communication key distribution message to the group members, which specifically includes:
the key distribution server receives the multicast key request message, decrypts the multicast key request message by using a private key of a root certificate of the key distribution server, and obtains multicast key request information and first signature information;
the key distribution server adopts the device certificate public key contained in the key distribution server to verify whether the first signature information is correct, and if so, the multicast key request information is recorded;
the key distribution server uses the group member device identification to inquire the multicast group address and the multicast group communication key of the group member pre-stored in the key distribution server;
if the inquiry is successful, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, acquires a multicast communication key distribution message based on the multicast communication key distribution information, and further sends the multicast communication key distribution message to group members;
the group member verifies the multicast communication key distribution message, and stores the multicast communication key and the multicast group address corresponding to the multicast communication key distribution message with the correct verification result, which specifically comprises:
the group member receives the multicast communication key distribution message, decrypts the multicast communication key distribution message by using the group member device certificate private key, and acquires second signature information and multicast communication key distribution information;
the group member uses the public key of the root certificate to verify whether the random number of the group member and the timestamp information of the key distribution server contained in the second signature information and the multicast communication key distribution information are correct;
if the multicast communication key distribution information is correct, the group members store the multicast communication key and the multicast group address in the multicast communication key distribution information with the correct verification result.
8. The system of claim 7,
the key distribution server generates multicast communication key distribution information based on the multicast key request information, a multicast group address and a multicast group communication key, acquires a multicast communication key distribution message based on the multicast communication key distribution information, and further sends the multicast communication key distribution message to group members, which specifically includes:
the key distribution server generates multicast communication key distribution information based on the group member random number, the multicast group address and the multicast group communication key in the multicast key request information;
the multicast communication key distribution information includes: the group member random number, the group member multicast group address, the multicast communication key and the time stamp information of the key distribution server;
the key distribution server signs the multicast communication key distribution information by using a root certificate private key to acquire second signature information;
and the key distribution server encrypts the multicast communication key distribution information and the second signature information by using the equipment certificate public key contained in the group member equipment certificate to obtain a multicast communication key distribution message and sends the multicast communication key distribution message to the group members.
9. The system of claim 8,
the key distribution server is also used for generating multicast communication key updating information and generating a message authentication code (HMAC) of the multicast communication key updating information by using the multicast communication key; the key distribution server encrypts the multicast communication key updating information and the message authentication code HMAC by using the multicast communication key and then sends the result to the group members as a multicast communication key updating message;
the multicast communication key updating information comprises a key updating timestamp and a multicast communication updating key;
and the group member is also used for decrypting by using the multicast communication key after receiving the multicast communication key updating message, acquiring and verifying multicast communication key updating information and the message authentication code HMAC, and if the multicast communication key updating information and the message authentication code HMAC are correct, taking the multicast communication key in the multicast communication key updating information as a new multicast communication key.
10. The system of claim 9,
the key distribution server is also used for storing the group member device identification, the device certificate and the multicast group address thereof to finish the group member registration authorization.
CN202111555495.0A 2021-12-17 2021-12-17 Industrial controller multicast communication key distribution method and system Pending CN114422118A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111555495.0A CN114422118A (en) 2021-12-17 2021-12-17 Industrial controller multicast communication key distribution method and system
PCT/CN2022/134182 WO2023109468A1 (en) 2021-12-17 2022-11-24 Multicast communication key distribution method and system for industrial controller

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111555495.0A CN114422118A (en) 2021-12-17 2021-12-17 Industrial controller multicast communication key distribution method and system

Publications (1)

Publication Number Publication Date
CN114422118A true CN114422118A (en) 2022-04-29

Family

ID=81266725

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111555495.0A Pending CN114422118A (en) 2021-12-17 2021-12-17 Industrial controller multicast communication key distribution method and system

Country Status (2)

Country Link
CN (1) CN114422118A (en)
WO (1) WO2023109468A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115460134A (en) * 2022-09-05 2022-12-09 国网智能电网研究院有限公司 MEC data multicast forwarding method for power 5G service
WO2023109468A1 (en) * 2021-12-17 2023-06-22 浙江中控技术股份有限公司 Multicast communication key distribution method and system for industrial controller

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6295361B1 (en) * 1998-06-30 2001-09-25 Sun Microsystems, Inc. Method and apparatus for multicast indication of group key change
JP2005311531A (en) * 2004-04-19 2005-11-04 Ntt Software Corp Digital signature processing method and program therefor
CN112350826A (en) * 2021-01-08 2021-02-09 浙江中控技术股份有限公司 Industrial control system digital certificate issuing management method and encrypted communication method
CN112653551A (en) * 2020-10-11 2021-04-13 黑龙江头雁科技有限公司 Centralized key management method based on key distribution multicast
US20210250193A1 (en) * 2020-02-11 2021-08-12 Honeywell International Inc. System for communication on a network

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100403814C (en) * 2004-11-25 2008-07-16 华为技术有限公司 Packet broadcasting service key controlling method
CN101155027B (en) * 2006-09-27 2012-07-04 华为技术有限公司 Key sharing method and system
US8762707B2 (en) * 2009-07-14 2014-06-24 At&T Intellectual Property I, L.P. Authorization, authentication and accounting protocols in multicast content distribution networks
CN108737430B (en) * 2018-05-25 2020-07-17 全链通有限公司 Encryption communication method and system for block chain node
CN114422118A (en) * 2021-12-17 2022-04-29 浙江中控技术股份有限公司 Industrial controller multicast communication key distribution method and system

Also Published As

Publication number Publication date
WO2023109468A1 (en) 2023-06-22

Similar Documents

Publication Publication Date Title
US11784788B2 (en) Identity management method, device, communications network, and storage medium
JP5975594B2 (en) Communication terminal and communication system
CN110581854B (en) Intelligent terminal safety communication method based on block chain
JP5288210B2 (en) Unicast key management method and multicast key management method in network
US6192130B1 (en) Information security subscriber trust authority transfer system with private key history transfer
CN101090316B (en) Identify authorization method between storage card and terminal equipment at off-line state
WO2023109468A1 (en) Multicast communication key distribution method and system for industrial controller
CN101483866B (en) WAPI terminal certificate managing method, apparatus and system
CN102238000B (en) Encrypted communication method, device and system
US20120324218A1 (en) Peer-to-Peer Trusted Network Using Shared Symmetric Keys
WO2013134927A1 (en) Transport layer security-based key delivery method, smart meter reading terminal and server
CN112311537B (en) Block chain-based equipment access authentication system and method
CN101356759A (en) Token-based distributed generation of security keying material
CN113630248B (en) Session key negotiation method
CN108259469A (en) Cluster security authentication method based on block chain, node and cluster
CN109474432A (en) Digital certificate management method and equipment
CN101217364B (en) An organization structure and maintenance method of security context in media accessing control system
CN112804356B (en) Block chain-based networking equipment supervision authentication method and system
CN115632779B (en) Quantum encryption communication method and system based on power distribution network
CN102255916A (en) Access authentication method, device, server and system
EP2856789A1 (en) Method for tracking a mobile device onto a remote displaying unit
US7751569B2 (en) Group admission control apparatus and methods
CN114726555A (en) Authentication and key agreement method, device and storage medium
JP2003348072A (en) Method and device for managing encryption key in autonomous distribution network
CN112822216A (en) Authentication method for binding of Internet of things sub-equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination