CN114422205B - Method for establishing network layer data tunnel of special CPU chip for electric power - Google Patents


Info

Publication number
CN114422205B
Authority
CN
China
Prior art keywords
gateway
hash value
power terminal
terminal
electric power
Prior art date
Legal status
Active
Application number
CN202111638712.2A
Other languages
Chinese (zh)
Other versions
CN114422205A (en)
Inventor
周柯
金庆忍
习伟
姚浩
莫枝阅
王晓明
李肖博
蔡田田
于杨
冯起辉
王泽宇
Current Assignee
Electric Power Research Institute of Guangxi Power Grid Co Ltd
Southern Power Grid Digital Grid Research Institute Co Ltd
Original Assignee
Electric Power Research Institute of Guangxi Power Grid Co Ltd
Southern Power Grid Digital Grid Research Institute Co Ltd
Application filed by Electric Power Research Institute of Guangxi Power Grid Co Ltd and Southern Power Grid Digital Grid Research Institute Co Ltd
Priority to CN202111638712.2A
Publication of CN114422205A
Application granted
Publication of CN114422205B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S 40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a method for establishing a network layer data tunnel for a power-dedicated CPU chip, in the technical field of electric power. It addresses the insufficient security of data transmission between a master station and a power terminal in existing systems by using an IPsec system to establish a dedicated IPsec tunnel between the power terminal and an encryption authentication gateway and by carrying the network layer traffic over that tunnel. Before the master station interacts with the power terminal, the encryption authentication gateway and the power terminal perform bidirectional identity authentication and harden the data transmission through the ESP tunnel.

Description

Method for establishing network layer data tunnel of special CPU chip for electric power
Technical Field
The invention belongs to the technical field of electric power, and in particular relates to a method for establishing a network layer data tunnel for a power-dedicated CPU chip.
Background
The power-dedicated CPU chip consists of a security subsystem, an application subsystem and an inter-core communication module. The application subsystem comprises a TCP/IP protocol stack with IPsec, a COS (chip operating system), a communication module, a cryptographic algorithm module and low-level drivers; the security subsystem comprises a secure cryptographic algorithm module, a COS and low-level drivers. The IPsec-capable protocol stack module processes network packets and carries the IPsec-protected traffic.
IPsec is not a single protocol; it is a complete architecture for securing data at the IP layer, providing both an authentication mechanism and an encryption mechanism. Authentication lets the receiver of IP traffic confirm the true identity of the sender and detect whether the data was tampered with in transit. Encryption keeps the data confidential so that it cannot be read by an eavesdropper in transit.
IPsec comprises the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP) protocol, the Internet Key Exchange (IKE) protocol, and a set of algorithms for authentication and encryption. AH and ESP provide the security services on the packets themselves; IKE negotiates the keys.
IKE is built on the Internet Security Association and Key Management Protocol (ISAKMP) framework together with the Oakley and SKEME key exchange schemes. IKE never transmits a key over the network; instead, through a series of exchanges, both parties compute a shared key, and a third party that captures every exchanged message still cannot compute that key from them.
The system master station and the power terminal use application layer encryption and authentication, with an IPsec security chip performing the authentication and the business operations, and the security of data transmission must be ensured before the master station interacts with the terminal. A method for establishing a network layer data tunnel for the power-dedicated CPU chip is therefore needed.
Disclosure of Invention
The invention aims to provide a method for establishing a network layer data tunnel for a power-dedicated CPU chip, and thereby to overcome the insufficient security of data transmission between the master station and the power terminal in existing systems.
To this end, the invention provides a method for establishing a network layer data tunnel of a special CPU chip for electric power, comprising: establishing a dedicated IPsec tunnel between the power terminal and the encryption authentication gateway by means of an IPsec system, and carrying network layer data securely through that tunnel, wherein establishing the IPsec tunnel comprises the following steps:
the power terminal sends a proposed Security Association (SA) payload to the encryption authentication gateway;
after confirming the SA payload, the encryption authentication gateway returns the accepted SA proposal together with the gateway certificate to the power terminal;
on receiving the SA proposal and the gateway certificate, the power terminal generates the first-stage key and sends it to the encryption authentication gateway;
on receiving the first-stage key, the encryption authentication gateway generates the second-stage key and sends it to the power terminal;
both sides compute and verify hash values over the data of the two key stages; this hash verification completes the exchange and yields the session keys for inbound and outbound traffic;
the power terminal and the encryption authentication gateway establish an ESP tunnel with the session keys and communicate through it.
Preferably, the step in which the power terminal, on receiving the SA proposal and the gateway certificate, generates the first-stage key and sends it to the encryption authentication gateway specifically comprises:
on receiving the SA proposal and the gateway certificate, the power terminal encrypts its terminal identity information and a terminal random number with a terminal temporary key to obtain a terminal identity ciphertext and a terminal random number ciphertext, encrypts the terminal temporary key with the public key in the gateway certificate to obtain a terminal temporary key ciphertext, digitally signs the three ciphertexts together, and sends them with the signature to the encryption authentication gateway.
Preferably, the step in which the encryption authentication gateway, on receiving the first-stage key, generates the second-stage key and sends it to the power terminal specifically comprises:
on receiving the first-stage key, the encryption authentication gateway verifies the digital signature on the received data and decrypts the data only if the signature is correct; it then encrypts its gateway identity information and a gateway random number with a gateway temporary key to obtain a gateway identity ciphertext and a gateway random number ciphertext, encrypts the gateway temporary key with the public key in the terminal certificate to obtain a gateway temporary key ciphertext, digitally signs the three ciphertexts together, and sends them with the signature to the power terminal.
Preferably, the step of computing and verifying hash values over the data of the two key stages, completing the exchange through hash verification and generating the session keys for inbound and outbound traffic specifically comprises:
the power terminal computes the hash value over the first-stage key data, encrypts it and sends it to the encryption authentication gateway;
the encryption authentication gateway computes the hash value over the second-stage key data, encrypts it and sends it to the power terminal;
the power terminal verifies the two hash values, computes a new hash value, encrypts it and sends it to the encryption authentication gateway.
Preferably, the step in which the power terminal computes the hash value over the first-stage key data, encrypts it and sends it to the encryption authentication gateway specifically comprises:
the power terminal computes a new hash value with a pseudo-random function over the authentication key, the random numbers, the SA and the terminal ID, encrypts it and sends it to the encryption authentication gateway.
Preferably, the step in which the encryption authentication gateway computes the hash value over the second-stage key data, encrypts it and sends it to the power terminal specifically comprises:
the encryption authentication gateway computes a new hash value with a pseudo-random function over the authentication key, the random numbers, the SA and the gateway ID, encrypts it and sends it to the power terminal.
Preferably, the step in which the power terminal verifies the two hash values, computes a new hash value, encrypts it and sends it to the encryption authentication gateway specifically comprises:
the power terminal verifies the two hash values, computes a new hash value with a pseudo-random function over the authentication key, the random numbers and the terminal ID, encrypts it and sends it to the encryption authentication gateway.
Preferably, before the master station interacts with the power terminal, the encryption authentication gateway and the power terminal perform bidirectional identity authentication and data transmission hardening through the IPsec tunnel.
Compared with the prior art, the invention has the following beneficial effects:
The method establishes a dedicated IPsec tunnel between the power terminal and the encryption authentication gateway by means of an IPsec system and carries network layer data securely through it. The tunnel is established as follows: the power terminal sends a proposed SA payload to the encryption authentication gateway; after confirming it, the gateway returns the accepted SA proposal and the gateway certificate to the terminal; the terminal generates the first-stage key and sends it to the gateway; the gateway generates the second-stage key and sends it to the terminal; both sides compute and verify hash values over the data of the two key stages, which completes the exchange and yields the session keys for inbound and outbound traffic; finally the terminal and the gateway establish an ESP tunnel with the session keys and communicate through it. As a result, before the master station interacts with the power terminal, the encryption authentication gateway and the power terminal can perform bidirectional identity authentication and harden the data transmission through the ESP tunnel, which overcomes the insufficient security of data transmission between the master station and the power terminal in existing systems.
Drawings
In order to more clearly illustrate the technical solutions of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawing in the description below is only one embodiment of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method for establishing a network layer data tunnel of a special CPU chip for electric power.
Detailed Description
The following description of the embodiments of the present invention will be made more apparent and fully by reference to the accompanying drawings, in which it is shown, however, only some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in Fig. 1, the method for establishing the network layer data tunnel of the special CPU chip for electric power provided by the invention comprises the following: a dedicated IPsec tunnel is established between the power terminal and the encryption authentication gateway by means of an IPsec system, and network layer data is carried securely through it. In IPsec tunnel mode the user's entire original IP packet is protected: the AH or ESP header is computed over the whole packet, and that header together with the original packet (encrypted, in the case of ESP) is encapsulated in a new IP packet behind a new outer IP header. The IPsec tunnel establishment comprises the following steps:
S1. The power terminal sends a proposed Security Association (SA) payload to the encryption authentication gateway.
S2. After confirming the SA payload, the encryption authentication gateway returns the accepted SA proposal together with the gateway certificate to the power terminal.
S3. On receiving the SA proposal and the gateway certificate, the power terminal generates the first-stage key and sends it to the encryption authentication gateway; specifically:
on receiving the SA proposal and the gateway certificate, the power terminal encrypts its terminal identity information and a terminal random number with a terminal temporary key to obtain a terminal identity ciphertext and a terminal random number ciphertext, encrypts the terminal temporary key with the public key in the gateway certificate to obtain a terminal temporary key ciphertext, digitally signs the three ciphertexts together, and sends them with the signature to the encryption authentication gateway.
S4. On receiving the first-stage key, the encryption authentication gateway generates the second-stage key and sends it to the power terminal; specifically:
on receiving the first-stage key, that is, the terminal identity ciphertext, the terminal random number ciphertext and the terminal temporary key ciphertext, the encryption authentication gateway verifies the digital signature on the received data; only when the signature is correct does it decrypt the data. It then encrypts its gateway identity information and a gateway random number with a gateway temporary key to obtain a gateway identity ciphertext and a gateway random number ciphertext, encrypts the gateway temporary key with the public key in the terminal certificate to obtain a gateway temporary key ciphertext, digitally signs the three ciphertexts together, and sends them with the signature to the power terminal.
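Steps S3 and S4 describe the same message construction from each side: encrypt identity and random number under a fresh temporary key, wrap that key with the public key from the peer's certificate, sign the three ciphertexts, and on receipt verify the signature before decrypting anything. The following Go program is an added example written for this page, not code from the patent or from the chip it describes. It models each certificate as a bare RSA-2048 key pair, uses RSA-OAEP for key wrapping, RSA-PSS for the signature and AES-256-GCM for the temporary-key encryption (all assumptions; the patent fixes none of these algorithms), and the names Party, StageMsg, buildStage and verifyStage are the example's own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint (power terminal or encryption authentication gateway).
// Its RSA key pair stands in for the certificate; chain validation is assumed done.
type Party struct {
	ID   string
	Priv *rsa.PrivateKey
}

func NewParty(id string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Party{ID: id, Priv: k}, err
}

// aead wraps the 256-bit temporary key in AES-GCM (assumed; the patent leaves the
// symmetric algorithm open). A wrong key length is a programming error, hence panic.
func aead(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(blk)
	if err != nil {
		panic(err)
	}
	return g
}

func seal(key, pt []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // fresh nonce per ciphertext; never reused under one key
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	g := aead(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// StageMsg is the first-stage (S3) or second-stage (S4) message: identity and nonce
// encrypted under a fresh temporary key, that key wrapped with the peer's public
// key, and one signature covering all three ciphertexts.
type StageMsg struct{ IDCt, NonceCt, WrappedKey, Sig []byte }

func (m StageMsg) digest() []byte {
	d := sha256.Sum256(bytes.Join([][]byte{m.IDCt, m.NonceCt, m.WrappedKey}, nil))
	return d[:]
}

// buildStage is the sender side of S3 (terminal) or S4 (gateway).
func buildStage(from *Party, peer *rsa.PublicKey, nonce []byte) (StageMsg, error) {
	tmp := make([]byte, 32)
	rand.Read(tmp)
	m := StageMsg{IDCt: seal(tmp, []byte(from.ID)), NonceCt: seal(tmp, nonce)}
	var err error
	if m.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, peer, tmp, nil); err != nil {
		return StageMsg{}, err
	}
	m.Sig, err = rsa.SignPSS(rand.Reader, from.Priv, crypto.SHA256, m.digest(), nil)
	return m, err
}

// verifyStage is the receiver side. The signature is checked first, so a forged
// message is dropped before any private-key decryption; only then is the temporary
// key unwrapped and the identity and nonce recovered.
func verifyStage(to *Party, peer *rsa.PublicKey, m StageMsg) (string, []byte, error) {
	if err := rsa.VerifyPSS(peer, crypto.SHA256, m.digest(), m.Sig, nil); err != nil {
		return "", nil, fmt.Errorf("stage signature: %w", err)
	}
	tmp, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, to.Priv, m.WrappedKey, nil)
	if err != nil {
		return "", nil, errors.New("cannot unwrap temporary key")
	}
	id, err := open(tmp, m.IDCt)
	if err != nil {
		return "", nil, err
	}
	nonce, err := open(tmp, m.NonceCt)
	return string(id), nonce, err
}

func main() {
	term, _ := NewParty("terminal-0001")
	gw, _ := NewParty("gateway-A")
	m, _ := buildStage(term, &gw.Priv.PublicKey, []byte("constructed nonce")) // S3 sender
	fmt.Println(verifyStage(gw, &term.Priv.PublicKey, m))                    // start of S4: gateway verifies
}
```

The ordering in verifyStage is the part worth copying: the signature is checked over the three ciphertexts before the private key is used for OAEP decryption, so an unauthenticated message can neither drive the gateway's private-key operation nor feed it chos
en ciphertexts, and the gateway's own S4 message is built only after that check succeeds.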
S5. Both sides compute and verify hash values over the data of the two key stages; the hash verification completes the exchange and yields the session keys for inbound and outbound traffic; specifically:
S51. The power terminal computes the hash value over the first-stage key data, encrypts it and sends it to the encryption authentication gateway; specifically:
the power terminal computes a new hash value with a pseudo-random function over the authentication key, the random numbers, the SA and the terminal ID, encrypts it and sends it to the encryption authentication gateway.
S52. The encryption authentication gateway computes the hash value over the second-stage key data, encrypts it and sends it to the power terminal; specifically:
the encryption authentication gateway computes a new hash value with a pseudo-random function over the authentication key, the random numbers, the SA and the gateway ID, encrypts it and sends it to the power terminal.
S53. The power terminal verifies the two hash values, computes a new hash value, encrypts it and sends it to the encryption authentication gateway; specifically:
the power terminal verifies the two hash values, computes a new hash value with a pseudo-random function over the authentication key, the random numbers and the terminal ID, encrypts it and sends it to the encryption authentication gateway.
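Steps S51 to S53 (claims 2 to 4) are the authentication part of the handshake: each side keys a pseudo-random function with the authentication key and runs it over the random numbers, the SA and its own identity, and the peer recomputes the same value from what it decrypted in S3 and S4. The Go program below is an added example for this page, not the patent's code. It stands in HMAC-SHA256 for the unnamed pseudo-random function, derives the authentication key from the SA and both random numbers (the patent does not say how that key is formed), omits the encryption of the hash values in transit, and derives one session key per direction from the final hash; View, ViewsAfterStages, HashExchange and the direction labels are the example's own names.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// prf is the pseudo-random function of claims 2 to 4; the patent names none,
// so HMAC-SHA256 keyed with the authentication key is assumed.
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// View is what one side holds when S4 is done: the SA it believes was agreed,
// the terminal (initiator) and gateway (responder) nonces, the authentication
// key, its own identity and the peer identity it decrypted.
type View struct {
	SA, Nt, Ng, AuthKey []byte
	OwnID, PeerID       string
}

// SessionKeys are the per-direction ESP keys that S5 ends with.
type SessionKeys struct{ Inbound, Outbound []byte }

// ViewsAfterStages builds the two views an untampered S3/S4 leaves behind.
// Deriving the authentication key from the SA and both nonces is an assumption.
func ViewsAfterStages(sa, nt, ng []byte, idT, idG string) (term, gw View) {
	ak := prf(sa, nt, ng)
	return View{sa, nt, ng, ak, idT, idG}, View{sa, nt, ng, ak, idG, idT}
}

// HashExchange runs S51 to S53 with both sides in one process. Every hash the
// receiver gets is recomputed from the receiver's own view, so a disagreement
// about the SA, a nonce or an identity (for instance an SA proposal altered in
// S1/S2) fails here instead of yielding a silently weaker tunnel.
func HashExchange(term, gw View) (tk, gk SessionKeys, err error) {
	// S51: terminal hash over authKey, nonces, SA and terminal ID (claim 2).
	h1 := prf(term.AuthKey, term.Nt, term.Ng, term.SA, []byte(term.OwnID))
	if !hmac.Equal(h1, prf(gw.AuthKey, gw.Nt, gw.Ng, gw.SA, []byte(gw.PeerID))) {
		return tk, gk, errors.New("S51: gateway rejects terminal hash")
	}
	// S52: gateway hash with the gateway ID in place of the terminal ID (claim 3).
	h2 := prf(gw.AuthKey, gw.Nt, gw.Ng, gw.SA, []byte(gw.OwnID))
	if !hmac.Equal(h2, prf(term.AuthKey, term.Nt, term.Ng, term.SA, []byte(term.PeerID))) {
		return tk, gk, errors.New("S52: terminal rejects gateway hash")
	}
	// S53: final terminal hash over authKey, nonces and terminal ID (claim 4).
	h3 := prf(term.AuthKey, term.Nt, term.Ng, []byte(term.OwnID))
	if !hmac.Equal(h3, prf(gw.AuthKey, gw.Nt, gw.Ng, []byte(gw.PeerID))) {
		return tk, gk, errors.New("S53: gateway rejects final hash")
	}
	// Session keys are derived per direction from the verified final hash, so
	// the terminal's outbound key is the gateway's inbound key and vice versa.
	t2g := func(v View) []byte { return prf(v.AuthKey, h3, []byte("terminal->gateway")) }
	g2t := func(v View) []byte { return prf(v.AuthKey, h3, []byte("gateway->terminal")) }
	tk = SessionKeys{Outbound: t2g(term), Inbound: g2t(term)}
	gk = SessionKeys{Inbound: t2g(gw), Outbound: g2t(gw)}
	return tk, gk, nil
}

func main() {
	term, gw := ViewsAfterStages([]byte("ESP AES-256-GCM"), []byte("nonce-T"), []byte("nonce-G"), "terminal-0001", "gateway-A")
	tk, gk, err := HashExchange(term, gw)
	fmt.Println("keys pair up:", err == nil && bytes.Equal(tk.Outbound, gk.Inbound) && bytes.Equal(tk.Inbound, gk.Outbound))
	gw.SA = []byte("ESP NULL") // a proposal downgraded in transit: the gateway's view differs
	_, _, err = HashExchange(term, gw)
	fmt.Println("downgrade detected:", err)
}
```

Binding the SA into the hashes is what makes S5 more than a liveness check: a proposal altered between S1 and S2 leaves the two sides with different SA bytes, so the gateway's recomputation of the terminal's hash fails and no tunnel is brought up with the downgraded parameters, which is what the second run in main shows.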
S6. The power terminal and the encryption authentication gateway establish an ESP tunnel with the session keys and communicate through it.
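Step S6 uses the session keys for an ESP tunnel, and the opening paragraph of this section describes tunnel mode: the whole original IP packet is protected and carried inside a new IP packet. The Go program below is an added example written for this page, not the patent's implementation. It builds and parses the ESP payload of RFC 4303 with the AES-GCM combined mode of RFC 4106 (an assumption; the patent does not fix the ESP transform), including the 4-byte-aligned trailer, the authenticated SPI and sequence number, a 64-packet anti-replay window and the rekey-before-wrap rule for the sequence number. It does not build the outer IP header, the key material in main is constructed for the demonstration rather than taken from a handshake, and SA, Encapsulate and Decapsulate are the example's own names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire layout (RFC 4303 with the AES-GCM combined mode of RFC 4106):
// SPI(4) | Seq(4) | IV(8) | ciphertext(inner packet | pad | padLen | next) | ICV(16).
// The outer IP header that carries this with protocol 50 is not built here.
const nextHeaderIPv4, ivLen = 4, 8 // IP-in-IP: tunnel mode carries a whole inner packet

// SA is one direction of the ESP tunnel. Key material is 36 bytes: a 32-byte
// AES-256 key followed by the 4-byte salt that RFC 4106 prepends to the IV.
type SA struct {
	SPI    uint32
	aead   cipher.AEAD
	salt   []byte
	seq    uint32 // sender: last sequence number used
	last   uint32 // receiver: highest sequence number accepted so far
	window uint64 // receiver: bit d set means sequence number last-d was accepted
}

func NewSA(spi uint32, km []byte) (*SA, error) {
	if len(km) != 36 {
		return nil, errors.New("need 32-byte AES key followed by 4-byte salt")
	}
	blk, _ := aes.NewCipher(km[:32]) // length already checked
	g, err := cipher.NewGCM(blk)
	return &SA{SPI: spi, aead: g, salt: km[32:]}, err
}

// Encapsulate protects a whole inner IP packet: pad the trailer to a 4-byte
// boundary, encrypt, and bind SPI and Seq as additional data so the clear header
// is still authenticated.
func (s *SA) Encapsulate(inner []byte) ([]byte, error) {
	if s.seq == ^uint32(0) {
		return nil, errors.New("sequence number exhausted: rekey before sending")
	}
	s.seq++
	hdr := make([]byte, 8+ivLen)
	binary.BigEndian.PutUint32(hdr[0:], s.SPI)
	binary.BigEndian.PutUint32(hdr[4:], s.seq)
	binary.BigEndian.PutUint64(hdr[8:], uint64(s.seq)) // IV only has to be unique per key
	padLen := (4 - (len(inner)+2)%4) % 4
	pt := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ {
		pt = append(pt, byte(i)) // default pad pattern 1,2,3,... of RFC 4303
	}
	pt = append(pt, byte(padLen), nextHeaderIPv4)
	nonce := append(append([]byte{}, s.salt...), hdr[8:]...)
	return s.aead.Seal(hdr, nonce, pt, hdr[:8]), nil
}

// replayed checks seq against the sliding window without updating it.
func (s *SA) replayed(seq uint32) bool {
	if seq > s.last {
		return false
	}
	d := s.last - seq
	return seq == 0 || d >= 64 || s.window&(1<<d) != 0
}

// accept marks seq as seen; called only after the ICV verified.
func (s *SA) accept(seq uint32) {
	if seq > s.last {
		s.window <<= seq - s.last // a shift of 64 or more clears the window, as intended
		s.last = seq
	}
	s.window |= 1 << (s.last - seq)
}

// Decapsulate rejects replays before spending any crypto, verifies the ICV,
// decrypts, validates the trailer and returns the inner packet.
func (s *SA) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < 8+ivLen+s.aead.Overhead()+2 || binary.BigEndian.Uint32(pkt[0:]) != s.SPI {
		return nil, errors.New("packet too short or unknown SPI")
	}
	seq := binary.BigEndian.Uint32(pkt[4:])
	if s.replayed(seq) {
		return nil, fmt.Errorf("replay or stale sequence number %d", seq)
	}
	nonce := append(append([]byte{}, s.salt...), pkt[8:8+ivLen]...)
	pt, err := s.aead.Open(nil, nonce, pkt[8+ivLen:], pkt[:8])
	if err != nil {
		return nil, errors.New("ICV check failed: packet dropped")
	}
	padLen, next := int(pt[len(pt)-2]), pt[len(pt)-1]
	if next != nextHeaderIPv4 || padLen+2 > len(pt) {
		return nil, errors.New("bad ESP trailer")
	}
	s.accept(seq)
	return pt[:len(pt)-2-padLen], nil
}

func main() {
	km := make([]byte, 36)
	copy(km, "constructed demo key material, not from a handshake")
	out, _ := NewSA(0x1001, km)
	in, _ := NewSA(0x1001, km)
	pkt, _ := out.Encapsulate([]byte("inner IPv4 packet bytes")) // constructed inner packet
	fmt.Println(in.Decapsulate(pkt))
}
```

Two details matter operationally: the replay window is consulted before any decryption but advanced only after the ICV verifies, so a forged packet carrying a high sequence number cannot push legitimate packets out of the window; and the inner packet is treated as opaque bytes, so whatever IP version or protocol the power terminal speaks rides unchanged inside the tunnel.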
The master station and the power terminal authenticate each other through the security authentication mechanism provided by the INSE COS. Identity authentication is initiated by the master station and the terminal responds passively; if either party fails to authenticate the other, it returns an authentication-failure message and does not respond to further data from that party. Before the master station interacts with the power terminal, bidirectional identity authentication and data transmission hardening between the encryption authentication gateway and the power terminal must be carried out through the IPsec tunnel.
In summary, the invention relates to a method for establishing a network layer data tunnel of a special CPU chip for electric power. A dedicated IPsec tunnel is established between the power terminal and the encryption authentication gateway by means of an IPsec system and network layer data is carried securely through it. The tunnel is established as follows: the power terminal sends a proposed SA payload to the encryption authentication gateway; after confirming it, the gateway returns the accepted SA proposal and the gateway certificate to the terminal; the terminal generates the first-stage key and sends it to the gateway; the gateway generates the second-stage key and sends it to the terminal; both sides compute and verify hash values over the data of the two key stages, which completes the exchange and yields the session keys for inbound and outbound traffic; finally the terminal and the gateway establish an ESP tunnel with the session keys and communicate through it. As a result, before the master station interacts with the power terminal, the encryption authentication gateway and the power terminal can perform bidirectional identity authentication and harden the data transmission through the ESP tunnel, which overcomes the insufficient security of data transmission between the master station and the power terminal in existing systems.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The foregoing disclosure is merely illustrative of specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art will readily recognize that changes and modifications are possible within the scope of the present invention.

Claims (5)

1. A method for establishing a network layer data tunnel of a special CPU chip for electric power, characterized in that a dedicated IPsec tunnel is established between a power terminal and an encryption authentication gateway by means of an IPsec system and network layer data is transmitted securely through the IPsec tunnel, wherein establishing the IPsec tunnel comprises the following steps:
the power terminal sends a proposed Security Association (SA) payload to the encryption authentication gateway;
after confirming the SA payload, the encryption authentication gateway returns the accepted SA proposal together with the gateway certificate to the power terminal;
on receiving the SA proposal and the gateway certificate, the power terminal generates the first-stage key and sends it to the encryption authentication gateway;
on receiving the first-stage key, the encryption authentication gateway generates the second-stage key and sends it to the power terminal;
both sides compute and verify hash values over the data of the two key stages; this hash verification completes the exchange and yields the session keys for inbound and outbound traffic;
the power terminal and the encryption authentication gateway establish an ESP tunnel with the session keys and communicate through it;
wherein the step in which the power terminal, on receiving the SA proposal and the gateway certificate, generates the first-stage key and sends it to the encryption authentication gateway specifically comprises: on receiving the SA proposal and the gateway certificate, the power terminal encrypts its terminal identity information and a terminal random number with a terminal temporary key to obtain a terminal identity ciphertext and a terminal random number ciphertext, encrypts the terminal temporary key with the public key in the gateway certificate to obtain a terminal temporary key ciphertext, digitally signs the terminal identity ciphertext, the terminal random number ciphertext and the terminal temporary key ciphertext together, and sends them with the signature to the encryption authentication gateway;
wherein the step in which the encryption authentication gateway, on receiving the first-stage key, generates the second-stage key and sends it to the power terminal specifically comprises: on receiving the first-stage key, the encryption authentication gateway verifies the digital signature on the received data and decrypts the data only if the signature is correct, encrypts its gateway identity information and a gateway random number with a gateway temporary key to obtain a gateway identity ciphertext and a gateway random number ciphertext, encrypts the gateway temporary key with the public key in the terminal certificate to obtain a gateway temporary key ciphertext, digitally signs the gateway identity ciphertext, the gateway random number ciphertext and the gateway temporary key ciphertext together, and sends them with the signature to the power terminal;
verifying and generating hash values of data in keys of two stages, completing data exchange through the verification process of the hash values, and completing session key generation of incoming traffic and outgoing traffic, wherein the method specifically comprises the following steps: the electric power terminal verifies the hash value of the first-stage key data, encrypts and sends the hash value to the encryption authentication gateway; the encryption authentication gateway verifies the hash value of the second-stage key and encrypts and sends the hash value to the power terminal; and the power terminal verifies the two hash values, calculates a new hash value, encrypts the new hash value and sends the new hash value to the encryption authentication gateway.
2. The method for establishing the network layer data tunnel of the special CPU chip for electric power according to claim 1, wherein the power terminal verifying the hash value of the first-stage key data and sending it, encrypted, to the encryption authentication gateway specifically comprises:
the power terminal computing a hash value over the authentication key, the random number, the SA and the terminal ID using a pseudo-random function, encrypting the hash value and sending it to the encryption authentication gateway.
3. The method for establishing the network layer data tunnel of the special CPU chip for electric power according to claim 1, wherein the encryption authentication gateway verifying the hash value of the second-stage key and sending it, encrypted, to the power terminal specifically comprises:
the encryption authentication gateway computing a hash value over the authentication key, the random number, the SA and the gateway ID using a pseudo-random function, encrypting the hash value and sending it to the power terminal.
4. The method for establishing the network layer data tunnel of the special CPU chip for electric power according to claim 1, wherein the power terminal verifying the two hash values, computing a new hash value and sending it, encrypted, to the encryption authentication gateway specifically comprises:
the power terminal verifying the two hash values, computing a new hash value over the authentication key, the random number and the terminal ID using a pseudo-random function, encrypting the new hash value and sending it to the encryption authentication gateway.
5. The method for establishing the network layer data tunnel of the special CPU chip for electric power according to claim 1, wherein mutual identity authentication between the encryption authentication gateway and the power terminal, and the hardening of data transmission between them, are carried out through the IPsec tunnel before the master station interacts with the power terminal.
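The hash verification phase of claims 2 to 4 and the last step of claim 1, as an added example that is not part of the patent: each side computes the pseudo-random-function hashes over the state left by the two key-exchange stages, verifies the peer's value before continuing, and finally derives one session key per traffic direction. HMAC-SHA256 as the PRF, the field order, the direction labels and the sample values are assumptions; the certificate-based key-exchange stages and the encryption of the hash values under the temporary keys are not modelled.

```python
import hmac
import hashlib
import secrets

def prf(key: bytes, *parts: bytes) -> bytes:
    """Pseudo-random function; HMAC-SHA256 is an assumption, the claims name none."""
    # Length-prefix every field so (SA, ID) cannot be re-split into another pair with the same input.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def terminal_hash(v):  # claim 2: PRF over authentication key, nonces, SA, terminal ID
    return prf(v["auth_key"], v["n_term"], v["n_gw"], v["sa"], v["term_id"])

def gateway_hash(v):  # claim 3: PRF over authentication key, nonces, SA, gateway ID
    return prf(v["auth_key"], v["n_gw"], v["n_term"], v["sa"], v["gw_id"])

def final_hash(v):  # claim 4: PRF over authentication key, nonces, terminal ID (no SA)
    return prf(v["auth_key"], v["n_term"], v["n_gw"], v["term_id"])

def session_keys(v):
    """One ESP key per direction; the direction labels are a constructed convention."""
    return {"in": prf(v["auth_key"], b"gw->term", v["n_term"], v["n_gw"], v["sa"]),
            "out": prf(v["auth_key"], b"term->gw", v["n_term"], v["n_gw"], v["sa"])}

def run_hash_exchange(term_view, gw_view):
    """Three-message hash verification; returns (terminal keys, gateway keys) or None."""
    h1 = terminal_hash(term_view)  # terminal -> gateway
    if not hmac.compare_digest(h1, terminal_hash(gw_view)):
        return None  # gateway holds a different SA, ID or nonce than the terminal
    h2 = gateway_hash(gw_view)  # gateway -> terminal
    if not hmac.compare_digest(h2, gateway_hash(term_view)):
        return None  # terminal rejects the gateway's hash
    h3 = final_hash(term_view)  # terminal -> gateway, sent only after both hashes check out
    if not hmac.compare_digest(h3, final_hash(gw_view)):
        return None
    return session_keys(term_view), session_keys(gw_view)

def make_views(tamper_sa=False):
    """Constructed state each side holds after the two key-exchange stages."""
    shared = {"auth_key": secrets.token_bytes(32), "n_term": secrets.token_bytes(16),
              "n_gw": secrets.token_bytes(16), "sa": b"ESP/AES-128-CBC/HMAC-SHA256",
              "term_id": b"terminal-0001", "gw_id": b"gateway-A"}
    term_view, gw_view = dict(shared), dict(shared)
    if tamper_sa:  # the gateway's copy of the SA proposal was altered in transit
        gw_view["sa"] = b"ESP/AES-128-CBC/HMAC-SHA1"
    return term_view, gw_view
```

Because the SA proposal is bound into the first two hashes, a proposal that differs between the two sides makes the exchange fail before any session key is derived.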
CN202111638712.2A 2021-12-30 2021-12-30 Method for establishing network layer data tunnel of special CPU chip for electric power Active CN114422205B (en)

Publications (2)

Publication Number Publication Date
CN114422205A CN114422205A (en) 2022-04-29
CN114422205B true CN114422205B (en) 2024-03-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant