CN114422205B - Method for establishing network layer data tunnel of special CPU chip for electric power - Google Patents
- Publication number: CN114422205B
- Application number: CN202111638712.2A
- Authority: CN (China)
- Prior art keywords: gateway, hash value, power terminal, terminal, electric power
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L12/00—Data switching networks
        - H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
          - H04L12/46—Interconnection of networks
            - H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
            - H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
          - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3236—... using cryptographic hash functions
          - H04L9/3247—... involving digital signatures
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0823—... using certificates
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  - Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    - Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
      - Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
        - Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Abstract
The invention discloses a method for establishing a network layer data tunnel for a power-dedicated CPU chip, in the technical field of electric power. It addresses the insufficient security of data transmission between the master station and the power terminal in existing systems: a dedicated IPsec tunnel is established between the power terminal and the encryption authentication gateway using the IPsec system, network layer data is transmitted securely through that tunnel, and communication takes place over it, so that before the master station interacts with the power terminal, bidirectional identity authentication and data transmission security reinforcement between the encryption authentication gateway and the power terminal are carried out through the ESP tunnel.
Description
Technical Field
The invention belongs to the technical field of electric power, and in particular relates to a method for establishing a network layer data tunnel for a power-dedicated CPU chip.
Background
The power-dedicated CPU chip consists of a security subsystem, an application subsystem and an inter-core communication module. The application subsystem comprises a TCP/IP network protocol stack with IPsec, a COS, a communication module, a cryptographic algorithm module and a bottom-layer driver; the security subsystem comprises a security cryptographic algorithm module, a COS and a bottom-layer driver. The network protocol stack module with IPsec is responsible for processing network messages and for IPsec network security transmission.
The IPsec protocol is not a single protocol, it provides a complete set of architecture for network data security on the IP layer, providing both authentication and encryption security mechanisms. The authentication mechanism enables the data receiver of the IP communication to confirm the true identity of the data sender and whether the data has been tampered with during transmission. The encryption mechanism ensures confidentiality of the data by performing encryption operation on the data so as to prevent the data from being eavesdropped in the transmission process.
IPsec includes the network authentication protocols AH (Authentication Header) and ESP (Encapsulating Security Payload), the key exchange protocol IKE (Internet Key Exchange), and a set of algorithms for network authentication and encryption, among others. The AH and ESP protocols provide the security services, and the IKE protocol is used for key exchange.
IKE consists of two key exchange protocols and is built on the Internet Security Association and Key Management Protocol (ISAKMP). IKE does not transmit a key over the network directly; instead, both parties compute a shared key through a series of data exchanges, and even a third party that intercepts all of the exchanged data used to compute the key is unable to derive the true key from it.
The system master station and the power terminal use application-layer encryption authentication and an IPsec security chip to carry out authentication and business operations, and before the master station interacts with the terminal, the security of data transmission must be ensured. A method for establishing a network layer data tunnel for a power-dedicated CPU chip is therefore required.
Disclosure of Invention
The invention aims to provide a method for establishing a network layer data tunnel for a power-dedicated CPU chip, and thereby to remedy the insufficient security of data transmission between the master station and the power terminal in the existing system.
To achieve this, the present invention provides a method for establishing a network layer data tunnel for a power-dedicated CPU chip, comprising: establishing a dedicated IPsec tunnel between the power terminal and the encryption authentication gateway using an IPsec system, and carrying out network layer data security transmission through the IPsec tunnel, wherein the IPsec tunnel establishment comprises the following steps:
the power terminal sends a proposed security association (SA) payload to the encryption authentication gateway;
after confirming the SA payload, the encryption authentication gateway returns the received SA payload proposal together with the gateway certificate to the power terminal;
after receiving the SA payload proposal and the gateway certificate, the power terminal generates a first-stage key and sends it to the encryption authentication gateway;
after receiving the first-stage key, the encryption authentication gateway generates a second-stage key and sends it to the power terminal;
hash values over the data in the two stages' keys are generated and verified, and through the hash verification process the data exchange is completed and the session keys for incoming and outgoing traffic are generated;
the power terminal and the encryption authentication gateway establish an ESP tunnel using the session keys, and communicate through the ESP tunnel.
Preferably, the step in which the power terminal, after receiving the SA payload proposal and the gateway certificate, generates a first-stage key and sends it to the encryption authentication gateway specifically comprises:
after receiving the SA payload proposal and the gateway certificate, the power terminal encrypts its terminal identity information and terminal random number with a terminal temporary key, obtaining a terminal identity ciphertext and a terminal random-number ciphertext; encrypts the terminal temporary key with the public key from the gateway certificate, obtaining a temporary terminal key ciphertext; and digitally signs the terminal identity ciphertext, the terminal random-number ciphertext and the temporary terminal key ciphertext together before sending them to the encryption authentication gateway.
Preferably, the step in which the encryption authentication gateway, after receiving the first-stage key, generates a second-stage key and sends it to the power terminal specifically comprises:
after receiving the first-stage key, the encryption authentication gateway verifies the digital signature on the received data and, once the signature checks out, decrypts the data; it then encrypts its gateway identity information and gateway random number with a gateway temporary key, obtaining a gateway identity ciphertext and a gateway random-number ciphertext; encrypts the gateway temporary key with the public key from the terminal certificate, obtaining a temporary gateway key ciphertext; and digitally signs the gateway identity ciphertext, the gateway random-number ciphertext and the temporary gateway key ciphertext together before sending them to the power terminal.
Preferably, the step of generating and verifying hash values over the data in the two stages' keys, completing the data exchange through the hash verification process and generating the session keys for incoming and outgoing traffic specifically comprises the following steps:
the power terminal verifies the hash value of the first-stage key data, encrypts it and sends it to the encryption authentication gateway;
the encryption authentication gateway verifies the hash value of the second-stage key, encrypts it and sends it to the power terminal;
the power terminal verifies the two hash values, calculates a new hash value, encrypts it and sends it to the encryption authentication gateway.
Preferably, the power terminal verifies the hash value of the first-stage key data, encrypts and sends the hash value to the encryption authentication gateway, and specifically includes:
and the power terminal calculates a new hash value for the authentication key, the random number, the SA and the terminal ID by using a pseudo-random function, encrypts the new hash value and sends the new hash value to the encryption authentication gateway.
Preferably, the encryption authentication gateway verifies the hash value of the second stage key, encrypts and sends the hash value to the power terminal, and specifically includes:
the encryption authentication gateway uses a pseudo-random function to calculate a new hash value for the authentication key, the random number, the SA and the gateway ID, encrypts the new hash value and sends the new hash value to the power terminal.
Preferably, the step in which the power terminal verifies the two hash values, calculates a new hash value, encrypts it and sends it to the encryption authentication gateway specifically comprises:
and the power terminal verifies the two hash values, calculates a new hash value for the authentication key, the random number and the terminal ID by using a pseudo-random function, encrypts the new hash value and sends the new hash value to the encryption authentication gateway.
Preferably, before the master station interacts with the power terminal, bidirectional identity authentication and data transmission security reinforcement of the encryption authentication gateway and the power terminal are performed through the IPsec tunnel.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides a method for establishing a network layer data tunnel for a power-dedicated CPU chip, which establishes a dedicated IPsec tunnel between the power terminal and the encryption authentication gateway using an IPsec system and carries out network layer data security transmission through that tunnel. The IPsec tunnel establishment comprises the following steps: the power terminal sends a proposed security association (SA) payload to the encryption authentication gateway; after confirming the SA payload, the encryption authentication gateway returns the received SA payload proposal together with the gateway certificate to the power terminal; after receiving the SA payload proposal and the gateway certificate, the power terminal generates a first-stage key and sends it to the encryption authentication gateway; after receiving the first-stage key, the encryption authentication gateway generates a second-stage key and sends it to the power terminal; hash values over the data in the two stages' keys are generated and verified, and through the hash verification process the data exchange is completed and the session keys for incoming and outgoing traffic are generated; the power terminal and the encryption authentication gateway establish an ESP tunnel using the session keys and communicate through it. As a result, before the master station interacts with the power terminal, bidirectional identity authentication and data transmission security reinforcement between the encryption authentication gateway and the power terminal can be carried out through the ESP tunnel, which overcomes the insufficient security of data transmission between the master station and the power terminal in the existing system.
Drawings
To illustrate the technical solution of the present invention more clearly, the drawing needed for the description of the embodiments is briefly introduced below. Obviously, the drawing described below shows only one embodiment of the present invention, and a person skilled in the art can obtain other drawings from it without inventive effort.
Fig. 1 is a flowchart of a method for establishing a network layer data tunnel of a special CPU chip for electric power.
Detailed Description
The following description of the embodiments of the present invention will be made more apparent and fully by reference to the accompanying drawings, in which it is shown, however, only some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, the method for establishing a network layer data tunnel for a power-dedicated CPU chip provided by the invention comprises the following: a dedicated IPsec tunnel is established between a power terminal and an encryption authentication gateway using an IPsec system, and network layer data security transmission is carried out through the IPsec tunnel. In IPsec tunnel mode, the user's whole IP packet is used to compute the AH or ESP header, and that header, together with the ESP-encrypted user data, is encapsulated in a new IP packet. The IPsec tunnel establishment comprises the following steps:
S1, the power terminal sends a proposed security association (SA) payload to the encryption authentication gateway.
S2, after the encryption authentication gateway confirms the SA payload, it returns the received SA payload proposal together with the gateway certificate to the power terminal.
S3, after receiving the SA payload proposal and the gateway certificate, the power terminal generates a first-stage key and sends it to the encryption authentication gateway; specifically:
after receiving the SA payload proposal and the gateway certificate, the power terminal encrypts its terminal identity information and terminal random number with a terminal temporary key, obtaining a terminal identity ciphertext and a terminal random-number ciphertext; encrypts the terminal temporary key with the public key from the gateway certificate, obtaining a temporary terminal key ciphertext; and digitally signs the terminal identity ciphertext, the terminal random-number ciphertext and the temporary terminal key ciphertext together before sending them to the encryption authentication gateway.
S4, after receiving the first-stage key, the encryption authentication gateway generates a second-stage key and sends it to the power terminal; specifically:
after the encryption authentication gateway receives the first-stage key, that is, the terminal identity ciphertext, the terminal random-number ciphertext and the temporary terminal key ciphertext, it verifies the digital signature on the received data and, once the signature checks out, decrypts the data; it then encrypts its gateway identity information and gateway random number with a gateway temporary key, obtaining a gateway identity ciphertext and a gateway random-number ciphertext; encrypts the gateway temporary key with the public key from the terminal certificate, obtaining a temporary gateway key ciphertext; and digitally signs the gateway identity ciphertext, the gateway random-number ciphertext and the temporary gateway key ciphertext together before transmitting them to the power terminal.
S5, hash values over the data in the two stages' keys are generated and verified, and through the hash verification process the data exchange is completed and the session keys for incoming and outgoing traffic are generated; specifically:
S51, the power terminal verifies the hash value of the first-stage key data, encrypts it and sends it to the encryption authentication gateway; specifically:
the power terminal uses a pseudo-random function to calculate a new hash value over the authentication key, the random number, the SA, the terminal ID and similar data, encrypts the new hash value and sends it to the encryption authentication gateway.
S52, the encryption authentication gateway verifies the hash value of the second-stage key, encrypts it and sends it to the power terminal; specifically:
the encryption authentication gateway uses a pseudo-random function to calculate a new hash value over the authentication key, the random number, the SA, the gateway ID and similar data, encrypts the new hash value and sends it to the power terminal.
S53, the power terminal verifies the two hash values, calculates a new hash value, encrypts it and sends it to the encryption authentication gateway; specifically:
the power terminal verifies the two hash values, uses a pseudo-random function to calculate a new hash value over the authentication key, the random number, the terminal ID and similar data, encrypts the new hash value and sends it to the encryption authentication gateway.
S6, the power terminal and the encryption authentication gateway establish an ESP tunnel using the session keys, and communicate through the ESP tunnel.
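The hash exchange of S51 to S53 and the session-key generation of S6 (the same procedure the disclosure section lists under "Preferably"), as an added worked example that is not part of the patent and is not code from the applicant. It assumes HMAC-SHA256 as the pseudo-random function, constructed derivation labels (b"auth", b"HASH_T", b"HASH_G", b"HASH_F", b"esp") and a constructed field order inside each hash, and that S3/S4 (certificates, signatures, encrypted temporary keys) have already completed, so both `Party` objects start from the same random numbers and temporary keys. The patent specifies neither the PRF nor the key-derivation layout; those choices, and the names `Party`, `handshake_s5` and `demo`, are mine.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """Pseudo-random function for every hash in S5: HMAC-SHA256 over length-prefixed
    fields, so different field boundaries can never produce the same input."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


class Party:
    """One endpoint (power terminal or gateway) as it stands after S3/S4.

    By then each side holds the SA proposal it accepted (S1/S2), both random
    numbers and both temporary keys (each carried to the peer under the peer's
    certificate public key, signed). Those certificate and signature steps are
    assumed to have succeeded and are not modelled here."""

    def __init__(self, sa: bytes, term_nonce: bytes, gw_nonce: bytes,
                 term_tmp: bytes, gw_tmp: bytes):
        self.sa = sa
        self.nonces = term_nonce + gw_nonce
        # Authentication key: both temporary keys mixed with both random numbers.
        self.auth_key = prf(term_tmp + gw_tmp, b"auth", term_nonce, gw_nonce)

    def hash_for(self, tag: bytes, ident: bytes, with_sa: bool = True) -> bytes:
        """Hash over the authentication key, random numbers, (optionally) the SA and an ID."""
        fields = (self.nonces, self.sa, ident) if with_sa else (self.nonces, ident)
        return prf(self.auth_key, tag, *fields)

    def session_keys(self, is_terminal: bool) -> dict:
        """Directional ESP keys: the terminal's outgoing key is the gateway's incoming key."""
        k_tg = prf(self.auth_key, b"esp", self.nonces, b"terminal->gateway")
        k_gt = prf(self.auth_key, b"esp", self.nonces, b"gateway->terminal")
        return {"out": k_tg, "in": k_gt} if is_terminal else {"out": k_gt, "in": k_tg}


def handshake_s5(terminal: Party, gateway: Party, term_id: bytes, gw_id: bytes):
    """Runs S51-S53 between two Party objects; returns (ok, terminal_keys, gateway_keys).

    The patent has each hash 'encrypted and sent'; here the values pass directly
    between objects in one process, since the check depends on the PRF and the
    shared authentication key, not on the hash being confidential in transit."""
    # S51: terminal hashes auth key, random numbers, SA and its own ID, and sends it.
    hash_t = terminal.hash_for(b"HASH_T", term_id)
    if not hmac.compare_digest(hash_t, gateway.hash_for(b"HASH_T", term_id)):
        return False, None, None  # the gateway's view of the exchange differs: abort
    # S52: gateway hashes auth key, random numbers, SA and its own ID, and sends it.
    hash_g = gateway.hash_for(b"HASH_G", gw_id)
    if not hmac.compare_digest(hash_g, terminal.hash_for(b"HASH_G", gw_id)):
        return False, None, None
    # S53: terminal, having checked both hashes, sends a final hash without the SA.
    hash_f = terminal.hash_for(b"HASH_F", term_id, with_sa=False)
    if not hmac.compare_digest(hash_f, gateway.hash_for(b"HASH_F", term_id, with_sa=False)):
        return False, None, None
    # S6: both sides derive the session keys for incoming and outgoing ESP traffic.
    return True, terminal.session_keys(True), gateway.session_keys(False)


def demo(sa_at_terminal: bytes, sa_at_gateway: bytes):
    """Constructed run: both sides share the S3/S4 material but may disagree on the SA,
    which is what a proposal altered between S1 and S2 would look like to them."""
    term_nonce, gw_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    term_tmp, gw_tmp = secrets.token_bytes(16), secrets.token_bytes(16)
    terminal = Party(sa_at_terminal, term_nonce, gw_nonce, term_tmp, gw_tmp)
    gateway = Party(sa_at_gateway, term_nonce, gw_nonce, term_tmp, gw_tmp)
    return handshake_s5(terminal, gateway, b"terminal-0001", b"gateway-01")


if __name__ == "__main__":
    ok, tk, gk = demo(b"ESP-AES-SHA256", b"ESP-AES-SHA256")
    print("agreed SA:", ok, "keys match:", tk["out"] == gk["in"] and tk["in"] == gk["out"])
    print("mismatched SA:", demo(b"ESP-AES-SHA256", b"ESP-NULL-MD5")[0])
```

Because the SA is an input to HASH_T and HASH_G, the two sides derive matching session keys only when they hold the same negotiated SA; the second `demo` run shows the handshake failing at S51, before any session key exists, when their views differ. Comparisons go through `hmac.compare_digest` so a wrong hash is rejected in constant time, and the incoming and outgoing keys are distinct, so traffic in one direction can never be reflected back as valid traffic in the other.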
The master station and the power terminal perform identity authentication through the security authentication mechanism provided by the INSE COS. Identity authentication is initiated by the master station and the terminal responds passively; if either party fails to authenticate the other, authentication failure information is returned and that party's data is not responded to. Before the master station interacts with the power terminal, bidirectional identity authentication and data transmission security reinforcement between the encryption authentication gateway and the power terminal must be carried out through the IPsec tunnel.
In summary, the invention relates to a method for establishing a network layer data tunnel for a power-dedicated CPU chip, which establishes a dedicated IPsec tunnel between the power terminal and the encryption authentication gateway using an IPsec system and carries out network layer data security transmission through that tunnel. The IPsec tunnel establishment comprises: the power terminal sends a proposed security association (SA) payload to the encryption authentication gateway; after confirming the SA payload, the encryption authentication gateway returns the received SA payload proposal together with the gateway certificate to the power terminal; after receiving the SA payload proposal and the gateway certificate, the power terminal generates a first-stage key and sends it to the encryption authentication gateway; after receiving the first-stage key, the encryption authentication gateway generates a second-stage key and sends it to the power terminal; hash values over the data in the two stages' keys are generated and verified, and through the hash verification process the data exchange is completed and the session keys for incoming and outgoing traffic are generated; the power terminal and the encryption authentication gateway establish an ESP tunnel using the session keys and communicate through it. As a result, before the master station interacts with the power terminal, bidirectional identity authentication and data transmission security reinforcement between the encryption authentication gateway and the power terminal can be carried out through the ESP tunnel, which overcomes the insufficient security of data transmission between the master station and the power terminal in the existing system.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The foregoing disclosure is merely illustrative of specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art will readily recognize that changes and modifications are possible within the scope of the present invention.
Claims (5)
1. A method for establishing a network layer data tunnel of a power-dedicated CPU chip, characterized in that a dedicated IPsec tunnel is established between a power terminal and an encryption authentication gateway using an IPsec system and network layer data security transmission is carried out through the IPsec tunnel, the IPsec tunnel establishment comprising the following steps:
the power terminal sends a proposed security association (SA) payload to the encryption authentication gateway;
after confirming the SA payload, the encryption authentication gateway returns the received SA payload proposal together with the gateway certificate to the power terminal;
after receiving the SA payload proposal and the gateway certificate, the power terminal generates a first-stage key and sends it to the encryption authentication gateway;
after receiving the first-stage key, the encryption authentication gateway generates a second-stage key and sends it to the power terminal;
hash values over the data in the two stages' keys are generated and verified, and through the hash verification process the data exchange is completed and the session keys for incoming and outgoing traffic are generated;
the power terminal and the encryption authentication gateway establish an ESP tunnel using the session keys, and communicate through the ESP tunnel;
wherein the power terminal, after receiving the SA payload proposal and the gateway certificate, generating a first-stage key and sending it to the encryption authentication gateway specifically comprises: after receiving the SA payload proposal and the gateway certificate, the power terminal encrypts its terminal identity information and terminal random number with a terminal temporary key to obtain a terminal identity ciphertext and a terminal random-number ciphertext, encrypts the terminal temporary key with the public key from the gateway certificate to obtain a temporary terminal key ciphertext, and digitally signs the terminal identity ciphertext, the terminal random-number ciphertext and the temporary terminal key ciphertext together before sending them to the encryption authentication gateway;
wherein the encryption authentication gateway, after receiving the first-stage key, generating a second-stage key and sending it to the power terminal specifically comprises: after receiving the first-stage key, the encryption authentication gateway verifies the digital signature on the received data, decrypts the data once the signature checks out, encrypts its gateway identity information and gateway random number with a gateway temporary key to obtain a gateway identity ciphertext and a gateway random-number ciphertext, encrypts the gateway temporary key with the public key from the terminal certificate to obtain a temporary gateway key ciphertext, and digitally signs the gateway identity ciphertext, the gateway random-number ciphertext and the temporary gateway key ciphertext together before sending them to the power terminal;
and wherein generating and verifying hash values over the data in the two stages' keys, completing the data exchange through the hash verification process and generating the session keys for incoming and outgoing traffic specifically comprises the following steps: the power terminal verifies the hash value of the first-stage key data, encrypts it and sends it to the encryption authentication gateway; the encryption authentication gateway verifies the hash value of the second-stage key, encrypts it and sends it to the power terminal; and the power terminal verifies the two hash values, calculates a new hash value, encrypts it and sends it to the encryption authentication gateway.
2. The method for establishing the network layer data tunnel of the special CPU chip for electric power according to claim 1, wherein the power terminal verifying the hash value of the first-stage key data and sending it, encrypted, to the encryption authentication gateway specifically comprises:
the power terminal calculates a new hash value over the authentication key, the random number, the SA and the terminal ID using a pseudo-random function, encrypts the new hash value and sends it to the encryption authentication gateway.
3. The method for establishing the network layer data tunnel of the special CPU chip for electric power according to claim 1, wherein the encryption authentication gateway verifying the hash value of the second-stage key and sending it, encrypted, to the power terminal specifically comprises:
the encryption authentication gateway calculates a new hash value over the authentication key, the random number, the SA and the gateway ID using a pseudo-random function, encrypts the new hash value and sends it to the power terminal.
4. The method for establishing the network layer data tunnel of the special CPU chip for electric power according to claim 1, wherein the power terminal verifying the two hash values, calculating a new hash value, encrypting it and sending it to the encryption authentication gateway specifically comprises:
the power terminal verifies the two hash values, calculates a new hash value over the authentication key, the random number and the terminal ID using a pseudo-random function, encrypts the new hash value and sends it to the encryption authentication gateway.
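The key-confirmation exchange of claims 2 to 4, modelled as an added example that is not code from the patent: both random numbers, the SA and the party's ID are bound into each hash, the peer recomputes and compares the value in constant time, and per-direction session keys are derived only after every check passes. The PRF instantiation (HMAC-SHA256 over length-prefixed inputs), the authentication key being supplied by the caller, and the omission of the encryption applied to each hash in transit are this example's assumptions.

```python
import hashlib
import hmac


def prf(key: bytes, *parts: bytes) -> bytes:
    # The claims only say "pseudo-random function"; HMAC-SHA256 over length-prefixed
    # parts is an assumption. The prefix keeps (a||b, c) and (a, b||c) distinct.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()

def terminal_hash(ak, n_t, n_g, sa, id_t):
    # Claim 2: authentication key, random numbers, SA and terminal ID.
    return prf(ak, b"stage1", n_t, n_g, sa, id_t)

def gateway_hash(ak, n_t, n_g, sa, id_g):
    # Claim 3: same inputs but the gateway ID, so neither hash can be replayed as the other.
    return prf(ak, b"stage2", n_t, n_g, sa, id_g)

def confirm_hash(ak, n_t, n_g, id_t):
    # Claim 4: the terminal's final hash, sent after it has checked the other two.
    return prf(ak, b"confirm", n_t, n_g, id_t)

def session_keys(ak, n_t, n_g, sa):
    # One key per direction: the terminal's outgoing key is the gateway's incoming key.
    return prf(ak, b"term->gw", n_t, n_g, sa), prf(ak, b"gw->term", n_t, n_g, sa)

def run_confirmation(ak, n_t, n_g, sa, id_t, id_g, sa_at_gateway=None):
    """Both sides in one function; sa_at_gateway != sa models a tampered SA proposal."""
    sa_g = sa if sa_at_gateway is None else sa_at_gateway
    # Terminal sends its hash; the gateway recomputes it over the values *it* holds.
    if not hmac.compare_digest(terminal_hash(ak, n_t, n_g, sa, id_t),
                               terminal_hash(ak, n_t, n_g, sa_g, id_t)):
        raise ValueError("gateway: terminal hash mismatch, abort")
    # Gateway replies with its hash; the terminal recomputes it the same way.
    if not hmac.compare_digest(gateway_hash(ak, n_t, n_g, sa_g, id_g),
                               gateway_hash(ak, n_t, n_g, sa, id_g)):
        raise ValueError("terminal: gateway hash mismatch, abort")
    # Terminal confirms; only now does either side derive tunnel keys.
    if not hmac.compare_digest(confirm_hash(ak, n_t, n_g, id_t),
                               confirm_hash(ak, n_t, n_g, id_t)):
        raise ValueError("gateway: confirmation hash mismatch, abort")
    return session_keys(ak, n_t, n_g, sa), session_keys(ak, n_t, n_g, sa_g)

def confirmation_succeeds(*args, **kwargs) -> bool:
    try:
        run_confirmation(*args, **kwargs)
        return True
    except ValueError:
        return False
```

With a tampered SA the gateway's recomputed hash differs from the one the terminal sent, so the exchange aborts before any session key exists.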
5. The method for establishing the network layer data tunnel of the special CPU chip for electric power according to claim 1, wherein the mutual identity authentication and the data transmission security reinforcement between the encryption authentication gateway and the power terminal are carried out through the IPsec tunnel before the master station interacts with the power terminal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111638712.2A CN114422205B (en) | 2021-12-30 | 2021-12-30 | Method for establishing network layer data tunnel of special CPU chip for electric power |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114422205A (en) | 2022-04-29 |
CN114422205B (en) | 2024-03-01 |
Family ID: 81269626
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111638712.2A Active CN114422205B (en) | 2021-12-30 | 2021-12-30 | Method for establishing network layer data tunnel of special CPU chip for electric power |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114422205B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114978648B (en) * | 2022-05-13 | 2024-03-29 | 武汉珈港科技有限公司 | Cloud and chip off-line secure communication method |
CN115085943B (en) * | 2022-08-18 | 2023-01-20 | 南方电网数字电网研究院有限公司 | Edge computing method and platform for safe encryption of electric power Internet of things in north and south directions |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017070973A1 (en) * | 2015-10-31 | 2017-05-04 | 华为技术有限公司 | Internet protocol security tunnel establishing method, user equipment and base station |
CN108881224A (en) * | 2018-06-19 | 2018-11-23 | 南方电网科学研究院有限责任公司 | A kind of encryption method and relevant apparatus of electrical power distribution automatization system |
CN109428852A (en) * | 2017-07-18 | 2019-03-05 | 中兴通讯股份有限公司 | Communication tunnel end-point addresses separation method, terminal, ePDG and storage medium |
Non-Patent Citations (1)
Title |
---|
刘婉澜, 邱爱军. A brief analysis of the application of IPSec-based VPN technology in centralized-control automation master stations. 科学大众(科学教育), 2014(12), full text. * |
Also Published As
Publication number | Publication date |
---|---|
CN114422205A (en) | 2022-04-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |