CN116170220A - GOOSE real-time message protection method - Google Patents

GOOSE real-time message protection method Download PDF

Info

Publication number
CN116170220A
Authority
CN
China
Prior art keywords
field
goose
message
exclusive
encryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310177227.2A
Other languages
Chinese (zh)
Inventor
李德祥
韦根
韦龙坤
剡河东
左小阳
施杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanning Power Supply Bureau of Guangxi Power Grid Co Ltd
Original Assignee
Nanning Power Supply Bureau of Guangxi Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanning Power Supply Bureau of Guangxi Power Grid Co Ltd
Priority to CN202310177227.2A
Publication of CN116170220A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of information security and discloses a GOOSE real-time message protection method comprising an encryption flow and a decryption flow. The encryption flow comprises: generating an integer R, and generating a plurality of random integers R_i using R as the seed; performing an exclusive OR operation between the value field of each sensitive field of the GOOSE message header and R_i, and filling the value field of that sensitive field with the result; grouping the value field of the AllData field into groups of the byte length of R, performing an exclusive OR operation between each group X_i and R, and filling the value field of the AllData field with the result; and encrypting R with an encryption algorithm to obtain a ciphertext, and filling the ciphertext into an extension field of the GOOSE message. The invention protects the sensitive information in the GOOSE message, reduces the length of the encrypted data, avoids repeated copying of the message buffer for encryption and decryption, improves the encryption and decryption speed of the GOOSE message while ensuring security, and ensures the real-time performance of the GOOSE message encryption processing.

Description

GOOSE real-time message protection method
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a GOOSE real-time message protection method.
Background
IEC 61850 is a common communication standard for the management of the various intelligent electronic devices in substations and power distribution networks and for the network interconnection between devices. The generic object oriented substation event (GOOSE) is the mechanism in the IEC 61850 standard that meets the requirement for fast message transmission in a power system.
A GOOSE message is an Ethernet frame with Ethertype 0x88B8; its APDU carries the GOOSE protocol data (PDU) and, as optional content, extension data. The AllData field of the GOOSE protocol data is the GOOSE data element set, a T-L-V (type-length-value) set of a plurality of state values; apart from AllData, the other fields are fixed fields. The real-time performance, security and accuracy of GOOSE message transmission are of great significance for the operation of the power system. To secure GOOSE messages, protection processing is required on retransmission in some cases. However, in the course of implementing the present invention, the inventors found that at least the following problems exist in the prior art:
In the prior art there is no efficient method for protecting (encrypting and decrypting) GOOSE messages: when a general-purpose encryption technique encrypts the message directly, the encryption and decryption computation itself takes a long time and the real-time performance of the GOOSE message is affected. For example, patent application 2013106816729 discloses a GOOSE electric power real-time message encryption and decryption method whose effect in practical use and analysis is unsatisfactory. Specifically, for a large number of GOOSE messages in a certain real network, the length of the GOOSE data after removing the Ethernet header is 399 bytes, and the total length of the key information data fields described in that application is 282 bytes (the data field length of T is 8, of stNum 4, of sqNum 4 and of AllData 266), so the proportion of data left unencrypted is only 29%, which is not high. According to that patent, encrypting 282 bytes of data requires encryption computation over a total data buffer of 512 bytes, i.e. two 256-byte blocks, since the buffer has to be padded to a 256-byte alignment; in this case the encrypted data length of 512 bytes is 45% greater than the original message length. The encryption operation takes a long time because several rounds of computation are performed for each block, and the longer the packet, the more blocks there are and the longer the processing takes. Moreover, to perform the encryption computation, the encryption method of that patent application needs to copy the original information from the original GOOSE message into an encryption data buffer, and after encryption the ciphertext needs to be copied back into the original GOOSE message buffer; these operations also affect the efficiency of the encryption processing.
Therefore, the encryption and decryption method of that patent application cannot reduce the processing time occupied by the encryption computation in some cases.
Disclosure of Invention
The present invention aims to solve the above technical problems at least to some extent. Therefore, the invention aims to provide a GOOSE real-time message protection method.
The technical scheme adopted by the invention is as follows:
a GOOSE real-time message protection method comprises an encryption flow and a decryption flow; the encryption flow comprises the following steps:
S11, generating a random large integer R whose bit length equals the block length of the encryption algorithm, and generating a plurality of 4-byte random integers R_i using R as the seed;
S12, performing an exclusive OR operation between the value field of each sensitive field of the header of the GOOSE message to be sent and the corresponding R_i, and filling the value field of that sensitive field of the GOOSE message header with the result of the exclusive OR operation;
S13, grouping the value field of the AllData field of the GOOSE message to be sent into groups of the byte length of R, performing an exclusive OR operation between each group X_i and R, and filling the value field of the AllData field with the result of the exclusive OR operation;
S14, encrypting R with the encryption algorithm to obtain a ciphertext, and filling the ciphertext into an extension field of the GOOSE message to be sent;
the decryption flow comprises the following steps:
S21, parsing the received GOOSE message to obtain its extension field, and decrypting the extension field with the decryption algorithm corresponding to the encryption algorithm to obtain the plaintext integer R; generating a plurality of 4-byte random integers R_i using R as the seed;
S22, performing an exclusive OR operation between the value field of each sensitive field of the header of the received GOOSE message and the corresponding R_i, and filling the value field of that sensitive field of the GOOSE message header with the result of the exclusive OR operation;
S23, grouping the value field of the AllData field of the received GOOSE message into groups of the byte length of R, performing an exclusive OR operation between each group X_i and R, and filling the value field of the AllData field with the result of the exclusive OR operation.
Preferably, in step S13, if the last group X_i is shorter than R and has byte length L, the last group X_i is XORed with the low L bits of R.
Preferably, the header sensitive fields of the GOOSE message are the four fields T, t, stNum and sqNum; for the t field, only its low 4 bytes are XORed with R_i.
Preferably, the number of R_i equals the number of header sensitive fields of the GOOSE message.
Preferably, when the value field of the AllData field of the GOOSE message is XORed, the group length of the exclusive OR operation is the bit length of the random large integer R.
The beneficial effects of the invention are as follows:
According to the GOOSE real-time message protection method provided by the invention, the exclusive OR operation is performed only on the sensitive fields T, t, stNum and sqNum of the PDU header of the GOOSE message and on the AllData field of the GOOSE message, which speeds up the encryption and decryption flows of the GOOSE message. The sensitive information in the GOOSE message is protected, the encrypted data length is reduced and multiple copies of the message buffer for encryption and decryption are avoided, so the encryption and decryption speed of the GOOSE message is improved while security is ensured, and the real-time performance of the GOOSE message during encryption processing is guaranteed.
Drawings
Fig. 1 is a schematic diagram of an encryption flow of a GOOSE real-time packet protection method according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made more apparent and fully hereinafter with reference to the accompanying drawings, in which some, but not all embodiments of the invention are shown. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should also be appreciated that in the embodiments, the functions/acts may occur in a different order than the figures. For example, two figures shown in succession may in fact be executed substantially concurrently or the figures may sometimes be executed in the reverse order, depending upon the functionality/acts involved.
Table 1 shows the structure of GOOSE messages.
TABLE 1 GOOSE message structure table
[Table 1 is provided as an image in the original publication and is not reproduced here.]
Table 2 shows the structure of the protocol data part of the GOOSE message. During transmission of a GOOSE message, the parts that change are the content to be protected, namely:
(1) The header fields T, t, stNum and sqNum of the GOOSE message, which are respectively the time allowed to live, the event timestamp, the state number and the sequence number of the GOOSE message; the value fields of T, stNum and sqNum are 4 bytes each and the value field of t is 8 bytes;
(2) The value field of the state value data set AllData of the GOOSE message, which is a set of a plurality of state values whose members may be of types such as integer, floating point number and character string.
TABLE 2 Protocol data part (PDU) structure table of the GOOSE message
[Table 2 is provided as images in the original publication and is not reproduced here.]
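Table 2 describes the GOOSE PDU as a T-L-V structure with fixed header fields and the AllData set, and the method above relies on masking those fields in the original buffer rather than copying them. The following Python is an added example, not part of the patent: it walks the BER T-L-V structure of a constructed goosePdu and returns the byte offsets and lengths of the value fields of T (timeAllowedtoLive), t, stNum, sqNum and AllData, which is exactly what an in-place masking step needs. The context tag numbers (0x81 for timeAllowedtoLive through 0xAB for allData) are taken from IEC 61850-8-1 and are not given on this page; the sample PDU contents are constructed for the example.

```python
"""Locate the sensitive value fields of a GOOSE PDU in place.

Added example, not from the patent. Walks the BER T-L-V structure of a
goosePdu and returns (offset, length) of the value fields of
timeAllowedtoLive (T), t, stNum, sqNum and allData, so a masking step can
XOR the original buffer without copying it. Context tag numbers are the
IEC 61850-8-1 ones (an assumption: the page itself lists no tag values).
"""
from typing import Dict, Tuple

GOOSE_PDU_TAG = 0x61            # goosePdu is [APPLICATION 1], constructed
FIELD_TAGS = {                  # context-specific tags inside goosePdu (assumed)
    0x80: "gocbRef", 0x81: "T", 0x82: "datSet", 0x83: "goID",
    0x84: "t", 0x85: "stNum", 0x86: "sqNum", 0x87: "test",
    0x88: "confRev", 0x89: "ndsCom", 0x8A: "numDatSetEntries",
    0xAB: "allData",
}
SENSITIVE = ("T", "t", "stNum", "sqNum", "allData")


def read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, value_offset, value_length) of the TLV starting at pos.

    Handles short-form lengths and long-form lengths of one or two bytes
    (0x81 nn / 0x82 nn nn), which covers any GOOSE PDU that fits a frame.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        value_off, length = pos + 2, first
    else:
        n = first & 0x7F
        if n not in (1, 2) or pos + 2 + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        value_off = pos + 2 + n
    if value_off + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, value_off, length


def locate_sensitive_fields(pdu: bytes) -> Dict[str, Tuple[int, int]]:
    """Map each sensitive field name to (value_offset, value_length)."""
    tag, off, length = read_tlv(pdu, 0)
    if tag != GOOSE_PDU_TAG:
        raise ValueError("buffer does not start with a goosePdu")
    end = off + length
    found: Dict[str, Tuple[int, int]] = {}
    while off < end:
        t, voff, vlen = read_tlv(pdu, off)
        name = FIELD_TAGS.get(t)
        if name in SENSITIVE:
            found[name] = (voff, vlen)
        # allData is not descended into: its whole value field is what gets masked
        off = voff + vlen
    missing = [n for n in SENSITIVE if n not in found]
    if missing:
        raise ValueError(f"goosePdu lacks fields: {missing}")
    return found


def encode_tlv(tag: int, value: bytes) -> bytes:
    """BER-encode one TLV, using long-form length when the value is >= 128 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes(2 if n > 0xFF else 1, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_pdu(all_data_values: bytes = b"") -> bytes:
    """Constructed goosePdu for the example; all field values are made up."""
    all_data = all_data_values or (
        encode_tlv(0x83, b"\x01")                    # boolean TRUE
        + encode_tlv(0x84, b"\x06\x40")              # bit-string, 6 padding bits
        + encode_tlv(0x85, b"\x00\x00\x00\x2a")      # integer 42
    )
    body = (
        encode_tlv(0x80, b"DEMO_IED/LLN0$GO$gcb01")              # gocbRef
        + encode_tlv(0x81, b"\x00\x00\x27\x10")                   # T: 10000 ms
        + encode_tlv(0x82, b"DEMO_IED/LLN0$DS1")                  # datSet
        + encode_tlv(0x83, b"DEMO")                               # goID
        + encode_tlv(0x84, b"\x63\xff\x3f\x00\x00\x00\x00\x0a")   # t, 8 bytes
        + encode_tlv(0x85, b"\x00\x00\x00\x01")                   # stNum
        + encode_tlv(0x86, b"\x00\x00\x00\x00")                   # sqNum
        + encode_tlv(0x87, b"\x00")                               # test
        + encode_tlv(0x88, b"\x00\x00\x00\x01")                   # confRev
        + encode_tlv(0x89, b"\x00")                               # ndsCom
        + encode_tlv(0x8A, b"\x03")                               # numDatSetEntries
        + encode_tlv(0xAB, all_data)                              # allData
    )
    return encode_tlv(GOOSE_PDU_TAG, body)
```

The walker stays at the goosePdu level and does not descend into the AllData elements, because the method masks the whole AllData value field as one byte range; it also refuses truncated or oversized length fields, which is the check a receiver should apply before touching any offset returned here.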
As shown in FIG. 1, the GOOSE real-time message protection method of the invention comprises an encryption flow and a decryption flow; the encryption flow comprises the following steps:
S11, generating a random large integer R whose bit length equals the block length of the encryption algorithm used subsequently, and generating a plurality of 4-byte random integers R_i using R as the seed; the number of R_i equals the number of header sensitive fields of the GOOSE message;
S12, performing an exclusive OR operation between the value field of each sensitive field of the header of the GOOSE message to be sent and the corresponding R_i, and filling the value field of that sensitive field of the GOOSE message header with the result of the exclusive OR operation;
S13, grouping the value field of the AllData field of the GOOSE message to be sent into groups of the byte length of R and XORing each group X_i with R, where the length of the exclusive OR operation is the byte length of each group X_i; if the last group X_i is shorter than R and has byte length L, the last group X_i is XORed with the low L bits of R; the value field of the AllData field is filled with the result of the exclusive OR operation;
S14, encrypting R with an encryption algorithm whose block length equals the byte length of the random large integer R to obtain a ciphertext, and filling the ciphertext into an extension field of the GOOSE message to be sent.
The exclusive OR operation is what realises the information protection. As shown in Table 2, the header sensitive fields of the GOOSE message are the four fields T, t, stNum and sqNum; to protect the header of the GOOSE message, the method XORs only the value fields of these four header sensitive fields. The t field is 8 bytes and its sensitive information lies mainly in the low 4 bytes, so only the low 4 bytes of the t field are XORed.
The decryption process comprises the following steps:
S21, parsing the received GOOSE message to obtain its extension field, and decrypting the extension field with the decryption algorithm corresponding to the encryption algorithm of step S14 to obtain the plaintext integer R; generating a plurality of 4-byte random integers R_i using R as the seed in the same manner as in step S11;
S22, performing an exclusive OR operation between the value field of each sensitive field of the header of the received GOOSE message and the corresponding R_i, and filling the value field of that sensitive field of the GOOSE message header with the result of the exclusive OR operation;
S23, grouping the value field of the AllData field of the received GOOSE message into groups of the byte length of R and XORing each group X_i with R, where the length of the exclusive OR operation is the byte length of each group X_i; if the last group X_i is shorter than R and has byte length L, the last group X_i is XORed with the low L bits of R; the value field of the AllData field is filled with the result of the exclusive OR operation.
Example 1
In this embodiment, the encryption and decryption algorithm is SM4 in ECB (electronic codebook) mode; SM4 is a block cipher with a block length of 128 bits (16 bytes) and a key length of 128 bits. The random integer length is chosen as 16 bytes, the same as the SM4 block length, so that no block padding is needed when the random integer is encrypted, and the ciphertext filled into the extension field of the GOOSE message has a fixed length.
The invention relates to a GOOSE real-time message protection method, which comprises an encryption flow and a decryption flow; the sender encryption flow comprises the following steps:
S11: generate a 16-byte random number R and split R into 4-byte groups from the high-order end to obtain 4 random integers R1, R2, R3, R4;
S12: XOR (operator ⊕) the value fields of the four fields T, t, stNum and sqNum of the GOOSE message to be sent with the 4 random integers, where for t only its low 4 bytes t_L4 are used, i.e. T ⊕ R1, t_L4 ⊕ R2, stNum ⊕ R3, sqNum ⊕ R4, and fill the 4-byte contents corresponding to T, t_L4, stNum and sqNum in the GOOSE message to be sent with the result values of the 4 exclusive OR operations;
S13: group the value field of the AllData field of the GOOSE message to be sent into 16-byte groups, XOR each group X_i with R, i.e. X_i ⊕ R, and fill the message content corresponding to X_i with the exclusive OR result;
S14: encrypt R with the SM4 algorithm in ECB mode to obtain a 16-byte ciphertext E, and fill the whole of ciphertext E into the extension part at the tail of the GOOSE message to be sent.
The decryption flow of the receiver comprises the following steps:
S21: obtain the 16-byte ciphertext E from the tail of the received GOOSE message and decrypt it with the SM4 algorithm in ECB mode to obtain the plaintext R; split R into 4-byte groups from the high-order end to obtain 4 random integers R1, R2, R3, R4;
S22: XOR the value fields of the four fields T, t, stNum and sqNum of the received GOOSE message with the 4 random integers, where for t only its low 4 bytes t_L4 are used, i.e. T ⊕ R1, t_L4 ⊕ R2, stNum ⊕ R3, sqNum ⊕ R4, and fill the 4-byte contents corresponding to T, t_L4, stNum and sqNum in the received GOOSE message with the result values of the 4 exclusive OR operations;
S23: group the value field of the AllData field of the received GOOSE message into 16-byte groups, XOR each group X_i with R, i.e. X_i ⊕ R, and fill the message content corresponding to X_i with the exclusive OR result.
In this embodiment, the exclusive OR operation used to protect the key information of the GOOSE message is its own inverse, so the same exclusive OR operation is used both in the sender's encryption processing and in the receiver's decryption processing.
The invention is not limited to the alternative embodiments described above; any other products that a person may derive in the light of the present invention, whatever changes in shape or structure they make, fall within the technical solutions defined by the claims of the present invention and thus within its scope of protection.
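Example 1 above fixes every parameter of the general flow: R is 16 bytes, R1..R4 are its 4-byte groups, only the low 4 bytes of t are touched, AllData is masked in 16-byte groups, and E = SM4-ECB(R) is appended as the extension field. The Python below is an added example, not the patent's own code, that carries both the general steps S11 to S23 and this concrete instance through on a constructed message, including the short last AllData group (which this example reads as using the low-order L bytes of R). SM4 is not in the Python standard library, so a 4-round Feistel network with an HMAC-SHA256 round function stands in for the 16-byte block cipher; the shared key, the flat field layout and all field values are constructed for the example.

```python
"""GOOSE field masking as in the patent's Example 1 (added example, not the
patent's own code).

A 16-byte random R is split into R1..R4; T, the low 4 bytes of t, stNum and
sqNum are XORed with R1..R4; the allData value field is XORed with R in
16-byte groups, a short last group of L bytes using the low-order L bytes of
R (this example reads the page's "low L bits" as a byte count); R is then
encrypted and appended as the 16-byte extension field E. SM4-ECB is not in
the standard library, so a 4-round Feistel network with an HMAC-SHA256
round function stands in for the 16-byte block cipher (assumption); the
shared key is assumed to be pre-provisioned on sender and receiver.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

BLOCK = 16                                   # cipher block length = len(R)
Fields = Dict[str, Tuple[int, int]]          # name -> (value offset, value length)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one SM4 block encryption (any 16-byte block cipher fits)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: same rounds, applied in reverse order."""
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def mask_fields(buf: bytearray, fields: Fields, r: bytes) -> None:
    """Steps S12/S13 in place; since XOR is an involution, also S22/S23."""
    r1, r2, r3, r4 = (r[i:i + 4] for i in range(0, BLOCK, 4))

    def xor_into(off: int, mask: bytes) -> None:
        for k, m in enumerate(mask):
            buf[off + k] ^= m

    xor_into(fields["T"][0], r1)
    t_off, t_len = fields["t"]
    xor_into(t_off + t_len - 4, r2)          # only the low 4 bytes of the 8-byte t
    xor_into(fields["stNum"][0], r3)
    xor_into(fields["sqNum"][0], r4)
    a_off, a_len = fields["allData"]
    for g in range(0, a_len, BLOCK):         # group X_i of the allData value field
        L = min(BLOCK, a_len - g)            # a short last group has length L
        xor_into(a_off + g, r[BLOCK - L:])   # low-order L bytes of R


def protect(pdu: bytes, fields: Fields, key: bytes, r: bytes = b"") -> bytes:
    """Sender: S11 (fresh R), S12/S13 (masking), S14 (E = Enc_key(R) appended)."""
    r = r or secrets.token_bytes(BLOCK)
    buf = bytearray(pdu)
    mask_fields(buf, fields, r)
    return bytes(buf) + block_encrypt(key, r)


def unprotect(msg: bytes, fields: Fields, key: bytes) -> bytes:
    """Receiver: S21 (R = Dec_key(E) taken from the tail), S22/S23 (unmasking)."""
    body, e = msg[:-BLOCK], msg[-BLOCK:]
    r = block_decrypt(key, e)
    buf = bytearray(body)
    mask_fields(buf, fields, r)
    return bytes(buf)


# Constructed flat sample: offsets are made up for the example, not a real
# BER-encoded PDU. allData is 21 bytes: one full 16-byte group + a 5-byte tail.
SAMPLE_FIELDS: Fields = {"T": (0, 4), "t": (4, 8), "stNum": (12, 4),
                         "sqNum": (16, 4), "allData": (20, 21)}
SAMPLE_PDU = (b"\x00\x00\x27\x10"                       # T = 10000 ms
              + b"\x63\xff\x3f\x00\x00\x00\x00\x0a"     # t, 8 bytes
              + b"\x00\x00\x00\x01"                     # stNum
              + b"\x00\x00\x00\x00"                     # sqNum
              + b"\x01\x00\x00\x00\x00\x2a" + b"BREAKER_OPEN_01")   # allData
SAMPLE_KEY = bytes(range(16, 32))                       # constructed shared key

if __name__ == "__main__":
    wire = protect(SAMPLE_PDU, SAMPLE_FIELDS, SAMPLE_KEY)
    print(len(SAMPLE_PDU), "->", len(wire), "bytes on the wire")
    print("round trip ok:", unprotect(wire, SAMPLE_FIELDS, SAMPLE_KEY) == SAMPLE_PDU)
```

The message on the wire is the original PDU plus the 16-byte E, which is the fixed-length extension the embodiment describes, and the masking touches only the listed byte ranges, so no second buffer is needed. Two properties a deployer should keep in view follow directly from the steps as written: every 16-byte group of AllData is masked with the same R, and nothing in the flow lets the receiver detect a modified masked field, so in practice R must be fresh for every message and an integrity check over the masked PDU and E has to be carried alongside this scheme.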

Claims (6)

1. A GOOSE real-time message protection method is characterized by comprising an encryption flow and a decryption flow; the encryption flow comprises the following steps:
S11, generating a random large integer R whose bit length equals the block length of the encryption algorithm, and generating a plurality of 4-byte random integers R_i using R as the seed;
S12, performing an exclusive OR operation between the value field of each sensitive field of the header of the GOOSE message to be sent and the corresponding R_i, and filling the value field of that sensitive field of the GOOSE message header with the result of the exclusive OR operation;
S13, grouping the value field of the AllData field of the GOOSE message to be sent into groups of the byte length of R, performing an exclusive OR operation between each group X_i and R, and filling the value field of the AllData field with the result of the exclusive OR operation;
S14, encrypting R with the encryption algorithm to obtain a ciphertext, and filling the ciphertext into an extension field of the GOOSE message to be sent;
the decryption flow comprises the following steps:
S21, parsing the received GOOSE message to obtain its extension field, and decrypting the extension field with the decryption algorithm corresponding to the encryption algorithm to obtain the plaintext integer R; generating a plurality of 4-byte random integers R_i using R as the seed;
S22, performing an exclusive OR operation between the value field of each sensitive field of the header of the received GOOSE message and the corresponding R_i, and filling the value field of that sensitive field of the GOOSE message header with the result of the exclusive OR operation;
S23, grouping the value field of the AllData field of the received GOOSE message into groups of the byte length of R, performing an exclusive OR operation between each group X_i and R, and filling the value field of the AllData field with the result of the exclusive OR operation.
2. The GOOSE real-time message protection method according to claim 1, wherein: in step S13, if the last group X_i is shorter than R and has byte length L, the last group X_i is XORed with the low L bits of R.
3. The GOOSE real-time message protection method according to claim 1, wherein: the header sensitive fields of the GOOSE message are the four fields T, t, stNum and sqNum.
4. The GOOSE real-time message protection method according to claim 3, wherein: only the low 4 bytes of the t field are XORed with R_i.
5. The GOOSE real-time message protection method according to claim 1, wherein: the number of R_i equals the number of header sensitive fields of the GOOSE message.
6. The GOOSE real-time message protection method according to claim 1, wherein: when the value field of the AllData field of the GOOSE message is XORed, the group length of the exclusive OR operation is the bit length of the random large integer R.
CN202310177227.2A 2023-02-28 2023-02-28 GOOSE real-time message protection method Pending CN116170220A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310177227.2A CN116170220A (en) 2023-02-28 2023-02-28 GOOSE real-time message protection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310177227.2A CN116170220A (en) 2023-02-28 2023-02-28 GOOSE real-time message protection method

Publications (1)

Publication Number Publication Date
CN116170220A true CN116170220A (en) 2023-05-26

Family

ID=86416203

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310177227.2A Pending CN116170220A (en) 2023-02-28 2023-02-28 GOOSE real-time message protection method

Country Status (1)

Country Link
CN (1) CN116170220A (en)

Similar Documents

Publication Publication Date Title
JP3502200B2 (en) Cryptographic communication system
US8249255B2 (en) System and method for securing communications between devices
US9059866B2 (en) Digital microwave radio system and method with encryption
US8687800B2 (en) Encryption method for message authentication
US7095850B1 (en) Encryption method and apparatus with forward secrecy and random-access key updating method
DE60307787T2 (en) Method and system for secure storage and transfer of data when using a one-time pad
CN112235112B (en) Zero-semantic and one-time pad-based IP encryption method, system and storage medium
CN103746962B (en) GOOSE electric real-time message encryption and decryption method
TW200518547A (en) Packet based high definition high-bandwidth digital content protection
WO2000057595A1 (en) Method and apparatus for encrypting and decrypting data
CN107046548B (en) Data packet filtering method under privacy protection
CN111224974A (en) Method, system, electronic device and storage medium for network communication content encryption
CN110011786A (en) A kind of IP secret communication method of high safety
Pérez-Resa et al. Chaotic encryption for 10-Gb Ethernet optical links
CN112532384B (en) Method for quickly encrypting and decrypting transmission key based on packet key mode
CN109040120A (en) A kind of SV message encryption and decryption method based on IEC61850 standard
CN117714134A (en) Buoy-based data encryption transmission method
CN116170220A (en) GOOSE real-time message protection method
CN110213257B (en) High-safety IP secret communication method based on true random stream exclusive or encryption
Zhou et al. Chaos-based delay-constrained green security communications for fog-enabled information-centric multimedia network
CN112333204B (en) 5G network transmission security device based on TCP IP protocol disorder feature code
CN113038306B (en) Optical network secure communication method, device, electronic equipment and medium
CN116743505B (en) Safety transmission encryption method based on national secret
Man et al. Security enhancement on VoIP using chaotic cryptography
Li Exploring the Application of Data Encryption Technology in Computer Network Security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination