Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a distributed photovoltaic grid-connected lightweight admission method and system based on certificate-free encryption, which ensure secure access for large numbers of distributed photovoltaic terminals and reliable transmission of regulation and control instructions and acquisition data.
The invention adopts the following technical scheme.
The distributed photovoltaic grid-connected lightweight admission method based on certificate-free encryption uses a handheld terminal for field operation of the power system to carry out key management and distribution, so as to realize identity authentication and encrypted data transmission between a distributed photovoltaic data collector and an edge-side fusion terminal of the power system, and the method comprises the following steps:
step 1, establishing a communication connection between the handheld terminal and the fusion terminal, and completing bidirectional identity authentication by relying on the built-in key of the encryption chip;
step 2, the handheld terminal distributes a certificate-free key based on the national cryptographic algorithm to the fusion terminal;
step 3, establishing a communication connection between the handheld terminal and the distributed photovoltaic data collector, and completing certificate-free key distribution to the distributed photovoltaic data collector based on the national cryptographic algorithm;
and step 4, carrying out identity authentication and encrypted data transmission between the photovoltaic data collector and the fusion terminal on the basis of step 2 and step 3, thereby realizing the lightweight admission of the distributed photovoltaic grid connection.
Preferably, the handheld terminal is connected with the fusion terminal and the distributed photovoltaic data collector by Bluetooth communication.
Preferably, in step 1, the handheld terminal and the fusion terminal are both internally provided with encryption chips that store keys distributed by the unified cryptographic service platform of the power system; the handheld terminal and the fusion terminal rely on the encryption chips built into the devices to perform identity authentication and complete two-way identity authentication; after the authentication is passed, the session is valid for 2 min, and the authentication becomes invalid after timeout.
Preferably, step 1 specifically includes:
step 11, the handheld terminal hashes its own serial number, signs the hash value, and sends the signature data, the serial number and its certificate to the fusion terminal by Bluetooth communication;
step 12, the fusion terminal uses the root certificate to verify the certificate sent by the handheld terminal, extracts the public key from the certificate and verifies the signature; it then hashes its own serial number, signs the hash, and sends the signature data, the serial number, its certificate and the verification result to the handheld terminal;
and step 13, the handheld terminal uses the root certificate to verify the certificate sent by the fusion terminal, extracts the public key from the certificate, and verifies the signature.
Preferably, step 2 specifically includes:
step 21, the fusion terminal generates a trigger message from the identity verification result and its private key and sends the trigger message to the handheld terminal;
step 22, the handheld terminal calls the national cryptographic algorithm interface, generates a private key application message and sends it to the fusion terminal;
step 23, the fusion terminal calls the national cryptographic algorithm interface, generates a private key sending message and sends it to the handheld terminal;
and step 24, the handheld terminal calls the national cryptographic algorithm interface, updates the key and feeds the update result back to the fusion terminal.
Preferably, step 3 specifically includes:
step 31, establishing a connection between the handheld terminal and the photovoltaic data collector;
step 32, the photovoltaic data collector sends a trigger message generated with its private key to the handheld terminal;
step 33, the handheld terminal calls the national cryptographic algorithm interface, generates a private key application message and sends it to the photovoltaic data collector;
step 34, the photovoltaic data collector calls the national cryptographic algorithm interface, generates a private key sending message and sends it to the handheld terminal;
and step 35, the handheld terminal calls the national cryptographic algorithm interface, updates the key and feeds the update result back to the photovoltaic data collector.
Preferably, the interface is the KGC (key generation center) interface of the national cryptographic algorithm library.
Preferably, in step 4, identity authentication and encrypted data transmission between the photovoltaic data collector and the fusion terminal are performed based on the extended DL/T698.45-2017 protocol.
Preferably, step 4 specifically includes:
step 41, the fusion terminal acquires the ID and the key version of the device to which the key is to be downloaded;
step 42, the photovoltaic data collector calls the interface provided by the cryptographic algorithm library, acquires the key state, namely the algorithm library state, acquires its device ID and responds to the fusion terminal;
step 43, the fusion terminal decides according to the returned algorithm library state whether to proceed; when key distribution has been completed, the next step is performed;
step 44, identity authentication is started between the fusion terminal and the photovoltaic data collector, and the fusion terminal calls the algorithm library interface to acquire the fusion terminal calculation parameters;
step 44, the photovoltaic data collector calls the algorithm library interface to obtain the collector calculation parameters;
step 45, the fusion terminal calls the algorithm library interface to obtain ciphertext 1, and sends ciphertext 1 + TID to the photovoltaic data collector;
ciphertext 1 comprises M1 and S1, wherein M1 is obtained by encrypting a random number RN1 with the ID of the fusion terminal, and S1 is obtained by signing M1 with the collector private key DS2;
step 46, the photovoltaic data collector calls the algorithm library interface to decrypt ciphertext 1; if decryption fails, an authentication failure is replied; if decryption succeeds, the algorithm library interface is called to obtain ciphertext 2, which is returned to the fusion terminal;
wherein successful decryption means that M1 is decrypted with the fusion terminal private key DS1 to obtain RN1;
ciphertext 2 comprises M2 and S2, wherein M2 is obtained by encrypting a random number RN2 with the ID of the collector, and S2 is obtained by signing M2 with the fusion terminal private key DS1;
and step 47, the fusion terminal calls the algorithm library interface to decrypt ciphertext 2 and obtain RN2.
A distributed photovoltaic grid-connected lightweight admission system based on certificate-free encryption comprises:
a handheld terminal and fusion terminal identity authentication module, used for establishing a communication connection between the handheld terminal and the fusion terminal and completing bidirectional identity authentication by relying on the built-in key of the encryption chip;
a fusion terminal key distribution module, used by the handheld terminal to distribute the certificate-free key based on the national cryptographic algorithm to the fusion terminal;
a data collector key distribution module, used for establishing a communication connection between the handheld terminal and the distributed photovoltaic data collector and completing key distribution to the distributed photovoltaic data collector;
and a photovoltaic data collector and fusion terminal identity authentication and data transmission module, used for carrying out identity authentication and encrypted data transmission between the photovoltaic data collector and the fusion terminal, so that the distributed photovoltaic grid-connected lightweight admission is realized.
A terminal comprising a processor and a storage medium; the storage medium is used for storing instructions;
the processor is configured to operate in accordance with the instructions to perform the steps of the method.
A computer readable storage medium having stored thereon a computer program which when executed by a processor realizes the steps of the method.
Compared with the prior art, the invention has the following beneficial effects:
The invention starts from the security requirement that distributed photovoltaic grid-connected equipment receives regulation and control instructions from the power system, performs certificate-free cryptographic authentication based on the national cryptographic algorithm on the premise of low cost, low intrusiveness and high reliability, extends the existing DL/T698.45-2017 protocol, and realizes identity authentication and encrypted transmission for edge equipment such as the power system fusion terminal and the distributed photovoltaic acquisition terminal (the invention does not cover encrypted transmission itself; identity authentication, key exchange and signature verification may be stated instead), thereby ensuring that the regulation and control instructions and acquisition data of the power system are not tampered with, providing a technical security guarantee for the large-scale construction of distributed photovoltaics, and realizing hierarchical authentication security protection for the lightweight admission of terminals.
(1) The invention combines the characteristics of the distributed photovoltaic service and proposes a hierarchical authentication concept based on the 'cloud, pipe, edge, end' service architecture: cloud-edge authentication still uses the unified cryptographic service platform of the power system to issue digital certificates, which are stored in an encryption chip, so that bidirectional identity authentication is realized; edge-end authentication takes into account the limited computing resources, unstable communication environment and limited storage space of end devices, and proposes a lightweight edge-end identity authentication method based on soft encryption, in which identity authentication and encrypted data transmission between the distributed photovoltaic acquisition terminal and the edge equipment of the power system are realized through certificate-free soft encryption with the national cryptographic algorithm, so that a user public key can be calculated directly from the user identifier and the equipment parameters, public key certificates need not be exchanged between users before signature verification, the number of keys is small, the key management burden of the system is greatly reduced, and low cost, low intrusiveness and high reliability of the distributed photovoltaic grid-connected security protection are ensured;
(2) The invention fully considers the practical implementation difficulty and is compatible with existing operating practice: it provides a method for distributing keys using the field handheld terminal of the power system, in which the handheld terminal is selected as the key generation center (KGC) to generate a partial private key that is combined with the user's secret value, public keys are bound to identities without certificates, and the generation of user private keys does not depend entirely on the KGC, so that key management and distribution under a certificate-free cryptosystem are realized; Bluetooth communication is adopted between the handheld terminal and the fusion terminal and collector, which is a near-field, low-risk communication scenario, so that low retrofitting cost and low implementation difficulty are achieved.
(3) In the lightweight admission method, the handheld terminal and the edge equipment of the power system rely on the equipment's existing PKI-based asymmetric-algorithm keys to realize identity authentication between the handheld terminal and the edge equipment; on the basis of successful identity authentication, the handheld terminal issues a certificate-free key to the edge equipment, so that the fusion terminal and other edge equipment hold a key for authentication with the distributed photovoltaic acquisition terminal. The handheld terminal establishes communication with the distributed photovoltaic acquisition terminal through Bluetooth and issues a certificate-free key to it, so that the photovoltaic acquisition terminal holds a key for authentication with the edge equipment of the power system. This improves the current situation in which network security protection for distributed photovoltaic terminals is absent, extends security authentication over the whole business scenario of the power grid cloud, pipe, edge and end, and can be extended to business systems such as the Internet of Things.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. The embodiments described herein are merely some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art without making any inventive effort, are within the scope of the present invention.
As shown in fig. 1, embodiment 1 of the present invention provides a distributed photovoltaic grid-connected lightweight admission method based on certificate-free encryption, which uses a handheld terminal for field operation of the power system to perform key management and distribution, and uses the keys distributed by the handheld terminal to realize identity authentication and encrypted transmission between the edge equipment of the power system and the photovoltaic acquisition terminal: the edge equipment of the power system and the photovoltaic acquisition terminal communicate over HPLC (high-speed power line carrier) and establish a communication connection; the edge equipment of the power system performs key negotiation and identity authentication with the photovoltaic acquisition terminal; once identity authentication between the edge equipment of the power system and the photovoltaic acquisition terminal succeeds, a symmetric-algorithm key is negotiated to secure data transmission while reducing the computational load on the photovoltaic acquisition terminal.
In a preferred but non-limiting embodiment of the invention, the method comprises the steps of:
Step 1, establishing a Bluetooth communication connection between the handheld terminal and the fusion terminal, and completing identity authentication by relying on the built-in key of the encryption chip.
The handheld terminal, the fusion terminal and other edge-end devices are internally provided with encryption chips that store keys distributed by the unified cryptographic service platform of the power system; in order to ensure the security of Bluetooth near-field communication between the handheld terminal and the fusion terminal, the two first rely on their existing built-in encryption chips to carry out identity authentication.
As shown in fig. 2, the implementation steps are as follows:
step 11, the handheld terminal hashes its own serial number, signs the hash value, and sends the signature data, the serial number and its certificate to the fusion terminal by Bluetooth communication;
step 12, the fusion terminal uses the root certificate to verify the certificate sent by the handheld terminal, extracts the public key from the certificate and verifies the signature; it then hashes its own serial number, signs the hash, and sends the signature data, the serial number, its certificate and the verification result to the handheld terminal;
and step 13, the handheld terminal uses the root certificate to verify the certificate sent by the fusion terminal, extracts the public key from the certificate, and verifies the signature.
At this point the handheld terminal and the fusion terminal have completed two-way identity authentication; after the authentication is passed, the session is valid for 2 min, and the authentication becomes invalid after timeout.
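The following Go program is an added illustration of steps 11 to 13 and the 2 min session rule; it is not code from the patent. A constructed platform root certifies a handheld terminal and a fusion terminal (P-256/ECDSA standing in for the encryption chip's algorithm), each side hashes its serial number, signs the hash and sends signature, serial number and certificate, and the receiver chains the certificate to the root before checking the signature. The names (Endpoint, makeCert, MutualAuth, Setup) and the serial numbers HH-0001 and FT-0001 are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

const SessionLifetime = 2 * time.Minute // a session is valid for 2 min after authentication, per the text

// Endpoint is a handheld or fusion terminal; key and CertDER model its chip's platform-issued key pair and certificate.
type Endpoint struct {
	Serial  string
	key     *ecdsa.PrivateKey
	CertDER []byte
}

// AuthMessage is what steps 11 and 12 send over Bluetooth.
type AuthMessage struct {
	Serial             string
	Signature, CertDER []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey uses P-256/ECDSA as a stand-in for the chip's real algorithm (assumption).
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// makeCert issues a certificate whose CommonName is the device serial number; with isCA it is the constructed self-signed root.
func makeCert(cn string, n int64, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(n), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage, parent = x509.KeyUsageCertSign, tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// Sign is the sending half of steps 11/12: hash the serial number and sign the hash.
func (e *Endpoint) Sign() AuthMessage {
	h := sha256.Sum256([]byte(e.Serial))
	return AuthMessage{e.Serial, must(ecdsa.SignASN1(rand.Reader, e.key, h[:])), e.CertDER}
}

// Verify is the receiving half of steps 12/13: chain the peer certificate to the root, extract its
// public key and check the signature over H(serial); the subject must also match the claimed serial.
func Verify(roots *x509.CertPool, m AuthMessage) error {
	cert, err := x509.ParseCertificate(m.CertDER)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	if cert.Subject.CommonName != m.Serial {
		return errors.New("serial number does not match certificate subject")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if h := sha256.Sum256([]byte(m.Serial)); !ok || !ecdsa.VerifyASN1(pub, h[:], m.Signature) {
		return errors.New("signature verification failed")
	}
	return nil
}

// MutualAuth runs steps 11-13 and returns the instant at which the resulting session expires.
func MutualAuth(roots *x509.CertPool, handheld, fusion *Endpoint) (time.Time, error) {
	if err := Verify(roots, handheld.Sign()); err != nil { // step 11, checked by the fusion terminal in step 12
		return time.Time{}, err
	}
	if err := Verify(roots, fusion.Sign()); err != nil { // step 12, checked by the handheld in step 13
		return time.Time{}, err
	}
	return time.Now().Add(SessionLifetime), nil
}

// Setup builds a constructed platform root with one handheld and one fusion terminal enrolled under it.
func Setup() (*x509.CertPool, *Endpoint, *Endpoint) {
	caKey, hhKey, ftKey := newKey(), newKey(), newKey()
	root := makeCert("platform-root", 1, true, &caKey.PublicKey, nil, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	handheld := &Endpoint{"HH-0001", hhKey, makeCert("HH-0001", 2, false, &hhKey.PublicKey, root, caKey).Raw}
	fusion := &Endpoint{"FT-0001", ftKey, makeCert("FT-0001", 3, false, &ftKey.PublicKey, root, caKey).Raw}
	return roots, handheld, fusion
}
```

Because the signed value H(serial) is fixed, a recorded exchange would verify again later; the text does not address this, and a verifier-chosen random challenge included in the signed data is the usual remedy.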
Step 2, the handheld terminal distributes a certificate-free key based on the national cryptographic algorithm to edge-end devices such as the fusion terminal; as shown in fig. 2, the implementation steps are as follows:
step 21, the fusion terminal generates a trigger message from the identity verification result and its private key and sends the trigger message to the handheld terminal;
step 22, the handheld terminal calls the KGC interface, generates a private key application message and sends it to the fusion terminal;
step 23, the fusion terminal calls the KGC interface, generates a private key sending message and sends it to the handheld terminal;
and step 24, the handheld terminal calls the KGC interface, updates the key and feeds the update result (success/failure) back to the fusion terminal.
Further preferably, key management and issuance in the certificate-free system are performed based on the SM2 certificateless cryptosystem.
The user public key can be calculated directly from the user identifier and the system parameters, so public key certificates need not be exchanged between users before signature verification and no complex certificate management process needs to be supported; the amount of key material stored by the platform is small and remains almost constant as the number of terminal devices grows, so the key management burden of the system is greatly reduced, massive numbers of user identifiers can be supported, and the method is particularly suitable for distributed photovoltaic business scenarios.
Step 3, the handheld terminal establishes a Bluetooth communication connection with the distributed photovoltaic data collector and completes key distribution to the distributed photovoltaic data collector; as shown in fig. 3, the implementation steps are as follows:
step 31, establishing a Bluetooth connection between the handheld terminal and the photovoltaic data collector;
step 32, the photovoltaic data collector sends a trigger message generated with its private key to the handheld terminal;
step 33, the handheld terminal calls the KGC interface, generates a private key application message and sends it to the photovoltaic data collector;
step 34, the photovoltaic data collector calls the KGC interface, generates a private key sending message and sends it to the handheld terminal;
and step 35, the handheld terminal calls the KGC interface, updates the key and feeds the update result (success/failure) back to the photovoltaic data collector.
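The following Go code is an added example, not the patent's own code or the SM2 certificateless standard: it models the key application, partial key return and key update of steps 21 to 24 and 31 to 35, and the property stated under step 2 that a public key is computed from the identifier and the system parameters. It uses a simplified implicit-certificate style certificateless scheme on P-256 as a stand-in for SM2 (an assumption; the exact SM2 formulas are not reproduced), and the names KGC, PartialKey, Enroll, KeyConsistent and VerifyFromID are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

var curve = elliptic.P256() // stands in for the SM2 curve (assumption: the standard library has no SM2)

type Point struct{ X, Y *big.Int }

func randScalar() *big.Int {
	k, err := rand.Int(rand.Reader, curve.Params().N)
	if err != nil {
		panic(err)
	}
	return k
}

func baseMul(k *big.Int) Point { x, y := curve.ScalarBaseMult(k.Bytes()); return Point{x, y} }

func add(p, q Point) Point { x, y := curve.Add(p.X, p.Y, q.X, q.Y); return Point{x, y} }

// lambda = H(ID || W) mod n ties the identity to the KGC's contribution W, so a key issued for one ID cannot be presented under another.
func lambda(id string, w Point) *big.Int {
	h := sha256.New()
	h.Write([]byte(id))
	h.Write(elliptic.Marshal(curve, w.X, w.Y))
	return new(big.Int).Mod(new(big.Int).SetBytes(h.Sum(nil)), curve.Params().N)
}

// KGC is the role the handheld terminal plays: it keeps the master secret ms and publishes Ppub = ms*G.
type KGC struct {
	ms   *big.Int
	Ppub Point
}

func NewKGC() *KGC { ms := randScalar(); return &KGC{ms, baseMul(ms)} }

// PartialKey is the KGC side of steps 23/34 (the "private key sending message"): given the device's
// commitment U = d'*G it returns W = U + w*G and the partial private key t = w + lambda*ms (mod n).
func (k *KGC) PartialKey(id string, u Point) (Point, *big.Int) {
	w := randScalar()
	W := add(u, baseMul(w))
	t := new(big.Int).Mul(lambda(id, W), k.ms)
	t.Add(t, w)
	return W, t.Mod(t, curve.Params().N)
}

// PublicKey derives a device's public key from its ID, W and Ppub alone; no certificate is needed.
func PublicKey(id string, W, ppub Point) *ecdsa.PublicKey {
	lx, ly := curve.ScalarMult(ppub.X, ppub.Y, lambda(id, W).Bytes())
	p := add(W, Point{lx, ly})
	return &ecdsa.PublicKey{Curve: curve, X: p.X, Y: p.Y}
}

// Device is a fusion terminal or data collector after enrolment.
type Device struct {
	ID   string
	W    Point
	priv *ecdsa.PrivateKey
}

// Enroll runs steps 22-24 / 33-35 from the device's side: choose the secret value d', send U = d'*G in
// the "private key application", receive (W, t) and set d = t + d' (mod n). The KGC never learns d',
// so it never holds the complete private key d.
func Enroll(kgc *KGC, id string) *Device {
	dPrime := randScalar()
	W, t := kgc.PartialKey(id, baseMul(dPrime))
	d := new(big.Int).Add(t, dPrime)
	d.Mod(d, curve.Params().N)
	pub := PublicKey(id, W, kgc.Ppub)
	return &Device{id, W, &ecdsa.PrivateKey{PublicKey: *pub, D: d}}
}

// KeyConsistent is the device's acceptance check before it reports "success" in step 24/35:
// d*G must equal the public key any peer will derive from (ID, W, Ppub).
func (dv *Device) KeyConsistent(ppub Point) bool {
	got, want := baseMul(dv.priv.D), PublicKey(dv.ID, dv.W, ppub)
	return got.X.Cmp(want.X) == 0 && got.Y.Cmp(want.Y) == 0
}

// Sign and VerifyFromID show the key in use: the verifier needs only the signer's ID and W plus the published Ppub.
func (dv *Device) Sign(msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, dv.priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func VerifyFromID(id string, W, ppub Point, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(PublicKey(id, W, ppub), h[:], sig)
}
```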
Step 4, based on the extended DL/T698.45-2017 protocol, identity authentication and encrypted data transmission between the photovoltaic data collector and the fusion terminal are realized, the distributed photovoltaic grid-connected lightweight admission is realized, and the security of the interaction of control-related instructions and acquisition data between the distributed photovoltaic collector and the fusion terminal is ensured.
In order to ensure the security and reliability of the communication protocol and the wide adoption of the standard, the DL/T698.45-2017 protocol is adopted; it already provides encryption and authentication functions, and after further extension it can meet the authentication and encrypted transmission requirements of the photovoltaic data collector, the fusion terminal and other edge equipment.
As shown in fig. 4, the implementation steps are as follows:
step 41, the fusion terminal acquires the ID and the key version of the device to which the key is to be downloaded;
step 42, the photovoltaic data collector calls the interface provided by the cryptographic algorithm library, acquires the key state, namely the algorithm library state, acquires its device ID and responds to the fusion terminal;
step 43, the fusion terminal decides according to the returned algorithm library state whether to proceed; when key distribution has been completed, the next step is performed;
step 44, identity authentication is started between the fusion terminal and the photovoltaic data collector, and the fusion terminal calls the algorithm library interface to acquire the fusion terminal calculation parameters;
step 44, the photovoltaic data collector calls the algorithm library interface to obtain the collector calculation parameters;
step 45, the fusion terminal calls the algorithm library interface to obtain ciphertext 1 (M1+S1), and sends ciphertext 1 + TID to the photovoltaic data collector;
ciphertext 1 comprises M1 and S1, wherein M1 is obtained by encrypting a random number RN1 with the ID of the fusion terminal, and S1 is obtained by signing M1 with the collector private key DS2;
step 46, the photovoltaic data collector calls the algorithm library interface to decrypt ciphertext 1; if decryption fails, an authentication failure is replied; if decryption succeeds, the algorithm library interface is called to obtain ciphertext 2 (M2+S2), which is returned to the fusion terminal;
wherein successful decryption means that M1 is decrypted with the fusion terminal private key DS1 to obtain RN1;
ciphertext 2 comprises M2 and S2, wherein M2 is obtained by encrypting a random number RN2 with the ID of the collector, and S2 is obtained by signing M2 with the fusion terminal private key DS1;
and step 47, the fusion terminal calls the algorithm library interface to decrypt ciphertext 2 and obtain RN2.
The photovoltaic data collector: collects data from the photovoltaic grid-connected inverter, combiner box, weather station, electricity meter and other equipment in a photovoltaic power station and transmits them to the equipment of the photovoltaic control system via GPRS (general packet radio service), Ethernet, WiFi, 3G or similar means;
the fusion terminal: the edge device of the cloud-pipe-edge-end architecture of the State Grid Corporation's intelligent Internet of Things system, with information acquisition, Internet of Things agent and edge computing functions, supporting marketing, power distribution and emerging services. It is an intelligent fusion terminal designed with a modular hardware platform and functional software, decoupled software and hardware, adaptive communication protocols, high-performance concurrency, large-capacity storage and multi-object acquisition, and it integrates functions such as power supply and consumption acquisition at the distribution station, data collection from acquisition terminals or electricity meters, equipment state monitoring, communication networking, local analysis and decision, and collaborative computing.
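The following Go code is an added example of the exchange in steps 45 to 47; it is not the patent's code or the DL/T698.45-2017 extension. Each party holds a P-256 key pair standing for the certificateless key it received in steps 2 and 3 (assumption), "encrypting through the peer's ID" is modelled as an ECIES-style ECDH plus AES-GCM to the peer's public key, and each side signs its own ciphertext with its own private key, which is how the exchange reads when each party can only use its own key. The names and the 16-byte random numbers are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

var curve = elliptic.P256() // stands in for the SM2 curve (assumption)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Party is a fusion terminal or a collector; priv models the certificateless key issued to it in steps 2/3.
type Party struct{ priv *ecdsa.PrivateKey }

func NewParty() *Party                 { return &Party{must(ecdsa.GenerateKey(curve, rand.Reader))} }
func (p *Party) Pub() *ecdsa.PublicKey { return &p.priv.PublicKey }

// Ciphertext is the page's "ciphertext 1/2": M carries the encrypted random number, S the signature over M.
type Ciphertext struct{ M, S []byte }

const ephLen, nonceLen = 65, 12 // uncompressed P-256 point and AES-GCM nonce lengths

func randomBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func hash(m []byte) []byte     { h := sha256.Sum256(m); return h[:] }
func (p *Party) sign(m []byte) []byte               { return must(ecdsa.SignASN1(rand.Reader, p.priv, hash(m))) }
func verify(pub *ecdsa.PublicKey, m, sig []byte) bool { return ecdsa.VerifyASN1(pub, hash(m), sig) }

// gcmFor derives AES-256-GCM from an ECDH shared x-coordinate (an ECIES-style stand-in for SM2 public-key encryption).
func gcmFor(x *big.Int) cipher.AEAD {
	key := sha256.Sum256(x.Bytes())
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// encryptTo produces ephemeralPub || nonce || AEAD(plaintext), readable only with the private key behind "to"; the peer's public key stands for its ID here.
func encryptTo(to *ecdsa.PublicKey, plaintext []byte) []byte {
	eph := must(ecdsa.GenerateKey(curve, rand.Reader))
	sx, _ := curve.ScalarMult(to.X, to.Y, eph.D.Bytes())
	nonce := randomBytes(nonceLen)
	out := append(elliptic.Marshal(curve, eph.X, eph.Y), nonce...)
	return gcmFor(sx).Seal(out, nonce, plaintext, nil)
}

func decryptWith(priv *ecdsa.PrivateKey, m []byte) ([]byte, error) {
	if len(m) < ephLen+nonceLen {
		return nil, errors.New("ciphertext too short")
	}
	ex, ey := elliptic.Unmarshal(curve, m[:ephLen])
	if ex == nil {
		return nil, errors.New("ephemeral key is not on the curve")
	}
	sx, _ := curve.ScalarMult(ex, ey, priv.D.Bytes())
	return gcmFor(sx).Open(nil, m[ephLen:ephLen+nonceLen], m[ephLen+nonceLen:], nil)
}

// Challenge is step 45: the fusion terminal encrypts RN1 to the collector and signs M1 with its own key.
func (fusion *Party) Challenge(collector *ecdsa.PublicKey) (c1 Ciphertext, rn1 []byte) {
	rn1 = randomBytes(16)
	m1 := encryptTo(collector, rn1)
	return Ciphertext{m1, fusion.sign(m1)}, rn1
}

// Respond is step 46: an invalid S1 or an undecryptable M1 is answered with an authentication failure; otherwise
// ciphertext 2 is returned. M2 encrypts RN1||RN2 rather than RN2 alone (assumption, not in the text) so that the fusion terminal can confirm the collector really recovered RN1.
func (collector *Party) Respond(fusion *ecdsa.PublicKey, c1 Ciphertext) (Ciphertext, []byte, error) {
	if !verify(fusion, c1.M, c1.S) {
		return Ciphertext{}, nil, errors.New("authentication failure: S1 invalid")
	}
	rn1, err := decryptWith(collector.priv, c1.M)
	if err != nil {
		return Ciphertext{}, nil, errors.New("authentication failure: M1 undecryptable")
	}
	rn2 := randomBytes(16)
	m2 := encryptTo(fusion, append(rn1, rn2...))
	return Ciphertext{m2, collector.sign(m2)}, rn2, nil
}

// Finish is step 47: the fusion terminal verifies S2, decrypts M2, checks the echoed RN1 and obtains RN2.
func (fusion *Party) Finish(collector *ecdsa.PublicKey, c2 Ciphertext, rn1 []byte) ([]byte, error) {
	if !verify(collector, c2.M, c2.S) {
		return nil, errors.New("S2 invalid")
	}
	pt, err := decryptWith(fusion.priv, c2.M)
	if err != nil || len(pt) != 32 || !bytes.Equal(pt[:16], rn1) {
		return nil, errors.New("M2 undecryptable or RN1 mismatch")
	}
	return pt[16:], nil
}
```

Call Challenge, Respond and Finish in that order; Finish returning an RN2 equal to the collector's copy means both directions succeeded, and an error from either side corresponds to the authentication failure reply of step 46.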
Embodiment 2 of the invention provides a distributed photovoltaic grid-connected lightweight admission system based on certificate-free encryption, which comprises the following components:
a handheld terminal and fusion terminal identity authentication module, used for establishing a communication connection between the handheld terminal and the fusion terminal and completing bidirectional identity authentication by relying on the built-in key of the encryption chip;
a fusion terminal key distribution module, used by the handheld terminal to distribute the certificate-free key based on the national cryptographic algorithm to the fusion terminal;
a data collector key distribution module, used for establishing a communication connection between the handheld terminal and the distributed photovoltaic data collector and completing key distribution to the distributed photovoltaic data collector;
and a photovoltaic data collector and fusion terminal identity authentication and data transmission module, used for carrying out identity authentication and encrypted data transmission between the photovoltaic data collector and the fusion terminal, so that the distributed photovoltaic grid-connected lightweight admission is realized.
A terminal comprising a processor and a storage medium; the storage medium is used for storing instructions;
the processor is configured to operate in accordance with the instructions to perform the steps of the method.
A computer readable storage medium having stored thereon a computer program which when executed by a processor realizes the steps of the method.
The present disclosure may be a system, method, and/or computer program product. The computer program product may include a computer readable storage medium having computer readable program instructions embodied thereon for causing a processor to implement aspects of the present disclosure.
The computer readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium include the following: a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disc read-only memory (CD-ROM), digital versatile disc (DVD), a memory stick, a floppy disk, a mechanically encoded device such as a punch card or a raised structure in a groove having instructions recorded thereon, and any suitable combination of the foregoing. Computer readable storage media, as used herein, are not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (e.g., optical pulses through fiber optic cables), or electrical signals transmitted through wires.
The computer readable program instructions described herein may be downloaded from a computer readable storage medium to a respective computing/processing device or to an external computer or external storage device over a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmissions, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network interface card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium in the respective computing/processing device.
Computer readable program instructions for carrying out the operations of the present disclosure may be assembler instructions, instruction set architecture (ISA) instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source or object code written in any combination of one or more programming languages, including an object-oriented programming language such as Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present disclosure are implemented by personalizing electronic circuitry, such as programmable logic circuitry, field programmable gate arrays (FPGAs), or programmable logic arrays (PLAs), with state information of the computer readable program instructions, so that the circuitry can execute the computer readable program instructions.
Finally, it should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those skilled in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.