CN116193434A - Distributed photovoltaic grid-connected light-weight admission method and system based on certificate-free encryption - Google Patents


Info

Publication number: CN116193434A
Authority: CN (China)
Prior art keywords: terminal, encryption, fusion, key, data collector
Legal status: Pending
Application number: CN202211531461.2A
Other languages: Chinese (zh)
Inventors: 陈岑, 郭志民, 狄立, 徐茂敬, 侯胜坤, 练永宾, 石潇龙, 王晔, 孙晋亮, 陈�峰, 邓进, 张伟, 吕卓, 杨庆坤, 李暖暖, 王倩, 田杨阳, 王文婷
Current Assignee: Electric Power Research Institute of State Grid Henan Electric Power Co Ltd; Qingdao Topscomm Communication Co Ltd; Nari Information and Communication Technology Co
Original Assignee: Electric Power Research Institute of State Grid Henan Electric Power Co Ltd; Qingdao Topscomm Communication Co Ltd; Nari Information and Communication Technology Co
Application filed by: Electric Power Research Institute of State Grid Henan Electric Power Co Ltd, Qingdao Topscomm Communication Co Ltd, Nari Information and Communication Technology Co
Priority to: CN202211531461.2A
Publication of: CN116193434A

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/06 Authentication
                        • H04W12/069 Authentication using certificates or pre-shared keys
                    • H04W12/03 Protecting confidentiality, e.g. by encryption
                        • H04W12/033 of the user plane, e.g. user's traffic
                    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
                        • H04W12/043 using a trusted network node as an anchor
                            • H04W12/0431 Key distribution or pre-distribution; Key agreement
                    • H04W12/10 Integrity
                        • H04W12/106 Packet or message integrity
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
                    • H04L63/06 for supporting key management in a packet data network
                    • H04L63/08 for authentication of entities
                        • H04L63/0869 for achieving mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A distributed photovoltaic grid-connected lightweight admission method and system based on certificate-free encryption. The method comprises the following steps: the handheld terminal establishes a communication connection with the fusion terminal and completes bidirectional identity authentication relying on the built-in key of the encryption chip; the handheld terminal distributes a certificate-free key based on the national cryptographic algorithm to the fusion terminal; the handheld terminal establishes a communication connection with the distributed photovoltaic data collector and completes certificate-free key distribution to the distributed photovoltaic data collector based on the national cryptographic algorithm; identity authentication and encrypted data transmission between the photovoltaic data collector and the fusion terminal are then carried out, realizing lightweight admission for distributed photovoltaic grid connection. The invention can ensure the secure access of mass distributed photovoltaic terminals and realize reliable transmission of regulation and control instructions and acquisition data.

Description

Distributed photovoltaic grid-connected light-weight admission method and system based on certificate-free encryption
Technical Field
The invention belongs to the technical field of power distribution network security protection, and relates to a distributed photovoltaic grid-connected lightweight admission method and system based on certificate-free encryption.
Background
In recent years, critical information infrastructure such as the electric power system has become an important target of network attacks, as shown by large-area outages caused by such attacks. With the acceleration of the new-type power system, new energy is developing in a combined centralized and distributed pattern; photovoltaic and other socially owned assets of different investors are connected to the power system, and distributed photovoltaic terminals are increasing explosively and being connected in mass. The manufacturers of distributed photovoltaic equipment are numerous, their security protection levels are uneven, the equipment is permanently exposed outdoors, and the grid has little control over it. When such equipment is connected as Internet of Things devices at the edge of the grid without effective security authentication and monitoring means, counterfeit equipment is very likely to be connected in order to attack the business master station, and security events such as tampering with control instructions may result. Current distributed photovoltaic grid-connected security protection therefore has the following technical needs:
(1) For distributed photovoltaic grid-connected terminal equipment, the current power system mainly uses the Modbus transmission protocol; neither the terminal itself nor the communication protocol considers network security protection. Lacking protection measures such as identity authentication and data encryption, the power system is exposed to network security risks such as identity spoofing and man-in-the-middle attacks;
(2) The current access scheme of the power system relies on an encryption chip based on the national cryptographic algorithm in the terminal; considering factors such as the investment cost of distributed photovoltaic terminal equipment, the highly intrusive security protection measures of the power system are difficult to implement and apply to distributed photovoltaic terminals;
(3) If the public key is bound to the identity by means of a certificate, a complex key negotiation process is required that consumes a large amount of computing resources and storage space; given the software and hardware resources of distributed photovoltaic terminal equipment, the consumption of computing resources for key negotiation, data encryption and the like is difficult to bear.
In summary, with the large-scale development of distributed photovoltaics, the access of mass terminal devices blurs the boundary of the power system and enlarges its attack surface. In addition, the highly intrusive authentication method of the power system is difficult to popularize among socially owned assets, and a large number of terminals without security protection measures connect directly to the grid, so attack paths through them can directly affect the safe and stable operation of the power grid.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a distributed photovoltaic grid-connected lightweight admission method and system based on certificate-free encryption, which ensure the secure access of mass distributed photovoltaic terminals and realize reliable transmission of regulation and control instructions and acquisition data.
The invention adopts the following technical scheme.
The distributed photovoltaic grid-connected lightweight admission method based on certificate-free encryption uses the handheld terminal for field operation of the power system to perform key management and distribution, so as to realize identity authentication and encrypted data transmission between the distributed photovoltaic data collector and the edge-side fusion terminal of the power system. The method comprises the following steps:
step 1, establishing a communication connection between the handheld terminal and the fusion terminal, and completing bidirectional identity authentication relying on the built-in key of the encryption chip;
step 2, the handheld terminal distributes a certificate-free key based on the national cryptographic algorithm to the fusion terminal;
step 3, establishing a communication connection between the handheld terminal and the distributed photovoltaic data collector, and completing certificate-free key distribution to the distributed photovoltaic data collector based on the national cryptographic algorithm;
step 4, on the basis of step 2 and step 3, carrying out identity authentication and encrypted data transmission between the photovoltaic data collector and the fusion terminal, thereby realizing lightweight admission for distributed photovoltaic grid connection.
Preferably, the handheld terminal is connected to the fusion terminal and to the distributed photovoltaic data collector by Bluetooth communication.
Preferably, in step 1, both the handheld terminal and the fusion terminal are internally provided with encryption chips that store keys distributed by the unified cryptographic service platform of the power system; the handheld terminal and the fusion terminal rely on these built-in encryption chips to perform identity authentication and complete two-way identity authentication. After authentication passes, the session is valid for 2 min, and the authentication becomes invalid after timeout.
Preferably, step 1 specifically includes:
step 11, the handheld terminal hashes its own serial number, signs the hash, and sends the signature data, the serial number and its certificate to the fusion terminal over Bluetooth;
step 12, the fusion terminal verifies the certificate sent by the handheld terminal against the root certificate, extracts the public key from the certificate and verifies the signature; it then hashes and signs its own serial number and sends the signature data, the serial number, its certificate and the verification result to the handheld terminal;
step 13, the handheld terminal verifies the certificate sent by the fusion terminal against the root certificate, extracts the public key from the certificate and verifies the signature.
Preferably, step 2 specifically includes:
step 21, the fusion terminal generates a trigger message from the identity verification result and its private key and sends it to the handheld terminal;
step 22, the handheld terminal calls the national cryptographic algorithm interface, generates a private key application message and sends it to the fusion terminal;
step 23, the fusion terminal calls the national cryptographic algorithm interface, generates a private key sending message and sends it to the handheld terminal;
step 24, the handheld terminal calls the national cryptographic algorithm interface, updates the key and feeds the update result back to the fusion terminal.
Preferably, step 3 specifically includes:
step 31, establishing a connection between the handheld terminal and the photovoltaic data collector;
step 32, the photovoltaic data collector sends a trigger message generated from its private key to the handheld terminal;
step 33, the handheld terminal calls the national cryptographic algorithm interface, generates a private key application message and sends it to the photovoltaic data collector;
step 34, the photovoltaic data collector calls the national cryptographic algorithm interface, generates a private key sending message and sends it to the handheld terminal;
step 35, the handheld terminal calls the national cryptographic algorithm interface, updates the key and feeds the update result back to the photovoltaic data collector.
Preferably, the interface is the KGC (key generation center) interface of the national cryptographic algorithm.
Preferably, in step 4, identity authentication and encrypted data transmission between the photovoltaic data collector and the fusion terminal are performed based on the extended DL/T698.45-2017 protocol.
Preferably, step 4 specifically includes:
step 41, the fusion terminal obtains the ID and key version of the device whose key is to be downloaded;
step 42, the photovoltaic data collector calls the interface provided by the encryption algorithm library, obtains the key state (i.e. the algorithm library state) and the device ID, and responds to the fusion terminal;
step 43, the fusion terminal decides according to the returned algorithm library state whether to proceed; when key distribution has been completed, it proceeds to the next step;
step 44, identity authentication starts between the fusion terminal and the photovoltaic data collector: the fusion terminal calls the algorithm library interface to obtain the fusion terminal's calculation parameters;
step 44, the photovoltaic data collector calls the algorithm library interface to obtain the collector's calculation parameters;
step 45, the fusion terminal calls the algorithm library interface to obtain ciphertext 1, and sends ciphertext 1 + TID to the photovoltaic data collector;
ciphertext 1 comprises M1 and S1, where M1 is obtained by encrypting the random number RN1 with the ID of the fusion terminal, and S1 is obtained by signing M1 with the collector private key DS2;
step 46, the photovoltaic data collector calls the algorithm library interface to decrypt ciphertext 1; if decryption fails, it replies with an authentication failure; if decryption succeeds, it calls the algorithm library interface to obtain ciphertext 2 and returns it to the fusion terminal;
here, successful decryption means that M1 is decrypted with the fusion terminal private key DS1 to obtain RN1;
ciphertext 2 comprises M2 and S2, where M2 is obtained by encrypting the random number RN2 with the ID of the collector, and S2 is obtained by signing M2 with the fusion terminal private key DS1;
step 47, the fusion terminal calls the algorithm library interface to decrypt ciphertext 2 to obtain RN2.
A distributed photovoltaic grid-connected lightweight admission system based on certificate-free encryption comprises:
a handheld terminal and fusion terminal identity authentication module, used for establishing a communication connection between the handheld terminal and the fusion terminal and completing bidirectional identity authentication relying on the built-in key of the encryption chip;
a fusion terminal key distribution module, used by the handheld terminal to distribute the certificate-free key based on the national cryptographic algorithm to the fusion terminal;
a data collector key distribution module, used for establishing a communication connection between the handheld terminal and the distributed photovoltaic data collector and completing key distribution to the distributed photovoltaic data collector;
and a photovoltaic data collector and fusion terminal identity authentication and data transmission module, used for carrying out identity authentication and encrypted data transmission between the photovoltaic data collector and the fusion terminal, thereby realizing lightweight admission for distributed photovoltaic grid connection.
A terminal comprising a processor and a storage medium; the storage medium is used for storing instructions;
the processor is configured to operate in accordance with the instructions to perform the steps of the method.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, realizes the steps of the method.
Compared with the prior art, the invention has the following beneficial effects:
Starting from the security requirement of distributed photovoltaic grid connection receiving the regulation and control instructions of the power system, the invention performs certificate-free cryptographic authentication based on the national cryptographic algorithm under the premise of low cost, low intrusion and high reliability, extends the existing DL/T698.45-2017 protocol, and realizes identity authentication and encrypted transmission between edge equipment such as the power system fusion terminal and the distributed photovoltaic acquisition terminal (the invention does not relate to encrypted transmission and can be written as identity authentication, key exchange and signature verification), thereby ensuring that the regulation and control instructions and acquisition data of the power system are not tampered with, providing a security protection guarantee for the large-scale construction of distributed photovoltaics, and realizing hierarchical authentication security protection for lightweight terminal admission.
(1) The invention combines the characteristics of the distributed photovoltaic service and proposes a hierarchical authentication concept based on the 'cloud, pipe, edge, end' service system: cloud-edge authentication still uses the unified cryptographic service platform of the power system to issue digital certificates, which are stored in an encryption chip, to realize bidirectional identity authentication; edge-end authentication takes into account the insufficient computing resources, unstable communication environment and limited storage space of end devices, and proposes a lightweight edge-end identity authentication method based on soft encryption. Identity authentication and encrypted data transmission between the distributed photovoltaic acquisition terminal and the edge equipment of the power system are realized through certificate-free soft encryption with the national cryptographic algorithm, so that a user's public key can be computed directly from the user identifier and equipment parameters; no public key certificates need to be exchanged between users before signature verification, the number of keys is small, the key management burden of the system is greatly reduced, and the low cost, low intrusion and high reliability of distributed photovoltaic grid-connected security protection are ensured;
(2) The invention fully considers the practical implementation difficulty and is compatible with existing operating habits: it proposes a method of distributing keys using the field handheld terminal of the power system, in which the handheld terminal is selected as the key generation center (KGC) to generate the partial private key that is combined with the user secret value, binding public keys to identities without certificates while not depending entirely on the KGC to generate the user private key; key management and distribution under a certificate-free cryptosystem are thus realized. Bluetooth communication is used between the handheld terminal and the fusion terminal and collector, which is a near-field, low-risk communication scenario, achieving low retrofit cost and low implementation difficulty.
(3) In this lightweight admission method, the handheld terminal and the power system edge equipment rely on the equipment's original PKI-based asymmetric algorithm keys to authenticate each other; after successful identity authentication, the handheld terminal issues a certificate-free key to the edge equipment, so that the fusion terminal and other edge equipment hold a key for authentication with the distributed photovoltaic acquisition terminal. The handheld terminal establishes communication with the distributed photovoltaic acquisition terminal over Bluetooth and issues a certificate-free key to it, so that the photovoltaic acquisition terminal holds a key for authentication with the power system edge equipment. This improves the current lack of network security protection for distributed photovoltaic terminals, extends security authentication across the entire business scenario of the power grid cloud, pipe, edge and end, and can be extended to business systems such as the Internet of Things.
Drawings
FIG. 1 is a schematic diagram of the implementation of the method of the present invention;
FIG. 2 is a flow chart of key distribution between the handheld terminal and the fusion terminal in the present invention;
FIG. 3 is a flow chart of key distribution between the handheld terminal and the photovoltaic collector in the present invention;
FIG. 4 is a flow chart of authentication between the fusion terminal and the collector in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. The embodiments described herein are merely some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art without making any inventive effort, are within the scope of the present invention.
As shown in FIG. 1, embodiment 1 of the present invention provides a distributed photovoltaic grid-connected lightweight admission method based on certificate-free encryption. It uses the handheld terminal for field operation of the power system to perform key management and distribution, and uses the keys distributed by the handheld terminal to realize identity authentication and encrypted transmission between the power system edge equipment and the photovoltaic acquisition terminal: the power system edge equipment and the photovoltaic acquisition terminal communicate over HPLC and establish a communication connection; the power system edge equipment performs key negotiation and identity authentication with the photovoltaic acquisition terminal; once identity authentication succeeds, a symmetric algorithm key is negotiated to secure data transmission and reduce the computing load on the photovoltaic acquisition terminal.
In a preferred but non-limiting embodiment of the invention, the method comprises the following steps:
Step 1, establishing a Bluetooth communication connection between the handheld terminal and the fusion terminal, and completing identity authentication relying on the built-in key of the encryption chip.
The handheld terminal, the fusion terminal and other edge-end devices are internally provided with encryption chips that store keys distributed by the unified cryptographic service platform of the power system. To secure the Bluetooth near-field communication between the handheld terminal and the fusion terminal, the two first rely on the devices' original built-in encryption chips to authenticate each other.
As shown in FIG. 2, the implementation steps are as follows:
step 11, the handheld terminal hashes its own serial number, signs the hash, and sends the signature data, the serial number and its certificate to the fusion terminal over Bluetooth;
step 12, the fusion terminal verifies the certificate sent by the handheld terminal against the root certificate, extracts the public key from the certificate and verifies the signature; it then hashes and signs its own serial number and sends the signature data, the serial number, its certificate and the verification result to the handheld terminal;
step 13, the handheld terminal verifies the certificate sent by the fusion terminal against the root certificate, extracts the public key from the certificate and verifies the signature.
At this point the handheld terminal and the fusion terminal have completed two-way identity authentication; after authentication passes, the session is valid for 2 min, and the authentication becomes invalid after timeout.
Step 2, the handheld terminal distributes a certificate-free key based on the national cryptographic algorithm to the fusion terminal and other edge-end devices. As shown in FIG. 2, the implementation steps are as follows:
step 21, the fusion terminal generates a trigger message from the identity verification result and its private key and sends it to the handheld terminal;
step 22, the handheld terminal calls the KGC interface, generates a private key application message and sends it to the fusion terminal;
step 23, the fusion terminal calls the KGC interface, generates a private key sending message and sends it to the handheld terminal;
step 24, the handheld terminal calls the KGC interface, updates the key and feeds the update result (success/failure) back to the fusion terminal.
Further preferably, key management and issuance in the certificate-free system are performed based on the SM2 certificateless cryptosystem.
The user public key can be computed directly from the user identifier and the system parameters, so no public key certificates need to be exchanged between users before signature verification and no complex certificate management process has to be supported; the number of keys stored by the platform is small and remains almost constant as the number of terminal devices grows, which greatly reduces the system's key management burden and supports massive numbers of user identifiers. The method is therefore particularly suitable for distributed photovoltaic business scenarios.
Step 3, the handheld terminal establishes a Bluetooth communication connection with the distributed photovoltaic data collector and completes key distribution to it. As shown in FIG. 3, the implementation steps are as follows:
step 31, establishing a Bluetooth connection between the handheld terminal and the photovoltaic data collector;
step 32, the photovoltaic data collector sends a trigger message generated from its private key to the handheld terminal;
step 33, the handheld terminal calls the KGC interface, generates a private key application message and sends it to the photovoltaic data collector;
step 34, the photovoltaic data collector calls the KGC interface, generates a private key sending message and sends it to the handheld terminal;
step 35, the handheld terminal calls the KGC interface, updates the key and feeds the update result (success/failure) back to the photovoltaic data collector.
Step 4, based on the extended DL/T698.45-2017 protocol, identity authentication and encrypted data transmission between the photovoltaic data collector and the fusion terminal are realized, achieving lightweight admission for distributed photovoltaic grid connection and securing the exchange of control-related instructions and collected data between the distributed photovoltaic collector and the fusion terminal.
To ensure the security and reliability of the communication protocol and the adoption of the standard, the DL/T698.45-2017 protocol is used; it already provides encryption and authentication functions, and after further extension it can meet the authentication and encrypted transmission needs of the photovoltaic data collector, the fusion terminal and other edge equipment.
As shown in fig. 4, the implementation steps are as follows:
step 41, the fusion terminal acquires the ID and the key version of the key device to be downloaded;
step 42, the photovoltaic data collector calls an interface provided by the encryption algorithm library, acquires the key state (the algorithm library state) and the device ID, and responds to the fusion terminal;
step 43, the fusion terminal decides from the returned algorithm library state whether to proceed; when key distribution has been completed, it enters the next step;
step 44, identity authentication starts between the fusion terminal and the photovoltaic data collector, and the fusion terminal calls an algorithm library interface to acquire its own calculation parameters;
step 44, the photovoltaic data collector calls an algorithm library interface to obtain the collector calculation parameters;
step 45, the fusion terminal calls an algorithm library interface to obtain ciphertext 1 (M1+S1) and sends ciphertext 1 + TID to the photovoltaic data collector;
ciphertext 1 comprises M1 and S1, where M1 is obtained by encrypting a random number RN1 using the ID of the fusion terminal, and S1 is obtained by signing M1 with the collector private key DS2;
step 46, the photovoltaic data collector calls an algorithm library interface to decrypt ciphertext 1; if decryption fails, an authentication failure is returned; if decryption succeeds, an algorithm library interface is called to obtain ciphertext 2 (M2+S2), which is returned to the fusion terminal;
here, successful decryption means that M1 is decrypted with the fusion terminal private key DS1 to obtain RN1;
ciphertext 2 comprises M2 and S2, where M2 is obtained by encrypting the random number RN2 using the ID of the collector, and S2 is obtained by signing M2 with the fusion terminal private key DS1;
step 47, the fusion terminal calls an algorithm library interface to decrypt ciphertext 2 and obtains RN2.
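As an added illustration (not code from the patent or its applicants), the Python below models the step 3 key issuance and the step 45-47 exchange: the handheld terminal, acting as KGC, issues each device a certificateless key made of a KGC partial private key plus the device's own secret value, after which the fusion terminal and collector exchange ciphertext 1 (M1+S1) and ciphertext 2 (M2+S2). It assumes a Schnorr-style implicit-certificate construction over a tiny integer group in place of the SM2/SM9 algorithm library, and that each side encrypts its nonce to the peer's identity-derived public key and signs with its own private key; FUSION-01, PV-COLLECTOR-07 and TID-0001 are constructed placeholders.

```python
import hashlib
import secrets

# Toy group parameters (assumption, not from the patent): safe prime p = 2q + 1;
# g = 4 generates the subgroup of prime order q. Far too small for real use.
P, Q, G = 1019, 509, 4


def h(*parts) -> int:
    """Hash arbitrary values into Z_q (stand-in for SM3 in the real algorithm library)."""
    data = b"|".join(repr(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


class KGC:
    """Key generation centre: the role the handheld terminal plays in steps 2 and 3."""

    def __init__(self):
        self.s = secrets.randbelow(Q - 1) + 1  # master secret, never leaves the handheld
        self.pub = pow(G, self.s, P)           # master public value, provisioned to devices

    def partial_private_key(self, ident: str, X: int):
        """Answer a 'private key application' for ident with (R, d), d = r + s*H(ID, R, X)."""
        r = secrets.randbelow(Q - 1) + 1
        R = pow(G, r, P)
        return R, (r + self.s * h(ident, R, X)) % Q


def derived_public_key(ident: str, R: int, X: int, kgc_pub: int) -> int:
    """Recompute a peer's public key g^(r + x + s*e) from its identity and the
    published (R, X): no certificate is exchanged, only the identity is needed."""
    return (R * X * pow(kgc_pub, h(ident, R, X), P)) % P


class Device:
    """Fusion terminal or photovoltaic data collector holding a full key pair."""

    def __init__(self, ident: str, kgc: KGC):
        self.ident, self.kgc_pub = ident, kgc.pub
        self.x = secrets.randbelow(Q - 1) + 1  # user secret value, chosen on the device
        self.X = pow(G, self.x, P)
        self.R, d = kgc.partial_private_key(ident, self.X)
        self.sk = (d + self.x) % Q             # full private key: KGC part + own secret
        # The 'key update' succeeds only if the derived public key matches (step 35).
        assert pow(G, self.sk, P) == derived_public_key(*self.pub_info(), self.kgc_pub)

    def pub_info(self):
        return self.ident, self.R, self.X

    def encrypt_to(self, peer_info, m: int):
        """ElGamal-style encryption of a nonce to the peer's identity-derived key."""
        pk = derived_public_key(*peer_info, self.kgc_pub)
        k = secrets.randbelow(Q - 1) + 1
        return pow(G, k, P), (m * pow(pk, k, P)) % P

    def decrypt(self, c) -> int:
        c1, c2 = c
        return (c2 * pow(c1, Q - self.sk, P)) % P  # c2 * c1^(-sk); c1 has order q

    def sign(self, *msg):
        """Schnorr-style signature over msg with the full private key."""
        k = secrets.randbelow(Q - 1) + 1
        T = pow(G, k, P)
        return T, (k + self.sk * h(T, self.ident, *msg)) % Q


def verify(signer_info, kgc_pub: int, sig, *msg) -> bool:
    """Check sig against the key derived from the signer's identity and (R, X)."""
    T, z = sig
    pk = derived_public_key(*signer_info, kgc_pub)
    return pow(G, z, P) == (T * pow(pk, h(T, signer_info[0], *msg), P)) % P


def authenticate(fusion: Device, collector: Device, tid: str = "TID-0001") -> dict:
    """Steps 45-47 as one exchange; both nonces must round-trip unchanged."""
    # Step 45: fusion terminal encrypts RN1 to the collector, signs M1, sends ciphertext 1 + TID.
    rn1 = secrets.randbelow(P - 1) + 1
    m1 = fusion.encrypt_to(collector.pub_info(), rn1)
    s1 = fusion.sign(m1, tid)
    # Step 46: collector checks S1 and decrypts M1; on failure it replies 'authentication failure'.
    if not verify(fusion.pub_info(), collector.kgc_pub, s1, m1, tid):
        return {"ok": False, "reason": "S1 invalid"}
    rn1_rx = collector.decrypt(m1)
    rn2 = secrets.randbelow(P - 1) + 1
    m2 = collector.encrypt_to(fusion.pub_info(), rn2)
    s2 = collector.sign(m2, tid)
    # Step 47: fusion terminal checks S2 and decrypts M2 to obtain RN2.
    if not verify(collector.pub_info(), fusion.kgc_pub, s2, m2, tid):
        return {"ok": False, "reason": "S2 invalid"}
    rn2_rx = fusion.decrypt(m2)
    return {"ok": True, "rn1": (rn1, rn1_rx), "rn2": (rn2, rn2_rx)}


if __name__ == "__main__":
    handheld = KGC()  # the device identifiers below are constructed placeholders
    print(authenticate(Device("FUSION-01", handheld), Device("PV-COLLECTOR-07", handheld)))
```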
The photovoltaic data collector: a device that collects data from the photovoltaic grid-connected inverter, combiner box, weather station, electricity meter and other equipment in a photovoltaic power station and transmits it to the photovoltaic control system over GPRS (general packet radio service), Ethernet, WiFi, 3G or similar links;
the fusion terminal: the edge device of the cloud-pipe-edge-end architecture of the State Grid Corporation's intelligent Internet of Things system, providing information acquisition, IoT agent and edge computing functions and supporting marketing, power distribution and emerging services. It is an intelligent fusion terminal built on a hardware platform with functional software, a modular structure, software/hardware decoupling, adaptive communication protocols, high-performance concurrency and large-capacity storage, serving multiple acquisition objects: power supply and consumption acquisition at distribution substations, data collection from acquisition terminals or electricity meters, equipment state monitoring, communication networking, local analysis and decision-making, collaborative computing and so on.
Embodiment 2 of the invention provides a distributed photovoltaic grid-connected lightweight admission system based on certificateless encryption, which comprises the following components:
the handheld terminal and the fusion terminal identity authentication module are used for establishing communication connection between the handheld terminal and the fusion terminal and completing bidirectional identity authentication by relying on a built-in key of the encryption chip;
the fusion terminal key distribution module is used for the handheld terminal to distribute the certificate-free key based on the national encryption algorithm to the fusion terminal;
the data collector key distribution module is used for establishing communication connection between the handheld terminal and the distributed photovoltaic data collector and completing key distribution of the distributed photovoltaic data collector;
and the photovoltaic data collector and fusion terminal identity authentication and data transmission module is used for carrying out identity authentication and data encryption transmission of the photovoltaic data collector and the fusion terminal, so that the distributed photovoltaic grid-connected lightweight admission is realized.
A terminal comprising a processor and a storage medium; the storage medium stores instructions, and the processor operates according to the instructions to perform the steps of the method.
A computer readable storage medium having stored thereon a computer program which when executed by a processor realizes the steps of the method.
The invention has the beneficial effects that compared with the prior art:
Starting from the security requirement that distributed photovoltaic grid connection must receive regulation and control instructions from the power system, the invention performs certificateless cryptographic authentication based on the national cryptographic algorithms under the premise of low cost, low intrusion and high reliability, extends the existing DL/T698.45-2017 protocol, and realizes identity authentication and encrypted transmission between edge devices such as the power system fusion terminal and the distributed photovoltaic acquisition terminal (the invention does not itself cover encrypted transmission; it can be described as identity authentication, key exchange and signature verification). This ensures that the regulation and control instructions and collected data of the power system are not tampered with, provides a technical security guarantee for the large-scale construction of distributed photovoltaics, and realizes hierarchical authentication for lightweight terminal admission.
(1) Combining the characteristics of the distributed photovoltaic service, the invention proposes a hierarchical authentication concept based on the 'cloud, pipe, edge, end' service architecture. Cloud-edge authentication still uses the unified cryptographic service platform of the power system to issue digital certificates, which are stored in an encryption chip, to realize bidirectional identity authentication. Edge-end authentication takes into account the limited computing resources, unstable communication environment and limited storage space of end devices, and proposes a lightweight edge-end identity authentication method based on soft encryption: identity authentication and encrypted data transmission between the distributed photovoltaic acquisition terminal and the power system edge device are realized through certificateless soft encryption with the national cryptographic algorithms, so that a user's public key can be computed directly from the user identifier and device parameters, no public key certificates need to be exchanged before signature verification, the amount of key material is small, the key management burden on the system is greatly reduced, and the low cost, low intrusion and high reliability of distributed photovoltaic grid-connection security protection are ensured;
(2) The invention takes the practical implementation difficulty into full account and stays compatible with existing operating practice by proposing to distribute keys with the power system's field handheld terminal: the handheld terminal is chosen as the key generation centre (KGC) to generate partial private keys that are combined with user secret values, public keys are bound to identities without certificates, and the user private key does not depend entirely on the KGC, thereby realizing key management and distribution under a certificateless cryptosystem. Bluetooth communication is used between the handheld terminal and the fusion terminal and collector, a near-field, low-risk communication scenario, achieving low retrofit cost and low implementation difficulty.
(3) In the lightweight admission method, the handheld terminal and the power system edge device rely on the devices' existing PKI-based asymmetric keys to authenticate each other; after successful identity authentication, the handheld terminal issues a certificateless key to the edge device, so that the fusion terminal and other edge devices hold a key for authentication with the distributed photovoltaic acquisition terminal. The handheld terminal and the distributed photovoltaic acquisition terminal communicate over Bluetooth, and the handheld terminal issues a certificateless key to the photovoltaic acquisition terminal, which thereby holds a key for authentication with the power system edge device. This remedies the current lack of network security protection for distributed photovoltaic terminals, extends security authentication over the whole cloud, pipe, edge and end business scenario of the power grid, and can be extended to other business systems such as the Internet of Things.
The present disclosure may be a system, method, and/or computer program product. The computer program product may include a computer readable storage medium having computer readable program instructions embodied thereon for causing a processor to implement aspects of the present disclosure.
The computer readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: portable computer disks, hard disks, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM or flash memory), Static Random Access Memory (SRAM), portable Compact Disk Read-Only Memory (CD-ROM), Digital Versatile Disks (DVD), memory sticks, floppy disks, mechanical coding devices such as punch cards or in-groove structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media, as used herein, are not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (e.g., optical pulses through fiber optic cables), or electrical signals transmitted through wires.
The computer readable program instructions described herein may be downloaded from a computer readable storage medium to a respective computing/processing device or to an external computer or external storage device over a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmissions, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network interface card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium in the respective computing/processing device.
Computer program instructions for performing the operations of the present disclosure can be assembly instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may be executed entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present disclosure are implemented by personalizing electronic circuitry, such as programmable logic circuitry, Field Programmable Gate Arrays (FPGAs), or Programmable Logic Arrays (PLAs), with state information of computer readable program instructions, which can execute the computer readable program instructions.
Finally, it should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those skilled in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (12)

1. The distributed photovoltaic grid-connected lightweight admission method based on certificate-free encryption adopts a handheld terminal for field operation of a power system to manage and distribute keys, realizes identity authentication and data encryption transmission of a distributed photovoltaic data collector and a terminal for side fusion of the power system, and is characterized in that:
the method comprises the following steps:
step 1, establishing communication connection between a handheld terminal and a fusion terminal, and completing bidirectional identity authentication by relying on a built-in key of an encryption chip;
step 2, the handheld terminal distributes a certificate-free key based on a national encryption algorithm to the fusion terminal;
step 3, establishing communication connection between the handheld terminal and the distributed photovoltaic data collector, and completing non-certificate key distribution of the distributed photovoltaic data collector based on a cryptographic algorithm;
step 4, carrying out identity authentication and encrypted data transmission between the photovoltaic data collector and the fusion terminal on the basis of step 2 and step 3, and realizing lightweight admission of the distributed photovoltaic grid connection.
2. The distributed photovoltaic grid-connected lightweight admission method based on certificateless encryption as claimed in claim 1, wherein:
the handheld terminal is connected with the fusion terminal and the distributed photovoltaic data collector by Bluetooth communication.
3. The distributed photovoltaic grid-connected lightweight admission method based on certificateless encryption as claimed in claim 1, wherein:
in step 1, the handheld terminal and the fusion terminal device both have built-in encryption chips, which store keys distributed by the unified cryptographic service platform of the power system; the handheld terminal and the fusion terminal device authenticate each other relying on their built-in encryption chips and complete two-way identity authentication; after authentication passes, the session is valid for 2 min, and the authentication becomes invalid after timeout.
4. The distributed photovoltaic grid-connected lightweight admission method based on certificateless encryption as claimed in claim 1, wherein:
the step 1 specifically comprises the following steps:
step 11, the hand-held terminal takes the palm machine serial number as HASH, signs the HASH data, and sends the signature data, the serial number and the certificate to the fusion terminal in a Bluetooth communication mode;
step 12, the fusion terminal adopts the root certificate to verify the certificate sent by the handheld terminal, extracts a public key from the certificate, verifies the signature, then takes the self serial number as the HASH signature, and sends signature data, the serial number, the certificate and the verification result to the handheld terminal;
step 13, the handheld terminal verifies the certificate sent by the fusion terminal using the root certificate, extracts the public key from the certificate, and verifies the signature.
5. The distributed photovoltaic grid-connected lightweight admission method based on certificateless encryption as claimed in claim 1, wherein:
the step 2 specifically comprises the following steps:
step 21, the fusion terminal generates a trigger message by the identity verification result and the private key and sends the trigger message to the handheld terminal;
step 22, the hand-held terminal calls a national encryption algorithm interface, generates a private key application message and sends the private key application message to the fusion terminal;
step 23, the fusion terminal invokes a national cryptographic algorithm interface, generates a private key sending message and sends the private key sending message to the handheld terminal;
step 24, the handheld terminal invokes a national cryptographic algorithm interface, updates the key and feeds the update result back to the fusion terminal.
6. The distributed photovoltaic grid-connected lightweight admission method based on certificateless encryption as claimed in claim 1, wherein:
the step 3 specifically comprises the following steps:
step 31, establishing connection between the handheld terminal and the photovoltaic data collector;
step 32, the photovoltaic data collector sends a triggering message generated by the private key to the handheld terminal;
step 33, the hand-held terminal calls a national encryption algorithm interface, generates a private key application message and sends the private key application message to the photovoltaic data collector;
step 34, the photovoltaic data collector calls a national encryption algorithm interface, generates a private key sending message and sends the private key sending message to the handheld terminal;
step 35, the handheld terminal calls a national cryptographic algorithm interface, updates the key and feeds the update result back to the photovoltaic data collector.
7. The distributed photovoltaic grid-connected lightweight admission method based on certificateless encryption according to claim 5 or 6, wherein:
the interface is a national cryptographic algorithm KGC interface.
8. The distributed photovoltaic grid-connected lightweight admission method based on certificateless encryption as claimed in claim 1, wherein:
in step 4, identity authentication and data encryption transmission of the photovoltaic data collector and the fusion terminal are performed based on an extended DL/T698.45-2017 protocol.
9. The distributed photovoltaic grid-connected lightweight admission method based on certificateless encryption as claimed in claim 8, wherein:
the step 4 specifically comprises the following steps:
step 41, the fusion terminal acquires the ID and the key version of the key equipment to be downloaded;
step 42, the photovoltaic data collector calls an interface provided by the encryption algorithm library, acquires a key state, namely an algorithm library state, acquires a device ID and responds to the fusion terminal;
step 43, the fusion terminal confirms whether the next operation is performed according to the returned algorithm library state, and when the key distribution is finished, the next step is performed;
step 44, the identity authentication is started between the fusion terminal and the photovoltaic data collector, and the fusion terminal calls an algorithm library interface to acquire calculation parameters of the fusion terminal;
step 44, the photovoltaic data collector calls an algorithm library interface to obtain collector calculation parameters;
step 45, the fusion terminal calls an algorithm library interface to obtain a ciphertext 1, and sends the ciphertext 1+TID to the photovoltaic data collector;
ciphertext 1 comprises M1 and S1, where M1 is obtained by encrypting a random number RN1 using the ID of the fusion terminal, and S1 is obtained by signing M1 with the collector private key DS2;
step 46, the photovoltaic data collector calls an algorithm library interface to decrypt ciphertext 1; if decryption fails, an authentication failure is returned; if decryption succeeds, an algorithm library interface is called to obtain ciphertext 2, which is returned to the fusion terminal;
here, successful decryption means that M1 is decrypted with the fusion terminal private key DS1 to obtain RN1;
ciphertext 2 comprises M2 and S2, where M2 is obtained by encrypting the random number RN2 using the ID of the collector, and S2 is obtained by signing M2 with the fusion terminal private key DS1;
step 47, the fusion terminal calls an algorithm library interface to decrypt ciphertext 2 and obtains RN2.
10. A distributed photovoltaic grid-connected lightweight admission system based on certificate-free encryption for implementing the method of any one of claims 1-9, characterized by: the admission system comprises:
the handheld terminal and the fusion terminal identity authentication module are used for establishing communication connection between the handheld terminal and the fusion terminal and completing bidirectional identity authentication by relying on a built-in key of the encryption chip;
the fusion terminal key distribution module is used for the handheld terminal to distribute the certificate-free key based on the national encryption algorithm to the fusion terminal;
the data collector key distribution module is used for establishing communication connection between the handheld terminal and the distributed photovoltaic data collector and completing key distribution of the distributed photovoltaic data collector;
and the photovoltaic data collector and fusion terminal identity authentication and data transmission module is used for carrying out identity authentication and data encryption transmission of the photovoltaic data collector and the fusion terminal, so that the distributed photovoltaic grid-connected lightweight admission is realized.
11. A terminal comprising a processor and a storage medium; the method is characterized in that:
the storage medium is used for storing instructions;
the processor being operative according to the instructions to perform the steps of the method according to any one of claims 1-9.
12. Computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the steps of the method according to any one of claims 1-9.
CN202211531461.2A 2022-12-01 2022-12-01 Distributed photovoltaic grid-connected light-weight admission method and system based on certificate-free encryption Pending CN116193434A (en)

Publications (1)

Publication Number Publication Date
CN116193434A true CN116193434A (en) 2023-05-30

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116963051A (en) * 2023-09-14 2023-10-27 国网信息通信产业集团有限公司 Electric power lightweight 5G communication system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Chen Cen, Chen Feng, Deng Jin, Zhang Wei, Lv Zhuo, Yang Qingkun, Li Nuannuan, Wang Qian, Tian Yangyang, Wang Wenting, Guo Zhimin, Di Li, Xu Maojing, Hou Shengkun, Lian Yongbing, Shi Xiaolong, Wang Ye, Sun Jinliang
Inventor before: Chen Cen, Chen Feng, Deng Jin, Zhang Wei, Lv Zhuo, Yang Qingkun, Li Nuannuan, Wang Qian, Tian Yangyang, Wang Wenting, Guo Zhimin, Di Li, Xu Maojing, Hou Shengkun, Lian Yongbin, Shi Xiaolong, Wang Ye, Sun Jinliang