CN116208421A - Security authentication management and control method, device, medium and server - Google Patents


Info

Publication number
CN116208421A
Authority
CN
China
Prior art keywords
authentication
terminal
server
information
management
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310227510.1A
Other languages
Chinese (zh)
Inventor
黄颖祺
李曼
曹扬
李江南
欧阳宇宏
黄福全
索思亮
陈立明
黄开天
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Power Supply Co ltd
Original Assignee
Shenzhen Power Supply Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Power Supply Co ltd
Priority to CN202310227510.1A
Publication of CN116208421A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using cryptographic hash functions
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Selective Calling Equipment (AREA)

Abstract

The invention discloses a security authentication management and control method, device, medium and server, which relate to the technical field of security authentication. The technical scheme is as follows: standard information of a terminal is preset on a server, where the standard information represents the priority information of the terminal; parameter configuration information of the terminals equipped in the power distribution network is acquired; and the server receives the parameter configuration information and, according to the standard information and the parameter configuration information, generates a management and control strategy for security authentication between the terminal and the server. The management and control strategy comprises bidirectional identity authentication, unidirectional identity authentication and weak authentication, where the bidirectional identity authentication is a one-time password authentication protocol combining the SM2 public-key algorithm, the SM3 hash algorithm and the SM4 block cipher with hash values. The invention reduces the information interaction brought by mutual identity authentication between the server and the gateway in the security authentication stage, thereby reducing the burden on the server.

Description

Security authentication management and control method, device, medium and server
Technical Field
The invention relates to the technical field of security authentication, in particular to a security authentication management and control method, a security authentication management and control device, a security authentication medium and a security authentication server.
Background
The power grid is national critical infrastructure, and numerous attacks against power grids have occurred internationally in recent years. The instructions and data transmitted over the distribution network are critical and sensitive and therefore require strong protection. Security authentication is one of the important components of network security technology; it comprises one-way identity authentication and two-way identity authentication. Security authentication and data encryption between the server and the terminal in a transformer substation or distribution substation are mainly implemented in software, using protective measures such as one-way encrypted authentication and two-way encrypted authentication, so that data interaction and service interaction in the distribution network system are secured and the system is kept from being maliciously broken into and paralysed.
However, in practice, as the number of intelligent substations and intelligent distribution stations grows, more and more substations and distribution stations have servers remotely controlling terminals to perform operations; for example, many substations and distribution stations can now open and close a breaker remotely through the server via the breaker terminal. Accordingly, attacks on the critical information infrastructure of the power grid are frequent, and the security situation is becoming severe.
When the server performs security authentication with a terminal, a large amount of information must be exchanged between the gateway and the server, for example random numbers, keys and hash values are sent and received. The message complexity of two-way identity authentication exceeds that of one-way identity authentication, and a substation or distribution substation contains many terminals; if, for the sake of security, every terminal performed two-way identity authentication, the server and the gateway would have to exchange a large volume of messages, greatly increasing the burden on the server.
Disclosure of Invention
The invention provides a security authentication management and control method, a security authentication management and control device, a security authentication medium and a security authentication server.
The technical aim of the invention is realized by the following technical scheme:
In a first aspect of the present application, a security authentication management and control method is provided, applied to a server, and the method includes:
presetting standard information of a terminal on the server, where the standard information represents priority information of the terminal;
acquiring parameter configuration information of the terminals equipped in a transformer substation or a power distribution station;
the server receiving the parameter configuration information and generating, according to the standard information and the parameter configuration information, a management and control strategy for security authentication between the terminal and the server, where the management and control strategy comprises two-way identity authentication, one-way identity authentication and weak authentication; correspondingly, the server executes the management and control strategy to complete security authentication with the terminal in any one of the three authentication modes, where the two-way identity authentication is a one-time password authentication protocol combining the SM2, SM3 and SM4 algorithms with hash values.
In one embodiment, generating a management and control policy for security authentication between the terminal and the server according to the standard information and the parameter configuration information specifically comprises:
determining type information of the terminal according to the parameter configuration information, where the type information comprises control terminal, monitoring terminal and auxiliary terminal;
generating a priority level of the terminal according to the priority information and the type information;
and selecting, according to the ranking of the priority levels, the authentication mode that the control strategy assigns, so as to perform security authentication between the terminal and the server.
In one embodiment, generating the priority level of the terminal according to the priority information and the type information includes:
selecting the control terminals, monitoring terminals and auxiliary terminals in the type information in the order given by the priority information, and generating a first priority level of the terminal.
In one embodiment, the method further comprises:
when several terminals have the same priority level, acquiring the nodes of those terminals in the transformer substation or power distribution station, and calculating a fault hazard index for the set of faulted elements that a fault at each node produces;
and generating a second priority level for the terminals of equal priority according to the fault hazard indexes of their corresponding nodes.
In one embodiment, the fault hazard index is derived from an indicator function and a hazard level function of the node fault.
In one embodiment, the method further comprises:
presetting, on the server, identification information of the terminals that are to use weak authentication;
and when the identification information matches the parameter configuration information, the server and the corresponding terminal perform security authentication in the weak authentication mode.
In one embodiment, the method further comprises:
acquiring historical authentication request information from security authentication of the terminals equipped in the power distribution network;
and verifying, against the historical authentication request information, the management and control strategy between the terminal and the server in the current time period, and generating alarm information when the verification fails.
In a second aspect of the present application, a security authentication management and control device is provided, applied to a server, the device including:
a preset module, configured to preset standard information of the terminal on the server, where the standard information represents priority information of the terminal;
an acquisition module, configured to acquire parameter configuration information of the terminals equipped in the transformer substation or power distribution station;
and a management and control module, configured to have the server receive the parameter configuration information and generate, according to the standard information and the parameter configuration information, a management and control strategy for security authentication between the terminal and the server, where the management and control strategy comprises two-way identity authentication, one-way identity authentication and weak authentication; correspondingly, the server executes the management and control strategy to complete security authentication with the terminal in any one of the three authentication modes, where the two-way identity authentication is a one-time password authentication protocol combining the SM2, SM3 and SM4 algorithms with hash values.
In a third aspect of the present application, a computer-readable medium is provided, having stored thereon a computer program which, when executed by a processor, implements the method according to any embodiment of the first aspect of the present application.
In a fourth aspect of the present application, a server is provided, comprising: one or more processors; and a storage device having one or more programs stored thereon which, when executed by the one or more processors, cause the one or more processors to implement the method according to any embodiment of the first aspect of the present application.
Compared with the prior art, the invention has the following beneficial effects:
The security authentication management and control method of the invention generates a management and control strategy for security authentication between the terminals and the server from the preset priority information of the terminals and their parameter configuration information. The strategy comprises bidirectional identity authentication, unidirectional identity authentication and weak authentication, and the server executes it to complete security authentication with each terminal in whichever of the three modes the strategy assigns, so that the information interaction caused by bidirectional identity authentication between the server and the gateway is reduced and the load on the server is lightened.
Drawings
The accompanying drawings, which are included to provide a further understanding of embodiments of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention. In the drawings:
fig. 1 is a schematic flow chart of a security authentication management and control method provided in an embodiment of the present application;
fig. 2 is a schematic block diagram of a security authentication management and control device according to an embodiment of the present application.
Detailed Description
For the purpose of making apparent the objects, technical solutions and advantages of the present invention, the present invention will be further described in detail with reference to the following examples and the accompanying drawings, wherein the exemplary embodiments of the present invention and the descriptions thereof are for illustrating the present invention only and are not to be construed as limiting the present invention.
It should be appreciated that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present invention, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
As described in the background, in practice, as the number of intelligent substations and intelligent distribution stations in the power distribution network grows, more and more substations and distribution stations have servers remotely controlling terminals to perform operations; for example, many substations and distribution stations can now open and close a breaker remotely through the server via the breaker terminal. With this, attacks on the critical information infrastructure of the power grid are frequent, and the security situation is becoming severe. When the server performs security authentication with a terminal, a large amount of information must be exchanged between the gateway and the server, for example random numbers, keys and hash values are sent and received. The message complexity of two-way identity authentication exceeds that of one-way identity authentication, and a substation or distribution substation contains many terminals; if, for the sake of security, every terminal performed two-way identity authentication, the server and the gateway would have to exchange a large volume of messages, greatly increasing the burden on the server.
In order to solve the above-mentioned shortcomings of the prior art, please refer to fig. 1, fig. 1 is a flow chart of a security authentication management and control method provided in an embodiment of the present application, which is applied to a server, the method includes the following steps:
s110, presetting standard information of the terminal on a server, wherein the standard information represents priority information of the terminal.
In an actual power grid, an intelligent distribution station usually adopts a three-layer model: a perception layer, a network layer and an application layer. The master station of the distribution automation system is the application layer and consists of a production control zone and a management information zone; the network layer comprises three kinds of channel, namely wired optical fibre networks, wireless public networks and wireless private networks; in the perception layer, the front-end processor sits at the boundary with the application layer and receives the "two remote" data (telemetry and telesignalling) collected by the terminals, issues remote control instructions, and so on. Because of the diversity of network-layer channels, the distribution automation system faces various structural security vulnerabilities and threats: interaction data is easily intercepted, interaction messages are easily tampered with, servers and terminals are easily spoofed, and so on. A secure access zone is therefore established in the gateway of the intelligent distribution station and connected to the data communication system, providing data filtering and secure access control for the distribution terminal equipment; the gateway signs the communication data between the perception-layer distribution terminal and the server, providing message protection and bidirectional identity authentication between the distribution master station server and the terminal equipment; encrypted authentication and access control of the terminal are realised through the gateway, and the update mechanism and storage of the encryption keys are improved, so that the transmission of communication data is secured.
The main control chip in the terminal sends the uplink data to the gateway over SPI or a serial port; the gateway signs and encrypts the uplink data and sends the signed, encrypted data to the server through its network port, so that data is exchanged securely.
During grid operation, the importance of a terminal in the grid is used as the terminal's priority information, and identity authentication between the server and the terminal is guaranteed accordingly, so as to secure communication in both the uplink and the downlink direction. In other words, this embodiment matches the security authentication mode between terminal and server to the importance of the terminal in the distribution network, so that the computational burden on the server of executing the complex authentication mode is reduced while the security of the distribution service interaction data is preserved.
S120, acquiring parameter configuration information of terminals equipped in the power distribution network.
In this embodiment, the data acquisition manner is the prior art, and redundant explanation is not made in this embodiment.
S130, the server receives the parameter configuration information and generates, according to the standard information and the parameter configuration information, a management and control strategy for security authentication between the terminal and the server, where the strategy comprises performing bidirectional identity authentication, performing unidirectional identity authentication or performing weak authentication; correspondingly, the server executes the strategy to complete security authentication with the terminal in whichever of the three modes applies, where the bidirectional identity authentication is a one-time password authentication protocol combining the SM2, SM3 and SM4 algorithms with hash values.
In this embodiment, the two-way authentication is a one-time password authentication protocol combining the SM2, SM3 and SM4 algorithms with hash values. As is known in the art, two-way authentication requires encryption and decryption computation on both the terminal side and the server side. The authentication procedure of the one-time password protocol on the terminal side is as follows:
S1310, on receiving an authentication request from the server, the terminal obtains the serial number information of the server, calculates the hash value of the serial number information with the SM3 algorithm, generates a private key and a public key with the SM2 algorithm, and sends the public key and the hash value to the server, where the authentication request is for the two-way authentication protocol combining SM2, SM3 and SM4 with hash values, and the hash value is 32 bytes long;
S1311, the terminal receives the encrypted key and the encrypted random number R1 sent by the server, where the encrypted key and the encrypted random number R1 are obtained by encrypting the key and the random number R1 with the terminal's public key, and the key and the random number R1 are generated for the SM4 algorithm;
S1312, the terminal decrypts the encrypted key and the encrypted random number R1 with its private key to obtain the key and the random number R1, generates a random number R2, encrypts R1 and R2 with the key to obtain the encrypted random numbers R1 and R2, and sends them to the server;
S1313, the terminal decrypts the ciphertext with its private key to obtain a hash value, uses the key to calculate a verification hash value over the random number R1, the random number R2 and the serial number information, and checks whether the verification hash value matches the hash value decrypted from the ciphertext sent by the server: if so, the terminal has authenticated the server and the protocol continues; if not, authentication fails and the server's authentication request is refused. The ciphertext is obtained by dispersing the hash value under a root key preset on the server, which yields a 16-byte master key, and encrypting the master key with the public key. The terminal then encrypts the verification hash value with its private key (in SM2 terms, signs it) to obtain the encrypted verification hash value and sends it to the server.
The authentication procedure of the one-time password protocol on the server side is as follows:
S1320, the server receives the authentication request from the terminal, where the authentication request is for the two-way authentication protocol combining SM2, SM3 and SM4 with hash values;
S1321, the server generates the key and the random number R1 for the SM4 algorithm and encrypts them with the terminal's public key to obtain the encrypted key and the encrypted random number R1;
S1322, a root key is preset on the server; the server disperses the hash value under the root key to obtain a 16-byte master key, encrypts the master key with the public key to obtain the ciphertext, and sends the ciphertext to the terminal, where the root key is the first 16 bytes of the hash value;
S1323, the server decrypts the encrypted verification hash value with the public key (in SM2 terms, verifies the signature), uses the key to calculate the hash value over the random number R1, the random number R2 and the serial number information, and checks whether the verification hash value recovered with the public key matches the hash value it calculated: if so, the server has authenticated the terminal and the bidirectional authentication protocol is complete; otherwise the terminal's authentication request is refused. The encrypted verification hash value is the verification hash value encrypted with the terminal's private key.
From the bidirectional identity authentication process above it can be seen that, in the bidirectional authentication protocol of this embodiment, which combines SM2, SM3 and SM4 with hash values in both the key negotiation and the mutual authentication steps, the random numbers R1 and R2 chosen by the server and the distribution terminal enter every hash computation and check, so that even if the transmitted data is intercepted, the computed hash values differ from run to run as long as the random numbers chosen by the server and the terminal do not repeat. For example, a third party wanting to impersonate the server must compute the hash value generated from the random number R1, the random number R2 and the server's serial number information, but the chance of a third party obtaining all of that data is very low; even if the third party steals the terminal's serial-number verification table and obtains from it the hash value corresponding to the server's serial number, it still cannot compute the correct hash value without the key and the random numbers. It is therefore difficult for a third party to authenticate to the terminal with a counterfeit server.
A third party wanting to impersonate the terminal must obtain the key and use it to compute the hash value over the random number R1, the random number R2 and the serial number information; but the server and the terminal each generate a fresh random number in the key negotiation stage, and the third party cannot obtain the key, the public key, the private key and all the random numbers at once, so it is difficult to authenticate to the server with a counterfeit terminal, and the security of the distribution network system's data interaction is preserved.
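The exchange of steps S1310 to S1323 and the two impersonation cases above, written out as an added example; this is not code from the patent or from Shenzhen Power Supply Co ltd. The verifier has no SM library, so the block substitutes standard primitives and says so in its comments: SHA-256 stands in for SM3, AES-128-GCM for SM4, and a single P-256 key for the terminal's SM2 key, used for both signing and (ECIES-style) key transport, as the patent uses one SM2 keypair for both. Two points the patent text leaves open are filled in as labelled assumptions: the 16-byte master key dispersed from the root key is taken to be provisioned in the terminal as well, and it is mixed into both sides' hash values together with a direction label, so that a third party holding only the terminal's fresh public key and the serial number passes neither check; and the server checks that its own R1 comes back in the terminal's reply, which the text implies but does not state. The serial number and root key in main are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must absorbs setup errors (key generation, cipher construction) that cannot occur
// in this sample run; protocol-level failures are returned as values below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Stand-ins, since the verifier has no SM library: SHA-256 plays SM3, AES-128-GCM plays
// SM4, and one P-256 key plays the terminal's SM2 key for both signing and key transport.
func hash(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// seal/open are the patent's "encrypt/decrypt with the key"; the nonce is prepended.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(ct) < g.NonceSize() {
		return nil, errors.New("short ciphertext")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// wrapTo/unwrapWith are the patent's "encrypt with the public key / decrypt with the
// private key", done ECIES-style: ephemeral ECDH against pk_T, hash the shared secret
// into a 16-byte key, seal. Envelope layout: 65-byte ephemeral point || ciphertext.
func wrapTo(pub *ecdsa.PublicKey, pt []byte) []byte {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	shared := must(eph.ECDH(must(pub.ECDH())))
	return append(eph.PublicKey().Bytes(), seal(hash(shared)[:16], pt)...)
}

func unwrapWith(priv *ecdsa.PrivateKey, env []byte) ([]byte, error) {
	if len(env) < 65 {
		return nil, errors.New("short envelope")
	}
	eph, err := ecdh.P256().NewPublicKey(env[:65])
	if err != nil {
		return nil, err
	}
	shared := must(must(priv.ECDH()).ECDH(eph))
	return open(hash(shared)[:16], env[65:])
}

// disperse is the patent's key dispersion: a 16-byte per-device master key from the
// server root key and the serial-number hash. Assumption of this example: the same
// dispersed key was provisioned into the terminal, and both proofs are bound to it.
func disperse(rootKey, serialHash []byte) []byte {
	m := hmac.New(sha256.New, rootKey)
	m.Write(serialHash)
	return m.Sum(nil)[:16]
}

const (
	Honest           = iota
	ServerImpostor   // holds pk_T and the serial number, not the root key
	TerminalImpostor // holds the serial number, was never provisioned with the dispersed key
)

// MutualAuth runs both sides of the exchange in one function so every message is
// visible, and reports whether the terminal accepted the server and vice versa.
func MutualAuth(serial string, rootKey []byte, attack int) (terminalOK, serverOK bool, err error) {
	sn := []byte(serial)
	termMK := disperse(rootKey, hash(sn)) // provisioned into the terminal beforehand
	if attack == TerminalImpostor {
		termMK = make([]byte, 16)
	}
	if attack == ServerImpostor {
		rootKey = []byte("not-the-root-key")
	}
	// S1310: terminal hashes the serial number, makes a fresh keypair, sends pk_T and the hash.
	skT := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	pkT, serialHash := &skT.PublicKey, hash(sn)
	// S1321: server draws session key K and R1 and sends them encrypted to pk_T.
	kr := make([]byte, 32)
	must(rand.Read(kr))
	k, r1 := kr[:16], kr[16:]
	msg2 := wrapTo(pkT, kr)
	// S1312: terminal recovers K and R1, draws R2, returns Enc_K(R1 || R2).
	tkr, err := unwrapWith(skT, msg2)
	if err != nil {
		return
	}
	tk, tr1 := tkr[:16], tkr[16:]
	r2 := make([]byte, 16)
	must(rand.Read(r2))
	msg3 := seal(tk, append(append([]byte{}, tr1...), r2...))
	// Server decrypts and insists on its own R1 coming back before going further.
	pt3, err := open(k, msg3)
	if err != nil {
		return
	}
	if len(pt3) != 32 || !hmac.Equal(pt3[:16], r1) {
		return false, false, errors.New("server: R1 not echoed")
	}
	sr2 := pt3[16:]
	// S1322: server disperses MK and proves it holds it: tag_S goes to the terminal under pk_T.
	srvMK := disperse(rootKey, serialHash)
	msg4 := wrapTo(pkT, hash(srvMK, k, r1, sr2, sn, []byte("S")))
	// S1313: terminal recomputes tag_S from its own MK, K, R1, R2 and compares.
	tagS, err := unwrapWith(skT, msg4)
	if err != nil {
		return
	}
	terminalOK = hmac.Equal(tagS, hash(termMK, tk, tr1, r2, sn, []byte("S")))
	if !terminalOK && attack != TerminalImpostor {
		return // an honest terminal refuses the server here; an impostor pushes on regardless
	}
	// Terminal signs tag_T with sk_T (the patent's "encrypt the hash with the private key").
	sig := must(ecdsa.SignASN1(rand.Reader, skT, hash(termMK, tk, tr1, r2, sn, []byte("T"))))
	// S1323: server verifies the signature under pk_T against its own tag_T.
	serverOK = ecdsa.VerifyASN1(pkT, hash(srvMK, k, r1, sr2, sn, []byte("T")), sig)
	return
}

func main() {
	for _, a := range []int{Honest, ServerImpostor, TerminalImpostor} {
		tOK, sOK, err := MutualAuth("DTU-SZ-0001", []byte("root-key-for-demo"), a)
		fmt.Printf("attack=%d terminal accepts server=%v, server accepts terminal=%v, err=%v\n", a, tOK, sOK, err)
	}
}
```

Running it prints one line per scenario: the honest run is accepted on both sides, the server impostor is refused by the terminal before it can see a signature, and the terminal impostor's signature fails the server's check because its tag was computed without the dispersed key. Note what the dispersed key is doing: pk_T is freshly generated and sent in the clear, so the signature alone only proves that whoever decrypted K also holds the matching private key; it is the provisioned key inside the hash that ties the proof to a specific enrolled terminal.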
The other two modes, unidirectional identity authentication and weak authentication, are comparatively common in the prior art; the weak authentication mode, for example, can be realised with a symmetric-key weak authentication and key negotiation method, whose working principle is prior art and is not described again here.
Therefore, compared with the bidirectional authentication protocol of the prior art, the new bidirectional identity authentication flow of this embodiment further resists illegal attacks, so that the distribution network system is kept from being maliciously broken into and paralysed, and the security of its data interaction is improved.
On the basis of the above embodiments, the security authentication management and control method of this embodiment generates a management and control policy for security authentication between terminal and server from the preset priority information of the terminals and their parameter configuration information; the policy comprises bidirectional identity authentication, unidirectional identity authentication and weak authentication, and the server executes it to complete security authentication with each terminal in whichever mode the policy assigns, so that the information interaction caused by bidirectional identity authentication between the server and the gateway in the security authentication stage is reduced, and the burden on the server is lightened.
In one embodiment, a management and control policy for performing security authentication between the terminal and the server is generated according to the standard information and the parameter configuration information, specifically:
determining type information of the terminal according to the parameter configuration information, wherein the type information comprises a control terminal, a monitoring terminal and an auxiliary terminal;
generating a priority level of the terminal according to the priority information and the type information;
and selecting an authentication mode corresponding to the control strategy according to the arrangement information of the priority level to realize the security authentication between the terminal and the server.
Specifically, in this embodiment, the control terminals include switchgear cabinets, ring main units, box-type substations, circuit breakers, disconnectors, load switches and the like; the monitoring terminals include remote signaling and telemetry boards and the like; and the auxiliary terminals include sensing acquisition devices and other auxiliary equipment. All of the terminals enumerated in this embodiment are intelligent devices present in actual power grids today and enable the intelligentization of the grid. In the actual operation of the power grid, the priority information of the terminals is preset based on the importance of the terminals corresponding to each type of information at the grid node, and each terminal is matched to the priority information of its type, so that the priority level of each terminal is obtained.
In a further embodiment, generating the priority level of the terminal according to the priority information and the type information comprises: sequentially selecting the control terminals, the monitoring terminals and the auxiliary terminals included in the type information according to the order of the priority information, and generating the first priority level of the terminals. As a preferred embodiment, the terminals in the first 40% of the priority ranking undergo bidirectional identity authentication in their corresponding order, and the terminals in the 40% to 85% range of the priority ranking undergo unidirectional identity authentication in their corresponding order; these proportions can, of course, be adjusted appropriately according to actual requirements, and the embodiment is not specifically limited in this respect.
In a further embodiment, the method further comprises: when a plurality of terminals with the same priority level appear, acquiring nodes of the terminals with the same priority level on a transformer substation or a power distribution station, and calculating a fault hazard index of a fault element set generated by the nodes during faults; and generating second priority levels of the terminals with the same priority levels according to the fault hazard indexes of the corresponding nodes of the terminals with the same priority levels.
In this embodiment, when a plurality of terminals with the same priority level appear, it is considered how to order and divide them so that the authentication mode of each can be further selected, further reducing the operation burden of the server. For example, after the terminals with the same priority level are divided based on the arrangement information, their relative importance within the power distribution station can be obtained from that order, which makes the selection of the security authentication mode more accurate. To that end, this embodiment considers that, when the power network is attacked, failure of the node where a terminal with the same priority level is located may cause a transmission line to fail; power flow then transfers to other transmission lines and forms a cascading failure, which yields a fault element set describing the fault propagation along the transmission lines. In this embodiment, a hazard degree function and an indicator function of the transmission line failure are calculated from the active power of the neighbouring lines and the transmission margin of the neighbouring lines; the fault hazard index is then obtained from the indicator function and the hazard degree function of the node fault. Specifically, the magnitude of the fault hazard index of the node corresponding to each terminal with the same priority level is calculated as the product of the hazard degree function and the indicator function, and the second priority level of those terminals is determined from it.
Similarly, the second priority level is divided in a percentage manner based on the same principle as the above embodiment, so that the selection of the secure authentication mode between the terminal and the server is facilitated.
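An added example (not the patent's code) of the ranking and mode selection described in the embodiments above: the first priority level follows the type order, ties are broken by a fault hazard index computed as the product of a hazard degree function and an indicator function, and the 40% and 85% cut points pick the authentication mode. The terminal records are constructed sample data, and the concrete forms of the hazard degree and indicator functions are assumptions (the page only names their inputs: active power and transmission margin of the neighbouring lines).

```python
"""Priority-ranked authentication policy (constructed example)."""
from dataclasses import dataclass

# Order of the preset priority information: control before monitoring before auxiliary (page)
TYPE_RANK = {"control": 0, "monitoring": 1, "auxiliary": 2}


@dataclass
class Terminal:
    terminal_id: str
    type_info: str         # "control", "monitoring" or "auxiliary"
    node: str              # substation / distribution station node the terminal sits on
    neighbour_lines: list  # constructed: [(active_power_mw, transmission_margin_mw), ...]


def indicator(term: Terminal) -> int:
    """Assumed indicator function: 1 if a neighbouring line would exceed its transmission
    margin after power-flow transfer (a cascading failure), else 0."""
    return 1 if any(p > m for p, m in term.neighbour_lines) else 0


def hazard_degree(term: Terminal) -> float:
    """Assumed hazard degree function: total active power carried by the neighbouring lines."""
    return float(sum(p for p, _ in term.neighbour_lines))


def fault_hazard_index(term: Terminal) -> float:
    # Page: the index is the product of the hazard degree function and the indicator function
    return hazard_degree(term) * indicator(term)


def rank_terminals(terminals):
    """First priority level from the type order; second priority level (tie-break inside a
    level) from the fault hazard index, larger index first; terminal_id keeps the sort stable."""
    return sorted(terminals,
                  key=lambda t: (TYPE_RANK[t.type_info], -fault_hazard_index(t), t.terminal_id))


def assign_modes(terminals, bidir_share=0.40, unidir_share=0.85):
    """Map each terminal to an authentication mode by its position in the ranking:
    first 40% bidirectional, 40% to 85% unidirectional (cut points from the page)."""
    ranked = rank_terminals(terminals)
    n = len(ranked)
    policy = {}
    for pos, term in enumerate(ranked, start=1):
        share = pos / n
        if share <= bidir_share:
            policy[term.terminal_id] = "bidirectional"
        elif share <= unidir_share:
            policy[term.terminal_id] = "unidirectional"
        else:
            # the page fixes no mode for the remaining share; left for the operator
            policy[term.terminal_id] = "unassigned"
    return policy


# Constructed sample: four control, three monitoring and three auxiliary terminals
SAMPLE_TERMINALS = [
    Terminal("C1", "control", "N1", [(80, 100), (50, 60)]),   # no overload -> index 0
    Terminal("C2", "control", "N2", [(120, 100), (30, 50)]),  # overload -> index 150
    Terminal("C3", "control", "N3", [(90, 80)]),              # overload -> index 90
    Terminal("C4", "control", "N4", [(10, 100)]),             # no overload -> index 0
    Terminal("M1", "monitoring", "N2", [(70, 60)]),           # index 70
    Terminal("M2", "monitoring", "N5", [(20, 50)]),           # index 0
    Terminal("M3", "monitoring", "N6", [(65, 60), (40, 30)]), # index 105
    Terminal("A1", "auxiliary", "N1", [(5, 10)]),             # index 0
    Terminal("A2", "auxiliary", "N7", [(30, 20)]),            # index 30
    Terminal("A3", "auxiliary", "N8", [(1, 10)]),             # index 0
]

if __name__ == "__main__":
    for tid, mode in assign_modes(SAMPLE_TERMINALS).items():
        print(tid, mode)
```

With this sample the ranking is C2, C3, C1, C4, M3, M1, M2, A2, A1, A3: the four control terminals fall in the first 40% and get bidirectional authentication, the next four get unidirectional authentication, and the last two are left for the operator to place.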
In one embodiment, the method further comprises:
presetting identification information of a terminal for weak authentication on a server;
and when the identification information is consistent with the parameter configuration information, the server and the corresponding terminal execute security authentication in a weak authentication mode.
Specifically, this embodiment further considers the importance division of terminals in a transformer substation or power distribution station. Terminals such as a video monitoring system, a lighting control terminal or a voice terminal only need to log in and be authenticated in order to have their operation state controlled; even if they are attacked over the network or impersonated, they will not cause substantial damage to the operation of the power grid. Therefore, in this embodiment of the present application, identification information of the terminals that do not perform security authentication is preset on the server. It can be understood that the identification information is obtained by combining the area information, number information, model information and the like of the corresponding terminal, and its data format may be a character string. When the identification information and the parameter configuration information are consistent, the authentication link is skipped directly and the operation state of the terminal can be controlled after a simple login, which further reduces the operation burden of the server.
In one embodiment, the method further comprises:
acquiring historical authentication request information for carrying out security authentication on a terminal equipped with the power distribution network;
and verifying the management and control strategy between the terminal and the server in the current time period according to the historical authentication request information, and generating alarm information when the verification fails.
Specifically, this embodiment considers that a third party may impersonate the terminal or the server during security authentication and launch network attacks and malicious damage against the power distribution automation system, so that the power distribution protection system cannot operate safely and stably. Therefore, in this embodiment, the historical authentication request information of the terminal is used as the standard: the authentication mode with the largest number of occurrences is screened out and used as the mainstream authentication mode of the terminal, for example unidirectional identity authentication. If a third party impersonating the terminal then requests bidirectional identity authentication, this indicates that the terminal has a potential safety hazard, alarm information is generated, and the server responds to the alarm information by stopping authentication. In this embodiment, the server performs statistical analysis on the historical authentication conditions of the terminal to confirm the authenticity of the terminal and ensure security in the information interaction process.
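An added example (not the patent's code) covering the two embodiments above: the weak-authentication preset, where a terminal whose identification string matches the server's table overrides the ranking-derived mode, and the history check, where the mode with the most occurrences in the current time period is the terminal's mainstream mode and a request in a different mode fails verification and raises an alarm. The identification format `area-number-model`, the record layout and the timestamps are constructed assumptions; the page states only that the identification combines area, number and model information and may be a character string.

```python
"""Weak-authentication preset and history-based policy verification (constructed example)."""
from collections import Counter

# Preset on the server (constructed sample identifications in the assumed area-number-model form)
WEAK_AUTH_IDS = {"AREA03-0042-VID200", "AREA03-0043-LIGHT1"}


def identification(area: str, number: str, model: str) -> str:
    """Assumed string format combining the area, number and model information."""
    return f"{area}-{number}-{model}"


def resolve_mode(policy_mode, area, number, model, weak_ids=WEAK_AUTH_IDS):
    """Weak authentication applies when the terminal's identification (built from its
    parameter configuration) matches the preset table; otherwise keep the policy's mode."""
    if identification(area, number, model) in weak_ids:
        return "weak"
    return policy_mode


def terminal_history(records, terminal_id, since):
    """Authentication requests of one terminal within the current time period."""
    return [r for r in records if r["terminal"] == terminal_id and r["ts"] >= since]


def mainstream_mode(history):
    """Authentication mode with the largest number of occurrences, or None with no history."""
    if not history:
        return None
    return Counter(r["mode"] for r in history).most_common(1)[0][0]


def verify_policy(records, terminal_id, since, requested_mode):
    """Returns (ok, alarm). A request whose mode departs from the terminal's mainstream
    mode (e.g. bidirectional where unidirectional is the norm) fails verification, and the
    alarm text tells the server to stop authentication."""
    baseline = mainstream_mode(terminal_history(records, terminal_id, since))
    if baseline is None or requested_mode == baseline:
        return True, None
    return False, (f"terminal {terminal_id}: requested {requested_mode}, "
                   f"mainstream mode {baseline}; stop authentication")


# Constructed sample history; ts are constructed epoch seconds
PERIOD_START = 1_700_000_000
SAMPLE_RECORDS = [
    {"terminal": "TERM-07", "mode": "unidirectional", "ts": PERIOD_START + i * 3600}
    for i in range(9)
]
SAMPLE_RECORDS.append({"terminal": "TERM-07", "mode": "bidirectional", "ts": PERIOD_START + 7200})
SAMPLE_RECORDS.append({"terminal": "TERM-08", "mode": "bidirectional", "ts": PERIOD_START})

if __name__ == "__main__":
    print(resolve_mode("unidirectional", "AREA03", "0042", "VID200"))
    print(verify_policy(SAMPLE_RECORDS, "TERM-07", PERIOD_START, "bidirectional"))
```

A terminal with no history in the period passes verification here because there is no baseline to compare against; an operator may prefer to treat that case as an alarm as well.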
Based on the same inventive concept, as shown in fig. 2, fig. 2 is a schematic block diagram of a security authentication management and control device provided in an embodiment of the present application, where the device is applied to a server, and the device includes:
a preset module 210, configured to preset standard information of the terminal on the server, where the standard information represents priority information of the terminal;
an obtaining module 220, configured to obtain parameter configuration information of terminals equipped in the substation and the distribution substation;
the management and control module 230 is configured to receive the parameter configuration information, generate a management and control policy for performing security authentication between the terminal and the server according to the standard information and the parameter configuration information, where the management and control policy includes performing bidirectional identity authentication, performing unidirectional identity authentication, and performing weak authentication, and correspondingly, the server executes the management and control policy to perform security authentication with the terminal in any one of three authentication modes of bidirectional identity authentication, unidirectional identity authentication, and weak authentication, where the bidirectional identity authentication is a one-time password authentication protocol based on SM2, SM3, SM4 encryption algorithm, and hash value combination.
Embodiments of the present application provide a computer readable medium having a computer program stored thereon, wherein the program, when executed by a processor, implements a security authentication management method described in the above method embodiments.
The embodiment of the application also provides a server, which comprises: one or more processors; a storage device having one or more programs stored thereon; the one or more programs, when executed by the one or more processors, cause the one or more processors to implement a method of controlling security authentication as described in the method embodiments above.
It should be noted that, the security authentication management and control device provided in the foregoing embodiments may be a chip, a component or a module, and the security authentication management and control device may include a processor and a memory, where the preset module 210, the obtaining module 220, the management and control module 230, and the like are all stored as program units, and the processor executes the program units stored in the memory to implement corresponding functions.
The processor may comprise one or more cores, from which the corresponding program unit is fetched. The storage device may comprise volatile memory in a computer readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM); the storage device comprises at least one memory chip.
The foregoing description of the embodiments has been provided to illustrate the general principles of the invention and is not intended to limit the scope of the invention to the particular embodiments; any modifications, equivalents, improvements and the like that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (10)

1. The security authentication control method is characterized by being applied to a server, and comprises the following steps:
presetting standard information of a terminal on a server, wherein the standard information represents priority information of the terminal;
acquiring parameter configuration information of terminals equipped in a transformer substation and a power distribution station;
the server receives the parameter configuration information, and generates a management and control strategy for carrying out security authentication between the terminal and the server according to the standard information and the parameter configuration information, wherein the management and control strategy comprises two-way identity authentication, one-way identity authentication and weak authentication, and correspondingly, the server executes the management and control strategy to complete the security authentication with the terminal in any one of three authentication modes of two-way identity authentication, one-way identity authentication and weak authentication, wherein the two-way identity authentication is a one-time password authentication protocol based on SM2, SM3 and SM4 encryption algorithms and hash value combination.
2. The security authentication control method according to claim 1, wherein a security authentication control policy between the terminal and the server is generated according to the standard information and the parameter configuration information, specifically:
determining type information of the terminal according to the parameter configuration information, wherein the type information comprises a control terminal, a monitoring terminal and an auxiliary terminal;
generating a priority level of the terminal according to the priority information and the type information;
and selecting an authentication mode corresponding to the control strategy according to the arrangement information of the priority level to realize the security authentication between the terminal and the server.
3. The security authentication management method according to claim 2, wherein the generating a priority level of a terminal according to the priority information and the type information includes:
and sequentially selecting the control terminal, the monitoring terminal and the auxiliary terminal included in the type information according to the sequence of the priority information, and generating a first priority level of the terminal.
4. A method of controlling security authentication according to claim 3, the method further comprising:
when a plurality of terminals with the same priority level appear, acquiring nodes of the terminals with the same priority level on a transformer substation or a power distribution station, and calculating a fault hazard index of a fault element set generated by the nodes during faults;
and generating second priority levels of the terminals with the same priority levels according to the fault hazard indexes of the corresponding nodes of the terminals with the same priority levels.
5. The method of claim 4, wherein the fault hazard index is derived from an indicator function and a hazard level function of the node fault.
6. The method of security authentication management according to claim 1, further comprising:
presetting identification information of a terminal for weak authentication on a server;
and when the identification information is consistent with the parameter configuration information, the server and the corresponding terminal execute security authentication in a weak authentication mode.
7. The method of security authentication management according to claim 1, further comprising:
acquiring historical authentication request information for carrying out security authentication on a terminal equipped with the power distribution network;
and verifying the management and control strategy between the terminal and the server in the current time period according to the historical authentication request information, and generating alarm information when the verification fails.
8. A security authentication management and control device, which is applied to a server, the device comprising:
a preset module, configured to preset standard information of the terminal on the server, wherein the standard information represents priority information of the terminal;
the acquisition module is used for acquiring parameter configuration information of terminals equipped in the transformer substation and the power distribution station;
the management and control module is used for receiving the parameter configuration information by the server and generating a management and control strategy for carrying out security authentication between the terminal and the server according to the standard information and the parameter configuration information, wherein the management and control strategy comprises two-way identity authentication, one-way identity authentication and weak authentication, and correspondingly, the server executes the management and control strategy to complete the security authentication with the terminal by any one of three authentication modes of two-way identity authentication, one-way identity authentication and weak authentication, wherein the two-way identity authentication is a one-time password authentication protocol based on SM2, SM3 and SM4 encryption algorithms and hash value combination.
9. A computer readable medium, characterized in that a computer program is stored thereon, wherein the program, when executed by a processor, implements the method according to any of claims 1 to 7.
10. A server, comprising: one or more processors; a storage device having one or more programs stored thereon; the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-7.
CN202310227510.1A 2023-02-27 2023-02-27 Security authentication management and control method, device, medium and server Pending CN116208421A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310227510.1A CN116208421A (en) 2023-02-27 2023-02-27 Security authentication management and control method, device, medium and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310227510.1A CN116208421A (en) 2023-02-27 2023-02-27 Security authentication management and control method, device, medium and server

Publications (1)

Publication Number Publication Date
CN116208421A true CN116208421A (en) 2023-06-02

Family

ID=86509346

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310227510.1A Pending CN116208421A (en) 2023-02-27 2023-02-27 Security authentication management and control method, device, medium and server

Country Status (1)

Country Link
CN (1) CN116208421A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117874773A (en) * 2024-03-12 2024-04-12 麒麟软件有限公司 Operating system safe starting method and device based on safety level control strategy


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination