Disclosure of Invention
Aiming at the problems that the quantum encryption platform has a single point of security risk in part of its node equipment and that the security level of county-level communication is low, the invention provides a power distribution automation protection method based on quantum encryption.
In a first aspect, a technical solution provided in an embodiment of the present invention is a power distribution automation protection method based on quantum encryption, which is applicable to a power distribution network, where the power distribution network includes a power distribution master station, a power distribution substation and a quantum security service platform, the power distribution substation includes a quantum key filling substation, and the method includes the following steps:
performing built-in isolation reinforcement and redundant deployment of key node equipment on the quantum security service platform;
establishing a first secret communication channel between the power distribution master station and the quantum security service platform and a second secret communication channel between the power distribution master station and the power distribution substation, wherein the first secret communication channel comprises a security access gateway;
if the power distribution terminal initiates a data request, acquiring a session key through the quantum security service platform, acquiring a quantum key based on the session key to encrypt data, and filling the session key into the quantum key filling substation of the power distribution substation through the second secret communication channel;
and decrypting the data through the security access gateway and transmitting the decrypted service data to the power distribution master station.
Optionally, the quantum security service platform includes an original quantum security service module, the original quantum security service module includes a quantum key generation module, a quantum key scheduling module, a quantum key application module and a quantum network management module that are in communication connection, and performing the built-in isolation reinforcement on the quantum security service platform includes:
the quantum key generation module, the quantum key scheduling module, the quantum key application module and the quantum network management module are subjected to forward and reverse isolation reinforcement, the quantum key generation module is connected with the power distribution terminal through a first communication connection end, and the data request is sent to the quantum key generation module through a first signal connection end.
Optionally, the performing redundant deployment of the key node device on the quantum security service platform includes:
based on the original quantum security service module, a quantum cryptographic service engine mirror device, a first quantum key service mirror device, a second quantum key service mirror device and a forward and reverse security isolation device are deployed, where the quantum cryptographic service engine mirror device is connected with the forward and reverse security isolation device through a second communication connection end, the forward and reverse security isolation device is connected with one end of each of the first quantum key service mirror device and the second quantum key service mirror device through a third communication connection end, and the other ends of the first quantum key service mirror device and the second quantum key service mirror device are connected with a fourth communication connection end, which is connected to the security access gateway.
Optionally, the quantum key generation module includes a single-sending quantum key generation and management terminal, a single-receiving quantum key generation and management terminal, and a quantum random number generator, where acquiring the session key through the quantum security service platform and acquiring the quantum key based on the session key for data encryption includes:
if any communication connection end receives a data request sent by the power distribution terminal, generating a quantum random number through the quantum random number generator, and generating a session key through the single-sending quantum key generation and management terminal and the single-receiving quantum key generation and management terminal;
and the quantum key scheduling module generates the quantum key according to the session key and the quantum random number, and encrypts service data contained in a data request through the quantum key.
Optionally, the quantum key scheduling module includes an exchange cipher machine, a quantum cipher service engine device and a quantum key filling device, where encrypting the service data included in the data request through the quantum key includes:
encrypting the service data through the exchange cipher machine and distributing the quantum key to the quantum cipher service engine device;
distributing, by the quantum cipher service engine device according to a preset scheduling negotiation rule, the quantum key to the quantum key application module, and filling the quantum key through the quantum key filling device;
and if the quantum cipher service engine device detects an abnormal event, distributing the quantum key to the quantum key application module through the quantum cipher service engine mirror device according to the preset scheduling negotiation rule.
Optionally, the quantum network management module includes a quantum network management database server and a quantum network management service server which are in communication connection, and in the process of quantum encryption, the running states of the quantum key generation module, the quantum key scheduling module and the quantum key application module are managed and monitored by the quantum network management database server and the quantum network management service server.
Optionally, the security access gateway includes a quantum security access gateway disposed on the quantum security service platform side and a distribution network security access gateway disposed on the power distribution master station side, the two being communicatively connected, where decrypting the data through the security access gateway and sending the decrypted service data to the power distribution master station includes:
transmitting the service data in encrypted form between the quantum security access gateway and the distribution network security access gateway, decrypting the service data at the distribution network security access gateway on the power distribution master station side, and transmitting the decrypted service data to the power distribution master station.
Optionally, the second secret communication channel includes a first quantum key transmission device communicatively connected with the power distribution master station and the quantum security service platform, and a second quantum key transmission device disposed in the power distribution substation and in secret communication with the first quantum key transmission device, where the second quantum key transmission device communicates with the quantum key filling substation and the power distribution equipment in the power distribution substation, and the first and second quantum key transmission devices are used both for communication between the power distribution master station and the power distribution substation and for filling the quantum key filling substation with keys from the quantum key filling device.
In a second aspect, a technical solution provided in an embodiment of the present invention is a quantum encryption-based power distribution automation protection system, configured to execute the quantum encryption-based power distribution automation protection method according to any one of the embodiments, where the system includes:
the quantum security service platform deployment module is used for carrying out built-in isolation reinforcement and redundant deployment of key node equipment on the quantum security service platform;
the channel establishing module is used for establishing a first secret communication channel between the power distribution master station and the quantum security service platform and a second secret communication channel between the power distribution master station and the power distribution substation, wherein the first secret communication channel comprises a security access gateway;
the key acquisition module is used for, if the power distribution terminal initiates a data request, acquiring a session key through the quantum security service platform, encrypting data based on the session key, and filling the session key into the quantum key filling substation of the power distribution substation through the second secret communication channel;
and the master station data transmission module is used for decrypting the data through the security access gateway and transmitting the decrypted service data to the power distribution master station.
Optionally, the quantum security service platform includes an original quantum security service module, the original quantum security service module includes a quantum key generation module, a quantum key scheduling module, a quantum key application module and a quantum network management module which are in communication connection, the quantum security service platform is subjected to built-in isolation reinforcement, and the quantum security service platform deployment module is specifically used for:
the quantum key generation module, the quantum key scheduling module, the quantum key application module and the quantum network management module are subjected to forward and reverse isolation reinforcement, the quantum key generation module is connected with the power distribution terminal through a first communication connection end, and the data request is sent to the quantum key generation module through a first signal connection end.
The invention has the following beneficial effects. The quantum security service platform is internally isolated and reinforced, so that forward and reverse physical isolation is realized and the security protection level of the platform is improved. Key node equipment of the quantum security service platform is deployed redundantly, so that a key node device can be replaced when it becomes abnormal and stable operation of the system is ensured. In addition, by establishing the first secret communication channel and the second secret communication channel, a data request initiated by the power distribution terminal during power distribution can be transmitted in encrypted form over the first secret communication channel, ensuring the security of the encrypted transmission, and encrypted transmission between the power distribution master station and the power distribution substation is realized over the second secret communication channel, enhancing the security of data transmission. The quantum security service platform can also fill keys into the quantum key filling substation of the power distribution substation over the second secret communication channel, so that data encryption and decryption can be carried out conveniently within the substation and localized management is realized. Therefore, the invention enhances the security of the quantum encryption platform, ensures stable operation of the system, improves the security of county-level communication and realizes localized management.
The foregoing is merely an overview of the technical solution of the present invention. In order that the technical means of the present invention may be more clearly understood and implemented in accordance with the contents of the description, and in order that the above and other objects, features and advantages of the present invention may be more fully understood, the detailed description of the present invention is given below.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings and examples, it being understood that the detailed description herein is merely a preferred embodiment of the present invention, which is intended to illustrate the present invention, and not to limit the scope of the invention, as all other embodiments obtained by those skilled in the art without making any inventive effort fall within the scope of the present invention.
Before discussing the exemplary embodiments in more detail, it should be mentioned that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart depicts operations (or steps) as a sequential process, many of the operations (or steps) can be performed in parallel, concurrently, or at the same time. Furthermore, the order of the operations may be rearranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figures; the processes may correspond to methods, functions, procedures, subroutines, and the like.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. It should also be understood that, in various embodiments of the present invention, the sequence number of each process does not mean the order of execution, and the order of execution of each process should be determined by its functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
It should be understood that in the present invention, "plurality" means two or more. "and/or" merely describes an association relationship between objects and indicates that three relationships may exist; for example, "A and/or B" may represent: A exists alone, A and B exist together, or B exists alone. The character "/" generally indicates that the associated objects are in an "or" relationship. "comprising A, B and C" and "comprising A, B, C" mean that all three of A, B and C are comprised; "comprising A, B or C" means that one of A, B and C is comprised; and "comprising A, B and/or C" means that any one, any two or all three of A, B and C are comprised.
It should be understood that in the present invention, "B corresponding to A" or "A corresponding to B" means that B is associated with A and B can be determined from A. Determining B from A does not mean that B is determined from A alone; B may also be determined from A and/or other information. A matches B when the similarity between A and B is greater than or equal to a preset threshold.
Example 1
As shown in fig. 1, a flowchart of a power distribution automation protection method based on quantum encryption is provided in this embodiment. The power distribution automation protection method based on quantum encryption includes the following steps:
S1, performing built-in isolation reinforcement and redundant deployment of key node equipment on the quantum security service platform;
S2, establishing a first secret communication channel between the power distribution master station and the quantum security service platform and a second secret communication channel between the power distribution master station and the power distribution substation, wherein the first secret communication channel comprises a security access gateway;
S3, if the power distribution terminal initiates a data request, acquiring a session key through the quantum security service platform, acquiring a quantum key based on the session key to encrypt data, and filling the session key into the quantum key filling substation of the power distribution substation through the second secret communication channel;
S4, decrypting the data through the security access gateway, and sending the decrypted service data to the power distribution master station.
Specifically, the quantum encryption-based power distribution automation protection method provided by the embodiment of the invention is applicable to a power distribution network, and the power distribution network may include a power distribution master station, a power distribution substation and a quantum security service platform, where the quantum key filling substation is deployed in the power distribution substation. The power distribution master station may be a municipal power distribution automation master station, and the power distribution substation may be a county workstation. The power distribution terminal (Feeder Terminal Unit, FTU) can be communicatively connected to the power distribution master station through the quantum security service platform: a data request sent by the terminal is encrypted by the quantum security service platform and then uploaded to the master station, thereby realizing communication with the master station. Similarly, the power distribution master station can have an issued command encrypted by the quantum security service platform before the command is delivered to the power distribution terminal. The data request may include, but is not limited to, a fault check request, a monitoring data upload request, etc.; the commands include, but are not limited to, adjusting and controlling the power distribution terminal, achieving fault location, fault isolation, and the like.
More specifically, the quantum security service platform may refer to a platform that encrypts and decrypts data transmitted between the power distribution terminal and the power distribution master station by means of quantum encryption technology, where quantum encryption technology is a series of techniques that use quantum principles to generate keys and use those keys to encrypt plaintext, decrypt ciphertext, transmit ciphertext, resist eavesdropping, and the like. The quantum security service platform includes built-in devices for quantum key generation, encryption and decryption, key distribution and so on; in order to strengthen the security protection level of these built-in devices, risk isolation reinforcement can be applied to them through risk isolation techniques, for example by the forward and reverse isolation technology used in network security measures. The key nodes may include necessary devices with a large operation volume in the quantum security service platform, for example the quantum cryptographic service engine device, the quantum key service device, etc. In this embodiment, in order to avoid unstable system operation caused by downtime of a key node, at least one set of key node redundancy equipment may be newly deployed in the quantum security service platform; when a key node device goes down, the system can switch to the key node redundancy equipment to continue providing normal service, so that normal operation of the system is ensured.
More specifically, the first secret communication channel may be a channel for secure data transmission between the quantum security service platform and the power distribution master station, and the second secret communication channel may be a channel for secure data transmission between the power distribution master station and the power distribution substation. Specifically, encrypted communication between the quantum security service platform and the power distribution master station can be realized based on the security access gateway, and encrypted communication between the power distribution master station and the power distribution substation can be realized by arranging encryption transmission devices. The security access gateway can serve as the entrance device of the network: it establishes a secure encrypted tunnel between the quantum security service platform and the power distribution master station, completes identity authentication and protocol conversion, and realizes encrypted data transmission between the quantum security service platform and the power distribution master station.
More specifically, when the power distribution terminal initiates a data request, a session key is output in the quantum security service platform, and the service data in the data request is encrypted with a quantum key acquired based on the session key. Meanwhile, the second secret communication channel can be used for communication between the quantum security service platform and the power distribution substation and for filling the session key into the quantum key filling substation deployed in the power distribution substation. When encrypted data transmission is then carried out between the power distribution master station and the power distribution substation, the session key can be acquired directly from the quantum key filling substation and need not be fetched from the quantum security service platform on the master station side; the session key is thus sunk to the county level, localized management is realized, working efficiency is improved, and county-level access to quantum secret communication is realized at the same time. Each request corresponds to one quantum key, following one-time-pad encryption: the key is at least as long as the service data it protects and is used exactly once, since a reused pad exposes the XOR of the two plaintexts. The encrypted service data can be decrypted at the security access gateway on the power distribution master station side and the decrypted service data sent to the power distribution master station, which can then respond to the data request, for example: if the service data reports a high-temperature fault at point A, the master station issues a control instruction to cut off point A.
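The following is an added example, not code from the patent, that simulates steps S3 and S4 for one FTU data request: the platform issues one fresh quantum key per request, the service data is one-time-pad encrypted, the key is filled into the county substation's store over the second secret channel, and the security access gateway decrypts and refuses any second use of the same key. The patent does not specify how the quantum key is derived from the session key and the quantum random number, nor the key store's form; the XOR derivation, the CSPRNG stand-in for the QKD terminals and QRNG, the dict-based store and all names below are assumptions for illustration.

```python
"""Added example, not code from the patent: a minimal simulation of steps S3
and S4 for one power distribution terminal (FTU) data request.

Assumptions, none of which the patent specifies: the QKD terminals and the
quantum random number generator are both modelled with the OS CSPRNG; the
quantum key is derived by XOR-ing the session key with the quantum random
number; encryption is a one-time pad (XOR) with one fresh key per request;
the substation's quantum key filling store is a plain dict keyed by key id.
"""
import secrets
from dataclasses import dataclass, field


def otp(data: bytes, key: bytes) -> bytes:
    """One-time pad: XOR byte by byte. Refuses a key that is not exactly data length."""
    if len(key) != len(data):
        raise ValueError("one-time-pad key length must equal data length")
    return bytes(d ^ k for d, k in zip(data, key))


@dataclass
class QuantumSecurityServicePlatform:
    """Models the quantum key generation and quantum key scheduling modules."""
    issued: dict = field(default_factory=dict)   # key_id -> quantum key bytes

    @staticmethod
    def _qrng(n: int) -> bytes:
        # Stand-in for the quantum random number generator (assumption: CSPRNG).
        return secrets.token_bytes(n)

    def issue_quantum_key(self, length: int):
        """S3: session key from the single-sending/single-receiving terminals
        (modelled), quantum random number from the QRNG, quantum key scheduled
        from both. Every request gets its own key id and its own key."""
        session_key = self._qrng(length)
        quantum_random_number = self._qrng(length)
        quantum_key = otp(session_key, quantum_random_number)  # XOR combination is an assumption
        key_id = secrets.token_hex(8)
        self.issued[key_id] = quantum_key
        return key_id, quantum_key

    def fill_substation(self, key_id: str, substation_store: dict) -> None:
        """Key filling over the second secret channel: the county substation
        keeps its own copy so it need not ask the platform again."""
        substation_store[key_id] = self.issued[key_id]


class SecureAccessGateway:
    """S4: decrypts on the master-station side and consumes each key exactly once."""

    def __init__(self, platform: QuantumSecurityServicePlatform):
        self.platform = platform
        self.consumed = set()

    def decrypt(self, key_id: str, ciphertext: bytes) -> bytes:
        if key_id in self.consumed:
            raise PermissionError(f"key {key_id} already used; one-time-pad reuse refused")
        key = self.platform.issued.get(key_id)
        if key is None:
            raise KeyError(f"unknown key id {key_id}")
        self.consumed.add(key_id)
        return otp(ciphertext, key)


def terminal_request(platform, gateway, substation_store, service_data: bytes):
    """Whole path of one FTU request: key issue, encrypt, fill the substation,
    decrypt at the gateway. Returns (key_id, ciphertext, recovered plaintext)."""
    key_id, quantum_key = platform.issue_quantum_key(len(service_data))
    ciphertext = otp(service_data, quantum_key)
    platform.fill_substation(key_id, substation_store)
    plaintext = gateway.decrypt(key_id, ciphertext)
    return key_id, ciphertext, plaintext


if __name__ == "__main__":
    platform = QuantumSecurityServicePlatform()
    gateway = SecureAccessGateway(platform)
    county_store = {}
    # Constructed sample service data, not taken from any real FTU.
    kid, ct, pt = terminal_request(platform, gateway, county_store,
                                   b"FTU-17: over-temperature at point A")
    print(kid, ct.hex(), pt)
```

Two checks in this model are the ones a practitioner would insist on for a one-time pad: the key length equals the data length, and a key id is consumed on first decryption so that a replayed or duplicated ciphertext cannot be decrypted under the same pad. A pad gives confidentiality only; the patent does not describe an integrity mechanism, so a deployment would pair the ciphertext with an authentication tag under a separate key.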
In the embodiment of the invention, the quantum security service platform is internally isolated and reinforced, so that forward and reverse physical isolation is realized and the security protection level of the platform is improved; key node equipment of the quantum security service platform is deployed redundantly, so that a key node device can be replaced when it becomes abnormal and stable operation of the system is ensured; during power distribution, a data request initiated by the power distribution terminal can be transmitted in encrypted form over the first secret communication channel, ensuring the security of the encrypted transmission, and encrypted transmission between the power distribution master station and the power distribution substation is realized over the second secret communication channel, enhancing the security of data transmission; and the quantum security service platform can fill keys into the quantum key filling substation of the power distribution substation over the second secret communication channel, so that data encryption and decryption can be carried out conveniently within the substation and localized management is realized. Therefore, the invention enhances the security of the quantum encryption platform, ensures stable operation of the system, improves the security of county-level communication and realizes localized management.
In this embodiment, the quantum security service platform includes an original quantum security service module, where the original quantum security service module includes a quantum key generation module, a quantum key scheduling module, a quantum key application module and a quantum network management module that are in communication connection, and in step S1, performing built-in isolation reinforcement on the quantum security service platform includes:
the quantum key generation module, the quantum key scheduling module, the quantum key application module and the quantum network management module are subjected to forward and reverse isolation reinforcement, the quantum key generation module is connected with the power distribution terminal through a first communication connection end, and the data request is sent to the quantum key generation module through a first signal connection end.
Specifically, the original quantum security service module may refer to the basic quantum security service platform; the built-in isolation reinforcement and the redundant deployment of key node equipment in the invention are carried out on top of this basic platform. The quantum key generation module generates quantum keys according to quantum characteristics and provides quantum key support for the quantum key scheduling module and the quantum key application module. The quantum key scheduling module realizes storage and output of quantum keys, negotiation scheduling and session key filling. The quantum key application module uses the quantum keys to construct a quantum secure encrypted transmission channel, such as the first secret communication channel, so as to raise the security level of the 4G/5G transmission channel and ensure that service data can be transmitted securely to a security access area and forwarded to the power distribution master station or other service systems. The security access area comprises a quantum security access area on the quantum security service platform side and a municipal wireless security access area on the power distribution master station side. The quantum network management module realizes network management and monitoring of the running state of the quantum equipment in the quantum security service platform, and the monitored running state provides operation and maintenance support. The first communication connection end may refer to a plurality of switches deployed in the original quantum security service module, where each switch can provide an independent electrical signal path between any two network nodes connected to it, for example Ethernet switches, fabric switches, etc.
In this embodiment, one end of the switch may be connected to the power distribution terminal, and the other end is connected to the quantum key generation module of the original quantum security service module in a communication manner, and after the power distribution terminal sends a data request, data is transmitted to the quantum key generation module through the switch to generate a quantum key.
More specifically, the isolation reinforcement can be realized through forward and reverse isolation reinforcement. Forward and reverse isolation is a network security measure that isolates quantum devices of different security levels from one another and prevents information leakage and attack. It can be achieved in two ways. First, through network topology design, quantum devices of high and low security level are isolated in different physical areas; for example, after the quantum devices in the quantum security service platform are divided according to preset security levels, the quantum key generation module and the quantum key scheduling module are isolated in a primary security area and the quantum key application module is isolated in a secondary security area, the primary security area having a higher security level than the secondary security area. Second, network security equipment performs security detection and filtering on the data so that only legal data is allowed to pass; for example, a firewall or an intrusion detection system is deployed in the original quantum security service module of the quantum security service platform, and when an attacker attempts to enter the quantum security service platform or some quantum device within it, data legality detection is performed by the firewall or intrusion detection system and only legal data is finally allowed through, thereby isolating illegal data.
After the reinforcement based on forward and reverse isolation, even if an attacker successfully enters a low-security-level area in the quantum security service platform, the attacker cannot directly attack the high-security-level quantum equipment, so that the division of the security boundaries of the internal and external networks of the quantum security service platform is realized, and the network security is improved.
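The following added example, not code from the patent, models the two aspects of forward and reverse isolation just described as one policy check: devices are partitioned into the primary and secondary security areas named in the embodiment (the terminal is external), traffic from a higher to a lower area passes only if its message kind is allowlisted, and traffic from a lower to a higher area must additionally pass a payload legality test. The concrete message kinds, the printable-ASCII payload rule, the placement of the network management module in the secondary area and all identifiers are assumptions; the patent names the areas and the filtering principle, not these rules.

```python
"""Added example, not code from the patent: a policy check modelling the
forward and reverse isolation described above. Devices are assigned to the
primary (higher) or secondary (lower) security area as the embodiment
describes; the terminal is external. Which message kinds may cross each
boundary, the payload validation rule and the placement of the network
management module in the secondary area are assumptions for illustration.
"""
from dataclasses import dataclass

PRIMARY, SECONDARY, EXTERNAL = 1, 2, 3   # smaller number = higher security level

ZONE_OF = {
    "quantum_key_generation": PRIMARY,
    "quantum_key_scheduling": PRIMARY,
    "quantum_key_application": SECONDARY,
    "quantum_network_management": SECONDARY,   # assumption
    "power_distribution_terminal": EXTERNAL,
}

# Forward direction (high -> low): allowlisted message kinds per area pair.
FORWARD_ALLOW = {
    (PRIMARY, SECONDARY): {"quantum_key", "status"},
    (SECONDARY, EXTERNAL): {"encrypted_service_data", "status"},
}
# Reverse direction (low -> high): allowlisted kinds, and the payload must also
# pass reverse_payload_legal(). The terminal's data request may reach the key
# generation module (first communication connection end) but nothing else may.
REVERSE_ALLOW = {
    (EXTERNAL, PRIMARY): {"data_request"},
    (EXTERNAL, SECONDARY): {"data_request", "encrypted_service_data"},
    (SECONDARY, PRIMARY): {"key_request", "status"},
}
MAX_REVERSE_PAYLOAD = 256


@dataclass(frozen=True)
class Message:
    src: str
    dst: str
    kind: str
    payload: bytes


def reverse_payload_legal(payload: bytes) -> bool:
    """Reverse crossings carry only short printable-ASCII payloads: no binary
    blobs, control characters or tunnelled protocols (assumed rule)."""
    return len(payload) <= MAX_REVERSE_PAYLOAD and all(32 <= b < 127 for b in payload)


def check(msg: Message):
    """Return (allowed, reason) for one message crossing the isolation device."""
    src_zone, dst_zone = ZONE_OF.get(msg.src), ZONE_OF.get(msg.dst)
    if src_zone is None or dst_zone is None:
        return False, "unknown device"
    if src_zone == dst_zone:
        return True, "same area"
    if src_zone < dst_zone:                       # forward: high -> low
        if msg.kind in FORWARD_ALLOW.get((src_zone, dst_zone), ()):
            return True, "forward allowlist"
        return False, f"forward: kind {msg.kind!r} not allowed"
    if msg.kind not in REVERSE_ALLOW.get((src_zone, dst_zone), ()):   # reverse: low -> high
        return False, f"reverse: kind {msg.kind!r} not allowed"
    if not reverse_payload_legal(msg.payload):
        return False, "reverse: illegal payload"
    return True, "reverse allowlist + payload check"


# Constructed sample traffic (not captured from a real platform).
SAMPLES = [
    Message("power_distribution_terminal", "quantum_key_generation", "data_request", b"FTU-17 fault-check"),
    Message("power_distribution_terminal", "quantum_key_generation", "data_request", b"\x00\x7f\x90 shell"),
    Message("power_distribution_terminal", "quantum_key_scheduling", "config", b"set mode=debug"),
    Message("quantum_key_scheduling", "quantum_key_application", "quantum_key", bytes(16)),
    Message("quantum_key_application", "quantum_key_scheduling", "quantum_key", bytes(16)),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(check(m), m.src, "->", m.dst, m.kind)
```

The point the samples make is the one the paragraph above makes: a foothold in the secondary area (sample 5) or on a terminal (samples 2 and 3) does not translate into reaching the key generation or scheduling devices, because the reverse direction is default-deny by both message kind and content, while the forward direction still lets key material flow down to the application module.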
In this embodiment, in the step S1, the performing redundant deployment of the key node device on the quantum security service platform includes:
based on the original quantum security service module, a quantum cryptographic service engine mirror image device, a first quantum key service mirror image device, a second quantum key service mirror image device and a forward and reverse security isolation device are deployed, the quantum cryptographic service engine mirror image device is connected with the forward and reverse security isolation device through a second communication connection end, the forward and reverse security isolation device is connected with the first quantum key service mirror image device and one end of the second quantum key service mirror image device through a third communication connection end, and the other ends of the first quantum key service mirror image device and the second quantum key service mirror image device are connected with a fourth communication connection end which is connected to the security access gateway.
Specifically, as shown in fig. 2, on the basis of the original quantum security service module, a quantum cryptographic service engine mirror device may be deployed to serve as a standby device of the quantum cryptographic service engine device in the quantum key scheduling module, and a first quantum key service mirror device and a second quantum key service mirror device are deployed to implement quantum key management, where the first quantum key service mirror device and the second quantum key service mirror device serve as standby devices, and when the first quantum key service mirror device is a master device, the second quantum key service mirror device is a standby device; when the second quantum key service mirror device is the main device, the first quantum key service mirror device is the standby device. And at least one forward and reverse safety isolation device is deployed between the first quantum key service mirror device and the second quantum key service mirror device and the quantum cipher service engine mirror device for forward and reverse isolation reinforcement, so that the safety and the protection level of data transmission are enhanced, for example: adding a firewall. The deployed quantum cryptography service engine mirroring device, the first quantum key service mirroring device, the second quantum key service mirroring device and the forward and reverse security isolation device are deployed as 1 set of integral key node redundancy equipment.
More specifically, the second, third and fourth communication connection ends may be service outlets provided for the power distribution terminal, and each communication connection end may include at least one switch. In this embodiment each communication connection end includes two switches; providing a plurality of service outlets implements a disaster recovery function, so that the key application service is not interrupted. The fourth communication connection end is connected to the security access gateway, and a quantum network management proxy server is connected between the third and fourth communication connection ends to perform network management and monitoring of the newly deployed first and second quantum key service mirror devices and similar equipment. By adding and deploying a plurality of switches, more power distribution equipment can be connected and the growing demand for equipment can be met. As the number of power distribution equipment increases, and in order to avoid excessive data requests and a large data processing load during quantum key generation, the quantum cryptographic service engine mirror device, the first and second quantum key service mirror devices and the forward and reverse security isolation device are deployed; this maintains the management and security protection level of quantum key generation, and the auxiliary work of the mirror devices enhances the stability and data processing capacity of the quantum security service platform.
In this embodiment, the quantum key generation module includes a single-transmission quantum key generation and management terminal, a single-reception quantum key generation and management terminal, and a quantum random number generator. In step S3, obtaining the session key through the quantum security service platform and obtaining, based on the session key, the quantum key used for data encryption includes:
if any communication connection end receives a data request sent by the power distribution terminal, generating a quantum random number through the quantum random number generator, and generating a session key through the single-transmission quantum key generation and management terminal and the single-reception quantum key generation and management terminal;
and generating, by the quantum key scheduling module, the quantum key according to the session key and the quantum random number, and encrypting the service data contained in the data request with the quantum key.
Specifically, when any of the switches receives a data request sent by the power distribution terminal, the data request may be transmitted to the quantum key generation module. In this embodiment, two quantum random numbers may be generated for a data request by two quantum random number generators, session keys are output by the single-transmission and single-reception quantum key generation and management terminals respectively, and the generated quantum random numbers and session keys are transmitted to the quantum key scheduling module for quantum key generation and negotiation scheduling; the service data is then encrypted with the generated quantum key. The single-transmission and single-reception quantum key generation and management terminals are managed and monitored through the quantum key management system server.
In this embodiment, the quantum key scheduling module includes an exchange cipher machine, a quantum cryptographic service engine device and a quantum key filling device, and encrypting the service data contained in the data request with the quantum key includes: encrypting the service data through the exchange cipher machine and distributing the quantum key to the quantum cryptographic service engine device;
distributing, by the quantum cryptographic service engine device and according to a preset scheduling negotiation rule, the quantum key to the quantum key application module, and filling the quantum key through the quantum key filling device;
and if an abnormal event is detected on the quantum cryptographic service engine device, distributing the quantum key to the quantum key application module through the quantum cryptographic service engine mirror device according to the preset scheduling negotiation rule.
Specifically, the session key and the quantum random number are transmitted to the exchange cipher machine deployed in the quantum key scheduling module; the exchange cipher machine generates and stores the quantum key according to the session key and the quantum random number, and the generated quantum key is transmitted to the quantum cryptographic service engine device, which schedules and negotiates the quantum key according to the preset scheduling negotiation rule so that the quantum key is distributed to the quantum key application module securely and in order. In this embodiment there are two exchange cipher machines, each interfacing with one quantum random number and one session key, and two quantum key filling devices, which fill the quantum key by means such as a USB key (U-shield) or TF card for use in the quantum key application terminals. Specifically, the quantum key may be output to one quantum key filling device through two cipher switches, while one-time session keys (one key per session) are output to the other quantum key filling device, and the quantum equipment in the quantum key application module is key-filled through the two quantum key filling devices.
More specifically, during operation of the quantum security service platform the key application service of the quantum cryptographic service engine device may suffer an abnormal event, including but not limited to downtime. If the quantum network management module detects that the quantum cryptographic service engine device has an abnormal event, service is switched to the quantum cryptographic service engine mirror device, which provides emergency service; after the quantum cryptographic service engine device recovers, the emergency service is closed and data is synchronized with the quantum cryptographic service engine mirror device. The quantum cryptographic service engine device and its mirror device have the same function of distributing quantum keys according to the preset scheduling negotiation rule.
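The active/standby scheduling just described, as an added example that is not part of the patent: a primary quantum cryptographic service engine and its mirror device distribute keys to two quantum key filling devices under a preset scheduling negotiation rule, the network-management health check fails over to the mirror on downtime, and on recovery the mirror's distribution records are synchronized back before the primary resumes. The device names, the alternate-by-key-ID rule, the in-memory fault model and the refusal to re-issue an already scheduled key ID are assumptions made for the illustration.

```python
# Added example, not the patent's code. Device names, the scheduling rule and
# the fault model are assumptions; the point is failover, fail-back with
# resynchronisation, and never issuing the same quantum key ID twice.
from dataclasses import dataclass, field


class EngineDown(RuntimeError):
    """Raised when a key is scheduled through an engine that is down."""


@dataclass
class KeyFillingDevice:
    """Quantum key filling device: records every key ID it has filled."""
    name: str
    store: dict = field(default_factory=dict)

    def fill(self, key_id: int, key: bytes) -> None:
        if key_id in self.store:
            raise ValueError(f"key {key_id} already filled by {self.name}")
        self.store[key_id] = key


@dataclass
class ServiceEngine:
    """Quantum cryptographic service engine device (primary or mirror)."""
    name: str
    up: bool = True
    log: list = field(default_factory=list)   # (key_id, filling device) records

    def distribute(self, key_id: int, key: bytes, target: KeyFillingDevice) -> tuple:
        if not self.up:
            raise EngineDown(self.name)
        target.fill(key_id, key)
        record = (key_id, target.name)
        self.log.append(record)
        return record


class KeyScheduler:
    """Applies the preset scheduling negotiation rule and handles failover."""

    def __init__(self, primary: ServiceEngine, mirror: ServiceEngine, fillers: list):
        self.primary, self.mirror, self.active = primary, mirror, primary
        self.fillers = fillers
        self.events = []                  # what the network management module observed

    def negotiate(self, key_id: int) -> KeyFillingDevice:
        # assumed rule: alternate between the filling devices by key ID
        return self.fillers[key_id % len(self.fillers)]

    def issued(self) -> set:
        return set(self.primary.log) | set(self.mirror.log)

    def health_check(self) -> None:
        """Network-management probe: switch to the mirror, or back after recovery."""
        if self.active is self.primary and not self.primary.up:
            self.active = self.mirror
            self.events.append("failover-to-mirror")
        elif self.active is self.mirror and self.primary.up:
            self.resync()                 # close emergency service only after sync
            self.active = self.primary
            self.events.append("primary-recovered")

    def resync(self) -> None:
        """Copy records produced during emergency service back to the primary."""
        known = set(self.primary.log)
        for record in self.mirror.log:
            if record not in known:
                self.primary.log.append(record)

    def schedule(self, key_id: int, key: bytes) -> tuple:
        if any(kid == key_id for kid, _ in self.issued()):
            raise ValueError(f"key {key_id} was already scheduled")   # never re-issue
        target = self.negotiate(key_id)
        self.health_check()
        try:
            return self.active.distribute(key_id, key, target)
        except EngineDown:
            self.health_check()           # engine died after the probe: use the other one
            return self.active.distribute(key_id, key, target)


def run_failover_scenario() -> dict:
    """Constructed scenario: the primary engine goes down mid-run, then recovers."""
    fillers = [KeyFillingDevice("filling-1"), KeyFillingDevice("filling-2")]
    primary, mirror = ServiceEngine("engine"), ServiceEngine("engine-mirror")
    sched = KeyScheduler(primary, mirror, fillers)
    sched.schedule(1, b"\x01" * 32)
    primary.up = False                    # abnormal event: downtime
    sched.schedule(2, b"\x02" * 32)
    sched.schedule(3, b"\x03" * 32)
    primary.up = True                     # recovered: resync, then fail back
    sched.schedule(4, b"\x04" * 32)
    return {"events": sched.events,
            "primary_log": list(primary.log), "mirror_log": list(mirror.log),
            "filled": {f.name: sorted(f.store) for f in fillers}}
```

After `run_failover_scenario()` the primary's log holds all four key IDs even though two of them were distributed by the mirror, which is what the resynchronisation on recovery is for; without it the primary could re-issue key IDs 2 and 3 to a different filling device.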
In this embodiment, the quantum network management module includes a quantum network management database server and a quantum network management service server that are communicatively connected; during quantum encryption, the running states of the quantum key generation module, the quantum key scheduling module and the quantum key application module are managed and monitored by the quantum network management database server and the quantum network management service server.
Specifically, the quantum network management database server mainly hosts the database engine software and provides functions including but not limited to query, update, transaction management, indexing, caching and query optimization. The quantum network management service server mainly provides the business logic for the application programs and does not store service data. During quantum encryption, the running states of all quantum devices in the quantum key generation module, the quantum key scheduling module and the quantum key application module can be managed and monitored through these two servers, so that the running state of each quantum device is known in real time and data support is provided to background operation and maintenance personnel.
In this embodiment, the security access gateway includes a quantum security access gateway disposed on the quantum security service platform side and a distribution network security gateway disposed on the distribution master station side, the two being communicatively connected, and step S4 specifically includes: transmitting the service data in encrypted form through the quantum security access gateway and the distribution network security gateway, decrypting the service data through the distribution network security gateway on the distribution master station side, and transmitting the decrypted service data to the distribution master station.
Specifically, as shown in fig. 2, a plurality of quantum security access gateways may be deployed on the quantum security service platform side and a plurality of distribution network security gateways on the distribution master station side, where the quantum security access gateways are located in the quantum security access area and the distribution network security gateways are located in the wireless security access area of the urban office on the distribution master station side. The quantum security access gateways and the distribution network security gateways communicate through a convergence switch: the encrypted service data received over multiple paths by the quantum security access gateways is converged into two paths and output to the distribution network security gateways, and after decryption by the distribution network security gateways the decrypted service data may be sent to the distribution master station through a wireless private network acquisition server. A forward and reverse security isolation device may be deployed between the wireless private network acquisition server and the power distribution master station for security protection, ensuring the security of service data transmission. In addition, a firewall may be deployed between the quantum security access gateways and the electric power wireless virtual private network (4G/5G), and a plurality of operator access switches are deployed between the quantum security access gateways and that network, so that the firewall deployment enhances data security in the power distribution master station.
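The request cycle from step S3 (session key plus quantum random number turned into the quantum key that encrypts the service data) through step S4 (decryption by the distribution network security gateway on the master station side), as an added example that is not part of the patent. The patent names no key derivation function or cipher; HKDF-SHA256, an HMAC-SHA256 counter keystream with encrypt-then-MAC, the `key_id` header, the one-time-use policy at the gateway and the sample service data are all assumptions chosen so the block runs on the Python standard library. A production deployment would use an approved AEAD (SM4-GCM or AES-GCM) in place of the keystream and tag.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not the patent's code. The patent does not specify the key
# derivation or the cipher; HKDF-SHA256 and an HMAC-SHA256 keystream with
# encrypt-then-MAC are assumed here so that the block runs on the standard library.

HEADER_LEN = 4 + 16          # key_id (uint32, big-endian) + 16-byte nonce
TAG_LEN = 32                 # HMAC-SHA256 tag


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_quantum_key(session_key: bytes, quantum_random: bytes, key_id: int) -> tuple:
    """Scheduling-module step: session key + quantum random number -> (enc_key, mac_key)
    bound to one key ID. The quantum random number is the HKDF salt, the session key the IKM."""
    prk = hkdf_extract(quantum_random, session_key)
    label = struct.pack(">I", key_id)
    return (hkdf_expand(prk, b"qk-enc" + label, 32),
            hkdf_expand(prk, b"qk-mac" + label, 32))


def prf_keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumed stand-in for a stream/AEAD cipher)."""
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_service_data(enc_key: bytes, mac_key: bytes, key_id: int, plaintext: bytes) -> bytes:
    """Platform side: key_id || nonce || ciphertext || tag (encrypt-then-MAC over header and body)."""
    nonce = secrets.token_bytes(16)
    header = struct.pack(">I", key_id) + nonce
    stream = prf_keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt_service_data(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Gateway side: verify the tag in constant time before touching the ciphertext."""
    if len(message) < HEADER_LEN + TAG_LEN:
        raise ValueError("truncated message")
    header, ciphertext, tag = message[:HEADER_LEN], message[HEADER_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    nonce = header[4:]
    stream = prf_keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class MasterStationGateway:
    """Distribution network security gateway: each installed key is used once
    (assumed one-key-per-session policy) and then discarded."""

    def __init__(self):
        self._keys = {}
        self._used = set()

    def install_key(self, key_id: int, enc_key: bytes, mac_key: bytes) -> None:
        self._keys[key_id] = (enc_key, mac_key)

    def receive(self, message: bytes) -> bytes:
        if len(message) < HEADER_LEN + TAG_LEN:
            raise ValueError("truncated message")
        key_id = struct.unpack(">I", message[:4])[0]
        if key_id in self._used:
            raise ValueError(f"key {key_id} already consumed (replay?)")
        enc_key, mac_key = self._keys[key_id]        # KeyError if never scheduled to us
        plaintext = decrypt_service_data(enc_key, mac_key, message)
        self._used.add(key_id)
        del self._keys[key_id]
        return plaintext


def run_request_cycle() -> dict:
    """Constructed end-to-end cycle for one data request from a distribution terminal."""
    session_key = secrets.token_bytes(32)        # stands in for the QKD session key
    quantum_random = secrets.token_bytes(32)     # stands in for the QRNG output
    key_id = 1001
    enc_key, mac_key = derive_quantum_key(session_key, quantum_random, key_id)
    gateway = MasterStationGateway()
    gateway.install_key(key_id, enc_key, mac_key)   # delivered over the first secret channel
    service_data = b"DTU-0042 feeder F3: breaker closed, Ia=112A"   # constructed sample
    message = encrypt_service_data(enc_key, mac_key, key_id, service_data)
    plaintext = gateway.receive(message)
    return {"service_data": service_data, "message": message,
            "plaintext": plaintext, "gateway": gateway}
```

`run_request_cycle()` returns the recovered service data; presenting the same message to the gateway a second time is rejected because its key ID has already been consumed, and any change to the header or ciphertext fails the tag check before decryption is attempted, which is the property the master station side needs from the security access gateway.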
In this embodiment, the second secret communication channel includes a first quantum key transmission device communicatively connected to the distribution master station and the quantum security service platform, and a second quantum key transmission device disposed in the distribution substation and in secret communication with the first quantum key transmission device, where the second quantum key transmission device communicates with the quantum key filling substation and the distribution equipment in the distribution substation; the first and second quantum key transmission devices are used for communication between the distribution master station and the distribution substation, and for quantum key filling of the quantum key filling substation by the quantum key filling device.
Specifically, as shown in fig. 2, the second secret communication channel implements encrypted transmission of the service data with the quantum key by disposing two first quantum key transmission devices in the power distribution master station and two second quantum key transmission devices in the power distribution substation. The first quantum key transmission device communicates with the second quantum key transmission device, the quantum security service platform and the power distribution master station, and the second quantum key transmission device communicates, through a plurality of switches, with the quantum key filling substation and the power distribution automation substation in the power distribution substation. The key filling interface and management service provided by the quantum key filling device in the quantum security service platform can be connected to the quantum key filling substation through the second secret channel, the quantum key filling substation is filled with quantum keys, and the quantum keys are stored in the quantum key filling substation. Data is therefore encrypted, transmitted and decrypted between the power distribution master station and the power distribution substation over the second secret communication channel, which raises the security protection level of data communication. Because the quantum key filling function is realized on the power distribution substation side by the quantum key filling substation, the power distribution substation can manage key filling locally without obtaining quantum keys from the power distribution master station side.
Embodiment two
Referring to fig. 3, a technical solution further provided in the embodiment of the present invention is a quantum encryption-based power distribution automation protection system configured to execute the quantum encryption-based power distribution automation protection method described in the first embodiment, where the system 40 includes:
a quantum security service platform deployment module 401, configured to perform built-in isolation reinforcement and redundant deployment of key node equipment on the quantum security service platform;
a channel establishment module 402, configured to establish a first secret communication channel between the power distribution master station and the quantum security service platform and a second secret communication channel between the power distribution master station and the power distribution substation, where the first secret communication channel includes a security access gateway;
a key obtaining module 403, configured to, if the power distribution terminal initiates a data request, obtain a session key through the quantum security service platform, encrypt data based on that session key, and fill the session key to the quantum key filling substation of the power distribution substation through the second secret communication channel;
and a master station data transmission module 404, configured to decrypt data through the security access gateway and transmit the decrypted service data to the power distribution master station.
In this embodiment, the quantum security service platform includes an original quantum security service module, where the original quantum security service module includes a quantum key generation module, a quantum key scheduling module, a quantum key application module and a quantum network management module that are communicatively connected, and the quantum security service platform deployment module 401 is specifically configured to: perform forward and reverse isolation reinforcement on the quantum key generation module, the quantum key scheduling module, the quantum key application module and the quantum network management module, where the quantum key generation module is connected to the power distribution terminal through a first communication connection end, and the data request is sent to the quantum key generation module through the first communication connection end.
In this embodiment, the quantum security service platform deployment module 401 is further specifically configured to: based on the original quantum security service module, deploy a quantum cryptographic service engine mirror device, a first quantum key service mirror device, a second quantum key service mirror device and a forward and reverse security isolation device, where the quantum cryptographic service engine mirror device is connected to the forward and reverse security isolation device through a second communication connection end, the forward and reverse security isolation device is connected to one end of the first quantum key service mirror device and one end of the second quantum key service mirror device through a third communication connection end, and the other ends of the first and second quantum key service mirror devices are connected to a fourth communication connection end, which is connected to the security access gateway.
In this embodiment, the quantum key generation module includes a single-transmission quantum key generation and management terminal, a single-reception quantum key generation and management terminal, and a quantum random number generator, and the key obtaining module 403 is specifically configured to:
if any communication connection end receives a data request sent by the power distribution terminal, generate a quantum random number through the quantum random number generator, and generate a session key through the single-transmission quantum key generation and management terminal and the single-reception quantum key generation and management terminal;
and generate, by the quantum key scheduling module, the quantum key according to the session key and the quantum random number, and encrypt the service data contained in the data request with the quantum key.
In this embodiment, the quantum key scheduling module includes an exchange cipher machine, a quantum cryptographic service engine device and a quantum key filling device, and the key obtaining module 403 is further specifically configured to:
encrypt the service data through the exchange cipher machine and distribute the quantum key to the quantum cryptographic service engine device;
distribute, by the quantum cryptographic service engine device and according to a preset scheduling negotiation rule, the quantum key to the quantum key application module, and fill the quantum key through the quantum key filling device;
and, if an abnormal event is detected on the quantum cryptographic service engine device, distribute the quantum key to the quantum key application module through the quantum cryptographic service engine mirror device according to the preset scheduling negotiation rule.
In this embodiment, the quantum network management module includes a quantum network management database server and a quantum network management service server that are communicatively connected, and during quantum encryption the key obtaining module 403 is further specifically configured to: perform network management and monitoring of the running states of the quantum key generation module, the quantum key scheduling module and the quantum key application module through the quantum network management database server and the quantum network management service server.
In this embodiment, the security access gateway includes a quantum security access gateway disposed on the quantum security service platform side and a distribution network security gateway disposed on the distribution master station side, the two being communicatively connected, and the master station data transmission module 404 is specifically configured to: transmit the service data in encrypted form through the quantum security access gateway and the distribution network security gateway, decrypt the service data through the distribution network security gateway on the distribution master station side, and transmit the decrypted service data to the distribution master station.
In this embodiment, the second secret communication channel includes a first quantum key transmission device communicatively connected to the distribution master station and the quantum security service platform, and a second quantum key transmission device disposed in the distribution substation and in secret communication with the first quantum key transmission device, where the second quantum key transmission device communicates with the quantum key filling substation and the distribution equipment in the distribution substation; the first and second quantum key transmission devices are used for communication between the distribution master station and the distribution substation, and for quantum key filling of the quantum key filling substation by the quantum key filling device.
The above embodiments are preferred embodiments of the quantum encryption-based power distribution automation protection method of the present invention and do not limit it to these specific embodiments; the scope of the present invention includes but is not limited to the specific embodiments, and all equivalent changes in shape and structure made according to the present invention fall within the scope of the present invention.