WO2021042735A1 - Procédé d'administration de clés de sessions dans un dispositif de chiffrement de système de contrôle industriel de conservation de l'eau - Google Patents

Procédé d'administration de clés de sessions dans un dispositif de chiffrement de système de contrôle industriel de conservation de l'eau Download PDF

Info

Publication number
WO2021042735A1
WO2021042735A1 PCT/CN2020/085870 CN2020085870W WO2021042735A1 WO 2021042735 A1 WO2021042735 A1 WO 2021042735A1 CN 2020085870 W CN2020085870 W CN 2020085870W WO 2021042735 A1 WO2021042735 A1 WO 2021042735A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
session key
encryption device
dadr
water conservancy
Prior art date
Application number
PCT/CN2020/085870
Other languages
English (en)
Chinese (zh)
Inventor
陈宁
高祥涛
王美玲
朱月
曹晓宁
张磊
王培�
陈辉
陆明
赵峰
Original Assignee
江苏省水文水资源勘测局
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 江苏省水文水资源勘测局 filed Critical 江苏省水文水资源勘测局
Publication of WO2021042735A1 publication Critical patent/WO2021042735A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying

Definitions

  • the invention belongs to the field of information technology, and particularly relates to a session key management method in an encryption device of a water conservancy industrial control system.
  • ADU Modbus Application Data Unit
  • PDU protocol data unit
  • the integrity check mechanism is too simple and easy to be tampered with
  • the secure transmission of ADU can be realized by deploying encryption equipment between the upper computer, the lower computer and other automation control equipment and the fieldbus. How to manage the keys of such encryption devices is currently a more important issue.
  • PKI public key infrastructure
  • CA certification center
  • the present invention proposes a session key management method in an encryption device of a water conservancy industrial control system to realize a decentralized distributed encryption device key management function.
  • the technical solution adopted by the present invention is: a session key management method in an encryption device of a water conservancy industrial control system, which includes the following steps:
  • S1 Set up a field bus FB of the water conservancy industrial control system, connect the encryption device between the control device and the field bus network physical interface, and initialize the encryption device.
  • the initialization process includes the encryption device session key generation and the encryption device session secret Key pre-distribution;
  • step S1 the encryption device is initialized in step S1; the method is as follows:
  • the built-in symmetric encryption module of the encryption device to generate a session key PK
  • the corresponding symmetric encryption algorithm includes but not limited to DES, AES, SM1; set the address code of the control device connected to the encryption device as DADR;
  • PK and DADR as a two-tuple and write them into the memory of the encrypted device, which includes but not limited to NAND Flash and eMMC; use PK and DADR as a two-tuple and export them to the mobile device MD for pre-allocation
  • the form of MD of the mobile device includes but not limited to mobile hard disk, U disk, SD card;
  • the pre-distribution operation is performed on each encryption device. After the pre-distribution is completed, the initialization process ends.
  • control device connected to the encryption device is the master device (Master)
  • slave devices Slave
  • the fieldbus FB exports all the encryption devices connected to other slave devices (Slave) on the fieldbus FB to the two-tuple PK and DADR of the mobile device MD, and write them to the master device respectively In the storage of the connected encryption device;
  • control device connected to the encryption device is a slave device (Slave)
  • step S2 when the address code of the control device DD on the field bus FB changes, update the session key of the encrypted device connected to the control device DD; suppose the original address code of the control device DD is DADR, and for its connection
  • the encryption device of, the update method is as follows:
  • S2.1 Use the built-in symmetric encryption module of the encryption device to regenerate a session key PK_NEW of the encryption device.
  • the corresponding symmetric encryption algorithm includes but not limited to DES, AES, SM1; set the new address code of the control device DD Is DADR_NEW;
  • PK_NEW and DADR_NEW as a two-tuple into the storage of the encrypted device and overwrite the original two-tuple PK and DADR of the encrypted device; use PK_NEW and DADR_NEW as a two-tuple to export to the mobile device MD, and Overwrite the original two-tuple PK and DADR of the encrypted device stored in the MD for use in the pre-allocation phase.
  • the form of the mobile device MD includes but not limited to mobile hard disk, U disk, SD card;
  • control device DD whose address code connected to the encryption device changes is the master device (Master)
  • the master device Master
  • export the encryption device to the two-tuple PK_NEW and DADR_NEW of the mobile device MD, and write them to all other slaves connected to the fieldbus FB.
  • control device DD whose address code changes to the encrypted device is a slave device (Slave)
  • export the encrypted device to the two-tuple PK_NEW, DADR_NEW of the mobile device MD, and write it to the only connected master device on the field bus FB (Master) in the storage of the encryption device;
  • step S2.4 After the pre-allocation of step S2.3 is completed, the update process ends.
  • step S3 when the control device DD on the field bus FB temporarily or permanently disconnects the logical connection with other devices on the field bus FB, the session key in the encryption device connected to the control device DD is moved. Except; suppose the original address code of the control device DD is DADR, for the encrypted device connected to it, the removal method is as follows:
  • the invention realizes the decentralized distributed management of the key of the field bus channel encryption device through the method of offline distribution, update and removal of the symmetric session key.
  • the fieldbus network of the existing water conservancy industrial control system there is no need to establish a separate public key infrastructure (Public Key Infrastructure) and a certification center (Certificate Authority) to realize the identity authentication of the control equipment, which has strong equipment compatibility .
  • Public Key Infrastructure Public Key Infrastructure
  • a certification center Certificate Authority
  • the invention is compatible with the existing bus-type topology network, does not need to modify the field bus physical layer and the link layer, and can effectively prevent unauthorized and illegal devices from monitoring, intercepting, tampering and other man-in-the-middle attacks on the field bus channel.
  • the symmetric encryption scheme adopted in the session key of the present invention has the characteristics of high access efficiency and low time overhead, and therefore has a higher competitive advantage in terms of equipment cost and node processing delay.
  • it reduces the security risk of the fieldbus channel in the industrial control system of the water conservancy industry, and provides a reliable security guarantee for the critical infrastructure in the national economy.
  • Figure 1 is a hierarchical structure diagram of the method of the present invention
  • FIG. 1 is an initialization flowchart of the present invention
  • FIG. 3 is an update flow chart of the present invention.
  • Figure 4 is a removal flow chart of the present invention.
  • control devices D1, D2, and D3 on a field bus FB, where D1 is the upper computer, set to master mode, and the address is 0x01; D2, D3 are lower computers, set to slave mode , The addresses are 0x02 and 0x03 respectively.
  • the control devices D1, D2, and D3 are directly connected to the field bus FB, and no encryption device is deployed between the field bus FB.
  • the session key management method in the encryption device of the water conservancy industrial control system described in this embodiment, as shown in FIG. 1, includes the following steps:
  • SM1 Use the built-in symmetric encryption module of ND1 to generate a session key PK1, and its corresponding symmetric encryption algorithm is SM1.
  • the address code DADR1 of the control device D1 connected to ND1 is 0x01, and PK1 and DADR1 are used as a two-tuple and written into the memory of ND1, which is NAND Flash.
  • PK1 and DADR1 are exported as a two-tuple to the mobile device MD, and the mobile device MD is in the form of a U disk.
  • SM1 Use the built-in symmetric encryption module of ND2 to generate a session key PK2, and its corresponding symmetric encryption algorithm is SM1.
  • the address code DADR2 of the control device D2 connected to ND2 is 0x02, and PK2 and DADR2 are used as a two-tuple and written into the memory of ND2, which is NAND Flash. Export PK2 and DADR2 as a two-tuple to the mobile device MD.
  • SM3 Use the built-in symmetric encryption module of ND3 to generate a session key PK3, and its corresponding symmetric encryption algorithm is SM1.
  • the address code DADR3 of the control device D3 connected to ND3 is 0x03, and PK3 and DADR3 are used as a two-tuple and written into the memory of ND3, which is NAND Flash. Export PK3 and DADR3 as a two-tuple to the mobile device MD.
  • the control device D1 connected to ND1 is the master device (Master), and all the encryption devices ND2, ND3 connected to the other slave devices (Slave) D2 and D3 on the fieldbus FB are exported to the two-tuples PK2, DADR2 and PK3 of the mobile device MD , DADR3, respectively write into the memory of ND1.
  • the control device D2 connected to ND2 is a slave device (Slave), which exports the only encryption device ND1 connected to the master device (Master) D1 on the fieldbus FB to the binary group PK1, DADR1 of the mobile device MD, and writes it to the memory of ND2 in.
  • Master master device
  • DADR1 binary group PK1, DADR1 of the mobile device MD
  • the control device D3 connected to ND3 is the slave device (Slave), which exports the only encryption device ND1 connected to the master device (Master) D1 on the fieldbus FB to the binary group PK1, DADR1 of the mobile device MD, and writes it to the memory of ND3 in.
  • Master master device
  • DADR1 binary group PK1, DADR1 of the mobile device MD
  • ND1 can perform data communication with ND2 and ND3 respectively, and data communication cannot be performed between ND2 and ND3 due to the lack of the other party's session key, thus realizing communication data isolation between slave devices.
  • the initialization process is shown in Figure 2.
  • SM1 Use the built-in symmetric encryption module of ND2 to regenerate a session key PK4, and its corresponding symmetric encryption algorithm is SM1.
  • the new address code DADR4 of the new device D2 connected to ND2 is 0x04, and PK4 and DADR4 are written as a two-tuple into the memory of ND2, and the original two-tuple PK2 and DADR2 are overwritten.
  • Export PK4 and DADR4 as a two-tuple to the mobile device MD, and overwrite the original two-tuple PK2 and DADR2 stored in the MD.
  • control device D2 is a slave device (Slave)
  • the two tuples PK4 and DADR4 exported to the mobile device MD are written into the memory of the encryption device ND1, which is the only encryption device connected to the master device (Master) D1 on the field bus FB.
  • the update process ends.
  • the PK2 of the original device D2 is removed from the memory of the encryption device ND2. Even if the original device D2 is connected to the field bus FB through the encryption device ND2, it cannot communicate with the master device D1. The new device D2 can communicate with the main device D1 normally.
  • the update process is shown in Figure 3.
  • the original two-tuples PK3 and DADR3 of the ND3 that have been written in the memory of the encryption device ND1 connected to the master device D1 are deleted, and the two-tuples are deleted.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

La présente invention concerne un procédé d'administration de clés de sessions dans un dispositif de chiffrement d'un système de contrôle industriel de conservation de l'eau. Le procédé permet d'obtenir la crédibilité distribuée de tous les nœuds sur un bus de terrain du système de contrôle industriel de conservation de l'eau en distribuant, actualisant, et supprimant une clé de session pour un dispositif de chiffrement connecté au système de contrôle industriel de conservation de l'eau. Sur le bus de terrain du système de contrôle industriel de conservation de l'eau, le dispositif de chiffrement est déployé entre chaque nœud connecté au bus et le bus, et la clé de session basée sur un algorithme de chiffrement symétrique est distribuée pour chaque dispositif de chiffrement, de sorte que l'authentification d'identité du dispositif puisse être réalisée, et ainsi, par rapport à un algorithme de chiffrement asymétrique, la présente invention a les avantages d'une haute efficacité d'accès, d'un faible temps mort, et d'une forte compatibilité. La présente invention n'a pas besoin d'améliorer une structure de topologie de réseau de type bus existante, et a une forte résistance à une attaque de l'homme du milieu. Dans un système de contrôle automatique de l'industrie de conservation de l'eau, le risque de sécurité dû au fait qu'un canal de bus de terrain est soumis à une invasion peut être réduit, et une garantie de sécurité fiable est assurée pour des infrastructures clés dans le champ de l'économie nationale.
PCT/CN2020/085870 2019-09-06 2020-04-21 Procédé d'administration de clés de sessions dans un dispositif de chiffrement de système de contrôle industriel de conservation de l'eau WO2021042735A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910841121.1A CN110493257A (zh) 2019-09-06 2019-09-06 一种水利工业控制系统加密设备中会话密钥管理方法
CN201910841121.1 2019-09-06

Publications (1)

Publication Number Publication Date
WO2021042735A1 true WO2021042735A1 (fr) 2021-03-11

Family

ID=68555555

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/085870 WO2021042735A1 (fr) 2019-09-06 2020-04-21 Procédé d'administration de clés de sessions dans un dispositif de chiffrement de système de contrôle industriel de conservation de l'eau

Country Status (2)

Country Link
CN (1) CN110493257A (fr)
WO (1) WO2021042735A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110493257A (zh) * 2019-09-06 2019-11-22 江苏省水文水资源勘测局 一种水利工业控制系统加密设备中会话密钥管理方法
CN111988288B (zh) * 2020-08-04 2021-11-23 网络通信与安全紫金山实验室 基于网络时延的密钥交换方法、系统、设备及存储介质
CN113014385B (zh) * 2021-03-25 2023-09-01 黑龙江大学 一种双网口硬件网络数据加密系统

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104767618A (zh) * 2015-04-03 2015-07-08 清华大学 一种基于广播的can总线认证方法及系统
CN106790053A (zh) * 2016-12-20 2017-05-31 江苏大学 一种can总线中ecu安全通信的方法
EP3182674A1 (fr) * 2015-12-14 2017-06-21 Deutsche Telekom AG Système pour communication sécurisée dans un rétrofit de robot
CN106899404A (zh) * 2017-02-15 2017-06-27 同济大学 基于预共享密钥的车载can fd总线通信系统及方法
CN108390754A (zh) * 2018-01-24 2018-08-10 上海航天芯锐电子科技有限公司 基于可变参数的芯片内部总线加扰装置和加扰方法
CN110493257A (zh) * 2019-09-06 2019-11-22 江苏省水文水资源勘测局 一种水利工业控制系统加密设备中会话密钥管理方法

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110401528B (zh) * 2019-07-16 2021-09-28 河海大学 一种现场总线信道加密设备密钥管理方法

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104767618A (zh) * 2015-04-03 2015-07-08 清华大学 一种基于广播的can总线认证方法及系统
EP3182674A1 (fr) * 2015-12-14 2017-06-21 Deutsche Telekom AG Système pour communication sécurisée dans un rétrofit de robot
CN106790053A (zh) * 2016-12-20 2017-05-31 江苏大学 一种can总线中ecu安全通信的方法
CN106899404A (zh) * 2017-02-15 2017-06-27 同济大学 基于预共享密钥的车载can fd总线通信系统及方法
CN108390754A (zh) * 2018-01-24 2018-08-10 上海航天芯锐电子科技有限公司 基于可变参数的芯片内部总线加扰装置和加扰方法
CN110493257A (zh) * 2019-09-06 2019-11-22 江苏省水文水资源勘测局 一种水利工业控制系统加密设备中会话密钥管理方法

Also Published As

Publication number Publication date
CN110493257A (zh) 2019-11-22

Similar Documents

Publication Publication Date Title
WO2021042735A1 (fr) Procédé d'administration de clés de sessions dans un dispositif de chiffrement de système de contrôle industriel de conservation de l'eau
WO2021008181A1 (fr) Procédé de gestion de clé pour dispositif de chiffrement de canal de bus de terrain
WO2019184924A1 (fr) Procédé de gestion d'identité, équipement, réseau de communication, et support de stockage
CN109412794B (zh) 一种适应电力业务的量子密钥自动充注方法及系统
CN112686668B (zh) 联盟链跨链系统及方法
WO2020192285A1 (fr) Procédé de gestion de clé, puce de sécurité, serveur de service et système d'informations
US20030233573A1 (en) System and method for securing network communications
CN104009987B (zh) 一种基于用户身份能力的细粒度云平台安全接入控制方法
CN107947357B (zh) 一种基于安全接入区的配电自动化数据采集装置及方法
CN109190384B (zh) 一种多中心区块链熔断保护系统及方法
CN110852745B (zh) 一种区块链分布式动态网络密钥自动更新方法
KR102450811B1 (ko) 차량 내부 네트워크의 키 관리 시스템
CN111726343A (zh) 一种基于ipfs和区块链的电子公文安全传输方法
CN105471901A (zh) 一种工业信息安全认证系统
CN105610837A (zh) 用于scada系统主站与从站间身份认证的方法及系统
CN111447067A (zh) 一种电力传感设备加密认证方法
CN109302432B (zh) 基于网络安全隔离技术的网络通信数据组合加密传输方法
WO2024088082A1 (fr) Procédé et dispositif de vérification de l'intégrité des données, ainsi que support d'enregistrement
CN205584238U (zh) 一种网络数据加密器
CN113094733A (zh) 一种区块链数据隐私保护方法及系统
CN112653553A (zh) 物联网设备身份管理系统
Schleiffer et al. Secure key management-a key feature for modern vehicle electronics
WO2021170049A1 (fr) Procédé et appareil d'enregistrement de comportement d'accès
CN113067861A (zh) 基于区块链的分布式可扩展访问控制授权系统和方法
CN112347496A (zh) 一种细粒度数据安全访问控制方法及系统

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20861275

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20861275

Country of ref document: EP

Kind code of ref document: A1