CN104079408A - Method for enhancing communication safety in industrial control system - Google Patents

Method for enhancing communication safety in industrial control system

Info

Publication number
CN104079408A
Authority
CN
China
Prior art keywords
message
timestamp
master station
control system
terminal side
Prior art date
Legal status
Granted
Application number
CN201410240791.5A
Other languages
Chinese (zh)
Other versions
CN104079408B (en)
Inventor
张波
高昆仑
郑晓崑
李凌
赵保华
梁潇
赵婷
Current Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Smart Grid Research Institute of SGCC
Original Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Priority date
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, China Electric Power Research Institute Co Ltd CEPRI

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a method for enhancing communication security in an industrial control system. The method is applied in an industrial control system comprising a master station side and a terminal side that communicate with each other, and is implemented through a preparation stage before communication, a master station side sending stage, and a terminal side receiving, processing and replying stage. It addresses the problems found in existing industrial control system communication: the computing capacity of the client is weak, the client's time comes from the server, the communication channel is not reliable, and key communication needs both real-time delivery and high security. The method is designed for secure communication in this special environment; it provides identity authentication and an integrity guarantee for key communication messages and effectively enhances the security of the whole system.

Description

Method for enhancing communication security in an industrial control system
Technical field
The present invention relates to information security technology, and specifically to a method for enhancing communication security in an industrial control system.
Background technology
Industrial control system (ICS) is the general name for various control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and small control devices such as programmable logic controllers (PLC). Industrial control systems are widely used in electric power, water supply, oil, natural gas, chemical industry, transportation, pharmaceuticals, pulp and paper, energy, and food and beverage manufacturing. An industrial control system is composed of a master station, a network and substations. Its basic operating principle is that the substation collects industrial process measurement data and delivers it over the network to the master station; after analysis, the master station sends commands such as control or parameter settings over the network to the substation; the substation acts on the industrial process and returns the execution result and/or state to the master station.
The communication protocols currently used in industrial control systems include the IEC60870 series, the IEC60970 series, the IEC61850 series, DNP3 and others. These protocols take reliability as their primary requirement and do not consider security content such as sender and receiver authentication, data integrity and data confidentiality. Moreover, the computing environment of industrial control system applications is harsh: not only are the network communication modes numerous, including leased-line dial-up, private fibre networks, mobile GPRS and satellite communication, but the equipment is distributed and exposed in an open computing environment, so the possibility of attack by an adversary fully exists. The open network environment and "zero security mechanism" communication protocols leave industrial control systems facing numerous information security risks.
In this situation, implementing an extension of security functions while remaining compatible with the existing communication protocols and data formats has strong practical significance.
Summary of the invention
In view of the deficiencies of the prior art, the object of this invention is to provide a method for enhancing communication security in an industrial control system. The method is unidirectional and applies only to important communication messages; it adopts a series of targeted security protection measures, such as deeply optimized elliptic curve cryptography, a suffix-style design, an important-message registration mechanism and a timestamp mechanism, and realizes the necessary security functions such as authentication and integrity protection without affecting the operation of the industrial control system.
The object of the invention is realized by the following technical solution:
A method for enhancing communication security in an industrial control system, the improvement being that the method is applied in an industrial control system comprising a master station side and a terminal side that communicate with each other, and the method is implemented in the following three stages:
(1) preparatory stage before communication;
(2) main website side transmission phase;
(3) terminal side receiving, processing and replying stage.
Further, the preparation stage before communication of (1) comprises the following steps:
Step 102: the master station side generates an elliptic curve cryptography key pair, comprising the private key PriK and the public key PubK, according to the SM2 elliptic curve public key cryptography algorithm published in Announcement No. 21 of the State Cryptography Administration (issued December 17, 2010);
Step 104: the master station side presets the elliptic curve cryptography key pair, comprising the private key PriK and the public key PubK; the private key PriK is stored in preset form in an encryption card, encryption chip or encryption machine; the storage must guarantee security and must not leak;
Step 106: the terminal side presets the master station side's public key PubK.
Further, the master station side sending stage of (2) comprises the following steps:
Step 202: the master station side generates the original important message to be protected; this important message is the original message M;
Step 204: the master station side appends the local timestamp after the original message M, giving M||timestamp;
Step 206: the master station side appends, after the timestamp, the signature data signature = Sign(M||timestamp, PriK), computed with the master station side's preset private key PriK over the segment from the original message M to the timestamp;
Step 208: the master station side appends the secure-message end-mark byte end after the signature data, forming the composite secure message SM, where SM = Signature||end;
Step 210: the master station side sends the composite secure message SM to the terminal side.
Further, in step 202 the important message refers to a control message in the industrial control system communication protocol; in step 206 the signature verification performed on the original message M in the communication is unidirectional signature authentication.
Further, the terminal side receiving, processing and replying stage of (3) comprises the following steps:
Step 302: the terminal side receives the composite secure message SM;
Step 304: the terminal side extracts the original important message, the timestamp timestamp and the signature data signature from the composite secure message SM;
Step 306: the terminal side reads the local timestamp localtime;
Step 308: compare whether the time difference lies within the reasonable time window W, i.e. whether (localtime - timestamp) < W; if it lies within the reasonable time window W, go to step 310; otherwise go to step 309. The value of the reasonable time window W is determined by the concrete application scenario; in the industrial control system example it is set to 30 seconds.
Step 309: discard the composite secure message SM and return no data;
Step 310: compare whether the important message timestamp timestamp is already in the locally registered timestamp list L; if so, go to step 311; otherwise go to step 312;
Step 311: discard the composite secure message SM and return no data;
Step 312: verify whether the signature data are valid using the public key PubK preset on the terminal side, i.e. ret = verify(signature, PubK); if ret = 0, go to step 314; otherwise go to step 313;
Step 313: discard the composite secure message SM and return no data;
Step 314: the terminal side processes the original message M and observes whether the result is normal; if normal, go to step 316, otherwise go to step 315;
Step 315: return a processing-exception message;
Step 316: the terminal side registers the important message timestamp timestamp in the timestamp list L;
Step 317: return a processing-normal message.
Compared with the prior art, the beneficial effects achieved by the present invention are:
1. Based on the particularity of the communication system, the present invention analyses in depth the general and special forms of attack that may be encountered and designs targeted security measures, which can effectively secure communication and resist attack.
2. The security enhancement scheme designed by the present invention on the basis of an in-depth analysis of the particularity of the original communication system not only effectively strengthens communication security but also ensures that communication efficiency is hardly affected.
3. The present invention is highly compatible and is especially suited to large-scale terminal protocol upgrades in which old and new protocols and old and new terminals must coexist.
4. Because the present invention adopts an asymmetric unidirectional authentication scheme, only the master station side needs to add cryptographic hardware such as an encryption card, encryption chip or encryption machine, while the terminal can be implemented in pure software. Since master stations are few and cryptographic products are inexpensive, and terminals can be upgraded in software at low cost, the economic benefit of implementing the invention is outstanding: it is low-cost and efficient, and can be described as inexpensive.
Brief description of the drawings
Fig. 1 is the flow chart of key presetting in the preparation stage before communication provided by the invention;
Fig. 2 is the flow chart of the master station side generating the message provided by the invention;
Fig. 3 is the flow chart of the terminal side processing the secure message provided by the invention;
Fig. 4 is the flow chart of the method for enhancing communication security in an industrial control system provided by the invention.
Detailed description
The specific embodiments of the present invention are described in further detail below with reference to the drawings.
The following terms are defined:
Elliptic curve signature function Sign(tosign, PriK) -> signature: the input tosign is the data to be signed, PriK is the private key, and the output signature is the signature;
Elliptic curve signature verification function verify(sign, PubK) -> 0/err: the input sign is the signature, PubK is the public key, an output of 0 indicates that the signature is correct, and any other output indicates an error;
a||b: the string b is concatenated after the string a.
The technical problem to be solved by the present invention is to provide a method for enhancing communication security in an industrial control system whose communication has the following features: the terminal side has weak computing capability, the terminal side's time is derived from the master station end, the communication channel is unreliable, and important messages are infrequent but require real-time delivery and high security. For these features, the present invention designs a unidirectional scheme that applies only to important communication messages and adopts a series of targeted security protection measures, such as deeply optimized elliptic curve cryptography, a suffix-style design, an important-message registration mechanism and a timestamp mechanism, realizing the necessary security functions such as authentication and integrity protection without affecting the operation of the industrial control system.
The method of the present invention for enhancing communication security is explained below in conjunction with the communication characteristics of this special industrial control system, and its security is demonstrated at the same time.
First, consider the weak computing capability of the terminal side together with the real-time and high-security requirements of important messages. The two communicating parties in this special industrial control system, the master station and the terminal, differ greatly in computing capability: the master station side is highly configured, while the terminal side is low-end, and the MCU clock frequency of the low-end models may be only in the tens, with only tens of K of memory. Because the application program also occupies most of these resources, very little is left for the security enhancement function. At the same time, the important messages of this special industrial control system have real-time and high-security requirements, and the most important aspect of security here is to prevent the terminal from accepting important messages from an illegitimate master station. To avoid affecting the application function of the terminal side as far as possible, the design does not protect all communication; it protects only the important messages, and the protection is unidirectional. This unidirectional design limited to key messages gives rise to a series of unique security problems, and the subsequent design focuses on solving them.
Before further analysing the security problems the design faces, the concrete meaning of "unidirectional" and "only for key messages" is explained in detail here, so that the subsequent security problems and solutions can be understood.
"Unidirectional" means that only messages in the direction from the master station to the terminal are signed.
"Important message" refers to a control message in this special industrial control system communication protocol; control messages are used infrequently, but their results directly affect production, daily life and personal safety, so they are extremely important. Control messages all have high real-time and security requirements.
The unidirectional design limited to key messages means that messages other than control messages in the communication of this special industrial control system are still handled in the original way, without change. For control messages, the master station signs the message and sends it to the terminal side; the terminal verifies the signature after receiving the message, and if signature verification and decryption show no error it accepts the message and carries out the next step of application work. The terminal's reply message is unchanged and is still returned to the master station side in the original plaintext form.
A design limited to key messages is unproblematic in most protocols, but in the communication protocol of this special industrial control system it can cause certain problems or hidden dangers. Of the two ends of this protocol, the master station side and the terminal side, the master station side has a correct time source, while the terminal side derives its time from the master station side through time synchronization messages in the communication, and these time synchronization messages are not protected as key messages. Because the communication channel of this special industrial control system is insecure, an attacker can manipulate time synchronization messages to control the terminal's time, and thus control the difference between the timestamp of a key message and the terminal-side time, which may leave a serious vulnerability in any design that uses the terminal-side time for security protection.
The above explains in detail the time synchronization message attack unique to the communication protocol of this special industrial control system. In addition there are other general protocol attack forms; for communication protocols that have adopted authentication and encryption mechanisms, the main one is the replay attack.
A replay attack is a type of attack in which the attacker first obtains valid transmitted data by network sniffing or other means and later sends it again to the destination host. Encryption and authentication can effectively prevent attack forms such as session hijacking, but do not prevent replay attacks.
To prevent replay attacks, three mechanisms are generally adopted: timestamps, sequence numbers and challenge-response.
The basic idea of the timestamp mechanism is that a host accepts a message if and only if the timestamp it contains is close enough to the current time. It requires the clocks of the two communicating parties to be kept synchronized, and this basis does not exist in this special industrial control system: an attacker can use the time synchronization message attack to change the terminal's time, so that expired key messages can still be accepted by the terminal side. The timestamp mechanism is therefore not applicable to the communication security enhancement of this special industrial control system.
Communication using the sequence number mechanism needs to negotiate an initial sequence number and increment method, and then judges the freshness of a message from the sequence number in it. The sequence number mechanism is not applicable to the communication security enhancement of this special industrial control system because the negotiation of the sequence number itself requires two-way encryption and authentication, and this would change too much of the existing protocol.
The basic practice of the challenge-response mechanism is: A, expecting to obtain a message from B, first sends B a random value N and requires B's reply to contain N or F(N), where F is a simple function agreed in advance between A and B; A judges whether the message is a retransmission by checking whether the N or F(N) in B's reply is consistent with what it sent. For reasons similar to those of the sequence number mechanism, the challenge-response mechanism is likewise not applicable to the communication security enhancement of this special industrial control system.
From the above analysis of replay prevention it can be seen that the conventional anti-replay mechanisms are not applicable to the scenario targeted by the present invention. The security enhancement design of the communication protocol in this special industrial control system therefore combines a timestamp mechanism with an important-message registration mechanism to prevent replay attacks. The timestamp mechanism detects whether the timestamp exceeds the configured reasonable time window and is used to prevent replay of a single message; the important-message registration mechanism requires the terminal side to record the timestamp of every successfully processed important message and, by refusing important messages with a repeated timestamp, prevents replay attacks combined with the time synchronization message attack. In theory the registration mechanism could make the registration list too long if important messages were too frequent, but because important messages are infrequent in actual use of this special industrial control system, this problem does not arise.
The above analysis covers the main content of the communication security enhancement design for the industrial control system. In addition, to further improve the terminal side's processing speed for encrypted and authenticated messages, the design adopts the elliptic curve, which among mature public key algorithms has higher security and better computational performance, and deeply optimizes the algorithm.
The main advantage of elliptic curve cryptography is that it uses smaller keys than other methods, such as the RSA encryption algorithm, to provide equivalent or higher security in some cases. It is therefore very useful on connections with tight bandwidth requirements, which is exactly the communication scenario of this special industrial control system.
In addition, to guarantee compatibility with terminals in this special industrial control system that do not apply the design, the communication security enhancement adopts a suffix-style secure message design: the original important message is left unchanged, and a secure message containing the timestamp, signature data, check data and so on is appended after it, forming the composite secure message. Terminals that apply this method process the whole composite secure message, while terminals in running state that do not adopt the design process only the original message.
The flow chart of the method for enhancing communication security provided by the invention is shown in Figure 4; the method is implemented in the following three stages:
(1) Preparation stage before communication, flow chart shown in Figure 1, comprising the following steps:
Step 102: the master station side generates an elliptic curve cryptography key pair, comprising the private key PriK and the public key PubK, according to the SM2 elliptic curve public key cryptography algorithm published in Announcement No. 21 of the State Cryptography Administration (issued December 17, 2010). The elliptic curve cryptography here refers specifically to the deeply optimized elliptic curve cryptography used by the present invention. The algorithm generating the key pair here should be implemented by a hardware encryption card, encryption chip or encryption machine, to guarantee the security of private key storage.
Step 104: the master station side presets the elliptic curve cryptography key pair, comprising the private key PriK and the public key PubK.
Step 106: the terminal side presets the master station side's public key PubK.
(2) Master station side sending stage, flow chart shown in Figure 2, comprising the following steps:
Step 202: the master station side generates the original important message to be protected; this message is called the original message M here.
Step 204: the master station side appends the local timestamp after the original message, giving M||timestamp.
Step 206: the master station side appends, after the timestamp, the signature data signature = Sign(M||timestamp, PriK), computed with the locally preset private key over the segment from the original message to the timestamp.
Step 208: the master station side appends the secure-message end-mark byte end after the signature data, forming the composite secure message SM, i.e. SM = Signature||end;
Step 210: the master station side sends the composite secure message.
(3) Terminal side receiving, processing and replying stage, flow chart shown in Figure 3, comprising the following steps:
Step 302: the terminal side receives the composite secure message SM;
Step 304: the terminal side extracts the original important message, the timestamp timestamp and the signature data signature from the composite secure message SM;
Step 306: the terminal side reads the local timestamp localtime;
Step 308: compare whether the time difference lies within the reasonable time window W, i.e. whether (localtime - timestamp) < W; if it lies within the reasonable time window W, go to step 310; otherwise go to step 309. The value of the reasonable time window W is determined by the concrete application scenario; in the industrial control system example it is set to 30 seconds.
Step 309: discard the composite secure message SM and return no data;
Step 310: compare whether the important message timestamp timestamp is already in the locally registered timestamp list L; if so, go to step 311; otherwise go to step 312;
Step 311: discard the composite secure message SM and return no data;
Step 312: verify whether the signature data are valid using the public key PubK preset on the terminal side, i.e. ret = verify(signature, PubK); if ret = 0, go to step 314; otherwise go to step 313;
Step 313: discard the composite secure message SM and return no data;
Step 314: the terminal side processes the original message M and observes whether the result is normal; if normal, go to step 316, otherwise go to step 315;
Step 315: return a processing-exception message;
Step 316: the terminal side registers the important message timestamp timestamp in the timestamp list L;
Step 317: return a processing-normal message.
An existing old terminal (substation) in running state, on receiving the composite control message M, can normally read the original payload m in the frame according to the legacy data format and ignore the processing of the integrity check code. For example, the 1-ISO/IEC8802-3 frame format of the power industry standard IEC61850-8-1 of the People's Republic of China includes a length item that can record the message length. In "IEC60870-5-101/104 applied to distribution automation systems", in the "variable frame length format of the 4.2101 stipulations", the length of the message can be given by the "length L" item. The length of the integrity verification code/signature can be preset or determined from the algorithm and security parameters.
In the above embodiment, the master station side signs the digest of the message, and the receiving end performs data source authentication and integrity verification based on the signature, guaranteeing the security of information exchange. Placing the signature after the original message gives the best possible compatibility with existing industrial control system communication protocols; the terminal side performs the verification processing, while old terminals can omit the processing of the integrity check code, so the scheme is compatible with existing systems as far as possible and avoids the significant cost of upgrading all devices.
When the industrial control system control centre or a controlled terminal sends a control, measurement or similar message, it acts as the sender and appends an integrity check code or signature after the message; the receiving end, on receiving the message, verifies or decrypts the integrity check code or signature and processes the message only after success. With the technical scheme of the embodiment of the present invention, the industrial control system control centre (master station side) and the controlled terminal (substation side) can verify the identity of the message sender, preventing malicious persons from impersonating the control centre (master station side) or the controlled terminal (substation side) to control and damage the industrial control system; at the same time, measurement, control and parameter-setting messages are protected, preventing malicious persons from tampering with message content. On the premise of supporting existing industrial control communication protocol functions, the present invention realizes data source authentication, integrity protection and replay attack prevention between the control centre (master station side) and the controlled terminal (substation side).
Finally it should be noted that the above embodiments are only intended to illustrate the technical scheme of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the specific embodiments of the present invention may still be modified or equivalently replaced, and any modification or equivalent replacement that does not depart from the spirit and scope of the present invention shall be encompassed within the scope of the claims of the present invention.
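The master-station sending stage (steps 202 to 210), the terminal-side checks in their stated order (steps 302 to 317) and the old-terminal behaviour just described, as an added example in Go that is not part of the patent. It assumes a 2-byte big-endian length field at the start of M standing in for the protocol's length item, a 4-byte big-endian timestamp in seconds, 0x16 as the end-mark byte, and ECDSA P-256 over SHA-256 as a stand-in for the SM2 Sign/verify functions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Composite secure message in the patent's suffix format (steps 204-208):
//   SM = M || timestamp || signature || end
// ASSUMPTIONS not taken from the patent: M starts with a 2-byte big-endian length field
// (standing in for the frame's length item), the timestamp is 4 bytes big-endian in
// seconds, the end mark is 0x16, and ECDSA P-256/SHA-256 stands in for SM2 Sign/verify.
const endMark byte = 0x16
const windowW uint32 = 30 // reasonable time window W; 30 s in the patent's example
type Result int

const (
	Dropped            Result = iota // steps 309/311/313: discard, reply nothing
	ProcessedException               // step 315
	ProcessedNormal                  // step 317
)

// Terminal holds the preset master public key (step 106) and the registered-timestamp list L.
type Terminal struct {
	pub *ecdsa.PublicKey
	L   map[uint32]bool
}

func NewMasterKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } // step 102

func NewTerminal(pub *ecdsa.PublicKey) *Terminal { return &Terminal{pub: pub, L: map[uint32]bool{}} }

// FrameM builds a constructed original message M: length field + payload.
func FrameM(payload []byte) []byte {
	m := make([]byte, 2+len(payload))
	binary.BigEndian.PutUint16(m, uint16(len(payload)))
	copy(m[2:], payload)
	return m
}

// BuildSM is the master-station sending stage (steps 202-208).
func BuildSM(priv *ecdsa.PrivateKey, m []byte, timestamp uint32) ([]byte, error) {
	buf := append([]byte{}, m...)
	var ts [4]byte
	binary.BigEndian.PutUint32(ts[:], timestamp)
	buf = append(buf, ts[:]...) // step 204: M||timestamp
	digest := sha256.Sum256(buf)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:]) // step 206
	if err != nil {
		return nil, err
	}
	buf = append(buf, sig...)        // ||signature
	return append(buf, endMark), nil // step 208: ||end
}

// LegacyRead is what an old terminal does: read M via the length field, ignore the suffix.
func LegacyRead(sm []byte) []byte {
	if len(sm) < 2 || len(sm) < 2+int(binary.BigEndian.Uint16(sm)) {
		return nil
	}
	return sm[:2+int(binary.BigEndian.Uint16(sm))]
}

// Receive is the terminal-side stage (steps 302-317); process stands in for step 314.
func (t *Terminal) Receive(sm []byte, localtime uint32, process func(m []byte) bool) Result {
	m := LegacyRead(sm) // step 304: locate M, then the timestamp and signature behind it
	if m == nil || len(sm) < len(m)+4+1 || sm[len(sm)-1] != endMark {
		return Dropped // malformed suffix: treated like a failed check
	}
	signed := sm[:len(m)+4] // M||timestamp is what the signature covers
	timestamp := binary.BigEndian.Uint32(sm[len(m):])
	sig := sm[len(m)+4 : len(sm)-1]
	if int64(localtime)-int64(timestamp) >= int64(windowW) { // step 308, as the patent states it
		return Dropped // step 309
	}
	if t.L[timestamp] { // step 310: a known timestamp is a replay even if the clock was rolled back
		return Dropped // step 311
	}
	digest := sha256.Sum256(signed) // step 312: verify with the preset public key
	if !ecdsa.VerifyASN1(t.pub, digest[:], sig) {
		return Dropped // step 313
	}
	if !process(m) { // step 314
		return ProcessedException // step 315
	}
	t.L[timestamp] = true  // step 316: register the timestamp
	return ProcessedNormal // step 317
}

func main() {
	priv, _ := NewMasterKey()
	term := NewTerminal(&priv.PublicKey)
	sm, _ := BuildSM(priv, FrameM([]byte("CTRL breaker 7 OPEN")), 1000)
	ok := func([]byte) bool { return true }
	fmt.Println(term.Receive(sm, 1005, ok), term.Receive(sm, 1005, ok)) // 2 0: accepted, then the replay is dropped
}
```

The list L is what stops a replayed SM once the terminal clock has been moved back inside the window, which the time-window check on its own would accept.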

Claims (5)

1. A method for improving industrial control system communication security, characterized in that the industrial control system comprises a master station side and a terminal side that communicate with each other, and the method is implemented in the following three stages:
(1) preparatory stage before communication;
(2) main website side transmission phase;
(3) end side reception, processing and recovery stage.
2. the method for claim 1, is characterized in that, before the communication of described (1), the preparatory stage comprises the steps:
Step 102: main website lateral root is announced disclosed SM2 ellipse curve public key cipher algorithm for No. 21 according to national Password Management office and generated elliptic curve cryptography key pair, comprises private key PriK and PKI PubK;
Step 104: the key pair of the preset elliptic curve cryptography of main website side, comprises private key PriK and PKI PubK; Private key PriK wherein will deposit preset by encrypted card, encryption chip or encryption equipment;
Step 106: the PKI PubK of the preset main website of end side side.
3. the method for claim 1, is characterized in that, the main website side transmission phase of described (2) comprises the steps:
Step 202: main website adnation becomes to be protected, original important traffic message, described important traffic message is original message M;
Step 204: main website side is filled local time stamp M||timestamp after original message M;
Step 206: main website side after timestamp, fill by the preset private key PriK of main website side to original message M the signed data signature=Sign (M||timestamp, PriK) to this segment data of timestamp;
Step 208: main website side is filled safe packet end mark byte end after signed data, the composite safe message SM (Signature||end) of formation;
Step 210: main website side is sent composite safe message SM to end side.
4. method as claimed in claim 3, is characterized in that, in described step 202, important traffic message is the control message in industrial control system communication protocol; In described step 206, the signature verification that the original message M in communication is carried out is unidirectional signature authentication.
5. The method of claim 1, characterized in that the terminal side reception, processing and recovery stage (3) comprises the steps:
Step 302: the terminal side receives the composite safe message SM;
Step 304: the terminal side extracts the original important traffic message, the timestamp timestamp and the signed data signature from the composite safe message SM;
Step 306: the terminal side reads its local timestamp localtime;
Step 308: compare whether the time difference lies within the reasonable time window W, i.e. (localtime-timestamp) < W; if it lies within the reasonable time window W, go to step 310; otherwise go to step 309; the value of the reasonable time window W is chosen according to the concrete application scenario, and in the industrial control system example is set to 30 seconds.
Step 309: discard the composite safe message SM and return no data;
Step 310: compare whether the important traffic message timestamp timestamp is already in the locally registered timestamp list L; if so, go to step 311; otherwise go to step 312;
Step 311: discard the composite safe message SM and return no data;
Step 312: verify whether the signed data is valid under the public key PubK preset on the terminal side, i.e. ret=verify(signature, PubK), ret=0? If so, go to step 314; otherwise go to step 313;
Step 313: discard the composite safe message SM and return no data;
Step 314: the terminal side processes the original message M and checks whether the result is normal; if normal, go to step 316, otherwise go to step 315;
Step 315: return a processing-exception message;
Step 316: the terminal side registers the important traffic message timestamp timestamp in the timestamp list L;
Step 317: return a processing-normal message.
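The send phase of claim 3 (steps 202 to 210) and the receive phase of claim 5 (steps 302 to 317), as an added example in Python; this is not code from the patent or its applicants. SM2 is not in the Python standard library, so Sign/Verify are stood in for by HMAC-SHA256 under a shared key: PriK and PubK are the same bytes here, which makes the stand-in symmetric rather than public-key, but the message layout and the checks of steps 308 to 316 are the claimed ones. The end-mark byte value, the 8-byte big-endian timestamp encoding, the key bytes and the sample messages are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed values: the claims leave the end-mark byte value and the encoding unspecified.
END_MARK = b"\xff"                       # hypothetical end-mark byte "end" (step 208)
WINDOW_SECONDS = 30                      # reasonable time window W (step 308)
TS_LEN = 8                               # timestamp as 8-byte big-endian seconds (assumption)
SIG_LEN = hashlib.sha256().digest_size   # 32-byte stand-in signature


def sign(data: bytes, prik: bytes) -> bytes:
    """Stand-in for SM2 Sign(): HMAC-SHA256 keyed with PriK (symmetric, not SM2)."""
    return hmac.new(prik, data, hashlib.sha256).digest()


def verify(data: bytes, signature: bytes, pubk: bytes) -> bool:
    """Stand-in for SM2 Verify(); the claim expresses success as ret=0, here as True."""
    expected = hmac.new(pubk, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def build_secure_message(m: bytes, prik: bytes, now: int) -> bytes:
    """Steps 202-208: SM = M || timestamp || Sign(M||timestamp, PriK) || end."""
    ts = struct.pack(">Q", now)              # step 204: local timestamp after M
    signature = sign(m + ts, prik)           # step 206: signature over M||timestamp
    return m + ts + signature + END_MARK     # step 208: end-mark byte closes the packet


class Terminal:
    """Terminal side holding the preset PubK and the registered timestamp list L."""

    def __init__(self, pubk: bytes, process):
        self.pubk = pubk
        self.process = process   # application handler for M; returns True when the result is normal
        self.seen = set()        # timestamp list L (steps 310 and 316)

    def receive(self, sm: bytes, localtime: int):
        """Steps 302-317. Returns None when SM is dropped without reply, else 'exception' or 'normal'."""
        # step 304: parse the fields from the end of the packet; malformed input is dropped
        if not sm.endswith(END_MARK) or len(sm) < len(END_MARK) + SIG_LEN + TS_LEN:
            return None
        body = sm[:-len(END_MARK)]
        signature = body[-SIG_LEN:]
        ts_bytes = body[-SIG_LEN - TS_LEN:-SIG_LEN]
        m = body[:-SIG_LEN - TS_LEN]
        timestamp = struct.unpack(">Q", ts_bytes)[0]
        # steps 308/309: time difference must lie within W (one-sided, exactly as claimed)
        if not (localtime - timestamp) < WINDOW_SECONDS:
            return None
        # steps 310/311: timestamp already registered in L means a replay
        if timestamp in self.seen:
            return None
        # steps 312/313: signature over M||timestamp under the preset PubK
        if not verify(m + ts_bytes, signature, self.pubk):
            return None
        # steps 314/315: process M; an abnormal result is reported and not registered
        if not self.process(m):
            return "exception"
        # steps 316/317: register the timestamp, then report normal processing
        self.seen.add(timestamp)
        return "normal"


if __name__ == "__main__":
    key = b"constructed-shared-key"                       # stands in for the PriK/PubK pair
    terminal = Terminal(key, lambda m: m.startswith(b"CMD"))  # constructed handler
    sm = build_secure_message(b"CMD open breaker 7", key, 1_000_000)
    print(terminal.receive(sm, 1_000_005))   # normal
    print(terminal.receive(sm, 1_000_006))   # None: replay, timestamp already in L
```

Two consequences of the claimed ordering are visible in the code: the window test is one-sided, so a timestamp ahead of localtime passes step 308, and a timestamp is only registered in L after normal processing (step 316), so a message whose processing returned an exception is not treated as a replay when it arrives again. The list L only needs to retain timestamps younger than W, since older ones are already rejected at step 308.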
CN201410240791.5A 2014-05-30 2014-05-30 Strengthen the method for communications security in a kind of industrial control system Active CN104079408B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410240791.5A CN104079408B (en) 2014-05-30 2014-05-30 Strengthen the method for communications security in a kind of industrial control system

Publications (2)

Publication Number Publication Date
CN104079408A true CN104079408A (en) 2014-10-01
CN104079408B CN104079408B (en) 2018-01-19

Family

ID=51600466

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410240791.5A Active CN104079408B (en) 2014-05-30 2014-05-30 Strengthen the method for communications security in a kind of industrial control system

Country Status (1)

Country Link
CN (1) CN104079408B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105491060A (en) * 2015-12-30 2016-04-13 北京神州绿盟信息安全科技股份有限公司 Method and device for defending attack of distribution denial of service (DDOS), client and defense device
CN106291603A (en) * 2016-07-29 2017-01-04 中传数广(合肥)技术有限公司 Guarantee method, terminal and the system applying data correctly to export
CN108833346A (en) * 2018-05-04 2018-11-16 北京天元创新科技有限公司 A kind of industrial control system safety communicating method and device
CN111049657A (en) * 2019-12-10 2020-04-21 成都理工大学 CAN bus network equipment node access authority management method and system
CN113472520A (en) * 2021-08-07 2021-10-01 山东省计算中心(国家超级计算济南中心) ModbusTCP (Transmission control protocol) security enhancement method and system
CN115086955A (en) * 2022-05-17 2022-09-20 中国科学院沈阳自动化研究所 Industrial control system-oriented wireless half-duplex communication time synchronization system and method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101175076A (en) * 2007-10-23 2008-05-07 赵运磊 High-efficiency, deniable, safety-unforgeable cryptographic key exchanging protocol of on-line computation
CN101441693A (en) * 2008-11-25 2009-05-27 西安理工大学 Security protection method for electric document digital signing based on elliptical curve
CN101800989A (en) * 2010-01-19 2010-08-11 重庆邮电大学 Anti-replay-attack system for industrial wireless network
US20120303973A1 (en) * 2009-09-29 2012-11-29 James Newsome Method for protecting sensor data from manipulation and sensor to that end
CN103490895A (en) * 2013-09-12 2014-01-01 北京斯庄格科技有限公司 Industrial control identity authentication method and device with state cryptographic algorithms

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105491060A (en) * 2015-12-30 2016-04-13 北京神州绿盟信息安全科技股份有限公司 Method and device for defending attack of distribution denial of service (DDOS), client and defense device
WO2017114175A1 (en) * 2015-12-30 2017-07-06 北京神州绿盟信息安全科技股份有限公司 Method, apparatus, client and device for defending distributed denial of service attack
CN105491060B (en) * 2015-12-30 2019-07-02 北京神州绿盟信息安全科技股份有限公司 Method, apparatus, client and the equipment of defending distributed denial of service attack
US10812524B2 (en) 2015-12-30 2020-10-20 NSFOCUS Information Technology Co., Ltd. Method, and devices for defending distributed denial of service attack
US10812525B2 (en) 2015-12-30 2020-10-20 NSFOCUS Information Technology Co., Ltd. Method and system for defending distributed denial of service attack
CN106291603A (en) * 2016-07-29 2017-01-04 中传数广(合肥)技术有限公司 Guarantee method, terminal and the system applying data correctly to export
CN108833346A (en) * 2018-05-04 2018-11-16 北京天元创新科技有限公司 A kind of industrial control system safety communicating method and device
CN111049657A (en) * 2019-12-10 2020-04-21 成都理工大学 CAN bus network equipment node access authority management method and system
CN111049657B (en) * 2019-12-10 2021-04-20 成都理工大学 CAN bus network equipment node access authority management method and system
CN113472520A (en) * 2021-08-07 2021-10-01 山东省计算中心(国家超级计算济南中心) ModbusTCP (Transmission control protocol) security enhancement method and system
CN115086955A (en) * 2022-05-17 2022-09-20 中国科学院沈阳自动化研究所 Industrial control system-oriented wireless half-duplex communication time synchronization system and method

Also Published As

Publication number Publication date
CN104079408B (en) 2018-01-19

Similar Documents

Publication Publication Date Title
CN103095696B (en) A kind of authentication and cryptographic key negotiation method being applicable to power information acquisition system
CN103581173B (en) Safe data transmission method, system and device based on industrial Ethernet
CN101917270B (en) Weak authentication and key agreement method based on symmetrical password
CN103618610A (en) Information safety algorithm based on energy information gateway in smart power grid
CN104079408A (en) Method for enhancing communication safety in industrial control system
CN101753553B (en) Safety isolating and message switching system and method
EP2590356A1 (en) Method, device and system for authenticating gateway, node and server
CN103491072A (en) Boundary access control method based on double one-way separation gatekeepers
CN104158653A (en) Method of secure communication based on commercial cipher algorithm
CN107395312A (en) A kind of secure network method for synchronizing time and device
CN102780698A (en) User terminal safety communication method in platform of Internet of Things
CN103281224B (en) CAN safety communicating method in a kind of intelligent lighting system
CN104811427B (en) A kind of safe industrial control system communication means
CN103873461A (en) IEC62351-based security interaction method for GOOSE message
CN103546486A (en) SYN Cookie source authentication method and device for preventing DDOS attack
CN102137095A (en) Industrial control system data exchange safety protection method and system and device thereof
CN103746962A (en) GOOSE electric real-time message encryption and decryption method
CN101729871B (en) Method for safe cross-domain access to SIP video monitoring system
CN112422560A (en) Lightweight substation secure communication method and system based on secure socket layer
CN102377571A (en) Method and system for implementing IEC104 message transmission
CN110098939A (en) Message authentication method and device
CN108833346A (en) A kind of industrial control system safety communicating method and device
WO2023236551A1 (en) Decentralized trusted access method for cellular base station
CN111541776A (en) Safe communication device and system based on Internet of things equipment
CN114003970A (en) Hash chain-based low-overhead message integrity protection method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20160425

Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant after: State Grid Corporation of China

Applicant after: China Electric Power Research Institute

Applicant after: State Grid Smart Grid Institute

Address before: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant before: State Grid Corporation of China

Applicant before: China Electric Power Research Institute

CB02 Change of applicant information

Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant after: State Grid Corporation of China

Applicant after: China Electric Power Research Institute

Applicant after: GLOBAL ENERGY INTERCONNECTION RESEARCH INSTITUTE

Address before: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant before: State Grid Corporation of China

Applicant before: China Electric Power Research Institute

Applicant before: State Grid Smart Grid Institute

COR Change of bibliographic data
GR01 Patent grant