A method for improving the security of the RSSP-II protocol
Technical Field
The present invention relates to a method for improving the security of the RSSP-II protocol in railway signalling networks. It belongs to the field of railway signalling systems, and in particular to the field of secure communication between railway system devices.
Background
Secure communication plays a vital role in railway signalling systems. Once communication signals in the railway are eavesdropped on, tampered with or even forged by an attacker, the railway signalling system will fail, possibly even causing train operation accidents and bringing immeasurable loss to the country and its people. For this reason, railway signalling systems use the RSSP-II (Railway Signal Security Protocol) protocol to secure communication between key railway system devices. The RSSP-II protocol specifies the functional structure for exchanging safety-related information between signalling safety devices over closed or open networks, and it is widely used in current railway signalling systems.
The safety functions of the RSSP-II protocol are divided into two layers: the Message Authentication Safety Layer (MASL) and the Safe Application Intermediate sub-layer (SAI). The core function of the MASL is to generate a message authentication code (MAC), which guarantees message integrity while providing message source authentication, so that user data is transmitted safely and messages cannot be tampered with or forged by a third party. The SAI adds information such as sequence numbers and counters/timestamps to messages in order to resist attacks such as message repetition, deletion, reordering and delay.
In the RSSP-II protocol, the block-cipher-based CBC-MAC mode, recommended algorithm 3 (the Retail MAC algorithm), is used as the message authentication code algorithm in the MASL, with DES as the underlying block cipher. With the rapid development of cryptanalysis, the weaknesses of CBC-MAC and DES have become increasingly apparent, and these weaknesses give a malicious attacker covert means of attack: once the algorithms are broken, the attacker can discard, tamper with or even forge messages transmitted in the railway signalling system, and in turn control the whole railway signalling network. Moreover, messages processed with DES and CBC-MAC currently receive only integrity protection; the message content is still transmitted in plaintext, which poses a serious hidden danger to the information security of the railway signalling system. The prior art has made some improvements to address these problems, such as appending to RSSP-II data messages an authentication trailer that stores a hash check value of the message, or replacing DES in the RSSP-II protocol with AES, but such improvements do not fundamentally solve the security problems in the current RSSP-II protocol. RSSP-II is the core protocol of all high-speed rail signalling safety communication, and existing security analyses conclude that it has serious security weaknesses that directly threaten the operational safety of high-speed railways. A comprehensive improvement to the security of the current RSSP-II protocol is therefore urgently needed.
Summary of the Invention
The purpose of the invention is to address the security deficiencies of the existing RSSP-II protocol by proposing a method that effectively improves its security, thereby resolving the security risks in the current RSSP-II protocol and ensuring the safe transmission of messages between devices in railway signalling systems.
To achieve the above purpose, the invention adopts the following technical solution:
A method for improving the security of the RSSP-II protocol, used in railway signalling systems that employ the RSSP-II protocol in order to improve the security of communication between key railway system devices, where signalling safety devices exchange safety-related information over closed or open networks. The method comprises the following technical means:
1) introducing a selection and negotiation mechanism for block cipher algorithms and block cipher modes of operation, and adding a block cipher algorithm list and a block cipher mode of operation list;
2) among the block cipher modes of operation, introducing, in addition to the authentication mode, the authenticated encryption with associated data mode as an enhanced security mode;
3) limiting the maximum allowable number of messages in a single secure connection;
4) strengthening the checks on the content of received packets.
The selection and negotiation mechanism for block cipher algorithms and block cipher modes of operation runs during the peer entity authentication procedure, when the calling device and the called device establish a connection, and selects the block cipher algorithm and the block cipher mode of operation used by the session. The block cipher algorithm list is used by the calling party to send the callee the block cipher algorithms that the calling party supports; the block cipher mode of operation list is used by the calling party to send the callee the block cipher modes of operation that the calling party supports.
On the basis of the above technical solution, the invention can also be refined as follows.
Further, the steps of the negotiation mechanism for block cipher algorithms and block cipher modes of operation are:
Step 1: When peer entity authentication starts, the calling party sends the callee the block cipher algorithm list and the block cipher mode of operation list that it supports;
Step 2: According to its local security policy, the callee selects, from the block cipher algorithm list and the block cipher mode of operation list sent by the calling party, the block cipher algorithm and the block cipher mode of operation to be used by the subsequent session;
Step 3: The callee computes a MAC over the block cipher algorithm list and block cipher mode of operation list sent by the calling party together with the block cipher algorithm and block cipher mode of operation fields it has chosen;
Step 4: The callee sends the calling party a message containing the block cipher algorithm and block cipher mode of operation selected in step 2 and the MAC computed in step 3;
Step 5: After receiving the message sent by the callee, the calling party verifies it. If verification passes, it proceeds to step 6; if verification fails, the calling party drops the connection and restarts the connection establishment procedure;
Step 6: The calling party sends a confirmation message to the callee.
Further, the block cipher algorithm list is used by the calling party to send the callee the block cipher algorithms that the calling party supports. Users can flexibly choose the block cipher algorithms in it; to ensure security, it is recommended to choose publicly available domestic or international block cipher standards with a block length equal to 128 bits and a key length greater than or equal to 128 bits.
Further, the block cipher mode of operation list is used to give the callee the block cipher modes of operation that the calling party supports. Users can flexibly choose the modes of operation in it; to ensure security, it is recommended to choose modes of operation that have a complete security proof and high implementation efficiency, and internationally published standards may be considered.
Further, the block cipher modes of operation in the block cipher mode of operation list are of two types: the authentication mode and the authenticated encryption with associated data mode (Authenticated Encryption with Associated Data, AEAD). The authentication mode verifies message integrity by computing a MAC; the AEAD mode checks the integrity of the associated data while also encrypting and integrity-checking the non-associated data.
Further, the block cipher algorithm and the block cipher mode of operation work together and, depending on the mode of operation selected, provide different protection for the messages to be processed: when the authentication mode is selected, messages receive integrity protection; when the authenticated encryption with associated data mode is selected, messages receive both integrity and confidentiality protection.
Further, limiting the maximum allowable number of messages in a single secure connection serves to reduce the likelihood of a MAC collision within the lifetime of a single secure connection. First, a suitable maximum allowable message count for a single secure connection is set according to the actual conditions of the railway signalling network; second, the messages in a single secure connection are counted, and when the message total reaches the limit the secure connection is restarted.
Further, the method for strengthening the checks on the content of received packets includes:
The recipient checks each packet it receives; if meaningless garbled data of more than 4 consecutive bytes appears, the recipient drops the original connection and re-establishes a secure connection with the sender;
When checking a packet, if the packet cannot be parsed, or parsing yields abnormal parameters, or a similar situation occurs, the recipient should drop the original connection and re-establish a secure connection with the sender.
The beneficial effects of the invention are as follows:
1. Compared with the prior art, introducing the block cipher algorithm list, the block cipher mode of operation list and the algorithm negotiation mechanism greatly improves the security, generality, flexibility and robustness of the system. First, each block cipher algorithm recommended for the block cipher algorithm list has a block length and key length of 128 bits or more, which is stronger than the 64-bit block length and the key length used by DES, and this improves the security of the whole system. Second, a single device that uses the block cipher algorithm list and the block cipher mode of operation list can support the security standards of different countries and regions, which favours the export of equipment and, further, the export of China's high-speed rail. Third, when the block cipher algorithm list or the block cipher mode of operation list is modified, only the corresponding algorithm module needs to be updated and other algorithm modules are unaffected, which ensures the flexibility of the system. Finally, when it is detected that signals in the system have been cracked, devices that use the two lists allow the railway operator to switch the block cipher algorithm and its mode of operation quickly, reacting to the attack promptly and effectively within a short time and preventing further damage by the attacker;
2. The invention introduces AE schemes (Authenticated Encryption, here meaning authenticated encryption schemes based on block ciphers) into the RSSP-II protocol to secure railway signalling communication, and doing so is highly feasible. First, compared with the prior art, AE schemes have outstanding security advantages: 1) they can provide end-to-end encryption services, solving the problem that some messages in railway signalling systems are transmitted in plaintext; 2) they can offer security that exceeds the strongest known security definitions, ensuring the safe transmission of railway system signals to the greatest extent. Second, the authenticated encryption with associated data mode (AEAD) is by now highly mature and is functionally fully able to meet the needs of railway signal transmission, and typical AE schemes all provide support for AEAD. Finally, replacing plain encryption or authentication schemes with AE schemes is already widespread in network security protocols such as TLS, IPsec and 802.11i;
3. Limiting the maximum allowable number of messages in a single connection effectively reduces the probability of a MAC collision within a single secure connection, and so reduces the likelihood of the system being subjected to a birthday attack;
4. When an attacker has cracked the session key and disrupts the communication system with erroneous or garbled packets, strengthening the packet content checks and restarting the secure connection increases the sensitivity of the system and prevents the attacker from using the cracked key for follow-on attacks.
Brief Description of the Drawings
Fig. 1 is a schematic diagram of the negotiation process for the block cipher algorithm and block cipher mode of operation;
Fig. 2 is a structure diagram of the block cipher algorithm list field (ENATY, Encryption Algorithm Type);
Fig. 3 is a structure diagram of the block cipher mode of operation list field (MDTY, Mode Type);
Fig. 4 is a structure diagram of the selected block cipher algorithm field (CKENA, Checked Encryption Algorithm);
Fig. 5 is a structure diagram of the selected block cipher mode of operation field (CKMD, Checked Mode);
Fig. 6 is a schematic diagram of the mechanism for limiting the maximum allowable number of messages in a single secure connection.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The examples serve only to explain the invention and are not intended to limit its scope.
The invention addresses the security of the RSSP-II protocol in railway signalling systems. It introduces a selection and negotiation mechanism for block cipher algorithms and block cipher modes of operation, and adds a block cipher algorithm list and a block cipher mode of operation list; among the block cipher modes of operation, in addition to the authentication mode, it introduces the authenticated encryption with associated data mode as an enhanced security mode; it limits the maximum allowable number of messages in a single secure connection; and it strengthens the checks on the content of received packets.
The block cipher algorithms in the block cipher algorithm list are chosen to satisfy the following condition: the algorithm is a publicly available domestic or international block cipher standard with a block length equal to 128 bits and a key length greater than or equal to 128 bits.
The block cipher modes of operation in the block cipher mode of operation list are of two types: the authentication mode and the authenticated encryption with associated data mode. In addition, to overcome the defect that message content is still transmitted in plaintext after processing with the current block cipher algorithm and block cipher mode of operation, it is recommended that the modes in the block cipher mode of operation list sent by the calling party in the algorithm negotiation mechanism select the authenticated encryption with associated data mode, which ensures message confidentiality while the message is integrity-checked.
The encryption algorithm selection and negotiation mechanism runs during the peer entity authentication procedure, when the calling device and the called device establish a secure connection. For the detailed steps of the original peer entity authentication procedure, see the Euroradio functional interface specification (specification number "Euroradio FIS subset-037"). The peer entity authentication procedure with algorithm selection negotiation added is shown in Fig. 1. The encryption algorithm selection and negotiation mechanism comprises the following steps:
Step 1: The calling party sends the callee message 1, containing the block cipher algorithm list (ENATY, Encryption Algorithm Type) and the block cipher mode of operation list (MDTY, Mode Type) that it supports;
Step 2: After receiving message 1 from the calling party, the callee selects, according to its local security policy, the block cipher algorithm and the block cipher mode of operation to be used by the subsequent session from the block cipher algorithm list and block cipher mode of operation list sent by the calling party. The selected block cipher algorithm is denoted CKENA (Checked Encryption Algorithm) and the selected block cipher mode of operation is denoted CKMD (Checked Mode);
Step 3: Using CBC-MAC, the callee computes a MAC over the block cipher algorithm list (ENATY) and block cipher mode of operation list (MDTY) sent by the calling party and the block cipher algorithm (CKENA) and block cipher mode of operation (CKMD) fields it has selected: CBC-MAC(KS, Text3|RA|CKENA|CKMD|RB|ENATY|MDTY|DA|p);
Step 4: The callee sends the calling party message 2, containing the block cipher algorithm (CKENA) and block cipher mode of operation (CKMD) selected in step 2 and the MAC computed in step 3;
Step 5: After receiving message 2, the calling party verifies it using the CBC-MAC algorithm. If verification passes, it proceeds to step 6; if verification fails, the calling party drops the connection and restarts the connection establishment procedure;
Step 6: The calling party sends a confirmation message to the callee.
For ease of explanation, assume that there are 8 candidate block cipher algorithms available to the block cipher algorithm list. Then, as shown in Fig. 2, the block cipher algorithm list field (ENATY, Encryption Algorithm Type) consists of 8 bits, each taking the value "0" or "1": "0" means the calling party does not support that candidate block cipher algorithm, and "1" means the calling party supports it (the calling party and the callee maintain a pre-agreed, unified set of block cipher algorithm identifiers). For example, block cipher algorithm A corresponds to the 1st candidate block cipher algorithm in the ENATY field and block cipher algorithm B to the 2nd. When the ENATY field has the value "01010011", the calling party supports the pre-agreed 2nd, 4th, 7th and 8th block cipher algorithms.
For ease of explanation, assume that there are 8 candidate block cipher modes of operation available to the block cipher mode of operation list. Then, as shown in Fig. 3 and similarly to the definition of the ENATY field, the block cipher mode of operation list field (MDTY, Mode Type) consists of 8 bits, each taking the value "0" or "1": "0" means the calling party does not support that candidate block cipher mode of operation, and "1" means the calling party supports it.
As shown in Fig. 4, the block cipher algorithm field selected by the callee (CKENA, Checked Encryption Algorithm) consists of 4 bits, each taking the value "0" or "1". Its decimal value identifies the block cipher algorithm selected by the callee (the calling party and the callee maintain a pre-agreed, unified set of block cipher algorithm identifiers). For example, the CKENA value "0001" means the callee has selected the pre-agreed 1st block cipher algorithm as the session's block cipher algorithm, and "0011" means the callee has selected the pre-agreed 3rd block cipher algorithm as the session's block cipher algorithm.
As shown in Fig. 5, and similarly to the definition of the CKENA field, the block cipher mode of operation field selected by the callee (CKMD, Checked Mode) consists of 4 bits, each taking the value "0" or "1". Its decimal value identifies the block cipher mode of operation selected by the callee (the calling party and the callee maintain a pre-agreed, unified set of identifiers).
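The negotiation steps and the ENATY/MDTY/CKENA/CKMD encodings described above can be exercised together. The following is an added example, not part of the patent text: the function names are hypothetical, HMAC-SHA256 stands in for the CBC-MAC named in step 3, and packing CKENA and CKMD into one byte is an assumption of the sketch.

```python
import hashlib
import hmac

def decode_list(field):
    """8-bit ENATY/MDTY value -> supported candidate numbers (leftmost bit = 1st)."""
    return [i + 1 for i in range(8) if field & (0x80 >> i)]

def encode_list(numbers):
    """Inverse of decode_list: candidate numbers 1..8 -> 8-bit list field."""
    field = 0
    for n in numbers:
        field |= 0x80 >> (n - 1)
    return field

def negotiation_mac(ks, text3, ra, rb, da, enaty, mdty, ckena, ckmd):
    # Field order follows step 3: Text3|RA|CKENA|CKMD|RB|ENATY|MDTY|DA.
    # Assumptions: HMAC-SHA256 replaces CBC-MAC, and the two 4-bit selections
    # share one byte; the padding p is left to the MAC primitive.
    selected = bytes([(ckena << 4) | ckmd])
    data = text3 + ra + selected + rb + bytes([enaty, mdty]) + da
    return hmac.new(ks, data, hashlib.sha256).digest()

def callee_respond(ks, ctx, enaty, mdty, alg_policy, mode_policy):
    """Steps 2-4: choose by local policy (ordered preference) and MAC the result."""
    ckena = next((a for a in alg_policy if a in decode_list(enaty)), None)
    ckmd = next((m for m in mode_policy if m in decode_list(mdty)), None)
    if ckena is None or ckmd is None:
        raise ValueError("no mutually supported algorithm or mode")
    mac = negotiation_mac(ks, *ctx, enaty, mdty, ckena, ckmd)
    return {"ckena": ckena, "ckmd": ckmd, "mac": mac}

def caller_verify(ks, ctx, sent_enaty, sent_mdty, msg2):
    """Step 5: check the choice was offered, then recompute the MAC over the
    lists the caller itself sent, so a list altered in transit is detected."""
    if msg2["ckena"] not in decode_list(sent_enaty):
        return False
    if msg2["ckmd"] not in decode_list(sent_mdty):
        return False
    expected = negotiation_mac(ks, *ctx, sent_enaty, sent_mdty,
                               msg2["ckena"], msg2["ckmd"])
    return hmac.compare_digest(expected, msg2["mac"])

def demo():
    ks = b"constructed-session-key"                      # constructed sample values
    ctx = (b"Text3", b"\x0a" * 8, b"\x0b" * 8, b"DA")     # Text3, RA, RB, DA
    enaty, mdty = 0b01010011, encode_list([1, 2])
    msg2 = callee_respond(ks, ctx, enaty, mdty, [4, 2], [2, 1])
    accepted = caller_verify(ks, ctx, enaty, mdty, msg2)
    # Callee received a list reduced to candidate 8; the choice is one the caller
    # offered, but the MAC covers a different ENATY and verification fails.
    altered = callee_respond(ks, ctx, encode_list([8]), mdty, [4, 2, 8], [2, 1])
    rejected = not caller_verify(ks, ctx, enaty, mdty, altered)
    return msg2["ckena"], msg2["ckmd"], accepted, rejected

if __name__ == "__main__":
    print(demo())
```

Because the MAC covers ENATY and MDTY as the callee received them, the calling party's recomputation over its own copies is what ties the selection to the lists actually offered.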
As shown in Fig. 6, the steps for limiting the maximum allowable number of messages in a single secure connection are as follows:
Step 1: After the session's secure connection is established, the callee initialises a message counter, which counts the subsequent session messages of both communicating parties;
Step 2: Whenever a message from the calling party arrives or the callee sends a message, the counter value is incremented by one;
Step 3: When the arrival of a calling-party message or the sending of a callee message brings the counter to the set threshold, the callee notifies the calling party to restart the secure connection, drops the current connection and closes the message counter;
Step 4: After the secure connection is dropped, the calling party resends a secure connection establishment request to restart the secure connection.
To determine the maximum allowable message count for a single connection, different maximum allowable message counts need to be set for different railway signalling scenarios. Assuming that an eavesdropper has monitored 10^6 secure connections, then in order to keep the probability of a successful birthday attack within one in ten thousand, it is recommended to limit the threshold for the total number of messages in a single connection to within 2^16.
The method for strengthening the checks on the content of received packets includes:
When the callee checks a packet it has received, if meaningless garbled data of more than 4 consecutive bytes appears, the callee drops the original connection and notifies the calling party to re-establish the secure connection;
When checking a packet, if the packet cannot be parsed, or multi-byte garbled data keeps appearing, or a similar situation occurs, the callee should drop the original connection and notify the calling party to re-establish the secure connection.