CN106941494A - Security isolation gateway for a power consumption information acquisition system and method of using it - Google Patents


Publication number
CN106941494A
Authority
CN (China)
Legal status
Pending
Application number
CN201710202842.9A
Other languages
Chinese (zh)
Inventors
翟峰
梁晓兵
赵兵
付义伦
刘鹰
吕英杰
许斌
岑炜
李保丰
曹永峰
张庚
孔令达
徐萌
冯云
袁泉
冯占成
杨全萍
任博
周琪
徐文静
卢艳
韩文博
李丽丽
Current Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Original Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Application filed by State Grid Corp of China SGCC and China Electric Power Research Institute Co Ltd CEPRI
Priority application: CN201710202842.9A
Publication: CN106941494A

Classifications (CPC, all under H04L63/00 Network architectures or network communication protocols for network security)

    • H04L63/0209 Separating internal from external traffic (firewalls): architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0236 Separating internal from external traffic (firewalls): filtering policies; filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L63/0428 Confidential data exchange between entities communicating over packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/083 Authentication of entities using passwords

Abstract

The present invention relates to a security isolation gateway for a power consumption information acquisition system and to a method of using it. The security isolation gateway comprises: an inner-network processing unit, which receives messages sent by the acquisition server, encapsulates their pure application data and sends it to the isolation exchange unit, and receives from the isolation exchange unit the data sent by the outer-network processing unit; an outer-network processing unit, which receives messages sent by acquisition terminals, encapsulates their pure application data and sends it to the isolation exchange unit, and receives from the isolation exchange unit the data sent by the inner-network processing unit; an isolation exchange unit, located between the inner-network and outer-network processing units, which stores the pure application data transmitted by the two processing units and completes a controlled exchange of that data between them; and a cryptographic processing unit, which performs the cryptographic protocol check and provides cryptographic verification and decryption services for the data flowing through the isolation exchange unit.

Description

Security isolation gateway for a power consumption information acquisition system and method of using it
Technical field
The present invention relates to the field of information security technology, and more particularly to a security isolation gateway for a power consumption information acquisition system.
Background technology
A power consumption information acquisition system is a key business system of the residential and commercial electricity supply infrastructure. By collecting and analysing the consumption data of distribution transformers and end users, it provides power monitoring, tiered pricing, load management and line-loss analysis, and ultimately enables automatic meter reading, off-peak consumption, electricity inspection (anti-theft), load forecasting and energy-saving cost reduction.
Because the master station of the acquisition system aggregates the consumption information of many users and also carries out important operations such as remote switch-on and switch-off of meters and the issuing of tariff information, it is classified as a Level 3 information system under the Multi-Level Protection Scheme (MLPS) and must adopt stricter boundary protection measures. In accordance with the Regulations on the Security Protection of Electric Power Monitoring Systems (National Development and Reform Commission Order No. 14 of 2014), current master stations provide a secure marketing access zone for acquisition terminals; AAA authentication servers, firewalls and an intrusion prevention system (IPS) are deployed in that zone, giving preliminary boundary protection. However, the master station and the terminal devices interact using dedicated protocols, and general-purpose firewall-class devices lack the ability to parse and filter the data of these protocols. The access-control requirements of MLPS Level 3 therefore call for a technical means at the master station boundary to analyse and filter this dedicated-protocol traffic.
For a power consumption information acquisition system, the two most serious classes of security risk are disruption of the normal operation of the master station and tampering with, forging or replaying downstream control commands (that is, attacks on their authenticity). Once such an incident occurs, it seriously affects the normal electricity supply of residents and enterprises. At present the system protects downstream control and parameter-setting commands at the application layer using a cipher machine and ESAM chips. But because the master station and the terminals mostly communicate over wireless networks, which are comparatively open, and the communication link between them has no protection of its own, the transmitted data is at risk of interception, forgery and tampering. A dedicated security isolation gateway is therefore urgently needed in the secure access zone at the master station boundary to guarantee the safe and reliable operation of the acquisition system.
Summary of the invention
To solve the problems present in the background art, the present invention provides a security isolation gateway for a power consumption information acquisition system. The security isolation gateway comprises:
an inner-network processing unit, which receives from the isolation exchange unit pure application data that has passed the cryptographic check and decryption of the cryptographic processing unit and sends it to the acquisition server of the acquisition system; and which performs identity discrimination and authentication of the acquisition server, receives messages from an acquisition server that has passed identity discrimination and authentication, performs a format check on each message, and encapsulates the pure application data of the messages that pass the format check and sends it to the isolation exchange unit;
an outer-network processing unit, which performs identity discrimination and authentication of acquisition terminals, receives messages from an acquisition terminal that has passed identity discrimination and authentication, performs a format check on each message, encapsulates the pure application data of the messages that pass the format check and sends it to the isolation exchange unit; and which receives from the isolation exchange unit pure application data that has passed the cryptographic check and decryption of the cryptographic processing unit and sends it to the acquisition terminal; after receiving a message from an acquisition terminal, the outer-network processing unit checks its format against the SAL protocol message format;
an isolation exchange unit, located between the inner-network processing unit and the outer-network processing unit, which receives the pure application data sent by the outer-network processing unit and, after the cryptographic processing unit has completed the cryptographic protocol check, cryptographic verification and decryption of that data, sends it to the inner-network processing unit; and which receives the pure application data sent by the inner-network processing unit and, after the cryptographic processing unit has completed the cryptographic protocol check, cryptographic verification and decryption of that data, sends it to the outer-network processing unit, thereby completing a controlled exchange of pure application data between the inner-network and outer-network processing units; and
a cryptographic processing unit, which performs the cryptographic protocol check and provides cryptographic verification and decryption services for the data flowing through the isolation exchange unit.
Further, the isolation exchange unit comprises a field-programmable gate array (FPGA) module and a dual-port static random access memory (SRAM) module. The FPGA module generates control signals that give the inner-network and outer-network processing units time-shared, mutually exclusive access to the SRAM module: while the isolation exchange unit is connected to one of the two processing units, its connection to the other is completely broken. The dual-port SRAM module stores the pure application data being exchanged between the inner-network and outer-network processing units.
Further, the security isolation gateway uses the isolation hand-off technique of a red-black isolation architecture. The outer-network processing unit and the inner-network processing unit each comprise an Ethernet interface and a memory interface, wherein:
the Ethernet interface of the outer-network processing unit receives the data messages sent by acquisition terminals that have passed terminal authentication and sends the pure application data delivered by the isolation exchange unit to the acquisition terminal; on receiving the control signal issued by the isolation exchange unit, the memory interface sends the pure application data encapsulated by the outer-network processing unit to the isolation exchange unit and receives the pure application data stored in the dual-port SRAM module of the isolation exchange unit;
on receiving the control signal issued by the isolation exchange unit, the memory interface of the inner-network processing unit receives the pure application data stored in the dual-port SRAM module of the isolation exchange unit and sends the pure application data encapsulated by the inner-network processing unit to the isolation exchange unit; the Ethernet interface sends the pure application data received by the memory interface to the acquisition server and receives messages from an acquisition server that has passed identity discrimination and authentication.
Further, the security isolation gateway establishes separate network connections on the inner-network processing unit and on the outer-network processing unit: through the FPGA module of the isolation exchange unit, the connection between the gateway and an acquisition terminal is terminated at the outer-network processing unit, and the connection with the acquisition server is terminated at the inner-network processing unit, which effectively prevents an attacker from reaching the inner network through the outer-network host system. The inner-network processing unit and the outer-network processing unit belong to different address spaces, so the internal addresses are hidden.
Further, the security isolation gateway implements an access authentication mechanism for acquisition servers and acquisition terminals, using a dual-key system that combines a symmetric algorithm with an asymmetric algorithm to authenticate both. When an acquisition terminal accesses the master station, an identity discrimination mechanism based on digital signatures uses the terminal certificate and key embedded in the terminal to verify the terminal's legitimacy, defending against an illegal terminal (for example, one using a cloned SIM card) that has obtained a communication link and then tries to establish a business connection with the master station. The authentication system uses a security protocol based on a pre-provisioned shared key and certificates: the terminal receives the session request message and verifies its digital signature, completing identity verification and discrimination of the dedicated security isolation gateway; likewise the security isolation gateway verifies the signature on the session response message, completing identity discrimination of the terminal.
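The two-message exchange just described, as an added example that is not the patent's own code: the gateway signs its session request, the terminal verifies the signature against the gateway's certificate and signs its session response, and the gateway verifies that, so each side proves possession of the private key behind its embedded certificate (the asymmetric half of the dual-key system); both sides then derive the session key from the pre-provisioned shared key and the two fresh nonces (the symmetric half). Textbook RSA over SHA-256 without padding, the HMAC-based key derivation, the message layout and every identifier below are assumptions made for the example; the patent names neither its signature scheme nor its symmetric algorithm. A certificate is modelled as the peer's bare public key.

```python
import hashlib
import hmac
import math
import random
import secrets


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Textbook RSA key pair as (private=(n, d), public=(n, e)); 512 bits is for speed only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, pow(e, -1, phi)), (p * q, e)


def rsa_sign(priv, msg: bytes) -> int:
    """Unpadded hash-then-sign: a toy stand-in for the patent's unnamed signature scheme."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), d, n)


def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")


class Endpoint:
    """Gateway or terminal: its identifier, its own private key, the peer's certificate
    (modelled as the peer's public key) and the pre-provisioned shared key (PSK)."""

    def __init__(self, ident: bytes, priv, peer_pub, psk: bytes):
        self.ident, self.priv, self.peer_pub, self.psk = ident, priv, peer_pub, psk
        self.nonce = None          # this side's nonce for the current exchange
        self.session_key = None

    def _signed(self, kind: bytes):
        self.nonce = secrets.token_bytes(16)
        body = b"|".join([kind, self.ident, self.nonce.hex().encode()])
        return body, rsa_sign(self.priv, body)

    def _verify(self, body: bytes, sig: int, kind: bytes) -> bytes:
        # asymmetric part: the peer must hold the private key behind its certificate
        if not rsa_verify(self.peer_pub, body, sig):
            raise PermissionError("digital signature does not verify against peer certificate")
        got_kind, _peer_ident, nonce_hex = body.split(b"|")
        if got_kind != kind:
            raise PermissionError("unexpected message type")
        return bytes.fromhex(nonce_hex.decode())

    def _derive(self, gw_nonce: bytes, term_nonce: bytes) -> None:
        # symmetric part: the session key is bound to the PSK and to both fresh nonces
        self.session_key = hmac.new(self.psk, b"session" + gw_nonce + term_nonce, hashlib.sha256).digest()

    # gateway side
    def session_request(self):
        return self._signed(b"SESSION_REQ")

    def on_session_response(self, body: bytes, sig: int) -> None:
        self._derive(self.nonce, self._verify(body, sig, b"SESSION_RESP"))

    # terminal side
    def on_session_request(self, body: bytes, sig: int):
        gw_nonce = self._verify(body, sig, b"SESSION_REQ")
        response = self._signed(b"SESSION_RESP")
        self._derive(gw_nonce, self.nonce)
        return response


def establish_session(gateway: Endpoint, terminal: Endpoint) -> bool:
    """Run the exchange end to end; True when both sides hold the same session key."""
    response = terminal.on_session_request(*gateway.session_request())
    gateway.on_session_response(*response)
    return gateway.session_key is not None and gateway.session_key == terminal.session_key
```

A cloned-SIM terminal can obtain the link and may even know the shared key, but it cannot produce a response signature that verifies against the genuine terminal certificate the gateway holds, so `establish_session` raises `PermissionError` before any session key exists.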
Further, when multiple acquisition terminals access the system, the security isolation gateway operates in cluster mode, and keys are shared between the security isolation gateways of the cluster through a key sharing server. After a security isolation gateway and an acquisition terminal complete session key negotiation, the session key ciphertext is uploaded to the key sharing server in real time, and the gateway cluster synchronises session keys through that server. When acquisition terminals access the system they are assigned to different gateways in a balanced way according to the communication policy configured for the acquisition system. When a gateway in the cluster fails, the acquisition terminals it carried are redistributed to the other gateways in the cluster; the gateway that takes over obtains the session key data of the newly assigned terminals from the key sharing server, takes over from the failed gateway and serves those terminals, so that business data is not interrupted.
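A software model of the clustered mode described above, added here and not part of the patent: session keys are uploaded to a key sharing server in wrapped form only, terminals are assigned to the least-loaded live gateway, and when a gateway fails its terminals are redistributed and the take-over gateway fetches the keys it lacks from the server, so a terminal's already-authenticated traffic keeps verifying without a new negotiation. The HMAC-SHA256 message tag, the one-time-pad key wrap, the random stand-in for key agreement and all names are assumptions for the example; the patent does not specify them.

```python
import hashlib
import hmac
import secrets


class KeySharingServer:
    """Holds each terminal's session key only as ciphertext (the patent's 'session key ciphertext')."""

    def __init__(self, wrap_key: bytes):
        self.wrap_key = wrap_key
        self.store = {}          # terminal id -> (nonce, wrapped key)

    def _pad(self, terminal: str, nonce: bytes) -> bytes:
        # toy key wrap: a per-upload one-time pad derived from the wrap key; stand-in only
        return hashlib.sha256(self.wrap_key + terminal.encode() + nonce).digest()

    def upload(self, terminal: str, session_key: bytes) -> None:
        nonce = secrets.token_bytes(16)
        pad = self._pad(terminal, nonce)
        self.store[terminal] = (nonce, bytes(a ^ b for a, b in zip(session_key, pad)))

    def fetch(self, terminal: str) -> bytes:
        nonce, wrapped = self.store[terminal]
        return bytes(a ^ b for a, b in zip(wrapped, self._pad(terminal, nonce)))


class Gateway:
    def __init__(self, name: str, kss: KeySharingServer):
        self.name, self.kss, self.alive = name, kss, True
        self.sessions = {}       # terminal id -> session key

    def negotiate(self, terminal: str) -> bytes:
        """Stands in for the real key agreement; the result is uploaded to the server at once."""
        key = secrets.token_bytes(32)
        self.sessions[terminal] = key
        self.kss.upload(terminal, key)
        return key

    def verify(self, terminal: str, msg: bytes, tag: bytes) -> bool:
        """Check a terminal's message tag; a take-over gateway pulls the key it lacks from the server."""
        key = self.sessions.get(terminal)
        if key is None:
            key = self.sessions[terminal] = self.kss.fetch(terminal)
        return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)


class Cluster:
    def __init__(self, gateways):
        self.gateways = {g.name: g for g in gateways}
        self.assignment = {}     # terminal id -> gateway name

    def load(self, name: str) -> int:
        return sum(1 for g in self.assignment.values() if g == name)

    def assign(self, terminal: str) -> Gateway:
        """Balanced assignment: the live gateway currently carrying the fewest terminals."""
        live = [g for g in self.gateways.values() if g.alive]
        if not live:
            raise RuntimeError("no live gateway in the cluster")
        gw = min(live, key=lambda g: self.load(g.name))
        self.assignment[terminal] = gw.name
        return gw

    def fail(self, name: str) -> None:
        """A gateway drops out: its terminals are redistributed to the remaining gateways."""
        self.gateways[name].alive = False
        for terminal in [t for t, g in self.assignment.items() if g == name]:
            self.assign(terminal)

    def deliver(self, terminal: str, msg: bytes, tag: bytes) -> bool:
        """Route a terminal's message to whichever gateway currently carries it."""
        return self.gateways[self.assignment[terminal]].verify(terminal, msg, tag)


def terminal_send(session_key: bytes, msg: bytes):
    """Terminal side: the message and its HMAC under the negotiated session key."""
    return msg, hmac.new(session_key, msg, hashlib.sha256).digest()
```

The take-over path is the `verify` branch that falls through to `kss.fetch`; whether the server itself is a single point of failure, and how its wrap key is protected, is outside what the patent describes.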
Further, the security isolation gateway uses multiple cryptographic processing units working in parallel to perform the encryption, decryption and cryptographic checking of pure application data.
According to another aspect of the present invention, there is provided a method of using a security isolation gateway for a power consumption information acquisition system, the method comprising:
the outer-network processing unit performs identity discrimination and authentication of an acquisition terminal, then receives a message from the legitimate acquisition terminal through its Ethernet interface;
the outer-network processing unit performs a format check on the received message, strips the TCP/IP network protocol layers from the message that passes the format check, and re-encapsulates the separated pure application data;
the isolation exchange unit issues a control signal connecting it to the outer-network processing unit, receives through the memory interface the encapsulated pure application data sent by the outer-network processing unit, and stores it;
the cryptographic processing unit performs the cryptographic protocol check, cryptographic verification and decryption of that pure application data; and
the isolation exchange unit issues a control signal connecting it to the inner-network processing unit, which receives through its memory interface the pure application data that has passed the cryptographic protocol check, cryptographic verification and decryption and transmits it through its Ethernet interface to the acquisition server.
The present invention also provides a method of using a security isolation gateway for a power consumption information acquisition system, the method comprising:
the inner-network processing unit performs identity discrimination and authentication of the acquisition server, then receives a message from the legitimate acquisition server through its Ethernet interface;
the inner-network processing unit performs a format check on the received message, strips the TCP/IP network protocol layers from the message that passes the format check, and re-encapsulates the separated pure application data;
the isolation exchange unit issues a control signal connecting it to the inner-network processing unit, receives through the memory interface the encapsulated pure application data sent by the inner-network processing unit, and stores it;
the cryptographic processing unit performs the cryptographic protocol check, cryptographic verification and decryption of that pure application data; and
the isolation exchange unit issues a control signal connecting it to the outer-network processing unit, which receives through its memory interface the pure application data that has passed the cryptographic protocol check, cryptographic verification and decryption and transmits it through its Ethernet interface to the acquisition terminal.
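A software model of the data path of the two methods above, and of the FPGA-controlled, time-shared exchange through the dual-port SRAM described earlier in the summary; it is an added example and not the patent's own code. One function runs the five steps in either direction: TCP/IP layers are dropped so only the application frame continues, the frame is format-checked and re-encapsulated, the ingress side is connected to the SRAM and writes the record, the cryptographic unit verifies the tag before decrypting, and only then is the egress side connected, which by construction disconnects the ingress side. The frame layout (a 0x68 0x68 preamble, two-byte length, 12-byte nonce, ciphertext and an HMAC-SHA256 tag), the SHA-256 counter-mode toy cipher, the dict-shaped packet and all names are assumptions: the patent refers to a SAL message format without defining it and names neither its cipher nor its MAC.

```python
import hashlib
import hmac
import secrets
import struct

MAGIC = b"\x68\x68"            # assumed frame preamble
NONCE_LEN, MAC_LEN = 12, 32    # assumed field sizes


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher standing in for the patent's unnamed cipher."""
    stream = bytearray()
    for ctr in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """What a terminal or server sends: magic | len | nonce | ciphertext | HMAC-SHA256."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    header = MAGIC + struct.pack(">H", len(ct)) + nonce
    return header + ct + hmac.new(key, header + ct, hashlib.sha256).digest()


class IsolationExchangeUnit:
    """FPGA arbiter plus dual-port SRAM: a single variable names the connected side, so the
    inner and outer units are never both connected, and data crosses only via the SRAM."""

    def __init__(self):
        self.connected = None    # None, "outer" or "inner"
        self.sram = None         # the record being exchanged
        self.transitions = []    # audit trail of control signals

    def connect(self, side: str) -> None:
        assert side in ("outer", "inner")
        self.connected = side    # connecting one side is, by construction, disconnecting the other
        self.transitions.append(side)

    def write(self, side: str, record: dict) -> None:
        if self.connected != side:
            raise PermissionError(f"{side} side is not connected to the SRAM")
        self.sram = record

    def read(self, side: str) -> dict:
        if self.connected != side:
            raise PermissionError(f"{side} side is not connected to the SRAM")
        return self.sram


def strip_network_layers(packet: dict) -> bytes:
    """TCP/IP stripping: only the application-layer bytes continue; addresses and ports do not."""
    return packet["payload"]


def format_check(frame: bytes) -> dict:
    """Structural check of one application frame; returns the re-encapsulated record or raises."""
    if len(frame) < 4 + NONCE_LEN + MAC_LEN or frame[:2] != MAGIC:
        raise ValueError("bad preamble or truncated frame")
    (ct_len,) = struct.unpack(">H", frame[2:4])
    body = 4 + NONCE_LEN
    if len(frame) != body + ct_len + MAC_LEN:
        raise ValueError("length field does not match frame size")
    return {"header": frame[:body], "ct": frame[body:body + ct_len], "mac": frame[body + ct_len:]}


def crypto_check_and_decrypt(key: bytes, record: dict) -> bytes:
    """Cryptographic processing unit: verify the tag in constant time, only then decrypt."""
    expected = hmac.new(key, record["header"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["mac"]):
        raise ValueError("cryptographic verification failed")
    return _keystream_xor(key, record["header"][4:4 + NONCE_LEN], record["ct"])


def exchange(ieu: IsolationExchangeUnit, session_key: bytes, packet: dict,
             ingress: str, egress: str) -> bytes:
    """One pass through the gateway: ("outer", "inner") is the terminal-to-server method,
    ("inner", "outer") the server-to-terminal method."""
    frame = strip_network_layers(packet)                          # TCP/IP stripped
    record = format_check(frame)                                  # format check, re-encapsulate
    ieu.connect(ingress)                                          # control signal: ingress side only
    ieu.write(ingress, record)
    plaintext = crypto_check_and_decrypt(session_key, ieu.sram)   # cryptographic processing unit
    ieu.sram = {"plain": plaintext}
    ieu.connect(egress)                                           # control signal: switch over
    return ieu.read(egress)["plain"]                              # egress unit forwards over Ethernet
```

A frame whose tag fails leaves the exchange unit with the ingress side still connected and the egress side never connected, so nothing reaches the far side; a frame that fails the format check is dropped before it touches the SRAM at all.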
Further, in the method the isolation exchange unit provides the control signals through its FPGA module, and the pure application data exchanged between the inner-network and outer-network processing units is stored in the dual-port SRAM module of the isolation exchange unit.
Further, in the method the security isolation gateway establishes separate network connections on the inner-network processing unit and on the outer-network processing unit: through the FPGA module of the isolation exchange unit, the connection between the gateway and an acquisition terminal is terminated at the outer-network processing unit, and the connection with the acquisition server is terminated at the inner-network processing unit.
Further, the method implements an access authentication mechanism for acquisition servers and acquisition terminals, using a dual-key system that combines a symmetric algorithm with an asymmetric algorithm to authenticate both.
Further, in the method, when multiple acquisition terminals access the system, the security isolation gateway operates in cluster mode, and keys are shared between the security isolation gateways of the cluster through a key sharing server.
Further, the method uses multiple cryptographic processing units working in parallel to perform the encryption, decryption and cryptographic checking of pure application data.
In summary, the security isolation gateway for a power consumption information acquisition system and its method of use provided by the present invention achieve network isolation and dedicated-protocol processing through isolation exchange technology, authenticate acquisition servers and acquisition terminals through terminal authentication technology, and provide high-performance data encryption based on multiple dedicated hardware cryptographic processing units, thereby ensuring the safe and reliable operation of the acquisition system. The dedicated encryption isolation gateway proposed by the present invention addresses the security risks to which a power consumption information acquisition system is exposed, combining cryptographic and network security protection technologies into a complete and effective set of safeguards.
Brief description of the drawings
The illustrative embodiments of the present invention can be understood more completely by reference to the following drawings:
Fig. 1 is a block diagram of the security isolation gateway for a power consumption information acquisition system according to a specific embodiment of the invention;
Fig. 2 is a flow chart of a method of using the security isolation gateway for a power consumption information acquisition system according to a specific embodiment of the invention; and
Fig. 3 is another flow chart of a method of using the security isolation gateway for a power consumption information acquisition system according to a specific embodiment of the invention.
Embodiments
Illustrative embodiments of the present invention are now described with reference to the accompanying drawings. The invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; these embodiments are provided so that the disclosure is thorough and complete and fully conveys the scope of the invention to those of ordinary skill in the art. The terms used for the illustrative embodiments shown in the drawings do not limit the invention. In the drawings, identical units or elements are denoted by identical reference numerals.
Unless otherwise defined, the terms used herein (including technical and scientific terms) have the meaning commonly understood by those of ordinary skill in the art. It will further be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the relevant art, and not in an idealised or overly formal sense.
Fig. 1 is a block diagram of the security isolation gateway for a power consumption information acquisition system according to a specific embodiment of the invention. As shown in Fig. 1, the security isolation gateway 100 comprises an inner-network processing unit 101, an outer-network processing unit 102, an isolation exchange unit 103 and a cryptographic processing unit 104, wherein:
the inner-network processing unit 101 receives from the isolation exchange unit 103 pure application data that has passed the cryptographic check and decryption of the cryptographic processing unit 104 and sends it to the acquisition server 105 of the acquisition system; it also performs identity discrimination and authentication of the acquisition server 105, receives messages from an acquisition server 105 that has passed identity discrimination and authentication, performs a format check on each message, and encapsulates the pure application data of the messages that pass the format check and sends it to the isolation exchange unit 103;
the outer-network processing unit 102 performs identity discrimination and authentication of acquisition terminals 106, receives messages from an acquisition terminal 106 that has passed identity discrimination and authentication, performs a format check on each message, encapsulates the pure application data of the messages that pass the format check and sends it to the isolation exchange unit 103; it also receives from the isolation exchange unit 103 pure application data that has passed the cryptographic check and decryption of the cryptographic processing unit 104 and sends it to the acquisition terminal 106;
the isolation exchange unit 103, located between the inner-network processing unit 101 and the outer-network processing unit 102, receives the pure application data sent by the outer-network processing unit 102 and, after the cryptographic processing unit 104 has completed the cryptographic protocol check, cryptographic verification and decryption of that data, sends it to the inner-network processing unit 101; it also receives the pure application data sent by the inner-network processing unit 101 and, after the cryptographic processing unit 104 has completed the cryptographic protocol check, cryptographic verification and decryption of that data, sends it to the outer-network processing unit 102, thereby completing a controlled exchange of pure application data between the inner-network processing unit 101 and the outer-network processing unit 102; and
the cryptographic processing unit 104 performs the cryptographic protocol check and provides cryptographic verification and decryption services for the data flowing through the isolation exchange unit 103.
Preferably, the isolation exchange unit 103 comprises an FPGA module 131 and a dual-port SRAM module 132. The FPGA module 131 generates control signals that give the inner-network processing unit 101 and the outer-network processing unit 102 time-shared, mutually exclusive access to the SRAM module 132: while the isolation exchange unit 103 is connected to one of the inner-network processing unit 101 and the outer-network processing unit 102, its connection to the other is completely broken. The dual-port SRAM module 132 stores the pure application data being exchanged between the inner-network processing unit 101 and the outer-network processing unit 102.
Preferably, the security isolation gateway uses the isolation hand-off technique of a red-black isolation architecture. The outer-network processing unit 102 and the inner-network processing unit 101 each comprise an Ethernet interface and a memory interface, wherein:
the Ethernet interface 121 of the outer-network processing unit 102 receives the data messages sent by acquisition terminals 106 that have passed terminal authentication and sends the pure application data delivered by the isolation exchange unit 103 to the acquisition terminal 106; on receiving the control signal issued by the isolation exchange unit 103, the memory interface 122 sends the pure application data encapsulated by the outer-network processing unit 102 to the isolation exchange unit 103 and receives the pure application data stored in the dual-port SRAM module 132 of the isolation exchange unit 103;
on receiving the control signal issued by the isolation exchange unit 103, the memory interface 112 of the inner-network processing unit 101 receives the pure application data stored in the dual-port SRAM module 132 of the isolation exchange unit 103 and sends the pure application data encapsulated by the inner-network processing unit 101 to the isolation exchange unit 103; the Ethernet interface 111 sends the pure application data received by the memory interface 112 to the acquisition server 105 and receives messages from an acquisition server 105 that has passed identity discrimination and authentication.
Preferably, the security isolation gateway establishes separate network connections on the inner-network processing unit 101 and on the outer-network processing unit 102: through the FPGA module 131 of the isolation exchange unit 103, the connection between the gateway and an acquisition terminal 106 is terminated at the outer-network processing unit 102, and the connection with the acquisition server 105 is terminated at the inner-network processing unit 101.
Preferably, the security isolation gateway implements an access authentication mechanism for acquisition servers and acquisition terminals, using a dual-key system that combines a symmetric algorithm with an asymmetric algorithm to authenticate both.
Preferably, when multiple acquisition terminals access the system, the security isolation gateway operates in cluster mode, and keys are shared between the security isolation gateways of the cluster through a key sharing server.
Preferably, the security isolation gateway uses multiple cryptographic processing units 104 working in parallel to perform the encryption, decryption and cryptographic checking of pure application data.
Fig. 2 is the user of the security isolation gateway suitable for power information acquisition system of the specific embodiment of the invention The flow chart of method, methods described refers to that outer net processing unit is transmitted to acquisition server, such as Fig. 2 after receiving data from acquisition terminal Shown, methods described is since step 201.
In step 201, outer net processing unit is carried out after identity discriminating and certification to acquisition terminal, received by Ethernet interface Message from legal acquisition terminal;
In step 202, outer net processing unit carries out format checking to the message of reception, and to the message by format checking TCP/IP procotol strippings are carried out, the pure application data separated is Resealed;
In step 203, isolation crosspoint sends control signal, makes it be connected to receive at outer net with outer net processing unit Pure application data that reason unit is transmitted by memory interface, by encapsulation is simultaneously stored;
In step 204, cryptography processing units complete protocol testing, cryptographic verification and the solution of password to the pure application data It is close;
In step 205, isolation crosspoint sends control signal, it is connected with Intranet processing unit, and Intranet processing is single Member finishes receiving the protocol testing of password, cryptographic verification and the pure application data of decryption by memory interface, and passes through Ethernet Acquisition server is transported in oral instructions.
Fig. 3 is another flow chart of the application method of the security isolation gateway suitable for a power information acquisition system according to a specific embodiment of the invention. The method covers the case in which the intranet processing unit receives data from the acquisition server and forwards it to an acquisition terminal. As shown in Fig. 3, the method starts at step 301.
In step 301, after performing identity identification and authentication of the acquisition server, the intranet processing unit receives, through its Ethernet interface, a message from the legitimate acquisition server;
In step 302, the intranet processing unit performs a format check on the received message, strips the TCP/IP network protocol from a message that passes the format check, and re-encapsulates the pure application data that has been separated out;
In step 303, the isolation exchange unit sends a control signal connecting itself to the intranet processing unit, receives through the memory interface the encapsulated pure application data transmitted by the intranet processing unit, and stores it;
In step 304, the cryptographic processing unit performs the cryptographic protocol check, cryptographic verification and decryption of the pure application data; and
In step 305, the isolation exchange unit sends a control signal connecting itself to the extranet processing unit; the extranet processing unit receives through the memory interface the pure application data that has passed the cryptographic protocol check, cryptographic verification and decryption, and transmits it to the acquisition terminal through its Ethernet interface.
Preferably, in the method the isolation exchange unit provides the control signal through an FPGA module, and the pure application data exchanged between the intranet processing unit and the extranet processing unit is stored in a dual-port SRAM module inside the isolation exchange unit.
Preferably, in the method the security isolation gateway establishes network connections with the intranet processing unit and the extranet processing unit respectively; through the FPGA module of the isolation exchange unit, the connection between the security isolation gateway and the acquisition terminal is terminated at the extranet processing unit, and the connection with the acquisition server is terminated at the intranet processing unit.
Preferably, the method implements an authentication and access mechanism for the acquisition server and the acquisition terminals, using a dual-key scheme that combines symmetric and asymmetric algorithms to authenticate the identity of the acquisition server and the acquisition terminals.
Preferably, when multiple acquisition terminals are connected, the security isolation gateways in the method operate in cluster mode, and the keys are shared between the security isolation gateways in the cluster through a key sharing server.
Preferably, the method uses multiple cryptographic processing units working in parallel to perform the encryption and decryption operations and the cryptographic checks on the pure application data.
Normally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/the [device, component, etc.]" are to be interpreted openly as at least one instance of the device, component, etc., unless expressly stated otherwise. The steps of any method disclosed herein need not be performed in the exact order disclosed, unless explicitly stated.
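A runnable model of the extranet-to-intranet data path (steps 201 to 205) together with the FPGA-controlled, time-shared and mutually exclusive access to the dual-port SRAM described in the preferred embodiments above. This is an added example, not code from the patent or its applicants; the HMAC-SHA256 tag, the counter-mode keystream standing in for the unnamed cipher, the "terminal id | length | payload" encapsulation and the constructed IPv4/TCP frame are all assumptions, since the patent specifies none of these formats or algorithms.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-32-bytes!!!"  # constructed sample key shared by terminal and gateway
LEGAL_TERMINALS = {b"T001"}                # constructed set of terminals that passed authentication


class IsolationExchangeUnit:
    """FPGA-controlled switch: the extranet ("outer") and intranet ("inner") units get
    time-shared, mutually exclusive access to the dual-port SRAM buffer."""

    def __init__(self):
        self.sram = b""        # dual-port SRAM holding the encapsulated pure application data
        self.connected = None  # "outer", "inner" or None (both sides disconnected)

    def control_signal(self, side):
        """Connect one side (None disconnects); the other side must be fully disconnected."""
        if side and self.connected not in (None, side):
            raise RuntimeError(f"{side} requested while {self.connected} is connected")
        self.connected = side

    def memory_interface(self, side, data=None):
        """Write (if data is given) or read the SRAM; only the connected side may use it."""
        if self.connected != side:
            raise RuntimeError("memory interface used without control signal")
        if data is not None:
            self.sram = data
        return self.sram

def strip_tcp_ip(frame):
    """Format check of an IPv4/TCP message, then return only the application payload."""
    if len(frame) < 40:
        raise ValueError("frame too short")
    ihl, total_len = (frame[0] & 0x0F) * 4, struct.unpack("!H", frame[2:4])[0]
    if frame[0] >> 4 != 4 or ihl < 20 or total_len != len(frame) or ihl + 20 > len(frame):
        raise ValueError("bad IP header")
    data_off = (frame[ihl + 12] >> 4) * 4  # TCP data offset field, in 32-bit words
    if data_off < 20 or ihl + data_off > len(frame):
        raise ValueError("bad TCP header")
    return frame[ihl + data_off:]

def encapsulate(terminal_id, payload):
    """Re-encapsulate the stripped payload as terminal id | length | pure application data."""
    return struct.pack("!4sH", terminal_id, len(payload)) + payload

def decapsulate(blob):
    terminal_id, length = struct.unpack("!4sH", blob[:6])
    if len(blob) != 6 + length:
        raise ValueError("encapsulation length mismatch")
    return terminal_id, blob[6:]

def _keystream(nonce, n):
    # HMAC-SHA256 in counter mode as a stand-in PRF; the patent does not name its cipher.
    return b"".join(hmac.new(KEY, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def protect(nonce, plaintext):
    """Terminal side, encrypt-then-MAC: nonce | ciphertext | 32-byte HMAC-SHA256 tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(nonce, len(plaintext))))
    return nonce + ct + hmac.new(KEY, nonce + ct, hashlib.sha256).digest()

def check_and_decrypt(blob):
    """Cryptographic processing unit: verify the tag first, decrypt only if it holds."""
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("cryptographic check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))

def build_frame(payload):
    """Constructed IPv4/TCP frame carrying the payload; addresses and ports are dummies."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + struct.pack("!HHIIBBHHH", 1024, 8080, 0, 0, 0x50, 0x18, 1024, 0, 0) + payload

def forward_to_server(frame, terminal_id, xu):
    """Steps 201-205: returns (terminal id, plaintext) handed to the acquisition server."""
    if terminal_id not in LEGAL_TERMINALS:                      # step 201
        raise PermissionError("terminal not authenticated")
    pure = encapsulate(terminal_id, strip_tcp_ip(frame))        # step 202
    xu.control_signal("outer"); xu.memory_interface("outer", pure); xu.control_signal(None)  # step 203
    tid, app = decapsulate(xu.sram)                             # step 204: the crypto unit works
    xu.sram = encapsulate(tid, check_and_decrypt(app))          # on the buffer in the exchange unit
    xu.control_signal("inner"); delivered = xu.memory_interface("inner"); xu.control_signal(None)  # 205
    return decapsulate(delivered)
```

A message whose tag fails verification never reaches the intranet side, and a request to connect the intranet side while the extranet side is still connected is refused by the switch model.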

Claims (14)

1. A security isolation gateway suitable for a power information acquisition system, characterized in that the security isolation gateway comprises:
an intranet processing unit, used to receive from the isolation exchange unit pure application data that has undergone cryptographic check and decryption by the cryptographic processing unit and to send it to the acquisition server of the power information acquisition system, and used to perform identity identification and authentication of the acquisition server, receive messages from an acquisition server that has passed identity identification and authentication, perform a format check on the messages, and encapsulate the pure application data in messages that pass the format check before sending it to the isolation exchange unit;
an extranet processing unit, used to perform identity identification and authentication of acquisition terminals, receive messages from acquisition terminals that have passed identity identification and authentication, perform a format check on the messages, and encapsulate the pure application data in messages that pass the format check before sending it to the isolation exchange unit, and used to receive from the isolation exchange unit pure application data that has undergone cryptographic check and decryption by the cryptographic processing unit and to send it to the acquisition terminals of the power information acquisition system;
an isolation exchange unit, located between the intranet processing unit and the extranet processing unit, used to receive the pure application data transmitted by the extranet processing unit and, after the cryptographic processing unit has completed the cryptographic protocol check, cryptographic verification and decryption of that data, send it to the intranet processing unit, and used to receive the pure application data transmitted by the intranet processing unit and, after the cryptographic processing unit has completed the cryptographic protocol check, cryptographic verification and decryption of that data, send it to the extranet processing unit, so as to accomplish the controlled exchange of pure application data between the intranet processing unit and the extranet processing unit; and
a cryptographic processing unit, which performs the cryptographic protocol check and provides cryptographic verification and decryption services for the data flowing through the isolation exchange unit.
2. The security isolation gateway according to claim 1, characterized in that the isolation exchange unit comprises a field-programmable gate array (FPGA) module and a dual-port static random access memory (SRAM) module, wherein the FPGA module provides control signals for controlling the intranet processing unit and the extranet processing unit to access the SRAM module in a time-shared, mutually exclusive manner, that is, when the isolation exchange unit is in the connected state with one of the intranet processing unit and the extranet processing unit, its connection with the other is fully disconnected, and the dual-port SRAM module is used to store the pure application data exchanged between the intranet processing unit and the extranet processing unit.
3. The security isolation gateway according to claim 2, characterized in that the security isolation gateway adopts the isolation handover technique of a red/black isolation architecture, and the extranet processing unit and the intranet processing unit each comprise an Ethernet interface and a memory interface, wherein:
the Ethernet interface of the extranet processing unit is responsible for receiving data messages sent by acquisition terminals that have passed terminal authentication and for transmitting the pure application data delivered by the isolation exchange unit to the acquisition terminals; the memory interface is responsible, upon receiving the control signal sent by the isolation exchange unit, for sending the pure application data encapsulated by the extranet processing unit to the isolation exchange unit and for receiving the pure application data stored in the dual-port SRAM module of the isolation exchange unit;
the memory interface of the intranet processing unit is responsible, upon receiving the control signal sent by the isolation exchange unit, for receiving the pure application data stored in the dual-port SRAM module of the isolation exchange unit and for sending the pure application data encapsulated by the intranet processing unit to the isolation exchange unit; the Ethernet interface is responsible for sending the pure application data received by the memory interface to the acquisition server and for receiving messages from an acquisition server that has passed identity identification and authentication.
4. The security isolation gateway according to claim 2, characterized in that the security isolation gateway establishes network connections with the intranet processing unit and the extranet processing unit respectively, such that, through the FPGA module of the isolation exchange unit, the connection between the security isolation gateway and the acquisition terminals terminates at the extranet processing unit and the connection with the acquisition server terminates at the intranet processing unit.
5. The security isolation gateway according to claim 1, characterized in that the security isolation gateway implements an authentication and access mechanism for the acquisition server and the acquisition terminals, using a dual-key scheme that combines symmetric and asymmetric algorithms to authenticate the identity of the acquisition server and the acquisition terminals.
6. The security isolation gateway according to claim 1, characterized in that, when multiple acquisition terminals are connected, the security isolation gateways operate in cluster mode, and the keys are shared between the security isolation gateways in the cluster through a key sharing server.
7. The security isolation gateway according to claim 1, characterized in that the security isolation gateway uses multiple cryptographic processing units working in parallel to perform the encryption and decryption operations and the cryptographic checks on the pure application data.
8. An application method of a security isolation gateway suitable for a power information acquisition system, characterized in that the method comprises:
after performing identity identification and authentication of the acquisition terminal, the extranet processing unit receives, through its Ethernet interface, a message from a legitimate acquisition terminal;
the extranet processing unit performs a format check on the received message, strips the TCP/IP network protocol from a message that passes the format check, and re-encapsulates the pure application data that has been separated out;
the isolation exchange unit sends a control signal connecting itself to the extranet processing unit, receives through the memory interface the encapsulated pure application data transmitted by the extranet processing unit, and stores it;
the cryptographic processing unit performs the cryptographic protocol check, cryptographic verification and decryption of the pure application data; and
the isolation exchange unit sends a control signal connecting itself to the intranet processing unit; the intranet processing unit receives through the memory interface the pure application data that has passed the cryptographic protocol check, cryptographic verification and decryption, and transmits it to the acquisition server through its Ethernet interface.
9. An application method of a security isolation gateway suitable for a power information acquisition system, characterized in that the method comprises:
after performing identity identification and authentication of the acquisition server, the intranet processing unit receives, through its Ethernet interface, a message from the legitimate acquisition server;
the intranet processing unit performs a format check on the received message, strips the TCP/IP network protocol from a message that passes the format check, and re-encapsulates the pure application data that has been separated out;
the isolation exchange unit sends a control signal connecting itself to the intranet processing unit, receives through the memory interface the encapsulated pure application data transmitted by the intranet processing unit, and stores it;
the cryptographic processing unit performs the cryptographic protocol check, cryptographic verification and decryption of the pure application data; and
the isolation exchange unit sends a control signal connecting itself to the extranet processing unit; the extranet processing unit receives through the memory interface the pure application data that has passed the cryptographic protocol check, cryptographic verification and decryption, and transmits it to the acquisition terminal through its Ethernet interface.
10. The application method of the security isolation gateway according to claim 8 or 9, characterized in that in the method the isolation exchange unit provides the control signal through an FPGA module, and the pure application data exchanged between the intranet processing unit and the extranet processing unit is stored in a dual-port SRAM module inside the isolation exchange unit.
11. The application method of the security isolation gateway according to claim 8 or 9, characterized in that in the method the security isolation gateway establishes network connections with the intranet processing unit and the extranet processing unit respectively, and through the FPGA module of the isolation exchange unit the connection between the security isolation gateway and the acquisition terminal is terminated at the extranet processing unit and the connection with the acquisition server is terminated at the intranet processing unit.
12. The application method of the security isolation gateway according to claim 8 or 9, characterized in that the method implements an authentication and access mechanism for the acquisition server and the acquisition terminals, using a dual-key scheme that combines symmetric and asymmetric algorithms to authenticate the identity of the acquisition server and the acquisition terminals.
13. The application method of the security isolation gateway according to claim 8 or 9, characterized in that, when multiple acquisition terminals are connected, the security isolation gateways in the method operate in cluster mode, and the keys are shared between the security isolation gateways in the cluster through a key sharing server.
14. The application method of the security isolation gateway according to claim 8 or 9, characterized in that the method uses multiple cryptographic processing units working in parallel to perform the encryption and decryption operations and the cryptographic checks on the pure application data.
CN201710202842.9A 2017-03-30 2017-03-30 A kind of security isolation gateway and its application method suitable for power information acquisition system Pending CN106941494A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710202842.9A CN106941494A (en) 2017-03-30 2017-03-30 A kind of security isolation gateway and its application method suitable for power information acquisition system

Publications (1)

Publication Number Publication Date
CN106941494A true CN106941494A (en) 2017-07-11

Family

ID=59463588

Country Status (1)

Country Link
CN (1) CN106941494A (en)

Legal Events

Date Code Title Description
PB01 Publication Application publication date: 20170711
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication