CN108366055A - Method for signing and authenticating GOOSE messages - Google Patents
Classifications
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
- H04L1/0061: Arrangements for detecting or preventing errors in the information received by using forward error control; systems characterised by the type of code used; error detection codes
- H04L43/10: Arrangements for monitoring or testing data switching networks; active monitoring, e.g. heartbeat, ping or trace-route
- H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) involving digital signatures
Abstract
The invention discloses a method for signing and authenticating GOOSE messages, comprising: the sender assembles the GOOSE message; the sender applies classified signing to the GOOSE message content; the subscriber of the GOOSE message verifies it. Through fast packet assembly of the GOOSE message and classified signing of the message content, the invention improves the efficiency of GOOSE message information-security authentication in intelligent substations, so as to meet the real-time requirements of process-level devices.
Description
Technical field
The present invention relates to a method for signing and authenticating GOOSE messages and belongs to the field of power system automation.
Background technology
For the security design of the electric power system, the protection measures designed so far are essentially security-boundary measures; they do not address the specific implementation of security protection for communication inside the substation network, so once a substation comes under attack the system becomes very fragile. The information security incidents exposed in recent years have shocked the world and made us realize that the information security of a country's critical industries faces a severe test, and that comprehensive information security in the electric power system is extremely urgent. Moreover, the standardization of power system communication protocols makes information communication easier for "hackers" to attack. The international standards organization IEC has proposed the concept of "wide-area GOOSE" in the latest IEC 61850 international standard: the use of Generic Object Oriented Substation Event (GOOSE) messages will no longer be limited to a single substation but will extend to more open and complex network environments such as inter-station and inter-regional communication. GOOSE messages will then be more exposed to security risks such as malicious eavesdropping and tampering, and the data security problem becomes increasingly prominent. In particular, GOOSE messages used directly for tripping can cause circuit breakers to mis-operate once tampered with, with serious consequences, which poses no small challenge to the safety and reliability of the power system.
To solve the data and communication security problems of the power communication field, IEC formulated the IEC 62351 data and communication security international standard (draft) in April 2005. Its core contents are authentication and encryption, intended to prevent a message from being intercepted by a third party during transmission and then forwarded to the recipient after deletion, insertion, modification, reordering or similar operations. Unlike other messages, however, GOOSE messages have harsh real-time requirements, and encrypting GOOSE messages cannot meet those timing requirements.
Invention content
To solve the above technical problem, the present invention provides a method for signing and authenticating GOOSE messages.
To achieve the above object, the technical solution adopted by the present invention is:
A method for signing and authenticating GOOSE messages, comprising:
The sender assembles the GOOSE message:
At initialization, the fixed data fields of the GOOSE message are organized, and the offsets of the variable data fields within the GOOSE message are recorded;
During real-time packet assembly, if the content of a variable data field changes, the content is first updated according to the recorded offset and the variable data field is then organized;
The sender applies classified signing to the GOOSE message content:
SqNum is removed from the GOOSE message APDU, a SHA1 message signature is computed over the remaining data, and a separate CRC operation is performed on SqNum; the signature digest and the CRC result of SqNum are sent together with the original message as an extension field of the GOOSE message;
When signing a heartbeat message, the CRC operation is performed on the SqNum of that frame, while the SHA1 message signature of the previous frame is reused;
The subscriber of the GOOSE message verifies:
It judges whether the signature digest of the received message is the same as that of the previous frame; if the same, it parses SqNum and checks whether its CRC is correct, and if the check succeeds and SqNum equals the SqNum of the previous frame plus 1, the frame is judged to be a heartbeat message and the link is normal; if not the same, the signature of the APDU is verified again together with the CRC value of SqNum, and the message is adopted if both the signature verification and the CRC check succeed.
The transmitted GOOSE message is encoded in fixed-length mode.
The transmitted GOOSE message is encoded in TLV form.
In classified signing, the content of reserved field 1 of the GOOSE message is changed into a flag indicating whether the message is a GOOSE authentication-extended message, and the content of reserved field 2 of the GOOSE message is changed into the length of the extension field.
When verifying, the subscriber first judges from reserved field 1 whether the received message is a GOOSE authentication-extended message; if so, it performs the signature digest judgement, otherwise it performs the normal unpacking procedure.
The extension field further includes the CRC calculation result over the TPID, TCI, EtherType and APPID of the GOOSE message.
Advantageous effects achieved by the present invention: through fast packet assembly of the GOOSE message and classified signing of the message content, the present invention improves the efficiency of GOOSE message information-security authentication in intelligent substations, so as to meet the real-time requirements of process-level devices.
Description of the drawings
Fig. 1 is the flow chart of the present invention;
Fig. 2 is the original GOOSE message format;
Fig. 3 is the GOOSE authentication message format;
Fig. 4 is the flow chart of the subscriber receiving and verifying a message.
Specific implementation mode
The invention is further described below with reference to the accompanying drawings. The following embodiment is only intended to illustrate the technical solution of the present invention clearly and is not intended to limit its scope of protection.
As shown in Figure 1, the method for signing and authenticating GOOSE messages is as follows:
1) The sender assembles the GOOSE message.
To achieve fast packet assembly on the sender side, the transmitted GOOSE message is encoded in fixed-length mode, specifically TLV (type-length-value) encoding in which the space occupied by T (type), L (length) and V (value) is fixed; for example, the data length L of StNum and SqNum always occupies 4 bytes, and the data field V of StNum and SqNum is fixed at 4 bytes.
At initialization, the fixed data fields of the GOOSE message are organized; as shown in Fig. 2, the fixed data fields are APPID, Length, reserved field 1, reserved field 2, gocbRef, dataSet, goID, confRev, ndsCom and numDatSetEntries. The offsets of the variable data fields within the GOOSE message are recorded; as shown in Fig. 2, the variable data fields are TAL, t, stNum, sqNum, test and allData. During real-time packet assembly, if the content of a variable data field changes, the content is first updated according to the recorded offset and the variable data field is then organized, so the packet does not have to be assembled from the beginning, which achieves fast packet assembly.
2) The sender applies classified signing to the GOOSE message content.
As shown in Fig. 2, reserved field 1 and reserved field 2 of the original GOOSE message format are used to carry supplementary information about the signature. The content of reserved field 1 is changed into a flag indicating whether the message is a GOOSE authentication-extended message; it may be specified that a value of 0x0001 denotes a GOOSE authentication message and any other value denotes an original GOOSE message. The content of reserved field 2 is changed into the length of the extension field.
SqNum is removed from the GOOSE message APDU and a SHA1 message signature is computed over the remaining data; a separate CRC operation is performed on SqNum, and a CRC is also calculated over the TPID, TCI, EtherType and APPID of the GOOSE message.
The signature digest and all CRC results are sent together with the original message as the extension field of the GOOSE message. As shown in Fig. 3, the extension field consists of three parts: the first part is the CRC calculation result over TPID, TCI, EtherType and APPID (CRC1); the second part is the signature digest (AuthenticationValue), obtained by compressing the data information of the GOOSE message with the SHA1 algorithm into a fixed-length signature digest string; the third part is the CRC calculation result of SqNum (CRC2).
CRC1 remains unchanged once it has been calculated. When a heartbeat message is signed, only SqNum changes while all other content is fixed, and at this point SqNum only expresses the heartbeat serial number; therefore only the SqNum of that frame needs to go through the CRC operation, and the SHA1 message signature of the previous frame is reused, i.e. it remains unchanged, which greatly increases signing efficiency. When the content changes, AuthenticationValue is recalculated and updated; CRC2 must be recalculated and updated for every frame.
3) The subscriber of the GOOSE message verifies.
The flow by which the subscriber receives and verifies a message is shown in Figure 4. It first judges from reserved field 1 whether the received message is a GOOSE authentication-extended message. If not, the normal unpacking procedure is carried out. If so, it judges whether the signature digest of the received message is the same as that of the previous frame. If the same, it parses SqNum and checks whether its CRC is correct; if the check succeeds and SqNum equals the SqNum of the previous frame plus 1, the frame is judged to be a heartbeat message and the link is normal; in any other case the message is discarded. If the digest is not the same, the signature of the APDU is verified again together with the CRC value of SqNum; if both succeed the message is adopted, otherwise it is discarded. In this process a heartbeat message needs no repeated signature verification: only the signature digest is compared and a CRC check is performed on SqNum, which greatly increases the parsing efficiency of GOOSE security-authentication messages.
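The sender-side classified signing of step 2 and the subscriber flow of Fig. 4 in step 3, as an added worked example that is not part of the patent: a frame is modelled as a small dict rather than a real TLV-encoded GOOSE message, the CRC is assumed to be CRC-32 (the page names no polynomial), and the page's bare SHA1 "signature" is replaced with HMAC-SHA1 under an assumed shared key, since an unkeyed digest can be recomputed by anyone who alters the frame.

```python
import hashlib
import hmac
import struct
import zlib

# Assumed key: the page's SHA1 "signature" names no key, so this example keys
# the digest with HMAC-SHA1 (a substitution for the page's bare SHA1).
DEMO_KEY = b"constructed-demo-key"
AUTH_FLAG = 0x0001     # reserved field 1 value marking an authentication-extended frame
EXT_LEN = 4 + 20 + 4   # CRC1 | AuthenticationValue (SHA1, 20 bytes) | CRC2

def crc32(data: bytes) -> int:
    """CRC for CRC1 (header) and CRC2 (SqNum); CRC-32 is an assumption."""
    return zlib.crc32(data) & 0xFFFFFFFF

def auth_value(apdu_without_sqnum: bytes) -> bytes:
    """AuthenticationValue over the APDU with SqNum removed."""
    return hmac.new(DEMO_KEY, apdu_without_sqnum, hashlib.sha1).digest()

def sqnum_crc(sqnum: int) -> bytes:
    """CRC2: CRC over the 4-byte fixed-length SqNum value."""
    return struct.pack(">I", crc32(struct.pack(">I", sqnum)))

class Publisher:
    """Sender side: classified signing of each GOOSE frame."""

    def __init__(self, header: bytes):
        self.header = header        # TPID, TCI, EtherType, APPID (constructed sample)
        self.crc1 = crc32(header)   # computed once; fixed for all later frames
        self.digest = None
        self.sqnum = -1

    def frame(self, apdu_without_sqnum: bytes, changed: bool) -> dict:
        if changed or self.digest is None:
            # content changed: recompute AuthenticationValue; GOOSE restarts SqNum at 0
            self.digest, self.sqnum = auth_value(apdu_without_sqnum), 0
        else:
            # heartbeat: the previous frame's digest is reused, only SqNum advances
            self.sqnum += 1
        extension = struct.pack(">I", self.crc1) + self.digest + sqnum_crc(self.sqnum)
        return {"header": self.header, "reserved1": AUTH_FLAG, "reserved2": len(extension),
                "apdu": apdu_without_sqnum, "sqnum": self.sqnum, "extension": extension}

class Subscriber:
    """Receiver side: the verification flow of Fig. 4."""

    def __init__(self):
        self.prev_digest = None
        self.prev_sqnum = None

    def receive(self, f: dict) -> str:
        if f["reserved1"] != AUTH_FLAG:
            return "plain"                  # ordinary GOOSE: normal unpacking path
        ext = f["extension"]
        if f["reserved2"] != EXT_LEN or len(ext) != EXT_LEN:
            return "drop"
        crc1, digest, crc2 = struct.unpack(">I", ext[:4])[0], ext[4:24], ext[24:]
        if crc1 != crc32(f["header"]) or crc2 != sqnum_crc(f["sqnum"]):
            return "drop"                   # CRC1 / CRC2 mismatch (CRC1 check is assumed)
        if digest == self.prev_digest:
            # digest unchanged: heartbeat if SqNum continues the sequence, else drop
            if f["sqnum"] == self.prev_sqnum + 1:
                self.prev_sqnum = f["sqnum"]
                return "heartbeat"
            return "drop"
        # digest changed: full re-verification of the APDU before adopting the frame
        if not hmac.compare_digest(digest, auth_value(f["apdu"])):
            return "drop"
        self.prev_digest, self.prev_sqnum = digest, f["sqnum"]
        return "accept"
```

In the heartbeat path the example, like the page, compares only the digest field and CRC2 and does not recompute the MAC over the frame content; that is the trade-off behind the page's efficiency claim.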
The above method, through fast packet assembly of the GOOSE message and classified signing of the message content, improves the efficiency of GOOSE message information-security authentication in intelligent substations, so as to meet the real-time requirements of process-level devices.
The above is only a preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art can make several improvements and modifications without departing from the technical principles of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
Claims (6)
1. A method for signing and authenticating GOOSE messages, characterised in that it comprises:
The sender assembles the GOOSE message:
At initialization, the fixed data fields of the GOOSE message are organized, and the offsets of the variable data fields within the GOOSE message are recorded;
During real-time packet assembly, if the content of a variable data field changes, the content is first updated according to the recorded offset and the variable data field is then organized;
The sender applies classified signing to the GOOSE message content:
SqNum is removed from the GOOSE message APDU, a SHA1 message signature is computed over the remaining data, and a separate CRC operation is performed on SqNum; the signature digest and the CRC result of SqNum are sent together with the original message as an extension field of the GOOSE message;
When signing a heartbeat message, the CRC operation is performed on the SqNum of that frame, while the SHA1 message signature of the previous frame is reused;
The subscriber of the GOOSE message verifies:
It judges whether the signature digest of the received message is the same as that of the previous frame; if the same, it parses SqNum and checks whether its CRC is correct, and if the check succeeds and SqNum equals the SqNum of the previous frame plus 1, the frame is judged to be a heartbeat message and the link is normal; if not the same, the signature of the APDU is verified again together with the CRC value of SqNum, and the message is adopted if both the signature verification and the CRC check succeed.
2. The method for signing and authenticating GOOSE messages according to claim 1, characterised in that the transmitted GOOSE message is encoded in fixed-length mode.
3. The method for signing and authenticating GOOSE messages according to claim 2, characterised in that the transmitted GOOSE message is encoded in TLV form.
4. The method for signing and authenticating GOOSE messages according to claim 1, characterised in that in classified signing the content of reserved field 1 of the GOOSE message is changed into a flag indicating whether the message is a GOOSE authentication-extended message, and the content of reserved field 2 of the GOOSE message is changed into the length of the extension field.
5. The method for signing and authenticating GOOSE messages according to claim 4, characterised in that when verifying, the subscriber first judges from reserved field 1 whether the received message is a GOOSE authentication-extended message; if so it performs the signature digest judgement, otherwise it performs the normal unpacking procedure.
6. The method for signing and authenticating GOOSE messages according to claim 1, characterised in that the extension field further includes the CRC calculation result over the TPID, TCI, EtherType and APPID of the GOOSE message.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810109227.8A CN108366055A (en) | 2018-02-05 | 2018-02-05 | A kind of GOOSE message signature and the method for certification |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108366055A true CN108366055A (en) | 2018-08-03 |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110995729A (en) * | 2019-12-12 | 2020-04-10 | 广东电网有限责任公司电力调度控制中心 | Control system communication method and device based on asymmetric encryption and computer equipment |
CN113746631A (en) * | 2021-07-12 | 2021-12-03 | 浙江众合科技股份有限公司 | Safety communication method based on safety code |
CN114339765A (en) * | 2021-11-25 | 2022-04-12 | 国网河南省电力公司电力科学研究院 | Differential protection data interactive chain type verification method and system based on 5G communication |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100039954A1 (en) * | 2008-08-18 | 2010-02-18 | Abb Technology Ag | Analyzing communication configuration in a process control system |
CN103873461A (en) * | 2014-02-14 | 2014-06-18 | 中国南方电网有限责任公司 | IEC62351-based security interaction method for GOOSE message |
CN104506500A (en) * | 2014-12-11 | 2015-04-08 | 广东电网有限责任公司电力科学研究院 | GOOSE message authentication method based on transformer substation |
CN104639328A (en) * | 2015-01-29 | 2015-05-20 | 华南理工大学 | GOOSE message authentication method and GOOSE (Generic Object Oriented Substation Event) message authentication system |
CN106451376A (en) * | 2016-09-30 | 2017-02-22 | 西电通用电气自动化有限公司 | Method and apparatus for issuing GOOSE messages |
Non-Patent Citations (1)
Title |
---|
Wang Zhidong et al.: "GOOSE message encryption and decryption method combined with field semantics", Journal of South China University of Technology (Natural Science Edition) * |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |
Application publication date: 2018-08-03