CN108366055A - A kind of GOOSE message signature and the method for certification - Google Patents

Info

Publication number
CN108366055A
Authority
CN
China
Prior art keywords
message
goose
signature
goose message
certification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810109227.8A
Other languages
Chinese (zh)
Inventor
郑洁
梅德冬
姚燕春
罗华煜
李耕
李嘉
张连生
周化
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
State Grid Tianjin Electric Power Co Ltd
NARI Group Corp
Nari Technology Co Ltd
NARI Nanjing Control System Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Tianjin Electric Power Co Ltd
NARI Group Corp
Nari Technology Co Ltd
NARI Nanjing Control System Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2018-02-05
Filing date
2018-02-05
Publication date
2018-08-03
Application filed by State Grid Corp of China SGCC, State Grid Tianjin Electric Power Co Ltd, NARI Group Corp, Nari Technology Co Ltd, NARI Nanjing Control System Co Ltd
Priority to CN201810109227.8A
Publication of CN108366055A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/004 Arrangements for detecting or preventing errors in the information received by using forward error control
    • H04L1/0056 Systems characterized by the type of code used
    • H04L1/0061 Error detection codes
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Cardiology (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Communication Control (AREA)

Abstract

The invention discloses a GOOSE message signing and authentication method, comprising: the sender assembles the GOOSE message; the sender applies a classified signature to the GOOSE message content; the subscriber of the GOOSE message verifies it. Through fast assembly of the GOOSE message and classified signing of the message content, the invention improves the efficiency of GOOSE message information-security authentication in a smart substation, so as to meet the real-time requirements placed on process-layer devices.

Description

A GOOSE message signing and authentication method
Technical field
The present invention relates to a GOOSE message signing and authentication method and belongs to the field of power system automation.
Background technology
In the security design of power systems, the protective measures designed so far are essentially security-boundary measures; no specific embodiment has addressed communication security protection inside the substation network, so once a substation is attacked the system becomes very fragile. The information security incidents exposed in recent years have shocked the world and made us realize that the information security of the country's critical industries faces a severe test, and that comprehensive information security in the power system is urgently needed. Moreover, the standardization of power system communication protocols makes information communication easier for "hackers" to attack. The international standardization body IEC has proposed the concept of "wide-area GOOSE" in the latest IEC 61850 international standard, so the use of Generic Object Oriented Substation Event (GOOSE) messages will no longer be limited to a single substation and will extend to more open and complex network environments such as inter-station and cross-regional applications. GOOSE messages will then be more exposed to security risks such as malicious eavesdropping and tampering, and the security of their data will become an increasingly prominent problem. In particular, GOOSE messages are used directly for tripping: once tampered with, they can cause a circuit breaker to operate wrongly, with serious consequences, which poses no small challenge to the safety and reliability of the power system.
To solve the data and communication security problems of the power communication field, in April 2005 IEC formulated the IEC 62351 data and communication security international standard (draft). Its core contents are authentication and encryption, which are intended to prevent a message from being intercepted by a third party during transmission, then deleted, inserted, modified, reordered and so on, and re-issued to the recipient. But unlike other messages, GOOSE messages have strict real-time requirements, and encrypting GOOSE messages cannot satisfy those timing requirements.
Invention content
To solve the above technical problem, the present invention provides a GOOSE message signing and authentication method.
To achieve the above object, the technical solution adopted by the present invention is:
A GOOSE message signing and authentication method, comprising:
The sender assembles the GOOSE message:
At initialization, the fixed data fields of the GOOSE message are assembled, and the offset of each variable data field within the GOOSE message is recorded; during real-time assembly, if the content of a variable data field changes, the content is first updated according to the recorded offset, and then the variable data field is assembled;
The sender applies a classified signature to the GOOSE message content:
SqNum is excluded from the GOOSE message APDU and an SHA1 message signature is computed over the remaining data; a separate CRC is computed over SqNum. The signature digest and the CRC result of SqNum are sent together with the original message as an extension field of the GOOSE message;
For a heartbeat message, signing consists of computing the CRC over the SqNum of that frame, while the SHA1 message signature is carried over from the previous frame;
The subscriber of the GOOSE message verifies:
Judge whether the signature digest of the received message is consistent with that of the previous frame. If consistent, parse SqNum and verify whether its CRC is correct; if the verification succeeds and SqNum equals the previous frame's SqNum plus 1, the frame is judged to be a heartbeat message and the link is normal. If inconsistent, the signature of the APDU is verified again and the CRC value of SqNum is checked; if both the signature verification and the check succeed, the message is accepted.
The transmitted GOOSE message is encoded in fixed-length mode.
The transmitted GOOSE message uses TLV encoding.
In classified signing, the content of GOOSE message reserved field 1 is redefined as a flag indicating whether the message is a GOOSE authentication extended message, and the content of GOOSE message reserved field 2 is redefined as the length of the extension field.
When verifying, the subscriber first judges from reserved field 1 whether the received message is a GOOSE authentication extended message; if it is, the signature digest judgement is carried out; if not, the normal unpacking procedure is carried out.
The extension field further includes the CRC calculation result over the GOOSE message TPID, TCI, EtherType and APPID.
Beneficial effects achieved by the present invention: through fast assembly of the GOOSE message and classified signing of the message content, the invention improves the efficiency of GOOSE message information-security authentication in a smart substation, so as to meet the real-time requirements placed on process-layer devices.
Description of the drawings
Fig. 1 is the flow chart of the present invention;
Fig. 2 is the original GOOSE message format;
Fig. 3 is the GOOSE authentication message format;
Fig. 4 is the flow chart of reception and verification by the subscriber.
Specific implementation mode
The invention is further described below with reference to the accompanying drawings. The following embodiments serve only to illustrate the technical solution of the present invention clearly and are not intended to limit its protection scope.
As shown in Fig. 1, the GOOSE message signing and authentication method is as follows:
1) The sender assembles the GOOSE message.
For the sender, in order to achieve fast assembly, the transmitted GOOSE message is encoded in fixed-length mode, specifically TLV (Type-Length-Value) encoding in which the space occupied by T (Type), L (Length) and V (Value) is fixed; for example, the data length L of StNum and SqNum always occupies 4 bytes, and the data field V of StNum and SqNum is fixed at 4 bytes.
At initialization, the fixed data fields of the GOOSE message are assembled; the fixed data fields are, as shown in Fig. 2, APPID, Length, reserved field 1, reserved field 2, gocbRef, dataSet, goID, confRev, ndsCom and numDatasetEntries. The offset of each variable data field within the GOOSE message is recorded; the variable data fields are, as shown in Fig. 2, Tal, t, stNum, sqNum, test and allData. During real-time assembly, if the content of a variable data field changes, the content is first updated according to the recorded offset and then the variable data field is assembled, so the message need not be assembled from scratch, which achieves the goal of fast assembly.
2) The sender applies a classified signature to the GOOSE message content.
As shown in Fig. 2, reserved field 1 and reserved field 2 of the original GOOSE message format are used to carry supplementary information about the signature. The content of GOOSE message reserved field 1 is redefined as a flag indicating whether the message is a GOOSE authentication extended message; it may be specified that a value of 0x0001 marks a GOOSE authentication message, and any other value an original GOOSE message. The content of GOOSE message reserved field 2 is redefined as the length of the extension field.
SqNum is excluded from the GOOSE message APDU and an SHA1 message signature is computed over the remaining data; a separate CRC is computed over SqNum; and a CRC is computed over the GOOSE message TPID, TCI, EtherType and APPID.
The signature digest and all CRC results are sent together with the original message as the extension field of the GOOSE message. As shown in Fig. 3, the extension field consists of three parts: the first part is the CRC result over TPID, TCI, EtherType and APPID (CRC1); the second part is the signature digest (AuthenticationValue), obtained by compressing the data information in the GOOSE message with the SHA1 algorithm, which yields a fixed-length signature digest string; the third part is the CRC result of SqNum (CRC2).
CRC1 remains unchanged once computed. When signing a heartbeat message, only SqNum changes while all other content is fixed, and SqNum at that point only expresses the heartbeat sequence number; therefore only the SqNum of that frame needs a CRC, and the SHA1 message signature is carried over from the previous frame unchanged, which greatly improves signing efficiency. When the content changes, AuthenticationValue is recomputed and updated; CRC2 has to be recomputed and updated for every frame.
3) The subscriber of the GOOSE message verifies.
The flow of reception and verification by the subscriber is shown in Fig. 4. First, the subscriber judges from reserved field 1 whether the received message is a GOOSE authentication extended message. If not, the normal unpacking procedure is carried out. If so, it judges whether the signature digest of the received message is consistent with that of the previous frame. If consistent, it parses SqNum and verifies whether its CRC is correct; if the verification succeeds and SqNum equals the previous frame's SqNum plus 1, the frame is judged to be a heartbeat message and the link is normal; in any other case the message is discarded. If inconsistent, the signature of the APDU is verified again and the CRC value of SqNum is checked; if both succeed the message is accepted, otherwise it is discarded. In this process a heartbeat message does not need a second signature verification: only the signature digest is compared and a CRC check is performed on SqNum, which greatly improves the parsing efficiency of GOOSE security authentication messages.
Through fast assembly of the GOOSE message and classified signing of the message content, the above method improves the efficiency of GOOSE message information-security authentication in a smart substation, so as to meet the real-time requirements placed on process-layer devices.
The above is only a preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art can make several improvements and modifications without departing from the technical principles of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.
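As an added example (not code from the patent or its applicants), the following Python sketch implements the sender's classified signing and the subscriber's verification flow as the description above lays them out: CRC1 over TPID/TCI/EtherType/APPID, an SHA1 digest over the APDU with sqNum excluded, CRC2 over sqNum, the heartbeat fast path that only checks CRC2 and the sequence, and the full re-verification when the digest changes. The byte layout and offsets, the TLV tags, CRC-32 as the CRC, the constructed TPID/TCI/EtherType values and the decision to check CRC1 on the full path are assumptions; the page gives the field order and the 0x0001 flag value but not these encodings.

```python
import hashlib
import struct
import zlib
from typing import Optional

# Constructed layout (assumption; the patent gives the field order in Fig. 2/3, not these exact offsets):
#   TPID(2) TCI(2) EtherType(2) APPID(2) | Length(2) Reserved1(2) Reserved2(2) | APDU | extension field
# APDU = stNum TLV | sqNum TLV | allData TLV, with a 1-byte T, a fixed 4-byte L and a 4-byte V for stNum/sqNum.
AUTH_FLAG = 0x0001      # reserved field 1: marks a GOOSE authentication extended message (value from the page)
EXT_LEN = 4 + 20 + 4    # extension field: CRC1 (4) | AuthenticationValue = SHA1 digest (20) | CRC2 (4)
HEAD_LEN, APDU_OFF = 8, 14
NUM_TLV = 1 + 4 + 4     # size of a stNum/sqNum TLV; the sqNum TLV is the second TLV of the APDU


def crc32(data: bytes) -> int:
    # CRC-32 stands in for the CRC whose polynomial the page does not specify (assumption)
    return zlib.crc32(data) & 0xFFFFFFFF


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + struct.pack(">I", len(value)) + value


def sign_frame(appid: int, st_num: int, sq_num: int, all_data: bytes,
               prev_digest: Optional[bytes] = None, heartbeat: bool = False) -> bytes:
    """Sender: assemble the frame and apply the classified signature (step 2 of the description)."""
    head = struct.pack(">HHHH", 0x8100, 0x8000, 0x88B8, appid)      # TPID, TCI, EtherType, APPID (constructed)
    st, sq, data = tlv(0x85, struct.pack(">I", st_num)), tlv(0x86, struct.pack(">I", sq_num)), tlv(0xAB, all_data)
    apdu = st + sq + data
    if heartbeat and prev_digest is not None:
        digest = prev_digest                        # heartbeat: SHA1 value carried over from the previous frame
    else:
        # SHA1 over the APDU with sqNum excluded. Unkeyed, as the page describes: it detects modification only
        # if the extension field cannot be rewritten as well; a keyed MAC or a signature would be needed for that.
        digest = hashlib.sha1(st + data).digest()
    crc1 = crc32(head)                              # CRC over TPID, TCI, EtherType, APPID: constant for the stream
    crc2 = crc32(sq[-4:])                           # CRC over sqNum alone: recomputed for every frame
    ext = struct.pack(">I", crc1) + digest + struct.pack(">I", crc2)
    hdr2 = struct.pack(">HHH", len(apdu) + EXT_LEN, AUTH_FLAG, EXT_LEN)  # Length, reserved 1 (flag), reserved 2
    return head + hdr2 + apdu + ext


def verify_frame(frame: bytes, state: dict) -> str:
    """Subscriber (Fig. 4): returns 'plain', 'heartbeat', 'accept' or 'drop'; state keeps the last digest/sqNum."""
    head = frame[:HEAD_LEN]
    flag, ext_len = struct.unpack(">HH", frame[10:APDU_OFF])
    if flag != AUTH_FLAG:
        return "plain"                              # not an authentication extended message: ordinary unpacking
    apdu, ext = frame[APDU_OFF:-ext_len], frame[-ext_len:]
    crc1, digest, crc2 = struct.unpack(">I", ext[:4])[0], ext[4:24], struct.unpack(">I", ext[24:28])[0]
    sq_bytes = apdu[NUM_TLV + 5:2 * NUM_TLV]        # value bytes of the sqNum TLV, found by fixed offset
    sq_num = struct.unpack(">I", sq_bytes)[0]
    if digest == state.get("digest"):
        # heartbeat fast path: only the sqNum CRC and the sequence are checked, the APDU is not re-hashed
        if crc2 == crc32(sq_bytes) and sq_num == state["sq"] + 1:
            state["sq"] = sq_num
            return "heartbeat"
        return "drop"
    # digest differs from the previous frame: full re-verification of the APDU (sqNum excluded) and of CRC2;
    # checking CRC1 here as well is this example's assumption, the page does not say when CRC1 is checked
    recomputed = hashlib.sha1(apdu[:NUM_TLV] + apdu[2 * NUM_TLV:]).digest()
    if digest == recomputed and crc2 == crc32(sq_bytes) and crc1 == crc32(head):
        state["digest"], state["sq"] = digest, sq_num
        return "accept"
    return "drop"


if __name__ == "__main__":
    state = {}
    first = sign_frame(0x0001, 1, 0, b"\x01\x00")                 # event frame: full signature
    print(verify_frame(first, state))                              # accept
    beat = sign_frame(0x0001, 1, 1, b"\x01\x00", first[-24:-4], heartbeat=True)
    print(verify_frame(beat, state))                               # heartbeat
```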

Claims (6)

1. A GOOSE message signing and authentication method, characterized in that it comprises:
The sender assembles the GOOSE message:
At initialization, the fixed data fields of the GOOSE message are assembled, and the offset of each variable data field within the GOOSE message is recorded; during real-time assembly, if the content of a variable data field changes, the content is first updated according to the recorded offset, and then the variable data field is assembled;
The sender applies a classified signature to the GOOSE message content:
SqNum is excluded from the GOOSE message APDU and an SHA1 message signature is computed over the remaining data; a separate CRC is computed over SqNum. The signature digest and the CRC result of SqNum are sent together with the original message as an extension field of the GOOSE message;
For a heartbeat message, signing consists of computing the CRC over the SqNum of that frame, while the SHA1 message signature is carried over from the previous frame;
The subscriber of the GOOSE message verifies:
Judge whether the signature digest of the received message is consistent with that of the previous frame. If consistent, parse SqNum and verify whether its CRC is correct; if the verification succeeds and SqNum equals the previous frame's SqNum plus 1, the frame is judged to be a heartbeat message and the link is normal. If inconsistent, the signature of the APDU is verified again and the CRC value of SqNum is checked; if both the signature verification and the check succeed, the message is accepted.
2. The GOOSE message signing and authentication method according to claim 1, characterized in that the transmitted GOOSE message is encoded in fixed-length mode.
3. The GOOSE message signing and authentication method according to claim 2, characterized in that the transmitted GOOSE message uses TLV encoding.
4. The GOOSE message signing and authentication method according to claim 1, characterized in that, in classified signing, the content of GOOSE message reserved field 1 is redefined as a flag indicating whether the message is a GOOSE authentication extended message, and the content of GOOSE message reserved field 2 is redefined as the length of the extension field.
5. The GOOSE message signing and authentication method according to claim 4, characterized in that, when verifying, the subscriber first judges from reserved field 1 whether the received message is a GOOSE authentication extended message; if it is, the signature digest judgement is carried out; if not, the normal unpacking procedure is carried out.
6. The GOOSE message signing and authentication method according to claim 1, characterized in that the extension field further includes the CRC calculation result over the GOOSE message TPID, TCI, EtherType and APPID.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810109227.8A CN108366055A (en) 2018-02-05 2018-02-05 A GOOSE message signing and authentication method

Publications (1)

Publication Number Publication Date
CN108366055A true CN108366055A (en) 2018-08-03

Family

ID=63004765

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810109227.8A Pending CN108366055A (en) 2018-02-05 2018-02-05 A GOOSE message signing and authentication method

Country Status (1)

Country Link
CN (1) CN108366055A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100039954A1 (en) * 2008-08-18 2010-02-18 Abb Technology Ag Analyzing communication configuration in a process control system
CN103873461A (en) * 2014-02-14 2014-06-18 中国南方电网有限责任公司 IEC62351-based security interaction method for GOOSE message
CN104506500A (en) * 2014-12-11 2015-04-08 广东电网有限责任公司电力科学研究院 GOOSE message authentication method based on transformer substation
CN104639328A (en) * 2015-01-29 2015-05-20 华南理工大学 GOOSE message authentication method and GOOSE (Generic Object Oriented Substation Event) message authentication system
CN106451376A (en) * 2016-09-30 2017-02-22 西电通用电气自动化有限公司 Method and apparatus for issuing GOOSE messages

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王智东 et al.: "A GOOSE message encryption and decryption method combining field semantics", Journal of South China University of Technology (Natural Science Edition) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110995729A (en) * 2019-12-12 2020-04-10 广东电网有限责任公司电力调度控制中心 Control system communication method and device based on asymmetric encryption and computer equipment
CN110995729B (en) * 2019-12-12 2022-09-16 广东电网有限责任公司电力调度控制中心 Control system communication method and device based on asymmetric encryption and computer equipment
CN113746631A (en) * 2021-07-12 2021-12-03 浙江众合科技股份有限公司 Safety communication method based on safety code
CN114339765A (en) * 2021-11-25 2022-04-12 国网河南省电力公司电力科学研究院 Differential protection data interactive chain type verification method and system based on 5G communication
CN114339765B (en) * 2021-11-25 2024-01-19 国网河南省电力公司电力科学研究院 Differential protection data interactive chain type verification method and system based on 5G communication

Similar Documents

Publication Publication Date Title
CN108366055A (en) A GOOSE message signing and authentication method
CN104702466B (en) A kind of process layer safety test system and method based on IEC62351
JP5374752B2 (en) Protection control measurement system and apparatus, and data transmission method
CN106357690B (en) data transmission method, data sending device and data receiving device
CN104811427B (en) A kind of safe industrial control system communication means
CN103581683B (en) Jpeg image encryption transmission method
CN106559419B (en) The application and identification method and identification terminal of short message verification code
CN103441983A (en) Information protection method and device based on link layer discovery protocol
CN105187209A (en) Ethernet communication security protection method
CN106507352B (en) The website identification method and identification terminal of short message verification code
CN103714017B (en) A kind of authentication method, authentication device and authenticating device
CN108449310B (en) Domestic network security isolation and one-way import system and method
EP3713147A1 (en) Railway signal security encryption method and system
CN104639328B (en) A kind of GOOSE message authentication method and system
CN104135469B (en) A kind of method of raising RSSP II protocol safeties
CN107786951A (en) A kind of information processing method and terminal device
CN115694931A (en) Relay protection remote operation and maintenance intrusion prevention and detection method and system
CN106936834B (en) Method for intrusion detection of IEC61850 digital substation SMV message
CN105763328A (en) Fragmented message transmission method and network equipment
CN102316032B (en) A kind of method and the network switch of protection link exchange safety
CN112839037A (en) Power distribution network protocol instruction tamper-proofing method and system
CN111356178B (en) Transmission method, transmitting side PDCP entity and receiving side PDCP entity
CN111030804A (en) Fault information transmission method, device, system, equipment and storage medium
CN102761845B (en) Method for carrying out remote control by using short message, and network integration device
CN109462591A (en) A kind of data transmission method, method of reseptance, apparatus and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180803