CN111541699B - Method for safely transmitting data based on IEC102 communication protocol - Google Patents

Info

Publication number: CN111541699B
Authority: CN (China)
Prior art keywords: message, information body, variable frame, digest value, byte
Legal status: Active
Application number: CN202010334630.8A
Other languages: Chinese (zh)
Other versions: CN111541699A
Inventors: 栗会峰, 刘哲, 李宣义, 李均强, 赵宇皓, 杨立波, 马斌
Current assignee: State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd; State Grid Hebei Energy Technology Service Co Ltd
Original assignee: State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd; State Grid Hebei Energy Technology Service Co Ltd

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
        • H04L 63/0435: Network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
        • H04L 63/061: Network architectures or network communication protocols for network security, for supporting key management in a packet data network, for key exchange, e.g. in peer-to-peer networks
        • H04L 63/12: Network architectures or network communication protocols for network security, applying verification of the received information
        • H04L 69/26: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass; special purpose or proprietary protocols or architectures
        • H04L 9/3242: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), using cryptographic hash functions, involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
        • H04L 9/3297: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving time stamps, e.g. generation of time stamps
    • H (Electricity) > H02 (Generation, conversion or distribution of electric power) > H02J (Circuit arrangements or systems for supplying or distributing electric power; systems for storing electric energy):
        • H02J 13/00028: Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuit breaker in the network; circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network, characterised by information or instructions transport means between the monitoring, controlling or managing units and the monitored, controlled or operated power network element or electrical equipment, involving the use of Internet protocols
    • Y (General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests) > Y04 (Information or communication technologies having an impact on other technology areas) > Y04S (Systems integrating technologies related to power network operation, communication or information technologies for improving the electrical power generation, transmission, distribution, management or usage, i.e. smart grids):
        • Y04S 40/20: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them; information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

The invention discloses a method for securely transmitting data based on the IEC102 communication protocol, in the technical field of power system automation. The method comprises steps S1 to S3. Step S1: one information body of the application service data unit of a variable frame message is defined as a reserved information body B, which comprises an information body address, an information element set and a time mark t1. Step S2: the negotiation and exchange of a symmetric encryption algorithm and its key, and of an HMAC algorithm and its key, between the master station side and the terminal side are completed off-line. Step S3: the terminal side is scheduled to send an IEC102 protocol communication message to the master station side; the terminal side parses the first byte of the message, identifies the message format, and applies security reinforcement processing according to that format. Through steps S1 to S3, good data security is achieved during the transmission of electric energy data.

Description

Method for safely transmitting data based on IEC102 communication protocol
Technical Field
The invention relates to the technical field of power system automation, in particular to a method for safely transmitting data based on an IEC102 communication protocol.
Background
The IEC102 communication protocol is widely used for communication between the master station of an electric energy metering system and the electric energy acquisition terminals, and the security of the data transmitted by the electric energy metering system bears on the interests of power generation enterprises, power grid enterprises and power consumers. Resisting external network attacks, preventing the electric quantity data from being monitored, tampered with or replayed during transmission, and ensuring that accurate and genuine electric quantity data are obtained are therefore of great practical significance for protecting the interests of all parties.
The IEC102 protocol specifies the message format for the transmission of electric energy data and is a plaintext transmission protocol: the electric energy data message is transmitted in the clear, so there is a risk of network eavesdropping. The 102 protocol message does not check the integrity of the data message; integrity is verified only by the check code, and because the check code itself can be tampered with, integrity cannot be effectively guaranteed. This defect allows an attacker, at any stage of the communication process, to impersonate an identity by intercepting, tampering with or simulating messages and to send false messages to the other side. The 102 protocol message also lacks a security check mechanism that resists replay of messages.
Problems with the prior art and considerations:
how to solve the technical problem of poor data security in the electric energy data transmission process.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a method for securely transmitting data based on the IEC102 communication protocol, which achieves good data security in the transmission of electric energy data through steps S1 to S3.
To solve this technical problem, the technical solution adopted by the invention is as follows: a method for securely transmitting data based on the IEC102 communication protocol comprises steps S1 to S3. Step S1: one information body of the application service data unit of a variable frame message is defined as a reserved information body B, which comprises an information body address, an information element set and a time mark t1. Step S2: the negotiation and exchange of a symmetric encryption algorithm and its key, and of an HMAC algorithm and its key, between the master station side and the terminal side are completed off-line. Step S3: the terminal side transmits an IEC102 protocol communication message to the master station side, parses the first byte of the message, identifies the message format, and applies security reinforcement processing according to that format.
A further technical solution is as follows: the method further comprises steps S4, S5 and S10. Step S4: identify the message format; if the message is a variable frame message, proceed to step S5; if it is a single-byte or fixed frame message, proceed to step S10. Step S5: calculate the message digest value M1 of the variable frame message using the HMAC algorithm, place the result in the information element set of the reserved information body B, and write the current terminal system time into the time mark t1 of the reserved information body. Step S10: the master station side receives the message sent by the terminal side, stores and processes it, and the message transmission is complete.
A further technical solution is as follows: the method further comprises step S6. Step S6: encrypt the variable frame message with the symmetric encryption algorithm to obtain the variable frame message ciphertext.
A further technical solution is as follows: the method further comprises steps S7 to S9. Step S7: the master station side receives the variable frame message ciphertext and decrypts it with the secret key; if decryption succeeds and the variable frame message plaintext is obtained, proceed to step S8; if decryption fails, discard the variable frame message. Step S8: calculate the message digest value M2 of the variable frame message plaintext using the HMAC algorithm and check it for consistency with the message digest value M1; if M2 is completely consistent with M1, verification succeeds and step S9 is entered; if M2 is not completely consistent with M1, verification fails and the variable frame message is discarded. Step S9: compare the time mark t1 in the information body B with the current master station side system time t2; if the difference between them lies within the time range T, verification succeeds and step S10 is entered; if it does not lie within the time range T, verification fails and the variable frame message is discarded.
A further technical solution is as follows: in step S1, the reserved information body B is located at the tail of the application service data unit, is 8 + L bytes long and sits before the check code, and comprises an information body identifier, an information body element and an information body time mark; the information body identifier is 1 byte long with content 0, the information body element is L bytes long with content equal to the message digest value M1, and the time mark t1 of the information body is a B-class time mark whose content is the terminal system time.
A further technical solution is as follows: in step S2, the off-line mode means that the symmetric encryption algorithm and the HMAC algorithm used by the master station side and the terminal side are determined in a preset manner, and the keys of the symmetric encryption algorithm and the HMAC algorithm are synchronized.
A further technical solution is as follows: in step S3, identifying the message format comprises parsing the content of the first byte of the message: if the first byte is 0xE5, the message is a single-byte message; if the first byte is 0x10, the message is a fixed frame message; if the first byte is 0x68, the message is a variable frame message.
A further technical solution is as follows: in step S5, the part of the variable frame message that participates in the calculation of the message digest value M1 is the message from the first byte up to the reserved information body B, and the length of the message digest value M1 is less than or equal to L bytes.
A further technical solution is as follows: in step S8, the part of the variable frame message plaintext that participates in the calculation of the message digest value M2 is the message from the first byte up to the reserved information body B, and the length of the message digest value M2 is less than or equal to L bytes.
A further technical solution is as follows: in step S9, the time range T is expressed as (t0, t3) s, where t0 is a negative number greater than -10 and t3 is a positive number less than or equal to 60; the values of t0 and t3 are determined according to the clock errors of the master station side and the terminal side.
The beneficial effects produced by the above technical solution are as follows:
a method for securely transmitting data based on the IEC102 communication protocol comprises steps S1 to S3. Step S1: one information body of the application service data unit of a variable frame message is defined as a reserved information body B, which comprises an information body address, an information element set and a time mark t1. Step S2: the negotiation and exchange of a symmetric encryption algorithm and its key, and of an HMAC algorithm and its key, between the master station side and the terminal side are completed off-line. Step S3: the terminal side transmits an IEC102 protocol communication message to the master station side, parses the first byte of the message, identifies the message format, and applies security reinforcement processing according to that format. Through steps S1 to S3, good data security is achieved during the transmission of electric energy data.
See detailed description of the preferred embodiments.
Drawings
Fig. 1 is a flow chart of the present invention;
Fig. 2 is a structural diagram of a variable frame message in the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the application, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application, but the present application may be practiced in other ways than those described herein, and it will be apparent to those of ordinary skill in the art that the present application is not limited to the specific embodiments disclosed below.
Example 1:
As shown in Fig. 1 and Fig. 2, the present invention discloses a method for securely transmitting data based on the IEC102 communication protocol, comprising steps S1 to S10:
Step S1: one information body of the application service data unit of the variable frame message is defined as the reserved information body B; the reserved information body B comprises an information body address, an information element set and a time mark t1.
Step S2: the negotiation and exchange of the symmetric encryption algorithm and its key, and of the HMAC algorithm and its key, between the master station side and the terminal side are completed off-line.
Step S3: the terminal side transmits an IEC102 protocol communication message to the master station side, parses the first byte of the message, identifies the message format, and applies security reinforcement processing according to that format.
Step S4: identify the message format; if the message is a variable frame message, proceed to step S5; if it is a single-byte or fixed frame message, proceed to step S10.
Step S5: calculate the message digest value M1 of the variable frame message using the HMAC algorithm, place the result in the information element set of the reserved information body B, and write the current terminal system time into the time mark t1 of the reserved information body.
Step S6: encrypt the variable frame message with the symmetric encryption algorithm to obtain the variable frame message ciphertext.
Step S7: the master station side receives the variable frame message ciphertext and decrypts it with the secret key; if decryption succeeds and the variable frame message plaintext is obtained, proceed to step S8; if decryption fails, discard the variable frame message.
Step S8: calculate the message digest value M2 of the variable frame message plaintext using the HMAC algorithm and check it for consistency with the message digest value M1; if M2 is completely consistent with M1, verification succeeds and step S9 is entered; if M2 is not completely consistent with M1, verification fails and the variable frame message is discarded.
Step S9: compare the time mark t1 in the information body B with the current master station side system time t2; if the difference between them lies within the time range T, verification succeeds and step S10 is entered; if it does not lie within the time range T, verification fails and the variable frame message is discarded.
Step S10: the master station side receives the message sent by the terminal side, stores and processes it, and the message transmission is complete.
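The terminal-side construction of the reserved information body B (steps S1 and S5) and the master-side checks of steps S8 and S9, as an added example that is not part of the patent. It works on the plaintext frame, i.e. after the step S7 decryption, because the patent fixes no symmetric cipher and the Python standard library has none. Assumptions: the B-class time mark is the 7-byte CP56Time2a encoding (consistent with the 8 + L body length), HMAC-SHA256 stands in for the negotiated HMAC algorithm (so L = 32), the key, frame contents and send time are constructed sample values, and (t0, t3) = (-5, 30) s.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Values agreed off-line in step S2 (constructed sample values, not from the patent).
HMAC_KEY = b"constructed-offline-shared-hmac-key"
DIGEST_LEN = 32          # L: HMAC-SHA256 output length, so body B is 8 + 32 = 40 bytes
T0, T3 = -5, 30          # time range T = (t0, t3) s; t0 > -10, t3 <= 60 (step S9)

START_SINGLE, START_FIXED, START_VARIABLE, END_CHAR = 0xE5, 0x10, 0x68, 0x16
BODY_LEN = 1 + DIGEST_LEN + 7   # identifier (1 byte, value 0) + digest (L) + B-class time mark (7)

# Constructed terminal send time; shifted() simulates the master clock t2 relative to it.
SEND_TIME = datetime(2024, 5, 6, 12, 30, 15, 250000, tzinfo=timezone.utc)


def shifted(seconds: float) -> datetime:
    return SEND_TIME + timedelta(seconds=seconds)


def classify_frame(msg: bytes) -> str:
    """Steps S3/S4: identify the message format from its first byte."""
    if not msg:
        raise ValueError("empty message")
    kinds = {START_SINGLE: "single", START_FIXED: "fixed", START_VARIABLE: "variable"}
    if msg[0] not in kinds:
        raise ValueError(f"unknown start character 0x{msg[0]:02X}")
    return kinds[msg[0]]


def encode_cp56(t: datetime) -> bytes:
    """B-class time mark as 7-byte CP56Time2a (assumed encoding): ms, min, hour, day|dow, month, year."""
    ms = t.second * 1000 + t.microsecond // 1000
    return struct.pack("<HBBBBB", ms, t.minute & 0x3F, t.hour & 0x1F,
                       (t.day & 0x1F) | ((t.isoweekday() & 0x07) << 5),
                       t.month & 0x0F, (t.year % 100) & 0x7F)


def decode_cp56(b: bytes) -> datetime:
    """Inverse of encode_cp56; the two-digit year is assumed to lie in the 2000s."""
    ms, minute, hour, dayw, month, year = struct.unpack("<HBBBBB", b)
    return datetime(2000 + (year & 0x7F), month & 0x0F, dayw & 0x1F, hour & 0x1F,
                    minute & 0x3F, ms // 1000, (ms % 1000) * 1000, tzinfo=timezone.utc)


def check_code(user_data: bytes) -> int:
    """FT1.2 check code: arithmetic sum of the user data (control field to end of ASDU) mod 256."""
    return sum(user_data) & 0xFF


def build_protected_frame(control: int, address: int, asdu: bytes, now: datetime) -> bytes:
    """Terminal side, steps S1 and S5: variable frame whose ASDU ends with reserved body B."""
    user_len = 1 + 2 + len(asdu) + BODY_LEN          # control + 2-byte address + ASDU + B
    if user_len > 255:
        raise ValueError("user data too long for a one-byte length field")
    head = bytes([START_VARIABLE, user_len, user_len, START_VARIABLE])
    prefix = head + bytes([control]) + struct.pack("<H", address) + asdu
    # M1 covers the message from its first byte up to (not including) body B, so the
    # length fields, which already account for B, are protected by the digest as well.
    m1 = hmac.new(HMAC_KEY, prefix, hashlib.sha256).digest()
    body_b = bytes([0x00]) + m1 + encode_cp56(now)   # identifier 0 | M1 | t1
    user_data = prefix[4:] + body_b
    return prefix + body_b + bytes([check_code(user_data), END_CHAR])


def verify_protected_frame(frame: bytes, now: datetime) -> tuple[bool, str]:
    """Master side, steps S8 and S9, applied to the plaintext obtained in step S7."""
    if classify_frame(frame) != "variable":
        return True, "single-byte or fixed frame: no body B, pass to step S10"
    if len(frame) < 6 or frame[1] != frame[2] or frame[3] != START_VARIABLE or frame[-1] != END_CHAR:
        return False, "malformed variable frame"
    user_len = frame[1]
    if len(frame) != 4 + user_len + 2:
        return False, "length field does not match frame length"
    user_data = frame[4:4 + user_len]
    if check_code(user_data) != frame[4 + user_len]:
        return False, "check code mismatch"
    if user_len < 3 + BODY_LEN:
        return False, "frame too short to carry the reserved information body B"
    b_start = 4 + user_len - BODY_LEN
    body_b = frame[b_start:b_start + BODY_LEN]
    if body_b[0] != 0x00:
        return False, "reserved information body identifier is not 0"
    m1 = body_b[1:1 + DIGEST_LEN]
    # Step S8: recompute M2 over the same range and compare in constant time.
    m2 = hmac.new(HMAC_KEY, frame[:b_start], hashlib.sha256).digest()
    if not hmac.compare_digest(m1, m2):
        return False, "HMAC mismatch: message tampered with or wrong key"
    # Step S9: freshness check; delta = t2 - t1 must lie in the open interval (t0, t3).
    try:
        t1 = decode_cp56(body_b[1 + DIGEST_LEN:])
    except ValueError:
        return False, "undecodable time mark"
    delta = (now - t1).total_seconds()
    if not (T0 < delta < T3):
        return False, f"time mark outside window: delta={delta:.3f}s"
    return True, "verified"


if __name__ == "__main__":
    f = build_protected_frame(0x08, 0x0001, bytes.fromhex("010203"), SEND_TIME)
    print(f.hex(), verify_protected_frame(f, shifted(3)))
```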
Example 2:
Embodiment 2 differs from embodiment 1 in that step S1 is further refined.
As shown in Fig. 1 and Fig. 2, the present invention discloses a method for securely transmitting data based on the IEC102 communication protocol, comprising steps S1 to S10:
Step S1: one information body of the application service data unit of the variable frame message is defined as the reserved information body B; the reserved information body B comprises an information body address, an information element set and a time mark t1.
The reserved information body B is located at the tail of the application service data unit, is 8 + L bytes long and sits before the check code, and comprises an information body identifier, an information body element and an information body time mark; the information body identifier is 1 byte long with content 0, the information body element is L bytes long with content equal to the message digest value M1, and the time mark t1 of the information body is a B-class time mark whose content is the terminal system time.
Step S2: the negotiation and exchange of the symmetric encryption algorithm and its key, and of the HMAC algorithm and its key, between the master station side and the terminal side are completed off-line.
Step S3: the terminal side transmits an IEC102 protocol communication message to the master station side, parses the first byte of the message, identifies the message format, and applies security reinforcement processing according to that format.
Step S4: identify the message format; if the message is a variable frame message, proceed to step S5; if it is a single-byte or fixed frame message, proceed to step S10.
Step S5: calculate the message digest value M1 of the variable frame message using the HMAC algorithm, place the result in the information element set of the reserved information body B, and write the current terminal system time into the time mark t1 of the reserved information body.
Step S6: encrypt the variable frame message with the symmetric encryption algorithm to obtain the variable frame message ciphertext.
Step S7: the master station side receives the variable frame message ciphertext and decrypts it with the secret key; if decryption succeeds and the variable frame message plaintext is obtained, proceed to step S8; if decryption fails, discard the variable frame message.
Step S8: calculate the message digest value M2 of the variable frame message plaintext using the HMAC algorithm and check it for consistency with the message digest value M1; if M2 is completely consistent with M1, verification succeeds and step S9 is entered; if M2 is not completely consistent with M1, verification fails and the variable frame message is discarded.
Step S9: compare the time mark t1 in the information body B with the current master station side system time t2; if the difference between them lies within the time range T, verification succeeds and step S10 is entered; if it does not lie within the time range T, verification fails and the variable frame message is discarded.
Step S10: the master station side receives the message sent by the terminal side, stores and processes it, and the message transmission is complete.
Example 3:
Embodiment 3 differs from embodiment 2 in that step S2 is further refined.
As shown in Fig. 1 and Fig. 2, the present invention discloses a method for securely transmitting data based on the IEC102 communication protocol, comprising steps S1 to S10:
Step S1: one information body of the application service data unit of the variable frame message is defined as the reserved information body B; the reserved information body B comprises an information body address, an information element set and a time mark t1.
The reserved information body B is located at the tail of the application service data unit, is 8 + L bytes long and sits before the check code, and comprises an information body identifier, an information body element and an information body time mark; the information body identifier is 1 byte long with content 0, the information body element is L bytes long with content equal to the message digest value M1, and the time mark t1 of the information body is a B-class time mark whose content is the terminal system time.
Step S2: the negotiation and exchange of the symmetric encryption algorithm and its key, and of the HMAC algorithm and its key, between the master station side and the terminal side are completed off-line.
The off-line mode means that the symmetric encryption algorithm and the HMAC algorithm used by the master station side and the terminal side are determined in a preset manner, and the keys of the symmetric encryption algorithm and the HMAC algorithm are synchronized.
Step S3: the terminal side transmits an IEC102 protocol communication message to the master station side, parses the first byte of the message, identifies the message format, and applies security reinforcement processing according to that format.
Step S4: identify the message format; if the message is a variable frame message, proceed to step S5; if it is a single-byte or fixed frame message, proceed to step S10.
Step S5: calculate the message digest value M1 of the variable frame message using the HMAC algorithm, place the result in the information element set of the reserved information body B, and write the current terminal system time into the time mark t1 of the reserved information body.
Step S6: encrypt the variable frame message with the symmetric encryption algorithm to obtain the variable frame message ciphertext.
Step S7: the master station side receives the variable frame message ciphertext and decrypts it with the secret key; if decryption succeeds and the variable frame message plaintext is obtained, proceed to step S8; if decryption fails, discard the variable frame message.
Step S8: calculate the message digest value M2 of the variable frame message plaintext using the HMAC algorithm and check it for consistency with the message digest value M1; if M2 is completely consistent with M1, verification succeeds and step S9 is entered; if M2 is not completely consistent with M1, verification fails and the variable frame message is discarded.
Step S9: compare the time mark t1 in the information body B with the current master station side system time t2; if the difference between them lies within the time range T, verification succeeds and step S10 is entered; if it does not lie within the time range T, verification fails and the variable frame message is discarded.
Step S10: the master station side receives the message sent by the terminal side, stores and processes it, and the message transmission is complete.
Example 4:
Embodiment 4 differs from embodiment 3 in that step S3 is further optimized.
As shown in fig. 1 and fig. 2, the present invention discloses a method for securely transmitting data based on IEC102 communication protocol, including steps S1-S10:
step S1: one information body of the application service data unit of the variable frame message is defined as a reserved information body B, and the reserved information body B includes an information body address, an information element set and a time stamp t1.
The reserved information body B is positioned at the tail part of the application service data unit, immediately before the check code, is 8+L bytes in length and comprises an information body identifier, an information body element and an information body time scale; the length of the information body identifier is 1 byte and its content is 0, the length of the information body element is L and its content is the message digest value M1, and the time mark t1 of the information body is a B-class time mark whose content is the terminal system time.
Step S2: and the negotiation and exchange of a symmetric encryption algorithm and a secret key as well as an HMAC algorithm and a secret key between the master station side and the terminal side are completed in an off-line mode.
The off-line mode is to determine a symmetric encryption algorithm and an HMAC algorithm used by the master station side and the terminal side in a preset mode and to synchronize keys of the symmetric encryption algorithm and the HMAC algorithm.
Step S3: the terminal side transmits an IEC102 protocol communication message to the master station side, analyzes the first byte of the message, identifies the format of the message, and adopts safety reinforcement processing according to the format of the message. The step of identifying the message format comprises:
analyzing the content of the first byte of the message, and if the first byte is 0xE5, the message is a single byte message;
if the first byte is 0x10, the message is a fixed frame message;
if the first byte is 0x68, the message is a variable frame message.
Step S4: identifying the format of the message, and if the message is a variable frame message, entering step S5; if the message is a single byte or fixed frame message, the process proceeds to step S10.
Step S5: and calculating to obtain a message digest value M1 of the variable frame message by using an HMAC algorithm, putting a calculation result in an information element set in the reserved information body B, and writing the current terminal system time into a time mark t1 of the reserved information body.
Step S6: and encrypting the variable frame message by adopting a symmetric encryption algorithm to obtain a variable frame message ciphertext.
Step S7: and the master station side receives the variable frame message ciphertext, decrypts the variable frame message ciphertext by using the secret key, if the decryption is successful and the variable frame message plaintext is obtained, the step S8 is entered, and if the decryption is failed, the variable frame message is discarded.
Step S8: calculating a message digest value M2 of the variable frame message plaintext by using the HMAC algorithm, and performing consistency verification between the message digest value M2 and the message digest value M1; if M2 is completely consistent with M1, the verification succeeds and step S9 is entered; if M2 is not completely consistent with M1, the verification fails and the variable frame message is discarded.
Step S9: comparing the time mark t1 in the information body B with the current master station side system time t2; if the difference between t1 and t2 is within the time range T, the verification succeeds and step S10 is entered; if the difference is not within the time range T, the verification fails and the variable frame message is discarded.
Step S10: and the master station side receives the message sent by the terminal side, stores and processes the message, and finishes message transmission.
Example 5:
Embodiment 5 differs from embodiment 4 in that steps S5, S8 and S9 are further optimized.
As shown in fig. 1 and fig. 2, the present invention discloses a method for securely transmitting data based on IEC102 communication protocol, including steps S1-S10:
step S1: one information body of the application service data unit of the variable frame message is defined as a reserved information body B, and the reserved information body B includes an information body address, an information element set and a time stamp t1.
The reserved information body B is positioned at the tail part of the application service data unit, immediately before the check code, is 8+L bytes in length and comprises an information body identifier, an information body element and an information body time scale; the length of the information body identifier is 1 byte and its content is 0, the length of the information body element is L and its content is the message digest value M1, and the time mark t1 of the information body is a B-class time mark whose content is the terminal system time.
Step S2: and the negotiation and exchange of a symmetric encryption algorithm and a secret key as well as an HMAC algorithm and a secret key between the master station side and the terminal side are completed in an off-line mode.
The off-line mode is to determine a symmetric encryption algorithm and an HMAC algorithm used by the master station side and the terminal side in a preset mode and to synchronize keys of the symmetric encryption algorithm and the HMAC algorithm.
Step S3: the terminal side transmits an IEC102 protocol communication message to the master station side, analyzes the first byte of the message, identifies the format of the message, and adopts safety reinforcement processing according to the format of the message. The step of identifying the message format comprises:
analyzing the content of the first byte of the message, and if the first byte is 0xE5, the message is a single byte message;
if the first byte is 0x10, the message is a fixed frame message;
if the first byte is 0x68, the message is a variable frame message.
Step S4: identifying the format of the message, and if the message is a variable frame message, entering step S5; if the message is a single byte or fixed frame message, the process proceeds to step S10.
Step S5: and calculating to obtain a message digest value M1 of the variable frame message by using an HMAC algorithm, putting a calculation result in an information element set in the reserved information body B, and writing the current terminal system time into a time mark t1 of the reserved information body. The range of the variable frame message participating in the calculation of the message digest value M1 is a message between the first byte and the reserved information body B.
Step S6: and encrypting the variable frame message by adopting a symmetric encryption algorithm to obtain a variable frame message ciphertext.
Step S7: and the master station side receives the variable frame message ciphertext, decrypts the variable frame message ciphertext by using the secret key, if the decryption is successful and the variable frame message plaintext is obtained, the step S8 is entered, and if the decryption is failed, the variable frame message is discarded.
Step S8: calculating a message digest value M2 of the variable frame message plaintext by using the HMAC algorithm, and performing consistency verification between the message digest value M2 and the message digest value M1; if M2 is completely consistent with M1, the verification succeeds and step S9 is entered; if M2 is not completely consistent with M1, the verification fails and the variable frame message is discarded. The range of the variable frame message plaintext participating in the calculation of the message digest value M2 is the message between the first byte and the reserved information body B.
Step S9: comparing the time mark t1 in the information body B with the current master station side system time t2; if the difference between t1 and t2 is within the time range T, the verification succeeds and step S10 is entered; if the difference is not within the time range T, the verification fails and the variable frame message is discarded. The time range T is represented by (t0, t3) s, where t0 is a negative number greater than -10 and t3 is a positive number less than or equal to 60; the values of t0 and t3 are determined based on the clock errors on the master station side and the terminal side.
Step S10: and the master station side receives the message sent by the terminal side, stores and processes the message, and finishes message transmission.
The inventive concept of the application is as follows:
In order to solve the technical problems of the prior art, the IEC102-oriented data transmission security method provided by the application applies data encryption, integrity verification and timestamp verification to IEC102 protocol data messages, which to a certain extent improves the ability to resist data interception, data tampering and message replay attacks and thereby improves the security of the IEC102 protocol.
The technical contribution of the application lies in:
step S1: one information body of the application service data unit of the variable frame message is defined as a reserved information body B, and the reserved information body B includes an information body address, an information element set and a time stamp t1.
Step S2: and the negotiation and exchange of a symmetric encryption algorithm and a secret key as well as an HMAC algorithm and a secret key between the master station side and the terminal side are completed in an off-line mode.
Step S3: the terminal side transmits an IEC102 protocol communication message to the master station side, analyzes the first byte of the message, identifies the format of the message, and adopts safety reinforcement processing according to the format of the message.
Step S4: and carrying out security reinforcement processing on the message according to the message format. If the message is a variable frame message, the process proceeds to step S5. If the message is a single byte or fixed frame message, the process proceeds to step S10.
Step S5: and calculating to obtain a message digest value M1 of the variable frame message by using an HMAC algorithm, putting a calculation result in an information element set in the reserved information body B, and writing the current terminal system time into a time mark t1 of the reserved information body.
Step S6: and encrypting the variable frame message by adopting a symmetric encryption algorithm to obtain a variable frame message ciphertext.
Step S7: and the master station side receives the variable frame message ciphertext, decrypts the variable frame message ciphertext by using the secret key, if the decryption is successful and the variable frame message plaintext is obtained, the step S8 is entered, and if the decryption is failed, the variable frame message is discarded.
Step S8: calculating a message digest value M2 of the variable frame message plaintext by using the HMAC algorithm, and performing consistency verification between the message digest value M2 and the message digest value M1; if M2 is completely consistent with M1, the verification succeeds and step S9 is entered; if M2 is not completely consistent with M1, the verification fails and the variable frame message is discarded.
Step S9: comparing the time mark t1 in the information body B with the current master station side system time t2; if the difference between t1 and t2 is within the time range T, the verification succeeds and step S10 is entered; if the difference is not within the time range T, the verification fails and the variable frame message is discarded.
Step S10: and the master station side receives the message sent by the terminal side, stores and processes the message, and finishes message transmission.
Preferably, in step S1, the reserved information body B is located at the tail of the application service data unit, immediately before the check code, has a length of 8+L bytes, and includes an information body identifier, an information body element, and an information body time stamp. The length of the information body identifier is 1 byte and its content is 0, the length of the information body element is L and its content is the message digest value M1, and the time mark t1 of the information body is a B-class time mark whose content is the terminal system time.
Preferably, in step S2, the offline mode refers to that the symmetric encryption algorithm and the HMAC algorithm used by the master station side and the terminal side are determined in a preset mode, and the symmetric encryption algorithm and the HMAC algorithm key are synchronized.
Preferably, in step S3, the step of identifying the message format includes:
and analyzing the content of the first byte of the message, and if the first byte is 0xE5, determining that the message is a single byte message.
If the first byte is 0x10, the message is a fixed frame message.
If the first byte is 0x68, the message is a variable frame message.
Preferably, in step S5, the range of the variable frame message participating in the calculation of the message digest value M1 is a message between the first byte and the reserved information body B, and does not include the information body B.
Preferably, in step S8, the range of the plaintext of the variable frame message participating in the calculation of the message digest value M2 is a message between the first byte and the reserved information body B, and does not include the information body B.
Preferably, in step S9, the time range T is represented by (t0, t3) s, where t0 is a negative number greater than -10 and t3 is a positive number less than or equal to 60; the values of t0 and t3 can be determined based on the clock errors on the master station side and the terminal side.
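As an added example that is not part of the patent, the following Go code implements steps S3, S4, S5, S8, S9 and S10 for a variable frame: first-byte classification, appending the reserved information body B (identifier 0x00, digest M1 over every byte before B, time mark t1) before the check code, and the master-side digest and time-window checks. HMAC-SHA256 (so L = 32), a 7-byte CP56Time2a tag as the B-class time mark, the sign convention t0 < t2-t1 < t3, the key value and the sample frame are assumptions; the symmetric encryption of steps S6/S7 is not shown, so Protect returns the plaintext that S6 would encrypt and Verify consumes the plaintext that S7 recovers.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

const (
	L        = sha256.Size // digest length; HMAC-SHA256 is an assumed instantiation of "an HMAC algorithm"
	bodyBLen = 8 + L       // reserved body B: identifier 0x00, L-byte digest M1, 7-byte CP56Time2a tag t1
)

var macKey = []byte("iec102-hmac-demo-key") // HMAC key agreed offline in step S2 (constructed sample)

type Window struct{ T0, T3 time.Duration } // (t0, t3) of step S9, applied as t0 < t2-t1 < t3 (sign assumed)

var kinds = map[byte]string{0xE5: "single", 0x10: "fixed", 0x68: "variable"} // first-byte test, step S3

func Classify(msg []byte) string {
	if len(msg) == 0 {
		return ""
	}
	return kinds[msg[0]] // "" for anything unrecognised
}

// CP56Time2a, the B-class time tag: ms (LE16) | minute | hour | day | month | year-2000.
func encodeCP56(t time.Time) []byte {
	b := make([]byte, 7)
	binary.LittleEndian.PutUint16(b, uint16(t.Second()*1000+t.Nanosecond()/1e6))
	b[2], b[3], b[4], b[5], b[6] = byte(t.Minute()), byte(t.Hour()), byte(t.Day()), byte(t.Month()), byte(t.Year()-2000)
	return b
}

func decodeCP56(b []byte) time.Time {
	ms := int(binary.LittleEndian.Uint16(b))
	return time.Date(2000+int(b[6]&0x7F), time.Month(b[5]&0x0F), int(b[4]&0x1F), int(b[3]&0x1F), int(b[2]&0x3F), ms/1000, ms%1000*1e6, time.UTC)
}

func checksum(b []byte) (s byte) { // link-layer check byte: sum of the user data mod 256
	for _, x := range b {
		s += x
	}
	return
}

// userData validates the 68 L L 68 <user> CS 16 framing and returns the user data.
func userData(msg []byte) ([]byte, error) {
	n := len(msg)
	if n < 6 || msg[0] != 0x68 || msg[3] != 0x68 || msg[n-1] != 0x16 || msg[1] != msg[2] || int(msg[1]) != n-6 || checksum(msg[4:n-2]) != msg[n-2] {
		return nil, errors.New("malformed variable frame")
	}
	return msg[4 : n-2 : n-2], nil // capacity capped so later appends never clobber CS/16H
}

func build(user []byte) []byte { // wraps user data in a variable frame with fresh length and check bytes
	f := append([]byte{0x68, byte(len(user)), byte(len(user)), 0x68}, user...)
	return append(f, checksum(user), 0x16)
}

func mac(data []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(data)
	return h.Sum(nil)
}

// Protect is the terminal side of steps S3-S5; the returned frame is what step S6 encrypts.
func Protect(msg []byte, t1 time.Time) ([]byte, error) {
	if Classify(msg) != "variable" {
		return msg, nil // S4: single-byte and fixed frames go straight to S10
	}
	user, err := userData(msg)
	if err != nil || len(user)+bodyBLen > 255 { // B must still fit the one-byte length field
		return nil, errors.New("frame unusable, not protected")
	}
	n := byte(len(user) + bodyBLen)
	prefix := append([]byte{0x68, n, n, 0x68}, user...) // S5: M1 covers every byte before B
	bodyB := append(append([]byte{0x00}, mac(prefix)...), encodeCP56(t1)...)
	return build(append(user, bodyB...)), nil
}

// Verify is the master side of steps S8-S10, run on the plaintext recovered in step S7.
func Verify(pt []byte, t2 time.Time, w Window) ([]byte, error) {
	user, err := userData(pt)
	if err != nil || len(user) < bodyBLen {
		return nil, errors.New("malformed frame, discarded")
	}
	prefix, bodyB := pt[:len(pt)-2-bodyBLen], pt[len(pt)-2-bodyBLen:len(pt)-2]
	if bodyB[0] != 0x00 || !hmac.Equal(mac(prefix), bodyB[1:1+L]) {
		return nil, errors.New("digest M2 differs from M1, frame discarded") // S8, constant-time compare
	}
	if d := t2.Sub(decodeCP56(bodyB[1+L:])); d <= w.T0 || d >= w.T3 {
		return nil, errors.New("time tag t1 outside (t0, t3), frame discarded") // S9
	}
	return build(user[:len(user)-bodyBLen]), nil // S10: the original frame without B
}
```

Because the link length bytes are recomputed when B is appended, M1 is taken over the header as it will appear on the wire, so a receiver that truncates or re-frames the message fails the digest check as well as the checksum.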
Description of the technical solution:
as shown in fig. 1, the method comprises the steps of:
step S1: one information body of the application service data unit of the variable frame message is defined as a reserved information body B, and the reserved information body B includes an information body address, an information element set and a time stamp t1.
Step S2: and the negotiation and exchange of a symmetric encryption algorithm and a secret key as well as an HMAC algorithm and a secret key between the master station side and the terminal side are completed in an off-line mode.
Step S3: the terminal side transmits an IEC102 protocol communication message to the master station side, analyzes the first byte of the message, identifies the format of the message, and adopts safety reinforcement processing according to the format of the message.
Step S4: and carrying out security reinforcement processing on the message according to the message format. If the message is a variable frame message, the process proceeds to step S5. If the message is a single byte or fixed frame message, the process proceeds to step S10.
Step S5: and calculating to obtain a message digest value M1 of the variable frame message by using an HMAC algorithm, putting a calculation result in an information element set in the reserved information body B, and writing the current terminal system time into a time mark t1 of the reserved information body.
Step S6: and encrypting the variable frame message by adopting a symmetric encryption algorithm to obtain a variable frame message ciphertext.
Step S7: and the master station side receives the variable frame message ciphertext, decrypts the variable frame message ciphertext by using the secret key, if the decryption is successful and the variable frame message plaintext is obtained, the step S8 is entered, and if the decryption is failed, the variable frame message is discarded.
Step S8: calculating a message digest value M2 of the variable frame message plaintext by using the HMAC algorithm, and performing consistency verification between the message digest value M2 and the message digest value M1; if M2 is completely consistent with M1, the verification succeeds and step S9 is entered; if M2 is not completely consistent with M1, the verification fails and the variable frame message is discarded.
Step S9: comparing the time mark t1 in the information body B with the current master station side system time t2; if the difference between t1 and t2 is within the time range T, the verification succeeds and step S10 is entered; if the difference is not within the time range T, the verification fails and the variable frame message is discarded.
Step S10: and the master station side receives the message sent by the terminal side, stores and processes the message, and finishes message transmission.
Preferably, in step S1, the reserved information body B is located at the tail of the application service data unit, immediately before the check code, has a length of 8+L bytes, and includes an information body identifier, an information body element, and an information body time stamp. The length of the information body identifier is 1 byte and its content is 0, the length of the information body element is L and its content is the message digest value M1, and the time mark t1 of the information body is a B-class time mark whose content is the terminal system time.
Preferably, in step S2, the offline mode refers to that the symmetric encryption algorithm and the HMAC algorithm used by the master station side and the terminal side are determined in a preset mode, and the symmetric encryption algorithm and the HMAC algorithm key are synchronized.
Preferably, in step S3, the step of identifying the message format includes:
and analyzing the content of the first byte of the message, and if the first byte is 0xE5, determining that the message is a single byte message.
If the first byte is 0x10, the message is a fixed frame message.
If the first byte is 0x68, the message is a variable frame message.
Preferably, in step S5, the range of the variable frame message participating in the calculation of the message digest value M1 is a message between the first byte and the reserved information body B, and does not include the information body B.
Preferably, in step S8, the range of the plaintext of the variable frame message participating in the calculation of the message digest value M2 is a message between the first byte and the reserved information body B, and does not include the information body B.
Preferably, in step S9, the time range T is represented by (t0, t3) s, where t0 is a negative number greater than -10 and t3 is a positive number less than or equal to 60; the values of t0 and t3 can be determined based on the clock errors on the master station side and the terminal side.
After the application had been running for a period of time, the feedback from field technicians indicated the following advantages:
Compared with the prior art, the technical scheme of the application encrypts the message with a symmetric encryption algorithm, which improves the ability of the electric energy data to resist eavesdropping attacks during transmission; it calculates the message digest value of the message with an HMAC algorithm, which improves the ability of the electric energy data to resist tampering attacks during transmission; and it checks the information body time mark of the message, which improves the ability to resist replay attacks during electric energy data transmission.

Claims (7)

1. A method for safely transmitting data based on the IEC102 communication protocol, characterized in that it comprises steps S1-S10:
step S1: defining one information body of the application service data unit of a variable frame message as a reserved information body B, wherein the reserved information body B comprises an information body address, an information element set and a time mark t1;
step S2: the method comprises the steps that negotiation and exchange of a symmetric encryption algorithm and a secret key, and an HMAC algorithm and a secret key between a master station side and a terminal side are completed in an off-line mode;
step S3: the terminal side transmits an IEC102 protocol communication message to the master station side, analyzes the first byte of the message, identifies the message format and adopts safety reinforcement processing according to the message format;
step S4: identifying the format of the message, and if the message is a variable frame message, entering step S5; if the message is a single byte or fixed frame message, then step S10 is entered;
step S5: using an HMAC algorithm to calculate and obtain a message digest value M1 of the variable frame message, putting a calculation result in an information element set in the reserved information body B, and writing the current terminal system time into a time mark t1 of the reserved information body;
step S6: encrypting the variable frame message by adopting a symmetric encryption algorithm to obtain a variable frame message ciphertext;
step S7: the master station side receives the variable frame message ciphertext, decrypts the variable frame message ciphertext by using a secret key, if the decryption is successful and a variable frame message plaintext is obtained, the step S8 is entered, and if the decryption is failed, the variable frame message is discarded;
step S8: using the HMAC algorithm to calculate a message digest value M2 of the variable frame message plaintext, and performing consistency verification between the message digest value M2 and the message digest value M1; if M2 is completely consistent with M1, the verification succeeds and step S9 is entered; if M2 is not completely consistent with M1, the verification fails and the variable frame message is discarded;
step S9: comparing the time mark t1 in the information body B with the current master station side system time t2; if the difference between t1 and t2 is within the time range T, the verification succeeds and step S10 is entered; if the difference is not within the time range T, the verification fails and the variable frame message is discarded;
step S10: and the master station side receives the message sent by the terminal side, stores and processes the message, and finishes message transmission.
2. The method of claim 1, wherein the method comprises the following steps: in step S1, the reserved information body B is located at the tail of the application service data unit, immediately before the check code, is 8+L bytes long, and includes an information body identifier, an information body element, and an information body timestamp; the length of the information body identifier is 1 byte and its content is 0, the length of the information body element is L and its content is the message digest value M1, and the time mark t1 of the information body is a B-class time mark whose content is the terminal system time.
3. The method of claim 1, wherein the method comprises the following steps: in step S2, the offline mode refers to that the symmetric encryption algorithm and the HMAC algorithm used by the master station side and the terminal side are determined in a preset mode, and the symmetric encryption algorithm and the HMAC algorithm key are synchronized.
4. The method of claim 1, wherein the method comprises the following steps: in step S3, the step of identifying the message format includes:
analyzing the content of the first byte of the message, and if the first byte is 0xE5, the message is a single byte message;
if the first byte is 0x10, the message is a fixed frame message;
if the first byte is 0x68, the message is a variable frame message.
5. The method of claim 1, wherein the method comprises the following steps: in step S5, the range of the variable frame message participating in the calculation of the message digest value M1 is a message between the first byte and the reserved information body B, and the length of the message digest value M1 is less than or equal to L bytes.
6. The method of claim 1, wherein the method comprises the following steps: in step S8, the range of the plaintext of the variable frame message participating in the calculation of the message digest value M2 is a message between the first byte and the reserved information body B, and the length of the message digest value M2 is less than or equal to L bytes.
7. The method of claim 1, wherein the method comprises the following steps: in step S9, the time range T is represented by (t0, t3) s, where t0 is a negative number greater than -10 and t3 is a positive number less than or equal to 60; the values of t0 and t3 are determined based on the clock errors on the master station side and the terminal side.
CN202010334630.8A 2020-04-24 2020-04-24 Method for safely transmitting data based on IEC102 communication protocol Active CN111541699B (en)
Publications (2)

Publication Number Publication Date
CN111541699A CN111541699A (en) 2020-08-14
CN111541699B true CN111541699B (en) 2022-04-22
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant