CN116192428A - Information double encryption method, device and system applied to edge node device - Google Patents


Info

Publication number
CN116192428A
Authority
CN
China
Prior art keywords
encryption
key
transmitted
information content
decryption algorithm
Legal status
Pending
Application number
CN202211553033.XA
Other languages
Chinese (zh)
Inventor
王伟
宋倩
周捷
陈伟勇
叶宏
李国和
黄坤
王亦宁
张海滨
梅德冬
邓烽
田小锋
张何
滕云
刘世裕
曹东宏
方冰
吕顺利
左红兵
Current Assignee
Nari Technology Co Ltd
State Grid Xinyuan Co Ltd
Shaoxing Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
State Grid Electric Power Research Institute
Original Assignee
Nari Technology Co Ltd
State Grid Xinyuan Co Ltd
Shaoxing Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
State Grid Electric Power Research Institute
Application filed by Nari Technology Co Ltd, State Grid Xinyuan Co Ltd, Shaoxing Power Supply Co of State Grid Zhejiang Electric Power Co Ltd and State Grid Electric Power Research Institute
Priority to CN202211553033.XA
Publication of CN116192428A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms


Abstract

The invention discloses an information double encryption method, device and system applied to an edge node device. The method comprises: encrypting a first re-key with a first encryption and decryption algorithm and sending the encrypted first re-key to a receiving end, where the receiving end decrypts it with the first encryption and decryption algorithm to obtain and store the first re-key; and encrypting the information content to be transmitted with a second encryption and decryption algorithm, different from the first, and sending the encrypted content to the receiving end, so that the receiving end decrypts it using the stored first re-key as the initial key together with the second encryption and decryption algorithm to obtain the information content to be transmitted. The invention encrypts/decrypts the initial key with the first encryption/decryption algorithm and encrypts/decrypts the information to be transmitted with the initial key and the second encryption/decryption algorithm, thereby greatly improving the security of electric power information interaction.

Description

Information double encryption method, device and system applied to edge node device
Technical Field
The invention belongs to the field of power automation, and particularly relates to an information double encryption method, device and system applied to an edge node device.
Background
With the development of information security technology and the growing computing power of hardware such as embedded devices and servers, information interaction among the secondary equipment of a power system has changed greatly, but at the same time the open environment threatens the security of power information interaction. Power information security technology is an important means of maintaining the confidentiality, integrity and reliability of information, and it includes all measures that protect information from illegal modification, destruction and leakage. Cryptographic technology is the core of information security technology and covers several areas such as the design and analysis of cryptographic algorithms, identity authentication and digital signatures, and key management. The design of practical and effective data encryption algorithms, data authentication algorithms, digital signature algorithms and key management algorithms is of great significance for the security of electric power information.
SM4.0 is a block cipher algorithm promulgated by the State Cryptography Administration of China, with a block length and key length of 128 bits. Its encryption and decryption use a 32-round nonlinear iterative structure. Although using the SM4.0 encryption algorithm increases the security of data transmission, the algorithm is public and its round key generation algorithm is similar in structure to the encryption algorithm itself, which results in reduced security. Therefore, how to improve the security of data encrypted with SM4 is a problem to be solved.
Disclosure of Invention
In view of the above problems, the present invention provides an information double encryption method, device and system applied to an edge node device, which improve the security of electric power information interaction by encrypting or decrypting a first re-key (the initial key) as a first layer and encrypting or decrypting the information content of the secondary equipment of the electric power system as a second layer.
In order to achieve this technical purpose and effect, the invention is realized by the following technical scheme:
In a first aspect, the present invention provides an information double encryption method applied to an edge node device, including:
encrypting the first re-key by using a first encryption and decryption algorithm, and sending the encrypted first re-key to a receiving end, so that the receiving end decrypts the encrypted first re-key by using the first encryption and decryption algorithm to obtain and store the first re-key;
and encrypting the information content to be transmitted by using a second encryption and decryption algorithm different from the first encryption and decryption algorithm, and sending the encrypted information content to the receiving end, so that the receiving end decrypts the encrypted information content using the stored first re-key as the initial key together with the second encryption and decryption algorithm to obtain the information content to be transmitted.
Optionally, encrypting the information content to be transmitted by using the second encryption and decryption algorithm specifically includes the following steps:
splitting the information content to be transmitted into a plurality of single-frame messages when the number of bytes it contains exceeds the maximum transmission byte number specified by the second encryption and decryption algorithm;
and if the byte number of every single-frame message equals the maximum transmission byte number specified by the second encryption and decryption algorithm, using the first re-key as the initial key and encrypting each single-frame message with the second encryption and decryption algorithm.
Optionally, encrypting the information content to be transmitted by using the second encryption and decryption algorithm specifically includes the following steps:
if the byte number of the last single-frame message is smaller than the maximum transmission byte number specified by the second encryption and decryption algorithm, subtracting the byte number of the last single-frame message from that maximum to obtain the number of bytes to be supplemented, padding the last single-frame message by that number of bytes to form a new last single-frame message, and filling the byte number of the unpadded last single-frame message into an effective byte number area;
and encrypting each single-frame message with the second encryption and decryption algorithm, using the first re-key as the initial key.
Optionally, encrypting the information content to be transmitted by using the second encryption and decryption algorithm specifically includes the following steps:
and if the number of bytes contained in the information content to be transmitted equals the maximum transmission byte number specified by the second encryption and decryption algorithm, using the first re-key as the initial key and encrypting the information content to be transmitted with the second encryption and decryption algorithm.
Optionally, encrypting the information content to be transmitted by using the second encryption and decryption algorithm specifically includes the following steps:
if the number of bytes contained in the information content to be transmitted is smaller than the maximum transmission byte number specified by the second encryption and decryption algorithm, subtracting that number from the maximum to obtain the number of bytes to be supplemented, padding the information content by that number of bytes, and filling the original number of bytes of the information content into an effective byte number area;
and encrypting the information content to be transmitted with the second encryption and decryption algorithm, using the first re-key as the initial key.
Optionally, the second encryption and decryption algorithm performs combined encryption or simultaneous encryption on the information content to be transmitted at a link layer, a network layer, a transmission layer and an application layer; and the second encryption and decryption algorithm and the first encryption and decryption algorithm execute encryption or decryption operation on the same layer or different layers.
In a second aspect, the present invention provides an information double encryption method applied to an edge node device, including:
receiving an encrypted first re-key, and decrypting the encrypted first re-key by using a first encryption and decryption algorithm to obtain a first re-key; the encrypted first re-key is obtained by encrypting the first re-key by a sender through a first encryption and decryption algorithm;
receiving encrypted information content to be transmitted, and decrypting the encrypted information content to be transmitted by using a first re-key obtained after decryption as an initial key and matching a second encryption and decryption algorithm to obtain the information content to be transmitted; the encrypted information content to be transmitted is obtained by using the first re-key as an initial key by a sender and encrypting the information content to be transmitted by using a second encryption and decryption algorithm.
Optionally, decrypting the information content to be transmitted in cooperation with the second encryption and decryption algorithm includes the following steps:
when the information content to be transmitted is sent as a plurality of single-frame messages, decrypting each single-frame message with the second encryption and decryption algorithm, using the first re-key obtained after decryption as the initial key;
and if none of the decrypted single-frame messages contains an effective byte number area, splicing all the single-frame messages to obtain the information content to be transmitted.
Optionally, decrypting the information content to be transmitted in cooperation with the second encryption and decryption algorithm includes the following steps:
if the decrypted last single-frame message contains an effective byte number area, deleting bytes from the last single-frame message according to the byte number in the effective byte number area to form a new last single-frame message;
and splicing all the single-frame messages in sequence to obtain the information content to be transmitted.
Optionally, decrypting the information content to be transmitted in cooperation with the second encryption and decryption algorithm includes the following steps:
when the information content to be transmitted is sent as one single-frame message, decrypting that single-frame message with the second encryption and decryption algorithm, using the first re-key obtained after decryption as the initial key;
and if the decrypted single-frame message does not contain an effective byte number area, the decrypted single-frame message is the information content to be transmitted.
Optionally, decrypting the information content to be transmitted in cooperation with the second encryption and decryption algorithm further comprises the following steps:
when the information content to be transmitted is sent as one single-frame message, decrypting that single-frame message with the second encryption and decryption algorithm, using the first re-key obtained after decryption as the initial key;
and if the decrypted single-frame message contains an effective byte number area, deleting bytes from the single-frame message according to the byte number in the effective byte number area to obtain the information content to be transmitted.
Optionally, the second encryption and decryption algorithm performs combined or simultaneous encryption of the information content to be transmitted at the link layer, network layer, transmission layer and application layer; and the second encryption and decryption algorithm and the first encryption and decryption algorithm execute their encryption or decryption operations on the same layer or on different layers.
In a third aspect, the present invention provides an information double encryption apparatus applied to an edge node apparatus, comprising:
the key encryption module is used for encrypting the first re-key by using a first encryption and decryption algorithm and sending the encrypted first re-key to the receiving end, so that the receiving end decrypts the encrypted first re-key by using the first encryption and decryption algorithm to obtain the first re-key;
the information content encryption module to be transmitted is used for encrypting the information content to be transmitted by using the first re-key as an initial key and using a second encryption and decryption algorithm, and sending the encrypted information content to be transmitted to the receiving end, so that the receiving end uses the first re-key obtained after decryption of the first re-key as the initial key and is matched with the second encryption and decryption algorithm to decrypt the encrypted information content to be transmitted, and the information content to be transmitted is obtained.
In a fourth aspect, the present invention provides an information double encryption apparatus applied to an edge node apparatus, including:
the key decryption module is used for receiving the encrypted first re-key, decrypting the encrypted first re-key by using a first encryption and decryption algorithm to obtain a first re-key, wherein the encrypted first re-key is obtained by encrypting the first re-key by a sender by using the first encryption and decryption algorithm;
the information content decryption module to be transmitted is used for receiving the encrypted information content to be transmitted, and decrypting the encrypted information content to be transmitted by using the first re-key obtained after decryption as an initial key and matching with a second encryption and decryption algorithm to obtain the information content to be transmitted; the encrypted information content to be transmitted is obtained by using the first re-key as an initial key by a sender and encrypting the information content to be transmitted by using a second encryption and decryption algorithm.
In a fifth aspect, the present invention provides an information double encryption system applied to an edge node apparatus, including a storage medium and a processor;
the storage medium is used for storing instructions;
the processor operates according to the instructions to perform the steps of the method according to any one of the first aspects.
In a sixth aspect, the present invention provides an information double encryption system applied to an edge node apparatus, including a storage medium and a processor;
the storage medium is used for storing instructions;
the processor operates according to the instructions to perform the steps of the method according to any one of the second aspects.
In a seventh aspect, the present invention provides an information double encryption system applied to an edge node apparatus, including: a transmitting end and a receiving end;
the sending end encrypts the first re-key by using a first encryption and decryption algorithm and sends the encrypted first re-key to the receiving end;
the receiving end decrypts the encrypted first re-key by using a first encryption and decryption algorithm to obtain a first re-key;
the sending end takes the first re-key as an initial key, encrypts the information content to be transmitted by using a second encryption and decryption algorithm, and sends the encrypted information content to be transmitted to the receiving end;
and the receiving end uses the first re-key obtained after decryption as an initial key and is matched with a second encryption and decryption algorithm to decrypt the encrypted information content to be transmitted, so as to obtain the information content to be transmitted.
Compared with the prior art, the invention has the beneficial effects that:
according to the invention, through the encryption or decryption of the first re-key and the encryption or decryption of the information content to be transmitted for the secondary equipment of the electric power system, the security of electric power information interaction is improved, the initial key need not be pre-stored locally, and key leakage caused by viruses or intrusion into a storage medium is avoided.
The initial key (namely the first re-key) is obtained during the communication at the initial stage of establishing two-party or multi-party communication, and it is protected by an encryption and decryption algorithm different from the one used for the information content to be transmitted, so that leakage of the initial key through message capture or other causes is avoided and the security of electric power information interaction is improved.
The first encryption and decryption algorithm and the second encryption and decryption algorithm are different algorithms. If only the first encryption and decryption algorithm is broken, only the initial key is obtained, and the data content encrypted by the second encryption and decryption algorithm cannot be recovered; if only the second encryption and decryption algorithm is broken, that algorithm still requires the initial key as input, and without the correct initial key the data content it encrypted is not obtained. The two algorithms are applied interdependently, which further increases the difficulty of recovering the key and genuinely improves the security of electric power information interaction.
The invention also covers the processing of single-frame and multi-frame messages and of the padding bytes required when the content does not fill a frame of the encryption and decryption algorithm, forming a double-password encryption method for the secondary equipment of the electric power system, especially for electric power edge node equipment.
Drawings
In order that the invention may be more readily understood, a more particular description of the invention will be rendered by reference to specific embodiments that are illustrated in the appended drawings, in which:
FIG. 1 is a flow chart of an encryption process implementation of one embodiment of the present invention;
FIG. 2 is a flowchart illustrating a decryption process implementation of an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following examples in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the detailed description and specific examples are intended for purposes of illustration only and are not intended to limit the scope of the invention.
The principle of application of the invention is described in detail below with reference to the accompanying drawings.
Example 1
The embodiment of the invention provides an information double encryption method applied to an edge node device, which is applied to a transmitting end, as shown in fig. 1, and comprises the following steps:
(1) Encrypting the first re-key with a first encryption and decryption algorithm and sending the encrypted first re-key to a receiving end, so that the receiving end decrypts the encrypted first re-key with the first encryption and decryption algorithm to obtain the first re-key; decrypting the first re-key does not itself require an initial key;
(2) Encrypting the information content to be transmitted with the second encryption and decryption algorithm and sending the encrypted information content to the receiving end, so that the receiving end uses the first re-key obtained after decryption as the initial key and decrypts the encrypted information content with the second encryption and decryption algorithm to obtain the information content to be transmitted.
Based on the information double encryption method of this embodiment, because the initial key (namely the first re-key) is obtained during the communication at the initial stage of establishing two-party or multi-party communication and is protected by its own encryption and decryption algorithm, leakage of the initial key through message capture or other causes is avoided, which improves the security of electric power information interaction.
In a specific implementation manner of the embodiment of the present invention, the encrypting the first re-key by using the first encrypting and decrypting algorithm specifically includes the following steps:
A symmetric encryption and decryption algorithm such as DES, RSA or AES (namely, one in which the same secret key is used for encryption and decryption) is selected as the first encryption and decryption algorithm, and the decryption process of the first encryption and decryption algorithm is the inverse of its encryption process;
encrypting the first re-key by using the first encryption and decryption algorithm;
In this embodiment, the first re-key, which serves as the initial key of the second encryption and decryption algorithm (such as SM4.0), is encrypted, and once the transmitting end and the receiving end establish a connection the receiving end can obtain the encrypted initial key without pre-storing it, so leakage of the initial key through viruses or intrusion into the receiving end's storage medium is avoided and information security is further improved. The transmitting end (the initial key provider) records the initial key (first re-key) locally before encryption, encrypts it with DES, RSA, AES or another encryption and decryption algorithm and then transmits it to the receiving end, so the initial key cannot be obtained directly by capturing messages, which improves information security.
The first re-key in the embodiment of the invention can be encrypted by a first encryption and decryption algorithm at a link layer, can be encrypted by the first encryption and decryption algorithm at a network layer, can be encrypted by the first encryption and decryption algorithm at a transmission layer, can be encrypted by the first encryption and decryption algorithm at an application layer, and can be encrypted by a combination of the link layer, the network layer, the transmission layer and the application layer or simultaneously encrypted.
In this embodiment the first encryption and decryption algorithm is used to encrypt the first re-key; applications of the first re-key in the power system include, but are not limited to, authority, passwords or other keys, such as a password for control operations or management authority for viewing data. Encrypting the first re-key with the first encryption and decryption algorithm is suitable for equipment such as relay protection devices, measurement and control devices, electric measurement devices, monitoring devices, spare power automatic switching devices and stability control devices, and for the master station or plant station systems that communicate with such equipment.
In a specific implementation of this embodiment, the second encryption and decryption algorithm may be a symmetric encryption and decryption algorithm such as SM4.0 (i.e. the same key is used for encryption and decryption), and its decryption process is the inverse of its encryption process. In the specific implementation, the second encryption and decryption algorithm performs combined or simultaneous encryption of the information content to be transmitted at the link layer, network layer, transmission layer and application layer; the second encryption and decryption algorithm and the first encryption and decryption algorithm execute their encryption or decryption operations on the same layer or on different layers, where a layer is the link layer, network layer, transmission layer or application layer.
The application of encrypting the information content to be transmitted by using the second encryption and decryption algorithm in the power system in the embodiment of the invention comprises, but is not limited to, MQTT, CMS, IEC61850, IEC60870-5-101, IEC60870-5-102, IEC60870-5-103, IEC60870-5-104, COMTRADE, modbus, other power industry specifications or custom specifications and the like. The encryption and decryption algorithm is used for encrypting the information content to be transmitted, and is suitable for equipment such as a relay protection device, a measurement and control device, an electric measurement device, a monitoring device, a spare power automatic switching device, a stability control device and the like, and a master station or a factory station system which is communicated with the equipment.
In a specific implementation manner of the embodiment of the present invention, the encrypting the information content to be transmitted by using the second encrypting and decrypting algorithm specifically includes the following steps:
splitting the information content to be transmitted into a plurality of single-frame messages when the number of bytes contained in the information content to be transmitted exceeds the maximum transmission byte number requirement specified by the second encryption and decryption algorithm;
if the byte number of every single-frame message equals the maximum transmission byte number specified by the second encryption and decryption algorithm, using the first re-key as the initial key and encrypting each single-frame message with the second encryption and decryption algorithm;
if the byte number of the last single-frame message is smaller than the maximum transmission byte number specified by the second encryption and decryption algorithm, subtracting the byte number of the last single-frame message from that maximum to obtain the number of bytes to be supplemented, padding the last single-frame message by that number of bytes to form a new last single-frame message, and filling the byte number of the unpadded last single-frame message into an effective byte number area;
using the first re-key as the initial key and encrypting each single-frame message with the second encryption and decryption algorithm;
if the number of bytes contained in the information content to be transmitted equals the maximum transmission byte number specified by the second encryption and decryption algorithm, using the first re-key as the initial key and encrypting the information content with the second encryption and decryption algorithm;
if the number of bytes contained in the information content to be transmitted is smaller than the maximum transmission byte number specified by the second encryption and decryption algorithm, subtracting that number from the maximum to obtain the number of bytes to be supplemented, padding the information content by that number of bytes, and filling the original number of bytes of the information content into an effective byte number area; in the implementation, to avoid errors, every padding byte is the hexadecimal value 0x00;
and encrypting the information content to be transmitted with the second encryption and decryption algorithm, using the first re-key as the initial key.
The communication protocols that carry the information content include, but are not limited to, MQTT, CMS, IEC61850, IEC60870-5-101, IEC60870-5-102, IEC60870-5-103, IEC60870-5-104, COMTRADE, Modbus, and other power-industry or custom protocols;
depending on the size of the information content to be transmitted, the method either encrypts it directly as a single-frame message or first splits it into a plurality of single-frame messages and then encrypts each of them.
In one implementation of this embodiment, the information content to be transmitted may be encrypted and decrypted either as independent blocks (block-type message encryption and decryption) or as chained blocks (chain-type message encryption and decryption), specifically:
in block-type encryption and decryption, the blocks do not affect one another: an error in the ciphertext of one block affects only the decryption of that block.
In chain-type encryption and decryption, the encryption of a block depends on the message of the previous block, so an abnormality in either the block itself or the previous block affects the encryption and decryption result of that block.
Block-type encryption and decryption is faster; chain-type encryption and decryption is more secure, because independent blocks map identical plaintext blocks to identical ciphertext blocks and so reveal repetition in the data, which chaining conceals (in standard terms, the block type corresponds to the ECB mode of a block cipher and the chain type to CBC). Neither mode by itself detects a modified ciphertext; where tampering must be detected, a message authentication code is needed in addition.
Block-type encryption and decryption suits devices with limited hardware, such as embedded devices, and operations that need a fast response, such as opening or closing a circuit breaker.
Chain-type encryption and decryption suits system-level components with better hardware, such as servers, and operations without tight response requirements, such as uploading condition-monitoring information.
Example 2
This embodiment provides an information double encryption method applied to an edge node device, at the receiving end; as shown in fig. 2, it comprises the following steps:
receiving an encrypted first re-key and decrypting it with the first encryption and decryption algorithm to obtain the first re-key, the encrypted first re-key having been produced by the sender encrypting the first re-key with the first encryption and decryption algorithm;
receiving the encrypted information content to be transmitted and decrypting it with the second encryption and decryption algorithm, using the first re-key obtained by decryption as the initial key, to obtain the information content to be transmitted; the encrypted information content having been produced by the sender encrypting the information content with the second encryption and decryption algorithm, using the first re-key as the initial key.
In one implementation of this embodiment, obtaining the first re-key comprises the following steps:
an algorithm such as DES or AES (symmetric algorithms, in which the same key is used for encryption and decryption) or RSA (an asymmetric algorithm, in which the receiving end's public key encrypts and only its private key decrypts) is selected as the first encryption and decryption algorithm; in each case the decryption process is the inverse of the encryption process. (DES, with its 56-bit key, is no longer considered secure and should not be selected for new designs.)
the first re-key is encrypted with the first encryption and decryption algorithm;
in this embodiment the first re-key, which serves as the initial key of the second encryption and decryption algorithm (for example SM4), is itself encrypted; the receiving end obtains the encrypted initial key as soon as it establishes a connection with the transmitting end and does not need to pre-store it, so the initial key cannot leak from the receiving end's storage medium through malware or intrusion, which improves information security. The transmitting end (the provider of the initial key) records the unencrypted initial key (the first re-key) locally and transmits it to the receiving end only after encrypting it with DES, RSA, AES or another encryption and decryption algorithm, so that the initial key cannot be read directly from captured messages. Note that with a symmetric first algorithm the receiving end must still hold that algorithm's key in advance; with RSA it needs to hold only its own private key.
In this embodiment the first re-key may be encrypted with the first encryption and decryption algorithm at the link layer, the network layer, the transport layer or the application layer, at a combination of these layers, or at several layers simultaneously.
In this embodiment the first re-key encrypted with the first encryption and decryption algorithm may, in the power system, be a permission, a password or another key, for example a password for control operations or a management right for viewing data. Encrypting the first re-key with the first encryption and decryption algorithm is suitable for equipment such as relay protection devices, measurement and control devices, electrical measurement devices, monitoring devices, automatic bus-transfer (spare power automatic switching) devices and stability control devices, and for the master station or plant/substation systems that communicate with them.
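The key layer described above, as an added example that is not part of the patent or of its assignees' code. It uses RSA-OAEP from Go's standard library as the first encryption and decryption algorithm, so the asymmetry matters: the transmitting end needs only the receiving end's public key, and only the private key can recover the first re-key. The 128-bit key length, the 2048-bit RSA modulus, the SHA-256 OAEP hash and the device-identifier label are assumptions; the page fixes none of them.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// SessionKeyLen is the length of the "first re-key": a 128-bit key for the
// second algorithm (SM4 in the text, or any other 128-bit block cipher).
const SessionKeyLen = 16

// newReceiverKeyPair creates the receiving end's long-term RSA key pair. On an
// edge device this pair would live in a secure element or key store
// (assumption); here it is generated on the fly.
func newReceiverKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newSessionKey draws a fresh random first re-key at the transmitting end,
// which keeps it only in memory for the life of the connection.
func newSessionKey() ([]byte, error) {
	k := make([]byte, SessionKeyLen)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// wrapKey is the first encryption layer: the session key is encrypted to the
// receiving end's RSA public key with OAEP. RSA is asymmetric, so the sender
// needs only the public key and only the holder of the private key can unwrap.
// label binds the blob to a context (assumed here: the receiver's device
// identifier) so that a blob captured for one device is useless for another.
func wrapKey(pub *rsa.PublicKey, key, label []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, label)
}

// unwrapKey recovers the session key at the receiving end. A wrong label or a
// modified blob fails here rather than yielding a wrong key.
func unwrapKey(priv *rsa.PrivateKey, blob, label []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob, label)
	if err != nil {
		return nil, err
	}
	if len(key) != SessionKeyLen {
		return nil, fmt.Errorf("unwrapped key has length %d, want %d", len(key), SessionKeyLen)
	}
	return key, nil
}

// exchangeSessionKey runs the key layer end to end and returns what the sender
// chose, what crossed the wire, and what the receiver recovered.
func exchangeSessionKey(priv *rsa.PrivateKey, label []byte) (sent, wire, recv []byte, err error) {
	if sent, err = newSessionKey(); err != nil {
		return nil, nil, nil, err
	}
	if wire, err = wrapKey(&priv.PublicKey, sent, label); err != nil {
		return nil, nil, nil, err
	}
	if recv, err = unwrapKey(priv, wire, label); err != nil {
		return nil, nil, nil, err
	}
	return sent, wire, recv, nil
}

func main() {
	priv, err := newReceiverKeyPair()
	if err != nil {
		panic(err)
	}
	label := []byte("edge-node-0001") // constructed device identifier
	sent, wire, recv, err := exchangeSessionKey(priv, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key on the wire: %d bytes; receiver holds the sender's key: %v\n",
		len(wire), bytes.Equal(sent, recv))
	// OAEP is randomized: wrapping the same key twice gives different blobs, so
	// a passive observer cannot even tell whether the key was changed.
	again, _ := wrapKey(&priv.PublicKey, sent, label)
	fmt.Println("second wrap identical to the first:", bytes.Equal(wire, again))
}
```

The label is what ties the wrapped key to one receiving context: a blob captured from the wire and replayed to a receiver that unwraps under a different label is rejected, and the randomised padding means two captures of the same first re-key do not even look alike.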
In one implementation of this embodiment, the second encryption and decryption algorithm may be a symmetric algorithm such as SM4 (the same key is used for encryption and decryption), and its decryption process is the inverse of its encryption process. In a specific implementation the second encryption and decryption algorithm encrypts the information content to be transmitted at the link layer, the network layer, the transport layer or the application layer, at a combination of these layers, or at several layers simultaneously; the second and the first encryption and decryption algorithms may perform their encryption or decryption operations at the same layer or at different layers, the layers being the link layer, the network layer, the transport layer and the application layer.
In a power system, the information content encrypted with the second encryption and decryption algorithm may be carried by protocols including, but not limited to, MQTT, CMS, IEC61850, IEC60870-5-101, IEC60870-5-102, IEC60870-5-103, IEC60870-5-104, COMTRADE, Modbus, and other power-industry or custom specifications. Encrypting the information content in this way is suitable for equipment such as relay protection devices, measurement and control devices, electrical measurement devices, monitoring devices, automatic bus-transfer (spare power automatic switching) devices and stability control devices, and for the master station or plant/substation systems that communicate with them.
In one implementation of this embodiment, decrypting the encrypted information content to be transmitted with the second encryption and decryption algorithm comprises the following steps:
when the information content to be transmitted was sent as a plurality of single-frame messages, decrypting each single-frame message with the second encryption and decryption algorithm, using the first re-key obtained by decryption as the initial key;
if none of the decrypted single-frame messages contains an effective byte number area, splicing all the single-frame messages to obtain the information content to be transmitted;
if the last decrypted single-frame message contains an effective byte number area, deleting the padding bytes of the last single-frame message according to the byte count in that area to form a new last single-frame message;
splicing all the single-frame messages in order to obtain the information content to be transmitted;
when the information content to be transmitted was sent as a single-frame message, decrypting the single-frame message with the second encryption and decryption algorithm, using the first re-key obtained by decryption as the initial key;
if the decrypted single-frame message does not contain an effective byte number area, the decrypted single-frame message is the information content to be transmitted;
when the information content to be transmitted was sent as a single-frame message, decrypting the single-frame message with the second encryption and decryption algorithm, using the first re-key obtained by decryption as the initial key;
if the decrypted single-frame message contains an effective byte number area, deleting the padding bytes of the single-frame message according to the byte count in that area to obtain the information content to be transmitted; in practice, before deleting a supplemented byte, the program checks that the byte is 0x00, so that a payload byte is never deleted by mistake.
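The sender-side split and pad steps of embodiment 1 and the receiver-side strip and splice steps above, as one added example that is not part of the patent or of its assignees' code. It is written in Go and assumes a 64-byte frame whose first two bytes are a big-endian valid byte count that is always present (the page fixes no layout and leaves the field conditional, which gives a receiver no reliable way to know whether it is there). The cipher call that each frame then goes through under the first re-key is a separate step and is left out here; the frame bytes are what that call would receive.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Assumed frame layout (the patent does not fix one): a 2-byte big-endian
// valid byte count, the payload, then 0x00 padding up to FrameLen. The count
// is always present, so the receiver never has to guess whether it is there.
// FrameLen stands for the second algorithm's "maximum transmission byte
// number"; 64 is an assumed value and a multiple of a 16-byte cipher block.
// Every frame returned by splitFrames is handed whole to the second algorithm
// (SM4 in the text) under the first re-key; that call is not shown here.
const (
	FrameLen   = 64
	hdrLen     = 2
	PayloadMax = FrameLen - hdrLen
)

// splitFrames is the sender side: split, pad the last frame with 0x00 and
// record each frame's valid byte count. A message whose length is an exact
// multiple of PayloadMax gives only full frames; an empty message gives a
// single frame with count 0.
func splitFrames(msg []byte) [][]byte {
	var frames [][]byte
	for off := 0; ; off += PayloadMax {
		end := off + PayloadMax
		if end > len(msg) {
			end = len(msg)
		}
		frame := make([]byte, FrameLen) // zero-filled: the padding is 0x00
		binary.BigEndian.PutUint16(frame, uint16(end-off))
		copy(frame[hdrLen:], msg[off:end])
		frames = append(frames, frame)
		if end == len(msg) {
			return frames
		}
	}
}

// joinFrames is the receiver side after decryption: validate each frame,
// strip only bytes that really are 0x00 padding, and splice the payloads in
// order. Anything inconsistent is an error, never a silent truncation.
func joinFrames(frames [][]byte) ([]byte, error) {
	var out bytes.Buffer
	for i, f := range frames {
		if len(f) != FrameLen {
			return nil, fmt.Errorf("frame %d: length %d, want %d", i, len(f), FrameLen)
		}
		n := int(binary.BigEndian.Uint16(f))
		switch {
		case n > PayloadMax:
			return nil, fmt.Errorf("frame %d: valid byte count %d exceeds %d", i, n, PayloadMax)
		case n < PayloadMax && i != len(frames)-1:
			return nil, fmt.Errorf("frame %d: short frame is not the last one", i)
		case bytes.Count(f[hdrLen+n:], []byte{0}) != PayloadMax-n:
			return nil, fmt.Errorf("frame %d: padding is not all 0x00", i)
		}
		out.Write(f[hdrLen : hdrLen+n])
	}
	return out.Bytes(), nil
}

func main() {
	// Constructed 150-byte payload: two full 62-byte frames plus a 26-byte tail.
	msg := bytes.Repeat([]byte("BREAKER-07:CLOSED;"), 9)[:150]
	frames := splitFrames(msg)
	got, err := joinFrames(frames)
	fmt.Printf("%d frames, last carries %d valid bytes, rebuilt intact: %v (err=%v)\n",
		len(frames), binary.BigEndian.Uint16(frames[len(frames)-1]), bytes.Equal(msg, got), err)
	frames[len(frames)-1][FrameLen-1] = 0xff // a padding byte that is not 0x00
	_, err = joinFrames(frames)
	fmt.Println("tampered padding rejected:", err)
}
```

The 0x00 check the text calls for is the third case in joinFrames: the receiver compares every byte beyond the valid count with 0x00 and refuses the frame otherwise, instead of trusting the count alone. The ordering check (a short frame may only be the last one) catches a dropped or reordered frame that the count field by itself would not reveal.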
In one implementation of this embodiment, the information content to be transmitted may be encrypted and decrypted either as independent blocks (block-type message encryption and decryption) or as chained blocks (chain-type message encryption and decryption).
In block-type encryption and decryption, the blocks do not affect one another: an error in the ciphertext of one block affects only the decryption of that block.
In chain-type encryption and decryption, the encryption of a block depends on the message of the previous block, so an abnormality in either the block itself or the previous block affects the encryption and decryption result of that block.
Block-type encryption and decryption is faster; chain-type encryption and decryption is more secure, because independent blocks map identical plaintext blocks to identical ciphertext blocks and so reveal repetition in the data, which chaining conceals (the block type corresponds to the ECB mode of a block cipher, the chain type to CBC).
Block-type encryption and decryption suits devices with limited hardware, such as embedded devices, and operations that need a fast response, such as opening or closing a circuit breaker.
Chain-type encryption and decryption suits system-level components with better hardware, such as servers, and operations without tight response requirements, such as uploading condition-monitoring information.
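The block-type and chain-type behaviour described above, as an added example that is not part of the patent or of its assignees' code. It encrypts four identical 16-byte blocks in ECB mode (block type) and in CBC mode (chain type) with AES-128 from Go's standard library standing in for SM4 (an assumption; both are 128-bit block ciphers and the two modes behave the same over either), counts repeated ciphertext blocks, then flips one bit in ciphertext block 1 and reports which plaintext blocks come back wrong. The fixed key, the fixed IV and the message text are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt is the "block type" mode: each 16-byte block is encrypted on its
// own, so equal plaintext blocks give equal ciphertext blocks and a damaged
// ciphertext block spoils only its own plaintext block.
func ecbEncrypt(b cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += b.BlockSize() {
		b.Encrypt(ct[i:], pt[i:])
	}
	return ct
}

func ecbDecrypt(b cipher.Block, ct []byte) []byte {
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += b.BlockSize() {
		b.Decrypt(pt[i:], ct[i:])
	}
	return pt
}

// cbcEncrypt is the "chain type" mode: each block is XORed with the previous
// ciphertext block (the IV for the first) before encryption, so equal
// plaintext blocks no longer match, and a damaged ciphertext block spoils its
// own plaintext block and flips the same bits in the next one.
func cbcEncrypt(b cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, pt)
	return ct
}

func cbcDecrypt(b cipher.Block, iv, ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(b, iv).CryptBlocks(pt, ct)
	return pt
}

// repeatedBlocks counts 16-byte ciphertext blocks that repeat an earlier one.
func repeatedBlocks(ct []byte) int {
	seen, dup := map[string]bool{}, 0
	for i := 0; i < len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		if seen[k] {
			dup++
		}
		seen[k] = true
	}
	return dup
}

// damagedBlocks lists the indices of 16-byte blocks where got differs from want.
func damagedBlocks(want, got []byte) []int {
	var idx []int
	for i := 0; i < len(want); i += aes.BlockSize {
		if !bytes.Equal(want[i:i+aes.BlockSize], got[i:i+aes.BlockSize]) {
			idx = append(idx, i/aes.BlockSize)
		}
	}
	return idx
}

// compareModes encrypts a message of four identical blocks both ways, flips
// one bit in ciphertext block 1, and reports (ECB repeats, CBC repeats,
// ECB damaged blocks, CBC damaged blocks). AES-128 stands in for SM4.
func compareModes() (ecbRep, cbcRep int, ecbDmg, cbcDmg []int, err error) {
	key := bytes.Repeat([]byte{0x42}, 16)              // first re-key, fixed for the demo
	iv := bytes.Repeat([]byte{0x01}, 16)               // fixed here; real CBC needs a fresh IV per message
	pt := bytes.Repeat([]byte("BREAKER_OPEN_CMD"), 4) // constructed: four equal 16-byte blocks
	b, err := aes.NewCipher(key)
	if err != nil {
		return
	}
	ecb, cbc := ecbEncrypt(b, pt), cbcEncrypt(b, iv, pt)
	ecbRep, cbcRep = repeatedBlocks(ecb), repeatedBlocks(cbc)
	ecb[aes.BlockSize] ^= 0x01 // one bit of ciphertext block 1, as a line error or an attacker would
	cbc[aes.BlockSize] ^= 0x01
	ecbDmg = damagedBlocks(pt, ecbDecrypt(b, ecb))
	cbcDmg = damagedBlocks(pt, cbcDecrypt(b, iv, cbc))
	return
}

func main() {
	ecbRep, cbcRep, ecbDmg, cbcDmg, err := compareModes()
	if err != nil {
		panic(err)
	}
	fmt.Printf("repeated ciphertext blocks: ECB %d, CBC %d\n", ecbRep, cbcRep)
	fmt.Printf("blocks spoiled by one flipped bit in block 1: ECB %v, CBC %v\n", ecbDmg, cbcDmg)
}
```

The output makes the text's two claims concrete: ECB shows three repeated ciphertext blocks where CBC shows none, and one flipped bit spoils only block 1 under ECB but blocks 1 and 2 under CBC. In neither mode does decryption report the damage; a receiver that must detect tampering needs a message authentication code on top of either mode.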
Example 3
Based on the same inventive concept as embodiment 1, this embodiment provides an information double encryption device applied to an edge node device, comprising:
a key encryption module, which encrypts the first re-key with a first encryption and decryption algorithm and sends the encrypted first re-key to the receiving end, so that the receiving end decrypts the encrypted first re-key with the first encryption and decryption algorithm to obtain the first re-key;
an information content encryption module, which uses the first re-key as the initial key to encrypt the information content to be transmitted with a second encryption and decryption algorithm and sends the encrypted information content to the receiving end, so that the receiving end, using the first re-key it obtained by decryption as the initial key, decrypts the encrypted information content with the second encryption and decryption algorithm to obtain the information content to be transmitted.
Example 4
Based on the same inventive concept as embodiment 2, this embodiment provides an information double encryption device applied to an edge node device, comprising:
a key decryption module, which receives the encrypted first re-key and decrypts it with a first encryption and decryption algorithm to obtain the first re-key, the encrypted first re-key having been produced by the sender encrypting the first re-key with the first encryption and decryption algorithm;
an information content decryption module, which receives the encrypted information content to be transmitted and decrypts it with a second encryption and decryption algorithm, using the first re-key obtained by decryption as the initial key, to obtain the information content to be transmitted; the encrypted information content having been produced by the sender encrypting the information content with the second encryption and decryption algorithm, using the first re-key as the initial key.
Example 5
Based on the same inventive concept as embodiment 1, this embodiment provides an information double encryption system applied to an edge node apparatus, comprising a storage medium and a processor;
the storage medium stores instructions;
the processor operates according to the instructions to perform the steps of the method of embodiment 1.
Example 6
Based on the same inventive concept as embodiment 2, this embodiment provides an information double encryption system applied to an edge node apparatus, comprising a storage medium and a processor;
the storage medium stores instructions;
the processor operates according to the instructions to perform the steps of the method of embodiment 2.
Example 7
This embodiment provides an information double encryption system applied to an edge node device, comprising a transmitting end and a receiving end;
the transmitting end encrypts the first re-key with a first encryption and decryption algorithm and sends the encrypted first re-key to the receiving end;
the receiving end decrypts the encrypted first re-key with the first encryption and decryption algorithm to obtain the first re-key;
the transmitting end, using the first re-key as the initial key, encrypts the information content to be transmitted with a second encryption and decryption algorithm and sends the encrypted information content to the receiving end;
and the receiving end, using the first re-key obtained by decryption as the initial key, decrypts the encrypted information content with the second encryption and decryption algorithm to obtain the information content to be transmitted.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and variations could be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.

Claims (17)

1. An information double encryption method applied to an edge node device, comprising:
encrypting a first re-key with a first encryption and decryption algorithm and sending the encrypted first re-key to a receiving end, so that the receiving end decrypts the encrypted first re-key with the first encryption and decryption algorithm to obtain and store the first re-key;
and, using the first re-key as an initial key, encrypting information content to be transmitted with a second encryption and decryption algorithm that is different from the first encryption and decryption algorithm, and sending the encrypted information content to the receiving end, so that the receiving end decrypts the encrypted information content with the second encryption and decryption algorithm, using the stored first re-key as the initial key, to obtain the information content to be transmitted.
2. The information double encryption method applied to an edge node device according to claim 1, wherein encrypting the information content to be transmitted with the second encryption and decryption algorithm comprises:
if the number of bytes in the information content to be transmitted exceeds the maximum transmission byte count specified for the second encryption and decryption algorithm, splitting the information content into a plurality of single-frame messages;
and if every single-frame message has exactly the maximum transmission byte count, encrypting each single-frame message with the second encryption and decryption algorithm, using the first re-key as the initial key.
3. The information double encryption method applied to an edge node device according to claim 2, wherein encrypting the information content to be transmitted with the second encryption and decryption algorithm further comprises:
if the last single-frame message is shorter than the maximum transmission byte count, subtracting its byte count from the maximum transmission byte count to obtain the number of bytes to be supplemented, padding the last single-frame message by that number of bytes to form a new last single-frame message, and writing the byte count of the original last single-frame message into an effective byte number area;
and encrypting each single-frame message with the second encryption and decryption algorithm, using the first re-key as the initial key.
4. The information double encryption method applied to an edge node device according to claim 1, wherein encrypting the information content to be transmitted with the second encryption and decryption algorithm comprises:
if the number of bytes in the information content to be transmitted equals the maximum transmission byte count specified for the second encryption and decryption algorithm, encrypting the information content with the second encryption and decryption algorithm, using the first re-key as the initial key.
5. The information double encryption method applied to an edge node device according to claim 1, wherein encrypting the information content to be transmitted with the second encryption and decryption algorithm comprises:
if the number of bytes in the information content to be transmitted is smaller than the maximum transmission byte count specified for the second encryption and decryption algorithm, subtracting that number from the maximum transmission byte count to obtain the number of bytes to be supplemented, padding the information content by that number of bytes, and writing the byte count of the original information content into an effective byte number area;
and encrypting the padded information content with the second encryption and decryption algorithm, using the first re-key as the initial key.
6. The information double encryption method applied to an edge node device according to claim 1, wherein the second encryption and decryption algorithm encrypts the information content to be transmitted at the link layer, the network layer, the transport layer or the application layer, at a combination of these layers, or at several layers simultaneously; and the second encryption and decryption algorithm and the first encryption and decryption algorithm perform their encryption or decryption operations at the same layer or at different layers.
7. An information double encryption method applied to an edge node device, comprising:
receiving an encrypted first re-key, and decrypting the encrypted first re-key by using a first encryption and decryption algorithm to obtain a first re-key; the encrypted first re-key is obtained by encrypting the first re-key by a sender through a first encryption and decryption algorithm;
receiving encrypted information content to be transmitted, and decrypting the encrypted information content to be transmitted by using a first re-key obtained after decryption as an initial key and matching a second encryption and decryption algorithm to obtain the information content to be transmitted; the encrypted information content to be transmitted is obtained by using the first re-key as an initial key by a sender and encrypting the information content to be transmitted by using a second encryption and decryption algorithm.
8. The information double encryption method applied to an edge node device according to claim 7, wherein decrypting the encrypted information content to be transmitted with the second encryption and decryption algorithm comprises:
when the information content to be transmitted was sent as a plurality of single-frame messages, decrypting each single-frame message with the second encryption and decryption algorithm, using the first re-key obtained by decryption as the initial key;
and if none of the decrypted single-frame messages contains an effective byte number area, splicing all the single-frame messages to obtain the information content to be transmitted.
9. The information double encryption method applied to an edge node device according to claim 8, wherein decrypting the encrypted information content to be transmitted with the second encryption and decryption algorithm further comprises:
if the last decrypted single-frame message contains an effective byte number area, deleting the padding bytes of the last single-frame message according to the byte count in that area to form a new last single-frame message;
and splicing all the single-frame messages in order to obtain the information content to be transmitted.
10. The information double encryption method applied to an edge node device according to claim 7, wherein decrypting the encrypted information content to be transmitted with the second encryption and decryption algorithm comprises:
when the information content to be transmitted was sent as a single-frame message, decrypting the single-frame message with the second encryption and decryption algorithm, using the first re-key obtained by decryption as the initial key;
and if the decrypted single-frame message does not contain an effective byte number area, taking the decrypted single-frame message as the information content to be transmitted.
11. The information double encryption method applied to an edge node device according to claim 7, wherein decrypting the encrypted information content to be transmitted with the second encryption and decryption algorithm further comprises:
when the information content to be transmitted was sent as a single-frame message, decrypting the single-frame message with the second encryption and decryption algorithm, using the first re-key obtained by decryption as the initial key;
and if the decrypted single-frame message contains an effective byte number area, deleting the padding bytes of the single-frame message according to the byte count in that area to obtain the information content to be transmitted.
12. The information double encryption method applied to an edge node device according to claim 7, wherein the second encryption and decryption algorithm encrypts the information content to be transmitted at the link layer, the network layer, the transport layer or the application layer, at a combination of these layers, or at several layers simultaneously; and the second encryption and decryption algorithm and the first encryption and decryption algorithm perform their encryption or decryption operations at the same layer or at different layers.
13. An information double encryption device applied to an edge node device, comprising:
the key encryption module is used for encrypting the first re-key by using a first encryption and decryption algorithm and sending the encrypted first re-key to the receiving end, so that the receiving end decrypts the encrypted first re-key by using the first encryption and decryption algorithm to obtain the first re-key;
the information content encryption module to be transmitted is used for encrypting the information content to be transmitted by using the first re-key as an initial key and using a second encryption and decryption algorithm, and sending the encrypted information content to be transmitted to the receiving end, so that the receiving end uses the first re-key obtained after decryption of the first re-key as the initial key and is matched with the second encryption and decryption algorithm to decrypt the encrypted information content to be transmitted, and the information content to be transmitted is obtained.
14. An information double encryption device applied to an edge node device, comprising:
the key decryption module is used for receiving the encrypted first re-key, decrypting the encrypted first re-key by using a first encryption and decryption algorithm to obtain a first re-key, wherein the encrypted first re-key is obtained by encrypting the first re-key by a sender by using the first encryption and decryption algorithm;
The information content decryption module to be transmitted is used for receiving the encrypted information content to be transmitted, and decrypting the encrypted information content to be transmitted by using the first re-key obtained after decryption as an initial key and matching with a second encryption and decryption algorithm to obtain the information content to be transmitted; the encrypted information content to be transmitted is obtained by using the first re-key as an initial key by a sender and encrypting the information content to be transmitted by using a second encryption and decryption algorithm.
15. An information double encryption system applied to an edge node apparatus, comprising a storage medium and a processor;
the storage medium is used for storing instructions;
the processor is operative according to the instructions to perform the steps of the method according to any one of claims 1-6.
16. An information double encryption system applied to an edge node apparatus, comprising a storage medium and a processor;
the storage medium is used for storing instructions;
the processor being operative according to the instructions to perform the steps of the method according to any one of claims 7-12.
17. An information double encryption system applied to an edge node apparatus, comprising a sending end and a receiving end, wherein the sending end encrypts a first-layer key with a first encryption/decryption algorithm and sends the encrypted first-layer key to the receiving end;
the receiving end decrypts the encrypted first-layer key with the first encryption/decryption algorithm to obtain the first-layer key; the sending end, using the first-layer key as the initial key, encrypts the information content to be transmitted with a second encryption/decryption algorithm and sends the encrypted information content to the receiving end;
and the receiving end, using the decrypted first-layer key as the initial key, decrypts the encrypted information content with the second encryption/decryption algorithm to recover the information content to be transmitted.
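The two-step exchange of claims 14 and 17 (transport a per-message first-layer key under a first algorithm, then encrypt the content under a second algorithm keyed by it) is the standard hybrid-encryption pattern. The Go program below is an added illustration of both ends of that exchange; it is not code from the patent or its assignees. The claims name no concrete ciphers, so the choice of RSA-OAEP as the first algorithm and AES-256-GCM as the second, the Envelope structure, the sample content and all function names are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Length of the randomly generated symmetric key that the claims call the
// first-layer key. AES-256 is an assumption; the patent fixes no cipher.
const firstLayerKeyLen = 32

// Envelope carries the two outputs of the scheme: the wrapped first-layer
// key (first algorithm) and the content ciphertext (second algorithm).
type Envelope struct {
	EncryptedKey     []byte // first-layer key under RSA-OAEP
	Nonce            []byte // AES-GCM nonce, fresh for every message
	EncryptedContent []byte // content under AES-256-GCM keyed by the first-layer key
}

// GenerateReceiverKey creates the receiving end's key pair for the first algorithm.
func GenerateReceiverKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SenderEncrypt is the sending end of claim 17: draw a fresh first-layer key,
// wrap it with the receiver's public key, then encrypt the content with
// AES-GCM using that key as the initial key.
func SenderEncrypt(receiverPub *rsa.PublicKey, content []byte) (*Envelope, error) {
	key := make([]byte, firstLayerKeyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The wrapped key is passed as additional authenticated data, so a content
	// ciphertext cannot be re-paired with a different wrapped key. This is a
	// hardening choice of this example, not something the claims require.
	ct := aead.Seal(nil, nonce, content, encKey)
	return &Envelope{EncryptedKey: encKey, Nonce: nonce, EncryptedContent: ct}, nil
}

// ReceiverDecrypt is the receiving end: unwrap the first-layer key with the
// private key, then use it as the AES-GCM key for the content.
func ReceiverDecrypt(receiverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.EncryptedKey, nil)
	if err != nil {
		return nil, errors.New("first-layer key unwrap failed")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.EncryptedContent, env.EncryptedKey)
	if err != nil {
		return nil, errors.New("content authentication failed")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := GenerateReceiverKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample content; not data from the patent.
	msg := []byte("sample edge-node telemetry: feeder 12 voltage 10.42 kV")
	env, err := SenderEncrypt(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	pt, err := ReceiverDecrypt(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
	env.EncryptedContent[0] ^= 0x01
	_, err = ReceiverDecrypt(priv, env)
	fmt.Println("tampered content rejected:", err != nil)
}
```

The claims speak only of encryption and decryption, that is, confidentiality. Using an AEAD for the second algorithm, as here, additionally makes a modified content ciphertext or a mismatched wrapped key fail at the receiving end instead of decrypting to garbage. It does not authenticate the sending end: anyone holding the receiver's public key can produce a valid envelope, so a deployment would still need a signature or pre-shared credential on top of what the claims describe.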
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211553033.XA CN116192428A (en) 2022-12-06 2022-12-06 Information double encryption method, device and system applied to edge node device
Publications (1)

Publication Number Publication Date
CN116192428A true CN116192428A (en) 2023-05-30

Family

ID=86447816

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211553033.XA Pending CN116192428A (en) 2022-12-06 2022-12-06 Information double encryption method, device and system applied to edge node device

Country Status (1)

Country Link
CN (1) CN116192428A (en)

Similar Documents

Publication Publication Date Title
US11496298B2 (en) Many-to-many symmetric cryptographic system and method
JP5815294B2 (en) Secure field programmable gate array (FPGA) architecture
US20190268145A1 (en) Systems and Methods for Authenticating Communications Using a Single Message Exchange and Symmetric Key
CN110896401A (en) Two-dimensional code-based unidirectional data stream transmission system and method between isolated networks
KR101608815B1 (en) Method and system for providing service encryption in closed type network
US7894608B2 (en) Secure approach to send data from one system to another
CN112804205A (en) Data encryption method and device and data decryption method and device
CN104660590A (en) Cloud storage scheme for file encryption security
CN116132043B (en) Session key negotiation method, device and equipment
US9571273B2 (en) Method and system for the accelerated decryption of cryptographically protected user data units
CN101931623B (en) Safety communication method suitable for remote control with limited capability at controlled end
CN112948867A (en) Method and device for generating and decrypting encrypted message and electronic equipment
Agarwal et al. Authenticating cryptography over network in data
CN115499118A (en) Message key generation method, message key generation device, file encryption method, message key decryption method, file encryption device, file decryption device and medium
CN114499857A (en) Method for realizing data correctness and consistency in big data quantum encryption and decryption
CN111510282A (en) Information encryption algorithm and device, information decryption algorithm and device and communication method
WO2022237440A1 (en) Authenticated encryption apparatus with initialization-vector misuse resistance and method therefor
CN113542309B (en) Data processing system and method
CN102622561A (en) Enciphering and deciphering method for invoking data in software
CN116192428A (en) Information double encryption method, device and system applied to edge node device
CN111431846B (en) Data transmission method, device and system
Arora et al. Handling Secret Key Compromise by Deriving Multiple Asymmetric Keys based on Diffie-Hellman Algorithm
CN112329066A (en) Data file encryption method and system
CN117675205A (en) Data security transmission method
Alenezi et al. On the performance of AES algorithm variants

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination