CN116192428A - Information double encryption method, device and system applied to edge node device - Google Patents
- Publication number: CN116192428A (application CN202211553033.XA)
- Authority: CN (China)
- Prior art keywords: encryption, key, transmitted, information content, decryption algorithm
- Legal status: Pending
Classifications
- H04L63/0435: H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security) > H04L63/04 (providing a confidential data exchange among entities communicating through data packet networks) > H04L63/0428 (the data content is protected, e.g. by encrypting or encapsulating the payload) > H04L63/0435 (the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption)
- H04L9/0822: H > H04 > H04L > H04L9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols) > H04L9/08 (Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords) > H04L9/0816 (Key establishment, i.e. cryptographic processes or protocols whereby a shared secret becomes available to two or more parties, for subsequent use) > H04L9/0819 (Key transport or distribution, i.e. one party creates or otherwise obtains a secret value and securely transfers it to the other(s)) > H04L9/0822 (using a key encryption key)
- H04L9/14: H > H04 > H04L > H04L9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols) > H04L9/14 (using a plurality of keys or algorithms)
Abstract
The invention discloses an information double encryption method, device and system applied to an edge node device. A first re-key (the key of the first encryption layer, which later serves as the initial key of the second layer) is encrypted with a first encryption and decryption algorithm and sent to the receiving end; the receiving end decrypts it with the same first algorithm and stores it. The information content to be transmitted is then encrypted, with the first re-key as the initial key, using a second encryption and decryption algorithm different from the first, and sent to the receiving end, which decrypts it using the stored first re-key as the initial key together with the second algorithm to obtain the information content. Encrypting and decrypting the initial key with the first algorithm, and the information content with the second algorithm keyed by that initial key, improves the security of electric power information interaction.
Description
Technical Field
The invention belongs to the field of power automation and relates in particular to an information double encryption method, device and system applied to an edge node device.
Background
With the development of information security technology and the growing computing power of embedded devices, servers and similar hardware, information interaction between the secondary equipment of a power system has changed greatly; at the same time, the open environment threatens the security of that interaction. Power information security technology is the main means of maintaining the confidentiality, integrity and reliability of information and covers all measures that protect information from illegal modification, destruction and leakage. Cryptography is its core and spans the design and analysis of cryptographic algorithms, identity authentication and digital signatures, key management and more. Practical and effective data encryption, data authentication, digital signature and key management algorithms are therefore of great significance to the security of electric power information.
SM4 is a block cipher published by China's State Cryptography Administration (standardized as GB/T 32907-2016) with a 128-bit block and a 128-bit key. Encryption and decryption use a 32-round nonlinear iterative structure, and the round keys are produced by a key schedule of the same iterative shape. Using SM4 does increase the security of data transmission. The applicant's view is that, because SM4 is an open algorithm whose round-key generation is structurally similar to the encryption rounds, security is reduced; how to improve the security of data encrypted with SM4 is therefore the problem to be solved.
Disclosure of Invention
In view of the above problems, the present invention provides an information double encryption method, device and system applied to an edge node device, which improves the security of electric power information interaction for the secondary equipment of a power system by encrypting or decrypting, as a first layer, the first re-key (the initial key) and, as a second layer, the information content itself.
In order to achieve the technical purpose and achieve the technical effect, the invention is realized by the following technical scheme:
in a first aspect, the present invention provides an information double encryption method applied to an edge node device, including:
encrypting the first re-key by using a first encryption and decryption algorithm, and sending the encrypted first re-key to a receiving end, so that the receiving end decrypts the encrypted first re-key by using the first encryption and decryption algorithm to obtain and store the first re-key;
and encrypting the information content to be transmitted, with the first re-key as the initial key, using a second encryption and decryption algorithm different from the first, and sending the encrypted content to the receiving end, so that the receiving end decrypts it using the stored first re-key as the initial key together with the second encryption and decryption algorithm to obtain the information content to be transmitted.
Optionally, encrypting the information content to be transmitted with the second encryption and decryption algorithm comprises the following steps:
splitting the information content into a plurality of single-frame messages when it contains more bytes than the maximum transmission byte count specified by the second encryption and decryption algorithm;
and, if every single-frame message has exactly the maximum transmission byte count specified by the second algorithm, encrypting each single-frame message with the second encryption and decryption algorithm using the first re-key as the initial key.
Optionally, encrypting the information content to be transmitted with the second encryption and decryption algorithm comprises the following steps:
if the last single-frame message is shorter than the maximum transmission byte count specified by the second algorithm, subtracting its length from that maximum to obtain the number of bytes to supplement, appending that many bytes to the last single-frame message to form a new last single-frame message, and writing the original length of the last single-frame message into a valid-byte-count area (the "effective byte number area");
and encrypting each single-frame message with the second encryption and decryption algorithm using the first re-key as the initial key.
Optionally, encrypting the information content to be transmitted with the second encryption and decryption algorithm comprises the following steps:
if the information content contains exactly the maximum transmission byte count specified by the second encryption and decryption algorithm, encrypting it with the second algorithm using the first re-key as the initial key.
Optionally, encrypting the information content to be transmitted with the second encryption and decryption algorithm comprises the following steps:
if the information content contains fewer bytes than the maximum transmission byte count specified by the second algorithm, subtracting its length from that maximum to obtain the number of bytes to supplement, appending that many bytes to the information content, and writing the original length of the information content into the valid-byte-count area;
and encrypting the information content with the second encryption and decryption algorithm using the first re-key as the initial key.
Optionally, the second encryption and decryption algorithm encrypts the information content to be transmitted at the link layer, the network layer, the transport layer and the application layer, in combination or simultaneously; and the second algorithm and the first algorithm may perform their encryption or decryption at the same layer or at different layers.
In a second aspect, the present invention provides an information double encryption method applied to an edge node device, including:
receiving an encrypted first re-key and decrypting it with a first encryption and decryption algorithm to obtain the first re-key, the encrypted first re-key having been produced by the sender by encrypting the first re-key with the first encryption and decryption algorithm;
receiving encrypted information content to be transmitted and decrypting it using the first re-key obtained by that decryption as the initial key together with a second encryption and decryption algorithm, to obtain the information content to be transmitted; the encrypted information content having been produced by the sender by encrypting the information content with the second encryption and decryption algorithm using the first re-key as the initial key.
Optionally, decrypting the information content to be transmitted together with the second encryption and decryption algorithm comprises the following steps:
when the information content was sent as a plurality of single-frame messages, decrypting each single-frame message with the second encryption and decryption algorithm using the first re-key obtained by decryption as the initial key;
and, if none of the decrypted single-frame messages carries a valid-byte-count area, concatenating all the single-frame messages to obtain the information content to be transmitted.
Optionally, decrypting the information content to be transmitted together with the second encryption and decryption algorithm comprises the following steps:
if the decrypted last single-frame message carries a valid-byte-count area, discarding the bytes of the last single-frame message beyond the count recorded in that area to form a new last single-frame message;
and concatenating all the single-frame messages in order to obtain the information content to be transmitted.
Optionally, decrypting the information content to be transmitted together with the second encryption and decryption algorithm comprises the following steps:
when the information content was sent as one single-frame message, decrypting that single-frame message with the second encryption and decryption algorithm using the first re-key obtained by decryption as the initial key;
if the decrypted single-frame message carries no valid-byte-count area, the decrypted single-frame message is the information content to be transmitted.
Optionally, decrypting the information content to be transmitted together with the second encryption and decryption algorithm further comprises the following steps:
when the information content was sent as one single-frame message, decrypting that single-frame message with the second encryption and decryption algorithm using the first re-key obtained by decryption as the initial key;
if the decrypted single-frame message carries a valid-byte-count area, discarding the bytes beyond the count recorded in that area to obtain the information content to be transmitted.
Optionally, the second encryption and decryption algorithm encrypts the information content to be transmitted at the link layer, the network layer, the transport layer and the application layer, in combination or simultaneously; and the second algorithm and the first algorithm may perform their encryption or decryption at the same layer or at different layers.
In a third aspect, the present invention provides an information double encryption apparatus applied to an edge node apparatus, comprising:
a key encryption module, which encrypts the first re-key with a first encryption and decryption algorithm and sends the encrypted first re-key to the receiving end, so that the receiving end decrypts it with the first encryption and decryption algorithm to obtain the first re-key;
an information content encryption module, which encrypts the information content to be transmitted with a second encryption and decryption algorithm using the first re-key as the initial key and sends the encrypted content to the receiving end, so that the receiving end decrypts it with the second encryption and decryption algorithm using the first re-key obtained by its own decryption as the initial key, and thereby obtains the information content to be transmitted.
In a fourth aspect, the present invention provides an information double encryption apparatus applied to an edge node apparatus, comprising:
a key decryption module, which receives the encrypted first re-key and decrypts it with a first encryption and decryption algorithm to obtain the first re-key, the encrypted first re-key having been produced by the sender by encrypting the first re-key with the first encryption and decryption algorithm;
an information content decryption module, which receives the encrypted information content to be transmitted and decrypts it with a second encryption and decryption algorithm using the first re-key obtained by decryption as the initial key, to obtain the information content to be transmitted; the encrypted information content having been produced by the sender by encrypting the information content with the second encryption and decryption algorithm using the first re-key as the initial key.
In a fifth aspect, the present invention provides an information double encryption system applied to an edge node apparatus, comprising a storage medium and a processor;
the storage medium stores instructions;
the processor operates according to the instructions to perform the steps of the method of any one of the first aspects.
In a sixth aspect, the present invention provides an information double encryption system applied to an edge node apparatus, comprising a storage medium and a processor;
the storage medium stores instructions;
the processor operates according to the instructions to perform the steps of the method of any one of the second aspects.
In a seventh aspect, the present invention provides an information double encryption system applied to an edge node apparatus, including: a transmitting end and a receiving end;
the sending end encrypts the first re-key by using a first encryption and decryption algorithm and sends the encrypted first re-key to the receiving end;
the receiving end decrypts the encrypted first re-key by using a first encryption and decryption algorithm to obtain a first re-key;
the sending end takes the first re-key as an initial key, encrypts the information content to be transmitted by using a second encryption and decryption algorithm, and sends the encrypted information content to be transmitted to the receiving end;
and the receiving end decrypts the encrypted information content to be transmitted with the second encryption and decryption algorithm, using the first re-key obtained by decryption as the initial key, to obtain the information content to be transmitted.
Compared with the prior art, the invention has the following beneficial effects:
Through the design of encrypting or decrypting the first re-key of the secondary equipment of the power system and of encrypting or decrypting the information content to be transmitted, the security of electric power information interaction is improved; the initial key need not be stored locally at the receiving end, so leakage of that key from a storage medium through viruses or intrusion is avoided.
The initial key (that is, the first re-key) is obtained during the initial communication when a two-party or multi-party connection is set up, and it is protected by an encryption and decryption algorithm different from the one used for the information content, so leakage of the initial key through message capture and similar means is avoided and the security of electric power information interaction is improved.
The first and second encryption and decryption algorithms are different algorithms. Breaking the first algorithm alone yields only the initial key, not the information content protected by the second algorithm; breaking the second algorithm alone does not help either, because the second algorithm requires the initial key as input, and without the correct initial key the information content cannot be recovered. The two algorithms are therefore interdependent in use, which further raises the difficulty of recovering the key and genuinely improves the security of electric power information interaction.
The invention also covers the handling of single-frame and multi-frame messages and of the padding bytes needed when the content length is not a multiple of the size handled by the encryption and decryption algorithm, giving a double-password encryption method for the secondary equipment of a power system, and in particular for power edge node equipment.
Drawings
In order that the invention may be more readily understood, a more particular description of the invention will be rendered by reference to specific embodiments that are illustrated in the appended drawings, in which:
FIG. 1 is a flow chart of the encryption process of one embodiment of the present invention;
FIG. 2 is a flow chart of the decryption process of one embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following examples in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the detailed description and specific examples are intended for purposes of illustration only and are not intended to limit the scope of the invention.
The principle of application of the invention is described in detail below with reference to the accompanying drawings.
Example 1
The embodiment of the invention provides an information double encryption method applied to an edge node device, which is applied to a transmitting end, as shown in fig. 1, and comprises the following steps:
(1) Encrypting the first re-key with a first encryption and decryption algorithm and sending the encrypted first re-key to the receiving end, so that the receiving end decrypts it with the first encryption and decryption algorithm to obtain the first re-key; this first-layer decryption does not itself use the initial key, since the initial key is what it produces;
(2) And encrypting the information content to be transmitted by using the second encryption and decryption algorithm and sending the encrypted information content to be transmitted to the receiving end, so that the receiving end uses the first re-key obtained after decryption as the initial key and decrypts the encrypted information content to be transmitted by matching with the second encryption and decryption algorithm to obtain the information content to be transmitted.
With the information double encryption method of this embodiment, the initial key (that is, the first re-key) is obtained during the initial communication when the two-party or multi-party connection is set up, and it travels only in encrypted form, so leakage of the initial key through message capture and similar means is avoided and the security of electric power information interaction is improved.
In a specific implementation of this embodiment, encrypting the first re-key with the first encryption and decryption algorithm comprises the following steps:
a symmetric algorithm such as DES or AES (the same key is used for encryption and decryption), or an asymmetric algorithm such as RSA, is selected as the first encryption and decryption algorithm; in each case the decryption process is the inverse of the encryption process;
the first re-key is encrypted with the first encryption and decryption algorithm;
in this embodiment the first re-key, which serves as the initial key of the second encryption and decryption algorithm (for example SM4), is transmitted encrypted. As soon as the transmitting end and the receiving end establish a connection, the receiving end obtains the encrypted initial key without having it pre-stored, so leakage of the initial key from the receiving end's storage medium through viruses or intrusion is avoided and information security is improved. The transmitting end (the provider of the initial key) records the unencrypted initial key locally, encrypts it with DES, RSA, AES or a similar algorithm and transmits it to the receiving end, so that the initial key cannot be read directly from captured messages. Note that the receiving end must still hold the key material of the first algorithm (a shared DES or AES key, or its own RSA private key) in order to decrypt the first re-key; what is removed from the receiving end's storage is the initial key itself, not every secret.
In this embodiment the first re-key may be encrypted with the first encryption and decryption algorithm at the link layer, at the network layer, at the transport layer or at the application layer, or at a combination of these layers, or at several of them simultaneously.
In this embodiment the first encryption and decryption algorithm encrypts the first re-key. In the power system the first re-key may be, without limitation, a permission, a password or another key, for example a password for control operations or a management permission for consulting data. Encrypting the first re-key with the first algorithm is applicable to equipment such as relay protection devices, measurement and control devices, electrical measurement devices, monitoring devices, automatic transfer switching devices and stability control devices, and to the master station or substation systems that communicate with them.
In a specific implementation of this embodiment the second encryption and decryption algorithm may be a symmetric algorithm such as SM4 (the same key is used for encryption and decryption), whose decryption process is the inverse of its encryption process. The second algorithm may encrypt the information content to be transmitted at the link layer, the network layer, the transport layer and the application layer, in combination or simultaneously; the first and second algorithms may perform their encryption or decryption at the same layer or at different layers, a layer being the link, network, transport or application layer.
In the power system, encrypting the information content with the second encryption and decryption algorithm applies to protocols including but not limited to MQTT, CMS, IEC 61850, IEC 60870-5-101, IEC 60870-5-102, IEC 60870-5-103, IEC 60870-5-104, COMTRADE, Modbus and other power-industry or custom specifications, and to equipment such as relay protection devices, measurement and control devices, electrical measurement devices, monitoring devices, automatic transfer switching devices and stability control devices, and to the master station or substation systems that communicate with them.
In a specific implementation manner of the embodiment of the present invention, the encrypting the information content to be transmitted by using the second encrypting and decrypting algorithm specifically includes the following steps:
splitting the information content to be transmitted into a plurality of single-frame messages when the number of bytes contained in the information content to be transmitted exceeds the maximum transmission byte number requirement specified by the second encryption and decryption algorithm;
if the byte number of all the single-frame messages is equal to the maximum sending byte number specified by the second encryption algorithm, the first re-key is used as an initial key, and each single-frame message is encrypted by using the second encryption algorithm;
If the byte number of the last single-frame message is smaller than the maximum sending byte number specified by the second encryption algorithm, subtracting the byte number of the last single-frame message from the maximum sending byte number of the second encryption algorithm to obtain the byte number to be supplemented, carrying out byte supplementation on the last single-frame message according to the byte number to be supplemented to form a new last single-frame message, and filling the byte number of the last single-frame message into an effective byte number area;
using the first re-key as an initial key, and encrypting each single-frame message by using a second encryption and decryption algorithm;
if the number of bytes contained in the information content to be transmitted is equal to the maximum transmission byte number requirement specified by the second encryption and decryption algorithm, the first re-key is used as an initial key, and the information content to be transmitted is encrypted by the second encryption and decryption algorithm;
if the number of bytes contained in the information content to be transmitted is smaller than the maximum transmission byte number requirement specified by the second encryption and decryption algorithm, subtracting the number of bytes contained in the information content to be transmitted from the maximum transmission byte number of the second encryption algorithm to obtain the number of bytes to be supplemented, carrying out byte supplementation on the information content to be transmitted according to the number of bytes to be supplemented, and filling the number of bytes of the information content to be transmitted into an effective byte number area; in the implementation process, in order to avoid errors, all the bytes complemented are represented by hexadecimal 0x 0;
And encrypting the information content to be transmitted by using the second encryption and decryption algorithm by taking the first re-key as an initial key.
The communication protocols include, but are not limited to, MQTT, CMS, IEC61850, IEC60870-5-101, IEC60870-5-102, IEC60870-5-103, IEC60870-5-104, COMTRADE, Modbus and other power industry protocols or custom protocols;
depending on the size of the information content to be transmitted, the method either encrypts it directly as one single-frame message or splits it into a plurality of single-frame messages and then encrypts each of them.
In a specific implementation manner of the embodiment of the present invention, block-type message encryption and decryption or chained message encryption and decryption may be selectively supported when encrypting and decrypting the information content to be transmitted, specifically:
in block-type encryption and decryption, the blocks do not affect one another; an abnormality in a block's message influences the encryption and decryption result of that block only.
In chained encryption and decryption, the encryption of a block depends on the message of the preceding block, so an abnormality in either the block's own message or the preceding block's message affects the encryption and decryption result of that block.
Block-type encryption and decryption is more efficient; chained encryption and decryption offers higher security.
Block-type encryption and decryption is suitable for devices with low hardware performance, such as embedded devices, and for operations that require a fast time response, such as switching a circuit breaker.
Chained encryption and decryption is suitable for the system layer with better hardware performance, such as servers, and for operations with low time-response requirements, such as uploading state monitoring information.
Example 2
The embodiment of the invention provides an information double encryption method applied to an edge node device, which is applied to a receiving end, as shown in fig. 2, and comprises the following steps:
receiving an encrypted first re-key, and decrypting the encrypted first re-key by using a first encryption and decryption algorithm to obtain a first re-key, wherein the encrypted first re-key is obtained by encrypting the first re-key by a sender by using the first encryption and decryption algorithm;
receiving encrypted information content to be transmitted, and decrypting the encrypted information content to be transmitted by using a first re-key obtained after decryption as an initial key and matching a second encryption and decryption algorithm to obtain the information content to be transmitted; the encrypted information content to be transmitted is obtained by using the first re-key as an initial key by a sender and encrypting the information content to be transmitted by using a second encryption and decryption algorithm.
In a specific implementation manner of the embodiment of the present invention, the method for obtaining the first re-key specifically includes the following steps:
DES, RSA, AES or another symmetric encryption and decryption algorithm (i.e. one in which the same secret key is used for encryption and decryption) is selected as the first encryption and decryption algorithm, and the decryption process of the first encryption and decryption algorithm is the inverse of its encryption process;
encrypting the first re-key by using the first encryption and decryption algorithm;
in the embodiment of the invention, the first re-key, which serves as the initial key of the second encryption and decryption algorithm (such as SM4.0), is itself encrypted; once the transmitting end and the receiving end have established a connection, the receiving end obtains the encrypted initial key without having to pre-store it, so leakage of the initial key from the receiving end's storage medium through viruses or intrusion is avoided and information security is further improved. The transmitting end (the initial key provider) records the initial key (first re-key) locally, encrypts it with DES, RSA, AES or another information encryption and decryption algorithm and only then transmits it to the receiving end, so that the initial key cannot be obtained directly by capturing messages, which improves information security.
The first re-key in the embodiment of the invention can be encrypted by the first encryption and decryption algorithm at the link layer, the network layer, the transport layer or the application layer, at any combination of these layers, or at several of them simultaneously.
In the embodiment of the invention, the first encryption and decryption algorithm is used to encrypt the first re-key; in the power system the first re-key may represent, among other things, a permission, a password or another key, for example a password for control operations or the management right to consult data. Encrypting the first re-key with the first encryption and decryption algorithm is suitable for equipment such as relay protection devices, measurement and control devices, electrical measurement devices, monitoring devices, standby power automatic switching devices and stability control devices, and for the master station or plant station systems that communicate with such equipment.
In a specific implementation manner of the embodiment of the present invention, the second encryption and decryption algorithm may be a symmetric encryption and decryption algorithm such as SM4.0 (i.e. the same key is used for encryption and decryption), and its decryption process is the inverse of its encryption process. In the specific implementation, the second encryption and decryption algorithm encrypts the information content to be transmitted at the link layer, the network layer, the transport layer and the application layer, in combination or simultaneously; the second and the first encryption and decryption algorithms may perform their encryption or decryption operations at the same layer or at different layers, the layers being the link layer, the network layer, the transport layer or the application layer.
In the embodiment of the invention, encrypting the information content to be transmitted with the second encryption and decryption algorithm applies in the power system to, among others, MQTT, CMS, IEC61850, IEC60870-5-101, IEC60870-5-102, IEC60870-5-103, IEC60870-5-104, COMTRADE, Modbus and other power industry specifications or custom specifications. Encrypting the information content to be transmitted with this algorithm is suitable for equipment such as relay protection devices, measurement and control devices, electrical measurement devices, monitoring devices, standby power automatic switching devices and stability control devices, and for the master station or plant station systems that communicate with such equipment.
In a specific implementation manner of the embodiment of the present invention, decrypting the encrypted information content to be transmitted with the second encryption and decryption algorithm specifically includes the following steps:
when the information content to be transmitted is sent as a plurality of single-frame messages, each single-frame message is decrypted using the first re-key obtained after decryption as the initial key, in combination with the second encryption and decryption algorithm;
if none of the decrypted single-frame messages contains an effective byte number area, all the single-frame messages are spliced together to obtain the information content to be transmitted;
if the decrypted last single-frame message contains an effective byte number area, the bytes of the last single-frame message beyond the byte count given in the effective byte number area are deleted to form a new last single-frame message;
all the single-frame messages are then spliced in sequence to obtain the information content to be transmitted;
when the information content to be transmitted is sent as one single-frame message, the first re-key obtained after decryption is used as the initial key and the single-frame message is decrypted in combination with the second encryption and decryption algorithm;
if the decrypted single-frame message does not contain an effective byte number area, the decrypted single-frame message is itself the information content to be transmitted;
if the decrypted single-frame message contains an effective byte number area, the bytes beyond the byte count given in the effective byte number area are deleted to obtain the information content to be transmitted. In the implementation, before deleting a supplemented byte the program must check that the byte is indeed hexadecimal 0x00, so that a data byte is not deleted by mistake.
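The framing rules of this scheme, as described for the sender at the start of this section and for the receiver in the steps just listed, as an added Python example (not code from the patent): the last frame is padded with 0x00 and tagged with its effective byte count, and the receiver refuses a frame whose bytes beyond the effective count are not all 0x00 instead of silently deleting them. The 16-byte frame size and the Frame layout (the count carried as a separate per-frame field) are assumptions; the frame bodies are what the second algorithm would encrypt and decrypt.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_FRAME = 16   # constructed stand-in for the maximum transmission byte number of the second algorithm
PAD_BYTE = 0x00  # the text pads with hexadecimal 0x00


@dataclass
class Frame:
    """One single-frame message as handed to the second algorithm (layout is an assumption)."""
    body: bytes                   # exactly MAX_FRAME bytes
    effective_len: Optional[int]  # "effective byte number area": present only when the body was padded


def split_into_frames(content: bytes, max_frame: int = MAX_FRAME) -> List[Frame]:
    """Sender: split content into max_frame-sized frames; only a short last frame is padded and tagged."""
    if not content:
        raise ValueError("nothing to send")
    frames: List[Frame] = []
    for off in range(0, len(content), max_frame):
        chunk = content[off:off + max_frame]
        if len(chunk) == max_frame:
            frames.append(Frame(chunk, None))      # full frame: no effective byte number area
        else:
            pad = max_frame - len(chunk)           # number of bytes to be supplemented
            frames.append(Frame(chunk + bytes([PAD_BYTE]) * pad, len(chunk)))
    return frames


def reassemble_frames(frames: List[Frame], max_frame: int = MAX_FRAME) -> bytes:
    """Receiver: validate each decrypted frame, strip the last frame's padding, splice in order."""
    parts: List[bytes] = []
    for idx, fr in enumerate(frames):
        if len(fr.body) != max_frame:
            raise ValueError(f"frame {idx}: body is {len(fr.body)} bytes, expected {max_frame}")
        if fr.effective_len is None:
            parts.append(fr.body)
            continue
        if idx != len(frames) - 1:
            raise ValueError(f"frame {idx}: only the last frame may carry an effective byte number")
        n = fr.effective_len
        if not 0 < n < max_frame:
            raise ValueError(f"frame {idx}: effective byte number {n} is out of range")
        # The text's safeguard: a byte is only treated as padding if it really is 0x00.
        if any(b != PAD_BYTE for b in fr.body[n:]):
            raise ValueError(f"frame {idx}: bytes beyond the effective length are not all 0x00")
        parts.append(fr.body[:n])
    return b"".join(parts)


def padding_is_valid(frames: List[Frame]) -> bool:
    """True if reassemble_frames accepts the frames, False if it rejects them."""
    try:
        reassemble_frames(frames)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = bytes(range(40))  # constructed 40-byte payload: two full frames plus an 8-byte tail
    frames = split_into_frames(sample)
    print([(len(f.body), f.effective_len) for f in frames])  # [(16, None), (16, None), (16, 8)]
    print(reassemble_frames(frames) == sample)                # True
```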
In a specific implementation manner of the embodiment of the present invention, block-type or chained message encryption and decryption may again be selectively supported when encrypting and decrypting the information content to be transmitted, with the same properties as in Embodiment 1: in block-type encryption and decryption the blocks are independent and an abnormal block affects only itself, which is more efficient and suits low-performance hardware such as embedded devices and fast-response operations such as switching a circuit breaker; in chained encryption and decryption each block depends on the preceding block, so an abnormality in the block or its predecessor affects the result for that block, which offers higher security and suits systems with better hardware such as servers and operations with low time-response requirements such as uploading state monitoring information.
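The block-type versus chained distinction drawn in Embodiment 1 and repeated here, as an added Python example (not the patent's code, and not SM4): a clearly labelled toy 16-byte Feistel permutation stands in for the second algorithm, block mode encrypts each block on its own, and chained mode XORs each block with the previous ciphertext block before encrypting it (CBC-style chaining, with a caller-supplied first chaining value, is an assumption about how the chaining is realized). The helper flips one ciphertext bit and reports which decrypted blocks change, which is the error-propagation behaviour the text describes; the key, chaining value and message are constructed.

```python
import hashlib
import hmac
from typing import List

BLOCK = 16  # block size in bytes (SM4 also uses 16-byte blocks)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 over (round index || half), truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation on one 16-byte block. Stand-in only: NOT SM4, not secure."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: undo the rounds in reverse order."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def encrypt_message(key: bytes, plaintext: bytes, chained: bool, iv: bytes) -> bytes:
    """Block mode: each block encrypted independently. Chained mode: XOR with previous ciphertext block first."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks (see the framing/padding step)")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        blk = plaintext[i:i + BLOCK]
        if chained:
            blk = _xor(blk, prev)
        prev = toy_block_encrypt(key, blk)
        out.append(prev)
    return b"".join(out)


def decrypt_message(key: bytes, ciphertext: bytes, chained: bool, iv: bytes) -> bytes:
    """Inverse of encrypt_message. In chained mode plaintext block i depends on ciphertext blocks i and i-1."""
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        p = toy_block_decrypt(key, c)
        if chained:
            p = _xor(p, prev)
        out.append(p)
        prev = c
    return b"".join(out)


def damaged_blocks_after_bitflip(key: bytes, plaintext: bytes, chained: bool, iv: bytes,
                                 flip_block: int = 1) -> List[int]:
    """Flip one bit in ciphertext block `flip_block`; return indices of plaintext blocks that then decrypt wrongly."""
    ct = bytearray(encrypt_message(key, plaintext, chained, iv))
    ct[flip_block * BLOCK] ^= 0x01
    pt = decrypt_message(key, bytes(ct), chained, iv)
    n = len(plaintext) // BLOCK
    return [i for i in range(n) if pt[i * BLOCK:(i + 1) * BLOCK] != plaintext[i * BLOCK:(i + 1) * BLOCK]]


# Constructed sample values for the demonstration.
DEMO_KEY = bytes(range(16))       # stands in for the decrypted first re-key
DEMO_IV = b"\x55" * BLOCK         # chaining value for the first block (assumption, see lead-in)
DEMO_MESSAGE = bytes(range(64))   # four 16-byte blocks

if __name__ == "__main__":
    for chained in (False, True):
        mode = "chained" if chained else "block"
        print(mode, "mode, damaged blocks:",
              damaged_blocks_after_bitflip(DEMO_KEY, DEMO_MESSAGE, chained, DEMO_IV))
```

In block mode only the block whose ciphertext was disturbed decrypts wrongly; in chained mode that block and the one after it do, because the next block's plaintext is recovered by XORing with the disturbed ciphertext block.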
Example 3
Based on the same inventive concept as embodiment 1, the present invention provides an information double encryption device applied to an edge node device, including:
the key encryption module is used for encrypting the first re-key by using a first encryption and decryption algorithm and sending the encrypted first re-key to the receiving end, so that the receiving end decrypts the encrypted first re-key by using the first encryption and decryption algorithm to obtain the first re-key;
the module for encrypting the information content to be transmitted is used for encrypting the information content to be transmitted with the second encryption and decryption algorithm, using the first re-key as the initial key, and for sending the encrypted information content to the receiving end, so that the receiving end, using the first re-key obtained by decrypting the encrypted first re-key as the initial key in combination with the second encryption and decryption algorithm, decrypts the encrypted information content and obtains the information content to be transmitted.
Example 4
Based on the same inventive concept as embodiment 2, the present invention provides an information double encryption device applied to an edge node device, including:
the key decryption module is used for receiving the encrypted first re-key, decrypting the encrypted first re-key by using a first encryption and decryption algorithm to obtain a first re-key, wherein the encrypted first re-key is obtained by encrypting the first re-key by a sender by using the first encryption and decryption algorithm;
the module for decrypting the information content to be transmitted is used for receiving the encrypted information content to be transmitted and decrypting it, using the first re-key obtained after decryption as the initial key in combination with the second encryption and decryption algorithm, to obtain the information content to be transmitted; the encrypted information content to be transmitted is obtained by the sender using the first re-key as the initial key and encrypting the information content to be transmitted with the second encryption and decryption algorithm.
Example 5
Based on the same inventive concept as embodiment 1, the present invention provides an information double encryption system applied to an edge node apparatus, including a storage medium and a processor;
the storage medium is used for storing instructions;
the processor is operative according to the instructions to perform the steps of the method according to any one of embodiment 1.
Example 6
Based on the same inventive concept as embodiment 2, the present invention provides an information double encryption system applied to an edge node apparatus, including a storage medium and a processor;
the storage medium is used for storing instructions;
the processor is operative according to the instructions to perform the steps of the method according to any one of embodiment 2.
Example 7
The embodiment of the invention provides an information double encryption system applied to an edge node device, which comprises a transmitting end and a receiving end;
the sending end encrypts the first re-key by using a first encryption and decryption algorithm and sends the encrypted first re-key to the receiving end;
the receiving end decrypts the encrypted first re-key by using a first encryption and decryption algorithm to obtain a first re-key;
the sending end takes the first re-key as an initial key, encrypts the information content to be transmitted by using a second encryption and decryption algorithm, and sends the encrypted information content to be transmitted to the receiving end;
and the receiving end uses the first re-key obtained after decryption as an initial key and is matched with a second encryption and decryption algorithm to decrypt the encrypted information content to be transmitted, so as to obtain the information content to be transmitted.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and variations could be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.
Claims (17)
1. An information double encryption method applied to an edge node device, comprising:
encrypting the first re-key by using a first encryption and decryption algorithm, and sending the encrypted first re-key to a receiving end, so that the receiving end decrypts the encrypted first re-key by using the first encryption and decryption algorithm to obtain and store the first re-key;
and encrypting the information content to be transmitted by using a second encryption and decryption algorithm which is different from the first encryption and decryption algorithm and sending the encrypted information content to be transmitted to the receiving end, so that the receiving end decrypts the encrypted information content to be transmitted by using the stored first re-key as the initial key and matching with the second encryption and decryption algorithm to obtain the information content to be transmitted.
2. The method for encrypting information by two layers applied to the edge node device according to claim 1, wherein the encrypting information content to be transmitted by the second encrypting and decrypting algorithm comprises the following steps:
splitting the information content to be transmitted into a plurality of single-frame messages when the number of bytes contained in the information content to be transmitted exceeds the maximum transmission byte number requirement specified by the second encryption and decryption algorithm;
and if the byte number of all the single-frame messages is equal to the maximum transmission byte number specified by the second encryption and decryption algorithm, the first re-key is used as an initial key, and the second encryption and decryption algorithm is utilized to encrypt each single-frame message.
3. The method for encrypting information by two layers applied to the edge node device according to claim 2, wherein the encrypting information content to be transmitted by the second encrypting and decrypting algorithm comprises the following steps:
if the byte number of the last single-frame message is smaller than the maximum sending byte number specified by the second encryption algorithm, subtracting the byte number of the last single-frame message from the maximum sending byte number of the second encryption algorithm to obtain the byte number to be supplemented, carrying out byte supplementation on the last single-frame message according to the byte number to be supplemented to form a new last single-frame message, and filling the byte number of the last single-frame message into an effective byte number area;
and encrypting each single-frame message by using the first re-key as an initial key and using a second encryption and decryption algorithm.
4. The method for encrypting information by two layers applied to the edge node device according to claim 1, wherein the encrypting information content to be transmitted by the second encrypting and decrypting algorithm comprises the following steps:
and if the number of bytes contained in the information content to be transmitted is equal to the maximum transmission byte number requirement specified by the second encryption and decryption algorithm, the first re-key is used as an initial key, and the information content to be transmitted is encrypted by using the second encryption and decryption algorithm.
5. The method for encrypting information by two layers applied to the edge node device according to claim 1, wherein the encrypting information content to be transmitted by the second encrypting and decrypting algorithm comprises the following steps:
if the number of bytes contained in the information content to be transmitted is smaller than the maximum transmission byte number requirement specified by the second encryption and decryption algorithm, subtracting the number of bytes contained in the information content to be transmitted from the maximum transmission byte number of the second encryption algorithm to obtain the number of bytes to be supplemented, carrying out byte supplementation on the information content to be transmitted according to the number of bytes to be supplemented, and filling the number of bytes of the information content to be transmitted into an effective byte number area;
and encrypting the information content to be transmitted by using the second encryption and decryption algorithm by taking the first re-key as an initial key.
6. The method for double encryption of information applied to an edge node apparatus according to claim 1, wherein: the second encryption and decryption algorithm performs combined encryption or simultaneous encryption on the information content to be transmitted at a link layer, a network layer, a transmission layer and an application layer; and the second encryption and decryption algorithm and the first encryption and decryption algorithm execute encryption or decryption operation on the same layer or different layers.
7. An information double encryption method applied to an edge node device, comprising:
receiving an encrypted first re-key, and decrypting the encrypted first re-key by using a first encryption and decryption algorithm to obtain a first re-key; the encrypted first re-key is obtained by encrypting the first re-key by a sender through a first encryption and decryption algorithm;
receiving encrypted information content to be transmitted, and decrypting the encrypted information content to be transmitted by using a first re-key obtained after decryption as an initial key and matching a second encryption and decryption algorithm to obtain the information content to be transmitted; the encrypted information content to be transmitted is obtained by using the first re-key as an initial key by a sender and encrypting the information content to be transmitted by using a second encryption and decryption algorithm.
8. The method for double encryption of information applied to an edge node apparatus according to claim 7, wherein decrypting the encrypted information content to be transmitted by matching with the second encryption and decryption algorithm comprises the following steps:
when the information content to be transmitted is sent in a mode of a plurality of single-frame messages, each single-frame message is decrypted according to the first re-key obtained after decryption as an initial key and in combination with a second encryption and decryption algorithm;
and if none of the decrypted single-frame messages contains an effective byte number area, splicing all the single-frame messages to obtain the information content to be transmitted.
9. The method for double encryption of information applied to an edge node apparatus according to claim 8, wherein decrypting the encrypted information content to be transmitted by matching with the second encryption and decryption algorithm comprises the following steps:
if the decrypted last single-frame message contains an effective byte number area, deleting bytes of the last single-frame message according to the byte number in the effective byte number area to form a new last single-frame message;
and splicing all the single-frame messages according to the sequence to obtain the information content to be transmitted.
10. The method for double encryption of information applied to an edge node apparatus according to claim 7, wherein decrypting the encrypted information content to be transmitted by matching with the second encryption and decryption algorithm comprises the following steps:
when the information content to be transmitted is sent in a single-frame message mode, the first re-key obtained after decryption is used as an initial key, and the single-frame message is decrypted by matching with a second encryption and decryption algorithm;
and if the decrypted single-frame message does not contain the effective byte number area, the decrypted single-frame message is the information content to be transmitted.
11. The method for double encryption of information applied to an edge node apparatus according to claim 7, wherein: the encrypted information content to be transmitted is decrypted by matching with a second encryption and decryption algorithm, and the method further comprises the following steps:
when the information content to be transmitted is sent in a single-frame message mode, the first re-key obtained after decryption is used as an initial key, and the single-frame message is decrypted by matching with a second encryption and decryption algorithm;
if the decrypted single-frame message contains an effective byte number area, deleting bytes of the single-frame message according to the byte number in the effective byte number area to obtain the information content to be transmitted.
12. The method for double encryption of information applied to an edge node apparatus according to claim 7, wherein: the second encryption and decryption algorithm performs combined encryption or simultaneous encryption on the information content to be transmitted at a link layer, a network layer, a transmission layer and an application layer; and the second encryption and decryption algorithm and the first encryption and decryption algorithm execute encryption or decryption operation on the same layer or different layers.
13. An information double encryption device applied to an edge node device, comprising:
the key encryption module is used for encrypting the first re-key by using a first encryption and decryption algorithm and sending the encrypted first re-key to the receiving end, so that the receiving end decrypts the encrypted first re-key by using the first encryption and decryption algorithm to obtain the first re-key;
the information content encryption module to be transmitted is used for encrypting the information content to be transmitted by using the first re-key as an initial key and using a second encryption and decryption algorithm, and sending the encrypted information content to be transmitted to the receiving end, so that the receiving end uses the first re-key obtained after decryption of the first re-key as the initial key and is matched with the second encryption and decryption algorithm to decrypt the encrypted information content to be transmitted, and the information content to be transmitted is obtained.
14. An information double encryption device applied to an edge node device, comprising:
the key decryption module is used for receiving the encrypted first re-key, decrypting the encrypted first re-key by using a first encryption and decryption algorithm to obtain a first re-key, wherein the encrypted first re-key is obtained by encrypting the first re-key by a sender by using the first encryption and decryption algorithm;
the information content decryption module to be transmitted is used for receiving the encrypted information content to be transmitted, and decrypting the encrypted information content to be transmitted by using the first re-key obtained after decryption as an initial key and matching with a second encryption and decryption algorithm to obtain the information content to be transmitted; the encrypted information content to be transmitted is obtained by using the first re-key as an initial key by a sender and encrypting the information content to be transmitted by using a second encryption and decryption algorithm.
15. An information double encryption system applied to an edge node apparatus, comprising a storage medium and a processor;
the storage medium is used for storing instructions;
the processor is operative according to the instructions to perform the steps of the method according to any one of claims 1-6.
16. An information double encryption system applied to an edge node apparatus, comprising a storage medium and a processor;
the storage medium is used for storing instructions;
the processor being operative according to the instructions to perform the steps of the method according to any one of claims 7-12.
17. An information double encryption system applied to an edge node apparatus, comprising: a transmitting end and a receiving end; the sending end encrypts the first re-key by using a first encryption and decryption algorithm and sends the encrypted first re-key to the receiving end;
the receiving end decrypts the encrypted first re-key by using a first encryption and decryption algorithm to obtain a first re-key; the sending end takes the first re-key as an initial key, encrypts the information content to be transmitted by using a second encryption and decryption algorithm, and sends the encrypted information content to be transmitted to the receiving end;
and the receiving end uses the first re-key obtained after decryption as an initial key and is matched with a second encryption and decryption algorithm to decrypt the encrypted information content to be transmitted, so as to obtain the information content to be transmitted.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211553033.XA CN116192428A (en) | 2022-12-06 | 2022-12-06 | Information double encryption method, device and system applied to edge node device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116192428A true CN116192428A (en) | 2023-05-30 |
Family
ID=86447816
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211553033.XA Pending CN116192428A (en) | 2022-12-06 | 2022-12-06 | Information double encryption method, device and system applied to edge node device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116192428A (en) |
2022
- 2022-12-06 CN CN202211553033.XA patent/CN116192428A/en active Pending
Similar Documents
Publication | Title |
---|---|
US11496298B2 (en) | Many-to-many symmetric cryptographic system and method |
JP5815294B2 (en) | Secure field programmable gate array (FPGA) architecture |
US20190268145A1 (en) | Systems and Methods for Authenticating Communications Using a Single Message Exchange and Symmetric Key |
CN110896401A (en) | Two-dimensional code-based unidirectional data stream transmission system and method between isolated networks |
KR101608815B1 (en) | Method and system for providing service encryption in closed type network |
US7894608B2 (en) | Secure approach to send data from one system to another |
CN112804205A (en) | Data encryption method and device and data decryption method and device |
CN104660590A (en) | Cloud storage scheme for file encryption security |
CN116132043B (en) | Session key negotiation method, device and equipment |
US9571273B2 (en) | Method and system for the accelerated decryption of cryptographically protected user data units |
CN101931623B (en) | Safety communication method suitable for remote control with limited capability at controlled end |
CN112948867A (en) | Method and device for generating and decrypting encrypted message and electronic equipment |
Agarwal et al. | Authenticating cryptography over network in data |
CN115499118A (en) | Message key generation method, message key generation device, file encryption method, message key decryption method, file encryption device, file decryption device and medium |
CN114499857A (en) | Method for realizing data correctness and consistency in big data quantum encryption and decryption |
CN111510282A (en) | Information encryption algorithm and device, information decryption algorithm and device and communication method |
WO2022237440A1 (en) | Authenticated encryption apparatus with initialization-vector misuse resistance and method therefor |
CN113542309B (en) | Data processing system and method |
CN102622561A (en) | Enciphering and deciphering method for invoking data in software |
CN116192428A (en) | Information double encryption method, device and system applied to edge node device |
CN111431846B (en) | Data transmission method, device and system |
Arora et al. | Handling Secret Key Compromise by Deriving Multiple Asymmetric Keys based on Diffie-Hellman Algorithm |
CN112329066A (en) | Data file encryption method and system |
CN117675205A (en) | Data security transmission method |
Alenezi et al. | On the performance of AES algorithm variants |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |