Intelligent distribution network security access platform and implementation method thereof

Document No.: 1711825 Publication date: 2019-12-13

Reading note: This technology, an intelligent distribution network security access platform and implementation method thereof (一种智能配网安全接入平台及其实现方法), was designed by 许勇刚, 林亮成, 张崇超, 刘增明, 马靖, 姜帆 and 刘伟 on 2018-06-06. Main content: The invention provides an intelligent distribution network security access platform and an implementation method thereof, wherein the platform comprises a power distribution master station, a power distribution security access gateway, a data isolation component and a power distribution terminal; a security chip is embedded in the power distribution terminal; the power distribution master station, the data isolation component, the power distribution security access gateway and the power distribution terminal are communicatively connected in sequence; the power distribution master station initiates a connection request to the acquisition server through the data isolation component, the acquisition server sends the connection request to the power distribution terminal through the power distribution security access gateway, and the power distribution security access gateway establishes a connection with the power distribution terminal and performs security negotiation. The invention helps accelerate the construction and security protection of the distribution automation service system and helps old and new power distribution master stations and terminals transition smoothly; on the basis of meeting the information security protection requirements, it maintains the information security protection level of the company's production management zone and management information zone and ensures the security of the distribution automation system.

1. An intelligent distribution network security access platform, characterized by comprising a power distribution master station, a power distribution security access gateway, a data isolation component and a power distribution terminal; a security chip is embedded in the power distribution terminal; the power distribution master station, the data isolation component, the power distribution security access gateway and the power distribution terminal are communicatively connected in sequence;

The power distribution master station initiates a connection request to the acquisition server through the data isolation component, the acquisition server sends the connection request to the power distribution terminal through the power distribution security access gateway, and the power distribution security access gateway establishes a connection with the power distribution terminal and performs security negotiation.

2. The intelligent distribution network security access platform of claim 1, wherein an acquisition server is disposed between the power distribution security access gateway and the power distribution master station; the acquisition server is used for interaction between the power distribution security access gateway and the power distribution master station.

3. The intelligent distribution network security access platform of claim 1, wherein the acquisition server is provided with a static route, and the static route is used for directing the data streams of the acquisition server to the power distribution security access gateway.

4. The intelligent distribution network security access platform of claim 1, wherein the security chip uses an SPI interface, and the operating system of the power distribution terminal performs read-write operations on the security chip through the SPI interface.

5. The intelligent distribution network security access platform of claim 1, wherein the data isolation component comprises forward and reverse isolation, provides access control and data content filtering, achieves boundary security isolation, and prevents direct access by illegal links.

6. The intelligent distribution network security access platform of claim 1, wherein the platform further comprises

a firewall for applying access control measures and effectively monitoring and controlling application-layer data flows; and

remote parameter setting and remote upgrade information are signed using an asymmetric national cryptographic algorithm, realizing identity authentication of the power distribution master station by the power distribution terminal and message integrity protection.

7. A method for realizing the secure access of an intelligent distribution network, characterized in that the method comprises the following steps:

(1) The power distribution master station initiates a request for power distribution service data acquisition;

(2) The acquisition server sets a static route and directs the data stream of the acquisition server to the power distribution security access gateway;

(3) The power distribution terminal and the power distribution security access gateway perform key agreement and authentication to establish a secure channel and then perform data interaction;

(4) After the data interaction, the power distribution master station disconnects from the power distribution terminal.

8. The method for realizing the secure access of the intelligent distribution network according to claim 7, wherein step (4) includes that if the power distribution master station needs to collect data again, the power distribution terminal needs to perform security key agreement with the security access gateway again.

9. The method for realizing the secure access of the intelligent distribution network according to claim 7, wherein the data encryption and decryption algorithms of the power distribution terminal and the security access gateway use a national cryptographic algorithm.

Technical Field

The invention relates to the technical field of distribution network safety management, in particular to an intelligent distribution network safety access platform and an implementation method thereof.

Background

Disclosure of Invention

In order to overcome the problems in the related technology at least to a certain extent, the application provides an intelligent distribution network security access platform and an implementation method thereof.

The purpose of the invention is realized by adopting the following technical scheme:

The improvement of the intelligent distribution network security access platform is that the platform comprises a power distribution master station, a power distribution security access gateway, a data isolation component and a power distribution terminal; a security chip is embedded in the power distribution terminal; the power distribution master station, the data isolation component, the power distribution security access gateway and the power distribution terminal are communicatively connected in sequence;

The power distribution master station initiates a connection request to the acquisition server through the data isolation component, the acquisition server sends the connection request to the power distribution terminal through the power distribution security access gateway, and the power distribution security access gateway establishes a connection with the power distribution terminal and performs security negotiation.

Furthermore, an acquisition server is arranged between the power distribution security access gateway and the power distribution master station; the acquisition server is used for interaction between the power distribution security access gateway and the power distribution master station.

Furthermore, a static route is set on the acquisition server and is used for directing the data stream of the acquisition server to the power distribution security access gateway.

Furthermore, the security chip uses an SPI interface, and the operating system of the power distribution terminal performs read-write operations on the security chip through the SPI interface.

Furthermore, the data isolation component comprises forward and reverse isolation, provides access control and data content filtering, realizes boundary security isolation and prevents direct access by illegal links.

Further, the platform also comprises

A firewall for applying access control measures and effectively monitoring and controlling application-layer data flows; and

Remote parameter setting and remote upgrade information are signed using an asymmetric national cryptographic algorithm, realizing identity authentication of the power distribution master station by the power distribution terminal and message integrity protection.

The invention also provides a method for realizing the secure access of the intelligent distribution network, the improvement being that the method comprises the following steps:

(1) The power distribution master station initiates a request for power distribution service data acquisition;

(2) The acquisition server sets a static route and directs the data stream of the acquisition server to the power distribution security access gateway;

(3) The power distribution terminal and the power distribution security access gateway perform key agreement and authentication to establish a secure channel and then perform data interaction;

(4) After the data interaction, the power distribution master station disconnects from the power distribution terminal.

Further, step (4) includes that if the power distribution master station needs to collect data again, the power distribution terminal needs to perform security key agreement with the security access gateway again.

Further, the data encryption and decryption algorithms of the power distribution terminal and the security access gateway use a national cryptographic algorithm.

The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosed embodiments. This summary is not an extensive overview and is intended to neither identify key/critical elements nor delineate the scope of such embodiments. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is presented later.

Compared with the closest prior art, the technical scheme provided by the invention has the following excellent effects:

The invention adopts the power distribution encryption authentication device to provide a digital signature function for the power distribution service, provides service data integrity protection and avoids the risk of forging a power distribution master station. The power distribution main station and the power distribution terminal do not encrypt the application layer of the service data, so that the calculation load of the front-end processor, the power distribution terminal and the safety chip can be reduced.

The invention adopts the power distribution security access gateway to provide the functions of identity authentication, channel data encryption, terminal state monitoring and the like for the terminal, and the data isolation component can provide the network boundary isolation function, thereby improving the overall security protection capability and ensuring that the security protection strength of the power distribution service system meets the company requirements.

The invention adopts the information safety protection scheme of the power distribution automation system to meet the information safety protection requirements of countries and companies, does not reduce the safety standard, minimizes the influence on the service performance, reduces the reconstruction and development workload of the service system, is favorable for accelerating the construction and safety protection process of the power distribution automation service system, is favorable for the stable transition of a new power distribution main station and an old power distribution main station, keeps the information safety protection level of a company production management area and a management information area on the basis of meeting the information safety protection requirements, and ensures the safety of the power distribution automation system.

For the purposes of the foregoing and related ends, the following description and the annexed drawings set forth in detail certain illustrative aspects and are indicative of but a few of the various ways in which the principles of the various embodiments may be employed. Other benefits and novel features will become apparent from the following detailed description when considered in conjunction with the drawings and the disclosed embodiments are intended to include all such aspects and their equivalents.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.

Fig. 1 is a schematic structural diagram of an intelligent distribution network security access platform provided in the present invention;

Fig. 2 is a flow chart of a method for implementing the secure access of an intelligent distribution network according to the present invention;

Fig. 3 is a key agreement flow chart in the method for implementing secure access of an intelligent distribution network according to the present invention.

Detailed Description

The following describes embodiments of the present invention in further detail with reference to the accompanying drawings.

The following description and the drawings sufficiently illustrate specific embodiments of the invention to enable those skilled in the art to practice them. Other embodiments may incorporate structural, logical, electrical, process, and other changes. The examples merely typify possible variations. Individual components and functions are optional unless explicitly required, and the sequence of operations may vary. Portions and features of embodiments may be included in or substituted for those of other embodiments. The scope of embodiments of the invention encompasses the full ambit of the claims, as well as all available equivalents of the claims. Embodiments of the invention may be referred to herein, individually or collectively, by the term "invention" merely for convenience and without intending to voluntarily limit the scope of this application to any single invention or inventive concept if more than one is in fact disclosed.

As shown in Fig. 1, the present invention provides an intelligent distribution network security access platform, which includes a power distribution master station, a power distribution security access gateway, a data isolation component, and a power distribution terminal; a security chip is embedded in the power distribution terminal; the power distribution master station, the data isolation component, the power distribution security access gateway and the power distribution terminal are communicatively connected in sequence; the power distribution master station initiates a connection request to the acquisition server through the data isolation component, the acquisition server sends the connection request to the power distribution terminal through the power distribution security access gateway, and the power distribution security access gateway establishes a connection with the power distribution terminal and performs security negotiation. The power distribution terminal provides a software build environment for the power distribution terminal operating system, assists in installing the power distribution security access gateway client program, and ensures that the client program starts automatically at boot and recovers from abnormal conditions (hardware watchdog).

In the technical scheme, the communication mode of the power distribution master station and the power distribution terminal is mainly power optical fiber or wireless public network communication, and a wireless private network communication mode is adopted for a peripheral power distribution terminal without power optical fiber communication conditions; no matter which communication mode is adopted, the security protection is carried out by adopting an authentication technology based on a digital certificate and an encryption technology based on a domestic commercial cryptographic algorithm.

In the above technical solution, the platform uses a security-hardened operating system and adopts one or more user identity authentication modes, such as user name/strong password, dynamic password, biometric identification and digital certificate.

In the technical scheme, the invention can adopt the power distribution security access gateway and the data isolation to realize the security protection or adopt the data isolation alone to realize the security protection.

In the above technical solution, the power distribution terminal accesses the security access gateway through optical fiber, using separate cores (or wavelengths); a power distribution security access gateway is deployed, and an encrypted tunnel is established using a national cryptographic algorithm to realize bidirectional identity authentication and data encryption.

In the above technical solution, an acquisition server is arranged between the power distribution security access gateway and the power distribution master station; the acquisition server is used for interaction between the power distribution security access gateway and the power distribution master station.

In the above technical solution, the acquisition server is provided with a static route, and the static route is used for directing the data stream of the acquisition server to the power distribution security access gateway.

In the above technical solution, the security chip connects to the operating system of the power distribution terminal through an SPI interface, and the operating system of the power distribution terminal needs to support read-write operations on the SPI interface. The electrical characteristics of the security chip should satisfy the following conditions:

Typical operating current: <7 mA @ 10 MHz Core; 12 mA @ 10 MHz Core, PAE 10 MHz;

Maximum operating current: 28 mA @ Core 20 MHz, PAE 20 MHz; 48 mA @ Core 40 MHz, PAE 40 MHz;

A low power consumption mode is supported, with a lowest power consumption of less than 100 uA;

The security chip should fulfill the following functions:

SM1 functions, including importing symmetric keys, importing initial vectors, SM1 encryption, and SM1 decryption;

SM2 functions, including generating key pairs, importing and exporting public keys, importing and exporting private keys, SM3 hash, SM2 signing and signature verification, SM2 encryption and decryption, and generating certificate request files;

Other functions, including generating random numbers, obtaining version information, and security factors.

In the above technical solution, the data isolation component comprises forward and reverse isolation, provides access control and data content filtering, realizes boundary security isolation, and prevents direct access by illegal links. The data isolation component is based on network processor (NP) technology and can provide line-rate forwarding of data packets, including classification, statistics, filtering and forwarding of data packets; the equipment can configure ACL rules and define services based on the power distribution service to realize classified management of power distribution service data packets; it adopts a 100G network processor and reaches concurrency at the 100W (one million) level.

In the above technical solution, the platform further comprises

A firewall for applying access control measures and effectively monitoring and controlling application-layer data flows; and

Remote parameter setting and remote upgrade information are signed using an asymmetric national cryptographic algorithm, realizing identity authentication of the power distribution master station by the power distribution terminal and message integrity protection. Among these, the power distribution security access gateway: based on digital-certificate bidirectional authentication and key agreement, a bidirectional encrypted tunnel is established with the power distribution terminal using a national cryptographic algorithm, so that the tunnel is logically isolated from other services on the wireless network and the security of the communication link and of data transmission is ensured.

Data isolation component: provides functions such as access control and data content filtering, realizes security isolation of the boundary, and prevents direct access by illegal links.

Power distribution encryption authentication device: performs signature operations on information such as remote parameter setting and remote upgrades using an asymmetric cryptographic algorithm, realizing identity authentication of the power distribution master station by the power distribution terminal and message integrity protection.

As shown in Fig. 2, the present invention further provides a method for implementing the secure access of the intelligent distribution network, wherein the method includes the following steps:

(1) The power distribution master station initiates a power distribution service data acquisition request: the power distribution master station needs to designate the IP address of a terminal to complete the collection of power distribution service data;

(2) The acquisition server sets a static route and directs the data stream of the acquisition server to the power distribution security access gateway;

(3) The power distribution terminal and the power distribution security access gateway perform key agreement and authentication to establish a secure channel and then perform data interaction;

(4) After the data interaction, the power distribution master station disconnects from the power distribution terminal.

In the above technical solution, step (4) includes that if the power distribution master station needs to acquire data again, the power distribution terminal needs to perform security key agreement with the security access gateway again. As shown in Fig. 3, the key agreement process is as follows: the key agreement is initiated by device 1 (the power distribution terminal); device 1 generates a random number r1, generates message A from r1 and sends it to device 2 (the power distribution security access gateway); device 2 receives message A, parses it to obtain r1, generates a random number r2, derives a session key from r1 and r2, generates message B from r2 and sends it to device 1; device 1 parses the received message B to obtain r2, computes the session key from r1 and r2, forms message C and sends it to device 2; device 2 parses the received message C to obtain the key generated by device 1 and compares it with its own key. If the two keys are the same, the two parties have verified each other's identity, hold the same session key, and a secure channel is established. If not, device 1 re-initiates the key agreement.
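The three-message exchange described above, as an added example that is not part of the patent text: it shows device 1 and device 2 exchanging messages A, B and C, comparing keys in constant time, and re-initiating with a fresh r1 when a message is altered in transit. Assumptions: HMAC-SHA256 under a constructed pre-shared key (`AUTH_KEY`) stands in for the SM2/SM3 certificate operations, message C carries a proof computed with the session key rather than the key itself, and the `tamper` hook and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret. ASSUMPTION: it stands in for the certificate-based
# SM2 operations the platform uses to authenticate messages A and B.
AUTH_KEY = bytes(range(32))


def _mac(key, label, *parts):
    """HMAC-SHA256 (stand-in for SM3) over length-prefixed fields."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


class Terminal:
    """Device 1: the power distribution terminal, which starts the agreement."""

    def __init__(self, auth_key):
        self.auth_key, self.r1, self.session_key = auth_key, None, None

    def message_a(self):
        self.r1 = secrets.token_bytes(16)          # fresh r1 for every attempt
        return {"r1": self.r1, "mac": _mac(self.auth_key, b"A", self.r1)}

    def message_c(self, msg_b):
        want = _mac(self.auth_key, b"B", self.r1, msg_b["r2"])
        if not hmac.compare_digest(want, msg_b["mac"]):
            return None                            # B does not match r1 and r2
        self.session_key = _mac(self.auth_key, b"key", self.r1, msg_b["r2"])
        # Send proof of the key, not the key itself (assumed design choice).
        return {"confirm": _mac(self.session_key, b"C", self.r1, msg_b["r2"])}


class Gateway:
    """Device 2: the power distribution security access gateway."""

    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.r1 = self.r2 = self.session_key = None

    def message_b(self, msg_a):
        want = _mac(self.auth_key, b"A", msg_a["r1"])
        if not hmac.compare_digest(want, msg_a["mac"]):
            return None                            # A is not authentic
        self.r1, self.r2 = msg_a["r1"], secrets.token_bytes(16)
        self.session_key = _mac(self.auth_key, b"key", self.r1, self.r2)
        return {"r2": self.r2, "mac": _mac(self.auth_key, b"B", self.r1, self.r2)}

    def accept_c(self, msg_c):
        want = _mac(self.session_key, b"C", self.r1, self.r2)
        return hmac.compare_digest(want, msg_c["confirm"])  # constant-time compare


def negotiate(terminal, gateway, tamper=None, max_attempts=3):
    """Run A -> B -> C; on any failure the terminal re-initiates with a new r1.

    `tamper(attempt, name, msg)` is a hypothetical hook that models an
    in-path modification. Returns (session_key, attempts_used).
    """
    wire = tamper or (lambda attempt, name, msg: msg)
    for attempt in range(1, max_attempts + 1):
        msg_b = gateway.message_b(wire(attempt, "A", terminal.message_a()))
        if msg_b is None:
            continue
        msg_c = terminal.message_c(wire(attempt, "B", msg_b))
        if msg_c is None:
            continue
        if gateway.accept_c(wire(attempt, "C", msg_c)):
            return terminal.session_key, attempt
    raise ConnectionError("key agreement failed; no secure channel established")


if __name__ == "__main__":
    key, attempts = negotiate(Terminal(AUTH_KEY), Gateway(AUTH_KEY))
    print(f"secure channel up after {attempts} attempt(s), key {key.hex()[:16]}...")
```

Because both random numbers are regenerated on every run, each data acquisition session that renegotiates ends up with a different session key.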

In the above technical solution, the data encryption and decryption algorithms of the power distribution terminal and the security access gateway use a national cryptographic algorithm. An encrypted channel is established with the power distribution security access gateway using a national cryptographic algorithm, so that bidirectional identity authentication and data encryption are realized; bidirectional identity authentication with the power distribution master station system based on an asymmetric national cryptographic algorithm is realized; and existing power distribution terminals are upgraded and retrofitted by connecting, in series outside the terminal, a power distribution encryption box with an embedded security chip. The data encryption process is as follows: after the secure channel is established, all data transmitted between the power distribution terminal and the power distribution security access gateway is ciphertext, and after decryption the message format must be checked for correctness.

It should be understood that the specific order or hierarchy of steps in the processes disclosed is an example of exemplary approaches. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged without departing from the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not intended to be limited to the specific order or hierarchy presented.

In the foregoing detailed description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, invention lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the invention.

Finally, it should be noted that: although the present invention has been described in detail with reference to the above embodiments, those skilled in the art can make modifications and equivalents to the embodiments of the present invention without departing from the spirit and scope of the present invention, which is set forth in the claims of the present application.
