Method and system suitable for transmitting files of power distribution Internet of things

Document No.: 1864728 Publication date: 2021-11-19

Reading note: this technology, "Method and system suitable for transmitting files of power distribution Internet of things", was designed and created by 韩子龙 亢超群 李二霞 李玉凌 杨红磊 何连杰 王利 孙智涛 樊勇华 许保平 张 on 2021-07-05. Main content: The invention discloses a method and a system suitable for transmitting power distribution Internet of things files, and belongs to the technical field of power distribution automation information security. The method comprises the following steps: determining, for a power distribution Internet of things file to be sent, a HASH value H1 of the plaintext of the file; encrypting the HASH value H1, the ciphertext padding and the encryption length using a preset encryption mode to obtain an SSAL message, and transmitting the SSAL message; receiving the SSAL message and determining its encryption mode; if the encryption mode is the preset encryption mode, calculating the HASH value H of the plaintext in the SSAL message; and if the HASH value H1 is equal to the HASH value H, transmitting the SSAL message to a terminal or a secure access service and transmitting the power distribution Internet of things file. The invention greatly improves the transmission rate, achieves integrity protection with the SM3 hash algorithm, and then applies confidentiality protection with the SM1 ECB algorithm, thereby achieving lightweight encryption and efficient transmission of large files while ensuring integrity.

1. A method for transmitting power distribution Internet of things files, the method comprising:

determining, for a power distribution Internet of things file to be sent, a HASH value H1 of the plaintext of the file;

encrypting the HASH value H1, the ciphertext padding and the encryption length using a preset encryption mode to obtain an SSAL message, and transmitting the SSAL message;

receiving the SSAL message and determining its encryption mode; if the encryption mode is the preset encryption mode, calculating the HASH value H of the plaintext in the SSAL message; and if the HASH value H1 is equal to the HASH value H, transmitting the SSAL message to a terminal or a secure access service and transmitting the power distribution Internet of things file.

2. The method of claim 1, further comprising: if the encryption mode of the received SSAL message is not the preset encryption mode, or the HASH value H1 is not equal to the HASH value H, discarding the SSAL message.

3. The method of claim 1, wherein the preset encryption mode is the SM1_ECB_PLAIN encryption mode.

4. The method of claim 1, wherein the HASH value H1 of the plaintext of the power distribution Internet of things file is determined using the SM1 algorithm.

5. The method of claim 1, wherein the ciphertext is 48 bytes.

6. A system for transmitting power distribution Internet of things files, the system comprising:

a calculation module, which determines, for a power distribution Internet of things file to be sent, a HASH value H1 of the plaintext of the file;

a message encryption transmission module, which encrypts the HASH value H1, the ciphertext padding and the encryption length using a preset encryption mode to obtain an SSAL message, and transmits the SSAL message;

a file transmission module, which receives the SSAL message and determines its encryption mode; if the encryption mode is the preset encryption mode, calculates the HASH value H of the plaintext in the SSAL message; and if the HASH value H1 is equal to the HASH value H, transmits the SSAL message to a terminal or a secure access service and transmits the power distribution Internet of things file.

7. The system of claim 6, wherein the file transmission module is further configured to: discard the SSAL message when the encryption mode of the received SSAL message is determined not to be the preset encryption mode, or the HASH value H1 is not equal to the HASH value H.

8. The system of claim 6, wherein the preset encryption mode is the SM1_ECB_PLAIN encryption mode.

9. The system of claim 6, wherein the HASH value H1 of the plaintext of the power distribution Internet of things file is determined using the SM1 algorithm.

10. The system of claim 6, wherein the ciphertext is 48 bytes.

Technical Field

The invention relates to the technical field of power distribution automation information security, in particular to a method and a system suitable for transmitting a power distribution internet of things file.

Background

The file transmission function in the power distribution Internet of things is mainly used in the following scenarios: log file transmission in the terminal log upload service, operating system patch package transmission in the system upgrade service, APP file transmission in the APP installation and update services, and so on.

In the current power distribution Internet of things scenario, the master station or IoT management platform and the terminal mostly use HTTPS encryption for large file transmission. The terminal and the device management component directly use software encryption for encrypted file transmission, passing through the power distribution IoT security channel. This security channel comprises the secure access service on the master station or IoT management platform side, the IoT security access gateway, and the security agent and security chip of the terminal device; the hardware encryption used by this channel ensures higher security.

When it was first designed, the IoT security access gateway was applied to the electricity consumption information acquisition scenario (at that time it was named the Type I security access gateway). A front-end unit was deployed on the southbound side of the gateway to aggregate the data of multiple devices and send it to the gateway over one or a limited number of links. At the gateway, terminal data therefore loses its coupling and correspondence with the links; that is, the gateway can only determine which terminal the data comes from by means of the data message.

Therefore, applying this operating mode to the power distribution scenario carries certain security risks. In the access scenario of the intelligent terminal in the transformer area, the gateway is not deployed, and the IoT security access gateway still identifies which terminal a message comes from only by the identification information carried in the message itself. Because file transmission uses plaintext, there is no other technical means of ensuring that the data comes from a legally authorized device, so a forged terminal can change the terminal identification information in the SSAL message to that of a legally authorized device, and the gateway then forwards the forged terminal's data message to the master station. If file transmission uses the same SM1 ECB mode as other messages, encryption and decryption take too long and the benefit is small.

Disclosure of Invention

To solve the above problems, the invention provides a method suitable for transmitting power distribution Internet of things files, comprising the following steps:

determining, for a power distribution Internet of things file to be sent, a HASH value H1 of the plaintext of the file;

encrypting the HASH value H1, the ciphertext padding and the encryption length using a preset encryption mode to obtain an SSAL message, and transmitting the SSAL message;

receiving the SSAL message and determining its encryption mode; if the encryption mode is the preset encryption mode, calculating the HASH value H of the plaintext in the SSAL message; and if the HASH value H1 is equal to the HASH value H, transmitting the SSAL message to a terminal or a secure access service and transmitting the power distribution Internet of things file.

Optionally, the method further comprises: if the encryption mode of the received SSAL message is not the preset encryption mode, or the HASH value H1 is not equal to the HASH value H, discarding the SSAL message.

Optionally, the preset encryption mode is the SM1_ECB_PLAIN encryption mode.

Optionally, the HASH value H1 of the plaintext of the power distribution Internet of things file is determined using the SM1 algorithm.

Optionally, the ciphertext is 48 bytes.

The invention also provides a system suitable for transmitting power distribution Internet of things files, comprising:

a calculation module, which determines, for a power distribution Internet of things file to be sent, a HASH value H1 of the plaintext of the file;

a message encryption transmission module, which encrypts the HASH value H1, the ciphertext padding and the encryption length using a preset encryption mode to obtain an SSAL message, and transmits the SSAL message;

a file transmission module, which receives the SSAL message and determines its encryption mode; if the encryption mode is the preset encryption mode, calculates the HASH value H of the plaintext in the SSAL message; and if the HASH value H1 is equal to the HASH value H, transmits the SSAL message to a terminal or a secure access service and transmits the power distribution Internet of things file.

Optionally, the file transmission module is further configured to: discard the SSAL message when the encryption mode of the received SSAL message is determined not to be the preset encryption mode, or the HASH value H1 is not equal to the HASH value H.

Optionally, the preset encryption mode is the SM1_ECB_PLAIN encryption mode.

Optionally, the HASH value H1 of the plaintext of the power distribution Internet of things file is determined using the SM1 algorithm.

Optionally, the ciphertext is 48 bytes.

The invention greatly improves the transmission rate, achieves integrity protection with the SM3 hash algorithm, and then applies confidentiality protection with the SM1 ECB algorithm, thereby achieving lightweight encryption and efficient transmission of large files while ensuring integrity.

Drawings

FIG. 1 is a flow chart of the method of the present invention;

FIG. 2 is a block diagram of an environment in which the method of the present invention may be used;

FIG. 3 is a schematic diagram of the system of the present invention.

Detailed Description

The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings. The present invention may, however, be embodied in many different forms and is not limited to the embodiments described herein, which are provided so that the disclosure is thorough and complete and fully conveys the scope of the present invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to limit the invention. In the drawings, the same units/elements are denoted by the same reference numerals.

Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.

The invention provides a method suitable for transmitting power distribution Internet of things files, comprising the following steps:

determining, for a power distribution Internet of things file to be sent, a HASH value H1 of the plaintext of the file;

encrypting the HASH value H1, the ciphertext padding and the encryption length using a preset encryption mode to obtain an SSAL message, and transmitting the SSAL message;

receiving the SSAL message and determining its encryption mode; if the encryption mode is the preset encryption mode, calculating the HASH value H of the plaintext in the SSAL message; and if the HASH value H1 is equal to the HASH value H, transmitting the SSAL message to a terminal or a secure access service and transmitting the power distribution Internet of things file;

and if the encryption mode of the received SSAL message is not the preset encryption mode, or the HASH value H1 is not equal to the HASH value H, discarding the SSAL message.

The preset encryption mode is the SM1_ECB_PLAIN encryption mode.

The HASH value H1 of the plaintext of the power distribution Internet of things file is determined using the SM1 algorithm.

The ciphertext is 48 bytes.

The invention is further illustrated by the following examples:

The invention involves modifying the gateway, the secure access service and the security agent. The modifications include: calculating the HASH value of the long message, encrypting and decrypting the fixed-length message, comparing and judging the results, and the like.

First, the interaction format is defined.

The APDU content is shown in Table 1:

TABLE 1

Field                 Length (bytes)    Description
Plaintext content     APDU_LEN-48       The content is in clear.
Ciphertext content    48                Ciphertext content.

The format of the ciphertext content before encryption is shown in table 2:

TABLE 2

Sender processing:

When transmitting, the sender uses the SM3 hash algorithm to calculate the HASH value H1 from the plaintext content. The data is packed in the form "plaintext + ciphertext", the 48 bytes of ciphertext are encrypted with the session key, and the encryption mode is filled in as SM1_ECB_PLAIN when the message is packed with SSAL.

Receiver processing:

After receiving the SSAL message, if the encryption mode is SM1_ECB_PLAIN, the receiver obtains the plaintext content and calculates the plaintext HASH value H, decrypts the 48 bytes of ciphertext with the session key to obtain the decrypted HASH value H1, and verifies whether H and H1 are equal. If they are equal, the message is forwarded to the terminal or the secure access service; if they are not equal, it is discarded.
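The sender and receiver processing described above, as an added Python example that is not code from the patent. Assumptions: the 48-byte trailer is laid out as 32-byte hash, 12 zero padding bytes and a 4-byte plaintext length (Table 2 is not reproduced on this page), the encryption mode is carried as a string, a small Feistel permutation stands in for SM1 (whose specification is not public), and SHA-256 stands in for SM3 when the local OpenSSL build does not provide it.

```python
import hashlib
import hmac
import struct

BLOCK = 16                     # SM1 is a 128-bit block cipher
TRAILER_LEN = 48               # encrypted trailer size given on the page
PAD_LEN = 12                   # assumed layout: 32-byte hash + 12 pad + 4 length
MODE_SM1_ECB_PLAIN = "SM1_ECB_PLAIN"   # assumed string encoding of the mode field


def digest32(data: bytes) -> bytes:
    """SM3 if the local OpenSSL build offers it, otherwise SHA-256 as a stand-in."""
    try:
        return hashlib.new("sm3", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    """Stand-in keyed permutation on one 16-byte block (NOT SM1, demo only)."""
    left, right = block[:8], block[8:]
    for i in rounds:
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left


def ecb(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """ECB over 16-byte blocks; decryption runs the rounds in reverse order."""
    rounds = range(3, -1, -1) if decrypt else range(4)
    return b"".join(_feistel(key, data[i:i + BLOCK], rounds)
                    for i in range(0, len(data), BLOCK))


def pack_apdu(session_key: bytes, plaintext: bytes) -> bytes:
    """Sender: plaintext || E(session_key, H1 || padding || length)."""
    h1 = digest32(plaintext)
    trailer = h1 + b"\x00" * PAD_LEN + struct.pack(">I", len(plaintext))
    return plaintext + ecb(session_key, trailer)


def verify_apdu(session_key: bytes, mode: str, apdu: bytes):
    """Receiver: return the plaintext to forward, or None to discard."""
    if mode != MODE_SM1_ECB_PLAIN or len(apdu) < TRAILER_LEN:
        return None
    plaintext, enc = apdu[:-TRAILER_LEN], apdu[-TRAILER_LEN:]
    trailer = ecb(session_key, enc, decrypt=True)
    h1, pad = trailer[:32], trailer[32:32 + PAD_LEN]
    (length,) = struct.unpack(">I", trailer[32 + PAD_LEN:])
    h = digest32(plaintext)                      # H, recomputed by the receiver
    ok = (hmac.compare_digest(h, h1) and pad == b"\x00" * PAD_LEN
          and length == len(plaintext))
    return plaintext if ok else None


# Constructed sample input: a session key and one chunk of a patch file.
SESSION_KEY = bytes(range(16))
CHUNK = b"constructed patch-package chunk " * 64


def demo() -> dict:
    apdu = pack_apdu(SESSION_KEY, CHUNK)
    tampered = b"X" + apdu[1:]                   # body changed in transit
    return {
        "accepted": verify_apdu(SESSION_KEY, MODE_SM1_ECB_PLAIN, apdu) == CHUNK,
        "tampered": verify_apdu(SESSION_KEY, MODE_SM1_ECB_PLAIN, tampered),
        "wrong_mode": verify_apdu(SESSION_KEY, "OTHER", apdu),
        "wrong_key": verify_apdu(b"\xff" * 16, MODE_SM1_ECB_PLAIN, apdu),
        "overhead": len(apdu) - len(CHUNK),
    }


if __name__ == "__main__":
    print(demo())
```

Only the 48-byte trailer is encrypted, so the per-frame cipher cost is constant regardless of frame size, and the file body itself travels in clear as Table 1 states.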

File interaction flow:

Downlink:

When the secure access service issues plaintext, it fills in the SM1_ECB_PLAIN encryption mode. According to the encryption mode, the gateway calculates the plaintext HASH value, packs, encrypts and so on following the sender processing described above, and sends the message to the terminal.

After receiving the message, the terminal calculates the plaintext HASH value, decrypts, verifies the HASH value and so on according to the SM1_ECB_PLAIN encryption mode and the receiver processing flow, and forwards the plaintext to the lower-level device after verification passes.

Uplink:

When the terminal needs to send plaintext upwards, the SSAL message should be filled with the SM1_ECB_PLAIN encryption mode; the terminal calculates the plaintext HASH value, packs, encrypts and so on following the sender processing, and sends the message to the gateway.

After receiving the message, the gateway calculates the plaintext HASH value, decrypts, verifies the HASH value and so on according to the SM1_ECB_PLAIN encryption mode and the receiver processing flow, and sends the plaintext to the secure access service after verification passes.

Tests show that the length of each message frame can reach 30k when a large file is transmitted, far larger than the per-frame limit of full-ciphertext transmission (which is limited by the processing performance of the security chip). The transmission rate is greatly improved; integrity protection is achieved with the SM3 hash algorithm and confidentiality protection with the SM1 ECB algorithm, achieving lightweight encryption and efficient transmission of large files while ensuring integrity.

The method was tested in a laboratory. The test environment, shown in FIG. 2, comprises a cloud master station, a device management component, a power distribution encryption authentication device, an IoT security access gateway and a transformer-area intelligent terminal (intelligent core board). A security chip (national security bureau batch number: SSX1608) supporting the domestic commercial symmetric cryptographic algorithm (SM1) and asymmetric cryptographic algorithms (SM2 and SM3) is embedded in the transformer-area intelligent terminal, enabling bidirectional identity authentication and data encryption with the IoT security access gateway and the power distribution master station. The transformer-area intelligent terminal, the IoT security access gateway, the power distribution encryption authentication device, the device management component, the NARI cloud master station and the secure access service are deployed locally.

Information on the laboratory debugging devices for secure large-file transmission over the management channel is shown in Table 3:

TABLE 3

After debugging, large files can be transmitted normally with a frame size of 30k. Timing was performed on the terminal side, and the results are shown in Table 4.

TABLE 4

The invention further provides a system 200 suitable for transmitting power distribution Internet of things files, as shown in FIG. 3, comprising:

a calculation module 201, which determines, for a power distribution Internet of things file to be sent, a HASH value H1 of the plaintext of the file;

a message encryption transmission module 202, which encrypts the HASH value H1, the ciphertext padding and the encryption length using a preset encryption mode to obtain an SSAL message, and transmits the SSAL message;

a file transmission module 203, which receives the SSAL message and determines its encryption mode; if the encryption mode is the preset encryption mode, calculates the HASH value H of the plaintext in the SSAL message; and if the HASH value H1 is equal to the HASH value H, transmits the SSAL message to a terminal or a secure access service and transmits the power distribution Internet of things file.

The file transmission module is further configured to: discard the SSAL message when the encryption mode of the received SSAL message is determined not to be the preset encryption mode, or the HASH value H1 is not equal to the HASH value H.

The preset encryption mode is the SM1_ECB_PLAIN encryption mode.

The HASH value H1 of the plaintext of the power distribution Internet of things file is determined using the SM1 algorithm.

The ciphertext is 48 bytes.

The invention greatly improves the transmission rate, achieves integrity protection with the SM3 hash algorithm, and then applies confidentiality protection with the SM1 ECB algorithm, thereby achieving lightweight encryption and efficient transmission of large files while ensuring integrity.

As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The scheme in the embodiments of the application can be implemented in various computer languages, such as the object-oriented programming language Java and the interpreted scripting language JavaScript.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.

It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.
