CN107065750A - Dynamic defense method for industrial control networks with endogenous security - Google Patents
Dynamic defense method for industrial control networks with endogenous security
- Publication number: CN107065750A
- Application number: CN201710338986.7A
- Authority: CN (China)
- Prior art keywords: dynamic, key, industrial control, control network, safe
- Prior art date
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/05—Programmable logic controllers, e.g. simulating logic interconnections of signals according to ladder diagrams or function charts
- G05B19/054—Input/output
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/10—Plc systems
- G05B2219/11—Plc I-O input output
- G05B2219/1103—Special, intelligent I-O processor, also plc can only access via processor
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a dynamic defense method for industrial control networks with endogenous security. The encryption algorithm is made dynamically reconfigurable and is combined with dynamic change of the key and of the authentication password, and IP packets are securely reconstructed at the network transport layer, so that an endogenously secure dedicated data transmission channel is established between node devices. Aimed at the problems of traditional industrial control network security systems, the method builds a mimic, dynamic and transparent secure dedicated channel over an open Ethernet communication link, effectively prevents unauthorized access, man-in-the-middle attacks and replay attacks from the network, turns passive defense into active defense, and turns boundary security into endogenous security. The invention also provides a method of transmitting data that applies this dynamic defense method.
Description
Technical field
The invention relates to a dynamic defense method for industrial control networks in the field of industrial control security. More specifically, it relates to a method of establishing a mimic, dynamic and transparent secure dedicated data transmission channel between industrial control devices.
Background technology
With the deep integration of informatization and industrialization and the launch and development of "Industry 4.0", "intelligent manufacturing" and "Internet+", the industrial control network is no longer a closed "island": it has to integrate deeply with the Internet and the Internet of Things, which inevitably brings huge security risks to control networks whose security is very fragile.
Traditional security measures face particular difficulties: control networks have strict real-time and reliability requirements, the control devices (node devices) are highly specialized, and security policies are hard to deploy on them. The only available approach has been defense in depth based on zoned isolation, with the control network, the enterprise network and the external network isolated layer by layer by firewalls.
The control network itself, however, remains an open system: communication protocols are open, data is transmitted in clear text, data verification and integrity checking are insufficient, and authentication and access control between control devices are lacking. Such measures do little against attacks that cross the firewall and against intranet attacks, and the protection strategies adopted are traditional passive defense based on prior knowledge and lacking variation, so the protection effect leaves much room for improvement.
The content of the invention
An object of the invention is to solve at least the above problems and/or defects and to provide at least the advantages described later.
A further object of the invention is to provide a dynamic defense method for industrial control networks with endogenous security which, aimed at the problems of traditional industrial control network security systems, builds a mimic, dynamic and transparent secure dedicated channel over an open Ethernet communication link, effectively prevents unauthorized access, man-in-the-middle attacks and replay attacks from the network, turns passive defense into active defense, and turns boundary security into endogenous security.
A further object of the invention is to provide a method of transmitting data that applies the endogenously secure dynamic defense method. Without affecting the control system protocol or packet routing, it establishes a mimic, dynamic and transparent secure dedicated channel between control devices, effectively avoids the security risks brought by the openness of the control network and, through the active defense capability of the control network itself, removes the dependence on firewalls and security gateways.
To achieve these objects and further advantages, a dynamic defense method for industrial control networks with endogenous security is provided: the encryption algorithm is made dynamically reconfigurable and is combined with dynamic change of the key and of the authentication password, and the IP packets to be transmitted are securely reconstructed at the network transport layer, so that an endogenously secure dedicated data transmission channel is established between node devices.
Preferably, in the method of dynamically reconfiguring the encryption algorithm, the round count of the encryption algorithm changes dynamically and randomly between 8 and 12 to realize dynamic reconstruction of the algorithm, and consistency of the reconstruction process and result among all nodes of the industrial control network is guaranteed by a synchronous coordination method.
Preferably, the method of dynamically changing the key and the authentication password comprises:
producing 48 32-bit dynamic subkeys from the dynamically and randomly changed initial key using the standard AES key expansion algorithm;
XORing the first dynamic subkey with the last dynamic subkey to obtain the dynamic authentication password;
guaranteeing consistency of the reconstruction process and result among all nodes of the industrial control network by the synchronous coordination method.
Preferably, the dynamic generation algorithm for the key and the authentication password comprises:
splitting the 64-bit user preset password, the high 32 bits serving as the initial state of a linear feedback shift register and the low 32 bits taking part in the subsequent operations;
generating a 32-bit pseudo-random number with the linear feedback shift register (LFSR);
performing AND, OR, NOT and XOR logic operations on the pseudo-random number and the low 32 bits of the user preset password to obtain four intermediate values (C1, C2, C3, C4);
merging the four intermediate values into a 128-bit initial key;
producing 48 32-bit dynamic subkeys W0 to W47 with the standard AES key expansion algorithm;
XORing the dynamic subkeys W0 and W47 to obtain the dynamic authentication password S used for verifying the legitimacy of the data source.
Preferably, the synchronous coordination method comprises:
implanting the same dynamic key generation algorithm and the same dynamically reconfigurable encryption algorithm in the mimic (multimode) judgment device of every network node;
choosing the mimic judgment device of any one node of the industrial control network as the management node, which synchronously controls the dynamic reconstruction process of the other nodes; the mimic judgment device of the management node starts a dynamic reconstruction event at irregular intervals, automatically generating pseudo-random number one, a value between 8 and 12 used as the round count of the encryption algorithm, and pseudo-random number two, a 64-bit value used as the seed for generating the dynamic key, thereby obtaining the basic information for dynamic reconstruction, and sends the basic information, encrypted, to the mimic judgment devices of the other nodes in the network in a broadcast packet;
the mimic judgment devices of the other nodes obtain the basic information from the broadcast packet, reconstruct the AES encryption algorithm according to the round count, and generate the uniform dynamic key and authentication password from the key seed value, realizing synchronous coordination between nodes.
Preferably, the secure dedicated data transmission channel is established by mimic judgment device hardware attached to the Ethernet communication link of each node device.
Preferably, the mimic judgment device comprises:
one FPGA with dynamic reconfiguration capability;
two independent network chips connected to the FPGA;
one DIP switch for function setting;
two memory devices;
three independent data processing engines built into the FPGA.
Preferably, the method of securely reconstructing IP packets comprises:
the mimic judgment device at the data transmission source intercepts, on the communication link, the original IP packet sent by its node;
based on the data field of the captured original IP packet, the mimic judgment device appends to its tail an authentication password for identity authentication and access control, a time tag for replay attack protection, and a digest for integrity protection;
using the dynamic key and the encryption algorithm, the mimic judgment device encrypts the information appended to the tail of the data field, forming the reconstructed safe packet.
Preferably, the information appended to the tail of the data field of the original IP packet also includes a safe packet fragment flag;
an original IP packet longer than 1500 bytes is split into two fragments whose fragment flags are set to 01H and 10H respectively, and a packet not longer than 1500 bytes has its fragment flag set to 00H.
A method of transmitting data that applies the industrial control network dynamic defense method comprises:
the mimic judgment device at the source end obtains the IP packet sent by its node device, inserts in sequence the dynamic authentication password, the time tag and the digest at the tail of the packet's data field, encrypts this information to form a safe packet, and transmits the packet over the open network;
the mimic judgment device at the destination end intercepts the safe packet addressed to the destination, judges legitimacy, integrity and freshness by means of the dynamic authentication password, the time tag and the digest carried in the packet, filters out illegal packets, restores the valid packets and forwards them to its node device, so that a mimic, dynamic and transparent secure dedicated information transmission channel is established between node devices.
The endogenously secure dynamic defense method proposed by the invention comprises the following in turn:
First, a safe packet construction method: at the source end the IP packet sent by the control device is intercepted, a "dynamic authentication password" for identity authentication and access control, a "time tag" for replay attack protection and a "digest" for integrity protection are inserted in sequence at the tail of the data field, this key information is encrypted to form the safe packet, and the packet is transmitted over the open network.
Second, a safe packet parsing, verification and restoration method: at the destination end the safe packet addressed to the destination is intercepted, legitimacy, integrity and freshness are judged, illegal packets are filtered out, and valid packets are restored and forwarded to the control device.
Third, a security mechanism dynamic reconfiguration method: the encryption algorithm, key and authentication password used by the secure transmission protocol change dynamically and randomly, giving the security protocol itself mimic, dynamic and random active defense characteristics.
Fourth, a synchronization control method for dynamic reconstruction: the management node starts a dynamic reconstruction event on a timer, generates the basic information for the reconstruction and passes it to the other nodes in a broadcast packet; the other nodes use the same seed file (algorithm) to generate consistent dynamic keys, authentication passwords and encryption algorithms.
The invention has at least the following beneficial effects:
First, the endogenously secure dynamic defense method establishes a mimic, dynamic secure dedicated channel between control devices without affecting the control system protocol or packet routing, effectively avoids the security risks brought by the openness of the control network and, through the active defense capability of the control network itself, removes the dependence on firewalls and security gateways.
Second, through the dynamic change of the authentication password, the key and the encryption algorithm, the method turns passive defense into active defense, makes attacks based on prior knowledge ineffective, and further improves the security performance of the control network.
Third, the method is realized by dedicated hardware attached to the Ethernet communication link; it is transparent to the control devices, does not change the inherent characteristics of the industrial control system, and is easy to promote and implement. The proposed FPGA-based hardware implementation and the in-line working mode of the external device preserve the real-time behavior of the control network to the greatest extent and work around the practical problem that the kernel of a control device (such as a PLC) is closed and hard to deploy security policies on.
Further advantages, objects and features of the invention will partly be made clear by the following description and partly be understood by those skilled in the art from the study and practice of the invention.
Brief description of the drawings
Fig. 1 is a structural diagram of the safe packet format in the industrial control network dynamic defense method with endogenous security according to one embodiment of the invention;
Fig. 2 is a flow chart of safe packet construction in the method according to one embodiment of the invention;
Fig. 3 is a flow chart of safe packet processing in the method according to one embodiment of the invention;
Fig. 4 is a flow diagram of the dynamic reconstruction mechanism in the method according to one embodiment of the invention;
Fig. 5 is a system architecture diagram of the mimic judgment device in the method according to one embodiment of the invention;
Fig. 6 is a flow diagram of the dynamic password and key generation algorithm in the method according to one embodiment of the invention.
Embodiment
The invention is described in further detail below with reference to the drawings so that those skilled in the art can implement it according to the description.
It should be understood that terms such as "having", "comprising" and "including" used herein do not exclude the presence or addition of one or more other elements or combinations thereof.
A way of realizing the dynamic defense method for industrial control networks with endogenous security according to the invention is described further with the following six examples.
In Example 1, the safe packet format is given with reference to Fig. 1. The safe packet is defined on the basis of the TCP/IP packet 101: at the rear of the data field 102 the additional information "authentication password" 103, "time tag" 104, "digest" 105 and "fragment flag" 106 is inserted in sequence, forming the new data field 107; the new data is encrypted, finally forming the safe packet 108.
In a specific implementation the safe packet fields are defined as shown in Fig. 1:
IP header: 20 bytes; during safe packet construction only the "total length" and "header checksum" fields change, following the length of the data field, and all other fields remain unchanged;
Authentication password: 4 bytes, for legitimacy authentication of the data source; access control is performed with this field to prevent the transmission of packets from unauthorized sources;
Time tag: 6 bytes, for freshness verification of the data source; replay attack protection is performed with this field;
Digest: 16 bytes, for integrity verification of the data source, preventing data tampering and forgery.
In Example 2, the safe packet construction flow at the source end is given with reference to Fig. 2 and comprises the following steps:
Step 201: the original IP packet sent by the control device is intercepted on the Ethernet communication link.
Step 202: the "dynamic authentication password" and the "time tag" are inserted in sequence at the tail of the original data field.
Step 203: the MD5 algorithm is applied to the source address, the destination address, the TCP header, the original data field and the inserted fields to produce the digest value, which is inserted after the "time tag".
Step 204: the data field of the new packet is encrypted with the dynamic key and the AES encryption algorithm, forming the safe packet.
Step 205: packet fragmentation. If the packet length exceeds 1500 bytes the packet is split into two fragments, the first with fragment flag "01H" and the second with fragment flag "10H"; if the packet length does not exceed 1500 bytes the fragment flag is set to "00H" (meaning not fragmented) and the flow goes directly to the next step.
Step 206: the packet length is calculated and the "total length" and "header checksum" fields of the IP header are modified; all other fields remain unchanged.
Step 207: the safe packet is sent to the network and forwarded by the switch.
In Example 3, the safe packet processing flow at the destination end is given with reference to Fig. 3 and comprises the following steps:
Step 301: the IP packet (safe packet) sent by the switch to the target device is intercepted from the network.
Step 302: fragment reassembly. The fragment flag is first used to judge whether the packet was fragmented. If not, the flow goes to step 303; if so, the packet is stored in the buffer and the buffer is scanned for the matching fragment; if it is found, the fragments are reassembled and the flow goes to step 303, otherwise the device returns to the listening state.
Step 303: the data field is decrypted.
Step 304: the packet is integrity-checked against the digest value; if it has been tampered with, it is discarded.
Step 305: the packet is legitimacy-checked against the authentication password; if it is illegitimate, it is discarded.
Step 306: the packet is freshness-checked against the time tag; if the time consistency requirement is not met, it is discarded.
Step 307: the additional information is deleted from the packet and the IP packet is restored.
Step 308: the restored original IP packet is forwarded to the target device.
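The construction flow of Example 2 and the processing flow of Example 3 (and the summary passages and claims 8 and 9 that describe the same reconstruction and transmission method), as an added, runnable model that is not the patent's own code. It lays out the Fig. 1 fields on a constructed IPv4/TCP packet (a Modbus/TCP port, no IP or TCP options), changes only the IP total length and header checksum, and on the receiving side reassembles, decrypts and then checks digest, password and time tag in the order of steps 302 to 307. Substitutions and assumptions are marked in the code: the patent's dynamically reconfigured AES is replaced by an HMAC-SHA256 counter keystream so that the block runs on the Python standard library alone; the fragment flag is carried in the clear after the encrypted field, because the receiver reads it (step 302) before it decrypts (step 303); the halving split, the 5-second freshness window and the reassembly key are choices the text does not fix.

```python
"""Safe packet construction (Example 2) and processing (Example 3).

Added example, not the patent's code.  Layout per Fig. 1:
IP header | TCP header | data | password (4) | time tag (6) | MD5 digest (16) | fragment flag.
Swapped in: an HMAC-SHA256 counter keystream stands in for the patent's reconfigured AES.
Assumptions: no IP/TCP options, fragment flag in the clear, 5 s freshness window.
"""
import hashlib
import hmac
import struct

MTU = 1500
FRAG_NONE, FRAG_FIRST, FRAG_SECOND = 0x00, 0x01, 0x10       # 00H, 01H, 10H of step 205
TRAILER = 4 + 6 + 16                                         # password + time tag + digest


def ip_checksum(header):
    """RFC 1071 one's-complement checksum of a 20-byte IPv4 header (checksum field ignored)."""
    s = sum(struct.unpack("!10H", header[:10] + b"\x00\x00" + header[12:]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def _fix_ip_header(ip, payload_len):
    """Step 206 / Example 1: only 'total length' and 'header checksum' change."""
    ip = bytearray(ip)
    struct.pack_into("!H", ip, 2, 20 + payload_len)
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    return bytes(ip)


def _keystream_xor(key, ip, data):
    """Stand-in for steps 204/303: XOR with HMAC-SHA256(key, id || src || dst || counter).
    Unique only while the sender's IP identification does not repeat under one dynamic key."""
    nonce = ip[4:6] + ip[12:20]
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def build_safe_packets(pkt, key, password, time_ms):
    """Source side (steps 201-207): one safe packet, or two fragments when it would exceed the MTU."""
    ip, tcp, data = pkt[:20], pkt[20:40], pkt[40:]
    tag = struct.pack("!I", password) + time_ms.to_bytes(6, "big")            # step 202
    digest = hashlib.md5(ip[12:20] + tcp + data + tag).digest()               # step 203
    field = _keystream_xor(key, ip, data + tag + digest)                      # step 204
    if 40 + len(field) + 1 <= MTU:                                            # step 205
        pieces = [(FRAG_NONE, field)]
    else:
        half = len(field) // 2
        pieces = [(FRAG_FIRST, field[:half]), (FRAG_SECOND, field[half:])]
    return [_fix_ip_header(ip, 20 + len(body) + 1) + tcp + body + bytes([flag])   # step 206
            for flag, body in pieces]


def process_safe_packet(pkt, key, password, now_ms, reassembly, window_ms=5000):
    """Destination side (steps 301-308).  `reassembly` is the caller's fragment buffer (a dict).
    Returns (restored original packet, "ok") or (None, reason for the drop)."""
    ip, tcp, body, flag = pkt[:20], pkt[20:40], pkt[40:-1], pkt[-1]
    stream = ip[4:6] + ip[12:20]
    if flag == FRAG_FIRST:                                                    # step 302
        reassembly[stream] = body
        return None, "buffered"
    if flag == FRAG_SECOND:
        first = reassembly.pop(stream, None)
        if first is None:
            return None, "orphan fragment"
        body = first + body
    elif flag != FRAG_NONE:
        return None, "bad fragment flag"
    plain = _keystream_xor(key, ip, body)                                     # step 303
    if len(plain) < TRAILER:
        return None, "truncated"
    data, tag, digest = plain[:-TRAILER], plain[-TRAILER:-16], plain[-16:]
    if not hmac.compare_digest(hashlib.md5(ip[12:20] + tcp + data + tag).digest(), digest):
        return None, "integrity check failed"                                 # step 304
    if struct.unpack("!I", tag[:4])[0] != password:
        return None, "authentication password mismatch"                       # step 305
    if abs(now_ms - int.from_bytes(tag[4:], "big")) > window_ms:
        return None, "time tag outside window"                                # step 306
    return _fix_ip_header(ip, 20 + len(data)) + tcp + data, "ok"              # steps 307-308


def make_sample_packet(payload):
    """Constructed IPv4/TCP packet to a Modbus/TCP port (not captured traffic)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 502, 1, 0, 0x50, 0x18, 8192, 0, 0)
    return _fix_ip_header(ip, 20 + len(payload)) + tcp + payload
```

Two points a practitioner will want to keep in mind when reading the flow this way. The digest is an unkeyed MD5 that sits inside the encrypted field, so the integrity check in step 304 stands or falls with the confidentiality of the dynamic key and the properties of the cipher mode; a current design would use a keyed MAC or an authenticated cipher instead. The time tag check in step 306 only bounds clock skew; rejecting a packet replayed inside the window additionally needs a per-peer record of time tags already accepted.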
In Example 4, the implementation of the dynamic reconfiguration method is given with reference to Fig. 4 and includes the following:
the same dynamic key generation algorithm, AES encryption algorithm and user preset password are implanted in all "industrial network mimic judgment devices";
one "industrial network mimic judgment device" is chosen as the management node to synchronously control the dynamic reconstruction process. The specific implementation steps are:
Step 1: driven by the cycle timer 401, the management node triggers a dynamic reconstruction event on schedule; the random number generator 402 produces two pseudo-random numbers, one (404) used as the seed for generating the dynamic key and the other (405) used as the round count of the encryption algorithm.
Step 2: the management node feeds random number 1 and the user preset password 406 as seed input into the dynamic key generation algorithm 407 and computes the dynamic key 409 and the authentication password 410.
Step 3: the management node resets the round count of the AES encryption algorithm 408 according to random number 2, completing the reconstruction of the encryption algorithm.
Step 4: having completed its own reconstruction, the management node sends the two random numbers to the other devices encrypted in a broadcast packet 411.
Step 5: on receiving the broadcast packet, the other devices run the same dynamic reconstruction algorithm as the management node, generate exactly the same dynamic key and dynamic authentication password, and complete the dynamic reconstruction of the encryption algorithm.
In Example 5, the implementation of the dynamic password and key generation algorithm is given with reference to Fig. 5 and comprises the following steps:
Step 1: the 64-bit user preset password 501 is split; the high 32 bits serve as the initial state of the linear feedback shift register 502 and the low 32 bits take part in the subsequent operations.
Step 2: the LFSR 502 generates a 32-bit pseudo-random number 503.
Step 3: AND, OR, NOT and XOR logic operations 504 are performed on the pseudo-random number and the low 32 bits of the user preset password, giving four intermediate values 505.
Step 4: the four intermediate values C1, C2, C3 and C4 are merged into a 128-bit initial key input 506.
Step 5: the standard AES key expansion algorithm 507 produces 48 dynamic subkeys 508.
Step 6: the first and last dynamic subkeys are XORed (509) to obtain the dynamic authentication password 510.
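The key and password derivation of Example 5 (claim 4) together with the reconfiguration synchronisation of Example 4 (claim 5), as an added example that is not the patent's code. The S-box and the FIPS-197 key expansion are standard and are derived rather than embedded, so the expansion can be checked against the FIPS-197 test vector. What the page does not fix is marked as an assumption in the code: the LFSR tap polynomial, how random number one is mixed into the user password (XORed in before the split here), which operand the unary NOT acts on, and the broadcast format, which is carried in the clear because the page does not say which key protects it. Standard AES fixes its round count at 10, 12 or 14 by key length, so the 8 to 12 round count and 48 key words of the patent are a non-standard modification; this example stops at the key schedule and stores the round count without implementing a variable-round cipher.

```python
"""Dynamic key / authentication password derivation (Example 5, claim 4) and the
reconfiguration broadcast of Example 4 (claim 5).  Added example, not the patent's
code.  Assumptions are marked: LFSR taps, seed mixing, operand of NOT, clear broadcast."""
import secrets

MASK32 = 0xFFFFFFFF


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box (GF(2^8) inverse, then the affine map) instead of embedding it."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):
        exp[i], log[x] = x, i
        x = _gf_mul(x, 3)                      # 3 generates the multiplicative group
    sbox = []
    for v in range(256):
        inv = 0 if v == 0 else exp[(255 - log[v]) % 255]
        s, r = inv, inv
        for _ in range(4):                     # s = b ^ rotl(b,1) ^ ... ^ rotl(b,4)
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def _sub_word(w):
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")


def aes_key_expansion(key, nwords):
    """FIPS-197 key expansion of a 128-bit key continued to `nwords` words
    (48 = W0..W47 as the patent asks; standard AES-128 stops at 44)."""
    w = [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, nwords):
        t = w[i - 1]
        if i % 4 == 0:                         # RotWord, SubWord, xor Rcon
            t = _sub_word(((t << 8) | (t >> 24)) & MASK32) ^ (rcon << 24)
            rcon = _gf_mul(rcon, 2)
        w.append(w[i - 4] ^ t)
    return w


def lfsr32(state):
    """32 clocks of a Fibonacci LFSR; taps x^32+x^22+x^2+x+1 are an assumption (page names none).
    A zero state, i.e. a user password with zero high half, is the LFSR's fixed point."""
    out = 0
    for _ in range(32):
        bit = (state ^ (state >> 10) ^ (state >> 30) ^ (state >> 31)) & 1
        state = (state >> 1) | (bit << 31)
        out = (out << 1) | bit
    return out


def derive_key_and_password(user_password, seed=0):
    """Example 5 steps 1-6: password -> LFSR -> C1..C4 -> 128-bit key -> W0..W47 -> S = W0 ^ W47.
    Assumption: random number one (`seed`) is XORed into the password before the split."""
    mixed = (user_password ^ seed) & 0xFFFFFFFFFFFFFFFF
    high, low = mixed >> 32, mixed & MASK32
    r = lfsr32(high)
    c1, c2, c3, c4 = r & low, r | low, ~r & MASK32, r ^ low   # AND, OR, NOT (of r), XOR
    key = b"".join(c.to_bytes(4, "big") for c in (c1, c2, c3, c4))
    subkeys = aes_key_expansion(key, 48)
    return key, subkeys, subkeys[0] ^ subkeys[47]


class MimicNode:
    """Hypothetical model of one mimic judgment device's reconfiguration state."""

    def __init__(self, user_password):
        self.user_password = user_password
        self.key = self.subkeys = self.password = self.rounds = None

    def apply_reconfiguration(self, seed, rounds):
        if not 8 <= rounds <= 12:
            raise ValueError("round count outside the 8..12 range of claim 2")
        self.key, self.subkeys, self.password = derive_key_and_password(self.user_password, seed)
        self.rounds = rounds                   # stored only; no variable-round cipher is modelled


def management_event():
    """Example 4 step 1: a 64-bit key seed and a round count drawn from 8..12."""
    return secrets.randbits(64), 8 + secrets.randbelow(5)


def synchronise(manager, others, seed, rounds):
    """Example 4 steps 2-5: manager reconfigures, broadcasts (seed, rounds), the rest follow.
    True when every node holds the same key, password and round count as the manager."""
    manager.apply_reconfiguration(seed, rounds)
    broadcast = {"seed": seed, "rounds": rounds}          # sent in the clear here (assumption)
    for node in others:
        node.apply_reconfiguration(broadcast["seed"], broadcast["rounds"])
    return all(n.key == manager.key and n.password == manager.password and n.rounds == manager.rounds
               for n in others)
```

Because S is W0 XOR W47 and W0 is the first word of the initial key, anyone who learns S and W47 learns a quarter of the key; the password therefore only stays secret as long as the encrypted field that carries it does, which is why the broadcast of the seed and round count, left in the clear in this model, needs protection in a real deployment.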
In Example 6, the system architecture of the mimic judgment device is given with reference to Fig. 6 and comprises:
one FPGA chip 601 with dynamic reconfiguration capability, on which the algorithms and flows are realized in hardware;
two independent network chips 602 connected to the FPGA for receiving and transmitting IP packets;
one SDRAM 603 for packet buffering;
one flash 604 for permanent storage of user configuration information;
one DIP switch 605 for setting the node type;
three independent data processing engines built into the FPGA, of which 607 performs safe packet construction, 608 performs safe packet processing and 609 performs dynamic reconstruction of the security system.
The numbers of devices and the processing scale described here are simplifications for explaining the invention. Applications, modifications and variations of the endogenously secure industrial control network dynamic defense method and related algorithms of the invention are obvious to those skilled in the art.
Although embodiments of the invention are disclosed above, they are not limited to the uses listed in the description and embodiments; they can be applied to every field suitable for the invention, and those skilled in the art can easily realize further modifications. Therefore, within the general concept defined by the claims and their equivalents, the invention is not limited to the specific details or to the illustrations and descriptions shown here.
Claims (10)
1. a kind of industrial control network dynamic security method of interior raw safety, it is characterised in that by entering action to AES
State restructural, and combine the dynamic change of key and certification password, safe reconstruct is carried out in transport network layer to IP messages, with
Raw safe commissioner's office's data transmission channel in being set up between node device.
2. the industrial control network dynamic security method of raw safety in as claimed in claim 1, it is characterised in that to encryption
Algorithm is carried out in the method for dynamic reconfigurable, repeating query number of times dynamic random change between 8~12 of the AES, and
Ensure the uniformity of dynamic restructuring process and result in industrial control network between each node by synchronous coordination method.
3. the industrial control network dynamic security method of raw safety in as claimed in claim 1, it is characterised in that key and recognize
The dynamic change method of card password includes:
Changed by the dynamic random of initial key, using the AES key expansion algorithm of standard, produce 48 32 dynamic close
Key;
XOR is carried out to first dynamic sub-key and last dynamic sub-key, to obtain dynamic authentication password;
Ensure the uniformity of dynamic restructuring process and result between each node by synchronous coordination method in industrial control network.
4. the industrial control network dynamic security method of raw safety in as claimed in claim 3, it is characterised in that key and recognize
The dynamic generation algorithm of card password includes:
User's preset password of 64 is split, high 32 initial conditions as linear feedback shift register, low 32
Position participates in subsequent arithmetic;
One 32 pseudo random number is generated by LFSR linear feedback shifts register;
"AND", "or", NOT sum exclusive logic computing are carried out respectively by low 32 of pseudo random number and user's preset password, are obtained
To 4 groups of medians C1, C2, C3, C4;
4 groups of medians are merged, the initial key of one 128 is produced;
Using the AES key expansion algorithm of standard, 48 32 dynamic sub-keys are produced;
First dynamic sub-key and last sub- dynamic key are subjected to XOR, to obtain being used for data source legitimacy
The dynamic authentication password S of checking.
5. the industrial control network dynamic security method of raw safety in as claimed in claim 2 or claim 3, it is characterised in that described
The method of synchronous coordination includes:
Identical Dynamical Secret Key Building Algorithm is implanted into the multimode judgment device of each network node and dynamic reconfigurable encryption is calculated
Method;
The multimode judgment device of any one node in industrial control network is chosen as management node, to be moved to other nodes
State restructuring procedure synchronizes control;
The multimode judgment device of management node irregularly starts dynamic restructuring event, to automatically generate the puppet between one 8~12
The pseudo random number two of random number one, the repeating query number of times as AES, and generation one 64, as generation dynamic key
Seed, to obtain the Back ground Information for dynamic restructuring, and Back ground Information encryption is sent to by net by broadcasting packet
In network in the multimode judgment device of other nodes;
The multimode judgment device of other nodes obtains Back ground Information from broadcasting packet, to reconstruct AES encryption according to repeating query number of times
Algorithm, and unified dynamic key and certification password is generated according to key seed value, realize the synchronous coordination between node.
6. The industrial control network dynamic security method with endogenous safety as claimed in claim 1, characterised in that the secure dedicated data transmission channel is established by means of the multimode judgment device hardware connected on the Ethernet communication link of each node device.
7. The industrial control network dynamic security method with endogenous safety as claimed in claim 6, characterised in that the multimode judgment device includes:
one FPGA with dynamic reconfiguration capability;
two independent network chips connected to the FPGA;
one function-setting DIP switch;
two memory devices;
three independent data processing engines built into the FPGA.
8. The industrial control network dynamic security method with endogenous safety as claimed in claim 1, characterised in that the method of performing secure reconstruction on the IP message includes:
the multimode judgment device located at the data transfer source intercepting, on the communication link, the original IP message sent by its corresponding node;
the multimode judgment device, based on the data section of the acquired original IP message, appending at its tail the authentication password information for identity authentication and access control, the time tag information for replay attack protection, and the digest information for integrity protection;
the multimode judgment device encrypting the information inserted at the tail of the data segment with the dynamic key and the AES encryption algorithm, to form the reconstructed secure message.
9. The industrial control network dynamic security method with endogenous safety as claimed in claim 7, characterised in that the information inserted at the tail of the original IP message data segment also includes a secure message fragment identifier;
wherein the message fragmentation splits an original IP message longer than 1500 bytes into two pieces, the fragment identifiers of the first and second piece being set to 01H and 10H respectively, and the fragment identifier of a message no longer than 1500 bytes being set to 00H.
10. A method of establishing a secure dedicated data transmission channel between industrial control devices that applies the industrial control network dynamic security method of any one of claims 1-7, characterised in that it includes:
the multimode judgment device at the source obtaining the IP message sent by its corresponding node device, inserting the dynamic authentication password information, time tag information and digest information in sequence at the tail of the message data field, encrypting this information to form a secure message, and then transmitting the data over the public Internet;
the multimode judgment device at the destination intercepting the secure message sent to the destination object, performing legitimacy, integrity and timeliness determination using the dynamic authentication password information, time tag information and digest information in the message, filtering out all invalid data packets, restoring the valid data message and forwarding it to the corresponding node device, thereby establishing a multimode, dynamic, transparent secure dedicated data transmission channel between the node devices.
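Claims 8 to 10 describe one procedure: append the authentication password, time tag and digest to the message data, encrypt that trailer, fragment messages over 1500 bytes with the 00H/01H/10H identifiers of claim 9, and at the destination check legitimacy, integrity and timeliness in turn, dropping whatever fails. The following is an added Python example of that procedure, not the patent's code. Because the standard library has no AES, the trailer encryption uses an HMAC-SHA256 counter keystream as a labelled stand-in, a random 16-byte IV is sent in clear ahead of the encrypted trailer, and the 5-second replay window, the 8-byte millisecond time tag and the SHA-256 digest are choices of this example; the page fixes none of them.

```python
"""Secure-message construction and verification along the lines of claims 8-10 (added example)."""
import hashlib
import hmac
import os
import struct

MTU = 1500                                             # fragmentation threshold from claim 9
FRAG_NONE, FRAG_FIRST, FRAG_SECOND = 0x00, 0x01, 0x10  # fragment identifiers 00H, 01H, 10H from claim 9
IV_LEN = 16
PLAIN_TRAILER_LEN = 1 + 4 + 8 + 32    # fragment id, password S, time tag, SHA-256 digest (sizes assumed)
TRAILER_LEN = IV_LEN + PLAIN_TRAILER_LEN
REPLAY_WINDOW_S = 5.0                  # assumed freshness window; the page fixes no value


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the page's AES: XOR with an HMAC-SHA256 counter keystream (stdlib only)."""
    stream = b"".join(
        hmac.new(key, iv + struct.pack(">I", block), hashlib.sha256).digest()
        for block in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def fragment(payload: bytes):
    """Claim 9: a message over 1500 bytes is split in two and tagged 01H/10H, otherwise tagged 00H."""
    if len(payload) <= MTU:
        return [(FRAG_NONE, payload)]
    half = (len(payload) + 1) // 2
    return [(FRAG_FIRST, payload[:half]), (FRAG_SECOND, payload[half:])]


def build_secure_packet(payload: bytes, frag_id: int, key: bytes, password: bytes, now: float) -> bytes:
    """Source side (claim 8): append fragment id, password S, time tag and digest, then encrypt the trailer."""
    time_tag = struct.pack(">Q", int(now * 1000))
    head = bytes([frag_id]) + password + time_tag
    digest = hashlib.sha256(payload + head).digest()       # integrity protection covers payload and tags
    iv = os.urandom(IV_LEN)                                 # sent in clear so the receiver can decrypt
    return payload + iv + keystream_xor(key, iv, head + digest)


def verify_secure_packet(packet: bytes, key: bytes, password: bytes, now: float):
    """Destination side (claim 10): legitimacy, integrity and timeliness checks; returns (result, status)."""
    if len(packet) < TRAILER_LEN:
        return None, "malformed"
    payload = packet[:-TRAILER_LEN]
    iv = packet[-TRAILER_LEN:-PLAIN_TRAILER_LEN]
    trailer = keystream_xor(key, iv, packet[-PLAIN_TRAILER_LEN:])
    frag_id, s, time_tag, digest = trailer[0], trailer[1:5], trailer[5:13], trailer[13:]
    if not hmac.compare_digest(s, password):                         # legitimacy of the data source
        return None, "illegitimate source"
    if not hmac.compare_digest(digest, hashlib.sha256(payload + trailer[:13]).digest()):
        return None, "integrity failure"                             # tampered payload or tags
    sent_at = struct.unpack(">Q", time_tag)[0] / 1000
    if abs(now - sent_at) > REPLAY_WINDOW_S:                         # timeliness / replay protection
        return None, "stale or replayed"
    return (frag_id, payload), "ok"


def send_over_channel(payload: bytes, key: bytes, password: bytes, now: float):
    """Everything the source-side device emits for one original message."""
    return [build_secure_packet(p, fid, key, password, now) for fid, p in fragment(payload)]


def receive_from_channel(packets, key: bytes, password: bytes, now: float):
    """Drop invalid packets, reassemble fragments, and return the restored message (None if incomplete)."""
    parts = {}
    for pkt in packets:
        result, status = verify_secure_packet(pkt, key, password, now)
        if status != "ok":
            continue                      # invalid packets are filtered, never forwarded to the node
        frag_id, payload = result
        if frag_id == FRAG_NONE:
            return payload
        parts[frag_id] = payload
    if FRAG_FIRST in parts and FRAG_SECOND in parts:
        return parts[FRAG_FIRST] + parts[FRAG_SECOND]
    return None
```

The digest the claims describe is unkeyed, so in this layout it is the secrecy of the dynamic key protecting the trailer that stops a third party from supplying a matching password and digest; the checks are ordered as the claim lists them, and each failure returns a distinct status so a device log can tell a replayed message from a tampered one.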
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710338986.7A CN107065750B (en) | 2017-05-15 | 2017-05-15 | The industrial control network dynamic security method of interior raw safety |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107065750A true CN107065750A (en) | 2017-08-18 |
CN107065750B CN107065750B (en) | 2019-04-02 |
Family ID: 59597207
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710338986.7A Active CN107065750B (en) | 2017-05-15 | 2017-05-15 | The industrial control network dynamic security method of interior raw safety |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107065750B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1494274A (en) * | 2002-10-31 | 2004-05-05 | ����ͨѶ�ɷ�����˾ | Method of Realizing IP Packet Fragmentation Reassembly Based on Network Processor |
CN1588839A (en) * | 2004-07-29 | 2005-03-02 | 北京航空航天大学 | Safety group broadcast management system and method |
CN1972237A (en) * | 2006-12-06 | 2007-05-30 | 胡祥义 | VPN system based on dynamic encryption algorithm |
CN102932354A (en) * | 2012-11-02 | 2013-02-13 | 杭州迪普科技有限公司 | Verification method and device for internet protocol (IP) address |
CN103457931A (en) * | 2013-08-15 | 2013-12-18 | 华中科技大学 | Active defense method for network trick and counter attack |
CN104580248A (en) * | 2015-01-27 | 2015-04-29 | 中復保有限公司 | Secure login method of variable key encryption under HTTP protocol |
Timeline
- 2017-05-15: CN application CN201710338986.7A filed (patent CN107065750B), status Active
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020094123A1 (en) * | 2018-11-08 | 2020-05-14 | 深圳市中兴微电子技术有限公司 | Method and apparatus for transmitting packet, and computer-readable storage medium |
CN110795754A (en) * | 2019-11-12 | 2020-02-14 | 中核控制系统工程有限公司 | Information security maintenance method based on FPGA |
CN110795754B (en) * | 2019-11-12 | 2022-02-18 | 中核控制系统工程有限公司 | Information security maintenance method based on FPGA |
CN111132153A (en) * | 2019-12-19 | 2020-05-08 | 中山大学 | Endogenous safety communication method based on wireless channel characteristics |
CN111556132A (en) * | 2020-04-26 | 2020-08-18 | 湖南大学 | Method and system for generating intelligent defense schematic diagram for industrial Internet of things |
CN111487658A (en) * | 2020-06-02 | 2020-08-04 | 西安沣华电子科技有限责任公司 | High-reliability GPS line patrol system for unmanned automobile and working method thereof |
CN112969184A (en) * | 2021-02-07 | 2021-06-15 | 中国联合网络通信集团有限公司 | Endogenous security control method for 6G network, electronic device and storage medium |
CN114115099A (en) * | 2021-11-08 | 2022-03-01 | 浙江高信技术股份有限公司 | PLC system supporting network security |
CN114115099B (en) * | 2021-11-08 | 2024-01-02 | 浙江高信技术股份有限公司 | PLC system supporting network security |
WO2023197925A1 (en) * | 2022-04-12 | 2023-10-19 | 支付宝(杭州)信息技术有限公司 | Packet processing method and apparatus |
Also Published As
Publication number | Publication date |
---|---|
CN107065750B (en) | 2019-04-02 |
Similar Documents
Publication | Title |
---|---|
CN107065750B (en) | The industrial control network dynamic security method of interior raw safety |
Wazid et al. | LAM-CIoT: Lightweight authentication mechanism in cloud-based IoT environment |
Aman et al. | Low power data integrity in IoT systems |
CN101917270B (en) | Weak authentication and key agreement method based on symmetrical password |
CN107249009A (en) | A kind of data verification method and system based on block chain |
CN103581173A (en) | Safe data transmission method, system and device based on industrial Ethernet |
WO2010024379A1 (en) | Communication system, communication device on transmission side and reception or transfer side, method for data communication and data transmission program |
CN104780177A (en) | Information security guarantee method of internet of things sensing device cloud simulation system |
CN105610837A (en) | Method and system for identity authentication between master station and slave station in SCADA (Supervisory Control and Data Acquisition) system |
Musa et al. | Secure security model implementation for security services and related attacks base on end-to-end, application layer and data link layer security |
CN113472520A (en) | ModbusTCP (Transmission control protocol) security enhancement method and system |
Chuah et al. | Key derivation function: the SCKDF scheme |
Li et al. | Lightweight secure communication mechanism towards UAV networks |
Lu et al. | Modeling and verification of IEEE 802.11 i security protocol in UPPAAL for Internet of Things |
CN102892113B (en) | Method for safety transmission of data between nodes in hierarchical wireless sensor network |
Zhang et al. | Old School, New Primitive: Toward Scalable PUF-Based Authenticated Encryption Scheme in IoT |
Ghormare et al. | Implementation of data confidentiality for providing high security in wireless sensor network |
Jolfaei et al. | A lightweight integrity protection scheme for fast communications in smart grid |
Gao et al. | A security protocol resistant to intermittent position trace attacks and desynchronization attacks in RFID systems |
Køien | A brief survey of nonces and nonce usage |
CN103249035A (en) | Wireless sensor network data encryption transmission method |
CN105848150A (en) | Wireless sensor network grouping small data security distributing method |
Hu et al. | A lightweight and confidential communication scheme for on-vehicle ECUs |
CN103457915A (en) | Military Internet of Things security protocol capable of being proved in formalized mode |
Ali et al. | Secure key loss recovery for network broadcast in single-hop wireless sensor networks |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |