[go: up one dir, main page]

CN114374550B - Electric power metering platform with high safety - Google Patents

Electric power metering platform with high safety Download PDF

Info

Publication number
CN114374550B
CN114374550B CN202111643556.9A CN202111643556A CN114374550B CN 114374550 B CN114374550 B CN 114374550B CN 202111643556 A CN202111643556 A CN 202111643556A CN 114374550 B CN114374550 B CN 114374550B
Authority
CN
China
Prior art keywords
metering
end server
metering terminal
terminal
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111643556.9A
Other languages
Chinese (zh)
Other versions
CN114374550A (en
Inventor
王联智
谢敏
吴海杰
屈晓瑞
王康桑
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Southern Power Grid Digital Grid Group Hainan Co ltd
Original Assignee
Hainan Digital Power Grid Research Institute of China Southern Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hainan Digital Power Grid Research Institute of China Southern Power Grid Co Ltd filed Critical Hainan Digital Power Grid Research Institute of China Southern Power Grid Co Ltd
Priority to CN202111643556.9A priority Critical patent/CN114374550B/en
Publication of CN114374550A publication Critical patent/CN114374550A/en
Application granted granted Critical
Publication of CN114374550B publication Critical patent/CN114374550B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q9/00Arrangements in telecontrol or telemetry systems for selectively calling a substation from a main station, in which substation desired apparatus is selected for applying a control signal thereto or for obtaining measured values therefrom
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2209/00Arrangements in telecontrol or telemetry systems
    • H04Q2209/60Arrangements in telecontrol or telemetry systems for transmitting utility meters data, i.e. transmission of data from the reader of the utility meter
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

本发明提供一种具备高安全性的电力计量平台,包括计量主站、计量终端、前置服务器、应用认证系统,所述计量终端,采集来自多个电能表的业务数据,并所述业务数据进行加密,并将加密数据上传至所述前置服务器;所述前置服务器,用于接收并缓存来自所述计量终端的加密数据,并通过API接口调用所述应用认证系统实现计量终端的身份认证以及对加密数据进行解密,并将解密后的业务数据上传至所述计量主站;所述应用认证系统,用于对所述计量终端实现用户认证以及对计量终端的上传数据进行解密处理、对前置服务器的回传数据以及控制报文进行加密处理;所述计量主站,用于向所述前置服务器发送控制报文,同时对解密后的业务数据进行入库处理。

The present invention provides a highly secure electric power metering platform, comprising a metering main station, a metering terminal, a front-end server, and an application authentication system, wherein the metering terminal collects business data from a plurality of electric energy meters, encrypts the business data, and uploads the encrypted data to the front-end server; the front-end server is used to receive and cache the encrypted data from the metering terminal, and calls the application authentication system through an API interface to implement identity authentication of the metering terminal and decrypt the encrypted data, and upload the decrypted business data to the metering main station; the application authentication system is used to implement user authentication for the metering terminal, decrypt the uploaded data of the metering terminal, and encrypt the return data and control messages of the front-end server; the metering main station is used to send control messages to the front-end server, and simultaneously perform storage processing on the decrypted business data.

Description

一种具备高安全性的电力计量平台A highly secure power metering platform

技术领域Technical Field

本发明涉及电力计量技术领域,尤其涉及一种具备高安全性的电力计量平台。The present invention relates to the technical field of electric power metering, and in particular to an electric power metering platform with high security.

背景技术Background technique

计量系统主站通过通信信道与计量终端连接,实现电能量数据的采集、数据管理、数据双向传输、转发或控制命令的执行等功能。目前的计量系统安全防护体系没有建立与业务结构相匹配的主站-终端-表计的安全防护体系结构。在集中器、厂站采集终端、负荷管理终端、配变监测终端中缺乏安全防护措施,数据以明文方式传输,容易遭受数据非法窃取、黑客跨网入侵等风险。The metering system master station is connected to the metering terminal through a communication channel to realize functions such as electric energy data collection, data management, two-way data transmission, forwarding or execution of control commands. The current metering system security protection system has not established a master station-terminal-meter security protection system architecture that matches the business structure. There is a lack of security protection measures in the concentrator, plant acquisition terminal, load management terminal, and distribution transformer monitoring terminal. Data is transmitted in plain text, which is prone to risks such as illegal data theft and cross-network intrusion by hackers.

发明内容Summary of the invention

本发明的目的在于提供一种具备高安全性的电力计量平台,以解决上述背景技术中提出的问题。The purpose of the present invention is to provide a highly secure power metering platform to solve the problems raised in the above background technology.

本发明是通过以下技术方案实现的:一种具备高安全性的电力计量平台,包括计量主站、计量终端、前置服务器、应用认证系统,所述计量终端、应用认证系统中均包含相同的密钥库,其中,The present invention is implemented by the following technical scheme: a highly secure power metering platform, comprising a metering master station, a metering terminal, a front-end server, and an application authentication system, wherein the metering terminal and the application authentication system both contain the same key library, wherein:

所述计量终端,采集来自多个电能表的业务数据,并所述业务数据进行加密,并将加密数据上传至所述前置服务器;The metering terminal collects business data from a plurality of electric energy meters, encrypts the business data, and uploads the encrypted data to the front-end server;

所述前置服务器,用于接收并缓存来自所述计量终端的加密数据,并通过API接口调用所述应用认证系统实现计量终端的身份认证以及对加密数据进行解密,并将解密后的业务数据上传至所述计量主站;The front-end server is used to receive and cache the encrypted data from the metering terminal, and call the application authentication system through the API interface to implement the identity authentication of the metering terminal and decrypt the encrypted data, and upload the decrypted business data to the metering master station;

所述应用认证系统,用于对所述计量终端实现用户认证以及对计量终端的上传数据进行解密处理、对前置服务器的回传数据以及控制报文进行加密处理;The application authentication system is used to implement user authentication for the metering terminal, decrypt the uploaded data of the metering terminal, and encrypt the returned data and control messages of the front-end server;

所述计量主站,用于向所述前置服务器发送控制报文,同时对解密后的业务数据进行入库处理。The metering master station is used to send control messages to the front-end server and simultaneously perform storage processing on the decrypted business data.

可选的,所述计量终端对所述业务数据进行加密前,需要进行注册操作,其具体过程包括:用户向计量终端输入出厂码,所述计量终端基于出厂码向所述前置服务器发送第一明码报文,所述前置服务器根据所述第一明码报文向所述计量终端反馈标识码。Optionally, before the metering terminal encrypts the business data, a registration operation is required, and the specific process includes: the user inputs a factory code into the metering terminal, the metering terminal sends a first plain text message to the front-end server based on the factory code, and the front-end server feeds back an identification code to the metering terminal based on the first plain text message.

可选的,所述计量终端对所述业务数据进行加密前,需要进行密钥激活以及身份认证,其具体的过程包括:Optionally, before the metering terminal encrypts the service data, key activation and identity authentication are required, and the specific process includes:

所述计量终端向所述前置服务器发送第二明码报文,所述前置服务器基于第二明码报文对所述计量终端进行验证,若验证成功则向所述计量终端回传第一激活报文,所述计量终端根据所述第一激活报文激活密钥库;The metering terminal sends a second plaintext message to the front-end server, and the front-end server verifies the metering terminal based on the second plaintext message. If the verification is successful, the front-end server returns a first activation message to the metering terminal, and the metering terminal activates the key library according to the first activation message;

所述计量终端通过密钥库对身份认证请求数据进行加密,并将加密后的身份认证请求数据发送至所述前置服务器,所述前置服务器调用应用认证系统进行解密并验证,若验证成功则向所述所述计量终端回传认证成功信息。The metering terminal encrypts the identity authentication request data through the key library and sends the encrypted identity authentication request data to the front-end server. The front-end server calls the application authentication system to decrypt and verify. If the verification is successful, the authentication success information is returned to the metering terminal.

可选的,当所述计量终端向所述前置服务器发送第二明码报文,且所述前置服务器基于所述第二明码报文的验证失败时,所述计量终端重复发送N次第二明码报文,若前置服务器对N次第二明码报文的验证均失败,所述前置服务器对第N+1次收到的第二明码报文执行丢包操作。Optionally, when the metering terminal sends a second plain code message to the front-end server and the front-end server fails to verify the second plain code message, the metering terminal repeatedly sends the second plain code message N times. If the front-end server fails to verify the second plain code message N times, the front-end server performs a packet drop operation on the second plain code message received for the N+1th time.

可选的,当所述计量终端向所述前置服务器发送加密后的身份认证请求数据,且所述前置服务器基于所述加密后的身份认证请求数据的验证失败时,所述计量终端重复发送M次加密后的身份认证请求数据,若前置服务器对M次加密后的身份认证请求数据的验证均失败,所述前置服务器对第M+1次收到的加密后的身份认证请求数据执行丢包操作。Optionally, when the metering terminal sends encrypted identity authentication request data to the front-end server, and the front-end server fails to verify the encrypted identity authentication request data, the metering terminal repeatedly sends the encrypted identity authentication request data M times. If the front-end server fails to verify the M encrypted identity authentication request data, the front-end server performs a packet loss operation on the encrypted identity authentication request data received for the M+1th time.

可选的,所述密钥库中包含多种国密算法,所述计量终端根据所述第一激活报文激活密钥库并选择相应的国密算法。Optionally, the key library contains multiple national encryption algorithms, and the metering terminal activates the key library according to the first activation message and selects a corresponding national encryption algorithm.

可选的,在时间t间隔后,所述前置服务器对应用认证系统中使用的国密算法进行切换,在切换成功后向所述计量终端发送第二激活指令,所述计量终端根据第二激活指令在计量终端的密钥库中选择相应的国密算法进行加密/解密操作。Optionally, after a time interval of t, the front-end server switches the national secret algorithm used in the application authentication system, and after the switch is successful, sends a second activation instruction to the metering terminal. The metering terminal selects the corresponding national secret algorithm in the key library of the metering terminal for encryption/decryption operations according to the second activation instruction.

可选的,在时间T中,所述前置服务器调用应用认证系统对采用旧国密算法加密的计量终端业务数据进行解密,在T时间后,只对采用新国密算法加密的计量终端业务数据进行解密。Optionally, at time T, the front-end server calls the application authentication system to decrypt the metering terminal business data encrypted by the old national encryption algorithm. After time T, only the metering terminal business data encrypted by the new national encryption algorithm is decrypted.

与现有技术相比,本发明达到的有益效果如下:Compared with the prior art, the present invention has the following beneficial effects:

本发明提供的一种具备高安全性的电力计量平台,其计量终端首先需要发送相应的明码报文至前置服务器进行密钥激活认证以及身份认证的双激活操作,在双激活操作成功后,将计量终端自身所采集的业务数据通过自身的密钥库进行加密,并传输至前置服务器进行预存储,前置服务器通过API接口调用所述应用认证系统对加密数据进行解密,并将解密后的业务数据上传至所述计量主站,而计量主站向计量终端发送下行控制指令时,也需要前置服务器调用应用认证系统对下行控制指令进行加密,其加密的数据被传输至计量终端后,由计量终端进行解密并根据下行控制指令执行相应的操作。The present invention provides a highly secure electric power metering platform, wherein the metering terminal first needs to send a corresponding plaintext message to a front-end server for dual activation operations of key activation authentication and identity authentication. After the dual activation operation is successful, the business data collected by the metering terminal itself is encrypted through its own key library and transmitted to the front-end server for pre-storage. The front-end server calls the application authentication system through an API interface to decrypt the encrypted data, and uploads the decrypted business data to the metering master station. When the metering master station sends a downlink control instruction to the metering terminal, the front-end server is also required to call the application authentication system to encrypt the downlink control instruction. After the encrypted data is transmitted to the metering terminal, the metering terminal decrypts the data and performs corresponding operations according to the downlink control instruction.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

为了更清楚地说明本发明实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的优选实施例,对于本领域普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required for use in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are only preferred embodiments of the present invention. For ordinary technicians in this field, other drawings can be obtained based on these drawings without creative work.

图1为本发明提供的一种具备高安全性的电力计量平台的结构图。FIG1 is a structural diagram of a highly secure power metering platform provided by the present invention.

图中,1计量主站,2计量终端,3前置服务器,4应用认证系统.In the figure, 1 is the metering main station, 2 is the metering terminal, 3 is the front-end server, and 4 is the application authentication system.

具体实施方式Detailed ways

为了使得本发明的目的、技术方案和优点更为明显,下面将参照附图详细描述根据本发明的示例实施例。显然,所描述的实施例仅仅是本发明的一部分实施例,而不是本发明的全部实施例,应理解,本发明不受这里描述的示例实施例的限制。基于本发明中描述的本发明实施例,本领域技术人员在没有付出创造性劳动的情况下所得到的所有其它实施例都应落入本发明的保护范围之内。In order to make the purpose, technical scheme and advantages of the present invention more obvious, the exemplary embodiments according to the present invention will be described in detail with reference to the accompanying drawings. Obviously, the described embodiments are only part of the embodiments of the present invention, rather than all the embodiments of the present invention, and it should be understood that the present invention is not limited to the exemplary embodiments described herein. Based on the embodiments of the present invention described in the present invention, all other embodiments obtained by those skilled in the art without paying creative work should fall within the protection scope of the present invention.

在下文的描述中,给出了大量具体的细节以便提供对本发明更为彻底的理解。然而,对于本领域技术人员而言显而易见的是,本发明可以无需一个或多个这些细节而得以实施。在其他的例子中,为了避免与本发明发生混淆,对于本领域公知的一些技术特征未进行描述。In the following description, a large number of specific details are provided to provide a more thorough understanding of the present invention. However, it is obvious to those skilled in the art that the present invention can be implemented without one or more of these details. In other examples, in order to avoid confusion with the present invention, some technical features well known in the art are not described.

应当理解的是,本发明能够以不同形式实施,而不应当解释为局限于这里提出的实施例。相反地,提供这些实施例将使公开彻底和完全,并且将本发明的范围完全地传递给本领域技术人员。It should be understood that the present invention can be implemented in different forms and should not be interpreted as limited to the embodiments set forth herein. On the contrary, these embodiments are provided to make the disclosure thorough and complete and to fully convey the scope of the present invention to those skilled in the art.

在此使用的术语的目的仅在于描述具体实施例并且不作为本发明的限制。在此使用时,单数形式的“一”、“一个”和“所述/该”也意图包括复数形式,除非上下文清楚指出另外的方式。还应明白术语“组成”和/或“包括”,当在该说明书中使用时,确定所述特征、整数、步骤、操作、元件和/或部件的存在,但不排除一个或更多其它的特征、整数、步骤、操作、元件、部件和/或组的存在或添加。在此使用时,术语“和/或”包括相关所列项目的任何及所有组合。The purpose of the terms used herein is only to describe specific embodiments and is not intended to be limiting of the present invention. When used herein, the singular forms "one", "an" and "said/the" are also intended to include plural forms, unless the context clearly indicates otherwise. It should also be understood that the terms "consisting of" and/or "comprising", when used in this specification, determine the presence of the features, integers, steps, operations, elements and/or parts, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, parts and/or groups. When used herein, the term "and/or" includes any and all combinations of the relevant listed items.

为了彻底理解本发明,将在下列的描述中提出详细的结构,以便阐释本发明提出的技术方案。本发明的可选实施例详细描述如下,然而除了这些详细描述外,本发明还可以具有其他实施方式。In order to fully understand the present invention, a detailed structure will be proposed in the following description to illustrate the technical solution proposed by the present invention. The optional embodiments of the present invention are described in detail as follows, but in addition to these detailed descriptions, the present invention may also have other implementations.

参见图1,一种具备高安全性的电力计量平台,该平台在架构上包括计量主站1、计量终端2、前置服务器3、应用认证系统4,所述计量终端2、应用认证系统4中均包含相同的密钥库,其中,Referring to FIG1 , a highly secure power metering platform is shown. The platform includes a metering master station 1, a metering terminal 2, a front-end server 3, and an application authentication system 4 in terms of architecture. The metering terminal 2 and the application authentication system 4 both contain the same key library, wherein:

所述计量终端2,采集来自多个电能表的业务数据,并所述业务数据进行加密,并将加密数据上传至所述前置服务器3;The metering terminal 2 collects business data from multiple electric energy meters, encrypts the business data, and uploads the encrypted data to the front-end server 3;

所述前置服务器3,用于接收并缓存来自所述计量终端2的加密数据,并通过API接口调用所述应用认证系统4实现计量终端2的身份认证以及对加密数据进行解密,并将解密后的业务数据上传至所述计量主站1;The front-end server 3 is used to receive and cache the encrypted data from the metering terminal 2, and call the application authentication system 4 through the API interface to implement the identity authentication of the metering terminal 2 and decrypt the encrypted data, and upload the decrypted business data to the metering master station 1;

所述应用认证系统4,用于对所述计量终端2实现用户认证以及对计量终端2的上传数据进行解密处理、对前置服务器3的回传数据以及控制报文进行加密处理;The application authentication system 4 is used to implement user authentication for the metering terminal 2, decrypt the uploaded data of the metering terminal 2, and encrypt the returned data and control messages of the front-end server 3;

所述计量主站1,用于向所述前置服务器3发送控制报文,同时对解密后的业务数据进行入库处理。The metering master station 1 is used to send control messages to the front-end server 3 and simultaneously process the decrypted business data into a warehouse.

本发明在实施时,计量终端2首先需要发送相应的明码报文至前置服务器3进行密钥激活认证以及身份认证的双激活操作,在双激活操作成功后,将计量终端2自身所采集的业务数据通过自身的密钥库进行加密,并传输至前置服务器3进行预存储,前置服务器3通过API接口调用所述应用认证系统4对加密数据进行解密,并将解密后的业务数据上传至所述计量主站1,而计量主站1向计量终端2发送下行控制指令时,也需要前置服务器3调用应用认证系统4对下行控制指令进行加密,其加密的数据被传输至计量终端2后,由计量终端2进行解密并根据下行控制指令执行相应的操作。When the present invention is implemented, the metering terminal 2 first needs to send the corresponding plain text message to the front server 3 to perform dual activation operations of key activation authentication and identity authentication. After the dual activation operation is successful, the business data collected by the metering terminal 2 itself is encrypted through its own key library and transmitted to the front server 3 for pre-storage. The front server 3 calls the application authentication system 4 through the API interface to decrypt the encrypted data, and uploads the decrypted business data to the metering master station 1. When the metering master station 1 sends a downlink control instruction to the metering terminal 2, the front server 3 is also required to call the application authentication system 4 to encrypt the downlink control instruction. After the encrypted data is transmitted to the metering terminal 2, the metering terminal 2 decrypts it and performs corresponding operations according to the downlink control instruction.

进一步的,所述计量终端2对所述业务数据进行加密前,需要进行注册操作,其具体过程包括:用户向计量终端2输入出厂码,其中出厂码由厂家在安装所述计量终端2时预先给到用户,所述计量终端2基于出厂码向所述前置服务器3发送第一明码报文,其中第一明码报文包括终端地址、出厂码、所述前置服务器3根据所述第一明码报文向所述计量终端2反馈标识码,其标识码为前置服务器3赋予所接入的每个计量终端2的独一无二的“英文+数字”集合。Furthermore, before the metering terminal 2 encrypts the business data, a registration operation is required, and the specific process includes: the user inputs a factory code into the metering terminal 2, wherein the factory code is given to the user in advance by the manufacturer when the metering terminal 2 is installed; the metering terminal 2 sends a first plain text message to the front-end server 3 based on the factory code, wherein the first plain text message includes the terminal address, the factory code, and the front-end server 3 feeds back an identification code to the metering terminal 2 according to the first plain text message, wherein the identification code is a unique "English + number" set assigned by the front-end server 3 to each connected metering terminal 2.

进一步的,所述计量终端2对所述业务数据进行加密前,需要进行密钥激活以及身份认证,其具体的过程包括:Furthermore, before the metering terminal 2 encrypts the service data, key activation and identity authentication are required, and the specific process includes:

所述计量终端2向所述前置服务器3发送第二明码报文,其中第二明码报文包括计量终端2地址、标识码以及请求报文,所述前置服务器3基于第二明码报文对所述计量终端2进行验证,即验证计量终端2地址以及标识码的正确情况,同时验证判断所述请求报文是否符合规定的格式要求,若所述计量终端2地址、标识码以及请求报文均正确以及符合要求,则所述前置服务器3对所述计量终端2的验证正确,此时向所述计量终端2回传第一激活报文,所述计量终端2根据所述第一激活报文激活密钥库,其第一激活报文由单一英文或者数字构成,每个单一的英文或数字均指代密钥库中唯一的国密算法。The metering terminal 2 sends a second plain code message to the front-end server 3, wherein the second plain code message includes the metering terminal 2 address, identification code and request message. The front-end server 3 verifies the metering terminal 2 based on the second plain code message, that is, verifies the correctness of the metering terminal 2 address and identification code, and verifies whether the request message meets the specified format requirements. If the metering terminal 2 address, identification code and request message are all correct and meet the requirements, then the front-end server 3 verifies the metering terminal 2 correctly. At this time, the first activation message is returned to the metering terminal 2. The metering terminal 2 activates the key library according to the first activation message, and its first activation message consists of a single English or number, and each single English or number refers to a unique national secret algorithm in the key library.

在本发明的一个实施方式中,当所述计量终端2向所述前置服务器3发送第二明码报文,且所述前置服务器3基于所述第二明码报文的验证失败时,所述计量终端2重复发送N次第二明码报文,若前置服务器3对N次第二明码报文的验证均失败,所述前置服务器3对第N+1次收到的第二明码报文执行丢包操作,即所述前置服务器3不再接收来自该计量终端2的第二明码报文数据。In one embodiment of the present invention, when the metering terminal 2 sends a second plain code message to the front-end server 3, and the front-end server 3 fails to verify the second plain code message, the metering terminal 2 repeatedly sends the second plain code message N times. If the front-end server 3 fails to verify the N second plain code messages, the front-end server 3 performs a packet loss operation on the second plain code message received for the N+1th time, that is, the front-end server 3 no longer receives the second plain code message data from the metering terminal 2.

进一步的,当所述计量终端2向所述前置服务器3发送第二明码报文时,所述前置服务器3在所述应用认证系统4的密钥库中先对国密算法进行选择,基于选择结果生成对应的第一激活报文,例如在密钥库中的国密算法包括SM2非对称加密算法、SM3密码杂凑算法、SM4分组加密算法、SM7分组加密算法、SM9基于标识的非对称密码算法,当前置服务器3选择SM4分组加密算法时,会生成指代SM4分组加密算法的第一激活报文,所述计量终端2根据所述第一激活报文激活密钥库并选择SM4分组加密算法来进行业务数据的加密。Furthermore, when the metering terminal 2 sends a second plaintext message to the front-end server 3, the front-end server 3 first selects the national secret algorithm in the key library of the application authentication system 4, and generates a corresponding first activation message based on the selection result. For example, the national secret algorithms in the key library include SM2 asymmetric encryption algorithm, SM3 cryptographic hash algorithm, SM4 block encryption algorithm, SM7 block encryption algorithm, and SM9 identifier-based asymmetric encryption algorithm. When the front-end server 3 selects the SM4 block encryption algorithm, a first activation message referring to the SM4 block encryption algorithm is generated. The metering terminal 2 activates the key library according to the first activation message and selects the SM4 block encryption algorithm to encrypt business data.

在本发明的一个实施方式中,当计量终端2的密钥激活成功后,所述计量终端2通过密钥库中所选择的国密算法,对身份认证请求数据进行加密,其中身份认证请求数据包括计量终端2地址、身份认证请求报文、标识码,将上述身份认证请求数据通过相应的国密算法进行加密后,获得加密后的身份认证请求数据,将前述数据发送至所述前置服务器3,所述前置服务器3调用应用认证系统4进行解密并验证,若验证成功则向所述所述计量终端2回传认证成功信息。In one embodiment of the present invention, when the key of the metering terminal 2 is successfully activated, the metering terminal 2 encrypts the identity authentication request data through the national secret algorithm selected in the key library, wherein the identity authentication request data includes the address of the metering terminal 2, the identity authentication request message, and the identification code. After encrypting the above-mentioned identity authentication request data through the corresponding national secret algorithm, the encrypted identity authentication request data is obtained, and the above-mentioned data is sent to the front-end server 3. The front-end server 3 calls the application authentication system 4 for decryption and verification. If the verification is successful, the authentication success information is returned to the metering terminal 2.

进一步的,当所述计量终端2向所述前置服务器3发送加密后的身份认证请求数据,且所述前置服务器3基于所述加密后的身份认证请求数据的验证失败时,所述计量终端2重复发送M次加密后的身份认证请求数据,若前置服务器3对M次加密后的身份认证请求数据的验证均失败,所述前置服务器3对第M+1次收到的加密后的身份认证请求数据执行丢包操作,即所述前置服务器3不再接收来自该计量终端2的第二明码报文数据。Furthermore, when the metering terminal 2 sends encrypted identity authentication request data to the front-end server 3, and the front-end server 3 fails to verify the encrypted identity authentication request data, the metering terminal 2 repeatedly sends the encrypted identity authentication request data M times. If the front-end server 3 fails to verify the M encrypted identity authentication request data, the front-end server 3 performs a packet loss operation on the encrypted identity authentication request data received for the M+1th time, that is, the front-end server 3 no longer receives the second plaintext message data from the metering terminal 2.

在本发明的一些实施方式中,在时间t间隔后,所述前置服务器3对应用认证系统4中使用的国密算法进行切换,例如从SM4分组加密算法切换到SM7分组加密算法,在切换成功后向所述计量终端2发送第二激活指令,其第二激活指令包括SM7分组加密算法所对应的激活报文,所述计量终端2根据第二激活指令在计量终端2的密钥库中选择相应的国密算法进行加密/解密操作。In some embodiments of the present invention, after a time interval of t, the front-end server 3 switches the national encryption algorithm used in the application authentication system 4, for example, switching from the SM4 block encryption algorithm to the SM7 block encryption algorithm. After the switch is successful, a second activation instruction is sent to the metering terminal 2, and the second activation instruction includes an activation message corresponding to the SM7 block encryption algorithm. The metering terminal 2 selects the corresponding national encryption algorithm in the key library of the metering terminal 2 according to the second activation instruction to perform encryption/decryption operations.

可选的,在时间T中,所述前置服务器3调用应用认证系统4对采用旧国密算法加密的计量终端2业务数据进行解密,在T时间后,只对采用新国密算法加密的计量终端2业务数据进行解密。Optionally, at time T, the front-end server 3 calls the application authentication system 4 to decrypt the business data of the metering terminal 2 encrypted by the old national encryption algorithm. After time T, only the business data of the metering terminal 2 encrypted by the new national encryption algorithm is decrypted.

在本发明的一些实施方式中,计量主站1向计量终端2发送下行控制指令时,也需要前置服务器3调用应用认证系统4对下行控制指令进行加密,其加密的数据被传输至计量终端2后,由计量终端2进行解密并根据下行控制指令执行相应的操作。In some embodiments of the present invention, when the metering master station 1 sends a downlink control instruction to the metering terminal 2, the front-end server 3 is also required to call the application authentication system 4 to encrypt the downlink control instruction. After the encrypted data is transmitted to the metering terminal 2, the metering terminal 2 decrypts it and performs corresponding operations according to the downlink control instruction.

以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内,所做的任何修改、等同替换、改进等,均应包含在本发明保护的范围之内。The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the present invention should be included in the scope of protection of the present invention.

Claims (6)

1. The utility model provides a power metering platform with high security, which is characterized in that the utility model comprises a metering main station, a metering terminal, a front-end server and an application authentication system, wherein the metering terminal and the application authentication system both comprise the same key store, and the key store comprises a key store and a key store,
The metering terminal collects service data from a plurality of electric energy meters, encrypts the service data and uploads the encrypted data to the front-end server;
The front-end server is used for receiving and caching the encrypted data from the metering terminal, calling the application authentication system through an API interface to realize the identity authentication of the metering terminal and decrypt the encrypted data, and uploading the decrypted service data to the metering master station;
the application authentication system is used for realizing user authentication on the metering terminal, decrypting the uploading data of the metering terminal, and encrypting the returned data and the control message of the front-end server;
the metering master station is used for sending a control message to the front-end server and carrying out warehousing processing on decrypted service data;
Before the metering terminal encrypts the service data, registration operation is required, and the specific process comprises the following steps: the method comprises the steps that a user inputs a factory code to a metering terminal, the metering terminal sends a first clear code message to a front-end server based on the factory code, and the front-end server feeds back an identification code to the metering terminal according to the first clear code message;
before the metering terminal encrypts the service data, key activation and identity authentication are required, and the specific process comprises the following steps:
the metering terminal sends a second clear message to the front-end server, the front-end server verifies the metering terminal based on the second clear message, if verification is successful, a first activation message is returned to the metering terminal, and the metering terminal activates a key bank according to the first activation message;
After the key of the metering terminal is successfully activated, the metering terminal encrypts the identity authentication request data through a cryptographic algorithm selected in a key bank, the encrypted identity authentication request data is sent to the front-end server, the front-end server calls an application authentication system to decrypt and verify, and if verification is successful, authentication success information is returned to the metering terminal;
The first clear message comprises a terminal address and a factory code;
the second clear message comprises a metering terminal address, an identification code and a request message.
2. The power metering platform with high security according to claim 1, wherein when the metering terminal sends a second clear message to the front-end server and the verification of the front-end server based on the second clear message fails, the metering terminal repeatedly sends N second clear messages, and if the front-end server fails to verify N second clear messages, the front-end server performs packet loss operation on the (n+1) th received second clear message.
3. The power metering platform with high security according to claim 2, wherein when the metering terminal sends encrypted authentication request data to the front-end server and verification of the front-end server based on the encrypted authentication request data fails, the metering terminal repeatedly sends M times of encrypted authentication request data, and if the front-end server fails to verify M times of encrypted authentication request data, the front-end server performs packet loss operation on the m+1st received encrypted authentication request data.
4. The power metering platform with high security according to claim 3, wherein the key store comprises a plurality of national encryption algorithms, and the metering terminal activates the key store and selects the corresponding national encryption algorithm according to the first activation message.
5. The power metering platform with high security according to claim 4, wherein after a time t interval, the front-end server switches the cryptographic algorithm used in the application authentication system, and after the switching is successful, the metering terminal sends a second activation instruction to the metering terminal, and the metering terminal selects a corresponding cryptographic algorithm in a key store of the metering terminal to perform encryption/decryption operation according to the second activation instruction.
6. The high security power metering platform of claim 5, wherein in time T, the front end server invokes the application authentication system to decrypt metering terminal service data encrypted using the old cryptographic algorithm, and after time T, only metering terminal service data encrypted using the new cryptographic algorithm is decrypted.
CN202111643556.9A 2021-12-29 2021-12-29 Electric power metering platform with high safety Active CN114374550B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111643556.9A CN114374550B (en) 2021-12-29 2021-12-29 Electric power metering platform with high safety

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111643556.9A CN114374550B (en) 2021-12-29 2021-12-29 Electric power metering platform with high safety

Publications (2)

Publication Number Publication Date
CN114374550A CN114374550A (en) 2022-04-19
CN114374550B true CN114374550B (en) 2024-07-19

Family

ID=81141715

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111643556.9A Active CN114374550B (en) 2021-12-29 2021-12-29 Electric power metering platform with high safety

Country Status (1)

Country Link
CN (1) CN114374550B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115134113B (en) * 2022-05-13 2024-04-09 山东鲁软数字科技有限公司 Platform data security authentication method, system, terminal and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721490A (en) * 2015-07-01 2016-06-29 北京东润环能科技股份有限公司 Intelligent collection terminal, master station system and data processing method
CN109450854A (en) * 2018-10-11 2019-03-08 珠海许继芝电网自动化有限公司 A kind of distribution terminal communication security protection method and system

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050005093A1 (en) * 2003-07-01 2005-01-06 Andrew Bartels Methods, systems and devices for securing supervisory control and data acquisition (SCADA) communications
CN102750813A (en) * 2012-06-12 2012-10-24 上海市电力公司 Power use information acquisition system
EP3118771B1 (en) * 2014-03-14 2021-07-28 Rowem Inc Confidential data management method and device, and security authentication method and system
US11734396B2 (en) * 2014-06-17 2023-08-22 El Electronics Llc Security through layers in an intelligent electronic device
CN104243481B (en) * 2014-09-24 2019-02-05 国家电网公司 A method and system for pre-processing data of electricity consumption information collection
WO2017177435A1 (en) * 2016-04-15 2017-10-19 深圳前海达闼云端智能科技有限公司 Identity authentication method, terminal and server
CN107018134B (en) * 2017-04-06 2020-11-06 北京国电通网络技术有限公司 A security access platform for power distribution terminal and its realization method
CN110881026B (en) * 2019-10-15 2022-10-04 中国电力科学研究院有限公司 A method and system for identity authentication of information collection terminal users
CN112104604B (en) * 2020-08-07 2024-03-29 国电南瑞科技股份有限公司 System and method for realizing secure access service based on electric power Internet of things management platform
CN112671710B (en) * 2020-11-26 2023-01-06 中国大唐集团科学技术研究院有限公司 Security encryption device based on national cryptographic algorithm, bidirectional authentication and encryption method

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721490A (en) * 2015-07-01 2016-06-29 北京东润环能科技股份有限公司 Intelligent collection terminal, master station system and data processing method
CN109450854A (en) * 2018-10-11 2019-03-08 珠海许继芝电网自动化有限公司 A kind of distribution terminal communication security protection method and system

Also Published As

Publication number Publication date
CN114374550A (en) 2022-04-19

Similar Documents

Publication Publication Date Title
CN102196425B (en) Quantum-key-distribution-network-based mobile encryption system and communication method thereof
CN103491531B (en) Power system WiMAX wireless communication networks uses the method that quantum key improves power information transmission security
CN101197674B (en) Encrypted communication method, server and encrypted communication system
CN101296086B (en) Method, system and device for access authentication
CN102333093A (en) Data encryption transmission method and system
CN113114460B (en) Quantum encryption-based power distribution network information secure transmission method
CN202121593U (en) Mobile encryption system based on quantum key distribution network
CN101420686B (en) Implementation method of secure communication in industrial wireless network based on key
CN112671710B (en) Security encryption device based on national cryptographic algorithm, bidirectional authentication and encryption method
CN101877702A (en) Method and system for activating and authenticating an internet protocol television client
CN110995716A (en) A method and system for data transmission encryption and decryption of substation inspection robot
CN110300108A (en) A kind of power distribution automation message encryption transmission method, system, terminal and storage medium
CN104901803A (en) Data interaction safety protection method based on CPK identity authentication technology
CN107094138A (en) A kind of smart home safe communication system and communication means
CN102045343B (en) DC (Digital Certificate) based communication encrypting safety method, server and system
CN114374550B (en) Electric power metering platform with high safety
CN111385088B (en) Efficient satellite quantum key pairing generation method
CN112039663B (en) Data transmission method and system
CN102523563A (en) Multimedia messaging service (MMS) encrypting method based on identity-based cryptograph (IBC) technology
CN111740941A (en) Industrial scene real-time data file encryption transmission method
CN102547686A (en) M2M (Machine-to-Machine) terminal security access method and terminal and management platform
CN112054905B (en) Secure communication method and system of mobile terminal
CN113656814A (en) Equipment key safety management method and system
CN101640840B (en) Broadcast or multicast-based safe communication method and broadcast or multicast-based safe communication device
CN110661803A (en) A gate encryption control system and method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address

Address after: No.32, Haifu Road, Meilan District, Haikou City, Hainan Province, 570203

Patentee after: Southern Power Grid Digital Grid Group (Hainan) Co.,Ltd.

Country or region after: China

Address before: No. 32 Haifu Road, Meilan District, Haikou City, Hainan Province

Patentee before: China Southern Power Grid Hainan Digital Power Grid Research Institute Co.,Ltd.

Country or region before: China

CP03 Change of name, title or address