CN-121984717-A - Method, medium and terminal for realizing safety protection mechanism by multi-protocol architecture

Abstract

The invention is applicable to the technical field of power system communication security and relates to a method, a medium and a terminal for realizing a safety protection mechanism by a multi-protocol architecture. The method comprises: defining a safety protection module and a universal interface set; when a protocol module is initialized, calling a configuration interface to register protocol-related parameters and the link layer data receiving and transmitting interfaces with the safety protection module; after the protocol module receives an application service data unit (ASDU), calling a processing ASDU data interface to process the data; calling, by the protocol module, a safety state monitoring interface to perform detection; before the protocol module prepares to send data, calling an acquisition flow stop state interface to determine whether to pause the protocol flow; and, when the protocol module learns that the flow does not need to stop, calling the sending ASDU data interface to send the data and, if a key ASDU is sent, controlling the safety protection module to enter a challenge waiting state. The invention lets a plurality of protocols share one set of safety protection mechanism, which reduces software cost and improves operation and maintenance efficiency.

Inventors

  • ZHOU YI
  • LI JUN
  • HAN TAO
  • GAO YI
  • MENG HONGBIN
  • YANG HUA

Assignees

  • 威胜信息技术股份有限公司

Dates

Publication Date
20260505
Application Date
20251231

Claims (10)

  1. A method for implementing a security mechanism by a multiprotocol architecture, comprising the steps of: S10, defining a safety protection module independent of each protocol, and defining a universal interface set between the safety protection module and a plurality of protocol modules; S20, when a protocol module is initialized, calling a configuration interface of the safety protection module, and registering protocol-related parameters and the link layer data receiving and transmitting interfaces with the safety protection module as callback functions; S30, after receiving an application service data unit (ASDU), the protocol module calls a processing ASDU data interface of the safety protection module, and the safety protection module performs unified safety processing on the data; S40, while the protocol module is running, calling a safety state monitoring interface of the safety protection module periodically or on an event trigger, wherein the safety state monitoring interface is used for detecting the timeout of a safety-related timer or the overflow of a counter; S50, before the protocol module prepares to send data, calling an acquisition flow stop state interface of the safety protection module, and determining from the return value of the interface whether to pause the protocol flow so as to wait for safety verification to complete; and S60, when the protocol module learns that the flow does not need to be stopped, calling a transmission ASDU data interface of the safety protection module to transmit the data, and if what is transmitted is a key ASDU, controlling the safety protection module to enter a challenge waiting state.
  2. The method for implementing a security mechanism according to claim 1, wherein in S20, the configuration interface of the safety protection module is configured to: provide the safety protection module, as a callback function, with the detection interface for link layer communication abnormality of each protocol; provide the safety protection module, as a callback function, with the link layer data transmission interface of each protocol; and set the related parameters of the safety protection module, which is done through a parameter setting interface.
  3. The method for implementing a security protection mechanism by using a multiprotocol architecture according to claim 1, wherein in S30, the logic for processing ASDU data is as follows: judging whether the data is key negotiation data, and if so, ending the flow after sending the key negotiation response; if not, judging whether the data is challenge data, and if so, sending response data and ending the flow; if not, judging whether the data is response data, and if so, verifying the response and, if the response passes verification, passing the authenticated ASDU to the protocol layer and ending the flow; if not, judging whether the ASDU data is key ASDU data, and if so, sending challenge data and then waiting for a response, and if not, passing the ASDU to the protocol layer and ending the flow.
  4. The method for implementing a security protection mechanism according to claim 1, wherein in S40, the security state monitoring logic is: judging whether the response timer has timed out, and if so, generating a timer timeout event and ending the flow after processing the event; if not, judging whether the timer timeout counter has overflowed, and if so, generating a timeout counter overflow event and ending the flow after processing the event; if not, judging whether the verification failure counter has overflowed, and if so, generating a failure counter overflow event and ending the flow after processing the event; if not, judging whether the expected key change has timed out, and if so, generating a key change event and ending the flow after processing the event.
  5. The method for implementing a security protection mechanism by using a multiprotocol architecture according to claim 1, wherein in S50, the logic for obtaining the flow stop state is: judging whether challenge data is being waited for, and if so, returning the state that the protocol flow needs to be stopped and ending the flow; if not, judging whether response data is being waited for, and if so, returning the state that the protocol flow needs to be stopped and ending the flow; otherwise, returning the state that the protocol flow does not need to be stopped.
  6. The method for implementing a security protection mechanism by using a multiprotocol architecture according to claim 1, wherein in S60, the ASDU data sending logic is: judging whether the data is an ASDU or not; if the data is not the ASDU, directly transmitting the data and ending the flow; and if the data is the ASDU, entering a challenge waiting state after the data is transmitted, and ending the flow.
  7. The method for implementing a security mechanism in a multi-protocol architecture according to claim 1, wherein the plurality of protocols includes at least two of the IEC 60870-5-101, IEC 60870-5-102, IEC 60870-5-103, IEC 60870-5-104, and DNP3 protocols.
  8. The method for implementing a security mechanism in a multiprotocol architecture according to claim 2, wherein the parameters of the safety protection module include a timeout time, a critical ASDU configuration, and a threshold.
  9. A computer readable storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 8.
  10. An electronic terminal, characterized by comprising a processor and a memory; the memory is configured to store a computer program, and the processor is configured to execute the computer program stored in the memory, to cause the terminal to perform the method according to any one of claims 1 to 8.
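
The receive, stop-state and send logic of claims 3, 5 and 6, placed behind the callback registration of claim 2, as an added C example that is not code from the patent. Every identifier (`sec_module`, `asdu_kind`, `sec_process_asdu` and the rest) is hypothetical; the one-byte message bodies and the `verify` callback are placeholders for real IEC 62351-5 messages and a MAC check from a vetted crypto library, and the caller is assumed to have classified the incoming ASDU already. Holding a key ASDU until the response verifies, dropping unsolicited responses, the length check and refusing to send while the flow is stopped are added guards, not wording from the claims.

```c
#include <stdint.h>
#include <string.h>
/* Added example: all names are hypothetical, not taken from the patent. */
typedef enum { K_KEYNEG, K_CHALLENGE, K_RESPONSE, K_CRITICAL, K_NORMAL } asdu_kind;
typedef enum { SEC_IDLE, SEC_WAIT_CHALLENGE, SEC_WAIT_RESPONSE } sec_state;
typedef struct {  /* callbacks are registered by the protocol module at init (S20) */
    int  (*link_send)(const uint8_t *buf, size_t len);
    void (*deliver)(const uint8_t *buf, size_t len); /* ASDU up to the protocol layer */
    int  (*verify)(const uint8_t *resp, size_t len); /* MAC check, nonzero = valid */
    sec_state state;
    uint8_t held[255]; size_t held_len;  /* key ASDU parked until authenticated */
} sec_module;
/* Placeholder bodies: real messages carry a nonce, a MAC and key material. */
static const uint8_t KEYNEG_RSP[] = {1}, CHALLENGE[] = {2}, RESPONSE[] = {3};

/* S30: returns 1 when an ASDU reached the protocol layer, else 0. */
int sec_process_asdu(sec_module *m, asdu_kind kind, const uint8_t *buf, size_t len) {
    switch (kind) {
    case K_KEYNEG: m->link_send(KEYNEG_RSP, sizeof KEYNEG_RSP); return 0;
    case K_CHALLENGE:
        m->link_send(RESPONSE, sizeof RESPONSE);
        if (m->state == SEC_WAIT_CHALLENGE) m->state = SEC_IDLE;
        return 0;
    case K_RESPONSE:  /* fail closed: unsolicited or invalid responses deliver nothing */
        if (m->state != SEC_WAIT_RESPONSE || !m->verify(buf, len)) return 0;
        m->state = SEC_IDLE;
        m->deliver(m->held, m->held_len); m->held_len = 0; return 1;
    case K_CRITICAL:
        if (len > sizeof m->held) return 0;  /* drop rather than overflow */
        memcpy(m->held, buf, len); m->held_len = len;
        m->link_send(CHALLENGE, sizeof CHALLENGE);
        m->state = SEC_WAIT_RESPONSE; return 0;
    default: m->deliver(buf, len); return 1;
    }
}

/* S50: nonzero while a challenge or response is outstanding. */
int sec_flow_must_stop(const sec_module *m) { return m->state != SEC_IDLE; }

/* S60: a key ASDU leaves the module waiting for the peer's challenge. */
int sec_send_asdu(sec_module *m, int critical, const uint8_t *buf, size_t len) {
    if (sec_flow_must_stop(m)) return -1;  /* added guard: no sends while paused */
    int rc = m->link_send(buf, len);
    if (rc == 0 && critical) m->state = SEC_WAIT_CHALLENGE;
    return rc;
}
/* Constructed test doubles for the link layer, protocol layer and MAC check. */
int sent, delivered;
int stub_send(const uint8_t *b, size_t n) { (void)b; (void)n; sent++; return 0; }
void stub_deliver(const uint8_t *b, size_t n) { (void)b; (void)n; delivered++; }
int stub_verify(const uint8_t *b, size_t n) { return n == 1 && b[0] == 0xAA; }
```

Because the state lives in `sec_module` and the link layer is reached only through the registered callbacks, each protocol module (101, 104, DNP3 and so on) would create its own instance and share this one code path.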

Description

Method, medium and terminal for realizing safety protection mechanism by multi-protocol architecture

Technical Field

The invention belongs to the technical field of communication security of power systems, and particularly relates to a method, medium and terminal for realizing a safety protection mechanism by a multi-protocol architecture.

Background

With the development of intelligent, networked power systems, communication networks face increasingly severe security threats. To ensure the integrity and authentication security of power monitoring system communications, the International Electrotechnical Commission (IEC) has established the IEC 62351 series of standards. The IEC 62351-5 standard defines a security extension mechanism for the IEC 60870-5 series and its derivative protocols (such as IEC 60870-5-101, IEC 60870-5-102, IEC 60870-5-103, IEC 60870-5-104, DNP3 and the like). The security extension mechanism comprises a verification mechanism and a session key negotiation mechanism. The verification mechanism is based on challenge-response: the challenge is a random number (nonce) or a unique time-sensitive value generated by the verifier (such as a master station or a client) and sent to the verified party (such as a terminal device or a server); the response is signature data that the verified party generates after receiving the challenge value, by encrypting or by calculating a Message Authentication Code (MAC) with a pre-shared key or a digital certificate, and it is used to prove that the verified party holds a legitimate key. The session key negotiation mechanism aims to prevent attacks such as data tampering and masquerading.
In prior art solutions, the security protection mechanism specified by IEC 62351-5 (such as authentication challenge and key negotiation) is generally embedded directly into the original architecture of each specific communication protocol (such as IEC 60870-5-101, IEC 60870-5-102, IEC 60870-5-103, IEC 60870-5-104, DNP3, etc.). That is, each protocol needs to implement a complete set of security processing logic independently, including functional modules such as key negotiation, authentication challenge for key Application Service Data Units (an ASDU is used for transmitting information, and its structure includes a data unit identifier and information objects), and security state maintenance. This approach of one security implementation per protocol can meet basic security requirements, but it has obvious defects. First, developers are required to be proficient in both the details of a specific protocol and complex security cryptography, so the development threshold is high, the cycle is long, the personnel investment is large, and the software cost is high. Second, when the same device or system needs to support multiple protocols, each protocol carries its own security module with similar functions, which causes serious code and functional redundancy, increases storage space usage, and may affect system operating efficiency. Finally, because the security logic is dispersed across the protocol implementations, any bug fix, functional upgrade or parameter adjustment to the security mechanism has to be carried out one by one in every protocol version, so the maintenance workload is high, efficiency is low, and inconsistent or omitted modifications occur very easily, which in the end makes product quality difficult to guarantee and increases maintenance cost.
Therefore, how to let multiple protocols share one set of security protection mechanism, so as to reduce software cost and improve operation and maintenance efficiency, is a problem to be solved by those skilled in the art.

Disclosure of Invention

In view of the defects of the prior art, the invention aims to provide a method for realizing a safety protection mechanism by a multi-protocol architecture, so as to solve the problems of high software cost and low operation and maintenance efficiency that arise in the prior art because a plurality of protocols in a power system cannot share one set of safety protection mechanism.

In order to solve the above technical problems, the invention adopts the following technical scheme:

In a first aspect, the present invention provides a method for implementing a security protection mechanism by using a multiprotocol architecture, including the following steps:

S10, defining a safety protection module independent of each protocol, and defining a universal interface set between the safety protection module and a plurality of protocol modules;
S20, when a protocol module is initialized, calling a configuration interface of the safety protection module, and registering protocol-related parameters and the link layer data receiving and transmitting interfaces with the safety protection module as callback functions;
S30, after receiving an applicatio