CN-122001579-A - Smart grid terminal group secure communication method and device based on certificateless public key cryptography

Abstract

The invention relates to the technical field of network security and cryptography, and discloses a smart grid terminal group secure communication method and device based on a certificateless public key cryptography, which comprises three stages of system initialization and registration, key negotiation and communication and fault self-healing, wherein a key generation center constructs certificateless public key cryptosystem parameters of elliptic curve cryptography, a secure gateway performs offline registration, an intelligent terminal performs broadcast registration and is arbitrated and taken over by a group gateway, a layered key negotiation architecture is adopted to realize encrypted communication of a management-gateway layer, a gateway terminal layer and a group broadcast layer, a gateway fault self-healing mechanism of heartbeat detection and arbitration take over is designed, and a device matched with the method is realized. The method eliminates the risks of certificate management and key escrow, adapts to the lightweight operation requirement of the terminal, realizes the dynamic registration of the terminal and the self-healing of gateway faults, improves the broadcasting communication efficiency, combines the high safety, the high availability and the high efficiency of communication, and is suitable for the safety communication scene of the large-scale intelligent power grid terminal group.

Inventors

• LIU YUANLONG
• WANG WENTING
• LIU JING
• LIU XIN
• GUAN TI
• ZHANG QIANG
• ZHANG TIANYU
• CHEN HAO
• LIU LEI
• ZHAO XIAOHONG
• ZHANG KUN
• BAI YINGWEI

Assignees

• 国网山东省电力公司电力科学研究院
• 国网山东省电力公司

Dates

Publication Date

20260508

Application Date

20260309

Claims (10)

1. 1. The smart grid terminal group safety communication method based on the certificate-free public key cipher is characterized by being applied to a smart grid system comprising a data processing center, a key generation center, a plurality of safety gateways and a large number of smart terminals, wherein all the smart terminals and the safety gateways are divided into groups, the plurality of smart terminals and the plurality of safety gateways form groups together, and different groups are logically isolated; the method comprises three stages of system initialization and registration, key negotiation and communication and fault self-healing; the system initialization and registration includes: S1, a key generation center establishes system parameters based on a certificate-free public key cryptosystem of elliptic curve cryptography, wherein the system parameters comprise a system master key and public system parameters; S2, the security gateway to be registered sends a registration request to a key generation center through a secure offline channel, the key generation center sends partial private keys and public system parameters after verifying the identity legitimacy of the security gateway, and sends the security gateway identity information which is successfully registered in the group where the security gateway to be registered is located to the security gateway to be registered, and the security gateway to be registered generates a random master key and constructs a complete public-private key pair; S3, the intelligent terminal locally broadcasts a registration request, a security gateway Zhong Caichu winner in the group verifies the identity of the terminal to a key generation center instead, and the key generation center authorizes the winner to take over the terminal after verification is passed, and the winner sends public system parameters to the intelligent terminal; The key agreement and communication includes: s4, performing two-party authentication key negotiation of a certificate-free public key cipher between the data processing center and the security gateway and between the data processing center and the security gateway, generating a management-gateway layer session key and encrypting communication based on the key; s5, the security gateway and the intelligent terminal taking over are bound with a derived gateway-terminal layer session key through an elliptic curve Diffie-Hellman and an identity to complete lightweight encrypted communication; S6, the security gateway and all intelligent terminals taking over complete group authentication key negotiation, a shared group session key is generated to realize broadcast encryption communication, a message authentication code is added after ciphertext is obtained through the communication, and decryption is carried out after verification of a receiver is passed; The fault self-healing comprises: S7, the security gateway continuously broadcasts light heartbeats, the data processing center triggers a self-healing process after detecting the security gateway fault, healthy security gateways in the group are arbitrated to generate winners, the winners take over intelligent terminals managed by the fault security gateways and reestablish point-to-point key negotiation with the intelligent terminals newly taken over.
2. 2. The smart grid terminal group secure communication method based on the certificateless public key cryptography according to claim 1, wherein the system master key is prime order from an integer elliptic curve Is a multiplicative group of (a) Random number selected in (a) ; The disclosed system parameters include elliptic curve base points Prime order of elliptic curve Public key of system First hash function for identity mapping Second hash function for key derivation Third hash function for key confirmation message generation The elliptic curve base points belong to prime order cyclic groups The first hash function is a hash function mapping binary strings with arbitrary lengths to the prime number order cyclic group The second hash function is a hash function mapping points in the prime order cyclic group to a fixed length binary string The third hash function is a common hash function; And the disclosed system parameters are sent to all registered security gateways and intelligent terminals in the data processing center and the system.
3. 3. The smart grid terminal group secure communication method based on the certificateless public key cryptography according to claim 2, wherein the key generation center stores and maintains a secure gateway pre-registration list and a secure gateway access list, the secure gateway pre-registration list contains identity identifiers and pre-allocation group identifiers of legal but unregistered secure gateways, and the secure gateway access list contains identity identifiers, group identifiers and corresponding partial private keys of successfully registered secure gateways; the partial private key generated by the key generation center is , An identity of the security gateway; random master key of the security gateway For multiplying groups from prime orders of integer modular elliptic curves A random number selected from the group; the complete private key of the security gateway The method consists of a random master key and a partial private key; the public key component of the security gateway is ; Complete public key Consists of an identity of the security gateway and a public key component.
4. 4. The smart grid terminal group secure communication method based on the certificateless public key cryptography according to claim 1, wherein the key generation center stores and maintains a smart terminal pre-registration list and a smart terminal take-over list of each registered secure gateway, the smart terminal pre-registration list contains identity identifiers of legal but unregistered smart terminals, and the smart terminal take-over list contains identity identifiers of smart terminals taken over by the corresponding secure gateway; The step of the security gateway in the group arbitrates and determines the winner is as follows: The security gateways receiving the registration request automatically become candidate security gateways; The candidate security gateway broadcasts self proposals, and collects proposals of other candidate security gateways in a fixed time window, wherein the proposals comprise identity marks, current load rate and timestamp information; And after the fixed time window is exceeded, stopping receiving proposals of other candidate security gateways by the candidate security gateways, calculating scores of the candidate security gateways and all received proposals through a deterministic arbitration scoring function, wherein the highest score of the candidate security gateways is the winner, forwarding a terminal registration request to a key generation center, and ignoring the registration request by the rest gateways.
5. 5. The method of claim 4, wherein if the candidate security gateway generates a plurality of winners through local arbitration, each winner forwards a registration request of the intelligent terminal to the key generation center, and after the key generation center receives the request, if the intelligent terminal is verified to be legal and is not authorized to be registered, the security gateway which forwards the request currently is authorized to take over the intelligent terminal, otherwise, the registration verification request is ignored.
6. 6. The smart grid terminal group secure communication method based on the certificateless public key cryptography according to claim 2, wherein the two-party certification key negotiation of the certificateless public key cryptography includes the steps of: in the first round of communication, a communication party A generates a multiplication group of prime orders of integer modular elliptic curve Interim private key in And calculates a corresponding temporary public key Identity of communication party A is marked Public key component Temporary public key Transmitting to a communication party B; Second round of communication, communication party B generates same-rule temporary private key And calculates a corresponding temporary public key Communication party B recalculates the shared key material , As the random master key of communication party B, By passing through The communication party B derives the session key through a second hash function Generating a key confirmation message via a third hash function Then the identity of the communication party B is identified Public key component Temporary public key Key confirmation message Transmitting to a communication party A; Third round of communication, communication party A calculates shared key material according to the same rule And deriving session keys , Communication party a verifies the key confirmation message of communication party B If the verification fails, the protocol is terminated, and after the verification passes, a key confirmation message of the protocol is generated and sent To communication party B, communication party B authentication After passing the verification, both parties confirm the use of the same session key As the management-gateway layer session key.
7. 7. The smart grid terminal group secure communication method based on the certificateless public key cryptography according to claim 1, wherein the secure gateway and the takeover smart terminal perform key negotiation based on elliptic curve Diffie-Hellman and identity binding derivation by: The communication parties A and B respectively generate temporary private keys in multiplication groups of prime orders of integer modular elliptic curve 、 And calculates a corresponding temporary public key 、 After the two parties exchange the temporary public key, respectively calculating elliptic curve scalar multiplication results of the own temporary private key and the other party temporary public key as a shared secret key material Finally, the shared key material and the identity of both sides are jointly processed through a second hash function to derive a gateway-terminal layer session key 。
8. 8. A smart grid terminal group secure communication method based on a certificateless public key cryptography according to claim 3, wherein when any smart terminal in the group is revoked or abnormally offline, it takes over the gateway to remove it from the active member list and update the shared group session key immediately, the new key is distributed to the remaining legitimate smart terminals only through the point-to-point secure channel, the key generation center updates the long-term key of the secure gateway and re-performs the full-flow key negotiation periodically or upon triggering of a security event.
9. 9. A smart grid terminal group secure communication device based on a certificateless public key cryptography implementing the method according to any one of claims 1 to 8, comprising: The system initialization unit is used for generating and distributing system parameters of a certificate-free public key cryptosystem based on elliptic curve cryptography by the key generation center; the registration management unit is used for executing the flow of authorizing arbitration and taking over of the security gateway offline registration, intelligent terminal online broadcast registration and security gateway in the group; the key negotiation unit is integrated in the security gateway and supports cross-group two-party key negotiation, group broadcast key negotiation and intelligent terminal point-to-point key negotiation; The encryption communication unit is used for encrypting communication data based on the session keys of all levels and attaching a message authentication code, and simultaneously finishing the verification and decryption of the message authentication code of the received ciphertext; The key updating unit is used for triggering each level of key rotation and safety distribution in response to a timing strategy, member change or safety alarm; the fault take-over unit is used for detecting the heartbeat of the security gateway, triggering the fault self-healing process and completing take-over and key negotiation reconstruction of the fault gateway terminal.
10. 10. The intelligent power grid terminal group safety communication device based on the certificateless public key cryptography according to claim 9, wherein the intelligent terminal is an intelligent ammeter, a power distribution terminal or a load monitoring device, the resources are limited, only lightweight elliptic curve cryptography operation and symmetric encryption operation are supported, and the safety gateway is deployed in a station area concentrator, an edge gateway or an FPGA module and is provided with a complete certificateless public key cryptography protocol stack.

Description

Smart grid terminal group secure communication method and device based on certificateless public key cryptography Technical Field The invention relates to the field of cryptography information security, in particular to a smart grid terminal group secure communication method and device based on a certificateless public key cryptography. Background With the deep promotion of smart power grid construction, massive smart terminals (such as smart electric meters, sensors and power distribution terminals) realize data interaction and remote control with a master station system through a communication network. However, the characteristics of huge number of terminals, wide distribution, limited resources and the like bring serious challenges to secure communication. The traditional authentication scheme based on Public Key Infrastructure (PKI) relies on digital certificates, has the problems of complex certificate management, high storage overhead, low verification efficiency and the like, and is difficult to be applied to intelligent terminals with limited resources. While identity-based cryptosystem (IBC) eliminates certificates, its key is completely mastered by a Key Generation Center (KGC), which presents a serious risk of key escrow, and once KGC is compromised, whole network security will be completely disabled. In order to achieve both non-certification and non-key escrow, a non-certification public key cipher (CERTIFICATELESS PUBLIC KEY CRYPTOGRAPHY, CL-PKC) is proposed and applied to the security architecture of the electric power internet of things. The CL-PKC not only avoids certificate management, but also eliminates the problem of key escrow by splitting the private key of the user into a 'partial private key' generated by KGC and a 'secret value' selected by the user. However, existing CL-PKC schemes still face bottlenecks in the smart grid scenario, including first, the terminal registration mechanism does not adapt to the dynamic group architecture. The existing scheme adopts point-to-point registration, and cannot support automatic discovery and joining of the adjacent group after the intelligent terminal is powered on. Especially at the edge of a platform area, when a plurality of security gateways coexist, an effective arbitration mechanism is lacked to determine a unique agent, registration conflict or repeated access is easy to cause, and second, a key negotiation scheme is not adapted to different communication entities in a layering manner. High-security bidirectional authentication is needed between the data processing center and the security gateway, and the intelligent terminal is limited in resource and only needs lightweight encryption. However, the conventional CL-PKC protocol often adopts a unified negotiation mode, or excessively relies on the long-term private key storage of a terminal, or cannot be practically deployed due to factor structure defects (such as inconsistent shared key materials), and third, lacks fault self-healing capability. The security gateway is used as a group core, and once the security gateway fails, the governed terminal loses the security communication capability. The prior art has no effective automatic takeover and key reconstruction mechanism after gateway failure, and the usability of the system is difficult to guarantee. In addition, aiming at broadcast downlink instructions (such as electricity price adjustment and switching-off commands), the existing scheme adopts unicast to encrypt one by one, the communication efficiency is low, and the forward security and the member traceability are difficult to ensure by simple group key distribution. Disclosure of Invention The invention aims to provide a smart grid terminal group secure communication method and device which are oriented to a smart grid and support dynamic group division, hierarchical key negotiation, light-weight terminal access and fault self-healing and are based on a certificate-free public key cipher. The invention aims to achieve the above purpose by the following technical scheme. A smart grid terminal group secure communication method based on a certificate-free public key cipher is applied to a smart grid system comprising a data processing center, a key generation center (Key Generation Center, KGC), a plurality of Security Gateways (SG) and a large number of smart terminals (SMART TERMINAL, ST), wherein all the smart terminals and the Security gateways divide groups, a plurality of smart terminals and a plurality of Security gateways together form groups, and different groups are logically isolated; the method comprises three stages of system initialization and registration, key negotiation and communication and fault self-healing; the system initialization and registration includes: S1, a key generation center establishes system parameters based on a certificate-free public key cryptosystem of Elliptic Curve Cryptography (ECC), wherein the system parameters comprise a system maste