CN-122001618-A - Method and system for realizing power password definition protocol stack based on information flow interference-free

Abstract

The invention provides a method and a system for realizing a power password definition protocol stack based on information flow non-interference. Based on the subject grade of a transmitting end and the object grade of the data to be transmitted, an information flow label marking the security grade of the data is added to the data to be transmitted by an information flow non-interference rule layer; a power password adapted to the object grade is selected by a power password definition layer, and the data to be transmitted is encrypted with that power password to generate a ciphertext; a protocol stack layering adaptation layer directs the ciphertext to a specific transmission channel and encapsulates it according to a set transmission protocol to form a security message; and the security message is transmitted through the specific transmission channel. The invention constructs for the power system a three-in-one security protocol stack framework consisting of an information flow non-interference rule layer, a power password definition layer and a protocol stack layering adaptation layer, performs security grade division, and adds information flow labels and adapted power passwords, so that safe and stable operation of the power system can be ensured.

Inventors

  • CHEN LU
  • LU ZIANG
  • FANG WENGAO
  • CHEN LIANG
  • ZHAO XINJIAN
  • WANG TENGYAN
  • ZHANG SONG
  • MA YUANYUAN
  • WU ZICHENG
  • DAI ZAOJIAN
  • LI NIGE
  • LI YONG

Assignees

  • 中国电力科学研究院有限公司
  • 国网江苏省电力有限公司
  • 国网江苏省电力有限公司信息通信分公司
  • 国家电网有限公司

Dates

Publication Date
20260508
Application Date
20251225

Claims (13)

  1. A method for realizing a power cipher definition protocol stack based on information flow non-interference, characterized by comprising the following steps: based on the subject grade of a transmitting end and the object grade of data to be transmitted, adding to the data to be transmitted, by means of an information flow non-interference rule layer, an information flow label marking the security grade of the data; selecting, by means of a power password definition layer, a power password matched to the object grade, and encrypting the data to be transmitted with the power password to generate a ciphertext; directing the ciphertext to a specific transmission channel by means of a protocol stack layering adaptation layer, and encapsulating it according to a set transmission protocol to form a security message; and sending the security message through the specific transmission channel.
  2. The method of claim 1, wherein the subject grade and the object grade are obtained by security classification of core data and interacting subjects in a power system based on a power information security level protection standard; the subject grades are divided into H-level, M-level and L-level subjects, wherein the H-level subject comprises a core control node, the M-level subject comprises an area control device, and the L-level subject comprises a terminal device; the object grades are divided into H-level, M-level and L-level objects, wherein the H-level object comprises a scheduling instruction and/or a relay protection fixed value, the M-level object comprises power distribution terminal state data and/or new energy grid-connected power data, and the L-level object comprises power consumption information acquisition data and/or equipment operation and maintenance logs.
  3. The method of claim 2, wherein adding to the data to be transmitted, by means of the information flow non-interference rule layer, an information flow label marking the security grade of the data, based on the subject grade of the transmitting end and the object grade of the data to be transmitted, comprises: based on the subject grade of the transmitting end and the object grade of the data to be transmitted, matching a data-subject-service scene mapping table in the information flow non-interference rule layer, and determining that the data of the subject grade transmitted by equipment of the subject grade belongs to a legal data flow direction and conforms to a non-interference rule; and adding, in the information flow non-interference rule layer, an information flow label marking the data security grade to the data to be transmitted; wherein the information flow label occupies 2 bytes.
  4. The method of claim 3, wherein the non-interference rule comprises at least one of: a physical layer rule, that the data of H-level objects is transmitted over a dedicated channel, while the data of M-level objects and L-level objects share a channel but their corresponding sub-frequency bands are independent; a data link layer rule, that if the subject level of the sending end is higher than the subject level of the receiving end and an illegal transmission exists according to the data security grade in the information flow label, the receiving end refuses to receive the data; a network layer rule, that data streams with a legal flow direction are allowed to be forwarded and data streams with an illegal flow direction are prohibited from being forwarded; and transport layer and application layer rules, that an access control matrix exists for subjects and data to restrict cross-level access.
  5. The method of claim 3 or 4, wherein selecting, by means of the power password definition layer, a power password adapted to the object grade, and encrypting the data to be transmitted with the power password to generate the ciphertext, comprises: invoking a scene password algorithm pool in the power password definition layer, and selecting an encryption algorithm and an integrity check algorithm for the current transmission scene in which the object data is located; retrieving a scene key of the current transmission scene from a three-level key system of the power password definition layer, and generating a session key for transmission from the scene key; in the power password definition layer, encrypting the data to be transmitted with the encryption algorithm and the session key to obtain a ciphertext; and generating a check value from the ciphertext using the integrity check algorithm.
  6. The method of claim 5, wherein the password algorithm pool includes algorithms adapted to different transmission scenes, wherein the algorithms adapted to the H-level scene include an SM4 symmetric encryption algorithm and an SM3 integrity check algorithm, the algorithms adapted to the M-level scene include an SM2 asymmetric encryption algorithm and an SM3 integrity check algorithm, and the algorithms adapted to the L-level scene include a lightweight SM4 encryption algorithm; the three-level key system comprises a root key corresponding to the H-level scene, a region key corresponding to the M-level scene and a terminal key corresponding to the L-level scene, wherein the root key is stored in a hardware security module, the region key is generated based on the root key, and the terminal key is generated based on the region key.
  7. The method of claim 6, wherein directing the ciphertext to a specific transmission channel by means of the protocol stack layering adaptation layer and encapsulating it according to a set transmission protocol to form a security message comprises: in the physical layer of the protocol stack layering adaptation layer, directing the ciphertext to a specific transmission channel and performing physical layer frame check sequence encryption preprocessing on the ciphertext; in the data link layer of the protocol stack layering adaptation layer, embedding the information flow label in the Ethernet frame header and adding the check value to the Ethernet frame trailer to form a data link layer frame of the ciphertext; in the network layer of the protocol stack layering adaptation layer, extending a power security option header and adding the information flow grade, an identifier of the encryption algorithm and an index of the session key to the power security option header to form a network layer message; in the transport layer of the protocol stack layering adaptation layer, adding to the network layer message a flag indicating that the non-interference check has passed, to form a transport layer message; and in the application layer of the protocol stack layering adaptation layer, adding a security extension field to the transport layer message to form the security message, wherein the security extension field is used to indicate the result of the non-interference check and that encryption has been completed.
  8. A system for implementing a power cipher definition protocol stack based on information flow non-interference, comprising: the system comprises a layer processing module, a power password definition layer, a protocol stack layering adaptation layer, a security message and a data transmission module, wherein the layer processing module is used for adding, by means of an information flow non-interference rule layer, an information flow label marking the security grade of the data to be transmitted, based on the subject grade of a transmitting end and the object grade of the data to be transmitted; and the sending module is used for sending the security message through the specific transmission channel.
  9. A method for realizing a power cipher definition protocol stack based on information flow non-interference, characterized by comprising the following steps: at the receiving end, extracting a ciphertext from the received security message by means of a protocol stack layering adaptation layer; decrypting and restoring the ciphertext, by means of a power password definition layer, based on the session key adapted to the ciphertext, to obtain a plaintext; and clearing the information flow label in the plaintext by means of the information flow non-interference rule layer to obtain final plaintext data.
  10. The method of claim 9, wherein extracting, at the receiving end, the ciphertext from the received security message by means of the protocol stack layering adaptation layer comprises: the receiving end decrypting the frame check sequence of the received security message in the physical layer of the protocol stack layering adaptation layer to obtain a physical layer decrypted message; in the data link layer of the protocol stack layering adaptation layer, extracting the information flow label from the physical layer decrypted message, verifying that the information flow label passes the non-interference check, and performing integrity verification on the check value in the physical layer decrypted message; in the network layer of the protocol stack layering adaptation layer, parsing the power security option header in the data link layer decrypted message to obtain option header information comprising the information flow grade, the identifier of the encryption algorithm and the index of the session key; in the transport layer of the protocol stack layering adaptation layer, retrieving the session key after reading the flag indicating that the non-interference check has passed, to obtain a transport layer message; and in the application layer of the protocol stack layering adaptation layer, parsing the security extension field, determining that the transport layer message is a compliant security message, and stripping the security extension field from the transport layer message to obtain the ciphertext.
  11. The method of claim 10, wherein decrypting the ciphertext, by means of the power password definition layer, based on the session key adapted to the ciphertext, to obtain the plaintext comprises: in the power password definition layer, invoking the session key to decrypt and restore the ciphertext to obtain the plaintext; and performing an integrity check on the ciphertext to obtain an integrity check result.
  12. The method of claim 11, wherein clearing the information flow label in the plaintext by means of the information flow non-interference rule layer to obtain the final plaintext data comprises: verifying, using the data-subject-service scene mapping table in the information flow non-interference rule layer, that the ciphertext belongs to a legal data flow direction and conforms to the non-interference rule; and clearing the information flow label in the plaintext to obtain the final plaintext data.
  13. A system for implementing a power cipher definition protocol stack based on information flow non-interference, comprising: a receiving module, used for receiving the security message; the system comprises a layer processing module, a power cipher definition layer, a message flow non-interference rule layer and a message flow rule layer, wherein the layer processing module is used for extracting, at the receiving end, a ciphertext from the security message by means of a protocol stack layering adaptation layer, decrypting and restoring the ciphertext by means of the power cipher definition layer based on the session key adapted to the ciphertext to obtain a plaintext, and clearing the message flow label from the plaintext by means of the message flow non-interference rule layer to obtain final plaintext data.
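
The sender-side label check of claim 3, the data link layer rule of claim 4 and the algorithm pool of claim 6, as an added Python example that is not part of the patent text. The 2-byte label layout, the `flow_is_legal` rule standing in for the data-subject-service scene mapping table, and all function names are assumptions; algorithm names are only looked up and no encryption is performed.

```python
from __future__ import annotations
import struct
from enum import IntEnum

class Level(IntEnum):
    """Security grades shared by subjects (devices) and objects (data)."""
    L = 1  # terminal device / consumption data, O&M logs
    M = 2  # area control device / distribution terminal state data
    H = 3  # core control node / scheduling instructions

# Claim 6 algorithm pool: (encryption, integrity check) per object grade.
# The claim lists no integrity algorithm for the L-level scene.
ALGORITHM_POOL = {
    Level.H: ("SM4", "SM3"),
    Level.M: ("SM2", "SM3"),
    Level.L: ("lightweight SM4", None),
}

def flow_is_legal(subject: Level, obj: Level) -> bool:
    # ASSUMPTION standing in for the mapping table: a device may only
    # originate data at or below its own grade.
    return obj <= subject

def make_label(subject: Level, obj: Level) -> bytes:
    """Sender side (claim 3): check the flow, then emit the 2-byte label."""
    if not flow_is_legal(subject, obj):
        raise PermissionError(f"{subject.name} subject may not send {obj.name} data")
    # ASSUMED layout: byte 0 = sender subject grade, byte 1 = object grade.
    return struct.pack("BB", subject, obj)

def parse_label(tag: bytes) -> tuple[Level, Level]:
    if len(tag) != 2:
        raise ValueError("information flow label must be exactly 2 bytes")
    subject, obj = struct.unpack("BB", tag)
    return Level(subject), Level(obj)  # ValueError on unknown grade values

def receiver_accepts(tag: bytes, receiver: Level) -> bool:
    """Data link layer rule (claim 4); malformed labels are refused."""
    try:
        sender, obj = parse_label(tag)
    except ValueError:
        return False
    if not flow_is_legal(sender, obj):
        return False  # a label the sender-side check could never have produced
    # Refuse when a higher-grade sender pushes data graded above the receiver.
    return not (sender > receiver and obj > receiver)

def select_algorithms(tag: bytes) -> tuple[str, str | None]:
    """Pick the pool entry from the labelled object grade."""
    return ALGORITHM_POOL[parse_label(tag)[1]]
```

Parsing the label strictly and refusing anything malformed matters here because every later layer (algorithm choice, key index, forwarding) keys off these two bytes.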

Description

Method and system for realizing power password definition protocol stack based on information flow interference-free

Technical Field

The invention relates to the technical field of security defense of power systems, and in particular to a method and a system for realizing a power password definition protocol stack based on information flow non-interference.

Background

The power system is a key infrastructure, and its communication network carries core data such as scheduling instructions, equipment state monitoring and electricity consumption information acquisition. Once it suffers a security attack, the stable operation of the power grid, and even public security, is directly threatened. With the promotion of the "double-carbon" target, the power system is being transformed towards digitalization and intelligence; scenarios such as new energy grid connection and distributed power distribution are increasing, the number of communication nodes is growing, the complexity of data interaction is rising, and the limitations of the existing security protocol stack are increasingly evident. Power data has a definite security level division: for example, a scheduling instruction is of high security level, and power consumption statistical data is of medium security level. However, the existing protocol stack can only realize end-to-end encryption and does not control the information interaction between data of different security levels, which affects the safe and stable operation of the power system.
Disclosure of Invention

In order to overcome the defect that the current protocol stack can only realize end-to-end encryption and does not control the information interaction between data of different security levels, which affects the safe and stable operation of the power system, the invention provides a method for realizing a power password definition protocol stack based on information flow non-interference, comprising the following steps: based on the subject grade of a transmitting end and the object grade of data to be transmitted, adding to the data to be transmitted, by means of an information flow non-interference rule layer, an information flow label marking the security grade of the data; selecting, by means of a power password definition layer, a power password matched to the object grade, and encrypting the data to be transmitted with the power password to generate a ciphertext; directing the ciphertext to a specific transmission channel by means of a protocol stack layering adaptation layer, and encapsulating it according to a set transmission protocol to form a security message; and sending the security message through the specific transmission channel.
Optionally, the subject grade and the object grade are obtained by security classification of core data and interacting subjects in the power system based on a power information security level protection standard; the subject grades are divided into H-level, M-level and L-level subjects, wherein the H-level subject comprises a core control node, the M-level subject comprises an area control device, and the L-level subject comprises a terminal device; the object grades are divided into H-level, M-level and L-level objects, wherein the H-level object comprises a scheduling instruction and/or a relay protection fixed value, the M-level object comprises power distribution terminal state data and/or new energy grid-connected power data, and the L-level object comprises power consumption information acquisition data and/or equipment operation and maintenance logs.

Optionally, adding to the data to be transmitted, by means of the information flow non-interference rule layer, an information flow label marking the security grade of the data, based on the subject grade of the transmitting end and the object grade of the data to be transmitted, includes: based on the subject grade of the transmitting end and the object grade of the data to be transmitted, matching a data-subject-service scene mapping table in the information flow non-interference rule layer, and determining that the data of the subject grade transmitted by equipment of the subject grade belongs to a legal data flow direction and conforms to a non-interference rule; and adding, in the information flow non-interference rule layer, an information flow label marking the data security grade to the data to be transmitted; wherein the information flow label occupies 2 bytes.
Optionally, the non-interference rule includes at least one of the following: a physical layer rule, that the data of H-level objects is transmitted over a dedicated channel, while the data of M-level objects and L-level objects share a channel but their corresponding sub-frequency bands are independent; a data link layer rule, that if the main body level of the sending end is higher than the main