Search

CN-122027302-A - Encryption method and system based on cryptographic algorithm

CN122027302ACN 122027302 ACN122027302 ACN 122027302ACN-122027302-A

Abstract

The invention provides an encryption method and system based on a national encryption algorithm, wherein physical layer characteristic information of electric power terminal equipment and topology structure information of a current network are used as session context parameters, a potential attack path is simulated through a network security deduction engine based on the session context parameters, a security policy constraint set aiming at the current communication session is output, a session master key is generated based on the security policy constraint set and the session context parameter negotiation, communication load data is encrypted by an SM4 national encryption block cipher algorithm based on the session master key to obtain encrypted communication data, a communication package containing dynamic verification factors is generated based on the encrypted communication data and the security policy constraint set, decryption and integrity verification are completed by combining the session master key and the dynamic verification factors at a receiving end based on the communication package, and original communication load data is obtained. The invention improves the anti-attack capability and the key life cycle safety of the communication system in the power industry.

Inventors

  • CHEN JINGCAI
  • SU XUN
  • WANG HAILEI
  • YI CHAO

Assignees

  • 深圳市海雷新能源股份有限公司

Dates

Publication Date
20260512
Application Date
20260226

Claims (10)

  1. 1. An encryption method based on a cryptographic algorithm is characterized by comprising the following steps: the physical layer characteristic information of the power terminal equipment and the topology structure information of the current network are taken as session context parameters, potential attack paths are simulated through a network security deduction engine based on the session context parameters, and a security policy constraint set aiming at the current communication session is output; Negotiating with the session context parameters to generate a session master key based on the security policy constraint set; Encrypting communication load data by adopting an SM4 national cipher block cipher algorithm based on the session master key to obtain encrypted communication data, and generating a communication package containing a dynamic verification factor based on the encrypted communication data and the security policy constraint set; And based on the communication packet, the decryption and the integrity verification are completed by utilizing the session master key and the dynamic verification factor at the receiving end to obtain the original communication load data.
  2. 2. The cryptographic method based on the cryptographic algorithm of claim 1, wherein the step of obtaining the security policy constraint set comprises: analyzing the physical access point, the link medium type and the topological adjacent relation of the adjacent network node of the power terminal equipment in the current network based on the physical layer characteristic information and the topological structure information to obtain a communication reachability view of the power terminal equipment in the current network; path enumeration is carried out based on the communication reachability view, and all end-to-end communication paths from the external network boundary nodes to the power terminal equipment are identified; Based on the intermediate network nodes and the corresponding protocol interaction capability of each path in the end-to-end communication paths, carrying out protocol stack exposure surface analysis, and identifying the communication protocol and service port actually started by each intermediate node on a data link layer, a network layer and a transmission layer; and performing known vulnerability matching based on the combination state of the protocol and the service port to obtain the security policy constraint set.
  3. 3. The encryption method based on the cryptographic algorithm of claim 2, wherein the performing known vulnerability matching based on the combination status of the protocol and the service port to obtain the security policy constraint set includes: Based on the combination state of the protocol and the service port, known vulnerability matching is carried out, intermediate nodes with available security defects are screened out, and a potential attack springboard node set is obtained; Performing attack phase division based on the potential attack gangboard node set and the position sequence of the potential attack gangboard node set in the corresponding communication path so as to decompose each communication path into a plurality of phases, wherein the plurality of phases comprise an initial intrusion phase, a transverse movement phase and a target contact phase; performing attack action sequence modeling based on protocol interaction behaviors and state transition conditions which are required to be completed by an attacker in each stage, and generating multi-stage attack flow description corresponding to each path; and carrying out attack feasibility verification based on the pre-success conditions and the state dependency relations required by each stage in the multi-stage attack flow description to obtain the security policy constraint set.
  4. 4. The encryption method based on the cryptographic algorithm according to claim 3, wherein the performing attack feasibility verification based on the pre-success condition and the state dependency relationship required by each stage in the multi-stage attack flow description, to obtain the security policy constraint set, includes: based on the pre-success conditions and state dependency relations required by each stage in the multi-stage attack flow description, carrying out attack feasibility verification, and eliminating attack flows which cannot be completed due to lack of necessary protocol support, unreachable states or physical isolation, so as to obtain residual feasible attack flows; carrying out attack path convergence based on the residual feasible attack flow, and merging paths with the same key springboard node and similar protocol utilization modes to obtain a target attack path set; Based on the key springboard node, the protocol utilization point and the state transition trigger point of each path in the target attack path set, carrying out defending intervention opportunity identification, and determining target intervention opportunities capable of implementing active blocking or behavior restriction in the process of communication session establishment, data exchange or session maintenance; and performing defensive action mapping based on the target intervention opportunity to obtain the security policy constraint set.
  5. 5. The cryptographic method based on a cryptographic algorithm of claim 4, wherein the performing defensive action mapping based on the target intervention occasion to obtain the security policy constraint set comprises: performing defensive action mapping based on the target intervention opportunities to associate each target intervention opportunity to a corresponding communication control mechanism, wherein the communication control mechanism comprises a connection direction limit, a protocol field validity check and a session state machine constraint; Constructing a session-level policy element based on the communication control mechanism, the protocol type, the interaction mode and the expected life cycle of the current communication session, and generating a group of policy control elements directly bound with the current communication context, wherein the policy control elements comprise an allowed communication direction, a forbidden protocol field value range, a session maximum duration and an abnormal interaction response mode; Carrying out policy structured packaging based on the policy control element to obtain a security policy constraint item; and carrying out policy consistency verification based on the security policy constraint item to obtain a security policy constraint set.
  6. 6. The encryption method based on the cryptographic algorithm according to claim 5, wherein the performing policy consistency check based on the security policy constraint item to obtain a security policy constraint set includes: Performing policy consistency verification based on the security policy constraint items, so that all constraints do not conflict with each other in terms of protocol semantics, time sequence logic and resource availability and can take effect simultaneously; performing policy scope definition based on the verified security policy constraint items to limit each constraint item to the source destination node pair, protocol session identification and communication load type range of the current communication session; Performing policy output integration based on a security policy constraint item set limited by a scope so as to classify all constraint items according to a communication stage to obtain a stage classification result, wherein the stage classification result comprises a communication establishment stage, a data transmission stage and a communication termination stage; And outputting the security policy constraint set based on the stage classification result and the corresponding execution triggering condition.
  7. 7. The cryptographic algorithm-based encryption method according to any one of claims 1 to 6, wherein the generating a communication packet including a dynamic authentication factor based on the encrypted communication data and the security policy constraint set comprises: Based on the session maximum duration and the communication direction permission state in the security policy constraint set, extracting a creation time stamp and an allowed data stream of a current communication session, and splicing based on the session running duration calculated by the creation time stamp and the current system time, the allowed data stream and the last ciphertext packet of the encrypted communication data to obtain a byte sequence; Performing SM3 password hash operation on the byte sequence to obtain a 256-bit dynamic verification factor, taking the encrypted communication data as a main body, and generating an initial packet load body by taking the dynamic verification factor added to the encrypted communication data as an auxiliary factor; Based on the abnormal interaction response mode in the security policy constraint set, determining a response type to be adopted by a receiving end when verification fails, and inserting a control code which is coded into 1 byte by the response type into the initial position of the initial packet load body to obtain a target packet load body; And carrying out communication package packaging operation on the target package loading body according to a communication protocol format adopted by the power terminal to obtain the communication package.
  8. 8. A cryptographic system based on a cryptographic algorithm, applied to the cryptographic method based on a cryptographic algorithm as recited in any one of claims 1 to 7, the cryptographic system based on a cryptographic algorithm comprising: the security constraint module is used for simulating a potential attack path through the network security deduction engine based on session context parameters by taking physical layer characteristic information of the power terminal equipment and topology structure information of a current network as session context parameters and outputting a security policy constraint set for the current communication session; The key negotiation module is used for negotiating with the session context parameters to generate a session master key based on the security policy constraint set; The national encryption module is used for encrypting the communication load data by adopting an SM4 national encryption block cipher algorithm based on the session master key to obtain encrypted communication data, and generating a communication package containing a dynamic verification factor based on the encrypted communication data and the security policy constraint set; And the encryption transmission module is used for completing decryption and integrity verification by combining the session master key and the dynamic verification factor at a receiving end based on the communication packet to obtain original communication load data.
  9. 9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the cryptographic algorithm-based encryption method of any one of claims 1 to 7 when the program is executed by the processor.
  10. 10. A non-transitory computer readable storage medium having stored therein a computer software program, wherein the processor implements the cryptographic algorithm-based encryption method of any one of claims 1 to 7 when executing the program.

Description

Encryption method and system based on cryptographic algorithm Technical Field The invention relates to the technical field of computers, in particular to an encryption method and system based on a cryptographic algorithm. Background In the network security protection system of the current power industry, one common encryption communication method is a symmetric encryption mechanism based on a pre-shared key (PSK). The method is generally that the two communication parties pre-configure the same secret key in the system deployment stage, and the secret key is used for encrypting and decrypting the communication content in the subsequent data transmission process. However, this method has a significant technical disadvantage in that once the pre-shared key is compromised or reverse cracked in any one of the terminal devices, the security of the entire communication link is completely destroyed and dynamic updating and isolation control of the key cannot be achieved. Especially in high security requirement scenes such as power dispatching, remote monitoring of a transformer substation and the like, static keys are difficult to cope with continuously evolving network attack means, so that the system faces long-term and global security risks. Therefore, there is a need for an encryption method that can be dynamically generated, securely distributed, and provided with anti-leakage capabilities to address the static and vulnerability issues inherent in pre-shared key mechanisms. Disclosure of Invention The invention provides an encryption method and an encryption system based on a national encryption algorithm, which are used for fundamentally solving the problem of global security risk caused by static state of a pre-shared secret key mechanism and improving the anti-attack capability and secret key life cycle security of a communication system in the power industry. In a first aspect, the present invention provides an encryption method based on a cryptographic algorithm, including: the physical layer characteristic information of the power terminal equipment and the topology structure information of the current network are taken as session context parameters, potential attack paths are simulated through a network security deduction engine based on the session context parameters, and a security policy constraint set aiming at the current communication session is output; Negotiating with the session context parameters to generate a session master key based on the security policy constraint set; Encrypting communication load data by adopting an SM4 national cipher block cipher algorithm based on the session master key to obtain encrypted communication data, and generating a communication package containing a dynamic verification factor based on the encrypted communication data and the security policy constraint set; And based on the communication packet, the decryption and the integrity verification are completed by utilizing the session master key and the dynamic verification factor at the receiving end to obtain the original communication load data. In a second aspect, the present invention further provides an encryption system based on a cryptographic algorithm, which is applied to the encryption method based on a cryptographic algorithm according to any one of the first aspect, where the encryption system based on a cryptographic algorithm includes: the security constraint module is used for simulating a potential attack path through the network security deduction engine based on session context parameters by taking physical layer characteristic information of the power terminal equipment and topology structure information of a current network as session context parameters and outputting a security policy constraint set for the current communication session; The key negotiation module is used for negotiating with the session context parameters to generate a session master key based on the security policy constraint set; The national encryption module is used for encrypting the communication load data by adopting an SM4 national encryption block cipher algorithm based on the session master key to obtain encrypted communication data, and generating a communication package containing a dynamic verification factor based on the encrypted communication data and the security policy constraint set; And the encryption transmission module is used for completing decryption and integrity verification by combining the session master key and the dynamic verification factor at a receiving end based on the communication packet to obtain original communication load data. The invention also provides electronic equipment which comprises a memory and a processor, wherein the memory is used for storing a computer software program, and the processor is used for reading and executing the computer software program so as to realize the encryption method based on the cryptographic algorithm. The present invention also provides a non-tra