
CN114422118B - Multicast communication key distribution method and system for industrial controller - Google Patents


Info

Publication number
CN114422118B
Authority
CN
China
Prior art keywords
multicast
key
key distribution
information
group
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111555495.0A
Other languages
Chinese (zh)
Other versions
CN114422118A (en
Inventor
陈银桃
马纳
章维
张高达
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongkong Technology Co ltd
Original Assignee
Zhongkong Technology Co ltd
Application filed by Zhongkong Technology Co ltd
Priority to CN202111555495.0A (CN114422118B)
Publication of CN114422118A
Priority to PCT/CN2022/134182 (WO2023109468A1)
Application granted
Publication of CN114422118B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a method and system for distributing multicast communication keys of an industrial controller, applied between a group member and a key distribution server. The method comprises: the group member generates multicast key request information, signs it to obtain first signature information, generates a multicast key request message based on the multicast key request information and the first signature information, and sends it to the key distribution server; according to the multicast key request message, the key distribution server uses the group member device identifier to query its stored multicast group address of the group member and the multicast group communication key, generates a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and sends it to the group member; the group member verifies the multicast communication key distribution message and stores the multicast communication key and the multicast group address contained in a multicast communication key distribution message whose verification result is correct.

Description

Multicast communication key distribution method and system for industrial controller
Technical Field
The invention relates to the technical field of industrial information security, in particular to a method and a system for distributing multicast communication keys of an industrial controller.
Background
A DCS system comprises DCS controllers, operator stations, engineer stations, a configuration server, a historical data server and the like, and an operator station (or engineer station) performs operations such as configuration, data acquisition, command issuing and firmware upgrading on the controller through the relevant communication protocols. The DCS communication network uses several communication modes, including unicast, multicast and broadcast communication. Multicast communication is generally used to deliver a certain type of message to a plurality of objects (for example controller status data, published self-diagnosis information and cooperative control), which reduces communication traffic and improves network communication efficiency. In traditional control systems, multicast communication has no security mechanism such as encrypted communication or identity authentication, and communication information is transmitted in plaintext. The communication process is therefore easy to eavesdrop on, and an attacker can mount a man-in-the-middle attack, forge data packets carrying false status or control instructions, deceive the control nodes or monitoring nodes of the control system, damage the system, and keep the user from discovering the abnormality of the control system in time. From a practical point of view, the security of multicast communication therefore has an important influence on the overall security of the control system, and adding a multicast communication authentication and encryption method suited to the characteristics of control systems has become an urgent problem to be solved.
The control system has high requirements on the real-time performance and reliability of communication; furthermore, the controller has limited computing resources and cannot support computationally heavy security protocols such as TLS/DTLS. On the other hand, traditional equipment mostly uses public-key encryption based on digital certificates for identity authentication, and digital certificates are complicated and inconvenient to maintain in day-to-day system operation.
Disclosure of Invention
(I) Technical problem to be solved
In view of the above drawbacks and shortcomings of the prior art, the present invention provides a method and a system for distributing multicast communication keys of an industrial controller. It solves the technical problems that the multicast communication of a traditional DCS control system cannot establish an effective secure communication mechanism, and that multiple security risks arise because multicast group members are not authenticated and multicast data is not encrypted.
(II) Technical scheme
In order to achieve the above purpose, the main technical scheme adopted by the invention is as follows:
In a first aspect, an embodiment of the present invention provides a method for distributing multicast communication keys of an industrial controller. The method is applied between a group member and a key distribution server, where the group member is any terminal node device participating in multicast communication in a DCS control network, and the method includes:
S1, the group member generates multicast key request information, signs it to obtain first signature information, generates a multicast key request message based on the multicast key request information and the first signature information, and sends the multicast key request message to the key distribution server;
The multicast key request information comprises a group member random number, a group member device identifier and a group member timestamp;
S2, according to the multicast key request message, the key distribution server uses the group member device identifier to query its stored multicast group address of the group member and the multicast group communication key, generates a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and sends the multicast communication key distribution message to the group member;
S3, the group member verifies the multicast communication key distribution message and stores the multicast communication key and the multicast group address contained in a multicast communication key distribution message whose verification result is correct.
Preferably, S1 includes:
S11, the group member generates multicast key request information;
S12, the group member signs the multicast key request information with the private key of the group member device certificate to obtain first signature information;
S13, the group member encrypts the multicast key request information and the first signature information with the root certificate public key of the key distribution server to generate a multicast key request message, and sends the multicast key request message to the key distribution server.
Preferably, S2 includes:
S21, the key distribution server receives the multicast key request message and decrypts it with the private key of its root certificate to obtain the multicast key request information and the first signature information;
S22, the key distribution server uses the device certificate public key to verify whether the first signature information is correct and, if so, records the multicast key request information;
S23, the key distribution server uses the group member device identifier to query the multicast group address of the group member and the multicast group communication key stored in the key distribution server;
S24, if the query succeeds, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, obtains a multicast communication key distribution message from the multicast communication key distribution information, and sends the multicast communication key distribution message to the group member.
Preferably, S24 includes:
S241, the key distribution server generates multicast communication key distribution information based on the group member random number in the multicast key request information, the multicast group address and the multicast group communication key;
The multicast communication key distribution information comprises the group member random number, the group member multicast group address, the multicast communication key and the key distribution server timestamp information;
S242, the key distribution server signs the multicast communication key distribution information with the root certificate private key to obtain second signature information;
S243, the key distribution server encrypts the multicast communication key distribution information and the second signature information with the device certificate public key contained in the group member device certificate to obtain a multicast communication key distribution message, and sends the multicast communication key distribution message to the group member.
Preferably, S3 includes:
S31, the group member receives the multicast communication key distribution message and decrypts it with the private key of the group member device certificate to obtain the second signature information and the multicast communication key distribution information;
S32, the group member uses the root certificate public key to verify whether the second signature information is correct, together with the group member random number and the key distribution server timestamp information contained in the multicast communication key distribution information;
S33, if they are correct, the group member stores the multicast communication key and the multicast group address contained in the multicast communication key distribution information whose verification result is correct.
In another aspect, this embodiment also provides an industrial controller multicast communication key distribution system, which comprises:
A group member, configured to generate multicast key request information, sign it to obtain first signature information, generate a multicast key request message based on the multicast key request information and the first signature information, and send the multicast key request message to the key distribution server;
The multicast key request information comprises a group member random number, a group member device identifier and a group member timestamp;
A key distribution server, configured to use the group member device identifier, according to the multicast key request message, to query its stored multicast group address of the group member and the multicast group communication key, generate a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and send the multicast communication key distribution message to the group member;
The group member is further configured to verify the multicast communication key distribution message and store the multicast communication key and the multicast group address contained in a multicast communication key distribution message whose verification result is correct.
Preferably,
The group member generating multicast key request information, signing it to obtain first signature information, generating a multicast key request message based on the multicast key request information and the first signature information, and sending the multicast key request message to the key distribution server specifically includes:
The group member generates multicast key request information;
The group member signs the multicast key request information with the private key of the group member device certificate to obtain first signature information;
The group member encrypts the multicast key request information and the first signature information with the root certificate public key of the key distribution server to generate a multicast key request message, and sends the multicast key request message to the key distribution server;
The key distribution server using the group member device identifier, according to the multicast key request message, to query its stored multicast group address of the group member and the multicast group communication key, generating a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and sending it to the group member specifically includes:
The key distribution server receives the multicast key request message and decrypts it with the private key of its root certificate to obtain the multicast key request information and the first signature information;
The key distribution server uses the device certificate public key that it stores to verify whether the first signature information is correct and, if so, records the multicast key request information;
The key distribution server uses the group member device identifier to query the multicast group address of the group member and the multicast group communication key stored in the key distribution server;
If the query succeeds, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, obtains a multicast communication key distribution message from the multicast communication key distribution information, and sends the multicast communication key distribution message to the group member;
The group member verifying the multicast communication key distribution message and storing the multicast communication key and the multicast group address contained in a multicast communication key distribution message whose verification result is correct specifically includes:
The group member receives the multicast communication key distribution message and decrypts it with the private key of the group member device certificate to obtain the second signature information and the multicast communication key distribution information;
The group member uses the root certificate public key to verify whether the second signature information is correct, together with the group member random number and the key distribution server timestamp information contained in the multicast communication key distribution information;
If they are correct, the group member stores the multicast communication key and the multicast group address contained in the multicast communication key distribution information whose verification result is correct.
Preferably,
The key distribution server generating multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, obtaining a multicast communication key distribution message from the multicast communication key distribution information, and sending the multicast communication key distribution message to the group member specifically includes:
The key distribution server generates multicast communication key distribution information based on the group member random number in the multicast key request information, the multicast group address and the multicast group communication key;
The multicast communication key distribution information comprises the group member random number, the group member multicast group address, the multicast communication key and the key distribution server timestamp information;
The key distribution server signs the multicast communication key distribution information with the root certificate private key to obtain second signature information;
The key distribution server encrypts the multicast communication key distribution information and the second signature information with the device certificate public key contained in the group member device certificate to obtain a multicast communication key distribution message, and sends the multicast communication key distribution message to the group member.
Preferably,
The key distribution server is further configured to generate multicast communication key update information and to generate a message authentication code (HMAC) of the multicast communication key update information using the multicast communication key; the key distribution server encrypts the multicast communication key update information and the HMAC with the multicast communication key and sends the result to the group members as a multicast communication key update message;
The multicast communication key update information comprises a key update timestamp and a multicast communication update key;
The group member is further configured to, after receiving the multicast communication key update message, decrypt it with the multicast communication key, obtain and verify the multicast communication key update information and the HMAC and, if they are correct, use the multicast communication update key in the multicast communication key update information as the new multicast communication key.
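The key update described above, as an added Go sketch that is not part of the patent: the server wraps a timestamp and the update key in an HMAC and encrypts both under the current multicast key, and the member installs the update key only after the HMAC and timestamp checks pass. Assumptions, since the patent names no algorithms or encodings: AES-256-CTR with a random IV, HMAC-SHA256, the byte layout in the comments, the 30-second window, the `lastTS` replay check and every identifier.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	keyLen  = 32               // AES-256 group key (assumed size)
	infoLen = 8 + keyLen       // key update timestamp || update key
	maxAge  = 30 * time.Second // assumed acceptance window
)

// ctr runs AES-CTR (assumed cipher) over data; the same call encrypts and decrypts.
func ctr(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// tag is the HMAC of the update information, keyed with the current multicast key.
func tag(key, info []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(info)
	return m.Sum(nil)
}

// BuildUpdate is the server side: IV || Enc_K(info || HMAC_K(info)), K = current key.
func BuildUpdate(current, next []byte, now time.Time) ([]byte, error) {
	if len(next) != keyLen {
		return nil, errors.New("update key must be 32 bytes")
	}
	info := make([]byte, 8, infoLen)
	binary.BigEndian.PutUint64(info, uint64(now.Unix()))
	info = append(info, next...)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := ctr(current, iv, append(info, tag(current, info)...))
	return append(iv, ct...), err
}

// ApplyUpdate is the member side. lastTS (assumption) is the timestamp of the last
// update the member accepted, so an already applied message cannot be replayed.
func ApplyUpdate(current, msg []byte, lastTS int64, now time.Time) (next []byte, ts int64, err error) {
	if len(msg) != aes.BlockSize+infoLen+sha256.Size {
		return nil, 0, errors.New("unexpected message length")
	}
	pt, err := ctr(current, msg[:aes.BlockSize], msg[aes.BlockSize:])
	if err != nil {
		return nil, 0, err
	}
	info := pt[:infoLen]
	if !hmac.Equal(pt[infoLen:], tag(current, info)) {
		return nil, 0, errors.New("HMAC mismatch: wrong key or modified message")
	}
	ts = int64(binary.BigEndian.Uint64(info))
	if age := now.Sub(time.Unix(ts, 0)); ts <= lastTS || age > maxAge || age < -maxAge {
		return nil, 0, errors.New("replayed or stale key update")
	}
	return info[8:], ts, nil
}

func main() {
	current, next := make([]byte, keyLen), make([]byte, keyLen) // constructed demo keys
	for i := range next {
		next[i] = byte(i)
	}
	msg, _ := BuildUpdate(current, next, time.Now())
	got, ts, err := ApplyUpdate(current, msg, 0, time.Now())
	fmt.Printf("new key installed: %v (ts %d, err %v)\n", string(got) == string(next), ts, err)
}
```

Because the update is protected only by the current multicast key, every device that holds that key can read the new one, so this path rotates the key for current members but does not lock out a device that already holds it.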
Preferably,
The key distribution server is further configured to store the group member device identifier, the device certificate and the multicast group address to complete group member registration and authorization.
(III) Beneficial effects
The method and system for distributing multicast communication keys of an industrial controller have the following beneficial effects: by exchanging the multicast key request message and the multicast communication key distribution message between the group member and the key distribution server, the identity of group members is authenticated and multicast data is encrypted, which improves security; in addition, the lightweight communication key distribution mechanism simplifies the communication flow.
Drawings
Fig. 1 is a schematic diagram of a multicast communication key distribution method of an industrial controller according to the present invention;
Fig. 2 is a topology of a DCS multicast communication network in accordance with an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an industrial controller multicast communication key distribution system according to the present invention.
Detailed Description
The invention will be better explained by the following detailed description of the embodiments with reference to the drawings.
In order that the above-described aspects may be better understood, exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Referring to Fig. 1, the present embodiment provides a method for distributing multicast communication keys of an industrial controller. The method is applied between a group member and a key distribution server, where the group member is any terminal node device participating in multicast communication in a DCS control network, and the method includes:
S1, the group member generates multicast key request information, signs it to obtain first signature information, generates a multicast key request message based on the multicast key request information and the first signature information, and sends the multicast key request message to the key distribution server.
The multicast key request information includes a group member random number, a device identifier of the group member, and a group member timestamp.
S2, according to the multicast key request message, the key distribution server uses the group member device identifier to query its stored multicast group address of the group member and the multicast group communication key, generates a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and sends the multicast communication key distribution message to the group member.
S3, the group member verifies the multicast communication key distribution message and stores the multicast communication key and the multicast group address contained in a multicast communication key distribution message whose verification result is correct.
The method for distributing multicast communication keys of an industrial controller is applied to multicast communication identity authentication and communication encryption among the DCS controllers, operator stations and engineer stations of a DCS control system. A typical DCS multicast communication network topology is shown in Fig. 2. The method involves multicast group members (i.e., group members) and a key distribution server, where a group member can be any terminal node device participating in multicast communication in the DCS control network, such as a DCS controller, operator station or engineer station.
In a practical application of this embodiment, the S1 includes:
s11, generating multicast key request information by group members;
s12, signing the multicast key request information by using a group member equipment certificate private key by a group member to acquire first signature information;
S13, the group member encrypts the multicast key request information and the first signature information by using a root certificate public key of the key distribution server to generate a multicast key request message, and sends the multicast key request message to the key distribution server.
In a practical application of this embodiment, the S2 includes:
S21, the key distribution server receives the multicast key request message, decrypts the multicast key request message by using the private key of the root certificate of the key distribution server, and acquires multicast key request information and first signature information.
S22, the key distribution server adopts the public key of the device certificate to verify whether the first signature information is correct, if so, the multicast key request information is recorded, and the public key information of the device certificate is stored on the key distribution server.
S23, the key distribution server uses the group member equipment identification to inquire the multicast group address where the group member stored in the key distribution server is located and the multicast group communication key.
Specifically, the key distribution server stores the device identification, device certificate and multicast group address thereof in the group member for which authorization has been registered.
And S24, if the inquiry is successful, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, acquires a multicast communication key distribution message based on the multicast communication key distribution information, and further transmits the multicast communication key distribution message to the group members.
Specifically, if the query fails (i.e., the device identification, device certificate, and multicast group address of the group member are not queried in the key distribution server), the subsequent flow is stopped. The device is a digital certificate, which is one article representing identity, and contains public key information and corresponds to private key information.
In a practical application of the present embodiment, the S24 includes:
s241, the key distribution server generates multicast communication key distribution information based on the group member random number, the multicast group address and the multicast group communication key in the multicast key request information;
The multicast communication key distribution information comprises group member random numbers, group member multicast group addresses, multicast communication keys and key distribution server timestamp information;
and S242, the key distribution server signs the multicast communication key distribution information by using a root certificate private key to obtain second signature information, wherein the root certificate is prestored on group member equipment and is a digital certificate owned by the key distribution server.
S243, the key distribution server encrypts the multicast communication key distribution information and the second signature information by using the public key of the equipment certificate contained in the equipment certificate of the group member to obtain a multicast communication key distribution message, and sends the multicast communication key distribution message to the group member.
In a practical application of this embodiment, the S3 includes:
S31, the group member receives the multicast communication key distribution message, and decrypts the multicast communication key distribution message by using the group member equipment certificate private key to acquire second signature information and multicast communication key distribution information.
S32, the group member uses the root certificate public key to verify the second signature information, and checks whether the group member random number and the key distribution server timestamp information contained in the multicast communication key distribution information are correct.
S33, if they are correct, the group member stores the multicast communication key and the multicast group address from the multicast communication key distribution information that passed verification.
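The signing step S242 and the member-side checks S32 and S33, as an added example that is not code from the patent. Assumptions: Ed25519 from the Python `cryptography` package stands in for the unnamed signature algorithm, the JSON field names and the 30-second freshness window are hypothetical, the group address and keys are constructed sample values, and the public-key encryption envelope of S243/S31 is left out.

```python
import hmac
import json
import os
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

MAX_AGE_SECONDS = 30  # assumed freshness window; the patent gives no value


def encode(info: dict) -> bytes:
    """Deterministic encoding so signer and verifier process identical bytes."""
    return json.dumps(info, sort_keys=True, separators=(",", ":")).encode()


def build_distribution(server_key, member_nonce, group_addr, group_key, server_ts):
    """S241-S242: assemble the distribution information and sign it."""
    info = {
        "nonce": member_nonce.hex(),      # echoed from the member's request
        "group_addr": group_addr,
        "group_key": group_key.hex(),
        "server_ts": server_ts,
    }
    return info, server_key.sign(encode(info))


def verify_distribution(root_pub, info, signature, sent_nonce, now):
    """S32-S33: return (group_addr, group_key) if every check passes, else None."""
    # 1. Signature over the whole distribution information (root certificate key).
    try:
        root_pub.verify(signature, encode(info))
    except InvalidSignature:
        return None
    # 2. The random number must be the one this member sent in its own request;
    #    a response recorded from an earlier exchange fails here.
    if not hmac.compare_digest(bytes.fromhex(info["nonce"]), sent_nonce):
        return None
    # 3. The server timestamp must be recent.
    if abs(now - info["server_ts"]) > MAX_AGE_SECONDS:
        return None
    # Only now is the key material accepted for storage.
    return info["group_addr"], bytes.fromhex(info["group_key"])


if __name__ == "__main__":
    server_key = Ed25519PrivateKey.generate()   # stands in for the root certificate key
    nonce = os.urandom(16)                       # member's request nonce
    now = int(time.time())
    info, sig = build_distribution(server_key, nonce, "239.1.1.10", os.urandom(32), now)
    print(verify_distribution(server_key.public_key(), info, sig, nonce, now))
```
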
In another aspect, referring to fig. 3, the present embodiment further provides an industrial controller multicast communication key distribution system, including:
A group member, configured to generate multicast key request information, sign the multicast key request information to obtain first signature information, further generate a multicast key request message based on the multicast key request information and the first signature information, and send the multicast key request message to the key distribution server.
The multicast key request information includes a group member random number, a device identification of the group member, and a group member timestamp.
A key distribution server, configured to query, according to the multicast key request message and by using the group member equipment identifier, the multicast group address of the group member and the multicast group communication key that it stores, generate a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and send the multicast communication key distribution message to the group member.
The group member is also configured to verify the multicast communication key distribution message and to store the multicast communication key and the multicast group address corresponding to the multicast communication key distribution message that passed verification.
In an actual application of this embodiment, the group member being configured to generate multicast key request information, sign the multicast key request information to obtain first signature information, further generate a multicast key request message based on the multicast key request information and the first signature information, and send the multicast key request message to the key distribution server specifically includes:
The group member generates multicast key request information.
The group member signs the multicast key request information by using the group member equipment certificate private key to obtain first signature information.
The group member encrypts the multicast key request information and the first signature information by using the root certificate public key of the key distribution server to generate a multicast key request message, and sends the multicast key request message to the key distribution server.
The key distribution server querying, according to the multicast key request message and by using the group member equipment identifier, the stored multicast group address of the group member and the multicast group communication key, and further generating a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key and sending it to the group member, specifically includes:
The key distribution server receives the multicast key request message, decrypts the multicast key request message by using a private key of a root certificate of the key distribution server, and acquires multicast key request information and first signature information.
The key distribution server uses the device certificate public key that it holds to verify whether the first signature information is correct, and if so, records the multicast key request information.
The key distribution server uses the group member device identification to query the multicast group address of the group member and the multicast group communication key pre-stored in the key distribution server.
If the inquiry is successful, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, acquires a multicast communication key distribution message based on the multicast communication key distribution information, and further transmits the multicast communication key distribution message to the group members.
The group member verifying the multicast communication key distribution message, and storing the multicast communication key and the multicast group address corresponding to the multicast communication key distribution message that passed verification, specifically includes:
The group member receives the multicast communication key distribution message, decrypts it by using the group member equipment certificate private key, and acquires the second signature information and the multicast communication key distribution information.
The group member uses the root certificate public key to verify the second signature information, and checks whether the group member random number and the key distribution server timestamp information contained in the multicast communication key distribution information are correct.
If they are correct, the group member stores the multicast communication key and the multicast group address from the multicast communication key distribution information that passed verification.
In an actual application of this embodiment, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address, and the multicast group communication key, and obtains a multicast communication key distribution message based on the multicast communication key distribution information, and further sends the multicast communication key distribution message to group members, which specifically includes:
The key distribution server generates multicast communication key distribution information based on the group member random number in the multicast key request information, the multicast group address, and the multicast group communication key.
The multicast communication key distribution information comprises a group member random number, a group member multicast group address, a multicast communication key and key distribution server time stamp information.
The key distribution server signs the multicast communication key distribution information by using the root certificate private key to acquire second signature information.
The key distribution server encrypts the multicast communication key distribution information and the second signature information by using a device certificate public key contained in the group member device certificate to obtain a multicast communication key distribution message, and sends the multicast communication key distribution message to the group member.
In practical application of the embodiment, the key distribution server is further configured to generate multicast communication key update information and generate a message authentication code HMAC of the multicast communication key update information by using the multicast communication key, and the key distribution server encrypts the multicast communication key update information and the message authentication code HMAC by using the multicast communication key and then sends the encrypted multicast communication key update information and the encrypted message authentication code HMAC as a multicast communication key update message to the group members.
The multicast communication key update information includes a key update timestamp and a multicast communication update key.
The industrial controller multicast communication key distribution system of this embodiment implements multicast key updating. Based on shared-key technology, it provides source authenticity verification for the multicast key update communication and encryption of the communication data. Shared-key operations are more efficient than public-key encryption, so the multicast key is updated at high speed, communication security is ensured, and key distribution efficiency is improved. Periodically updating the multicast communication key improves system security.
The group member is further configured to decrypt the multicast communication key update message by using the multicast communication key after receiving it, obtain and verify the multicast communication key update information and the message authentication code HMAC, and, if they are correct, use the multicast communication update key in the multicast communication key update information as the new multicast communication key.
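The key update exchange described above, as an added example that is not code from the patent. Assumptions: HMAC-SHA256, a 32-byte key, the `timestamp || new key || tag` byte layout and the rule that the update timestamp must increase are all hypothetical choices, and the symmetric encryption layer is omitted because the patent names no cipher.

```python
import hashlib
import hmac
import struct

KEY_LEN = 32   # assumed key size
MAC_LEN = 32   # HMAC-SHA256 output size
TS_LEN = 8     # big-endian 64-bit key update timestamp


def build_update(current_key: bytes, new_key: bytes, update_ts: int) -> bytes:
    """Server side: update information = timestamp || update key, tagged
    with an HMAC computed under the multicast key currently in use."""
    info = struct.pack(">Q", update_ts) + new_key
    tag = hmac.new(current_key, info, hashlib.sha256).digest()
    return info + tag


class GroupMember:
    """Member side: holds the current multicast key and rotates it on a valid update."""

    def __init__(self, group_key: bytes):
        self.group_key = group_key
        self.last_update_ts = 0

    def handle_update(self, message: bytes) -> bool:
        # Reject anything that is not exactly the expected length.
        if len(message) != TS_LEN + KEY_LEN + MAC_LEN:
            return False
        info, tag = message[:-MAC_LEN], message[-MAC_LEN:]
        # Verify the tag before parsing any field, in constant time.
        expected = hmac.new(self.group_key, info, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        (update_ts,) = struct.unpack(">Q", info[:TS_LEN])
        # Assumed rule: the key update timestamp must move forward.
        if update_ts <= self.last_update_ts:
            return False
        # Install the update key as the new multicast communication key.
        self.group_key = info[TS_LEN:]
        self.last_update_ts = update_ts
        return True


if __name__ == "__main__":
    old_key = bytes(range(32))        # constructed sample keys
    new_key = bytes([0xAA]) * 32
    member = GroupMember(old_key)
    msg = build_update(old_key, new_key, 1000)
    print(member.handle_update(msg))  # first delivery rotates the key
    print(member.handle_update(msg))  # replay fails: tag was made under the old key
```

Because the tag is keyed with the shared multicast key, a valid tag shows only that the sender holds the group key, which every member of the group does.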
In an actual application of this embodiment, the key distribution server is further configured to store the group member device identifier, the device certificate and the multicast group address thereof to complete the group member registration authorization.
With the industrial controller multicast communication key distribution method and system of this embodiment, the multicast key request message and the multicast communication key distribution message exchanged between the group member and the key distribution server provide authentication of the group member's identity and encryption of multicast data, which improves security; in addition, the lightweight communication key distribution mechanism simplifies the communication flow.
Since the system described in the foregoing embodiments of the present invention is a system for implementing the method of the foregoing embodiments of the present invention, those skilled in the art will be able to understand the specific structure and modification of the system/device based on the method of the foregoing embodiments of the present invention, and thus will not be described in detail herein. All systems used in the methods of the above embodiments of the present invention are within the scope of the present invention.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the terms first, second, third, etc. is for convenience of description only and does not denote any order. These terms may be understood as part of the component name.
Furthermore, it should be noted that in the description of the present specification, the terms "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., mean that a specific feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined by those skilled in the art without contradiction.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art upon learning the basic inventive concepts. Therefore, the appended claims should be construed to include preferred embodiments and all such variations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, the present invention should also include such modifications and variations provided that they come within the scope of the following claims and their equivalents.

Claims (8)

1. An industrial controller multicast communication key distribution method, characterized in that the method is applied between a group member and a key distribution server, wherein the group member is any terminal node device participating in multicast communication in a DCS control network, and the method comprises:
S1. The group member generates multicast key request information, signs the multicast key request information to obtain first signature information, further generates a multicast key request message based on the multicast key request information and the first signature information, and sends it to the key distribution server;
the multicast key request information includes: a group member random number, a device identifier of the group member, and a group member timestamp;
S2. The key distribution server, according to the multicast key request message, uses the group member device identifier to query the multicast group address of the group member and the multicast group communication key that it stores, further generates a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and sends it to the group member;
S3. The group member verifies the multicast communication key distribution message, and stores the multicast communication key and multicast group address corresponding to the multicast communication key distribution message whose verification result is correct;
S1 comprises:
S11. The group member generates multicast key request information;
S12. The group member signs the multicast key request information using the group member device certificate private key to obtain first signature information;
S13. The group member encrypts the multicast key request information and the first signature information using the public key of the key distribution server root certificate to generate a multicast key request message, and sends the multicast key request message to the key distribution server.

2. The method according to claim 1, characterized in that S2 comprises:
S21. The key distribution server receives the multicast key request message, and uses the private key of the key distribution server root certificate to decrypt the multicast key request message to obtain the multicast key request information and the first signature information;
S22. The key distribution server uses the device certificate public key that it holds to verify whether the first signature information is correct, and if correct, records the multicast key request information;
S23. The key distribution server uses the group member device identifier to query the multicast group address of the group member and the multicast group communication key pre-stored in the key distribution server;
S24. If the query is successful, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, obtains a multicast communication key distribution message based on the multicast communication key distribution information, and further sends the multicast communication key distribution message to the group member.

3. The method according to claim 2, characterized in that S24 comprises:
S241. The key distribution server generates multicast communication key distribution information based on the group member random number in the multicast key request information, the multicast group address and the multicast group communication key;
the multicast communication key distribution information includes: the group member random number, the group member multicast group address, the multicast communication key and key distribution server timestamp information;
S242. The key distribution server signs the multicast communication key distribution information using the root certificate private key to obtain second signature information;
S243. The key distribution server encrypts the multicast communication key distribution information and the second signature information using the device certificate public key contained in the group member device certificate to obtain a multicast communication key distribution message, and sends the multicast communication key distribution message to the group member.

4. The method according to claim 3, characterized in that S3 comprises:
S31. The group member receives the multicast communication key distribution message, and uses the group member device certificate private key to decrypt the multicast communication key distribution message to obtain the second signature information and the multicast communication key distribution information;
S32. The group member uses the root certificate public key to verify whether the second signature information, and the group member random number and key distribution server timestamp information contained in the multicast communication key distribution information, are correct;
S33. If correct, the group member stores the multicast communication key and multicast group address in the multicast communication key distribution information whose verification result is correct.

5. An industrial controller multicast communication key distribution system, characterized by comprising:
a group member, configured to generate multicast key request information, sign the multicast key request information to obtain first signature information, further generate a multicast key request message based on the multicast key request information and the first signature information, and send it to the key distribution server;
the multicast key request information includes: a group member random number, a device identifier of the group member, and a group member timestamp;
a key distribution server, configured to, according to the multicast key request message, use the group member device identifier to query the multicast group address of the group member and the multicast group communication key that it stores, further generate a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and send it to the group member;
the group member is also configured to verify the multicast communication key distribution message and store the multicast communication key and multicast group address corresponding to the multicast communication key distribution message whose verification result is correct;
the group member being configured to generate multicast key request information, sign the multicast key request information to obtain first signature information, further generate a multicast key request message based on the multicast key request information and the first signature information, and send it to the key distribution server specifically includes:
the group member generates multicast key request information;
the group member signs the multicast key request information using the group member device certificate private key to obtain first signature information;
the group member encrypts the multicast key request information and the first signature information using the public key of the key distribution server root certificate to generate a multicast key request message, and sends the multicast key request message to the key distribution server;
the key distribution server, according to the multicast key request message, using the group member device identifier to query the multicast group address of the group member and the multicast group communication key that it stores, further generating a multicast communication key distribution message based on the multicast key request message, the multicast group address and the multicast group communication key, and sending it to the group member specifically includes:
the key distribution server receives the multicast key request message, and uses the private key of the key distribution server root certificate to decrypt the multicast key request message to obtain the multicast key request information and the first signature information;
the key distribution server uses the device certificate public key that it holds to verify whether the first signature information is correct, and if correct, records the multicast key request information;
the key distribution server uses the group member device identifier to query the multicast group address of the group member and the multicast group communication key pre-stored in the key distribution server;
if the query is successful, the key distribution server generates multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, obtains a multicast communication key distribution message based on the multicast communication key distribution information, and further sends the multicast communication key distribution message to the group member;
the group member verifying the multicast communication key distribution message and storing the multicast communication key and multicast group address corresponding to the multicast communication key distribution message whose verification result is correct specifically includes:
the group member receives the multicast communication key distribution message, and uses the group member device certificate private key to decrypt the multicast communication key distribution message to obtain the second signature information and the multicast communication key distribution information;
the group member uses the root certificate public key to verify whether the second signature information, and the group member random number and key distribution server timestamp information contained in the multicast communication key distribution information, are correct;
if correct, the group member stores the multicast communication key and the multicast group address in the multicast communication key distribution information whose verification result is correct.

6. The system according to claim 5, characterized in that
the key distribution server generating multicast communication key distribution information based on the multicast key request information, the multicast group address and the multicast group communication key, obtaining a multicast communication key distribution message based on the multicast communication key distribution information, and further sending the multicast communication key distribution message to the group member specifically includes:
the key distribution server generates multicast communication key distribution information based on the group member random number in the multicast key request information, the multicast group address and the multicast group communication key;
the multicast communication key distribution information includes: the group member random number, the group member multicast group address, the multicast communication key and key distribution server timestamp information;
the key distribution server signs the multicast communication key distribution information using the root certificate private key to obtain second signature information;
the key distribution server encrypts the multicast communication key distribution information and the second signature information using the device certificate public key contained in the group member device certificate to obtain the multicast communication key distribution message, and sends the multicast communication key distribution message to the group member.

7. The system according to claim 6, characterized in that
the key distribution server is further configured to generate multicast communication key update information, and use the multicast communication key to generate a message authentication code HMAC of the multicast communication key update information; the key distribution server encrypts the multicast communication key update information and the message authentication code HMAC using the multicast communication key and sends them to the group member as a multicast communication key update message;
the multicast communication key update information includes a key update timestamp and a multicast communication update key;
the group member is further configured to, after receiving the multicast communication key update message, decrypt it using the multicast communication key, obtain and verify the multicast communication key update information and the message authentication code HMAC, and if correct, use the multicast communication update key in the multicast communication key update information as the new multicast communication key.

8. The system according to claim 7, characterized in that
the key distribution server is further configured to store the group member device identifier, the device certificate and its multicast group address to complete group member registration authorization.
CN202111555495.0A 2021-12-17 2021-12-17 Multicast communication key distribution method and system for industrial controller Active CN114422118B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111555495.0A CN114422118B (en) 2021-12-17 2021-12-17 Multicast communication key distribution method and system for industrial controller
PCT/CN2022/134182 WO2023109468A1 (en) 2021-12-17 2022-11-24 Multicast communication key distribution method and system for industrial controller

Publications (2)

Publication Number Publication Date
CN114422118A CN114422118A (en) 2022-04-29
CN114422118B true CN114422118B (en) 2024-11-29

Family

ID=81266725

Country Status (2)

Country Link
CN (1) CN114422118B (en)
WO (1) WO2023109468A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422118B (en) * 2021-12-17 2024-11-29 中控技术股份有限公司 Multicast communication key distribution method and system for industrial controller
CN115460134A (en) * 2022-09-05 2022-12-09 国网智能电网研究院有限公司 A MEC data multicast forwarding method for power 5G services
CN115567192B (en) * 2022-09-29 2025-07-01 中电信量子科技有限公司 Method and system for transparent encryption and decryption of multicast data using quantum key distribution

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6295361B1 (en) * 1998-06-30 2001-09-25 Sun Microsystems, Inc. Method and apparatus for multicast indication of group key change

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4554264B2 (en) * 2004-04-19 2010-09-29 エヌ・ティ・ティ・ソフトウェア株式会社 Digital signature processing method and program therefor
CN100403814C (en) * 2004-11-25 2008-07-16 华为技术有限公司 A key control method for multicast broadcast service
CN101155027B (en) * 2006-09-27 2012-07-04 华为技术有限公司 Key sharing method and system
US8762707B2 (en) * 2009-07-14 2014-06-24 At&T Intellectual Property I, L.P. Authorization, authentication and accounting protocols in multicast content distribution networks
CN108737430B (en) * 2018-05-25 2020-07-17 全链通有限公司 Encryption communication method and system for block chain node
US11368325B2 (en) * 2020-02-11 2022-06-21 Honeywell International Inc. System for communication on a network
CN112653551A (en) * 2020-10-11 2021-04-13 黑龙江头雁科技有限公司 Centralized key management method based on key distribution multicast
CN112350826A (en) * 2021-01-08 2021-02-09 浙江中控技术股份有限公司 Industrial control system digital certificate issuing management method and encrypted communication method
CN114422118B (en) * 2021-12-17 2024-11-29 中控技术股份有限公司 Multicast communication key distribution method and system for industrial controller

Also Published As

Publication number Publication date
CN114422118A (en) 2022-04-29
WO2023109468A1 (en) 2023-06-22

Similar Documents

Publication Publication Date Title
CN114422118B (en) Multicast communication key distribution method and system for industrial controller
US11784788B2 (en) Identity management method, device, communications network, and storage medium
JP5975594B2 (en) Communication terminal and communication system
JP5288210B2 (en) Unicast key management method and multicast key management method in network
CN101420686B (en) Implementation method of secure communication in industrial wireless network based on key
US20170111357A1 (en) Authentication method and authentication system
US20160066354A1 (en) Communication system
CN112311537B (en) Device access authentication system and method based on blockchain
CN101356759A (en) Token-based distributed generation of security keying material
PT1362444E (en) Method for storing and distributing encryption keys
KR20240000161A (en) Method, device and system for dds communication
US20160080340A1 (en) Communication control device
CN109474432A (en) Digital certificate management method and device
CN102447679A (en) Method and system for guaranteeing data security of peer-to-peer network
CN107409048A (en) public key based network
CN113992418A (en) IoT (Internet of things) equipment management method based on block chain technology
US20050111668A1 (en) Dynamic source authentication and encryption cryptographic scheme for a group-based secure communication environment
CN102905199A (en) Implement method and device of multicast service and device thereof
US20040096063A1 (en) Group admission control apparatus and methods
CN105981028B (en) Network element certification on communication network
CN112235290A (en) Block chain-based Internet of things equipment management method and first Internet of things equipment
CN103312495B (en) The forming method of a kind of CA in groups and device
WO2020029859A1 (en) Terminal and server communication method and apparatus
JP4239802B2 (en) Multicast transmission method
CN115378585B (en) A quantum key lifecycle management system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Country or region after: China

Address after: No. 309 Liuhe Road, Binjiang District, Hangzhou City, Zhejiang Province (High tech Zone)

Applicant after: Zhongkong Technology Co.,Ltd.

Address before: No. six, No. 309, Binjiang District Road, Hangzhou, Zhejiang

Applicant before: ZHEJIANG SUPCON TECHNOLOGY Co.,Ltd.

Country or region before: China

GR01 Patent grant