
CN114614984B - Time-sensitive network secure communication method based on cryptographic algorithm - Google Patents


Info

Publication number
CN114614984B
Authority
CN
China
Prior art keywords
message
snmp
tsn
key
pdu
Prior art date
Legal status
Active
Application number
CN202210210365.1A
Other languages
Chinese (zh)
Other versions
CN114614984A (en)
Inventor
王浩
赵明
Current Assignee
Chongqing University of Post and Telecommunications
Original Assignee
Chongqing University of Post and Telecommunications
Priority date
Filing date
Publication date
Application filed by Chongqing University of Post and Telecommunications
Priority to CN202210210365.1A
Publication of CN114614984A
Application granted
Publication of CN114614984B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/06 Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
    • H04L69/22 Parsing or analysis of headers
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a time-sensitive network secure communication method based on the Chinese national cryptographic (SM) algorithms and belongs to the technical field of communication. A time-sensitive network CNC is introduced; the SM2 authentication algorithm and the SM3 hash algorithm are used for identity authentication and key negotiation with the TSN switches, verifying whether a TSN switch is trustworthy and distributing session keys. Between TSN switches, the SM3 hash algorithm generates message authentication codes and the SM4 encryption/decryption algorithm provides end-to-end secure communication. Realizing a secure transmission protocol that is independently controllable in both the time-sensitive network standard and the cryptographic algorithms, while keeping storage space and communication overhead as low as possible, and thereby fundamentally guaranteeing the safety, reliability and controllability of industrial communication, is a problem that urgently needs to be solved.

Description

A time-sensitive network secure communication method based on national cryptographic algorithms

Technical field

The invention belongs to the technical field of communication and relates to a time-sensitive network secure communication method based on the national cryptographic (SM) algorithms.

Background

While TSN improves the communication performance of industrial networks, security has become a key issue limiting the adoption of time-sensitive network communication. As a set of industrial network protocols that is still developing and maturing, the TSN standard urgently needs an independently controllable security mechanism that fundamentally guarantees security in the industrial communication process.

Current research on time-sensitive network security mainly focuses on the configuration and scheduling of the key TSN protocols and has not gone deeply into security. At the same time, because of the complexity of implementing security functions, the time-sensitive network standards do not specify a concrete security scheme or cryptographic technique for protecting time-sensitive network communication. A security architecture suited to time-sensitive networks is therefore needed: one that covers identity authentication, key management and secure data-stream transmission for the time-sensitive network, uses the relevant encryption and hash algorithms to achieve end-to-end secure data transmission, and defines a key management mechanism within the data encryption and verification process to complete key distribution and updating, thereby securing time-sensitive network communication.

Cryptographic algorithms are the core technology of information security and play a key role in protecting data transmission in industrial networks. The State Cryptography Administration has published several national cryptographic algorithms for different application scenarios: the SM2 public-key algorithm can be used for digital signatures and authentication, the SM3 hash algorithm can be used for message authentication codes and random number generation, and the SM4 block cipher can be used for data encryption and decryption to guarantee confidentiality. Combining SM2 with SM3 allows identity authentication and key negotiation to be carried out effectively with high security; combining SM3 with SM4 allows message authentication codes to be generated and data to be encrypted and decrypted with a high degree of independence.

In view of the above problems, and in line with the security requirements for time-sensitive networks in the standards of the Industrial Internet Industry Alliance, a session negotiation and secure communication scheme based on the national cryptographic algorithms is designed to address security threats to time-sensitive networks. Realizing a secure transmission protocol that is independently controllable in both the time-sensitive network standard and the cryptographic algorithms, while keeping storage space and communication overhead as low as possible, and thereby fundamentally guaranteeing the safety, reliability and controllability of industrial communication, is a problem that urgently needs to be solved.

Summary of the invention

In view of this, the object of the present invention is to provide a time-sensitive network secure communication method based on the national cryptographic algorithms.

To achieve the above object, the present invention provides the following technical solution:

A time-sensitive network secure communication method based on the national cryptographic algorithms, comprising the following steps:

S1: time-sensitive network initialization;

The time-sensitive network deploys a time-sensitive wired network made up of a time-sensitive network traffic generator and several TSN switches joined by wired links; at the same time a time-sensitive network CNC (centralized network configuration) is configured, and the CNC loads the parameters required by the device status control unit. First, each TSN switch uses the LLDP protocol to obtain topology information about its neighbouring devices; this information is stored in a management information base (MIB) in the form of LLDP messages. The TSN CNC then retrieves the topology information held in the MIB through the SNMP protocol, including the object identifier (OID) information of each TSN switch, which covers the device system name and device IP address. This OID information serves as the identity IDi of the TSN switch, with 1 ≤ i ≤ n, where n is the total number of TSN switches connected to the network;

SNMPv3 defines a new message format consisting of an IP header, UDP header, version, header data, security parameters, Context Engine ID, Context Name and SNMP PDU;

The fields of the SNMP message are defined as follows:

Version: the SNMP version; for an SNMPv3 message the field value is 2;

Header data: contains the maximum message size the sender supports and a description of the security mode used by the message;

Security parameters: security information including data about the SNMP entity's engine, the user name, authentication parameters and encryption parameters;

Context EngineID: the unique identifier of the SNMP entity; together with the PDU type it determines which application the message should be delivered to;

Context Name: used to determine the MIB view of the managed device for the Context EngineID;

SNMPv3 PDU: contains the PDU type, request identifier and variable binding list; the SNMPv3 PDUs are GetRequest PDU, GetNextRequest PDU, SetRequest PDU, Response PDU, Trap PDU, GetBulkRequest PDU and InformRequest PDU;

The command names identifying the different PDUs, their codes and their functions are:

GetRequest, code 0: management station to agent, queries the value of a specified variable;

GetNextRequest, code 1: management station to agent, queries the value of the next variable;

Response, code 2: agent to management station, returns the result of execution;

SetRequest, code 3: management station to agent, sets the value of a variable maintained by the agent;

GetBulkRequest, code 4: management station to agent, transfers bulk information;

InformRequest, code 5: management station to management station, passes a parameter processing request;

Trap, code 6: warning message from agent to management station;

Report, code 7: undefined in SNMPv2; SNMPv3 defines it as the report issued when the PDU part of a message cannot be decrypted;

The header includes:

msgID: message identifier used to identify the PDU; value range 0 to 2^31-1;

msgMaxSize: the maximum message size supported by the sender; value range 484 to 2^31-1;

msgFlags: an octet string containing several flags, with three feature bits: reportableFlag, privFlag and authFlag;

msgSecurityModel: the message security model, identifying the security model the sender used to generate the message; sender and receiver must use the same security model;

msgSecurityParameters: security parameters generated by the sender's security subsystem (user name, message authentication code MAC and encryption parameters) that protect the message in transit; the receiver's security subsystem uses them to decrypt and authenticate the message;

contextEngineID: an identifier that uniquely identifies an SNMP entity; for incoming messages this field determines which application the PDU is delivered to for processing; for outgoing messages the value is supplied by the upper-layer application and represents that application;

contextName: the name of the context in which the carried managed objects reside;

PDU: the PDU with its object binding list;

The last three fields, contextEngineID, contextName and PDU, are together called the scoped PDU;
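The header fields above can be checked mechanically before a message is handed to the security subsystem. The Go program below is an added example, not code from the patent or from any SNMP library: it applies the msgID and msgMaxSize ranges given above, decodes the three msgFlags bits (the bit positions 0x01/0x02/0x04 come from RFC 3412, which the page does not quote), maps the PDU code to the name listed above, and rejects the two combinations RFC 3412 forbids, privFlag without authFlag and a reportableFlag that disagrees with the PDU class. HeaderData, HeaderCheck and CheckHeader are names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// PDU type codes and names as listed on the page.
var pduNames = map[byte]string{
	0: "GetRequest", 1: "GetNextRequest", 2: "Response", 3: "SetRequest",
	4: "GetBulkRequest", 5: "InformRequest", 6: "Trap", 7: "Report",
}

// msgFlags bit positions as assigned by RFC 3412 (the page names the bits, not their positions).
const (
	authFlag       byte = 0x01
	privFlag       byte = 0x02
	reportableFlag byte = 0x04
)

// confirmedPDU marks the Confirmed Class PDUs, i.e. those that expect a Response.
var confirmedPDU = map[byte]bool{0: true, 1: true, 3: true, 4: true, 5: true}

// HeaderData is the subset of the header data plus the PDU type that the check needs.
type HeaderData struct {
	MsgID      int64
	MsgMaxSize int64
	MsgFlags   byte
	PDUType    byte
}

// HeaderCheck is the decoded result of a header that passed all checks.
type HeaderCheck struct {
	PDUName                string
	Auth, Priv, Reportable bool
}

// CheckHeader applies the ranges the page gives for msgID and msgMaxSize, decodes
// msgFlags, and enforces the two RFC 3412 consistency rules: privFlag requires
// authFlag, and reportableFlag is set exactly on Confirmed Class PDUs.
func CheckHeader(h HeaderData) (HeaderCheck, error) {
	const max31 = int64(1)<<31 - 1
	if h.MsgID < 0 || h.MsgID > max31 {
		return HeaderCheck{}, fmt.Errorf("msgID %d outside 0..2^31-1", h.MsgID)
	}
	if h.MsgMaxSize < 484 || h.MsgMaxSize > max31 {
		return HeaderCheck{}, fmt.Errorf("msgMaxSize %d outside 484..2^31-1", h.MsgMaxSize)
	}
	if h.MsgFlags&^(authFlag|privFlag|reportableFlag) != 0 {
		return HeaderCheck{}, fmt.Errorf("msgFlags %#02x uses undefined bits", h.MsgFlags)
	}
	r := HeaderCheck{
		Auth:       h.MsgFlags&authFlag != 0,
		Priv:       h.MsgFlags&privFlag != 0,
		Reportable: h.MsgFlags&reportableFlag != 0,
	}
	if r.Priv && !r.Auth {
		return HeaderCheck{}, errors.New("privFlag set without authFlag")
	}
	name, ok := pduNames[h.PDUType]
	if !ok {
		return HeaderCheck{}, fmt.Errorf("unknown PDU type %d", h.PDUType)
	}
	if r.Reportable != confirmedPDU[h.PDUType] {
		return HeaderCheck{}, fmt.Errorf("reportableFlag=%v is inconsistent with a %s PDU", r.Reportable, name)
	}
	r.PDUName = name
	return r, nil
}

func main() {
	// Constructed input: an authPriv GetRequest whose sender accepts 65507-byte messages.
	fmt.Println(CheckHeader(HeaderData{MsgID: 1, MsgMaxSize: 65507, MsgFlags: 0x07, PDUType: 0}))
}
```

Rejecting a message on these checks before any decryption is attempted is cheap and keeps the Report path (code 7 above) for genuine decryption failures.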

The functions that the manager and the agent call when exchanging data, and their purposes, are:

snmp_pdu_create: creates an SNMP message;

snmp_add_var: fills an SNMP message;

snmp_send: sends an SNMP message;

snmp_synch_response: receives and reads an SNMP message;

snmp_close: closes the session and releases the space occupied by the PDU;

S2: identity authentication;

S21: The TSN CNC sends a get-request packet to the TSN switch to obtain the MIB information, parses the OID information in the MIB, generates a public/private key pair (KeyD, KeyB) with the SM2 public-key algorithm and sends it to the TSN switch;

S22: The TSN switch calls snmp_pdu_create to create an SNMP message, generates a random number Ni with a random number generator, encrypts the identity IDi and the random number Ni with the SM2 encryption algorithm under the authentication public key KeyD to produce the identity authentication information Ci = SM2_KeyD(IDi || Ni), and calls snmp_add_var to fill the encrypted identity authentication information into the PDU;

S23: The TSN switch processes the identity IDi and the random number Ni with the SM3 hash algorithm under the authentication public key KeyD to produce a message authentication code TAG = SM3_KeyD(IDi || Ni), calls snmp_add_var to insert the message authentication code into the msgAuthenticationParameters field, forms the identity authentication request Requesti = Ci || TAG from the identity authentication information Ci and the message authentication code TAG, and calls snmp_send to send the SNMP message to the TSN CNC;

S24: The TSN CNC receives and reads the SNMP message through snmp_synch_response, decrypts the received identity authentication information with the SM2 algorithm under the authentication private key KeyB to obtain the identity IDi' and the random number Ni', first checks the legitimacy of IDi', then processes IDi' and Ni' with the SM3 hash algorithm under the authentication public key KeyD to obtain the message authentication code TAG' = SM3_KeyD(IDi' || Ni'). If TAG = TAG', identity authentication succeeds; otherwise identity authentication fails, snmp_close is called to close the session, and the subsequent key negotiation cannot proceed;

This completes the identity authentication of the TSN switch. A TSN switch that has passed identity authentication by the TSN CNC then performs key negotiation with the TSN CNC.
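Steps S21 to S24 as an added Go example; this is not the patent's implementation and it substitutes standard primitives for the national algorithms: RSA-OAEP stands in for SM2 public-key encryption and HMAC-SHA256 for the SM3 hash. The tag is keyed with KeyD exactly as the page keys it (the modulus bytes of the RSA public key here); since KeyD is the public half of the pair, that tag checks the integrity of the request but is not a secret-keyed authenticator, which is why the example keeps the separate check of IDi' against the identities learned in S1. The identity string, the nonce length and the function names NewAuthKeyPair, BuildAuthRequest and VerifyAuthRequest are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const nonceLen = 16 // byte length of N_i (constructed)

// Stand-ins: RSA-OAEP for SM2 public-key encryption, HMAC-SHA256 for the SM3 hash.
func sm2Enc(pub *rsa.PublicKey, m []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
}
func sm2Dec(priv *rsa.PrivateKey, c []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, c, nil)
}

// sm3Tag is keyed, as on the page, with KeyD (its modulus bytes here). KeyD is public,
// so TAG is an integrity check over the request rather than a secret-keyed authenticator.
func sm3Tag(keyD *rsa.PublicKey, data []byte) []byte {
	h := hmac.New(sha256.New, keyD.N.Bytes())
	h.Write(data)
	return h.Sum(nil)
}

// AuthRequest is Request_i = C_i || TAG from S23.
type AuthRequest struct{ C, TAG []byte }

// S21 on the CNC: generate the authentication pair; KeyD (the public half) goes to the switch.
func NewAuthKeyPair() *rsa.PrivateKey {
	keyB, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return keyB
}

// S22/S23 on the switch: C_i = Enc_KeyD(ID_i || N_i), TAG = Tag_KeyD(ID_i || N_i).
// N_i is returned as well because the switch needs it again in S33.
func BuildAuthRequest(keyD *rsa.PublicKey, id string) (AuthRequest, []byte, error) {
	ni := make([]byte, nonceLen)
	if _, err := rand.Read(ni); err != nil {
		return AuthRequest{}, nil, err
	}
	body := append([]byte(id), ni...)
	c, err := sm2Enc(keyD, body)
	return AuthRequest{C: c, TAG: sm3Tag(keyD, body)}, ni, err
}

// S24 on the CNC: decrypt with KeyB, check ID_i' against the identities learned in S1,
// recompute TAG' and compare; N_i' is returned because S32 echoes it back to the switch.
func VerifyAuthRequest(keyB *rsa.PrivateKey, known map[string]bool, req AuthRequest) (string, []byte, error) {
	body, err := sm2Dec(keyB, req.C)
	if err != nil || len(body) <= nonceLen {
		return "", nil, errors.New("S24: identity authentication information undecryptable, session closed")
	}
	id, ni := string(body[:len(body)-nonceLen]), body[len(body)-nonceLen:]
	if !known[id] {
		return "", nil, fmt.Errorf("S24: identity %q not legitimate, session closed", id)
	}
	if !hmac.Equal(sm3Tag(&keyB.PublicKey, body), req.TAG) {
		return "", nil, errors.New("S24: TAG mismatch, session closed")
	}
	return id, ni, nil
}

func main() {
	keyB := NewAuthKeyPair()
	known := map[string]bool{"tsn-sw-01|10.0.0.11": true} // constructed OID-derived identities from S1
	req, _, _ := BuildAuthRequest(&keyB.PublicKey, "tsn-sw-01|10.0.0.11")
	fmt.Println(VerifyAuthRequest(keyB, known, req))
}
```

The comparison of TAG and TAG' uses hmac.Equal so that it runs in constant time, and every failure path returns the same outcome the page prescribes: the session is closed and key negotiation is not reached.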

Optionally, the key negotiation is specifically:

S31: The TSN CNC calls snmp_pdu_create to create an SNMP message, generates and stores a session key Ks for the field device, and generates a random number Ri with the random number generator;

S32: The TSN CNC concatenates the received random number Ni', its own random number Ri and the generated session key Ks, encrypts the concatenation (Ni' || Ri || Ks) with the SM2 algorithm under the authentication private key KeyB to produce the encrypted information E = SM2_KeyB(Ni' || Ri || Ks), processes the concatenation (Ni' || Ri) with the SM3 hash algorithm under the authentication public key KeyD to produce the message authentication code MAC = SM3_KeyD(Ni' || Ri), calls snmp_add_var to fill the encrypted information E into the PDU, inserts the generated message authentication code MAC, and calls snmp_send to send the PDU to the TSN switch;

S33: The TSN switch receives and reads the PDU through snmp_synch_response, processes the received message authentication code MAC' with the SM3 hash algorithm under the authentication public key KeyD to obtain (Ni' || Ri), and checks whether Ni' = Ni. If so, it stores the random number Ri', decrypts the received encrypted information with the SM2 algorithm under the authentication public key KeyD to obtain the session key Ks, encrypts the random number Ri' with the SM2 algorithm under the session key Ks to produce the key negotiation confirmation information, calls snmp_add_var to fill the confirmation information into the PDU, and calls snmp_send to send the SNMP message to the TSN CNC; if not, the message is discarded;

S34: The TSN CNC receives and reads the SNMP message through snmp_synch_response, decrypts the received key negotiation confirmation information with the SM2 algorithm under the session key Ks to obtain the random number Ri', and checks whether Ri' = Ri. If so, key negotiation succeeds; otherwise key negotiation fails;

This completes the key negotiation between the TSN switch and the TSN CNC of the time-sensitive network; the TSN switch uses the successfully negotiated session key Ks for subsequent secure communication.
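Steps S31 to S34 as an added Go example that picks up where S24 left off (both sides hold Ni and the pair (KeyD, KeyB)); it is not the patent's code, and RSA-OAEP again stands in for SM2 and HMAC-SHA256 for SM3. Two deviations from the page are labelled in the comments. First, the page has the CNC encrypt E under the private key KeyB and the switch decrypt it under the public key KeyD; a public-key encryption API cannot be used in that direction, so the example gives the switch its own key pair (an assumption) and encrypts the key transport to it. Second, the confirmation in S33/S34 is a tag under Ks over Ri' rather than SM2 encryption under Ks, which gives the CNC the same check Ri' = Ri. The types CNCState and SwitchState and the function Negotiate are names chosen for the example; nonces and key sizes are constructed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const nonceLen = 16 // byte length of N_i, R_i and K_s (constructed)

// Stand-ins: RSA-OAEP for SM2 public-key encryption, HMAC-SHA256 for the SM3 hash.
func sm2Enc(pub *rsa.PublicKey, m []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
}
func sm2Dec(priv *rsa.PrivateKey, c []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, c, nil)
}
func sm3Tag(key, data []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return h.Sum(nil)
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read does not return an error on supported platforms
	return b
}

// KeyTransport is the S32 message: E = Enc(N_i' || R_i || K_s), MAC = Tag_KeyD(N_i' || R_i).
type KeyTransport struct{ E, MAC []byte }

// CNCState is what the CNC keeps after S24: KeyB, the switch's nonce N_i' and, as an
// assumption of this example, the switch's own public key (the page encrypts E under the
// private key KeyB, which a public-key encryption API cannot do in that direction).
type CNCState struct {
	KeyB       *rsa.PrivateKey
	SwitchPub  *rsa.PublicKey
	Ni, ri, ks []byte
}

// SwitchState is what the switch keeps after S23: KeyD, its nonce N_i and (assumption) its own private key.
type SwitchState struct {
	KeyD *rsa.PublicKey
	Priv *rsa.PrivateKey
	Ni   []byte
}

// S31/S32 on the CNC; the MAC is keyed with KeyD as on the page (modulus bytes here).
func (c *CNCState) KeyTransport() (KeyTransport, error) {
	c.ri, c.ks = randBytes(nonceLen), randBytes(nonceLen)
	nr := append(append([]byte{}, c.Ni...), c.ri...)
	e, err := sm2Enc(c.SwitchPub, append(append([]byte{}, nr...), c.ks...))
	return KeyTransport{E: e, MAC: sm3Tag(c.KeyB.N.Bytes(), nr)}, err
}

// S33 on the switch: drop unless N_i' = N_i and the MAC over (N_i' || R_i) matches; only
// then accept K_s. The confirmation is a tag under K_s over R_i' (stand-in for the page's
// SM2 encryption of R_i' under K_s). Returns the confirmation and the accepted K_s.
func (s *SwitchState) AcceptKey(kt KeyTransport) (conf, ks []byte, err error) {
	p, err := sm2Dec(s.Priv, kt.E)
	if err != nil || len(p) != 3*nonceLen {
		return nil, nil, errors.New("S33: key transport undecryptable, dropped")
	}
	if !bytes.Equal(p[:nonceLen], s.Ni) || !hmac.Equal(sm3Tag(s.KeyD.N.Bytes(), p[:2*nonceLen]), kt.MAC) {
		return nil, nil, errors.New("S33: nonce or MAC mismatch, dropped")
	}
	ks = p[2*nonceLen:]
	return sm3Tag(ks, p[nonceLen:2*nonceLen]), ks, nil
}

// S34 on the CNC: the confirmation must correspond to R_i.
func (c *CNCState) ConfirmKey(conf []byte) bool { return hmac.Equal(sm3Tag(c.ks, c.ri), conf) }

// Negotiate runs S31..S34 with cncNi the N_i' the CNC recovered in S24 and swNi the N_i
// the switch generated in S22; it reports whether both sides ended with the same K_s.
func Negotiate(cncNi, swNi []byte) (bool, error) {
	keyB, _ := rsa.GenerateKey(rand.Reader, 2048)   // authentication pair (KeyD, KeyB) from S21
	swPriv, _ := rsa.GenerateKey(rand.Reader, 2048) // assumption: switch-side pair
	cnc := &CNCState{KeyB: keyB, SwitchPub: &swPriv.PublicKey, Ni: cncNi}
	sw := &SwitchState{KeyD: &keyB.PublicKey, Priv: swPriv, Ni: swNi}
	kt, err := cnc.KeyTransport()
	if err != nil {
		return false, err
	}
	conf, swKs, err := sw.AcceptKey(kt)
	if err != nil {
		return false, err
	}
	return cnc.ConfirmKey(conf) && bytes.Equal(cnc.ks, swKs), nil
}

func main() {
	n := randBytes(nonceLen) // N_i as agreed in S22/S24 (constructed here)
	fmt.Println(Negotiate(n, n))
}
```

Binding Ni into the key transport is what ties the session key to the authentication that just completed: a transport built for a different nonce is dropped in S33 before Ks is ever stored, which is the behaviour the page prescribes for the Ni' ≠ Ni case.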

Optionally, the secure communication is specifically:

S41: TSN switch 1 parses the TSN data frame, obtains the data payload, and encrypts the plaintext M with the SM4 encryption algorithm under the session key Ks to produce the ciphertext C;

S42: TSN switch 1 generates an SM3 message authentication code Tag with the SM3 hash algorithm under the session key Ks, and sends the security control field, the ciphertext C and the message authentication code Tag to TSN switch 2 as the secure communication message E;

S43: After receiving the message, TSN switch 2 first parses the security control field; if the security control field reads 01, the message is encrypted; otherwise the message is forwarded directly;

S44: TSN switch 2 generates the SM3 message authentication code Tag' with the SM3 hash algorithm under the session key Ks and checks whether Tag = Tag'. If so, it runs the decryption procedure; otherwise it discards the message;

S45: For a message that passes message authentication code verification, TSN switch 2 decrypts the ciphertext C with the SM4 decryption algorithm under the session key Ks to obtain the TSN plaintext;

This completes the secure communication process of the time-sensitive network: a message encrypted at the port of TSN switch 1 is decrypted at the port of TSN switch 2, which guarantees the confidentiality and integrity of the data transmission.
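The data-plane steps S41 to S45 as an added Go example (not the patent's code): AES in CTR mode stands in for SM4 and HMAC-SHA256 for the SM3 tag under Ks. The page does not say what the tag covers or how the block cipher is chained, so the example carries a fresh IV in every message and computes the tag over the control field, the IV and the ciphertext (encrypt-then-MAC); the control value 0x01 is the page's, while the message layout, the session key and the payload are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	ctrlEncrypted = 0x01 // security control field value the page gives for encrypted messages
	ivLen         = aes.BlockSize
	tagLen        = sha256.Size
)

// sm4Stub stands in for SM4 (AES-CTR here; the same call encrypts and decrypts).
func sm4Stub(ks, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(ks)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// sm3Tag stands in for the SM3 message authentication code keyed with K_s.
func sm3Tag(ks, data []byte) []byte {
	h := hmac.New(sha256.New, ks)
	h.Write(data)
	return h.Sum(nil)
}

// Protect is S41/S42 on TSN switch 1: E = ctrl || IV || C || Tag, with Tag computed
// over ctrl || IV || C so that the control field cannot be changed unnoticed (layout assumed).
func Protect(ks, plaintext []byte) ([]byte, error) {
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	c, err := sm4Stub(ks, iv, plaintext)
	if err != nil {
		return nil, err
	}
	body := append(append([]byte{ctrlEncrypted}, iv...), c...)
	return append(body, sm3Tag(ks, body)...), nil
}

// Receive is S43..S45 on TSN switch 2. It returns the payload and whether it was
// decrypted (true) or forwarded unchanged (false); a bad tag drops the message.
func Receive(ks, msg []byte) (payload []byte, decrypted bool, err error) {
	if len(msg) == 0 {
		return nil, false, errors.New("empty message dropped")
	}
	if msg[0] != ctrlEncrypted { // S43: not marked as encrypted, forward as is
		return msg, false, nil
	}
	if len(msg) < 1+ivLen+tagLen {
		return nil, false, errors.New("truncated secure message dropped")
	}
	body, tag := msg[:len(msg)-tagLen], msg[len(msg)-tagLen:]
	if !hmac.Equal(sm3Tag(ks, body), tag) { // S44: Tag != Tag'
		return nil, false, errors.New("S44: tag mismatch, message dropped")
	}
	m, err := sm4Stub(ks, body[1:1+ivLen], body[1+ivLen:]) // S45
	return m, true, err
}

func main() {
	ks := []byte("0123456789abcdef") // constructed 128-bit session key K_s
	e, _ := Protect(ks, []byte("TSN payload: valve-07 setpoint 42"))
	m, dec, err := Receive(ks, e)
	fmt.Printf("decrypted=%v err=%v payload=%q\n", dec, err, m)
	e[len(e)-tagLen-1] ^= 0x01 // one corrupted ciphertext bit is caught in S44
	_, _, err = Receive(ks, e)
	fmt.Println("corrupted message:", err)
}
```

The order in Receive matters: the tag is checked with a constant-time comparison before any decryption, so a message that fails S44 never reaches S45, and the control field sits inside the tagged region so a protected message cannot be downgraded to the "forward directly" path of S43.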

The beneficial effects of the present invention are:

It addresses the problem of security threats to time-sensitive networks. While keeping storage space and communication overhead as low as possible, it realizes a secure transmission protocol that is independently controllable in both the time-sensitive network standard and the cryptographic algorithms, fundamentally guaranteeing the safety, reliability and controllability of industrial communication.

Other advantages, objects and features of the present invention will be set forth to some extent in the following description and, to some extent, will be apparent to those skilled in the art upon examination of the following, or may be learned from practice of the invention. The objects and other advantages of the invention may be realized and attained by the following description.

Description of the drawings

To make the objects, technical solution and advantages of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings, in which:

Figure 1 is the security topology of the time-sensitive network;

Figure 2 is the data interaction flow of system initialization;

Figure 3 is the SNMPv3 message format;

Figure 4 is the identity authentication process of the time-sensitive network;

Figure 5 is the flow chart of key negotiation in the time-sensitive network;

Figure 6 is the time-sensitive network frame format;

Figure 7 is the message construction format;

Figure 8 is the flow chart of secure communication in the time-sensitive network.

具体实施方式Detailed ways

以下通过特定的具体实例说明本发明的实施方式,本领域技术人员可由本说明书所揭露的内容轻易地了解本发明的其他优点与功效。本发明还可以通过另外不同的具体实施方式加以实施或应用,本说明书中的各项细节也可以基于不同观点与应用,在没有背离本发明的精神下进行各种修饰或改变。需要说明的是,以下实施例中所提供的图示仅以示意方式说明本发明的基本构想,在不冲突的情况下,以下实施例及实施例中的特征可以相互组合。Embodiments of the present invention are described below through specific examples, and those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification. The present invention can also be implemented or applied through other different specific implementation modes, and various modifications or changes can be made to the details in this specification based on different viewpoints and applications without departing from the spirit of the present invention. It should be noted that the diagrams provided in the following embodiments are only schematically illustrating the basic concept of the present invention, and the following embodiments and the features in the embodiments can be combined with each other in the case of no conflict.

其中,附图仅用于示例性说明,表示的仅是示意图,而非实物图,不能理解为对本发明的限制;为了更好地说明本发明的实施例,附图某些部件会有省略、放大或缩小,并不代表实际产品的尺寸;对本领域技术人员来说,附图中某些公知结构及其说明可能省略是可以理解的。Wherein, the accompanying drawings are for illustrative purposes only, and represent only schematic diagrams, rather than physical drawings, and should not be construed as limiting the present invention; in order to better illustrate the embodiments of the present invention, some parts of the accompanying drawings may be omitted, Enlargement or reduction does not represent the size of the actual product; for those skilled in the art, it is understandable that certain known structures and their descriptions in the drawings may be omitted.

本发明实施例的附图中相同或相似的标号对应相同或相似的部件;在本发明的描述中,需要理解的是,若有术语“上”、“下”、“左”、“右”、“前”、“后”等指示的方位或位置关系为基于附图所示的方位或位置关系,仅是为了便于描述本发明和简化描述,而不是指示或暗示所指的装置或元件必须具有特定的方位、以特定的方位构造和操作,因此附图中描述位置关系的用语仅用于示例性说明,不能理解为对本发明的限制,对于本领域的普通技术人员而言,可以根据具体情况理解上述术语的具体含义。In the drawings of the embodiments of the present invention, the same or similar symbols correspond to the same or similar components; , "front", "rear" and other indicated orientations or positional relationships are based on the orientations or positional relationships shown in the drawings, which are only for the convenience of describing the present invention and simplifying the description, rather than indicating or implying that the referred devices or elements must It has a specific orientation, is constructed and operated in a specific orientation, so the terms describing the positional relationship in the drawings are for illustrative purposes only, and should not be construed as limiting the present invention. For those of ordinary skill in the art, the understanding of the specific meaning of the above terms.

In a time-sensitive network most functions are implemented by the various TSN applications deployed at the application layer; for example, network users allocate network resources and obtain network information through the APIs exposed by the northbound interface of the control layer, which provides users with time-sensitive network capabilities on demand. An attack on the application layer will therefore gradually affect the entire TSN network and must be guarded against in advance.

Application-layer security threats to time-sensitive networks include:

Spoofing: an attacker can pose as a TSN controller to obtain user data (user keys, certificates, etc.), SLAs, business logic and other information, thereby preparing for further attacks;

Repudiation: a user or administrator can deny having executed a malicious network policy, such as a specific network configuration policy;

Information leakage: after obtaining user authentication information, an attacker can pose as a legitimate user and inject forged information flows into the network through a TSN application in order to obtain more network data;

Vulnerabilities in the application itself: an attacker can exploit vulnerabilities in a TSN application (such as code defects) to obtain the corresponding network resources (for example SLAs, user data, business logic) and thereby prepare for further attacks. In addition, a malicious third-party application can pose as a legitimate application to obtain the corresponding network resources.

In this paper we design a secure communication scheme for time-sensitive networks based on the SM national cryptographic algorithms. After identity authentication and key agreement between the TSN CNC and the TSN switches, confidential data transmission takes place between the TSN switches, guaranteeing the integrity and confidentiality of time-sensitive network data stream transmission.

As shown in Figure 1, the workflow is as follows:

(1) Build the time-sensitive network secure communication network model;

(2) Device initialization: the TSN CNC loads the parameters required by the device state control unit;

(3) The TSN CNC uses SM2/SM3 to perform identity authentication and key agreement with the TSN switches according to the device parameters;

(4) SM3/SM4 are used to realize confidential communication between two TSN switches.

The innovations of the method proposed in this scheme are: 1. In step (3) above, a time-sensitive network CNC is introduced, and the SM2 authentication algorithm and the SM3 hash algorithm are used to perform identity authentication and key agreement with the TSN switches, verifying whether a TSN switch is trustworthy and distributing a session key. 2. In step (4) above, the SM3 hash algorithm is used between the TSN switches to generate message authentication codes, and the SM4 encryption/decryption algorithm realizes end-to-end secure communication.

(1) Identity authentication

The identity authentication scheme designed in this paper, based on the national cryptographic algorithms SM2 and SM3, consists of time-sensitive network initialization and the identity authentication process. Initialization covers loading the parameters required by the device state control unit once the time-sensitive network has been built; identity authentication verifies the legitimacy of the TSN switches, and only a TSN switch that has passed identity authentication can proceed to the subsequent key agreement and secure communication flows.

1. System initialization

The time-sensitive network is deployed as a wired network composed of a time-sensitive network traffic generator and several TSN switches connected by wire. A time-sensitive network CNC is configured at the same time, and the CNC loads the parameters required by the device state control unit. First, each TSN switch uses the LLDP protocol to obtain topology information about its neighbouring devices; this information is stored in a management information base (MIB) in the form of LLDP messages. The TSN CNC then retrieves the topology information stored in the MIB via the SNMP protocol, including the OID (object identifier) information of each TSN switch, such as the device system name and the device IP address. This OID information is used as the identity ID_i (1 ≤ i ≤ n) of the TSN switch, where n is the total number of TSN switches connected to the network. The specific interaction flow is shown in Figure 2.

SNMPv3 defines a new message format, shown in Figure 3.

The main fields of an SNMP message are defined as follows:

Version: indicates the SNMP version; for an SNMPv3 message the field value is 2.

Header data: mainly contains descriptive content such as the maximum message size the sender supports and the security model used by the message.

Security parameters: contains security information such as information about the SNMP entity engine, the user name, authentication parameters and encryption parameters.

Context EngineID: the unique SNMP identifier which, together with the PDU type, determines which application the message should be delivered to.

Context Name: determines the MIB view of the managed device for the Context EngineID.

SNMPv3 PDU: contains the PDU type, the request identifier, the variable binding list and other information. The SNMPv3 PDUs are GetRequest PDU, GetNextRequest PDU, SetRequest PDU, Response PDU, Trap PDU, GetBulkRequest PDU and InformRequest PDU.

The command names identifying the different PDUs, their corresponding codes and their functions are shown in Table 1.

Table 1 Command names, corresponding codes and functions of the different PDUs

The header consists of the following parts:

- msgID: message identifier, used to identify the PDU. Its value range is 0 to 2^31 - 1;

- msgMaxSize: the maximum message size supported by the message sender; its value range is 484 to 2^31 - 1;

- msgFlags: an octet string containing several flags, with three significant bits: reportableFlag, privFlag and authFlag.

- msgSecurityModel: the message security model, identifying the security model the sender used to generate the message; sender and receiver must use the same security model.

- msgSecurityParameters: security parameters generated by the sender's security subsystem, such as the user name, message authentication code (MAC) and encryption parameters, used to protect the message in transit; the receiver's security subsystem uses them to decrypt and authenticate the message.

- contextEngineID: an identifier uniquely identifying an SNMP entity. For incoming messages this field determines which application the PDU is delivered to for processing; for outgoing messages the value is supplied by the upper-layer application and represents that application.

- contextName: the name of the context in which the carried managed objects reside.

- PDU: the PDU with its object (variable) binding list.

The last three fields (contextEngineID, contextName and PDU) together are called the scopedPDU.

The functions that must be called when the manager and the agent exchange data, and their purposes, are listed in Table 2.

Table 2 System initialization function calls

Function name         Purpose
snmp_pdu_create       Create an SNMP message (PDU)
snmp_add_var          Fill the SNMP message with variables
snmp_send             Send the SNMP message
snmp_synch_response   Receive and read the SNMP message
snmp_close            Close the session and release the space occupied by the PDU
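The header fields listed above are carried as BER-encoded values inside the SNMPv3 message. The following parser, added here as an illustration and not part of the patent or of any SNMP library, decodes the outer message and the HeaderData fields (msgID, msgMaxSize, msgFlags, msgSecurityModel), applies the value ranges the text gives, and enforces the msgFlags rule of RFC 3412 that privFlag may not be set without authFlag. Two assumptions: the version check uses 3, which is the msgVersion value RFC 3412 defines for SNMPv3 (the text above gives 2), and the sample message is constructed by hand rather than captured from a device.

```python
# Added example (not from the patent): a minimal BER parser for the outer
# SNMPv3 message and its HeaderData, with the msgID/msgMaxSize ranges given in
# the text and the msgFlags rules of RFC 3412.
INT, OCTET_STRING, SEQUENCE = 0x02, 0x04, 0x30
AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04   # msgFlags bits
MAX_INT31 = 2 ** 31 - 1


def read_tlv(buf: bytes, pos: int):
    """Decode one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def ber_int(value: bytes) -> int:
    if not value:
        raise ValueError("empty INTEGER")
    return int.from_bytes(value, "big", signed=True)


def parse_snmpv3_header(msg: bytes) -> dict:
    """Parse msgVersion and msgGlobalData; msgSecurityParameters and msgData
    are returned untouched in "rest" for the security model to handle."""
    tag, body, end = read_tlv(msg, 0)
    if tag != SEQUENCE or end != len(msg):
        raise ValueError("message is not a single SEQUENCE")
    tag, v, pos = read_tlv(body, 0)
    if tag != INT or ber_int(v) != 3:      # assumption: RFC 3412 msgVersion
        raise ValueError("not an SNMPv3 message (msgVersion must be 3)")
    tag, hdr, pos = read_tlv(body, pos)
    if tag != SEQUENCE:
        raise ValueError("msgGlobalData is not a SEQUENCE")
    fields, p = [], 0
    while p < len(hdr):
        t, v, p = read_tlv(hdr, p)
        fields.append((t, v))
    if [t for t, _ in fields] != [INT, INT, OCTET_STRING, INT]:
        raise ValueError("unexpected HeaderData layout")
    msg_id, max_size = ber_int(fields[0][1]), ber_int(fields[1][1])
    flags, model = fields[2][1], ber_int(fields[3][1])
    if not 0 <= msg_id <= MAX_INT31:
        raise ValueError("msgID out of range")
    if not 484 <= max_size <= MAX_INT31:
        raise ValueError("msgMaxSize out of range")
    if len(flags) != 1:
        raise ValueError("msgFlags must be one octet")
    auth, priv = bool(flags[0] & AUTH_FLAG), bool(flags[0] & PRIV_FLAG)
    if priv and not auth:
        raise ValueError("privFlag set without authFlag; RFC 3412 requires discard")
    return {"msgID": msg_id, "msgMaxSize": max_size, "authFlag": auth,
            "privFlag": priv, "reportableFlag": bool(flags[0] & REPORTABLE_FLAG),
            "msgSecurityModel": model, "rest": body[pos:]}


def header_error(msg: bytes):
    """None if the header is acceptable, else the reason it must be discarded."""
    try:
        parse_snmpv3_header(msg)
        return None
    except ValueError as e:
        return str(e)


# Constructed sample: msgVersion 3; msgID 0x1234; msgMaxSize 65507; flags
# auth+priv+reportable; USM (3); empty security parameters; two opaque bytes
# standing in for encrypted msgData.
SAMPLE_MSG = bytes.fromhex(
    "301a" "020103" "300f" "02021234" "020300ffe3" "040107" "020103"
    "0400" "0402dead")
# Same message with privFlag alone (0x02): must be rejected.
BAD_FLAGS_MSG = SAMPLE_MSG.replace(bytes.fromhex("040107"), bytes.fromhex("040102"))

if __name__ == "__main__":
    print(parse_snmpv3_header(SAMPLE_MSG))
    print(header_error(BAD_FLAGS_MSG))
```

The parser stops at the header on purpose: everything after msgGlobalData belongs to the security model named by msgSecurityModel, which is where the authentication and encryption parameters described in the next sections are verified before the scopedPDU is looked at.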

2. Identity authentication

The flow of the time-sensitive network identity authentication scheme designed in this paper is shown in Figure 4. It consists of the following steps:

Step 1: The TSN CNC sends a get-request packet to the TSN switch to obtain the MIB information, parses the OID information in the MIB, generates a public/private key pair (Key_D, Key_B) with the SM2 public-key algorithm, and sends it to the TSN switch;

Step 2: The TSN switch calls the snmp_pdu_create function to create an SNMP message, generates a random number N_i with a random number generator, uses the authentication public key Key_D to encrypt the identity ID_i and the random number N_i with the SM2 encryption algorithm, producing the identity authentication information C_i = SM2_KeyD(ID_i || N_i), and calls the snmp_add_var function to fill the encrypted identity authentication information into the PDU;

Step 3: The switch uses the authentication public key Key_D to process the identity ID_i and the random number N_i with the SM3 hash algorithm, generating a message authentication code TAG = SM3_KeyD(ID_i || N_i); it calls the snmp_add_var function to insert the generated message authentication code into the msgAuthenticationParameters field, composes the identity authentication information C_i and the message authentication code TAG into the identity authentication request Request_i = C_i || TAG, and calls the snmp_send function to send the SNMP message to the TSN CNC;

Step 4: The TSN CNC receives and reads the SNMP message via snmp_synch_response and decrypts the identity authentication information with the SM2 algorithm using the authentication private key Key_B, obtaining the identity ID_i' and the random number N_i'. It first checks the legitimacy of ID_i', then processes ID_i' and N_i' with the SM3 hash algorithm using the authentication public key Key_D to obtain the message authentication code TAG' = SM3_KeyD(ID_i' || N_i'). If TAG = TAG', identity authentication succeeds; otherwise it fails, the snmp_close function is called to close the session, and the subsequent key agreement flow cannot proceed.

At this point the TSN switch has completed the identity authentication process; a TSN switch that has passed TSN CNC identity authentication proceeds to the key agreement flow with the TSN CNC.

(2) Key agreement

The key agreement scheme designed in this paper, based on the national cryptographic algorithms SM2 and SM3, mainly covers the generation and confirmation of the session key, together with the security parameters required for subsequent secure communication in the time-sensitive network.

1. Key agreement

The flow of the time-sensitive network key agreement scheme designed in this paper is shown in Figure 5. It consists of the following steps:

Step 1: The TSN CNC calls the snmp_pdu_create function to create an SNMP message, generates and stores a session key K_s for the field device, and generates a random number R_i with the random number generator;

Step 2: The TSN CNC concatenates the received random number N_i', its own random number R_i and the generated session key K_s, encrypts the concatenated data (N_i' || R_i || K_s) with the SM2 algorithm using the authentication private key Key_B to produce the encrypted information E = SM2_KeyB(N_i' || R_i || K_s), and processes the concatenated data (N_i' || R_i) with the SM3 hash algorithm using the authentication public key Key_D to produce the message authentication code MAC = SM3_KeyD(N_i' || R_i). It calls the snmp_add_var function to fill the encrypted information E into the PDU, inserts the generated message authentication code MAC into the message, and calls the snmp_send function to send the PDU to the TSN switch;

Step 3: The TSN switch receives and reads the PDU via snmp_synch_response, processes the received message authentication code MAC' with the SM3 hash algorithm using the authentication public key Key_D to obtain (N_i' || R_i), and checks whether N_i' = N_i holds. If it holds, the switch stores the random number R_i', decrypts the received encrypted information with the SM2 algorithm using the authentication public key Key_D to obtain the session key K_s, encrypts the random number R_i' with the SM2 algorithm using the session key K_s to generate the key agreement confirmation information ACK = SM2_Ks(R_i'), calls the snmp_add_var function to fill the key agreement confirmation information into the PDU, and calls the snmp_send function to send the SNMP message to the TSN CNC; if it does not hold, the message is discarded;

Step 4: The TSN CNC receives and reads the SNMP message via snmp_synch_response, decrypts the key agreement confirmation information with the SM2 algorithm using the session key K_s, obtains the random number R_i', and checks whether R_i' = R_i holds. If it holds, key agreement succeeds; otherwise key agreement fails.

At this point the key agreement process between the TSN switch and the TSN CNC is complete, and the TSN switch uses the successfully negotiated session key K_s for subsequent secure communication.

(3) Secure communication

The secure communication scheme designed in this paper, based on the SM3 and SM4 algorithms, mainly covers the data encryption and data decryption processes of the time-sensitive network. In the data encryption stage the TSN switch uses the SM3 algorithm to generate a message authentication code and the SM4 algorithm to encrypt the data, thereby guaranteeing the integrity and confidentiality of data transmitted over the time-sensitive network. SM4 is used in ECB mode for encryption and decryption; both the encryption algorithm and the round-key expansion algorithm use a 32-round nonlinear iterative structure.

The time-sensitive network frame format is largely the same as that of conventional Ethernet. As defined by the IEEE 802.1Q standard, the time-sensitive network frame adds a 4-byte 802.1Q tag to the conventional Ethernet frame format. The tag defines the tag protocol identifier (TPID), priority code point (PCP), canonical format indicator (CFI) and VLAN identifier (VLAN-ID); the frame format is shown in Figure 6.

During time-sensitive network secure communication the MAC-layer message format must be constructed in advance; the specific message construction format is shown in Figure 7.

When a TSN data frame is parsed, the TSN data payload is obtained first and encrypted to produce the ciphertext. One byte is prepended to the data payload as the security control field, which is all zeros by default; once encryption of the payload is complete, its last bit is set to 1 to indicate that the message has been encrypted. At the same time the generated message authentication code is appended after the data payload for security verification, and this whole is sent to the receiver as the secure communication message. After the other end receives the message it first inspects the security control field, then verifies the message authentication code, and only after successful authentication executes the decryption procedure.

The entire time-sensitive network secure communication process is shown in Figure 8.

Step 1: TSN switch 1 parses the TSN data frame, obtains the data payload, and encrypts the plaintext M with the SM4 encryption algorithm using the session key K_s to generate the ciphertext C;

Step 2: TSN switch 1 uses the session key K_s to generate the SM3 message authentication code Tag with the SM3 hash algorithm, and sends the security control field, the ciphertext C and the message authentication code Tag to TSN switch 2 as the secure communication message E;

Step 3: After TSN switch 2 receives the message it first parses the security control field; if the security control field reads 01, the message has been encrypted; otherwise the message is forwarded directly;

Step 4: TSN switch 2 uses the session key K_s to generate the SM3 message authentication code Tag' with the SM3 hash algorithm and checks whether Tag = Tag' holds; if it holds, the decryption procedure is executed, otherwise the message is discarded;

Step 5: For a message that passes message authentication code verification, TSN switch 2 uses the session key K_s to decrypt the ciphertext C with the SM4 decryption algorithm and obtains the TSN plaintext.

At this point the time-sensitive network has completed the secure communication process: a message encrypted at the port of TSN switch 1 is decrypted at the port of TSN switch 2, which guarantees the confidentiality and integrity of the data transmission.
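The five steps above, carried through in code as an added example that is not the patent's own implementation: SM4 from GB/T 32907-2016 in the ECB mode the text specifies, the Figure 7 layout [security control byte][ciphertext C][Tag] built by switch 1, and the receive path of switch 2 (control byte check, tag verification, then decryption). Three assumptions are made where the text is silent or where a different primitive is used: PKCS#7 padding brings the payload up to the 16-byte SM4 block; the Tag is HMAC-SHA256 over the control byte and C, standing in for the SM3-based Tag of the text (the SM3 code is in the example of the previous section and is not repeated here); and the session key K_s is generated locally instead of coming from key agreement.

```python
import hashlib
import hmac
import os
import struct

# Added example, not the patent's own code: SM4 in ECB mode and the secure
# communication message E = control byte || C || Tag from Figure 7.
# Assumptions: PKCS#7 padding; HMAC-SHA256 stands in for the SM3-based Tag.
_SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948")
_FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
_CK = [int.from_bytes(bytes(((4 * i + j) * 7) & 0xFF for j in range(4)), "big")
       for i in range(32)]                 # CK_i as defined in the standard
_MASK = 0xFFFFFFFF
ENCRYPTED = 0x01                           # last bit of the security control byte
TAG_LEN = 32

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK

def _tau(x):                               # byte-wise S-box substitution
    return int.from_bytes(bytes(_SBOX[b] for b in x.to_bytes(4, "big")), "big")

def _t_round(x):                           # T = L o tau, the round function
    b = _tau(x)
    return b ^ _rotl(b, 2) ^ _rotl(b, 10) ^ _rotl(b, 18) ^ _rotl(b, 24)

def _t_key(x):                             # T' = L' o tau, for key expansion
    b = _tau(x)
    return b ^ _rotl(b, 13) ^ _rotl(b, 23)

def sm4_round_keys(key: bytes) -> list:
    """32-round nonlinear key schedule: rk_i = K_i ^ T'(K_i+1 ^ K_i+2 ^ K_i+3 ^ CK_i)."""
    k = [mk ^ fk for mk, fk in zip(struct.unpack(">4I", key), _FK)]
    for i in range(32):
        k.append(k[i] ^ _t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ _CK[i]))
    return k[4:]

def sm4_block(rk: list, block: bytes) -> bytes:
    """One 16-byte block through 32 rounds; output words are reversed."""
    x = list(struct.unpack(">4I", block))
    for i in range(32):
        x.append(x[i] ^ _t_round(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i]))
    return struct.pack(">4I", x[35], x[34], x[33], x[32])

def sm4_ecb_encrypt(key: bytes, data: bytes) -> bytes:
    rk = sm4_round_keys(key)
    pad = 16 - len(data) % 16              # PKCS#7 (assumption)
    data += bytes([pad]) * pad
    return b"".join(sm4_block(rk, data[i:i + 16]) for i in range(0, len(data), 16))

def sm4_ecb_decrypt(key: bytes, data: bytes) -> bytes:
    if not data or len(data) % 16:
        raise ValueError("ciphertext length is not a multiple of 16")
    rk = sm4_round_keys(key)[::-1]         # decryption uses the round keys in reverse
    pt = b"".join(sm4_block(rk, data[i:i + 16]) for i in range(0, len(data), 16))
    pad = pt[-1]
    if not 1 <= pad <= 16 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return pt[:-pad]

def _tag(ks: bytes, ctrl: int, c: bytes) -> bytes:
    return hmac.new(ks, bytes([ctrl]) + c, hashlib.sha256).digest()

def protect_payload(ks: bytes, payload: bytes) -> bytes:
    """Switch 1, steps 1 and 2: E = control byte || C || Tag."""
    c = sm4_ecb_encrypt(ks, payload)
    return bytes([ENCRYPTED]) + c + _tag(ks, ENCRYPTED, c)

def receive_payload(ks: bytes, msg: bytes):
    """Switch 2, steps 3 to 5. Returns (status, data) with status one of
    "forwarded", "decrypted" or "discarded"."""
    if not msg:
        return "discarded", b""
    ctrl = msg[0]
    if not ctrl & ENCRYPTED:               # step 3: not encrypted, forward as is
        return "forwarded", msg
    if len(msg) < 1 + 16 + TAG_LEN:
        return "discarded", b""
    c, tag = msg[1:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(ks, ctrl, c)):   # step 4: Tag = Tag'?
        return "discarded", b""
    try:
        return "decrypted", sm4_ecb_decrypt(ks, c)        # step 5
    except ValueError:
        return "discarded", b""

if __name__ == "__main__":
    ks = os.urandom(16)                    # constructed session key K_s
    e = protect_payload(ks, b"constructed TSN payload")
    print(receive_payload(ks, e))
    print(receive_payload(ks, e[:-1] + bytes([e[-1] ^ 1])))   # tag mismatch
```

Two points a deployment should weigh. ECB, as the text specifies, maps equal 16-byte plaintext blocks to equal ciphertext blocks, so repetitive payload content remains visible in C; a mode that takes a per-message nonce removes that. And the control byte is outside the ciphertext: covering it with the Tag, as done here, keeps an accepted message bound to its flag, but step 3 forwards any message whose flag is clear, so whether a given flow must be encrypted has to be enforced by switch configuration rather than by the message itself.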

Finally, it is noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution, and all such modifications are intended to fall within the scope of the claims of the present invention.

Claims (3)

1. A time sensitive network safety communication method based on a national cryptographic algorithm is characterized in that: the method comprises the following steps:
s1: initializing a time sensitive network;
the time sensitive network deploys a time sensitive wired network formed by a time sensitive network flow generator and a plurality of TSN switches through wired connection; simultaneously configuring a time-sensitive network CNC, wherein the CNC can load parameters required by a device state control unit; firstly, a TSN exchanger needs to acquire topology related information of adjacent equipment by using an LLDP protocol, the information is stored in a management information base MIB in the form of LLDP messages, and then a TSNCNC acquires the topology related information stored in the MIB through the SNMP protocol, wherein the topology related information comprises object identifier OID information of each TSN exchanger, and the object identifier includes equipment system names and equipment IP addresses; using these OID information as the ID of TSN switch i I is more than or equal to 1 and n is the sum of all TSN switches connected to the network;
SNMPv3 defines a new message format including an IP header, UDP header, version, header data, security parameters, contextEngineID, contextname, and SNMPPDU;
the fields in SNMP messages are defined as follows:
version: representing the version of SNMP, and the SNMPv3 message corresponds to a field value of 2;
header data: the description content of the security mode adopted by the message comprises the maximum message size which can be supported by the message sender;
safety parameters: security information including related information of the SNMP entity engine, a user name, authentication parameters, and encryption parameters;
ContextEngineID: an SNMP unique identifier that, along with the PDU type, determines to which application should be sent;
ContextName: a MIB view for determining a ContextEngineID pair managed device;
SNMPv3PDU: contains PDU type, request identifier and variable binding list; wherein SNMPv3PDU includes GetRequestPDU, getNextRequestPDU, setRequestPDU, responsePDU, trapPDU, getBulkRequest x PDU and infrmrequestpdu;
the command names, corresponding codes and functions for identifying different PDUs are as follows:
GetRequest is coded as 0 and functions as: the management station sends the agent to inquire the value of the appointed variable;
GetNextRequest encodes a 1, functions as: the management station sends the agent to inquire the value of the next variable;
response code 2, functions: the agent sends back an execution result to the management station;
SetRequest codes 3, functions: the management station sends the agent to set the value of a certain variable maintained by the agent;
GetBulkRequest encodes 4, functions: the management station transmits batch information to the agent;
InformaRequest is coded as 5, and functions as: the management station transmits a parameter processing request to the management station;
trap code is 6, and functions are: a warning message proxied to the management station;
report code 7, functions: snmpv2 is undefined; snmpv3 is defined to initiate a report when the PDU portion of the message cannot be decrypted;
the header includes:
msgID: a message identifier for identifying the PDU; the value range is 0 to 2 31 -1;
msgMaxSize: representing the maximum message size supported by the message sender, the range of values is 484-2 31 -1;
msgfrags: an 8-bit group string containing several flags, with 3 characteristic bits: reportableFlag, privFlag, authFlag;
msgSecurityModel: a message security model for identifying a security model used by a sender to generate the message, the sender and the receiver having to employ the same security model;
msgSecurityParamters: the security parameters, the user name, the message authentication code MAC and the encryption parameters generated by the security subsystem of the sender are used for protecting the security of message transmission and the security subsystem of the receiver is used for decrypting and authenticating the message;
contextEngineid: an identifier uniquely identifying the SNMP entity; for an incoming message, this field is used to determine to which application to submit the PDU for processing; for outgoing messages, this value is provided by the upper layer application and represents that application;
contextName: the name of the context in which the carried management object is located;
PDU: a PDU with an object binding list;
wherein the last three fields contextEngineID, contextName and the PDU are collectively referred to as a scopedPDU;
the function name to be called when the management end and the proxy end perform data interaction is as follows:
the function name is snmp_pdu_create, which is used for creating an SNMP message;
the function name is snmp_add_var, which is used for filling SNMP message;
the function name is snmp_send, which is used for sending SNMP message;
the function name is snmp_synch_response, which is used for receiving and reading SNMP messages;
the function name is snmp_close, which is used for closing the session and releasing the space occupied by the PDU;
S2: identity authentication;
S21: the TSNCNC sends a get-request packet to the TSN switch to obtain MIB information, parses the OID information in the MIB, generates a public-private key pair (KeyD, KeyB) with the SM2 public key algorithm, and sends the key pair (KeyD, KeyB) to the TSN switch;
S22: the TSN switch calls snmp_pdu_create to create an SNMP message, generates a random number N_i with a random number generator, encrypts the identity ID_i and the random number N_i with the authentication public key KeyD using the SM2 encryption algorithm to produce the identity authentication information C_i = SM2_KeyD(ID_i || N_i), and calls snmp_add_var to fill the encrypted identity authentication information into the PDU;
S23: the identity ID_i and the random number N_i are processed with the SM3 hash algorithm using the authentication public key KeyD to generate the message authentication code TAG = SM3_KeyD(ID_i || N_i); snmp_add_var is called to insert the generated message authentication code into the msgAuthenticationParameters field; the identity authentication information C_i and the message authentication code TAG are combined into the identity authentication request Request_i = C_i || TAG, and snmp_send is called to send the SNMP message to the TSNCNC;
S24: the TSNCNC receives and reads the SNMP message through snmp_synch_response, decrypts the read identity authentication information with the authentication private key KeyB using the SM2 algorithm to obtain the identity ID_i' and the random number N_i', first checks the legitimacy of ID_i', then processes ID_i' and N_i' with the SM3 hash algorithm using the authentication public key KeyD to obtain the message authentication code TAG' = SM3_KeyD(ID_i' || N_i'); if TAG = TAG', identity authentication succeeds; otherwise identity authentication fails, snmp_close is called to close the session, and the subsequent key agreement flow cannot proceed;
the TSN switch thereby completes the identity authentication process, and a TSN switch that has passed TSNCNC identity authentication performs key agreement with the TSNCNC.
2. The time-sensitive network secure communication method based on the cryptographic algorithm as in claim 1, wherein the key agreement is specifically:
S31: the TSNCNC calls snmp_pdu_create to create an SNMP message, generates and stores a session key K_s for the field device, and the random number generator generates a random number R_i;
S32: the TSNCNC concatenates the obtained random number N_i', its own random number R_i and the generated session key K_s, encrypts the concatenated data (N_i' || R_i || K_s) with the authentication private key KeyB using the SM2 algorithm to generate the encrypted information E = SM2_KeyB(N_i' || R_i || K_s), processes the concatenated data (N_i' || R_i) with the SM3 hash algorithm using the authentication public key KeyD to generate the message authentication code MAC = SM3_KeyD(N_i' || R_i), calls snmp_add_var to fill the encrypted information E into the PDU and insert the generated message authentication code MAC, and calls snmp_send to send the PDU to the TSN switch;
S33: the TSN switch receives and reads the PDU through snmp_synch_response, processes the read message authentication code MAC' with the SM3 hash algorithm using the authentication public key KeyD to obtain (N_i' || R_i), and verifies whether N_i' = N_i holds; if so, it stores the random number R_i', decrypts the received encrypted information with the authentication public key KeyD using the SM2 algorithm to obtain the session key K_s, encrypts the random number R_i' with the session key K_s using the SM2 algorithm to generate the key agreement confirmation ACK = SM2_Ks(R_i'), calls snmp_add_var to fill the key agreement confirmation into the PDU, and calls snmp_send to send the SNMP message to the TSNCNC; otherwise it discards the message;
S34: the TSNCNC receives and reads the SNMP message through snmp_synch_response, decrypts the read key agreement confirmation with the session key K_s using the SM2 algorithm to obtain the random number R_i', and verifies whether R_i' = R_i holds; if so, key agreement succeeds, otherwise key agreement fails;
the key agreement process between the TSN switch and the TSNCNC of the time-sensitive network is thus complete, and the TSN switch uses the successfully negotiated session key K_s for subsequent secure communication.
3. The time-sensitive network secure communication method based on the cryptographic algorithm as in claim 2, wherein the secure communication is specifically:
S41: TSN switch 1 parses the TSN data frame to obtain the data payload, and encrypts the plaintext M with the session key K_s using the SM4 encryption algorithm to generate the ciphertext C;
S42: TSN switch 1 generates an SM3 message authentication code Tag with the session key K_s using the SM3 hash algorithm, and sends the security control field, the ciphertext C and the message authentication code Tag together as the secure communication message E to TSN switch 2;
S43: after TSN switch 2 receives the message, it first parses the security control field; if the field reads 01 the message is encrypted, otherwise the message is forwarded directly;
S44: TSN switch 2 generates an SM3 message authentication code Tag' with the session key K_s using the SM3 hash algorithm and verifies whether Tag = Tag' holds; if so, it runs the decryption procedure, otherwise it discards the message;
S45: for a message whose message authentication code has been verified, TSN switch 2 decrypts the ciphertext C with the session key K_s using the SM4 decryption algorithm to obtain the TSN plaintext;
the time-sensitive network thus completes the secure communication process: a message encrypted at the port of TSN switch 1 is decrypted at the port of TSN switch 2, which ensures the confidentiality and integrity of data transmission.
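The secure communication phase of claim 3 (S41 to S45) as both switches would run it, written as an added example for this page and not code from the patent. It assumes HMAC-SHA256 standing in for the keyed SM3 tag and AES-CTR standing in for SM4 (the Go standard library has no SM algorithms), plus a frame layout ctrl || iv || C || Tag with the Tag computed over everything before it, which the claims do not specify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const ctrlEncrypted byte = 0x01 // security control field value the page defines (01 = encrypted)
// Stand-ins (assumption): HMAC-SHA256 for the keyed SM3 tag, AES-CTR for SM4.
func tag(ks, data []byte) []byte {
	h := hmac.New(sha256.New, ks)
	h.Write(data)
	return h.Sum(nil)
}
func ctr(ks, iv, in []byte) []byte {
	block, err := aes.NewCipher(ks) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// Protect is switch 1 (S41-S42): E = ctrl || iv || C || Tag, Tag computed over ctrl||iv||C.
func Protect(ks, m []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // fresh IV per frame; reuse under one K_s breaks CTR confidentiality
	body := append(append([]byte{ctrlEncrypted}, iv...), ctr(ks, iv, m)...)
	return append(body, tag(ks, body)...)
}

// Unprotect is switch 2 (S43-S45): parse ctrl, verify Tag before decrypting, else forward.
func Unprotect(ks, e []byte) ([]byte, error) {
	if len(e) > 0 && e[0] != ctrlEncrypted {
		return e[1:], nil // S43: not encrypted, forward the payload unchanged
	}
	if len(e) < 1+aes.BlockSize+sha256.Size {
		return nil, errors.New("empty or truncated frame: discard")
	}
	body, got := e[:len(e)-sha256.Size], e[len(e)-sha256.Size:]
	if !hmac.Equal(got, tag(ks, body)) { // S44: constant-time compare, discard on mismatch
		return nil, errors.New("tag mismatch: discard")
	}
	return ctr(ks, body[1:1+aes.BlockSize], body[1+aes.BlockSize:]), nil // S45
}
```

Switch 2 checks the Tag before touching the ciphertext and drops the frame on any mismatch or truncation, so a forged or modified frame never reaches the SM4 decryption step.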
CN202210210365.1A 2022-03-04 2022-03-04 Time-sensitive network secure communication method based on cryptographic algorithm Active CN114614984B (en)
Publications (2)

Publication Number Publication Date
CN114614984A CN114614984A (en) 2022-06-10
CN114614984B true CN114614984B (en) 2023-08-29

Family

ID=81861693

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant