Research and Security Evaluation of AUTH-VRF Model for NCS Network Based on Domestic Cryptographic Algorithms
doi: 10.11999/JEIT190893 cstr: 32379.14.JEIT190893
1. Key Laboratory of Dependable Service Computing in Cyber Physical Society, Ministry of Education, Chongqing 400044, China
2. School of Bigdata and Software Engineering, Chongqing University, Chongqing 400044, China
Abstract (Chinese version): Addressing the security of industrial control systems, this paper proposes a technical framework for the network security protection of numerical control systems (NCS). Using the SM2, SM3 and SM4 algorithms from the domestic cryptographic algorithm series, it designs and establishes an authentication and verification model (AUTH-VRF) for the computerized numerical control (CNC) network, which protects the CNC network in two layers, an outer and an inner one. The outer layer performs security authentication of communication and transmission between CNC network devices to achieve network segment isolation; the inner layer verifies the integrity of the communication protocol to ensure that the programs received by field devices are correct and valid. An outer-layer protection device designed and deployed on the basis of the SM2, SM3 and SM4 algorithms provides identity authentication and encrypted file transmission for communication between distributed numerical control (DNC) equipment and the CNC system; at the same time, for S7Comm industrial communication protocol data in the industrial control network, the SM3 algorithm is used to verify the integrity of the proprietary industrial protocol data. Network attack experiments show that the AUTH-VRF model can provide effective security authentication and resource integrity protection for industrial production data in CNC networks, and offer a practical and feasible technical reference for meeting the requirements of China's critical infrastructure that "domestic and foreign industrial control system products be jointly secure and controllable" and that "security technology reach every layer of the industrial control system".

Keywords:
- domestic cryptographic algorithms /
- CNC network /
- security authentication /
- integrity verification
Abstract: For the security of industrial control systems, a framework for Numerical Control System (NCS) network security protection technology is proposed. The SM2, SM3 and SM4 algorithms from the domestic cryptographic algorithms are used to design and establish the AUTHentication and VeRiFication (AUTH-VRF) model of the Computerized Numerical Control (CNC) network, which provides security protection on both the internal and the external side. The external side conducts security authentication for communication and transmission between CNC network devices to achieve network segment isolation. The internal side verifies communication protocol integrity to ensure that the operating procedures received by the field devices are correct and valid. The external protection device designed and deployed on the basis of the SM2, SM3 and SM4 algorithms provides identity authentication and encrypted file transmission for communication between the Distributed Numerical Control (DNC) device and the CNC system. At the same time, for the proprietary industrial communication protocol data in the CNC network, the SM3 algorithm is used to verify its integrity. The network attack experiments prove that the AUTH-VRF model can provide effective security certification and integrity protection for industrial production data in CNC networks. It also provides a practical technical approach to meet the requirements of 'secure and controllable both for domestic and foreign products', as well as 'applying security technique to all layers of Industrial Control Systems' for protecting the critical infrastructure.