Research and Security Evaluation of AUTH-VRF Model for NCS Network Based on Domestic Cryptographic Algorithms
-
摘要: 该文针对工业控制系统安全,提出面向数控系统(NCS)网络安全保护技术框架,选用国产密码系列算法中的SM2, SM3, SM4算法,设计并建立了数控网络(CNC)认证与验证模型(AUTH-VRF),分内外两层为数控网络提供安全防护。外层为数控网络设备间通信与传输进行安全认证实现网段隔离,内层验证通信协议完整性以确保现场设备接收运行程序的正确性与有效性;通过基于SM2, SM3, SM4算法设计和部署的外层防护装置,为分布式数控(DNC)设备与数控系统之间的通信提供身份认证与文件加密传输;同时针对工业控制网络的S7Comm工业通信协议数据,通过SM3算法验证专有工业协议数据完整性。通过网络攻击实验证明,AUTH-VRF模型可以为数控网络中工业生产数据提供有效的安全认证和资源完整性保护,为满足我国关键基础设施“国内、国外工业控制系统产品共同安全可控”和“安全技术深入工业控制系统各个层级”的需求提供了实际可行的技术参考方案。Abstract: For the security of industrial control system, a framework for Numerical Control System(NCS) network security protection technology is proposed. The SM2, SM3 and SM4 algorithms in the domestic cryptographic algorithms are used to design and establish the AUTHentication and VRFfication (AUTH-VRF) model of the Computerized Numerical Control(CNC) network, which provides security protection for both internal and external sides. The external side conducts the security authentication for communication and transmission between CNC network devices to achieve network segment isolation. The internal side verifies communication protocol integrity to ensure that the operating procedures received by the field devices are correct and valid. The external protection device designed and deployed based on the SM2, SM3 and SM4 algorithms provides identity authentication and file encryption transmission for communication between the Distributed Numerical Control(DNC) device and the CNC system. At the same time, for the proprietary industrial communication protocol data in the CNC network, the SM3 algorithm is used to verify its integrity. The network attack experiments prove that the AUTH-VRF model can provide effective security certification and integrity protection for industrial production data in CNC networks. It also provides a practical technical approach to meet the requirements of ‘secure and controllable both for domestic and foreign products’, as well as ‘applying security technique to all layers of Industrial Control Systems’ for protecting the critical infrastructure.
-
陈清明, 朱少辉. 关于工业控制系统网络安全审查工作的思考[J]. 信息安全与通信保密, 2018(6): 59–67. doi: 10.3969/j.issn.1009-8054.2018.06.011CHEN Qingming and ZHU Shaohui. Considerations on the network security censor of industrial control systems[J]. Information Security and Communications Privacy, 2018(6): 59–67. doi: 10.3969/j.issn.1009-8054.2018.06.011 赖英旭, 刘增辉, 蔡晓田, 等. 工业控制系统入侵检测研究综述[J]. 通信学报, 2017, 38(2): 143–156. doi: 10.11959/j.issn.1000-436x.2017036LAI Yingxu, LIU Zenghui, CAI Xiaotian, et al. Research on intrusion detection of industrial control system[J]. Journal on Communications, 2017, 38(2): 143–156. doi: 10.11959/j.issn.1000-436x.2017036 尚文利, 安攀峰, 万明, 等. 工业控制系统入侵检测技术的研究及发展综述[J]. 计算机应用研究, 2017, 34(2): 328–333, 342. doi: 10.3969/j.issn.1001-3695.2017.02.002SHANG Wenli, AN Panfeng, WAN Ming, et al. Research and development overview of intrusion detection technology in industrial control system[J]. Application Research of Computers, 2017, 34(2): 328–333, 342. doi: 10.3969/j.issn.1001-3695.2017.02.002 YANG Dayu, USYNIN A, and HINES W. Anomaly-based Intrusion Detection for SCADA Systems[C]. The 5th International Topical Meeting on Nuclear Plant Instrumentation Controls, and Human Machine Interface Technology, Albuquerque, 2006: 797–802. 黄海, 冯新新, 刘红雨, 等. 基于随机加法链的高级加密标准抗侧信道攻击对策[J]. 电子与信息学报, 2019, 41(2): 348–354. doi: 10.11999/JEIT171211HUANG Hai, FENG Xinxin, LIU Hongyu, et al. Random addition-chain based countermeasure against side-channel attack for advanced encryption standard[J]. Journal of Electronics &Information Technology, 2019, 41(2): 348–354. doi: 10.11999/JEIT171211 屠袁飞, 苏清健, 杨庚. 一种适用于工业控制系统的加密传输方案[J]. 电子与信息学报, 2020, 42(2): 348–354. doi: 10.11999/JEIT190187TU Yuanfei, SU Qingjian, and YANG Geng. An encryption transmission scheme for industrial control system[J]. Journal of Electronics &Information Technology, 2020, 42(2): 348–354. doi: 10.11999/JEIT190187 冯登国. 国内外密码学研究现状及发展趋势[J]. 通信学报, 2002, 23(5): 18–26. doi: 10.3321/j.issn:1000-436X.2002.05.005FENG Dengguo. Status quo and trend of cryptography[J]. Journal of China Institute of Communications, 2002, 23(5): 18–26. doi: 10.3321/j.issn:1000-436X.2002.05.005 国家密码管理局. GM/T 0003.1-2012 SM2椭圆曲线公钥密码算法 第1部分: 总则[S]. 北京: 中国标准出版社, 2012.State Password Administration. GM/T 0003.1-2012 Public key cryptographic algorithm SM2 based on elliptic curves-Part 1: General[S]. Beijing: China Standard Press, 2012. 国家密码管理局. GM/T 0003.2-2012 SM2椭圆曲线公钥密码算法 第2部分: 数字签名算法[S]. 北京: 中国标准出版社, 2012.State Password Administration. GM/T 0003.2-2012 Public key cryptographic algorithm SM2 based on elliptic curves-Part 2: Digital signature algorithm[S]. Beijing: China Standard Press, 2012. 国家密码管理局. GM/T 0003.3-2012 SM2椭圆曲线公钥密码算法 第3部分: 密钥交换协议[S]. 北京: 中国标准出版社, 2012.State Password Administration. GM/T 0003.3-2012 Public key cryptographic algorithm SM2 based on elliptic curves-Part 3: Key exchange protocol[S]. Beijing: China Standard Press, 2012. 国家密码管理局. GM/T 0003.4-2012 SM2椭圆曲线公钥密码算法 第4部分: 公钥加密算法[S]. 北京: 中国标准出版社, 2012.State Password Administration. GM/T 0003.4-2012 Public key cryptographic algorithm SM2 based on elliptic curves-Part 4: Public key encryption algorithm[S]. Beijing: China Standard Press, 2012. 国家密码管理局. GM/T 0003.5-2012 SM2椭圆曲线公钥密码算法 第5部分: 参数定义[S]. 北京: 中国标准出版社, 2012.State Password Administration. GM/T 0003.5-2012 Public key cryptographic algorithm SM2 based on elliptic curves-Part 5: Parameter definition[S]. Beijing: China Standard Press, 2012. STINSON D R, 冯登国, 译. 密码学原理与实践[M]. 2版. 北京: 电子工业出版社, 2003: 131–142.STINSON D R, FENG D G, translation. Cryptography Theory and Practice[M]. 2nd ed. Beijing: Publishing House of Electronics Industry, 2003: 131–142. 赵军, 曾学文, 郭志川. 支持国产密码算法的高速PCIe密码卡的设计与实现[J]. 电子与信息学报, 2019, 41(10): 2402–2408. doi: 10.11999/JEIT190003ZHAO Jun, ZENG Xuewen, and GUO Zhichuan. Design and implementation of high speed PCIe cipher card supporting GM algorithms[J]. Journal of Electronics &Information Technology, 2019, 41(10): 2402–2408. doi: 10.11999/JEIT190003 国家密码管理局. GM/T 0004-2012 SM3密码杂凑算法[S]. 北京: 中国标准出版社, 2012.State Password Administration. GM/T 0004-2012 SM3 cryptographic hash algorithm[S]. Beijing: China Standard Press, 2012. 国家密码管理局. GM/T 0002-2012 SM4分组密码算法[S]. 北京: 中国标准出版社, 2012.State Password Administration. GM/T 0002-2012 SM4 block cipher algorithm[S]. Beijing: China Standard Press, 2012. ZIMMERMANN P R. The Official PGP User’s Guide[M]. Cambridge: MIT Press, 1995: 152–188. KURNIAWAN Y, ALBONE A, and RAHYUWIBOWO H. The design of mini PGP security[C]. 2011 International Conference on Electrical Engineering and Informatics, Bandung, Indonesia, 2011: 6021726. 李强, 冯登国, 张立武, 等. 标准模型下增强的基于属性的认证密钥协商协议[J]. 计算机学报, 2013, 36(10): 2156–2167.LI Qiang, FENG Dengguo, ZHANG Liwu, et al. Enhanced attribute-based authenticated key agreement protocol in the standard model[J]. Chinese Journal of Computers, 2013, 36(10): 2156–2167. LI Yong, SHA Xuejun, and WANG Kun. Hybrid carrier communication with partial FFT demodulation over underwater acoustic channels[J]. IEEE Communications Letters, 2013, 17(12): 2260–2263. doi: 10.1109/LCOMM.2013.102613.131651 -
下载:
图(6)
计量
- 文章访问数: 1869
- HTML全文浏览量: 537
- PDF下载量: 113
- 被引次数: 0
下载:
