工业控制系统安全监控协议的设计与优化研究

doi:10.3969/j.issn.1671-1122.2019.02.008

摘要/Abstract

摘要：

工业监控协议面临的安全威胁主要有完整性、新鲜性和机密性等方面的攻击,而现有工业监控协议在设计时通常将传输数据的可用性放在首位,对协议的安全性研究主要集中于对协议机密性的改进,对协议完整性认证考虑不足。针对上述问题,文章采用消息认证码技术增强监控消息完整性,采用随机数与Diffie-Hellman密钥交换算法原理相结合的技术生成会话对称密钥,避免Diffie-Hellman密钥交换过程的中间人攻击。针对一些特殊工业控制系统资源受限等工作环境特点,文章在确保完整性的前提下对设计的协议进行优化,以提高监控协议运行效率。通过安全性与性能分析可知,整套协议方案可以有效地解决监控消息完整性认证、抵抗重放攻击等安全问题。

关键词: 工业控制系统, 监控协议, 完整性认证, 消息认证码, 密钥协商

Abstract:

The security threats to industrial monitoring and controlling protocols mainly include integrity, freshness and confidentiality. In contrast, existing industrial monitoring and controlling protocols usually place the first priority on the availability of transmitted data. The study on the security of protocols mainly focuses on the improvement of the confidentiality of the protocols but lack consideration for integrity. Aiming at issues above, the paper uses message authentication code technology to enhance the integrity of monitoring messages and uses a combination of random numbers and the Diffie-Hellman key exchange algorithm to generate the session symmetric key, to avoid the man-in-the-middle attack in the process of Diffie-Hellman key exchange. For the characteristics of the operating environment of special industrial control systems such as limited resources, the paper optimizes the designed protocol on the premise of ensuring the integrity, in order to improve the runtime efficiency of the protocol. Through the analysis of security and performance, the protocol scheme can effectively solve security problems such as source and target authentication, monitoring message integrity authentication, and resistance to reply attacks, etc.

Key words: industrial control system, monitoring and controlling protocol, integrity authentication, message authentication code, key agreement

中图分类号:

TP309

陈瑞滢, 陈泽茂, 王浩. 工业控制系统安全监控协议的设计与优化研究[J]. 信息网络安全, 2019, 19(2): 60-69.

Ruiying CHEN, Zemao CHEN, Hao WANG. Design and Optimization of Security Monitoring and Controlling Protocol in Industrial Control Systems[J]. Netinfo Security, 2019, 19(2): 60-69.

图/表 4

参考文献 19

[1]	WANG Xiaoshan, YANG An, SHI Zhiqiang, et al.New Trend of Information Security in Industrial Control Systems[J]. Netinfo Security, 2015, 15(1): 6-11.
	王小山,杨安,石志强,等. 工业控制系统信息安全新趋势[J]. 信息网络安全,2015,15(1):6-11.
[2]	CHEN Xing, JIA Zhuosheng.Industrial Control Network Information Security Threats and Vulnerability Analysis and Research[J]. Computer Science, 2012, 39(s2): 188-190.
	陈星,贾卓生. 工业控制网络的信息安全威胁与脆弱性分析与研究[J]. 计算机科学,2012,39(s2):188-190.
[3]	SHI Xi, CHEN Zhen, WANG Dongsheng, et al.A Research of the Key Technology of the Aggregative Security Gateway of Internet of Things[J]. Netinfo Security, 2012, 12(6): 85-89.
	石希,陈震,汪东升,等. 物联网汇聚安全网关关键技术研究[J]. 信息网络安全,2012,12(6):85-89.
[4]	HOU Weiyan, FEI Minrui.PROFIBUS Protocol Analysis and System Application[M]. Beijing: Tsinghua University Press, 2006.
	侯维岩,费敏锐. PROFIBUS协议分析和系统应用[M]. 北京:清华大学出版社,2006.
[5]	XU Shanshan.Research of Lightweight Data Security Transmission for Industrial Control System[D]. Hangzhou: Zhejiang University, 2016.
	徐珊珊. 工业控制系统轻量级数据安全传输的研究[D]. 杭州:浙江大学,2016.
[6]	CHEN L, CHENG Z, SMART N P.Identity-based Key Agreement Protocols from Pairings[J]. International Journal of Information Security, 2007, 6(4): 213-241.
[7]	FAN Wenbin.Analysis of Security Protection on Industrial Control Protocol[J]. Electronic Science & Technology, 2015, 2(3): 334-337.
	范文斌. 工业控制协议安全防护分析[J]. 电子科学技术,2015,2(3):334-337.
[8]	CARLSEN U.Cryptographic Protocol Flaws: Know Your Enemy[C]//IEEE. The Computer Security Foundations Workshop VII, June 14-16, 1994, Franconia, NH, USA. New Jersey: IEEE, 1994: 192-200.
[9]	ZHANG Xiaomei, WU Fusheng, PENG Changgen.Random Key Agreement Protocol for Provable Security[J]. Modern Electronics Technique, 2017, 40(13): 87-90.
	张小梅,吴福生,彭长根. 可证明安全的随机密钥协商协议[J]. 现代电子技术,2017,40(13):87-90.
[10]	ZHANG Shaolan.Design and Security Analysis on Several Cryptograpy Hash Functions[D]. Beijing: Beijing University of Posts and Telecommunications, 2011.
	张绍兰. 几类密码Hash函数的设计和安全性分析[D]. 北京:北京邮电大学,2011.
[11]	XU Jin, WEN Qiaoyan, WANG Dayin.A New Message Authentication Code Based on Hash Function and Block Cipher[J]. Chinese Journal of Computers, 2015, 38(4): 793-803.
	徐津,温巧燕,王大印. 一种基于Hash函数和分组密码的消息认证码[J]. 计算机学报,2015,38(4):793-803.
[12]	LU Anping, YANG Jimin, LI Feng, et al.A Comparative Study of Several Lightweight Encryption Algorithms[J]. Modern Electronics Technique, 2014(12): 37-41.
	路安平,杨济民,李锋,等. 几种轻量级加密算法的比较研究[J]. 现代电子技术,2014(12):37-41.
[13]	ZHOU Yanwei, YANG Bo, ZHANG Wenzheng.An Improved Two-party Authenticated Certificateless Key Agreement Protocol[J]. Chinese Journal of Computers, 2017, 40(5): 1181-1191.
	周彦伟,杨波,张文政. 一种改进的无证书两方认证密钥协商协议[J]. 计算机学报,2017,40(5):1181-1191.
[14]	LI Yue, LI Wei, CAO Yanqin, et al.Performance Analysis on Several Lightweight Block Cipher Algorithms[J]. Computer Applications and Software, 2016, 33(10): 317-320.
	李悦,李玮,曹艳琴,等. 几种轻量级分组密码算法的性能分析[J]. 计算机应用与软件,2016,33(10):317-320.
[15]	WANG Ya, WEI Guoheng.A Research Summary on Lightweight Cryptographic Algorithms for RFID[J]. Computer Applications and Software, 2017, 34(1): 9-14.
	汪亚,魏国珩. 适用于RFID的轻量级密码算法研究综述[J]. 计算机应用与软件,2017,34(1):9-14.
[16]	YANG Wei, WAN Wunan, CHEN Yun, et al.Review on Lightweight Cryptography Suitable for Constrained Devices[J]. Journal of Computer Applications, 2014, 34(7): 1871-1877.
	杨威,万武南,陈运,等. 适用于受限设备的轻量级密码综述[J]. 计算机应用,2014,34(7):1871-1877.
[17]	BOGDANOV A, KNUDSEN L R, LEANDER G, et al.Present: An Ultra-lightweigtht Block Cipher[C]//Springer. 9th International Workshop on Cryptographic Hardware and Embedded Systems, September 10-13, 2007, Vienna, Austria. Heidelberg: Springer, 2007: 450-466.
[18]	ZHANG Bo, ZHAO Ting, XU Xingkun, et al.Industrial Control System Security Analysis and Communication Protocol Enhancement Design[J]. Electric Power, 2015, 48(8): 150-154.
	张波,赵婷,徐兴坤,等. 工业控制系统安全性分析及通信协议增强设计[J]. 中国电力,2015,48(8):150-154.
[19]	FU Ge, ZHOU Nianrong, WEN Hong.The Study of Security Issues for the Industrial Control System Communication Protocols in Smart Grid[J]. Information Security and Technology, 2014, 5(1): 36-38.
	傅戈,周年荣,文红. 智能电网工业系统通信控制协议的安全研究[J]. 信息安全与技术,2014,5(1):36-38.

认证协议	消息交互数/次
SMCP-EOV协议	2
SSL/TLS	7
文献[18]的工业控制协议	2