电力监管信息系统安全接入设备关键技术研究

三峡大学硕士学位论文电力监管信息系统安全接入设备关键技术研究姓名：王洪俭申请学位级别：硕士专业：电力系统及其自动化指导教师：王斌;杜光耀20080401II“”()()1IPSecVPN(IPSecurityVirtualPrivateNetwork)AES(AdvancedEncryptionStandard)2IPSecVPNAESIPSecVPNIPSecAESAES3Ice(InternetCommunicationEngine)IEC61970IEC61970CIS(CommonInterfaceStandard)IceIIIAbstractThecontradictionbetweenexistenceof‘informationisland’inelectricalpowerindustryanddeepdevelopmentofelectricalpowermarketization,forcestheconstructionofverticalintegratedinformationplatformsamongthewholeelectricalpowerindustry.TheElectricityRegulatoryMISinthispaper,whichisdirectedbyStateElectricityRegulatoryCommission,isjustoneofthesesystems.Itsconstructionintegratesmanytechnologies,suchasenterprisebusinessapplication,networkplan,systemintegration.etc.ThispaperpresentsaprimarystudyonthesystemarchitectureofElectricityRegulatoryMIS,andthekeytechnologiesoftheSecuredAccessingDevice,whichisitscriticaldevice.1ThearchitectureofElectricityRegulatoryMISFirstly,thispapergivesabriefanalysisofthearchitectureofElectricityRegulatoryMIS.Then,showshowtobuildasystematicalnetworkplatform,pointingatpracticabilityandefficiency,andimportsAES(AdvancedEncryptionStandard)dataencryptionalgorithmtoensuresecurity.2IPSecVPNandDataEncryptiontechnologiesIPSecVPN(IPSecurityVirtualPrivateNetwork)technologyhasbeenwidelyusedbecauseofitssecurity.ThispapershowshowtobuildaexperimentalVPNplatformfollowingIPSecprotocols,givesacomprehensivedescriptionoftheprincipleoftheadoptedAESalgorithmandhowtorealizeitinC/C++programminglanguage.3TheinterfacedesignofSecuredAccessingDevicebasedonInternetCommunicationEngineandIEC61970seriesstandardAsanimportantdataacquisitiondevice,theSecuredAccessingDevice’sinterfacedesignhastofollowthespecialstandardsinelectricalpowerindustry.IEC61970seriesstandardshavebeenwidelyappliedinelectricalpowerindustrymanagementinformationsystems.ThispapergivesagoodintroductionofIEC61970firstly,andthenmapsitsCIS(ComponentInterfaceStandards)intoICE(InternetCommunicationEngine)fortheinterfacedesignofSecuredAccessingDevice.Keywords:VPNDataEncryptionDataCompressionIEC61970InternetCommunicationsEngineI112060“”————“”1.1(),21.220021)2)3)4)5)1.360“”1.3.12002(“”)20052()31.3.2SG1862006429“SG186”“SG186”“”“”[1]1)“1”,“SG186”“1”“”“”2)“8”,“SG186”“8”()“”3)“6”,“SG186”“”41.3.3(SCADA/EMS)SCADA(AGC/EDC)(DTS)(DMIS)SCADA/EMSEMS()[2]SCADA/EMS1)2)SCADA3)PAS4)(DTS)SCADA/EMS(DTS)SCADA/EMSDTSSCADA/EMS5)AGC/EDC(AGC/EDC)6)SCADA/EMS1.3.4SIS5(SIS)(MIS)SIS[3]SIS1)2)3)4)SIS5)SIS61.3.5OA1.4IPSecVPN72InternetInternetInternetInternetInternet(VPN,VirtualPrivateNetworks)VPNVPNVPNInternet2.12.1[4-5]82.12.2[5]2.2[5]92.3[5]2.32.3,102.22.4VPNAgentTCP/IP/TCP/IPAgentTCP/IP/AgentTCP/IP/2.4111)Agent2)3)4)5)LZO6)PKI7)2.5------------------VPNInternet2.5VPN2.512133IPSecVPN(VPN)“()”“LAN”“Internet”Internet(IETFInternetEngineeringTaskForce)VPNInternetIP[6-10]VPNVPNInternetVPNVPN[8-11]1)VPNVPN(PPTP-Point-to-PointTunnelingProtocol)(L2TP-Layer2TunnelingProtocol)IPSec(IPSecurity)Internet2)VPNVPNInternetIPSecVPNIP3)VPN14VPNVPN(RADIUS-RemoteAuthorizationDial-InUserService)VPNRADIUSVPNIPVPNVPN3.1IPSecInternetIPSec[11-14]IPSec(AHAuthenticationHeader)(ESP,EncapsulatingSecurityPayload)IKE()1)AHIP(MD5SHA1)2)ESPIP()AHESP3)IKESA(SecurityAssociation)IKEIPSecIKESAAHESP3.1IPSecIPAHESP3.1IPSecIPSecInternetVPNIP15IPIPIPSec(AHESP)IPIP3.2IPESPIPESPIPInternetIPIPIPSec(AHESP)IP3.3(TCPUDPICMP)IP[11,13]3.2IPSecVPN3.43.53.5IP202.1.1.100202.1.1.200()(192.168.5.1192.168.6.1)16IP202.1.1.199IP192.168.5.2Internet3.4202.1.1.100Switch202.1.1.200Switch192.168.6.1192.168.6.2202.1.1.199192.168.5.2192.168.5.1192.168.5.3192.168.6.100192.168.6.1013.5202.1.1.200()VPNIPSecIP192.168.6.100(VPN)202.1.1.199()VPNIP192.168.6.101“”202.1.1.199()VPN“”()VMwareWorkstationIPSecLinuxFreeS/WANOpenswanStrongswanIPsec(Kernelstack)KLIPS2.6BSDKAMEKAME17IPSecOpenswanFreeS/WANOpenswanStrongswanOpenswanLinuxOpenswanNAT-TNAT-TOpenswanKLIPSNAT-TKLIPSNAT-TAESOpenswanNet-to-NetNetWorksRoadWarrior(Host-to-Net)RoadWarriorVPN/etc/ipsec.confconnsd1esp=aes-sha1left=202.1.1.200leftid=@GateWayleftsubnet=192.168.6.0/24leftrsasigkey=0sAQOC3M800rightnexthop=%defaultrouteright=%anyrightid=@SD1rightrsasigkey=0sAQNjDlqHvauto=addconnsd1esp=aes-sha1left=202.1.1.199#%defaultrouteIP%defaultrouteleftnexthop=%defaultrouteleftid=@SD1leftrsasigkey=0sAQNjDlqHvright=202.1.1.20018rightsubnet=192.168.6.0/24rightid=@GateWayrightrsasigkey=0sAQOC3M800auto=addRoadWarriorleftrightNet-to-NetNet-to-Netleftrightconnespleftrightright=%anyIPIPleftIP%defaultrouteDHCPIP%defaultrouteleftrsasigkeyrightrsasigkey3.3AESIPSecIKEIPSecVPN3.3.1[15-18]()()MData=Encrypt(Data,EKey)(3.1)DataMdataEkey()Data=Decrypt(Mdata,DKey)(3.2)MdataDataDkey3.619DATADATAMDATAMDATADATADATAKEYEncryptDecrypt3.6()EncryptDecryptData=Decrypt(Encrypt(Data,key1),key2)(3.3)Data=Decrypt(Encrypt(Data,key2),key1)(3.4)Datakey1key2ABABBA3.7DATADATAMDATAMDATADATADATAKEY1KEY2EncryptDecryptDATADATAMDATAMDATADATADATAKEY2KEY1EncryptDecrypt3.720key1,key2(PublicKey)(PrivateKey)[16-18]——3.8DATA1DATA1MDATA1MDATA1EncryptDATA2DATA2MDATA2MDATA2Encrypt3.83.3.2IPSecVPNI