2016 International Conference on Electronic Information Technology and Intellectualization (ICEITI 2016) ISBN: 978-1-60595-364-9
The Research of Communication Encryption
Technology in Power Information System
Fei Yang
ABSTRACT
With the enhancement of information security needs, more and more information security technology has been introduced into the power information system. As one of the most powerful technologies, communication encryption technology plays an important role in the power information protection of data confidentiality and integrity. In this paper, we designed the encrypted application architecture, studied the confidentiality and non-repudiation protection methods, and discussed the communication mode. It was proved that communication encryption technology can effectively protect communication data from being tampered or eavesdropped and can improve the overall safety level of the power information system.
INTRODUCTION
Nowadays, more and more enterprises began to build information system to improve the level of office automation. In the power system, the power grid enterprises had built a large power monitoring and management information system to control the power generation, transmission, distribution and marketing [1]. However, the rapid growth of power information system brought considerable information security risk to the power information system, since those information system vendors didn’t consider the information requirement at the beginning design; besides the TCP/IP protocols do lack the information security design [2].
Communication encryption technology is an effectively way to protect the data confidentiality and integrity. In the power grid enterprises, the management
_________________________
information system uses communication encryption technology to protect the remote access process of the system; the SCADA (supervisory control and data acquisition) system uses communication encryption technology to protect the data between the master station and the transformer substation. In the paper, we carried out a comprehensive research of communication encryption technology in the power information system. Firstly, we designed the encrypted application architecture in the power of information system. Secondly, we studied the confidentiality and non-repudiation protection methods for the communication data. Finally, we discussed the communication mode for the power information system. It was proved that communication encryption technology can effectively protect communication data from being tampered or eavesdropped and can improve the overall safety level of the power information system.
THE ARCHITECTURE OF COMMUNICATION ENCRYPTION
General Speaking, communication encryption technology is mainly fulfilled by the VPN technology. According to the implemented level of the TCP/IP protocol suite, the VPN technology can be divided into the link layer VPN (Virtual Private Network), the network layer VPN and the application layer VPN accordingly.
The link layer VPN mainly concludes PPTP (Point to Point Tunneling Protocol), L2F (Layer 2 Forwarding Protocol) and L2TP (Layer 2 Tunneling Protocol). The Network layer VPN mainly concludes IPsec VPN which is defined as a set of security protocol. The IPsec VPN is an open standard framework developed by the IETF IPsec working group, and many companies have modified the IPsec VPN encryption algorithm to strengthen the data protection. The application layer VPN mainly concludes the SSL (Secure Sockets Layer) protocol [3-4].
In power information system, there are three typical application scenarios for the communication encryption technology[3,4,5].
1) Gateway to gateway: This application scenario is mainly used between large master station and substation. In this scenario, these gateways are placed at the outlet of the system and used to build encrypted communication tunnel, each data packet send from the internal server to the target server in the substation will be encrypted and decrypted automatically at the gateway.
2) Server to server: The encrypted channel is established between servers, this application scenario is mainly used to build peer to peer encrypted communication and requires the server to have additional configuration.
is mainly used between master station and transformer substation or power plant, it is designed to protect the control signal, the current and voltage signals.
THE CONFIDENTIALITY AND NON-REPUDIATION METHODS
In order to illustrate the confidentiality and non-repudiation protection methods, we should firstly introduce the encryption and decryption principle used in the power information system. There are two typical encryption and decryption algorithm, the symmetric cryptographic and asymmetric cryptographic algorithm.
The symmetric cryptographic algorithm uses the same key to encrypt the plaintext and decrypt the cipher text. Since the encrypted communication process is mainly protected by the secret key which can be leaked by improper use, the symmetric cryptographic algorithm is always used with the asymmetric cryptographic algorithm together.
The asymmetric cryptographic algorithm uses a pair of keys to encryption and decryption. The pair of keys (k1, k2) are called public and private key separately. The public key and private key must be used together, besides, the private key should be saved safely by users and the public key can be released through official channels [6].
In the power information system, the asymmetric cryptographic algorithm can be applied as follows way to achieve the protection of information system. Just as Fig. 1 shown, user A sends data to the user B, the public and private key pairs for user A and user B are(PubA, PriA) and (PubB, PriB) respectively.
1) The method of data confidentiality guarantee: User A uses user B's public key PubB to encrypt application data, and send encrypted date to user B. Since only the user B has the correct key of the encrypted date, thus only user B can decrypt the data received. As a result, we can protect the data from being eavesdropped by others through this way [6].
2) The method of undeniable identity guarantee: User A uses its private key PriA to encrypt application data, and send encrypted date to user B. After receiving the encrypted date, user B decrypt the date with user A's public key. If the encrypted date can be decrypted correctly, it can be inferred that the data must be issued by user since only user A has the correct private key [6].
User A
Public PubA Private PriA
User B
Public PubB Private PriB
( )
priA
E data
( ( )) / ( ( ))
priA pubB pubB priA
E E data E E data
( )
pubB
[image:4.612.121.488.85.156.2]E data
Figure 1.The application of asymmetric cryptographic algorithm.
THE COMMUNICATION MODE
There are two kinds of communication mode for the encrypted communication technology, the tunnel mode and the transport mode. Besides, there are two kinds of packet encapsulation method, the authentication header encapsulation method and encapsulated security payload encapsulation method. The combination of different packet encapsulation method and different communication mode can fulfill different user needs.
1)The Tunnel Mode
Since the TCP/IP protocol stack is combined with different layers, for the authentication header encapsulation method, the system uses new IP header, authentication header and original IP packet to compose a new IP packet. The original IP packet is encapsulated as the application data in the new IP packet. Besides, the authentication head will signs the entire packet for integrity and authentication [6-7].
For the ESP encapsulation method in the tunnel mode, the system firstly encrypt the original IP header, original IP payload and ESP trailer as its application layer data, and then encapsulate the other new IP header, ESP header and ESP authentication trailer to compose a new IP packet. The ESP authentication trailer is the signature of ESP header || Encrypt(original IP header and payload||ESP trailer).
The encapsulation format for the tunnel mode is shown in Fig. 2. It can be concluded that in the tunnel mode, the system will add new IP header to the new packet. As a result, the tunnel mode is mainly used for the gateway-to-gateway scenarios [8].
2) The Transport Mode
[image:4.612.115.521.600.656.2]Figure 3. The data encapsulation format for transport mode.
CONCLUSION
This paper conducted a comprehensive research of communications encryption method in the power information system. We firstly designed the encrypted application architecture. Afterwards, we studied the confidentiality and non-repudiation protection methods for the communication data. And last, we discussed the communication mode for the power information system. It was proved that communication encryption technology can effectively protect communication data from being tampered or eavesdropped and can improve the overall safety level of the power information systems.
REFERENCES
1. Song Lei, Luo Qiliang, Luo Yi, Tu Guangyu. "Encryption on Power Systems Real-Time Data Communication". Automation of Electric Power Systems [J], 2004, 28(14), PP76-81.
2. Hu Yan, Dong Mingchui. "Strengthening the Security of Network Applications with SSL Protocol". Automation of Electric Power Systems [J], 2002, 26(15), PP 70-77.
3. Gao Zhuo, Luo Yi, Tu Guangyu, Wu Tong, "Analysis of Computer Network Security in Substation". Automation of Electric Power Systems [J], 2002, PP 53-57.
4. Shao Guangqiang, Wang Yue. "Application of OpenSSL in IEC61850 communication security". Telecommunications for Electric Power System [J], 2008, 29(188), pp 30-33.
5. Shaw T. “Using Internet Technologies for Secure Substation Access and Control”. Power Engineering Society Summer Meeting. 2000. PP 363-368
6. Yuan Hong; Li Jiguo. "Simulation on Encryption Algorithm for Communication under Public Key Cryptosystems". Computer Simulation [J]. 2015, 32(3), pp 331-334.
7. Cao Wanpeng,Bi Wei. "Adaptive and Dynamic Mobile Phone Data Encryption Method".
China Communications [J]. 2014, (1), pp 103-109.
8. Wu Ban, Wu Junsheng. "Application of Encrypted Communications and Identify Technique in Electronic Commerce". Aeronautical Computing Technique [J], 2006, 36(2), PP 70-73.
