Authors: LAN Songbai, LI Fangxiao, SHI Leyi [1] (College of Computer Science and Technology, China University of Petroleum (East China), Qingdao, Shandong 266580, China)
Affiliation: [1] College of Computer Science and Technology, China University of Petroleum (East China), Qingdao, Shandong 266580, China
Source: Journal of Computer Applications, 2023, No. 4, pp. 1183-1190 (8 pages)
Funding: National Natural Science Foundation of China (61772551); Natural Science Foundation of Shandong Province (ZR2019MF034).
Abstract: Aiming at the problems of key leakage, single point of failure and high communication overhead in the central authentication schemes widely used in Industrial Control Systems (ICSs), the Cryptography Fundamental Logics (CFL) authentication technology, which has domestic independent intellectual property rights, was introduced into the authentication and communication process of ICSs, and a CFL-based authentication and communication scheme for ICS was proposed. Firstly, the two communicating parties exchanged and verified dynamic certificates with rights, generated from each other's identity label and authority information, so that decentralized authentication of both parties' identities and negotiation of the session key were realized. Secondly, the session key, CFL dynamic signatures and access control rules were used to ensure secure communication between the two parties. Finally, the detailed logs of the control process were encrypted and stored to make the process traceable. Theoretical analysis and experimental results show that the scheme no longer needs the participation of a remote authentication center in the authentication stage, and realizes local, efficient authentication among industrial control equipment. When facing a large number of authentication requests, the proposed scheme improves system throughput by at least 92.53% compared to the Public Key Infrastructure (PKI) scheme and 141.37% compared to the Identity-Based Encryption (IBE) scheme, which means that the proposed scheme can better meet the requirements of large-scale authentication and millisecond-level secure communication in ICSs.
Keywords: industrial control system; Cryptography Fundamental Logics (CFL) authentication; authenticated communication; Secure Sockets Layer (SSL) protocol; BAN logic
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]