Identity authentication method in smart grid environment and computer device
By generating exclusive session keys for the power grid information center and digital twin entities in the smart grid system and transmitting them in encrypted form, the problem of vulnerability to attacks in smart grid system communication is solved, achieving low-cost and efficient identity authentication and user privacy protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- GUIZHOU POWER GRID CO LTD
- Filing Date
- 2022-11-08
- Publication Date
- 2026-06-05
AI Technical Summary
Existing smart grid systems lack effective authentication methods during information transmission, making communication vulnerable to attacks and user privacy difficult to protect.
The registration center generates exclusive session keys for the power grid information center and the digital twin entity, and transmits them in an encrypted manner to ensure that only the communication objects can decrypt them, thus establishing secure communication between the two parties.
It achieves low-cost and efficient identity authentication, resists offline password guessing, privileged insider attacks, replay attacks, device theft attacks, and user impersonation attacks, protects user privacy, and has forward security.
Smart Images

Figure CN115765995B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of communication encryption technology, and in particular to an identity authentication method and computer equipment in a smart grid environment. Background Technology
[0002] Digital twin technology collects and analyzes metering data for each smart grid user, establishing a unique digital twin entity for each user. The power grid information center can then interact with this digital twin to design more targeted and personalized electricity metering methods, leading to more accurate power distribution planning. Furthermore, digital twin technology can assist the power grid information center in metering electricity consumption for smart grid users. It can model complex electricity consumption processes, allowing the power grid information center to use equipment to extract intuitive data, thus making electricity metering more efficient. In summary, all integration of digital twin technology with smart grids relies heavily on information transmission. Currently, there is an urgent need for an authentication method to ensure secure communication within the smart grid system. Summary of the Invention
[0003] The purpose of this application is to address at least one of the aforementioned technical deficiencies, and in particular, to propose a low-cost, high-efficiency identity authentication method.
[0004] Firstly, from the perspective of the registration center, this application provides an identity authentication method for a smart grid system, the method including:
[0005] Based on the first registration request, a first registration code is generated that is unique to the power grid information center corresponding to the first registration request, and the first registration code is sent to the power grid information center corresponding to the first registration request.
[0006] Based on the second registration request, a second registration code is generated that is unique to the digital twin entity corresponding to the second registration request, and the second registration code is sent to the digital twin server to which the digital twin entity corresponding to the second registration request belongs;
[0007] When any registered power grid information center needs to communicate with a registered digital twin entity, the power grid information center is taken as the target power grid information center and the digital twin entity is taken as the target entity. A first string is generated based on the communication request of the target power grid information center and the first registration code corresponding to the target power grid information center, and a second string is generated based on the communication request of the target entity and the second registration code corresponding to the target entity.
[0008] Generate a first random number, and generate a session key unique to the target power grid information center and the target entity based on the first random number, the first string, and the second string;
[0009] The session key is encrypted using the first registration code corresponding to the target power grid information center to obtain the first encrypted session key. The session key is then encrypted using the second registration code corresponding to the target entity to obtain the second encrypted session key. The first encrypted session key is sent to the target power grid information center, and the second encrypted session key is sent to the target entity.
[0010] In one embodiment, the first registration request includes a first identity code and a first pseudo password of the power grid information center corresponding to the first registration request. The first pseudo password is a first password that has undergone first encryption. The first identity code and the first password are used to log in to the power grid information center.
[0011] Based on the first registration request, a first registration code unique to the power grid information center corresponding to the first registration request is generated, including:
[0012] The first key, the first identity code, and the first pseudo-password are hashed to obtain the first registration code.
[0013] In one embodiment, the communication request of the target power grid information center includes a first pseudo registration code and a first identity code, wherein the first pseudo registration code is a first registration code that has undergone a second encryption process.
[0014] A first string is generated based on the communication request from the target power grid information center and the first registration code corresponding to the target power grid information center, including:
[0015] Based on the first identification code of the target power grid information center, find the first registration code corresponding to the target power grid information center;
[0016] The first registration code and the first pseudo registration code corresponding to the target power grid information center are XORed to obtain the first string.
[0017] In one embodiment, the second registration request includes a second identity code and a second pseudo password of the digital twin entity corresponding to the second registration request. The second pseudo password is a second password that has undergone third encryption. The second identity code and the second password are used to log in to the digital twin entity.
[0018] Based on the second registration request, a second registration code is generated that is unique to the digital twin entity corresponding to the second registration request, including:
[0019] The first key, the second identity code, and the second pseudo-password are hashed to obtain the second registration code.
[0020] In one embodiment, the communication request of the target entity includes a second pseudo registration code and a second identity code, wherein the second pseudo registration code is a second registration code that has undergone a fourth encryption process;
[0021] Based on the second registration request, a second registration code is generated that is unique to the digital twin entity corresponding to the second registration request, including:
[0022] Based on the target entity's second identity code, find the target entity's corresponding second registration code;
[0023] The second registration code and the second pseudo registration code corresponding to the target entity are XORed to obtain the second string.
[0024] In one embodiment, a session key unique to the target power grid information center and the target entity is generated based on a first random number, a first string, and a second string, including:
[0025] Perform a hash operation on the first random number, the first string, and the second string to obtain the session key.
[0026] In one embodiment, the session key is encrypted based on the first registration code corresponding to the target power grid information center to obtain a first encrypted session key, including:
[0027] The first encrypted session key is obtained by performing an XOR operation between the session key and the first registration code corresponding to the target power grid information center.
[0028] The session key is encrypted using the second registration code corresponding to the target entity to obtain the second encrypted session key, which includes:
[0029] The second encrypted session key is obtained by XORing the session key and the second registration code corresponding to the target entity.
[0030] Secondly, from the perspective of the power grid information center, this application also provides an identity authentication method for a smart grid system, the method including:
[0031] Send the first registration request to the registration center;
[0032] Receive the first registration code from the registration center;
[0033] When it is necessary to communicate with a registered digital twin entity, a communication request is sent to the registry center with that digital twin entity as the target entity.
[0034] Receive the first encrypted session key from the registry center;
[0035] The first encrypted session key is decrypted using the first registration code to obtain the session key.
[0036] Thirdly, from the perspective of a digital twin server, this application also provides an identity authentication method for a smart grid system, the method comprising:
[0037] Send a second registration request to the registration center;
[0038] Receive the second registration code from the registration center;
[0039] When it is necessary to communicate with a registered power grid information center, a communication request is sent to the registration center with that power grid information center as the target power grid information center;
[0040] Receive the second encrypted session key from the registration center;
[0041] The second encrypted session key is decrypted using the second registration code to obtain the session key.
[0042] Fourthly, embodiments of this application also provide a computer device, including one or more processors and a memory, the memory storing computer-readable instructions, which, when executed by one or more processors, perform the steps of the authentication method in any of the above embodiments.
[0043] As can be seen from the above technical solutions, the embodiments of this application have the following advantages:
[0044] Based on any of the above embodiments, the power grid information center and the digital twin entity first need to register with the registration center. The registration center generates highly confidential, exclusive session keys for the registered power grid information center and digital twin entity. These session keys are then encrypted using a method that only the communicating parties can decrypt, ensuring that the session keys cannot be cracked. This method solves the problem of vulnerability to attacks in communication between the power grid information center and the digital twin entity by establishing a session key between the two parties, effectively protecting user privacy. Furthermore, the implementation of the above functions has the advantages of low cost and high efficiency. Attached Figure Description
[0045] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0046] Figure 1 This is an application scenario diagram of the identity authentication method provided in the embodiments of this application;
[0047] Figure 2 A flowchart illustrating an identity authentication method applied to a registration center, as provided in an embodiment of this application;
[0048] Figure 3 A flowchart illustrating the identity authentication method applied to a power grid information center, as provided in an embodiment of this application;
[0049] Figure 4 A flowchart illustrating an identity authentication method applied to a digital twin server, provided in an embodiment of this application;
[0050] Figure 5 This is a schematic diagram illustrating the multi-terminal interaction of the identity authentication method provided in the embodiments of this application;
[0051] Figure 6 This is an internal structural diagram of a computer device provided in an embodiment of this application. Detailed Implementation
[0052] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of this application.
[0053] Please see Figure 1 The smart grid system in this application includes a registration center 102, a power grid information center 104, and a digital twin server 106. There can be one or more power grid information centers and digital twin servers 106. The digital twin server 106 is configured with multiple digital twin entities, with each smart grid user having a corresponding digital twin entity. Each digital twin entity stores detailed electricity consumption data for the smart grid user. The digital twin entities can establish a unique electricity consumption model for each smart grid user by collecting electricity consumption information and metering data from sensors deployed around the user. The power grid information center 104 can use the digital twin entities to perform power distribution and electricity metering for users. This application aims to ensure secure communication between the power grid information center 104 and the digital twin entities in the aforementioned system.
[0054] From the perspective of the registry center, please refer to Figure 2 This application provides an identity authentication method for a smart grid system, the method including steps S202 to S210.
[0055] S202, Based on the first registration request, generate a first registration code that is unique to the power grid information center corresponding to the first registration request, and send the first registration code to the power grid information center corresponding to the first registration request.
[0056] Understandably, to ensure security, a power grid information center needs to register with a registration center before communicating with its digital twin entity. An unregistered power grid information center registers by sending a first registration request to the registration center. Upon receiving the first registration request, the registration center generates a first registration code corresponding to the power grid information center and sends this code back to the power grid information center to complete the registration. In some embodiments, to further ensure security, communication between the power grid information center and the registration center needs to be conducted through a secure channel.
[0057] S204. Based on the second registration request, generate a second registration code specific to the digital twin entity corresponding to the second registration request, and send the second registration code to the digital twin server to which the digital twin entity corresponding to the second registration request belongs.
[0058] Similarly, digital twin entities also need to register with a registry center. Unregistered digital twin entities send a second registration request to the registry center through their respective digital twin servers. Upon receiving the second registration request, the registry center generates a second registration code corresponding to the digital twin entity and sends this code back to the digital twin server to complete the registration of the digital twin entity. In some embodiments, to further ensure security, communication between the digital twin server and the registry center needs to be conducted through a secure channel.
[0059] S206, when any registered power grid information center needs to communicate with a registered digital twin entity, the power grid information center is taken as the target power grid information center and the digital twin entity is taken as the target entity. A first string is generated based on the communication request of the target power grid information center and the first registration code corresponding to the target power grid information center, and a second string is generated based on the communication request of the target entity and the second registration code corresponding to the target entity.
[0060] If a registered power grid information center needs to communicate with a registered digital twin entity, it needs to generate a session key through the registration center. Both the power grid information center and the digital twin entity send communication requests to the registration center. Based on the communication requests, the registration center can identify the two communicating parties and extract the required first and second registration codes. The first and second registration codes are then encrypted to obtain a first string and a second string, respectively. In some embodiments, to defend against replay attacks, the registration center only executes step S206 when it simultaneously receives communication requests from both the target power grid information center and the target entity, thus neutralizing the replay attack.
[0061] S208, generate a first random number, and generate a session key unique to the target power grid information center and the target entity based on the first random number, the first string, and the second string.
[0062] Since the first string is generated based on a first registration code unique to the target power grid information center, and the second string is generated based on a second registration code unique to the target entity, the session key obtained by combining these two strings is unique to both the target power grid information center and the target entity. To enhance confidentiality, a first random number is added to the first and second strings to obtain the final session key. In one specific embodiment, if the current first random number has been used for more than a certain period of time, the registration center will invite the target power grid information center and the target entity to resend the communication request to update the session key using the newly generated first random number, thereby increasing confidentiality.
[0063] S210, encrypt the session key according to the first registration code corresponding to the target power grid information center to obtain the first encrypted session key, encrypt the session key according to the second registration code corresponding to the target entity to obtain the second encrypted session key, send the first encrypted session key to the target power grid information center, and send the second encrypted session key to the target entity.
[0064] To prevent the session key from being intercepted during transmission, a first registration code, known only to the registration center and the target power grid information center, is used to encrypt the session key, resulting in a first encrypted session key. Even if this first encrypted session key is intercepted, the true session key cannot be decrypted without knowing the encryption method and the first registration code. Since the power grid information center is trusted and knows the decryption method, it can obtain the session key by decrypting it using the first registration code after acquiring the first encrypted session key. The second encrypted session key operates on a similar principle and will not be elaborated further.
[0065] Based on the authentication method in this embodiment, the power grid information center and the digital twin entity first need to register with the registration center. The registration center generates highly confidential, exclusive session keys for the registered power grid information center and digital twin entity. Then, the session keys are encrypted using a method that only the communicating parties can decrypt, ensuring that the session keys cannot be cracked. This method solves the problem of vulnerability to attacks in communication between the power grid information center and the digital twin entity by establishing a session key between the two parties, effectively protecting user privacy. Furthermore, the implementation of the above functions has the advantages of low cost and high efficiency.
[0066] In one embodiment, the first registration request includes a first identity code and a first pseudo password corresponding to the power grid information center. The first pseudo password is a first password that has undergone a first encryption process. The first identity code and the first password are used to log in to the power grid information center. It is understood that when a user needs to use the functions related to the power grid information center, they need to log in using the first identity code and the first password. Only users who pass the login verification can use the power grid information center. In order to complete registration in the registration center and generate a registration code unique to the power grid information center, relevant information unique to the power grid information center needs to be provided. The first identity code and the first password can meet this requirement. However, if the first identity code and the first password are directly transmitted to the registration center, interception during transmission may lead to password leakage. Therefore, this embodiment also encrypts the first password to obtain a first pseudo password. Even if malicious actors intercept the first identity code and the first pseudo password, they cannot use them to log in to the power grid information center.
[0067] In this embodiment, the registration center obtains the first registration code by performing a hash operation on the first key, the first identity code, and the first pseudo-password. The registration center can establish a correspondence between the first registration code and the first identity code of the power grid information center, and then store this correspondence for easy reference in subsequent registrations based on the first identity code. Hash operations have low computational overhead, ensuring low overhead and low latency in the registration process, enabling rapid registration of the power grid information center. This method also features forward security: forward security means that even if an attacker obtains the registration center's first key, the attacker cannot obtain the power grid information center's identity and password, and therefore cannot obtain the session key, thus providing forward security.
[0068] In one embodiment, the first encryption process involves performing a hash operation on the first identity code and the first password to obtain a first pseudo password.
[0069] In one embodiment, the communication request from the target power grid information center includes a first pseudo registration code and a first identity code, wherein the first pseudo registration code is a first registration code that has undergone a second encryption process. Similarly, to prevent the first registration code from being directly obtained, the target power grid information center also performs a second encryption process on the first registration code. To facilitate the registration center in confirming the target entity corresponding to the target power grid information center, the communication request may also include the target entity's identification information, such as the target entity's second identity code, device ID, etc.
[0070] A first string is generated based on the communication request from the target power grid information center and the first registration code corresponding to the target power grid information center, including:
[0071] (1) Based on the first identity code of the target power grid information center, find the first registration code corresponding to the target power grid information center.
[0072] (2) Perform an XOR operation on the first registration code and the first pseudo registration code corresponding to the target power grid information center to obtain the first string.
[0073] In one embodiment, the second encryption process may be: generating a second random number, and performing an XOR operation between the second random number and the first registration code to obtain a first pseudo registration code.
[0074] In one embodiment, the second registration request includes a second identity code and a second pseudo-password for the digital twin entity corresponding to the second registration request. The second pseudo-password is a second password that has undergone a third encryption process. The second identity code and the second password are used to log in to the digital twin entity. It is understood that in order to complete registration at the registration center and generate a registration code unique to the digital twin entity, relevant information unique to the digital twin entity needs to be provided. The second identity code and the second password can meet this requirement. However, if the second identity code and the second password are directly transmitted to the registration center, interception during transmission could lead to password leakage. Therefore, this embodiment also encrypts the second password to obtain a second pseudo-password. Even if malicious actors intercept the second identity code and the second pseudo-password, they cannot use them to log in to the digital twin entity.
[0075] In this embodiment, the registration center obtains the second registration code by performing a hash operation on the first key, the second identity code, and the second pseudo-password. The registration center can establish a correspondence between the second registration code and the second identity code of the digital twin entity, and then store this correspondence for easy reference in subsequent registrations based on the second identity code. Hash operations have low computational overhead, ensuring low overhead and low latency in the registration process, enabling rapid registration of the digital twin entity. This method also features forward security: forward security means that even if an attacker obtains the registration center's first key, the attacker cannot obtain the identity and password of the digital twin entity, and therefore cannot obtain the session key, thus providing forward security.
[0076] In one embodiment, the third encryption process involves hashing the second identity code and the second password to obtain a second pseudo-password.
[0077] In one embodiment, the communication request of the target entity includes a second pseudo-registration code and a second identity code, wherein the second pseudo-registration code is a second registration code that has undergone a fourth encryption process. Similarly, to prevent the second registration code from being directly obtained, the target entity also performs a fourth encryption process on the second registration code. To facilitate the registration center's confirmation of the target power grid information center corresponding to the target entity, the communication request may also include the identification information of the target power grid information center, such as the first identity code of the target power grid information center, device ID, etc.
[0078] Based on the second registration request, a second registration code is generated that is unique to the digital twin entity corresponding to the second registration request, including:
[0079] (1) Based on the second identity code of the target entity, find the second registration code corresponding to the target entity.
[0080] (2) Perform an XOR operation on the second registration code and the second pseudo registration code corresponding to the target entity to obtain the second string.
[0081] In one embodiment, the fourth encryption process may be: generating a third random number, performing an XOR operation between the third random number and the second registration code to obtain a second pseudo registration code.
[0082] In one embodiment, generating a session key specific to the target power grid information center and the target entity based on a first random number, a first string, and a second string includes: performing a hash operation on the first random number, the first string, and the second string to obtain the session key.
[0083] In one embodiment, encrypting the session key according to the first registration code corresponding to the target power grid information center to obtain the first encrypted session key includes: performing an XOR operation on the session key and the first registration code corresponding to the target power grid information center to obtain the first encrypted session key.
[0084] The session key is encrypted according to the second registration code corresponding to the target entity to obtain the second encrypted session key, including: performing an XOR operation on the session key and the second registration code corresponding to the target entity to obtain the second encrypted session key.
[0085] It is understandable that, based on the characteristics of the XOR operation, when decrypting the first encrypted session key or the second encrypted session key, the session key can be decrypted by performing an XOR operation on the first encrypted session key and the first registration code, and the session key can be decrypted by performing an XOR operation on the second encrypted session key and the second registration code.
[0086] From the perspective of the power grid information center, please refer to Figure 3 This application also provides an identity authentication method for a smart grid system, the method including steps S302 to S310.
[0087] S302, Send the first registration request to the registration center.
[0088] The power grid information center needs to register with the registration center first, which can be done by sending a first registration request to the registration center. In one specific embodiment, the first registration request includes a first identity code and a first pseudo-password corresponding to the power grid information center. The first pseudo-password is a first password that has undergone a first encryption process. The first identity code and the first password are used to log in to the power grid information center. The first encryption process can be a hash operation on the first identity code and the first password to obtain the first pseudo-password. That is, the power grid information center obtains the first pseudo-password by hashing the first identity code and the first password, and then generates the first registration request based on the first identity code and the first pseudo-password, and sends it to the registration center.
[0089] S304, the first registration code received from the registration center.
[0090] Upon receiving the first registration code, the power grid information center indicates that registration is complete and stores the first registration code in memory. The first pseudo-password can also be stored in this memory. In one specific embodiment, the storage device used by the power grid information center is a TEE (Trusted Execution Environment) secure storage device. It can only be used for specific calculations and is difficult to decompile or perform data analysis operations to extract internal data, thus possessing high security.
[0091] S306, when it is necessary to communicate with a registered digital twin entity, send a communication request to the registration center with the digital twin entity as the target entity.
[0092] Once the power grid information center has completed registration, it can communicate with a registered digital twin entity. The communication request can include the target entity's identification information, allowing the registration center to generate a session key unique to both the target entity and the target power grid information center. When communicating with a registered digital twin entity using the power grid information center, the user needs to log in to the power grid information center. The power grid information center will perform a first encryption process on the user's input password and then determine if the processed password matches the first pseudo-password corresponding to their entered identity code. If they match, the user is considered legitimate and passes login verification; otherwise, they are considered an illegitimate user and cannot proceed to the session key generation process.
[0093] S308 receives the first encrypted session key from the registry center.
[0094] In response to the communication request, the registration center will generate a session key for the target entity and the target power grid information center, and then encrypt it into a first encrypted session key and transmit it back to the power grid information center.
[0095] S310, decrypt the first encrypted session key according to the first registration code to obtain the session key.
[0096] During the registration phase, since the first registration code has been received from the registration center, it can be used to decrypt the first encrypted session key. After obtaining the session key, it can be used to communicate with the target entity. For example, if the first encrypted session key is obtained by XORing the first registration code with the session key, the power grid information center can obtain the session key by XORing the first encrypted session key with the first registration code.
[0097] Thirdly, from the perspective of digital twin servers, please refer to [link / reference]. Figure 4 This application also provides an identity authentication method for a smart grid system, the method including steps S402 to S410.
[0098] S402, send a second registration request to the registration center.
[0099] In other words, digital twin entities need to register with the registration center first, which can be done by sending a second registration request to the registration center. In one specific embodiment, the second registration request corresponds to the second identity code and second pseudo-password of the digital twin entity. The second pseudo-password is a second password that has undergone third encryption processing. The second identity code and second password are used to log in to the digital twin entity. The second encryption processing can be a hash operation on the second identity code and second password to obtain the second pseudo-password. That is, when there is a digital twin entity that needs to be registered in the digital twin service, the digital twin server obtains the second pseudo-password by hashing the second identity code and second password of the digital twin entity, and then generates a second registration request to register the digital twin entity based on the second identity code and second pseudo-password, and sends it to the registration center.
[0100] S404, receiving the second registration code from the registration center.
[0101] Upon receiving the second registration code, the digital twin server indicates that registration is complete and stores the second registration code in its memory. The second pseudo-password can also be stored in this memory. In one specific embodiment, the storage device used by the digital twin server is a TEE secure storage device.
[0102] S406, when it is necessary to communicate with a registered power grid information center, send a communication request to the registration center with that power grid information center as the target power grid information center.
[0103] Once a digital twin entity has completed registration, it can communicate with a registered power grid information center. The communication request can include the target power grid information center's identification information, allowing the registration center to generate a session key unique to both the target entity and the target power grid information center. When communicating with a registered digital twin entity through the power grid information center, the user needs to log in to the power grid information center, and simultaneously log in to the corresponding digital twin entity. The digital twin entity obtains the identity code and password of the entity to be logged in, performs a third encryption on the obtained password, and then checks whether the processed password matches the second pseudo-password corresponding to the obtained identity code. If they match, the entity is considered legitimate and passes the login verification; otherwise, it is an illegitimate entity and cannot proceed to the session key generation process.
[0104] S408, receive the second encrypted session key fed back from the registry center.
[0105] In response to the communication request, the registration center will generate a session key for the target entity and the target power grid information center, and then encrypt it into a second encrypted session key and transmit it back to the digital twin server.
[0106] S410, decrypt the second encrypted session key according to the second registration code to obtain the session key.
[0107] During the registration phase, since a second registration code has been received from the registration center, this code can be used to decrypt the second encrypted session key. Once the session key is obtained, it can be used to communicate with the target power grid information center. For example, if the second encrypted session key is obtained by XORing the second registration code with the session key, the power grid information center can obtain the session key by XORing the second encrypted session key with the second registration code.
[0108] From the perspective of multi-terminal interaction, this application also provides an identity authentication method for a smart grid system. Please refer to [link to relevant documentation]. Figure 5 This includes steps S502 to S520.
[0109] S502, the power grid information center sends the first registration request to the registration center.
[0110] S504, the registration center generates a first registration code specific to the power grid information center corresponding to the first registration request based on the first registration request, and sends the first registration code to the power grid information center corresponding to the first registration request.
[0111] S506, the digital twin server sends a second registration request to the registration center.
[0112] S508, the registration center generates a second registration code specific to the digital twin entity corresponding to the second registration request based on the second registration request, and sends the second registration code to the digital twin server to which the digital twin entity corresponding to the second registration request belongs.
[0113] S510, the registered power grid information center sends a communication request to the registration center.
[0114] S512, a digital twin server with a registered digital twin entity sends a communication request to the registration center.
[0115] S514, the power grid information center corresponding to the communication request from the registration center is the target power grid information center, and the digital twin entity corresponding to the communication request is the target entity. A first string is generated based on the communication request from the target power grid information center and the first registration code corresponding to the target power grid information center. A second registration code specific to the digital twin entity corresponding to the second registration request is generated based on the second registration request. A first random number is generated, and a session key specific to the target power grid information center and the target entity is generated based on the first random number, the first string, and the second string. The session key is encrypted based on the first registration code corresponding to the target power grid information center to obtain a first encrypted session key, and the session key is encrypted based on the second registration code corresponding to the target entity to obtain a second encrypted session key.
[0116] S516, the registration center sends the first encrypted session key to the target power grid information center and the first encrypted session key to the digital twin server where the target entity is located.
[0117] S518, the power grid information center decrypts the first encrypted session key based on the first registration code to obtain the session key.
[0118] S520: The digital twin server decrypts the second encrypted session key based on the second registration code to obtain the session key.
[0119] For a detailed explanation of steps S502 to S520, please refer to the above text, and it will not be repeated here.
[0120] In summary, by applying the authentication methods described in the above embodiments, the smart grid system can possess the following characteristics:
[0121] 1. Resistance to offline password guessing attacks: Attackers find it difficult to simultaneously guess the identity codes and passwords of both the digital twin entity and the power grid information center. Even if they succeed in guessing, the session key cannot be cracked due to layers of encryption. Therefore, this scheme can resist offline password guessing attacks.
[0122] 2. Resistance to Privileged Insider Attacks: Even if the attacker is an insider at the service meter, the critical information in the digital twin entity is stored in the reliable memory of the digital twin server. The attacker cannot access the key parameters used to generate the session key, thus preventing them from cracking the session key between the power grid information center and the digital twin entity. Therefore, this solution can resist privileged insider attacks.
[0123] 3. Forward Security: Forward security means that even if an attacker obtains the initial key from the registration center, they still cannot obtain the session key established between the user and the sensor. Although the attacker obtains the initial key from the registration center, because the password received by the registration center is a fake password, they cannot obtain the identity and password of the power grid information center, and therefore cannot obtain the session key. Therefore, this scheme possesses forward security.
[0124] 4. Resistance to theft of electrical equipment: Resistance to theft of smartphones means that even if an attacker steals a user's smartphone, they cannot extract the private information stored in the memory of the electrical equipment. Therefore, the attacker cannot obtain the session key between the two parties, so this solution can resist theft of electrical equipment.
[0125] 5. Resisting Replay Attacks: Resisting replay attacks refers to attackers continuously sending commands to the digital twin entity, power grid information center, or registration center based on intercepted public channel information, thereby wasting system resources. This solution can effectively resist such attacks.
[0126] 6. Resistance to User Impersonation Attacks: User impersonation attacks refer to attackers using information intercepted on public channels to impersonate a legitimate user and establish communication with the registry center or digital twin entity, thereby stealing critical information stored in the digital twin server and then carrying out illegal activities. This solution addresses this type of attack.
[0127] Fourthly, embodiments of this application also provide a computer device, including one or more processors and a memory, the memory storing computer-readable instructions, which, when executed by one or more processors, perform the steps of the authentication method in any of the above embodiments.
[0128] Indicatively, such as Figure 6 As shown, Figure 6 This is a schematic diagram of the internal structure of a computer device 600 provided in an embodiment of this application. The computer device 600 can be provided as a server. (Refer to...) Figure 6The computer device 600 includes a processing component 602, which further includes one or more processors, and memory resources represented by memory 601 for storing instructions, such as application programs, that can be executed by the processing component 602. The application programs stored in memory 601 may include one or more modules, each corresponding to a set of instructions. Furthermore, the processing component 602 is configured to execute instructions to perform the text recognition method of any of the above embodiments.
[0129] The computer device 600 may also include a power supply component 603 configured to perform power management of the computer device 600, a wired or wireless network interface 604 configured to connect the computer device 600 to a network, and an input / output (I / O) interface 605. The computer device 600 may operate on an operating system stored in memory 601, such as Windows Server™, Mac OS X™, Unix™, Linux™, Free BSD™, or similar.
[0130] Those skilled in the art will understand that Figure 6 The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0131] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0132] The various embodiments in this specification are described in a progressive manner. Each embodiment focuses on the differences from other embodiments. The various embodiments can be combined as needed, and the same or similar parts can be referred to each other.
[0133] The above description of the disclosed embodiments enables those skilled in the art to make or use this application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this application. Therefore, this application is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims
1. An identity authentication method in a smart grid environment, characterized in that, Applied to a registry center, the method includes: Based on the first registration request, a first registration code is generated that is unique to the power grid information center corresponding to the first registration request, and the first registration code is sent to the power grid information center corresponding to the first registration request. Based on the second registration request, a second registration code is generated that is unique to the digital twin entity corresponding to the second registration request, and the second registration code is sent to the digital twin server to which the digital twin entity corresponding to the second registration request belongs; When any registered power grid information center needs to communicate with a registered digital twin entity, the power grid information center is taken as the target power grid information center and the digital twin entity is taken as the target entity. A first string is generated according to the communication request of the target power grid information center and the first registration code corresponding to the target power grid information center, and a second string is generated according to the communication request of the target entity and the second registration code corresponding to the target entity. Generate a first random number, and generate a session key unique to the target power grid information center and the target entity based on the first random number, the first string, and the second string; The session key is encrypted using the first registration code corresponding to the target power grid information center to obtain a first encrypted session key. The session key is then encrypted using the second registration code corresponding to the target entity to obtain a second encrypted session key. The first encrypted session key is sent to the target power grid information center, and the second encrypted session key is sent to the target entity. The communication request from the target power grid information center includes a first pseudo registration code and a first identity code, wherein the first pseudo registration code is the first registration code that has undergone second encryption processing. The step of generating a first string based on the communication request from the target power grid information center and the first registration code corresponding to the target power grid information center includes: Based on the first identity code of the target power grid information center, find the first registration code corresponding to the target power grid information center; The first registration code and the first pseudo registration code corresponding to the target power grid information center are XORed to obtain the first string.
2. The method according to claim 1, characterized in that, The first registration request includes a first identity code and a first pseudo password corresponding to the power grid information center. The first pseudo password is a first password that has undergone a first encryption process. The first identity code and the first password are used to log in to the power grid information center. The step of generating a first registration code specific to the power grid information center corresponding to the first registration request, based on the first registration request, includes: The first key, the first identity code, and the first pseudo-password are hashed to obtain the first registration code.
3. The method according to claim 1, characterized in that, The second registration request includes a second identity code and a second pseudo password of the digital twin entity corresponding to the second registration request. The second pseudo password is a second password that has undergone a third encryption process. The second identity code and the second password are used to log in to the digital twin entity. The step of generating a second registration code specific to the digital twin entity corresponding to the second registration request, based on the second registration request, includes: The first key, the second identity code, and the second pseudo-password are hashed to obtain the second registration code.
4. The method according to claim 3, characterized in that, The communication request of the target entity includes a second pseudo registration code and a second identity code, wherein the second pseudo registration code is the second registration code that has undergone a fourth encryption process; The step of generating a second registration code specific to the digital twin entity corresponding to the second registration request, based on the second registration request, includes: Based on the second identity code of the target entity, find the second registration code corresponding to the target entity; The second registration code and the second pseudo registration code corresponding to the target entity are XORed to obtain the second string.
5. The method according to claim 1, characterized in that, The step of generating a session key specific to the target power grid information center and the target entity based on the first random number, the first string, and the second string includes: The session key is obtained by performing a hash operation on the first random number, the first string, and the second string.
6. The method according to claim 1, characterized in that, The step of encrypting the session key according to the first registration code corresponding to the target power grid information center to obtain the first encrypted session key includes: The first encrypted session key is obtained by performing an XOR operation between the session key and the first registration code corresponding to the target power grid information center. The step of encrypting the session key according to the second registration code corresponding to the target entity to obtain the second encrypted session key includes: The second encrypted session key is obtained by XORing the session key and the second registration code corresponding to the target entity.
7. An identity authentication method in a smart grid environment, characterized in that, Applied to power grid information centers, the method includes: A first registration request is sent to the registration center, which generates a first registration code specific to the power grid information center corresponding to the first registration request, and sends the first registration code to the power grid information center corresponding to the first registration request. Receive the first registration code fed back by the registration center; When communication with a registered digital twin entity is required, a communication request is sent to the registration center with the digital twin entity as the target entity. The communication request includes a first pseudo-registration code and a first identity code, wherein the first pseudo-registration code is the first registration code after being encrypted in a second manner. The communication request is used to enable the registration center to find the first registration code based on the first identity code, and to perform an XOR operation on the first registration code and the first pseudo-registration code to obtain a first string. Based on the communication request of the target entity and the second registration code corresponding to the target entity, a second string is generated, and a first random number is generated. Based on the first random number, the first string, and the second string, a session key unique to the power grid information center and the target entity is generated. The session key is encrypted based on the first registration code to obtain a first encrypted session key. The session key is then encrypted based on the second registration code corresponding to the target entity to obtain a second encrypted session key. The first encrypted session key is sent to the power grid information center, and the second encrypted session key is sent to the target entity. Receive the first encrypted session key fed back by the registration center; The first encrypted session key is decrypted using the first registration code to obtain the session key.
8. An identity authentication method in a smart grid environment, characterized in that, Applied to a digital twin server, the method includes: A second registration request is sent to the registration center, which then generates a second registration code specific to the digital twin entity corresponding to the second registration request, and sends the second registration code to the digital twin server to which the digital twin entity corresponding to the second registration request belongs. Receive the second registration code fed back by the registration center; When communication with a registered power grid information center is required, a communication request is sent to the registration center with the registered power grid information center as the target power grid information center. The communication request enables the registration center to generate a second string based on the communication request and the second registration code, and to find the first registration code corresponding to the target power grid information center based on the first identity code of the target power grid information center. The registration center then performs an XOR operation on the first registration code and the first pseudo-registration code corresponding to the target power grid information center to obtain a first string, generates a first random number, and generates a session key unique to the target power grid information center and the digital twin entity based on the first random number, the first string, and the second string. The session key is then encrypted based on the first registration code corresponding to the target power grid information center to obtain a first encrypted session key, and further encrypted based on the second registration code corresponding to the digital twin entity to obtain a second encrypted session key. The first encrypted session key is then sent to the target power grid information center, and the second encrypted session key is sent to the digital twin server. The first pseudo-registration code is the first registration code after undergoing a second encryption process. Receive the second encrypted session key fed back by the registration center; The second encrypted session key is decrypted using the second registration code to obtain the session key.
9. A computer device, characterized in that, It includes one or more processors and a memory storing computer-readable instructions that, when executed by the one or more processors, perform the steps of the authentication method as described in any one of claims 1 to 8.