A method and system for communication network authentication for a power distribution automation system
By introducing a certificate authority into the power distribution automation system, certificate issuance and online verification are achieved, solving the problem of lack of identity authentication in the IEC 61850-90-5 standard and improving the communication security and trust guarantee of the power distribution automation system.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: ELECTRIC POWER RES INST OF GUANGXI POWER GRID CO LTD
- Filing Date: 2026-03-19
- Publication Date: 2026-06-19
AI Technical Summary
The lack of explicit authentication in existing distribution automation terminal communication networks based on the IEC 61850-90-5 standard leads to man-in-the-middle attack vulnerabilities, threatening the communication security of power systems.
By introducing a Certificate Authority (CA) as a trusted third party, a two-way trust relationship is established between the terminal and the key distribution center through certificate issuance, certificate presentation, online verification, and authorization decision-making processes, ensuring that only legitimate terminals can access the network.
The method effectively prevents man-in-the-middle attacks, improves the communication security of wide-area measurement systems in power distribution networks, ensures the security of key distribution, and enhances the source trust guarantee of power distribution automation systems.
Description
Technical Field
[0001] This invention relates to the field of power communication security technology, and in particular to a communication network authentication method and system for power distribution automation systems.
Background Technology
[0002] With the widespread application of synchronous phasor measurement technology in wide-area monitoring and control systems, distribution automation terminals collect dynamic data of the power grid at high sampling rates and transmit it to the master station via the network. The security of this communication is directly related to the stable operation of the power grid. The IEC 61850-90-5 standard provides a framework for wide-area communication, but the existing security mechanisms have authentication deficiencies, and there is an urgent need for enhanced authentication schemes to ensure the communication security of the power system.
[0003] In existing network security solutions for distribution automation terminal communication based on the IEC 61850-90-5 standard, the initial authentication phase of key exchange between the key distribution center and the terminal lacks a mandatory and effective authentication mechanism. Specifically, while the standard recommends authentication, it does not specify its implementation. This leads to the common use of public key exchange protocols such as Diffie-Hellman, which lack authentication functionality, in practical applications, leaving serious authentication vulnerabilities in the communication link. This vulnerability makes the system highly susceptible to man-in-the-middle attacks. Attackers can impersonate legitimate terminals or key distribution centers, intercept and tamper with key exchange information, thereby stealing session keys and eavesdropping on, tampering with, or injecting false power grid measurement and control data. This seriously jeopardizes the accuracy of power system state estimation, the reliability of protection and control, and the overall operational stability.
Summary of the Invention
[0004] To address the vulnerability of the GDOI protocol in existing technologies to man-in-the-middle attacks due to the lack of explicit authentication, this invention provides a method and system for explicit certificate authentication based on a Certificate Authority (CA). This ensures that only terminals holding certificates issued by a legitimate CA can access the network, effectively preventing man-in-the-middle attacks, guaranteeing the security of key distribution, and improving the communication security of wide-area measurement systems in power distribution networks. The specific technical solution is as follows:
This application provides a communication network authentication method for a power distribution automation system, applicable to a system including at least one power distribution automation terminal, a key distribution center, and a certificate authority, comprising:
The power distribution automation terminal generates a key pair, and based on the public key in the key pair and the identity information of the power distribution automation terminal, generates a certificate signing request and sends the certificate signing request to the certificate authority;
The certificate authority issues a digital certificate using its private key based on the certificate signing request and returns the digital certificate to the power distribution automation terminal;
In response to the power distribution automation terminal initiating a key exchange process with the key distribution center, the power distribution automation terminal sends the digital certificate to the key distribution center;
The key distribution center forwards the digital certificate to the certificate authority, requesting online verification;
The certificate authority verifies the digital certificate, including verifying the validity of its signature, the validity period of the certificate, and the revocation status of the certificate, and generates a verification result to return to the key distribution center. The key distribution center determines whether to authorize the power distribution automation terminal to continue key exchange based on the verification result.
[0005] Preferably, the certificate authority issues a digital certificate using its private key based on the certificate signing request, including: The certificate authority performs a hash operation on the information in the certificate request and encrypts the hash value with its private key to generate a signature; the certificate authority then attaches the signature to the certificate to form a complete digital certificate.
[0006] Preferably, the verification of the digital certificate by the certificate authority includes: The signature of the digital certificate is decrypted using the public key of the certificate authority to obtain a first hash value; the identity information in the digital certificate is recalculated to obtain a second hash value; the first hash value and the second hash value are compared to see if they are consistent; and the validity period and revocation status of the digital certificate are checked.
[0007] Preferably, the check of revocation status is performed via an online certificate status protocol or a certificate revocation list.
[0008] Preferably, a communication network authentication method for a power distribution automation system further includes: If the number of verification requests received by the key distribution center within a preset time window exceeds a preset threshold, the certificate authority performs batch signature verification on the multiple verification requests. The batch signature verification is achieved by simultaneously verifying the signatures of multiple digital certificates through a single bilinear pairing operation.
[0009] Preferably, the key distribution center determines whether to authorize the distribution automation terminal to continue key exchange based on the verification result, including: If the certificate authority returns a verification result indicating that the certificate is invalid, expired, or revoked, the key distribution center will add the identification information of the power distribution automation terminal to the blacklist. The key distribution center will reject any key requests from the blacklisted power distribution automation terminals within a subsequent preset time window.
[0010] Preferably, a communication network authentication method for a power distribution automation system further includes: The key distribution center receives the incremental certificate revocation list periodically pushed by the certificate authority; The key distribution center dynamically updates its local blacklist based on the incremental certificate revocation list.
[0011] Preferably, the key exchange process follows the GDOI protocol defined in the IEC61850-90-5 standard, and in the GROUPKEY-PULL stage of the GDOI protocol, the power distribution automation terminal sends the digital certificate to the key distribution center.
[0012] Preferably, the certificate authority includes a root certificate authority and multiple regional certificate authorities; The regional certificate authority is responsible for issuing digital certificates for distribution automation terminals within its jurisdiction. When verifying the digital certificate, the key distribution center initiates an online verification request to the regional certificate authority. If the regional certificate authority is unable to respond, the key distribution center initiates a verification request to the root certificate authority.
[0013] This application also provides a communication network authentication system for a power distribution automation system, which applies the aforementioned communication network authentication method for a power distribution automation system and includes at least one power distribution automation terminal, a key distribution center, and a certificate authority.
The power distribution automation terminal includes: a key generation module, used to generate public and private key pairs; a certificate request module, used to generate a certificate signing request based on the public key and the identity information of the power distribution automation terminal and send it to the certificate authority; a certificate storage module, used to receive and store digital certificates issued by the certificate authority; and an authentication initiation module, used to provide the digital certificate to the key distribution center when key exchange with the key distribution center is required, and to receive the authorization decision returned by the key distribution center based on the online verification result of the certificate.
The key distribution center includes: a communication interface for communicating with at least one distribution automation terminal and a certificate authority; and an access control module, used to receive the digital certificate provided by the distribution automation terminal when initiating key exchange, forward the digital certificate to the certificate authority for online verification, and decide whether to allow the distribution automation terminal to participate in the subsequent key exchange process based on the verification result returned by the certificate authority.
The certificate authority includes: a certificate issuance module, used to receive a certificate signing request sent by the power distribution automation terminal, issue a digital certificate based on the request, and return it to the power distribution automation terminal; and an online verification module, used to receive digital certificate verification requests forwarded by the key distribution center, perform online verification of the digital certificate, and return the verification result to the key distribution center.
[0014] Compared with the prior art, the beneficial effects of the present invention are as follows: This invention discloses a communication network authentication method and system for power distribution automation systems. By introducing a Certificate Authority (CA) as a trusted third party, it inserts certificate issuance, certificate presentation, online verification, and authorization decision-making steps into the key exchange process, thus establishing a two-way trust relationship between the terminal and the key distribution center. By reliably binding the device identity to its public key, attackers cannot launch man-in-the-middle attacks by forging identities. This fundamentally solves the deficiency of identity authentication in the key exchange stage of the IEC 61850-90-5 standard, providing strong source trust protection for power distribution automation systems.
Attached Figure Description
[0015] To more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the accompanying drawings used in the description of the specific embodiments or the prior art will be briefly introduced below. In all the drawings, similar elements or parts are generally identified by similar reference numerals. In the drawings, the elements or parts are not necessarily drawn to scale.
[0016] Figure 1 is a timing flowchart of a communication network authentication method for a power distribution automation system provided in an embodiment of the present invention.
[0017] Figure 2 is a flowchart of a communication network authentication method for a power distribution automation system provided in an embodiment of the present invention.
[0018] Figure 3 is a schematic diagram of an attack in which an intruder tampers with the certificate signature, provided in an embodiment of the present invention.
[0019] Figure 4 is a schematic diagram of an attack in which an intruder replaces an encrypted certificate, provided in an embodiment of the present invention.
[0020] Figure 5 is a schematic diagram of a communication network authentication system for a power distribution automation system provided in an embodiment of the present invention.
Detailed Implementation
[0021] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0022] It should be understood that, when used in this specification, the terms “comprising” and “including” indicate the presence of the described features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or collections thereof.
[0023] It should also be understood that the terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit the invention. As used in this specification and the appended claims, the singular forms “a,” “an,” and “the” are intended to include the plural forms unless the context clearly indicates otherwise.
[0024] It should also be further understood that the term "and/or" as used in this specification refers to any combination of one or more of the associated listed items, as well as all possible combinations, and includes such combinations.
[0025] The following embodiments are described with reference to Figures 1 to 5.
[0026] Referring to Figures 1 and 2, this application provides a communication network authentication method for a power distribution automation system, applicable to a system including at least one power distribution automation terminal, a key distribution center (KDC), and a certificate authority (CA). This embodiment takes a system including a synchrophasor measurement unit (PMU) as the power distribution automation terminal, a KDC, and a CA as an example. The communication network authentication method includes the following steps:
Step S1: The power distribution automation terminal generates a key pair, and based on the public key in the key pair and the identity information of the power distribution automation terminal, generates a certificate signing request and sends the certificate signing request to the certificate authority. In this step, the power distribution automation terminal (PMU) must apply for identity credentials from the certificate authority before connecting to the network for the first time. The specific implementation process is as follows: To generate the key pair, the PMU locally calls the cryptography library to execute the key generation algorithm Keygen(), producing a pair of asymmetric keys: a private key PMU_PR_KEY and a public key PMU_PUB_KEY. The private key is securely stored by the PMU; the public key is used to construct the certificate.
[0027] Constructing the certificate request information: the PMU fills in the certificate fields according to the X.509 standard format, including: device name: name ← 'Synchronous Phasor Measurement Unit_Station_A', declaring the device identity; issuer name: issuer_name ← 'Certificate Authority_PowerGrid', specifying the target certificate authority; serial number: serial_number ← rand(), generating a unique identifier; validity period: validity ← ['2024-01-01', '2025-12-31']; public key: pub_key ← PMU_PUB_KEY, binding the public key to the certificate.
[0028] Generate a Certificate Signing Request (CSR) and package the above information into a CSR file, such as pmu_a.csr, and send it to the Certificate Authority via a pre-configured TLS connection.
[0029] Step S2: The certificate authority issues a digital certificate using its private key based on the certificate signing request, and returns the digital certificate to the power distribution automation terminal. Specifically, the certificate authority that issues digital certificates includes: The certificate authority performs a hash operation on the information in the certificate request and encrypts the hash value with its private key to generate a signature; the certificate authority then attaches the signature to the certificate to form a complete digital certificate.
[0030] After receiving the CSR sent by the PMU, the certificate authority signs it to generate a formal digital certificate. The specific process is as follows: Extracting the request information: the certificate authority parses the CSR and obtains the identity information of the PMU, denoted PMU_ID, including the name, public key, validity period, and so on.
[0031] Generating the hash value: the certificate authority applies a secure hash algorithm to PMU_ID, obtaining the first hash value h1.
[0032] Signing h1 with the CA private key: the certificate authority calls the signature function SIG_k, which encrypts h1 with the CA's own private key to produce the signature value Sign(h1).
[0033] Generating the formal certificate: the certificate authority combines the original request information with the signature value Sign(h1) to form a digital certificate conforming to the X.509 standard, such as pmu_a.cer, and returns it to the PMU.
[0034] Step S3: In response to the key exchange process initiated by the power distribution automation terminal with the key distribution center, the power distribution automation terminal sends the digital certificate to the key distribution center; In this embodiment, the key exchange process follows the GDOI protocol defined in the IEC61850-90-5 standard, and in the GROUPKEY-PULL stage of the GDOI protocol, the power distribution automation terminal sends the digital certificate to the key distribution center.
[0035] Based on the IEC 61850-90-5 standard, the certificate authentication mechanism is embedded in the GROUPKEY-PULL stage of the GDOI protocol. The specific implementation process is as follows: The distribution automation terminal (PMU) and the key distribution center use the GDOI protocol for group key negotiation; The presentation and verification of the certificate are limited to the GROUPKEY-PULL phase of the GDOI protocol, which is the initial interaction between the terminal and the key distribution center to request the group key. In the GROUPKEY-PULL request message of the GDOI protocol, a new payload field with a type value of CERT is added. The distribution automation terminal fills the digital certificate (X.509 format) obtained in step S2 into this CERT payload and sends it to the key distribution center along with the key request message.
[0036] By embedding a certificate authentication process in the GROUPKEY-PULL phase of the GDOI protocol, the standard security mechanism is enhanced without breaking the original protocol framework.
[0037] When a synchrophasor measurement unit needs to join a multicast group managed by a key distribution center in order to transmit power grid synchrophasor data, it initiates a key exchange procedure with the key distribution center. The specific process is as follows: Triggering the key exchange: in accordance with the IEC 61850-90-5 standard, the PMU sends a key request message to the key distribution center during the GROUPKEY-PULL phase of the GDOI protocol.
[0038] Carrying the digital certificate: the PMU appends the digital certificate (pmu_a.cer) obtained in step S2 to the extended field of the request message. For example, a payload with a type value of CERT is added to the SA TEK PAYLOAD of the GDOI protocol to carry the certificate. The key request message carrying the certificate is then sent to the key distribution center over the network.
[0039] Step S4: The key distribution center forwards the digital certificate to the certificate authority, requesting online verification; After receiving the key request and digital certificate from the synchronization phasor measurement unit, the key distribution center cannot directly verify the authenticity of the certificate and needs to request an online verification from the certificate authority. The specific process is as follows: The certificate is extracted by the key distribution center, which parses the received GDOI message and extracts the digital certificate pmu_a.cer from the CERT payload.
[0040] Constructing the verification request: the key distribution center establishes a secure connection with the certificate authority, for example based on TLS, and constructs a certificate verification request message containing the complete digital certificate content.
[0041] Forwarding the certificate: the key distribution center sends the verification request to the certificate authority, asking it to verify the authenticity, integrity, and validity of the certificate.
[0042] Step S5: The certificate authority verifies the digital certificate, including verifying the validity of its signature, the validity period of the certificate, and the revocation status of the certificate, and generates a verification result to be returned to the key distribution center. After receiving a certificate verification request forwarded by the key distribution center, the certificate authority performs a comprehensive verification of the certificate and returns the verification result. The specific process is as follows: The signature of the digital certificate is decrypted using the public key of the certificate authority to obtain a first hash value; the identity information in the digital certificate is recalculated to obtain a second hash value; the first hash value and the second hash value are compared to see if they are consistent; and the validity period and revocation status of the digital certificate are checked.
[0043] Verifying signature validity includes: The certificate authority uses its public key to decrypt the signature value Sign(h1) in the certificate, obtaining the first hash value h1'.
[0044] The certificate authority re-hashes the identity information in the current certificate to generate a second hash value h2.
[0045] Compare h1' and h2 to see if they match. If they match, it proves that the certificate has not been tampered with and was indeed issued by the certificate authority; if they do not match, the verification fails.
[0046] Checking the validity period includes: the certificate authority reading the validity field in the certificate to determine whether the current time is within the validity period.
[0047] Checking the revocation status includes: the Certificate Authority checking the local Certificate Revocation List (CRL) or using the Online Certificate Status Protocol (OCSP) service to confirm whether the certificate has been revoked.
[0048] The certificate authority returns the verification result, encapsulates the result into a response message, and returns it to the key distribution center.
[0049] This step ensures that only certificates that are recognized by a certificate authority, have not been tampered with, and are within their validity period can pass verification, thus building a robust certificate verification defense and effectively preventing unauthorized terminals from accessing the network using expired, forged, or revoked certificates.
[0050] Step S6: The key distribution center determines whether to authorize the power distribution automation terminal to continue key exchange based on the verification result.
[0051] Specifically, the key distribution center determines whether to authorize the distribution automation terminal to continue key exchange based on the verification result, including: if the certificate authority returns a verification result indicating that the certificate is invalid, expired, or revoked, the key distribution center adds the identification information of the distribution automation terminal to a blacklist and, within a subsequent preset time window, rejects any key requests from distribution automation terminals on the blacklist. The specific process is as follows: The verification result is analyzed. If the certificate authority returns acceptance, the certificate is valid, and the key distribution center allows the PMU to continue the subsequent GDOI key exchange process and negotiate the session key; the PMU then joins the multicast group and begins transmitting encrypted power grid phasor data. If the certificate authority returns rejection, the certificate is invalid: the key distribution center immediately terminates the key exchange process with the PMU, rejects its access request, adds the PMU's identification information to the local blacklist, and generates an alarm log to report to the power grid management system.
[0052] Within a preset time window, such as 30 minutes, the key distribution center rejects any key requests from the same synchronous phasor measurement unit.
[0053] When a certificate verification result is invalid, expired, or revoked, the key distribution center adds the corresponding terminal to a blacklist and rejects any key requests from it within a preset time window. This prevents unauthorized terminals from repeatedly attempting to access the system within a short period, effectively curbing malicious attacks and enhancing the system's proactive defense capabilities.
[0054] In the communication network authentication method for a power distribution automation system according to the embodiments of this application, an intruder's power distribution automation terminal may attempt to authenticate itself by changing the signature in a certificate or by generating a self-signed certificate. As shown in Figure 3, the intruder's power distribution automation terminal (PMU) intercepts the certificate signature and replaces it with its own in order to pass verification. However, during the certificate verification process, the Certificate Authority (CA)-based certificate mechanism identifies this fake certificate because the signatures do not match. The intruder's PMU may also send its own certificate for authentication. As shown in Figure 4, when a distribution automation terminal sends its signing certificate to a key distribution center for authentication, it encrypts the entire certificate using its own private key. If an intruder's distribution automation terminal intercepts the encrypted certificate and replaces it with its own encrypted certificate, the key distribution center will attempt to decrypt the received file using the original distribution automation terminal's public key. This results in a corrupted file, indicating that the certificate is invalid for authentication. Therefore, the certificate mechanism effectively eliminates MITM attacks in the distribution automation terminal communication network.
[0055] During the verification process, a message indicating that the intruder's power distribution automation terminal certificate could not be obtained was detected: "Unable to obtain local issuer certificate." This error message is displayed when a signed certificate cannot be verified. Therefore, it is concluded that the power distribution automation terminal is illegitimate and has not been signed by a Certificate Authority (CA). Of the two existing power distribution automation terminal communication standards, IEEE C37.118 does not address network security issues, while IEC 61850-90-5 only recommends different security schemes without specific implementation details. To address this knowledge gap, a certificate-based power distribution automation terminal network node authentication method is used to mitigate MITM attacks during key exchange in the power distribution automation terminal network. This ensures the secure operation of the IEC 61850-90-5-based power distribution automation terminal network.
[0056] This invention discloses a communication network authentication method and system for power distribution automation systems. By introducing a Certificate Authority (CA) as a trusted third party, it inserts certificate issuance, certificate presentation, online verification, and authorization decision-making steps into the key exchange process, thus establishing a two-way trust relationship between the terminal and the key distribution center. By reliably binding the device identity to its public key, attackers cannot launch man-in-the-middle attacks by forging identities. This fundamentally solves the deficiency of identity authentication in the key exchange stage of the IEC 61850-90-5 standard, providing strong source trust protection for power distribution automation systems.
[0057] Specifically, in a preferred embodiment of this application, the check of revocation status is performed through an online certificate status protocol or a certificate revocation list.
[0058] In practice, when verifying a digital certificate, the certificate authority must confirm that the certificate has not been revoked, in addition to verifying the signature and checking the validity period. The revocation status check can be based on a Certificate Revocation List (CRL), implemented as follows: a CRL is a list published periodically by the Certificate Authority (CA) that contains the serial numbers of all revoked certificates and bears the CA's digital signature. CRLs are suitable for batch verification scenarios in which some delay is acceptable.
[0059] The certificate authority or key distribution center periodically downloads the complete CRL file from the URL given in the certificate's CRL Distribution Point (CDP) extension. The CRL file format conforms to RFC 5280 and includes the issuer, the current update time, the next update time, the list of revoked certificates, and the signature. The certificate authority or key distribution center stores the downloaded CRL file in a local cache; for large-scale distribution automation systems, distributed caching can be deployed to improve access efficiency.
[0060] Before using a CRL, the certificate authority must verify the authenticity and integrity of the CRL itself. When verifying a terminal certificate, the certificate authority or key distribution center then performs the following operations: extract the serial number field from the digital certificate to be verified; search the CRL's list of revoked certificates for an entry matching that serial number; if the serial number is present in the CRL, the certificate is determined to have been revoked and the verification result is a rejection; if the serial number is absent from the CRL and the current time is before the CRL's next update time, the certificate is determined to be unrevoked; if the CRL has expired, the latest CRL must be downloaded and the check repeated.
[0061] In another embodiment, the revocation status check can also be implemented through a check based on the Online Certificate Status Protocol (OCSP), as detailed below: The Online Certificate Status Protocol (OCSP) allows verifiers to query the current status of individual certificates in real time, making it suitable for scenarios with high real-time requirements.
[0062] When the key distribution center needs to verify the revocation status of a PMU certificate, it can send a query to the OCSP server of the certificate authority or of a cooperating certificate authority. The OCSP request includes the protocol version, the service request identifier, and the identifier of the target certificate.
[0063] The key distribution center or certificate authority sends the constructed OCSP request to the OCSP server via HTTP or HTTPS protocol. Upon receiving the request, the OCSP server queries its database to determine the current status of the certificate and generates an OCSP response. The response includes the certificate status, response generation time, next update time, revocation information, and signature.
[0064] Upon receiving the OCSP response, the key distribution center or certificate authority performs the following verification: Verify the signature of the OCSP response to ensure it was issued by a trusted OCSP server; check the `thisUpdate` and `nextUpdate` fields in the response to confirm it is valid; parse the certificate status field to obtain the verification result.
[0065] Specifically, in a preferred embodiment of this application, a communication network authentication method for a power distribution automation system further includes: If the number of verification requests received by the key distribution center within a preset time window exceeds a preset threshold, the certificate authority performs batch signature verification on the multiple verification requests. The batch signature verification is achieved by simultaneously verifying the signatures of multiple digital certificates through a single bilinear pairing operation.
[0066] In practice, suppose that after a power grid failure, a large number of PMUs in a distribution automation system restart simultaneously and attempt to reconnect to the network. The key distribution center receives certificate verification requests from 150 PMUs within one second, which exceeds the preset threshold and triggers batch verification.
[0067] The key distribution center packages these 150 certificates (including their respective signatures) together with the corresponding identity information and sends them to the certificate authority.
[0068] The certificate authority extracts all of the signatures and multiplies them together to obtain the aggregate signature.
[0069] For each certificate, the certificate authority hashes its identity information to obtain a group element, then multiplies these hash values together to obtain the aggregate hash value. Using the bilinear map e defined over three prime-order groups, the certificate authority then checks whether the batch verification equation holds: the aggregate signature paired with the group generator must equal the aggregate hash value paired with the certificate authority's public key. If every individual signature is valid, that is, each signature equals the hash of its identity information raised to the certificate authority's private key, then the aggregate signature equals the aggregate hash value raised to that same private key.
[0070] The batch verification equation therefore holds.
[0071] The quantities appearing in the equation are the generator of the group, the certificate authority's private key (used to sign certificates), and the certificate authority's public key (used to verify the validity of the CA's signature). The certificate authority immediately returns the result for all valid certificates to the key distribution center, which then authorizes the 150 PMUs to continue the key exchange. The entire process requires only one pairing operation, avoiding the computational overhead of 150 individual verifications.
[0072] If the equation holds true, all N certificate signatures are valid, and the Certificate Authority (CA) returns a result indicating all verifications passed to the Key Distribution Center (KDC). If the equation does not hold true, it means at least one certificate signature is invalid. In this case, the CA needs to further locate the invalid signature. Typically, a binary search or step-by-step verification can be used to find the invalid certificate. However, considering that batch verification scenarios involve a large number of requests, and invalid signatures should be in the minority, the CA can verify each signature individually and return the identifier of the invalid certificate to the KDC. For example, in a batch verification, if a PMU's certificate is tampered with, resulting in an invalid signature, the pairing equation does not hold. The CA then verifies each of the 150 signatures, locates the invalid certificate, and returns the certificate's identifier and verification failure information to the KDC. Based on this, the KDC rejects the access request of that PMU and authorizes the remaining 149 PMUs normally.
[0073] This embodiment introduces a batch signature verification mechanism for scenarios with large-scale concurrent terminal access. When the number of verification requests exceeds a preset threshold, multiple digital certificate signatures are verified simultaneously through a single bilinear pairing operation, significantly reducing the computational overhead and verification latency for certificate authorities. This solves the performance bottleneck problem that may be caused by the simultaneous access of massive distribution automation terminals and improves the system's processing efficiency in high-concurrency scenarios.
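The batch-then-locate flow of [0065] to [0072] as an added Python example (not the patent's code): the pairing-based check is replaced by a toy textbook-RSA stand-in that has the same multiplicative property, so what is demonstrated is the single aggregate check, the threshold trigger, and the binary-search fall-back that attributes a failure to one certificate. The primes, the window length, the threshold and the PMU identities are all constructed values.

```python
"""Batch verification of a burst of terminal certificates with fall-back
localisation of the invalid ones. Added example, not the patent's code."""
import hashlib
from collections import deque
from dataclasses import dataclass
from functools import reduce

# Constructed toy CA key. Textbook RSA stands in for the page's pairing-based
# scheme only because it has the same multiplicative property:
# (sigma_1 * ... * sigma_n)^E == H(id_1) * ... * H(id_n)  (mod N).
# These primes are far too small for real use.
P, Q = 104723, 104729
N, E = P * Q, 65537                    # (E, N): CA public key
D = pow(E, -1, (P - 1) * (Q - 1))      # D: CA private key

CHECKS = {"count": 0}                  # number of verification operations run


def hash_identity(identity: str) -> int:
    """Map a certificate's identity information to an element mod N."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % N


def ca_sign(identity: str) -> int:
    """CA signs the hashed identity information with its private key."""
    return pow(hash_identity(identity), D, N)


@dataclass(frozen=True)
class Certificate:
    serial: int
    identity: str
    signature: int


def verify_one(cert: Certificate) -> bool:
    """Conventional per-certificate verification."""
    CHECKS["count"] += 1
    return pow(cert.signature, E, N) == hash_identity(cert.identity)


def verify_batch(certs) -> bool:
    """One check for the whole batch, mirroring the page's single pairing:
    aggregate the signatures, aggregate the identity hashes, compare once."""
    CHECKS["count"] += 1
    agg_sig = reduce(lambda acc, c: acc * c.signature % N, certs, 1)
    agg_hash = reduce(lambda acc, c: acc * hash_identity(c.identity) % N, certs, 1)
    return pow(agg_sig, E, N) == agg_hash


def locate_invalid(certs) -> list:
    """Fall-back when the batch check fails ([0072]): split the batch and
    re-check each half (binary search) down to single certificates."""
    if verify_batch(certs):
        return []
    if len(certs) == 1:
        return [certs[0].serial]
    mid = len(certs) // 2
    return locate_invalid(certs[:mid]) + locate_invalid(certs[mid:])


class KeyDistributionCenter:
    """Counts request arrivals in a sliding window; above the threshold the
    certificates are handed to the CA for batch verification."""

    def __init__(self, window_s: float = 1.0, threshold: int = 100):
        self.window_s, self.threshold = window_s, threshold   # constructed values
        self._arrivals = deque()

    def authorize(self, certs, now: float):
        """Return (authorized serials, rejected serials) for requests at time `now`."""
        certs = list(certs)
        self._arrivals.extend([now] * len(certs))
        while self._arrivals and now - self._arrivals[0] > self.window_s:
            self._arrivals.popleft()
        if len(self._arrivals) > self.threshold:
            rejected = set(locate_invalid(certs))                 # batch path
        else:
            rejected = {c.serial for c in certs if not verify_one(c)}
        return [c.serial for c in certs if c.serial not in rejected], sorted(rejected)


def make_certs(n: int) -> list:
    """Constructed sample: n PMU certificates issued by the toy CA."""
    return [Certificate(i, f"PMU-{i:04d}", ca_sign(f"PMU-{i:04d}")) for i in range(1, n + 1)]
```

As with the page's pairing equation, the single aggregate check only establishes that the batch as a whole is consistent; the fall-back search is what attributes the failure to a specific certificate.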
[0074] Specifically, in a preferred embodiment of this application, a communication network authentication method for a power distribution automation system further includes: The key distribution center receives the incremental certificate revocation list periodically pushed by the certificate authority; The key distribution center dynamically updates its local blacklist based on the incremental certificate revocation list.
[0075] In distribution automation systems, Certificate Authorities (CAs) are responsible for managing the lifecycle of digital certificates for all Distribution Automation Units (PMUs). When the trust of certain PMUs needs to be revoked due to reasons such as equipment retirement, key leakage, or unauthorized operation, the CA must add the serial numbers of these certificates to the revocation list and notify all dependent parties (such as key distribution centers) to update the blacklist in a timely manner to prevent the revoked certificates from being used.
[0076] However, under the full CRL mechanism, each update requires downloading the complete CRL file, which consumes significant network bandwidth and storage resources, and the update frequency is limited, delaying the response to certificate status changes. The incremental CRL mechanism addresses these problems by transmitting only the revocation records added since the last update. The specific implementation process is as follows: the Certificate Authority (CA) generates incremental certificate revocation lists at preset intervals (e.g., every hour). These incremental CRLs contain only the revocation records added since the last full CRL release. After being signed with the CA's private key, they are periodically pushed to the key distribution center over a secure connection. On receiving an incremental CRL, the key distribution center verifies its signature, parses it to obtain the serial numbers of the newly revoked certificates, inserts these serial numbers into its locally maintained blacklist, and records the update source and timestamp. During subsequent certificate verification, the key distribution center first checks its local blacklist; if the serial number of the certificate to be verified is on the blacklist, the request is rejected directly without being forwarded to the certificate authority.
[0077] A dynamic blacklist update mechanism based on incremental certificate revocation lists has been introduced. By receiving incremental revocation lists periodically pushed by certificate authorities, the key distribution center can keep abreast of the latest certificate revocation information and dynamically update its local blacklist. This ensures the timeliness and accuracy of the blacklist and avoids the incorrect authorization of terminals with revoked certificates due to information lag.
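The CRL lookup of [0060] and the incremental-CRL blacklist of [0076], as an added Python example that is not the patent's code. The CA's signature is stood in for by an HMAC tag (an integrity check only), the CRL dicts carry the RFC 5280 fields the page names, and the `base_crl_number` field that ties an incremental CRL to its full CRL is an assumed addition; all sample values are constructed.

```python
"""Key distribution center revocation state: cached full CRL plus a local
blacklist fed by incremental CRL pushes. Added example, not the patent's code."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Stand-in for the CA's signing key: an HMAC key shared with the KDC
# (constructed; a real deployment verifies the CA's RFC 5280 signature).
CA_KEY = b"constructed-ca-key"


def ca_sign(payload: dict) -> str:
    """Stand-in for the CA signing a CRL: HMAC over the canonical JSON form."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(CA_KEY, data, hashlib.sha256).hexdigest()


def ca_verify(payload: dict, tag: str) -> bool:
    return hmac.compare_digest(ca_sign(payload), tag)


@dataclass
class RevocationState:
    """What the KDC keeps locally ([0059], [0076]). CRL dicts carry this_update,
    next_update, revoked and crl_number; the delta's base_crl_number (assumed
    field) names the full CRL it is relative to."""
    full_crl: Optional[dict] = None
    crl_number: int = -1                                   # newest CRL applied
    blacklist: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # serial -> (source, time)

    def load_full_crl(self, crl: dict, tag: str, now: int) -> None:
        """Accept a freshly downloaded full CRL after signature and validity checks."""
        if not ca_verify(crl, tag):
            raise ValueError("full CRL signature invalid")
        if not crl["this_update"] <= now < crl["next_update"]:
            raise ValueError("full CRL outside its validity window")
        self.full_crl, self.crl_number = crl, crl["crl_number"]
        for serial in crl["revoked"]:
            self.blacklist.setdefault(serial, ("full-crl", now))

    def apply_delta(self, delta: dict, tag: str, now: int) -> int:
        """Merge an incremental CRL pushed by the CA; returns the number of
        serials newly added to the blacklist. Replays and out-of-order pushes
        are ignored; a delta for a different base CRL is refused."""
        if not ca_verify(delta, tag):
            raise ValueError("incremental CRL signature invalid")
        if not delta["this_update"] <= now < delta["next_update"]:
            raise ValueError("incremental CRL outside its validity window")
        if self.full_crl is None or delta["base_crl_number"] != self.full_crl["crl_number"]:
            raise ValueError("incremental CRL does not match the cached full CRL")
        if delta["crl_number"] <= self.crl_number:
            return 0
        added = 0
        for serial in delta["revoked"]:
            if serial not in self.blacklist:
                self.blacklist[serial] = ("delta-crl", now)
                added += 1
        self.crl_number = delta["crl_number"]
        return added

    def check(self, serial: int, now: int) -> str:
        """Local decision before forwarding to the CA ([0060], [0076]):
        'revoked'  -> on the blacklist, reject without forwarding;
        'refresh'  -> cached CRL expired, download the latest CRL first;
        'forward'  -> not known to be revoked, send for online verification."""
        if serial in self.blacklist:
            return "revoked"
        if self.full_crl is None or now >= self.full_crl["next_update"]:
            return "refresh"
        return "forward"
```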
[0078] Specifically, in a preferred embodiment of this application, the certificate authority includes a root certificate authority and multiple regional certificate authorities; The regional certificate authority is responsible for issuing digital certificates for distribution automation terminals within its jurisdiction. When verifying the digital certificate, the key distribution center initiates an online verification request to the regional certificate authority. If the regional certificate authority is unable to respond, the key distribution center initiates a verification request to the root certificate authority.
[0079] The specific implementation of a multi-level certificate authority architecture is as follows: The Root Certificate Authority (RCA) is located at the top level and is responsible for issuing certificates to regional certificate authorities, establishing a global trust anchor. Regional certificate authorities are deployed according to geographical regions or administrative divisions. Each regional certificate authority is authorized by the root certificate authority and is responsible for issuing and managing digital certificates for distribution automation units (PMUs) within its jurisdiction.
[0080] After generating a Certificate Signing Request (CSR), the PMU within the region sends it to the regional certificate authority. After verifying the PMU's identity, the regional certificate authority issues a digital certificate for it using its own private key. The regional certificate authority periodically synchronizes certificate revocation information with the root certificate authority.
[0081] When the PMU initiates a key exchange and presents a certificate to the Key Distribution Center, the Key Distribution Center first parses the issuer information in the certificate to identify the regional certificate authority that issued the certificate. The Key Distribution Center then sends an online certificate verification request (OCSP or CRL query) to the regional certificate authority. Under normal circumstances, the regional certificate authority responds and returns the verification result, which the Key Distribution Center uses to decide whether to authorize. In abnormal situations, if the regional certificate authority cannot respond due to network failure, equipment downtime, or other reasons, the Key Distribution Center automatically switches over after a timeout and sends a verification request to the root certificate authority. After receiving the request, the root certificate authority queries the global certificate database and returns the current status of the certificate.
[0082] The key distribution center can cache the response results of regional certificate authorities and directly use the cache when repeatedly querying the same certificate in a short period of time, reducing the burden on certificate authorities. If neither the regional certificate authorities nor the root certificate authorities can respond, the key distribution center can decide to reject the request or allow temporary access based on local policies.
[0083] By introducing a multi-level certificate authority architecture, including a root certificate authority and multiple regional certificate authorities, the authentication responsibility is distributed and managed. Each regional certificate authority is responsible for issuing certificates to terminals within its jurisdiction. Simultaneously, a disaster recovery mechanism for the root certificate authority in case of a regional certificate authority failure prevents authentication service interruptions caused by single points of failure. This feature enhances the reliability and disaster recovery capabilities of authentication services in cross-regional, large-scale distribution automation networks, making it suitable for the deployment needs of provincial and even national wide-area monitoring systems.
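The key distribution center's verification path of [0081] and [0082], plus the OCSP response checks of [0064], as an added Python example that is not the patent's code. The CA responders are constructed callables standing in for OCSP endpoints, the signature check on a response is stood in for by a trusted-signer set, and the cache lifetime and policy names are constructed.

```python
"""Online verification with regional-CA-first, root-CA fall-back, a response
cache, and a local policy for total outage. Added example, not the patent's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# A responder models a CA's online verification endpoint (OCSP style): it
# returns a response dict or raises TimeoutError when it cannot answer.
Responder = Callable[[int], dict]


@dataclass
class KeyDistributionCenter:
    regional_cas: Dict[str, Responder]       # issuer name -> regional CA responder
    root_ca: Responder
    trusted_signers: Set[str]                # stand-in for verifying the response signature
    cache_ttl: int = 300                     # seconds, constructed value
    fail_policy: str = "reject"              # or "temporary" ([0082])
    _cache: Dict[int, Tuple[dict, int]] = field(default_factory=dict)  # serial -> (resp, expiry)

    def _acceptable(self, resp: dict, now: int) -> bool:
        """The [0064] checks: trusted signer, then thisUpdate <= now < nextUpdate."""
        return (resp.get("signer") in self.trusted_signers
                and resp["this_update"] <= now < resp["next_update"])

    def _query(self, issuer: str, serial: int, now: int) -> Optional[dict]:
        """Ask the issuing regional CA; on timeout, switch to the root CA ([0081])."""
        for responder in (self.regional_cas.get(issuer), self.root_ca):
            if responder is None:
                continue
            try:
                resp = responder(serial)
            except TimeoutError:
                continue
            if self._acceptable(resp, now):
                return resp
        return None

    def decide(self, cert: dict, now: int) -> str:
        """Return 'authorize', 'reject' or 'temporary' for a presented certificate."""
        serial = cert["serial"]
        cached = self._cache.get(serial)
        if cached is not None and now < cached[1]:
            resp = cached[0]                                   # reuse a recent answer ([0082])
        else:
            resp = self._query(cert["issuer"], serial, now)
            if resp is None:                                   # neither CA answered
                return "temporary" if self.fail_policy == "temporary" else "reject"
            # never cache past the response's own nextUpdate
            self._cache[serial] = (resp, min(now + self.cache_ttl, resp["next_update"]))
        return "authorize" if resp["status"] == "good" else "reject"
```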
[0084] Referring to Figure 5, this application also provides a communication network authentication system for a power distribution automation system, which applies the aforementioned communication network authentication method for a power distribution automation system and includes at least one power distribution automation terminal, a key distribution center, and a certificate authority. The power distribution automation terminal includes: The key generation module is used to generate public and private key pairs; The certificate request module is used to generate a certificate signing request based on the public key and the identity information of the power distribution automation terminal, and send it to the certificate authority. The certificate storage module is used to receive and store digital certificates issued by the certificate authority; The authentication initiation module is used to provide the digital certificate to the key distribution center when key exchange with the key distribution center is required, and to receive the authorization decision returned by the key distribution center based on the online verification result of the certificate; The key distribution center includes: A communication interface for communicating with at least one distribution automation terminal and a certificate authority; The access control module is used to receive the digital certificate provided by the distribution automation terminal when initiating key exchange, forward the digital certificate to the certificate authority for online verification, and decide whether to allow the distribution automation terminal to participate in the subsequent key exchange process based on the verification result returned by the certificate authority.
The certificate authority includes: The certificate issuance module is used to receive a certificate signing request sent by the power distribution automation terminal, issue a digital certificate based on the request, and return it to the power distribution automation terminal. The online verification module is used to receive digital certificate verification requests forwarded by the key distribution center, perform online verification of the digital certificate, and return the verification result to the key distribution center.
[0085] The communication network authentication system for power distribution automation systems in this embodiment has the same technical effect as the communication network authentication method for power distribution automation systems, and will not be described again here.
[0086] Those skilled in the art will recognize that the units of the various examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the invention.
[0087] In the embodiments provided by the present invention, it should be understood that the division of units is only a logical functional division. In actual implementation, there may be other division methods, such as multiple units can be combined into one unit, one unit can be split into multiple units, or some features can be ignored.
[0088] Furthermore, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.
[0089] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, read-only memory (ROM), random access memory (RAM), portable hard drives, magnetic disks, or optical disks.
[0090] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present invention, and they should all be covered within the scope of the specification of the present invention.
Claims
1. A communication network authentication method for a power distribution automation system, applied to a system including at least one power distribution automation terminal, a key distribution center, and a certificate authority, characterized in that it includes: The power distribution automation terminal generates a key pair, and based on the public key in the key pair and the identity information of the power distribution automation terminal, generates a certificate signing request and sends the certificate signing request to the certificate authority. The certificate authority issues a digital certificate using its private key based on the certificate signing request and returns the digital certificate to the power distribution automation terminal. In response to the power distribution automation terminal initiating a key exchange process with the key distribution center, the power distribution automation terminal sends the digital certificate to the key distribution center; The key distribution center forwards the digital certificate to the certificate authority, requesting online verification. The certificate authority verifies the digital certificate, including verifying the validity of its signature, the validity period of the certificate, and the revocation status of the certificate, and generates a verification result to return to the key distribution center. The key distribution center determines whether to authorize the power distribution automation terminal to continue key exchange based on the verification result.
2. The communication network authentication method for a power distribution automation system according to claim 1, characterized in that the certificate authority issuing a digital certificate using its private key based on the certificate signing request includes: The certificate authority performs a hash operation on the information in the certificate request and encrypts the hash value with its private key to generate a signature; the certificate authority then attaches the signature to the certificate to form a complete digital certificate.
3. The communication network authentication method for a power distribution automation system according to claim 1, characterized in that the verification of the digital certificate by the certificate authority includes: The signature of the digital certificate is decrypted using the public key of the certificate authority to obtain a first hash value; the identity information in the digital certificate is recalculated to obtain a second hash value; the first hash value and the second hash value are compared to see if they are consistent; and the validity period and revocation status of the digital certificate are checked.
4. The communication network authentication method for a power distribution automation system according to claim 3, characterized in that the check of revocation status is performed through an online certificate status protocol or a certificate revocation list.
5. The communication network authentication method for a power distribution automation system according to claim 3, characterized in that it also includes: If the number of verification requests received by the key distribution center within a preset time window exceeds a preset threshold, the certificate authority performs batch signature verification on the multiple verification requests. The batch signature verification is achieved by simultaneously verifying the signatures of multiple digital certificates through a single bilinear pairing operation.
6. The communication network authentication method for a power distribution automation system according to claim 3, characterized in that, based on the verification result, the key distribution center determining whether to authorize the distribution automation terminal to continue performing key exchange includes: If the certificate authority returns a verification result indicating that the certificate is invalid, expired, or revoked, the key distribution center will add the identification information of the power distribution automation terminal to the blacklist. The key distribution center will reject any key requests from the blacklisted power distribution automation terminals within a subsequent preset time window.
7. The communication network authentication method for a power distribution automation system according to claim 6, characterized in that it also includes: The key distribution center receives the incremental certificate revocation list periodically pushed by the certificate authority; The key distribution center dynamically updates its local blacklist based on the incremental certificate revocation list.
8. The communication network authentication method for a power distribution automation system according to claim 1, characterized in that the key exchange process follows the GDOI protocol defined in the IEC 61850-90-5 standard, and in the GROUPKEY-PULL stage of the GDOI protocol, the power distribution automation terminal sends the digital certificate to the key distribution center.
9. The communication network authentication method for a power distribution automation system according to claim 1, characterized in that the certificate authorities include root certificate authorities and multiple regional certificate authorities; The regional certificate authority is responsible for issuing digital certificates for distribution automation terminals within its jurisdiction. When verifying the digital certificate, the key distribution center initiates an online verification request to the regional certificate authority. If the regional certificate authority is unable to respond, the key distribution center initiates a verification request to the root certificate authority.
10. A communication network authentication system for a power distribution automation system, employing the communication network authentication method for a power distribution automation system according to any one of claims 1-9, characterized in that it includes at least one power distribution automation terminal, a key distribution center, and a certificate authority; The power distribution automation terminal includes: The key generation module is used to generate public and private key pairs; The certificate request module is used to generate a certificate signing request based on the public key and the identity information of the power distribution automation terminal, and send it to the certificate authority. The certificate storage module is used to receive and store digital certificates issued by the certificate authority; The authentication initiation module is used to provide the digital certificate to the key distribution center when key exchange with the key distribution center is required, and to receive the authorization decision returned by the key distribution center based on the online verification result of the certificate; The key distribution center includes: A communication interface for communicating with at least one distribution automation terminal and a certificate authority; The access control module is used to receive the digital certificate provided by the distribution automation terminal when initiating key exchange, forward the digital certificate to the certificate authority for online verification, and decide whether to allow the distribution automation terminal to participate in the subsequent key exchange process based on the verification result returned by the certificate authority.
The certificate authority includes: The certificate issuance module is used to receive a certificate signing request sent by the power distribution automation terminal, issue a digital certificate based on the request, and return it to the power distribution automation terminal. The online verification module is used to receive digital certificate verification requests forwarded by the key distribution center, perform online verification of the digital certificate, and return the verification result to the key distribution center.