A non-interactive lightweight data security transmission method for power wireless local area network

By employing a pre-configured and non-interactive key generation method, the issues of channel resource consumption and key security in high-concurrency scenarios of power wireless LANs are resolved, achieving low-overhead, high-efficiency data transmission and security assurance, and adapting to the hardware and network environment of power sensor nodes.

CN122395588APending Publication Date: 2026-07-14STATE GRID FUJIAN ELECTRIC POWER RES INST +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
STATE GRID FUJIAN ELECTRIC POWER RES INST
Filing Date
2026-04-14
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing power wireless LAN communication solutions suffer from high channel resource consumption, high transmission latency, and high packet loss rates in high-concurrency scenarios. Furthermore, existing lightweight security solutions lack sufficient key security, cannot effectively resist attacks, and have excessive computational and communication overhead.

Method used

During the pre-configuration phase, each sensor node is assigned a node identifier, a pre-shared key, an initialization vector, an initial packet sequence number, a key update interval, and an old key retention period. The sensor nodes and the central aggregation node synchronously store these parameters before deployment. During the runtime phase, session keys are generated without interaction, and packet sequence numbers are used for key updates and replay attack verification, thereby achieving data encryption, authentication, and key updates.

Benefits of technology

It reduces communication overhead, minimizes channel congestion, extends battery life, and provides data confidentiality, integrity verification, identity authentication, and replay attack resistance. It is compatible with low-power, low-computing-power power sensor node hardware and meets power industry safety standards.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122395588A_ABST
    Figure CN122395588A_ABST
Patent Text Reader

Abstract

The application provides a non-interactive lightweight data security transmission method for a power wireless local area network, wherein a wireless sensing node synchronously generates a session key based on a local current packet sequence number and a pre-shared key, encrypts service data by using the session key and an initial vector, generates an authentication tag, assembles a data packet, and sends the data packet to a central convergence node; after sending is completed, the local stored packet sequence number is updated by increment; after the central convergence node receives the data packet, the same session key is synchronously generated based on the current packet sequence number and the pre-shared key, the ciphertext is decrypted and the authentication tag is checked by using the session key and the initial vector, and after the checking is passed, the latest legal packet sequence number stored locally is updated as the current packet sequence number in the data packet; the wireless sensing node and the central convergence node independently monitor the local stored packet sequence number, and when a preset key update interval is reached, the latest packet sequence number and the pre-shared key are used to synchronously generate a new session key by both sides.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of power wireless communication technology, specifically relating to a non-interactive, lightweight, secure data transmission method for power wireless local area networks. Background Technology

[0002] Power wireless local area networks (WLANs) are the core communication carrier for sensor data acquisition in low-voltage power distribution systems. They primarily handle the uploading of operational status, metering data, and fault alarm information from various power sensor nodes within the distribution area. In these scenarios, power sensor nodes typically employ low-power, low-computing-power embedded hardware designs, mostly equipped with only 8-bit or 16-bit microcontrollers, with available memory not exceeding 10KB. They are also often battery-powered or powered by current sensing, imposing strict limitations on communication and computing power consumption. Furthermore, a single central aggregation node usually needs to connect dozens to hundreds of sensor nodes, resulting in limited channel resources and a high risk of channel congestion in high-concurrency transmission scenarios.

[0003] Current mainstream communication security solutions mostly employ interactive key negotiation logic, such as transport layer security protocols and IoT standard key negotiation protocols. These require at least two to three handshakes between the communicating parties before transmitting business data to complete session key synchronization, and additional update commands are also needed during the key update phase. When applied in power sensing scenarios, these additional interactive messages consume significant channel resources, easily exacerbating channel congestion in high-concurrency scenarios, increasing transmission latency and packet loss rates. Furthermore, multiple interactions increase the communication power consumption of sensing nodes and shorten the lifespan of battery-powered nodes.

[0004] Some lightweight security solutions designed for low-power scenarios use a fixed pre-shared key for end-to-end encryption, eliminating the need for interactive negotiation. However, the key in these solutions remains unchanged over a long period, allowing attackers to capture large amounts of ciphertext for offline cracking, making their security insufficient for protecting power data. Furthermore, key updates still require the central node to broadcast update commands, incurring additional overhead and increasing the risk of key synchronization issues due to packet loss among some nodes.

[0005] In addition, most existing lightweight security solutions do not fully cover security capabilities. Some solutions only implement data encryption and do not provide integrity verification and anti-replay capabilities, making them unable to resist data tampering, forgery and replay attacks. Although some solutions cover full security capabilities, they require adding a large number of extra verification fields to the data packets, increasing the message length and further aggravating the occupation of channel resources. Summary of the Invention

[0006] To address the shortcomings and deficiencies of existing technologies, this invention provides a non-interactive, lightweight data security transmission method and system for power WLANs. This method addresses the hardware limitations of power sensor nodes—low power consumption, low computing power, and battery power—as well as the limited channel resources and network congestion characteristics in high-concurrency scenarios. In a pre-configuration phase, each sensor node is assigned a unique set of parameters, including a node identifier, a pre-shared key, an initialization vector, an initial packet sequence number, a key update interval, and the retention period for the old key. All parameters are synchronously stored in the local secure areas of the central aggregation node and the corresponding sensor node before deployment, without being transmitted through the wireless channel. During the operational phase, both communicating parties independently and synchronously generate the same session key using the same algorithm based on the locally stored current packet sequence number and the pre-shared key, achieving zero-interaction key negotiation. The sensor node uses the current session key and the initialization vector to encrypt service data and generate an authentication tag. It then assembles a data packet containing the node identifier, current packet sequence number, initialization vector, ciphertext, and authentication tag and sends it to the central aggregation node, incrementally updating the local packet sequence number after transmission. After receiving data packets, the central aggregation node retrieves the corresponding parameters based on the node identifier, verifies that the packet sequence number is greater than the latest valid packet sequence number locally to resist replay attacks, independently generates a session key based on the same logic, completes decryption and authentication verification, and updates the local packet sequence number after successful verification. Key updates are triggered independently by both communicating parties. When the difference between the current packet sequence number and the packet sequence number recorded at the time of the last key update reaches a preset update interval, both parties generate a new session key based on the latest packet sequence number and the pre-shared key, and cache the old key for a preset time to cope with network latency. This invention, through a triple reuse design of the packet sequence number as the freshness value for key generation, the verification basis for replay attacks, and the triggering factor for non-interactive key updates, simultaneously achieves data confidentiality, integrity verification, identity authentication, replay attack resistance, and dynamic key updates without any additional interactive messages, significantly reducing communication overhead and computational complexity, and adapting to high-concurrency, low-power application scenarios of power wireless LANs.

[0007] The specific technical solution adopted by this invention to solve its technical problem is as follows:

[0008] A non-interactive, lightweight, secure data transmission method for a power grid wireless local area network (WLAN), the WLAN comprising a central aggregation node and several wireless sensor nodes communicating with the central aggregation node, comprising the following steps:

[0009] Before the deployment of wireless sensor nodes, the central aggregation node assigns a node identifier, a pre-shared key, an initialization vector, an initial packet sequence number, a key update interval, and an old key retention period to each wireless sensor node. The above parameters are stored synchronously in the local secure storage area of ​​the central aggregation node and the corresponding wireless sensor node, and both parties synchronously record the packet sequence number at the time of the last key update.

[0010] The wireless sensor node independently and without interaction generates a session key based on the local current packet sequence number and the pre-shared key. It uses the session key and the initialization vector to encrypt the service data and generate an authentication tag. It assembles a data packet containing the node identifier, current packet sequence number, initialization vector, ciphertext and authentication tag and sends it to the central aggregation node. After sending, it increments and updates the packet sequence number stored locally.

[0011] After receiving the data packet, the central aggregation node retrieves the local storage parameters of the corresponding wireless sensor node according to the node identifier, verifies that the current packet sequence number in the data packet is greater than the latest valid packet sequence number corresponding to the node stored locally, and generates the same session key independently and without interaction based on the current packet sequence number and the pre-shared key. The session key and the initialization vector are used to complete the ciphertext decryption and authentication tag verification. After the verification is passed, the latest valid packet sequence number stored locally is updated to the current packet sequence number in the data packet.

[0012] The wireless sensor node and the central aggregation node independently monitor the packet sequence number stored locally. When the difference between the current packet sequence number and the packet sequence number recorded during the last key update reaches the preset key update interval, the two parties independently and without interaction synchronously generate a new session key based on the latest packet sequence number and the pre-shared key.

[0013] Furthermore, before the deployment of wireless sensor nodes, all pre-configured and allocated parameters are stored only in the local secure storage area of ​​the central aggregation node and the corresponding wireless sensor node, and are not transmitted over the air via wireless channels.

[0014] Furthermore, the specific method by which the wireless sensing node and the central aggregation node independently and synchronously generate session keys is as follows: the current packet sequence number and the pre-shared key are concatenated byte by byte, the concatenation result is input into a cryptographic hash function to obtain the session key seed, and the session key seed is processed by a key sequence generation algorithm that meets the requirements of cryptographic randomness to obtain a session key of the corresponding length.

[0015] Furthermore, the packet sequence number is also used as the fresh value derived from the session key, the verification basis for resisting replay attacks, and the triggering factor for non-interactive key updates.

[0016] Furthermore, when the wireless sensor node generates an authentication tag, it uses its own node identifier as associated data input to the authentication encryption algorithm to participate in the generation of the authentication tag; when the central aggregation node verifies the authentication tag, it uses the node identifier of the corresponding wireless sensor node as associated data input to the algorithm.

[0017] Furthermore, the central aggregation node verifies the packet sequence number based on the monotonicity of the increasing packet sequence number, eliminating the need for time synchronization across all network nodes.

[0018] Furthermore, after the central aggregation node and the wireless sensor node generate a new session key, the old session key to be replaced is stored in the local cache for a preset old key retention period. During the cache period, the old session key can be used to decrypt legitimate data packets.

[0019] Furthermore, while the wireless sensing node and the central aggregation node generate a new session key, a new initial vector is derived based on the session key seed corresponding to the newly generated session key, replacing the original initial vector.

[0020] And, a non-interactive lightweight data security transmission system for power wireless local area networks, including a central aggregation node and several wireless sensing nodes communicating with the central aggregation node;

[0021] The central aggregation node is equipped with a pre-configuration unit, a decryption verification unit, and a first key operation unit;

[0022] The wireless sensor node is equipped with a local storage unit, an encrypted transmission unit, and a second key operation unit.

[0023] The pre-configuration unit is used to assign a node identifier, a pre-shared key, an initialization vector, an initial packet sequence number, a key update interval, and an old key retention period to each wireless sensor node before deployment, and to complete the synchronous storage of the above parameters between the central aggregation node and the corresponding wireless sensor node, and to synchronously record the packet sequence number at the time of the last key update.

[0024] The first key operation unit and the second key operation unit are used to independently and without interaction synchronously generate a consistent session key based on the local current packet sequence number and the pre-shared key; they are also used to monitor the local packet sequence number, and when the difference between the current packet sequence number and the packet sequence number recorded at the last key update reaches the key update interval, they independently and without interaction synchronously generate a new session key based on the latest packet sequence number and the pre-shared key.

[0025] The encrypted transmission unit is used to encrypt business data using the current session key and initialization vector, generate an authentication tag, assemble and send data packets, and increment and update the locally stored packet sequence number after sending.

[0026] The decryption verification unit is used to receive data packets, retrieve the local storage parameters of the corresponding wireless sensor node according to the node identifier, verify that the current packet sequence number in the data packet is greater than the latest legal packet sequence number corresponding to the node stored locally, call the first key operation unit to generate the corresponding session key, complete the ciphertext decryption and authentication tag verification, and update the latest legal packet sequence number stored locally after the verification is passed.

[0027] Furthermore, the system only transmits business data packets throughout the entire process and does not generate any additional interactive messages related to key negotiation or key update.

[0028] Compared to existing technologies, this invention and its preferred solution significantly reduce the communication overhead of power wireless LAN data transmission. No additional interaction beyond service data packets is required throughout the process, effectively alleviating channel congestion in high-concurrency scenarios. Simultaneously, it reduces the communication power consumption of sensor nodes, adapting to the needs of low-power power sensor nodes. The overall computational complexity of the solution is low, and the cryptographic mechanisms employed are all lightweight and mature implementations, requiring no additional hardware encryption modules. It can run stably on low-computing-power embedded sensor nodes, adapting to the hardware configuration characteristics of sensor nodes in power scenarios. The solution possesses comprehensive security protection capabilities, simultaneously achieving data confidentiality protection and data... Integrity verification, data source authentication, anti-replay attack, and dynamic key updates can resist common attacks such as forgery, tampering, replay, and key prediction during power data transmission, meeting the communication security requirements of the power industry. The solution has good network environment adaptability. Through the old key caching mechanism, it can adapt to common network out-of-order and transmission delay scenarios in power wireless LANs, avoiding the accidental discarding of legitimate data packets and ensuring the continuity and stability of service transmission. At the same time, the solution can achieve reliable anti-replay protection without the need for time synchronization of all network nodes, simplifying the system implementation logic, reducing the complexity of deployment and operation and maintenance, and has good engineering application value. Attached Figure Description

[0029] The present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments:

[0030] Figure 1 This is a schematic diagram illustrating the implementation process of an embodiment of the present invention. Detailed Implementation

[0031] To make the features and advantages of the present invention more apparent and understandable, specific embodiments are described below in detail:

[0032] It should be noted that the following detailed descriptions are exemplary and intended to provide further explanation of this application. Unless otherwise specified, all technical and scientific terms used in this specification have the same meaning as commonly understood by one of ordinary skill in the art to which this application pertains.

[0033] It should be noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the exemplary embodiments according to this application. As used herein, the singular form is intended to include the plural form as well, unless the context clearly indicates otherwise. Furthermore, it should be understood that when the terms "comprising" and / or "including" are used in this specification, they indicate the presence of features, steps, operations, devices, components, and / or combinations thereof.

[0034] This invention proposes a non-interactive, lightweight data security transmission method for power WLANs to improve the security and reliability of data transmission. This method belongs to high-security wireless encryption transmission technology, achieving security with low computational overhead and reduced interaction frequency. Specifically, the method first pre-allocates node serial numbers, pre-shared keys, initialization vectors, packet serial numbers, key update intervals, and key storage times for wireless nodes by a central aggregation node. Next, a hash function is used to process the packet serial numbers and pre-shared keys, and a key sequence generation algorithm is applied to the calculation results to generate a session key, ensuring high randomness and timeliness. Then, the power wireless sensor node updates the initialization vector and packet serial number, and calls ChaCha20-Poly1305 to generate ciphertext and authentication tags for the data to be encrypted and the node serial number, achieving data confidentiality, integrity, and replay resistance. The central aggregation node securely decrypts the data packets. Finally, the method determines whether to update the session key based on the key update interval preset during node registration to ensure key freshness, and the old key is stored for a preset time to cope with network latency. This invention ensures security without requiring multiple interactions, effectively resisting forgery, tampering, replay, and key prediction attacks, while also being lightweight and possessing engineering application value. Addressing the issue of data transmission from multiple sensor nodes to a central node, it optimizes the negotiation process for key generation and update, effectively reducing overall network communication overhead and ensuring secure data transmission, thus achieving more secure and reliable data transmission among multiple wireless power sensor nodes in power scenarios.

[0035] like Figure 1 As shown, the implementation steps of the non-interactive lightweight data security transmission method for power WLAN provided by the present invention include:

[0036] S1: Before deployment, the power wireless sensor node is assigned a node sequence number, pre-shared key, initialization vector, packet sequence number, key update interval, and key retention time by the central aggregation node;

[0037] S2: The power wireless sensor node and the central aggregation node directly synchronize to calculate the session key required for subsequent encryption;

[0038] S3: Update the initial vector and packet sequence number of the current power wireless sensor node, and call the ChaCha20-Poly1305 authentication and encryption algorithm to generate ciphertext and authentication tag for the data to be encrypted and the power wireless sensor node sequence number. The central aggregation node decrypts the data packet.

[0039] S4: Determine whether the session key needs to be updated based on the key update interval preset during the registration phase of the power wireless sensor node, and save the previous session key for a preset time.

[0040] Specifically, in step S1, the first One power wireless sensor node Before deployment, the nodes must first register at the central aggregation node, which will then act as the power wireless sensor nodes. Assign node sequence number Pre-shared key Initial vector Package number Key update interval and key storage time And save it, including the power wireless sensor node. Indicates the first One power wireless sensor node.

[0041] Specifically, in step S2, the packet sequence number allocated in step S1 is... and pre-shared key After concatenation, input the result into a hash function to obtain a random number seed. for Seed the random number The session key is obtained by feeding it into an existing key sequence generation algorithm, where... Represents a hash function. Indicates the package number and pre-shared key splicing.

[0042] Specifically, in step S3, the power wireless sensing node Initialization vector before sending data to the central aggregation node Package number Perform increment operations separately, i.e., increment each one by 1, then the power wireless sensor node Ciphertext is generated by calling the ChaCha20-Poly1305 authentication encryption algorithm. and certification labels Wireless power sensing node The data sent to the central aggregation node includes the node sequence number of the power wireless sensor node. Initial vector Package number ciphertext and certification labels .

[0043] Specifically, in step S3, after receiving the data packet, the central aggregation node determines the communication target as a power wireless sensor node based on the node sequence number in the data packet. Then, the sequence number validity is checked: the sequence number carried in the data packet is determined. Is the sequence number greater than the latest valid packet number stored locally on this node? If not, discard the packet. If it is greater, further determine the sequence number carried in the packet. Local packet sequence number stored with the central aggregation node Is the difference greater than or equal to the key update interval pre-allocated in step S1? If the value is greater than 1, the session key is updated first, and then the data packet decryption operation is performed; otherwise, the data packet decryption operation is performed directly.

[0044] Specifically, in step S3, the central aggregation node calls the ChaCha20-Poly1305 authentication and encryption algorithm to verify the node sequence number. and ciphertext Recalculate the authentication label If recalculated and authentication tags in data packets If they are equal, then the ciphertext is correct. Decrypt the data packet; otherwise, discard it.

[0045] Specifically, in step S4, the key update interval is set in step S1. Then, using the session key generation method in step S2, the session key between the power wireless sensor node and the central aggregation node is actively updated, and the previous session key is saved for the same duration as the key saving time set in step S1. .

[0046] The following describes this solution through more specific embodiments:

[0047] This embodiment is applied to a power wireless local area network scenario consisting of one central aggregation node and several power wireless sensor nodes. The overall implementation is divided into two parts: a pre-configuration phase and an operation phase. The pre-configuration phase is completed during the production or debugging process before the sensor nodes are deployed, and there is no over-the-air transmission of parameters. The operation phase is the entire communication cycle between the sensor nodes and the central aggregation node after deployment. Throughout the entire process, no additional interaction between the sensor nodes and the central aggregation node is required except for the transmission of service data packets, which can achieve complete communication security protection with low overhead.

[0048] The specific implementation process of the solution in this embodiment is as follows:

[0049] (a) Implementation of the pre-configuration phase

[0050] During the pre-configuration phase, the central aggregation node generates and stores parameters. Specifically, the central aggregation node generates an independent, dedicated parameter set for each power wireless sensor node to be deployed. Each parameter set contains six items: a unique identifier for the sensor node, a pre-shared key, an initialization vector, an initial packet sequence number, a key update interval, and the retention period for the old key. All parameters are stored in a secure local storage area on both the central aggregation node and the corresponding sensor node, accessible only to the respective party and will not be leaked to external parties.

[0051] As a further preferred implementation, the central aggregation node and each sensor node synchronously maintain two core record values: one is the packet sequence number at the time of the last key update, that is, the packet sequence number value of the corresponding sensor node when the session key update was completed last time, which is used to determine the timing of the key update; the other is the latest valid packet sequence number, that is, the packet sequence number of the data packet that the corresponding sensor node has recently successfully decrypted and verified, which is used for anti-replay attack verification.

[0052] As a further preferred implementation, the length of the pre-shared key can be set to 16 bytes or 32 bytes, which can meet the key length requirements of mainstream symmetric encryption algorithms; the length of the initial vector can be set to 12 bytes, which can adapt to the input requirements of subsequent authentication encryption algorithms; the initial value of the initial packet sequence number can be set to 0 or a random positive integer, as long as the initial value of the central aggregation node is consistent with that of the corresponding sensor node; the key update interval can be set to 100, 1000, or 10000 data packet transmissions according to the business security level requirements, and the higher the security requirements, the shorter the interval should be; the old key retention time can be set to 1.5 to 2 times the transmission time corresponding to the key update interval, which can adapt to common network out-of-order and transmission delay scenarios in power wireless LANs.

[0053] (II) Operation Phase - Session Key Generation Logic

[0054] During the operational phase, the session key is independently calculated and generated by both the sensor node and the central aggregation node. This ensures complete consistency between the session keys generated by both ends without any interaction. The specific generation logic is as follows: based on the currently stored packet sequence number and the pre-shared key, both communicating parties first concatenate the two parameters byte-by-byte, and then calculate the session key seed using a hash function. The calculation formula is as follows:

[0055]

[0056] in This is the session key seed. For cryptographic hash functions, Let be the current packet sequence number of the i-th sensor node. Let be the pre-shared key for the i-th sensor node. This indicates a byte concatenation operation.

[0057] After obtaining the session key seed, both communicating parties use the same key sequence generation algorithm to process the seed and obtain the session key of the corresponding length. Three types of well-known implementations that meet the requirements of cryptographic randomness can be used for the key sequence generation algorithm: the first type is the HKDF key derivation function, which uses the session key seed as input key material to directly derive the session key of the corresponding length; the second type is hash output truncation, where if the hash output length of the session key seed is greater than the required length of the session key, the first N bits of the output are directly taken as the session key, where N is the bit length of the required session key; the third type is stream cipher key generation logic, which uses the session key seed as the initial key for the stream cipher and outputs the first N bits of the key stream as the session key.

[0058] As a further preferred embodiment, the hash function can be a publicly verified commercial cryptographic hash function such as SM3 or SHA-256; the key sequence generation algorithm is preferably implemented using HKDF-SHA256, and the generated session key length is preferably 32 bytes to meet the key length requirements of subsequent authentication encryption algorithms. The pre-shared key, known only to the communicating parties, ensures the confidentiality of the session key, while the synchronously updated packet sequence numbers ensure the dynamism of the session key. The combination of these two aspects can simultaneously satisfy the unpredictability of the key and the consistency requirements of both ends without interaction, overcoming the shortcomings of existing interactive key negotiation schemes that require additional interaction.

[0059] (III) Operational Phase - Encrypted Transmission Process (Sensor Node Side)

[0060] After the sensor nodes are deployed and online, when business data needs to be uploaded, they first call the ChaCha20-Poly1305 authentication and encryption algorithm. Using the currently active session key and the locally stored initialization vector as encryption input, the collected plaintext business data is encrypted, and a corresponding data authentication tag is generated. After encryption, the sensor node assembles the transmission data packet. The data packet contains, in sequence, the sensor node's unique identifier, the currently stored packet sequence number, the currently used initialization vector, the encrypted business data, and the authentication tag. After the data packet is assembled, the sensor node sends it to the central aggregation node. Immediately after sending, it increments the locally stored packet sequence number by 1, waiting for the next data transmission.

[0061] When calling the ChaCha20-Poly1305 algorithm, the unique identifier of the sensor node is used as the associated data (AAD) input to the algorithm to participate in the generation of the authentication tag;

[0062] It is important to note that before the sensor node calls the ChaCha20-Poly1305 algorithm, it needs to increment the locally stored initial vector IV_i by 1, and use it together with the incremented packet sequence number as the encryption input parameter.

[0063] (iv) Operational Phase - Decryption and Verification Process (Central Aggregation Node Side)

[0064] As a further explanation of this embodiment, this scheme involves two types of core packet sequence number variables: one is the current packet sequence number carried in the data packet on the sensor node side. Secondly, the latest valid packet sequence number of the corresponding sensor node is stored locally at the central aggregation node. The initial values ​​of the two are exactly the same; the central aggregation node will only update the value after all data packets have passed decryption and verification. .

[0065] After receiving the data packet uploaded by the sensor node, the central aggregation node first indexes all parameters of the corresponding node stored locally based on the unique identifier of the sensor node in the data packet. First, it performs packet sequence number validity verification (the central aggregation node independently maintains and records the latest valid packet sequence number for each connected sensor node; this sequence number is the packet sequence number carried by the data packet that most recently passed decryption verification for the corresponding sensor node, and this value can only be updated after the current data packet has passed decryption and authentication tag verification). It checks whether the packet sequence number carried by the data packet is greater than the latest valid packet sequence number of the node stored locally. If it is less than or equal to, it is determined to be a duplicate data packet or a replay attack data packet, and is directly discarded without proceeding to the next step; if it is greater, it proceeds to the subsequent decryption verification process. After completing the packet sequence number validity verification, it first checks whether the difference between the packet sequence number carried by the current data packet and the packet sequence number recorded during the last key update reaches the preset key update interval. If it does, a new session key is generated according to the rules, and then the subsequent decryption verification operation is performed using the new key; otherwise, the currently effective session key is used directly to perform the decryption verification.

[0066] When the central node verifies the authentication label, the node identity identifier carried in the data packet must be used as the associated data input algorithm to ensure that the verification logic is consistent with that of the encryption end.

[0067] Next, the central aggregation node uses its locally stored, currently active session key, combined with the initialization vector carried in the data packet, to decrypt the ciphertext and simultaneously verify the validity of the authentication tag. If the authentication tag verification fails, the data is deemed to have been tampered with or forged, and the data packet is discarded. If the verification passes, the decrypted plaintext business data is transmitted to the upper-layer business system, and the latest valid packet sequence number stored locally for that node is updated to the packet sequence number carried in this data packet.

[0068] The design mechanism of packet sequence number monotonicity verification in this step is that it can achieve anti-replay attack capability without adding additional random numbers or timestamp fields, preventing attackers from replaying previously captured legitimate data packets. Compared with traditional timestamp verification schemes, it does not require full network time synchronization, further reducing system implementation complexity and synchronization overhead.

[0069] (v) Operational Phase - Key Update Process

[0070] Key updates are triggered independently by both the sensing nodes and the central aggregation node, without requiring any update notifications to the other, enabling seamless key synchronization. Specifically, both communicating parties independently monitor the difference between the current packet sequence number and the packet sequence number at the time of the last key update. When the difference reaches a preset key update interval, both ends simultaneously trigger the key update process.

[0071] During the update, both communicating parties use the latest packet sequence number and the locally stored pre-shared key to calculate a new session key seed using the seed generation formula. Then, they generate a new session key using the same key sequence generation algorithm, replacing the original active session key, which will be used as the key for subsequent encrypted transmissions. Simultaneously, both parties store the replaced old session key in their local cache for a preset old key retention period. Within this cache period, if a legitimate data packet encrypted with the old key is received, decryption and verification can still be completed normally. After the cache period expires, the old session key is automatically deleted to avoid the risk of key leakage.

[0072] As a further preferred embodiment, if the business scenario has extremely high security requirements, the initial vector can be updated synchronously with each update of the session key. The update logic is consistent with the session key. Both communicating parties use the newly generated session key seed to derive a new 12-byte initial vector, which replaces the original initial vector, further improving the randomness of the encryption process and reducing the risk of the ciphertext being cracked.

[0073] In summary, this solution is designed specifically for the characteristics of power wireless LAN scenarios and offers several advantages. First, it has extremely low communication overhead, with no additional interactive messages besides service data packets throughout the entire process. This significantly reduces channel resource consumption, effectively alleviating channel congestion issues in high-concurrency sensor node transmission scenarios, while also reducing the communication power consumption of sensor nodes and extending the lifespan of battery-powered nodes. Second, it has low computational complexity. The cryptographic algorithms used are all lightweight and mature, requiring no additional hardware encryption modules. They can run quickly on low-computing-power embedded sensor nodes and are compatible with the hardware configuration of power sensor nodes. Third, it offers comprehensive security capabilities, covering data confidentiality protection, data integrity verification, data source authentication, replay attack resistance, and dynamic key updates, meeting the communication security standards of the power industry. Fourth, it offers high transmission reliability. The legacy session key caching mechanism is adaptable to common network out-of-order and transmission delay scenarios in power wireless LANs, preventing legitimate data packets from being mistakenly discarded and ensuring the continuity of service transmission.

[0074] It should be noted that, unless otherwise defined, the technical or scientific terms used in this invention should have the ordinary meaning understood by one of ordinary skill in the art to which this invention pertains. The terms "first," "second," and similar terms used in this invention do not indicate any order, quantity, or importance, but are merely used to distinguish different components. Terms such as "comprising" or "including" mean that the element or object preceding the word encompasses the elements or objects listed following the word and their equivalents, without excluding other elements or objects. Terms such as "connected" or "linked" are not limited to physical or mechanical connections, but can include electrical connections, whether direct or indirect. Terms such as "upper," "lower," "left," and "right" are used only to indicate relative positional relationships; when the absolute position of the described object changes, the relative positional relationship may also change accordingly.

[0075] The above description is merely a preferred embodiment of the present invention and is not intended to limit the invention in any other way. Any person skilled in the art may make changes or modifications to the above-disclosed technical content to create equivalent embodiments. However, any simple modifications, equivalent changes, and modifications made to the above embodiments based on the technical essence of the present invention without departing from the scope of the present invention shall still fall within the protection scope of the present invention.

[0076] This invention is not limited to the preferred embodiment described above. Anyone inspired by this invention can derive various other forms of non-interactive lightweight data security transmission methods for power WLANs. All equivalent variations and modifications made within the scope of the claims of this invention should be considered within the scope of this invention.

Claims

1. A non-interactive, lightweight, secure data transmission method for a power grid wireless local area network, wherein the power grid wireless local area network includes a central aggregation node and several wireless sensor nodes communicating with the central aggregation node, characterized in that, Includes the following steps: Before the deployment of wireless sensor nodes, the central aggregation node assigns a node identifier, a pre-shared key, an initialization vector, an initial packet sequence number, a key update interval, and an old key retention period to each wireless sensor node. The above parameters are stored synchronously in the local secure storage area of ​​the central aggregation node and the corresponding wireless sensor node, and both parties synchronously record the packet sequence number at the time of the last key update. The wireless sensor node independently and without interaction generates a session key based on the local current packet sequence number and the pre-shared key. It uses the session key and the initialization vector to encrypt the service data and generate an authentication tag. It assembles a data packet containing the node identifier, current packet sequence number, initialization vector, ciphertext and authentication tag and sends it to the central aggregation node. After sending, it increments and updates the packet sequence number stored locally. After receiving the data packet, the central aggregation node retrieves the local storage parameters of the corresponding wireless sensor node according to the node identifier, verifies that the current packet sequence number in the data packet is greater than the latest valid packet sequence number corresponding to the node stored locally, and generates the same session key independently and without interaction based on the current packet sequence number and the pre-shared key. The session key and the initialization vector are used to complete the ciphertext decryption and authentication tag verification. After the verification is passed, the latest valid packet sequence number stored locally is updated to the current packet sequence number in the data packet. The wireless sensor node and the central aggregation node independently monitor the packet sequence number stored locally. When the difference between the current packet sequence number and the packet sequence number recorded during the last key update reaches the preset key update interval, the two parties independently and without interaction synchronously generate a new session key based on the latest packet sequence number and the pre-shared key.

2. The non-interactive lightweight data security transmission method for power WLANs according to claim 1, characterized in that: Before the deployment of wireless sensor nodes, all pre-configured and allocated parameters are stored only in the local secure storage area of ​​the central aggregation node and the corresponding wireless sensor node, and are not transmitted over the air through wireless channels.

3. The non-interactive lightweight data security transmission method for power WLANs according to claim 1, characterized in that: The specific method for the wireless sensor node and the central aggregation node to independently and synchronously generate session keys is as follows: the current packet sequence number and the pre-shared key are concatenated byte by byte, the concatenation result is input into a cryptographic hash function to obtain the session key seed, and the session key seed is processed by a key sequence generation algorithm that meets the requirements of cryptographic randomness to obtain a session key of the corresponding length.

4. The non-interactive lightweight data security transmission method for power WLANs according to claim 1, characterized in that: The packet sequence number is used simultaneously as the fresh value derived from the session key, the verification basis for resisting replay attacks, and the triggering factor for non-interactive key updates.

5. A non-interactive lightweight data security transmission method for power WLANs according to claim 1, characterized in that: When the wireless sensor node generates an authentication tag, it uses its own node identifier as associated data input to the authentication encryption algorithm to participate in the generation of the authentication tag; when the central aggregation node verifies the authentication tag, it uses the node identifier of the corresponding wireless sensor node as associated data input to the algorithm.

6. A non-interactive lightweight data security transmission method for power WLANs according to claim 1, characterized in that: The central aggregation node verifies the packet sequence number based on the monotonicity of the increasing packet sequence number, without requiring time synchronization across all nodes in the network.

7. A non-interactive lightweight data security transmission method for power WLANs according to claim 1, characterized in that: After the central aggregation node and the wireless sensor node generate a new session key, the old session key to be replaced is stored in the local cache for a preset old key retention period. During the cache period, the old session key can be used to decrypt legitimate data packets.

8. A non-interactive lightweight data security transmission method for power line wireless local area networks according to claim 1, characterized in that: While the wireless sensing node and the central aggregation node generate a new session key, a new initial vector is derived based on the session key seed corresponding to the newly generated session key, replacing the original initial vector.

9. A non-interactive, lightweight, secure data transmission system for power line wireless local area networks, characterized in that, It includes a central aggregation node and several wireless sensor nodes that communicate with the central aggregation node; The central aggregation node is equipped with a pre-configuration unit, a decryption verification unit, and a first key operation unit; The wireless sensor node is equipped with a local storage unit, an encrypted transmission unit, and a second key operation unit. The pre-configuration unit is used to assign a node identifier, a pre-shared key, an initialization vector, an initial packet sequence number, a key update interval, and an old key retention period to each wireless sensor node before deployment, and to complete the synchronous storage of the above parameters between the central aggregation node and the corresponding wireless sensor node, and to synchronously record the packet sequence number at the time of the last key update. The first key operation unit and the second key operation unit are used to independently and without interaction generate a consistent session key based on the local current packet sequence number and the pre-shared key; they are also used to monitor the local packet sequence number, and when the difference between the current packet sequence number and the packet sequence number recorded at the last key update reaches the key update interval, they independently and without interaction generate a new session key based on the latest packet sequence number and the pre-shared key. The encrypted transmission unit is used to encrypt business data using the current session key and initialization vector, generate an authentication tag, assemble and send data packets, and increment and update the locally stored packet sequence number after sending. The decryption verification unit is used to receive data packets, retrieve the local storage parameters of the corresponding wireless sensor node according to the node identifier, verify that the current packet sequence number in the data packet is greater than the latest legal packet sequence number corresponding to the node stored locally, call the first key operation unit to generate the corresponding session key, complete the ciphertext decryption and authentication tag verification, and update the latest legal packet sequence number stored locally after the verification is passed.

10. A non-interactive lightweight data security transmission system for power line wireless local area networks according to claim 9, characterized in that, The system only transmits business data packets throughout the entire process and does not generate any additional interactive messages related to key negotiation or key update.