CFL-based authentication and communication scheme for industrial control system

doi:10.11772/j.issn.1001-9081.2022030451

Journal of Computer Applications ›› 2023, Vol. 43 ›› Issue (4): 1183-1190.DOI: 10.11772/j.issn.1001-9081.2022030451

• Cyber security • Previous Articles

CFL-based authentication and communication scheme for industrial control system

Songbai LAN, Fangxiao LI, Leyi SHI()

College of Computer Science and Technology，China University of Petroleum （East China），Qingdao Shandong 266580，China

Received:2022-04-08 Revised:2022-06-12 Accepted:2022-06-17 Online:2023-04-11 Published:2023-04-10
Contact: Leyi SHI
About author:LAN Songbai， born in 1999， M. S. candidate. His research interests include industrial control system security， blockchain technology， active defense.
LI Fangxiao， born in 1999， M. S. candidate. His research interests include industrial control system security， active defense.
Supported by:
National Natural Science Foundation of China(61772551);Natural Science Foundation of Shandong Province(ZR2019MF034)

基于CFL的工控系统认证通信方案

兰松柏, 李方晓, 石乐义()

中国石油大学（华东）计算机科学与技术学院，山东青岛 266580

通讯作者: 石乐义
作者简介:兰松柏（1999—），男，江西萍乡人，硕士研究生，主要研究方向：工控系统安全、区块链、主动防御；
李方晓（1999—），男，山东临朐人，硕士研究生，主要研究方向：工控系统安全、主动防御；
基金资助:
国家自然科学基金资助项目(61772551);山东省自然科学基金资助项目(ZR2019MF034)

Abstract

Abstract:

Aiming at the problems of key leakage， single point of failure and high communication overhead in the central authentication scheme widely used in Industrial Control Systems （ICSs）， the Cryptography Fundamental Logics （CFL） authentication technology with domestic independent intellectual property right was introduced into the authentication and communication process of ICSs， and a CFL-based authentication and communication scheme for ICS was proposed. Firstly， between two communicating parties， the dynamic certificates with right， which were generated by the identity label and authority information of each other were exchanged and verified， so that the decentralized authentication of the identities of the two parties and the negotiation of the session key were realized. Secondly， the session key， CFL dynamic signature and access control rules were used to ensure the secure communication between the two parties. Finally， the detailed logs of control process were encrypted and stored to realize traceable process. Theoretical analysis and experimental results show that this scheme no longer needs the participation of remote authentication center in the authentication stage， and realizes the local and efficient authentication among industrial control equipments. The minimum system throughput improvement of the proposed scheme is 92.53% compared to the Public Key Infrastructure （PKI） scheme and 141.37% compared to the Identity-Based Encryption （IBE） scheme when facing a large number of authentication requests， which means that the proposed scheme can better meet the requirements of large-scale authentication and millisecond-level security communication in ICSs.

Key words: Industrial Control System (ICS), Cryptography Fundamental Logics (CFL) authentication, authentication and communication, Secure Sockets Layer or Transport Layer Security (SSL/TLS) protocol, BAN logic

摘要：

针对工控系统（ICS）中广泛采用的中心认证方案所存在的密钥泄露、单点失效、通信开销大的问题，将具有国内自主知识产权的密码基础逻辑（CFL）认证技术引入ICS的认证与通信过程中，并提出一种基于CFL的ICS认证通信方案。首先，通信双方通过交换并验证基于彼此身份标识和权限信息所生成的动态含权证书，实现双方身份的去中心认证和会话密钥的协商；然后，通过会话密钥、CFL动态签名和访问控制规则保证双方的安全通信；最后，将控制过程详细日志进行加密存储，以实现可溯源过程。理论分析和实验结果表明，所提方案在身份验证阶段不再需要远程认证中心的参与，并实现了工控设备间的本地高效认证。在面对大量认证请求时，与公钥基础设施（PKI）方案、基于身份加密（IBE）方案相比，所提方案的系统吞吐量分别至少提升了92.53%和141.37%，意味着所提方案能够更好地满足ICS的大规模认证和毫秒级安全通信的需求。

关键词: 工控系统, 密码基础逻辑认证, 认证通信, 安全套接层协议, BAN逻辑

CLC Number:

TP309

Songbai LAN, Fangxiao LI, Leyi SHI. CFL-based authentication and communication scheme for industrial control system[J]. Journal of Computer Applications, 2023, 43(4): 1183-1190.

兰松柏, 李方晓, 石乐义. 基于CFL的工控系统认证通信方案[J]. 《计算机应用》唯一官方网站, 2023, 43(4): 1183-1190.

Figures/Tables 7

References 21

1	陈华平，北京博文广成信息安全技术有限公司. 基于标识的证书认证体制CFL： 201110250009.4［P］. 2013-03-06. 10.4236/jis.2015.63020
	CHEN H P， Beijing Bowen Guangcheng Information Security Technology Co. Ltd. Identification based certificate authentication system CFL： 201110250009.4［P］. 2013-03-06. 10.4236/jis.2015.63020
2	RAO N， SRIVASTAVA S， SREEKANTH K S. PKI deployment challenges and recommendations for ICS networks［J］. International Journal of Information Security and Privacy， 2017， 11（2）： 38-48. 10.4018/ijisp.2017040104
3	魏珊珊，韩庆敏，郭肖旺，等. 基于国密算法的PKI在工控系统中的应用研究［J］. 计算机与现代化， 2018（11）：1-6. 10.3969/j.issn.1006-2475.2018.11.001
	WEI S S， HAN Q M， GUO X W， et al. Research on Application of PKI based on nation secret algorithm in ICS［J］. Computer and Modernization， 2018（11）： 1-6. 10.3969/j.issn.1006-2475.2018.11.001
4	许峰，齐玉国，黄皓，等. 基于开放源码的企业自建CA系统的研究与实现［J］. 计算机工程， 2006， 32（5）：128-130. 10.3969/j.issn.1000-3428.2006.05.046
	XU F， QI Y G， HUANG H， et al. Research and implementation of private enterprise CA based on open source code［J］. Computer Engineering， 2006， 32（5）： 128-130. 10.3969/j.issn.1000-3428.2006.05.046
5	BONEH D， FRANKLIN M. Identity-based encryption from the Weil pairing［J］. SIAM Journal on Computing， 2003， 32（3）： 586-615. 10.1137/s0097539701398521
6	WATERS B. Efficient identity-based encryption without random oracles［C］// Proceedings of the 2005 Annual International Conference on the Theory and Applications of Cryptographic Techniques， LNCS 3494. Berlin： Springer， 2005： 114-127.
7	GENTRY C， PEIKERT C， VAIKUNTANATHAN V. Trapdoors for hard lattices and new cryptographic constructions［C］// Proceedings of the 40th Annual ACM Symposium on Theory of Computing. New York： ACM， 2008： 197-206. 10.1145/1374376.1374407
8	SARVABHATLA M， VORUGUNTI C S. A secure and robust dynamic ID-based mutual authentication scheme with smart card using elliptic curve cryptography［C］// Proceedings of the 7th International Workshop on Signal Design and Its Applications in Communications. Piscataway： IEEE， 2015： 75-79. 10.1109/iwsda.2015.7458418
9	KIM S Y， KIM H， LEE D H. An efficient ID-based mutual authentication secure against privileged-insider attack［C］// Proceedings of the 5th International Conference on IT Convergence and Security. Piscataway： IEEE， 2015：1-4. 10.1109/icitcs.2015.7292941
10	LINDELL Y. Fast secure two-party ECDSA signing［C］// Proceedings of the 2017 Annual International Cryptology Conference， LNCS 10402. Cham： Springer， 2017： 613-644.
11	DOERNER J， KONDI Y， LEE E， et al. Secure two-party threshold ECDSA from ECDSA assumptions［C］// Proceedings of the 2018 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2018： 980-997. 10.1109/sp.2018.00036
12	CASTAGNOS G， CATALANO D， LAGUILLAUMIE F， et al. Two-party ECDSA from hash proof systems and efficient instantiations［C］// Proceedings of the 2019 Annual International Cryptology Conference， LNCS 11694. Cham： Springer， 2019： 191-221.
13	闫少勃. 国产化PLC上下位机安全通信技术研究［D］. 西安：西安电子科技大学， 2017： 2-16.
	YAN S B. Research on the secure communication technology of the upper and lower computer in domestic PLC［D］. Xi’an： Xidian University， 2017： 2-16.
14	惠敦炎. PROFIsafe： PROFIBUS和PROFINET的安全通信技术［J］.自动化博览， 2012， 29（S1）： 47-48.
	HUI D Y. PROFIsafe： safe communication technology for PROFIBUS and PROFINET［J］. Automation Panorama， 2012， 29（S1）： 47-48.
15	CANVEL B， HILTGEN A， VAUDENAY S，et al. Password interception in a SSL/TLS channel［C］// Proceedings of the 2003 Annual International Cryptology Conference，LNCS 2729.Berlin： Springer， 2003： 583-599.
16	廉文娟，赵朵朵，范修斌. 基于CFL_BLP模型的CFL SSL安全通信协议［J］. 计算机工程， 2021， 47（6）：152-163.
	LIAN W J， ZHAO D D， FAN X B. CFL SSL secure communication protocol based on CFL_BLP model［J］. Computer Engineering， 2021， 47（6）：152-163.
17	全国信息安全标准化技术委员会. 信息安全技术 SM2椭圆曲线公钥密码算法第4部分：公钥加密算法：［S］. 北京：中国标准出版社， 2016：2-6.
	National Information Technology Standardization Technical Committee. Information security technology - public key cryptographic algorithm SM2 based on elliptic curves - part 4： public key encryption algorithm：［S］. Beijing： Standards Press of China， 2016： 2-6.
18	全国信息安全标准化技术委员会. 信息安全技术 SM4分组密码算法：［S］. 北京：中国标准出版社， 2016：1-12.
	National Information Technology Standardization Technical Committee. Information security technology - SM4 block cipher algorithm：［S］. Beijing： Standards Press of China， 2016：1-12.
19	ONIGA B， FARR S H， MUNTEANU A， et al. IoT infrastructure secured by TLS level authentication and PKI identity system［C］// Proceedings of the 2nd World Conference on Smart Trends in Systems， Security and Sustainability. Piscataway： IEEE， 2018：78-83. 10.1109/worlds4.2018.8611563
20	Chengdu Huawei Symantec Technologies Co.， Ltd. Method， system， and device for obtaining keys： US 8769287B2［P］. 2014-07-01.
21	KILINC H H， YANIK T. A survey of SIP authentication and key agreement schemes［J］. IEEE Communications Surveys and Tutorials， 2014， 16（2）：1005-1023. 10.1109/surv.2013.091513.00050

方案	通信开销	计算开销	总开销
PKI-SSL	2（3RV+2RC）	2（6H+8PM+6PA+4R）	（6RV+4RC）+（12H+16PM+12PA+8R）
IBE-SSL	2（3RV+2RC）	2（5H+IBS+5PM+4PA+IBV+4R）	（6RV+4RC）+（10H+10PM+8PA+8R+2IBS+2IBV）
本文方案	2（2RV）	2（6H+11PM+7PA+2R）	（4RV）+（12H+22PM+14PA+4R）

方案	通信开销	计算开销	总开销
PKI-SSL	2（3RV+2RC）	2（6H+8PM+6PA+4R）	（6RV+4RC）+（12H+16PM+12PA+8R）
IBE-SSL	2（3RV+2RC）	2（5H+IBS+5PM+4PA+IBV+4R）	（6RV+4RC）+（10H+10PM+8PA+8R+2IBS+2IBV）
本文方案	2（2RV）	2（6H+11PM+7PA+2R）	（4RV）+（12H+22PM+14PA+4R）

[1]	ZHAO Guoxin, DING Ruofan, YOU Jianzhou, LYU Shichao, PENG Feng, LI Fei, SUN Limin. Design and implementation of high-interaction programmable logic controller honeypot system based on industrial control business simulation [J]. Journal of Computer Applications, 2020, 40(9): 2650-2656.
[2]	LIU Yukun, ZHUGE Jianwei, WU Yixiong. Threat and defense of new ransomware worm in industrial control system [J]. Journal of Computer Applications, 2018, 38(6): 1608-1613.
[3]	ZHANG Nan ZHANG Jianhua. Research and security analysis on open RFID mutual authentication protocol [J]. Journal of Computer Applications, 2013, 33(01): 131-134.
[4]	ZHANG Xue-jun CAI Wen-qi WANG Yu. Enhanced minimalist mutual-authentication protocol for RFID system [J]. Journal of Computer Applications, 2012, 32(09): 2395-2399.
[5]	ZHOU Chao ZHOU Cheng GUO Liang. Security analysis and improvement of IEEE 802.1X [J]. Journal of Computer Applications, 2011, 31(05): 1265-1270.
[6]	ZHAO Hua-wei,LI Da-xing. Action of one-way function in public-key authentication protocols [J]. Journal of Computer Applications, 2005, 25(11): 2509-2511.

CFL-based authentication and communication scheme for industrial control system

基于CFL的工控系统认证通信方案

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 7

References 21

Related Articles 6

Recommended Articles

Metrics