
CN110868370B - Method, device and computer-readable storage medium for substation communication - Google Patents


Info

Publication number
CN110868370B
Authority
CN
China
Prior art keywords
access point
identity information
configuration file
information
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810979654.1A
Other languages
Chinese (zh)
Other versions
CN110868370A (en)
Inventor
胡能辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Schneider Electric Industries SAS
Original Assignee
Schneider Electric Industries SAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Schneider Electric Industries SAS filed Critical Schneider Electric Industries SAS
Priority to CN201810979654.1A priority Critical patent/CN110868370B/en
Publication of CN110868370A publication Critical patent/CN110868370A/en
Application granted granted Critical
Publication of CN110868370B publication Critical patent/CN110868370B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for server listening in substation communication is provided, wherein the server stores a first configuration file and a second configuration file, the first configuration file comprises identity information of an access point, and the second configuration file comprises the identity information of the access point and corresponding first security attribute information. The method comprises the following steps: determining whether the identity information of one or more access points in the first configuration file is contained in the second configuration file; and, when the identity information of the one or more access points is contained in the second configuration file, determining the communication port on which the one or more access points listen according to the first security attribute information corresponding to the identity information of the one or more access points in the second configuration file. The present invention achieves downward compatibility through synchronization of the two configuration files and allows the two configuration files to be used independently.

Description

Method, device and computer-readable storage medium for substation communication
Technical Field
The invention relates to a method and a device for server monitoring in substation communication, a method and a device for client-initiated connection in substation communication, and a computer-readable storage medium.
Background
With the development of automation in electric power systems, engineering operations for the intelligent substation have been standardized, so that the engineering implementation of the intelligent substation has become standard, uniform and transparent. The IEC61850 standard is an international standard for substation automation systems based on a general network communication platform. It provides a common communication standard and normalizes a series of devices to a standard output, so that seamless connection of the system is achieved. The abstract data model defined in IEC61850 may currently be mapped to ISO 9506-MMS (Manufacturing Message Specification), which defines port 102 for communication.
Referring to fig. 1, for communication in accordance with the IEC62351-4 protocol, a security profile uses a combination of transport layer (T-Profile) security and application layer (A-Profile) security. Transport layer security uses TLS (as specified by IETF RFC 5246) to provide encryption and node authentication at the transport layer, while application layer security provides peer-to-peer authentication at the application layer during association establishment. According to IEC61850-6, the communication parts in the IED instance configuration file (i.e. CID file) and the total station system configuration description file (i.e. SCD file) describe the direct communication connection possibilities between logical nodes through the IED access points, and the IEC62351 standard defines port 3782 for secure communication. Service information (i.e., service information that can be provided) and access point information (access point when the present IED device communicates with other IEC devices) are described in the IED.
Disclosure of Invention
There are many drawbacks in the current IEC61850 standard. In particular, referring to fig. 2, if communication of security information needs to be implemented under the IEC61850 standard, a security profile that lists the settings of the security attributes (T-Profile/A-Profile) for configuring an access point is often required. However, the CID file and the SCD file are not defined to be able to carry information related to security settings.
According to one aspect of the present disclosure, a method for server monitoring in substation communication is provided, wherein the server stores a first configuration file and a second configuration file, wherein the first configuration file contains identity information and configuration information of an access point, and the second configuration file contains identity information, configuration information and first security attribute information of the access point, the method includes: determining whether identity information of one or more access points in the first profile is contained in the second profile; if the identity information of the one or more access points is contained in the second profile, comparing whether the configuration information of the one or more access points in the first profile is the same as the configuration information of the one or more access points in the second profile; and if the configuration information of the one or more access points in the first configuration file is the same as the configuration information of the one or more access points in the second configuration file, determining the communication port for monitoring by the one or more access points according to the corresponding first security attribute information of the identity information of the one or more access points in the second configuration file.
According to another aspect of the present disclosure, a method for a client to initiate a connection in substation communication is provided, where the client stores a first configuration file and a second configuration file, where the first configuration file contains identity information and configuration information of an access point, and the second configuration file contains identity information, configuration information, and security attribute information of the access point, the method including: acquiring identity information of a local access point and a remote access point; respectively judging the security attribute of the local access point and the security attribute of the remote access point according to whether the identity information of the local access point and the remote access point is contained in the first configuration file and the second configuration file and the security attribute information in the second configuration file; and if the security attribute of the local access point is matched with the security attribute of the remote access point, determining a communication port for initiating connection between the local access point and the remote access point according to first security attribute information in the security attributes. And if the security attribute of the local access point is matched with the security attribute of the remote access point, determining whether to initiate user authentication when the local access point is connected with the remote access point according to a second security attribute in the security attributes.
According to another aspect of the present disclosure, there is provided a server apparatus for substation communication, the server apparatus comprising: a processor; a memory; and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements the steps of the above method for server listening in substation communication.
According to another aspect of the present disclosure, there is provided a client device for substation communication, the device comprising: a processor; a memory; and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements the steps in the above method for client initiated connection in substation communication.
According to another aspect of the present invention, there is provided a computer readable storage medium having stored thereon a computer program, characterized in that the program, when executed by a processor, implements the steps in the above-described method for server listening in substation communication or for client initiated connection in substation communication.
The present disclosure proposes a security profile adaptation mechanism for selecting the ports on which access points listen (for servers) and the ports and security measures with which connections to access points are initiated (for clients), which can enable secure and non-secure communication in substation communication. Embodiments of the present disclosure may also enable downward compatibility of substation communications, and physical isolation of secure and non-secure connections.
Drawings
The above and other objects and features of the present invention will become more apparent from the following description and preferred embodiments thereof, given in conjunction with the accompanying drawings, in which:
FIG. 1 shows a communication architecture diagram according to the IEC62351 protocol;
FIG. 2 is a diagram illustrating file contents of one example of a first configuration file in accordance with the present invention;
FIG. 3 is a diagram illustrating file contents of one example of a second configuration file in accordance with the present invention;
FIG. 4 shows a flow chart according to a first embodiment of the invention;
FIG. 5 shows a flow chart of an example according to a first embodiment of the invention;
FIG. 6 is a diagram illustrating network communication data in accordance with a first embodiment of the present invention;
FIG. 7 shows a flow chart according to a second embodiment of the invention;
FIG. 8 shows a flowchart of an example according to a second embodiment of the present invention;
FIG. 9 shows a diagram of sending and receiving packets when a client initiates a connection, captured according to a second embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The CID file in the existing IEC61850 communication is not defined to be able to write information related to security settings, and in order to achieve communication of security information, security attribute settings may be configured in the CID file, but this may make the configured CID file downward incompatible and thus make the configuration process of the access point more complicated and error-prone for the user, and if the security settings are configured only in the private part of the CID file, the configuration may not be correctly identifiable in the products of other manufacturers. Another solution may be to not use a CID file but only rely on an extensible markup language file (i.e., an XML file) to write security setting related information, but this requires that the XML file not only have the security setting related information, but also that the content in the CID file needs to be incorporated therein, i.e., that the XML file needs to be additionally reconfigured.
In view of this, the present disclosure further proposes a technical solution capable of implementing secure and non-secure communication in substation communication, which enables downward compatibility of communication. According to the embodiment of the present disclosure, secure and non-secure substation communication may be achieved using configuration files (e.g., CID files, SCD files, XML files) in existing communication standards.
It should be noted that the present disclosure takes communication based on the IEC61850 standard as an example, but the present disclosure is not limited to communication based on the IEC61850 standard, and is applicable to any technology for substation communication.
First embodiment
The first embodiment of the invention is applicable to a server listening method in substation communication. In particular, the invention according to the first embodiment determines the communication ports on which to listen for secure and non-secure information by judging and comparing the access point information in a first configuration file and a second configuration file.
According to a first embodiment, the server stores a first configuration file and a second configuration file, wherein the first configuration file includes identity information and configuration information of the access point, and the second configuration file includes identity information, configuration information and first security attribute information of the access point. The first configuration file may be a CID file or an SCD file, and the CID file or the SCD file includes identity information and configuration information of the access point; the CID file is described as an example below. The second configuration file may be a configuration file such as an XML file, and the XML file, as shown in fig. 3, includes the identity information of the access point, the first security attribute information, and the configuration information. In the present disclosure, "identity information" of an access point refers to name information that can uniquely determine the access point if the configuration is correct. The "configuration information" of an access point refers to configuration information containing an IP address of the access point and other MMS parameters (such as TSEL, SSEL, PSEL, Ae-Qualifier, Ae-Title parameters); if the configuration information of two access points is different while their identity information is the same (the same in appearance but different in substance), the two access points have a configuration error, that is, the access point corresponding to the identity information is not available for listening or initiating a connection. The "first security attribute information" of the access point refers to information on whether the access point transport layer is encrypted, for example, "SSL" (encrypted by SSL) indicating encryption (i.e., "secure") and "NONE" indicating non-encryption (i.e., "non-secure").
As shown in fig. 4, in step S10, it is determined whether the identity information of one or more access points in the first configuration file is contained in the second configuration file. The server storing the first configuration file and the second configuration file may, for each of the access points included in the first configuration file, traverse the second configuration file to determine whether identity information for that access point is also included in the second configuration file. Access points with different security attributes may be configured with different IP network segments in the first configuration file and in the second configuration file, e.g., if the security attribute of a certain access point is secure, its IP address may be "192.168.1.x" with network segment "1"; and if the security attribute of an access point is non-secure, its IP address may be "192.168.2.x" with a network segment of "2". The IP network segments of the access points of the same security attribute may be the same or different.
If the determination result of step S10 is "yes", that is, if the identity information of the one or more access points is contained in the second configuration file, step S11 is entered, otherwise, the same communication port (that is, "first communication port") as the communication port adopted by the access point whose security attribute information indicates non-security in the second configuration file is used for listening.
In step S11, the server compares the configuration information of the one or more access points in the first configuration file with the configuration information of the one or more access points in the second configuration file. Specifically, by comparing the configuration information of the access points in the two files, the server determines whether the access points that have the same access point name in the first configuration file and the second configuration file are substantially the same access point. If the other configuration information of the access points with the same access point name in the first configuration file and the second configuration file is not completely the same, the two are merely different access points with the same name; a configuration error is returned and processing moves on to the next access point. Otherwise, the process proceeds to step S12.
In step S12, the server determines, according to the first security attribute information corresponding to the identity information of the one or more access points in the second configuration file, the communication port on which the one or more access points listen. Specifically, when the server analyzes the first security attribute information of the access points corresponding to the identity information of the one or more access points in the second configuration file and determines that the first security attribute information represents "non-secure", the server listens using the first communication port; and when the server determines that the first security attribute information represents "secure", the server listens using a second communication port different from the first communication port.
In some embodiments, the server may establish a list of access points corresponding to the first communication port and a list of access points corresponding to the second communication port. If the identity information of one or more access points is only contained in the first configuration file, adding the information of the access point corresponding to the identity information of one or more access points into an access point list corresponding to the first communication port; and if the identity information of one or more access points is contained in the second configuration file, adding the IP address information, the port number and the identity information of the access point corresponding to the identity information of the one or more access points into a corresponding access point list (an access point list corresponding to the first communication port or an access point list corresponding to the second communication port) according to the first security attribute information corresponding to the identity information of the one or more access points in the second configuration file. 
Before adding the IP address information, the port number and the identity information of the access points corresponding to the identity information of one or more access points into the corresponding access point list, for each access point corresponding to the identity information of one or more access points, traversing the corresponding access point list and judging whether the IP address information, the port number and the identity information of the access point corresponding to the identity information of one or more access points are already contained in the corresponding access point list, and only when judging that the information of the access point corresponding to the identity information of one or more access points is not contained in the corresponding access point list, adding the information of the access point corresponding to the identity information of one or more access points into the corresponding access point list. In this way, the use efficiency of the port resources can be improved. Here, "information of the access point" indicates information of an access point currently being judged among one or more access points.
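As an added example (not code from the patent), the listening decision of steps S10 to S12, together with the duplicate check on the access point lists, can be written in Python as follows. The record layout, function names and sample values are assumptions of this example; ports 102 and 3782 are the ones the page gives for non-secure and secure communication, and rejecting an unrecognized encryption value is an added check beyond the page's flow.

```python
from dataclasses import dataclass

NON_SECURE_PORT = 102   # "first communication port" on the page (MMS)
SECURE_PORT = 3782      # "second communication port" on the page (IEC 62351)


@dataclass(frozen=True)
class AccessPoint:
    """Parsed access point record; field names are this example's own."""
    name: str                     # identity information
    ip: str
    tsel: str = "0001"            # constructed MMS parameter values
    ssel: str = "0001"
    psel: str = "00000001"
    ae_qualifier: str = "12"
    ae_title: str = "1.3.9999.33"

    def config(self):
        """Configuration information compared in step S11 (all but the name)."""
        return (self.ip, self.tsel, self.ssel, self.psel,
                self.ae_qualifier, self.ae_title)


def plan_listeners(first_file, second_file):
    """Assign each access point of the first file to a listening port.

    first_file:  list of AccessPoint (CID/SCD side)
    second_file: dict name -> (AccessPoint, encryption), encryption "SSL"/"NONE"
    Returns (listeners, errors); listeners maps port -> [(ip, port, name), ...].
    """
    listeners = {NON_SECURE_PORT: [], SECURE_PORT: []}
    errors = []
    for ap in first_file:
        entry = second_file.get(ap.name)
        if entry is None:
            # S10 "no": no security profile, fall back to the non-secure port.
            port = NON_SECURE_PORT
        else:
            profile_ap, encryption = entry
            if profile_ap.config() != ap.config():
                # S11: same name, different configuration -> configuration error.
                errors.append((ap.name, "configuration mismatch"))
                continue
            mode = encryption.strip().upper()
            if mode == "SSL":
                port = SECURE_PORT
            elif mode == "NONE":
                port = NON_SECURE_PORT
            else:
                # Added check (assumption): reject unknown values instead of
                # treating everything that is not "SSL" as non-secure.
                errors.append((ap.name, "unknown encryption " + repr(encryption)))
                continue
        record = (ap.ip, port, ap.name)
        if record not in listeners[port]:   # skip records already listed
            listeners[port].append(record)
    return listeners, errors


def shared_ips(listeners):
    """IPs that would listen on both ports, which defeats the isolation
    of secure and non-secure connections the page aims for."""
    secure = {ip for ip, _, _ in listeners[SECURE_PORT]}
    return sorted(secure & {ip for ip, _, _ in listeners[NON_SECURE_PORT]})


# Constructed sample input.
CID = [
    AccessPoint("S1", "192.168.1.10"),
    AccessPoint("S2", "192.168.2.10"),
    AccessPoint("S2", "192.168.2.10"),   # duplicate entry, listed once
    AccessPoint("S3", "192.168.2.11"),   # absent from the second file
    AccessPoint("S4", "192.168.1.12"),
    AccessPoint("S5", "192.168.1.13"),
]
SECURITY_PROFILE = {
    "S1": (AccessPoint("S1", "192.168.1.10"), "SSL"),
    "S2": (AccessPoint("S2", "192.168.2.10"), "NONE"),
    "S4": (AccessPoint("S4", "192.168.1.12", tsel="0002"), "SSL"),
    "S5": (AccessPoint("S5", "192.168.1.13"), "AES"),
}

if __name__ == "__main__":
    plan, problems = plan_listeners(CID, SECURITY_PROFILE)
    for port, records in plan.items():
        print(port, records)
    print("errors:", problems)
    print("shared IPs:", shared_ips(plan))
```

Access points that end up in `errors` get no listener at all, so a typo in the security profile surfaces as a missing socket instead of a silent downgrade to port 102.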
In one embodiment, the method is applied to communication of the IEC61850 protocol.
An example of the first embodiment will be described below, with reference to fig. 5:
First, the server is powered on and all applications are initialized. Then, in step S101, the server loads the first configuration file (i.e., CID file or SCD file) stored therein; specifically, the server adds the relevant information (locAR) about the local access points in the CID file to a created temporary list (loc_dib_table), wherein the relevant information of a local access point may include identity information and configuration information of the access point.
After step S101, the relevant information of all access points in the CID file has been added to the temporary list, and in step S102, for each item in the temporary list, the item is retrieved in the second configuration file according to the identity information of the access point, and it is determined whether the item can be found in the second configuration file, and if the item cannot be retrieved in the second configuration file for the identity information of the currently determined access point (i.e., the second configuration file does not contain the identity information of the currently determined access point), step S108 is performed.
If the identity information of the currently determined access point can be retrieved from the second configuration file (i.e., the second configuration file includes the identity information of the currently determined access point), step S103 is continued, in step S103, the server compares the configuration information of the access point corresponding to the identity information of the access point extracted from the first configuration file with the other configuration information of the access point corresponding to the identity information of the access point extracted from the second configuration file, and in step S104, determines whether the access point in the first configuration file is the same as the access point in the second configuration file according to the comparison result. And if the judgment results are not the same, proceeding to step S111, otherwise, continuing to step S105.
In step S105, the server extracts the security attribute information (locArSec) of the access point corresponding to the identity information of the access point from the second configuration file through the identity information of the access point, and determines in step S106 whether the security attribute information is secure, for example, whether the encryption mode in the security attribute information is "SSL" or "None". If it is determined in step S106 that the security attribute information is secure (i.e., the encryption mode is "SSL"), step S107 is entered, otherwise step S108 is entered.
The server determines in step S107 whether the currently judged identity information, IP address information, and port number of the access point already exist in a temporary list (nsc_lis_dib_table) indicating access points for communication using the first communication port; in contrast, it is determined in step S108 whether the identity information, the IP address information, and the port number of the currently judged access point are already present in the temporary list (sec_lis_dib_table) indicating the access point for communication using the second communication port.
If the determination results in steps S107 and S108 are no, the server adds the identity information, the IP address information, and the port number of the access point to the temporary list for indicating the access point for communication using the first communication port and the temporary list for indicating the access point for communication using the second communication port, respectively, in steps S109 and S110.
If the determination in steps S107 and S108 is yes, the server ends the processing for the currently determined access point, and proceeds to step S111: it is determined whether all local access points in the first configuration file have been traversed, i.e. whether all entries of the created temporary list (loc_dib_table) have been traversed. If all the local access points have been traversed, the judgment process is ended, and whether each access point uses the first communication port for communication or the second communication port for communication is determined from the information indicating all the access points in the temporary list of access points that use the first communication port for communication and the temporary list of access points that use the second communication port for communication.
In some embodiments, step S107 and step S108 may be omitted.
In some embodiments, the first communication port is a TCP port 102 defined for IEC61850 protocol communication, which is used for non-secure (e.g., non-encrypted information) communication; and the second communication port is a Transmission Control Protocol (TCP) port 3782 defined for IEC62351 protocol communications, which is used for communication of security information (e.g., encryption information).
Fig. 6 shows a diagram of network communication data according to a first embodiment of the present invention. The network data statistics in the diagram can be viewed by using "netstat" in the command window and include the listening network adapters of the intelligent electronic device (IED) and the established TCP sockets. As shown in the "Local Address" column, which gives the IP addresses of the local access points, the local access points whose security attribute is non-secure have IP addresses "192.168.2.x" with network segment "2" and all listen on port "102" (i.e., the first communication port, corresponding to "non-secure"); the local access points whose security attribute is secure have IP addresses "192.168.1.x" with network segment "1" and all listen on port "3782" (i.e., the second communication port, corresponding to "secure").
The invention described above achieves advantageous technical effects. Comparing the first configuration file with the second configuration file during the listening process makes the listening process completely downward compatible; that is, even if no security configuration exists, the communication port on which the server listens can be determined from the access point in the CID file according to the IEC61850 standard. Meanwhile, when the first configuration file (e.g., CID file) does not exist, the client can also listen only on the second configuration file (e.g., XML file). Further, the process of comparing the first configuration file to the second configuration file allows the availability of the non-secure access point in the first configuration file to be maintained while the secure/non-secure access point in the second configuration file is configured. In addition, by distinguishing between secure and non-secure access points and listening with a dedicated IP address (network segment) and communication port, secure and non-secure connections can be physically isolated when they are listening.
Second embodiment
A second embodiment of the present invention will be described below, and detailed descriptions of steps, definitions, and the like, which are partially the same as those of the first embodiment, will be omitted.
The second embodiment of the invention is applicable to a method for initiating connection of a client in substation communication, and particularly, according to the second embodiment of the invention, through judgment and comparison of access point information in a first configuration file and a second configuration file, communication ports of the client and a server are determined for safe and non-safe information when the client initiates connection.
The client stores a first configuration file and a second configuration file, wherein the first configuration file comprises identity information and configuration information of the access point, and the second configuration file comprises the identity information, the configuration information and the security attribute information of the access point. The first configuration file may be a CID file or an SCD file, either of which includes identity information and configuration information of the access point; the CID file is used as the example below. The second configuration file may be a configuration file such as an XML file which, as shown in fig. 3, includes identity information, security attribute information, and configuration information of the access point.
The "identity information" of an access point refers to name information that can uniquely determine the access point when the configuration is correct. In this embodiment, the "identity information" may be the identity information of the access point that is generated by renaming after the initial identity information of the local access point is combined with the identity information of the corresponding intelligent electronic device.
The "configuration information" of an access point refers to configuration information containing the IP address of the access point and other MMS parameters (such as the TSEL, SSEL, PSEL, Ae-Qualifier and Ae-Title parameters). If two access points have the same identity information but different configuration information (the appearance is the same and the appearance is substantially different), the two access points have a configuration error, that is, the access point corresponding to the identity information is not available for monitoring or initiating a link.
The "security attribute information" of an access point refers to information indicating whether the access point is used for secure or non-secure communication at various layers, such as the transport layer and the application layer. Specifically, it may include first security attribute information indicating whether the transport layer is encrypted and second security attribute information indicating whether the application layer requires user authentication. The "first security attribute information" may be, for example, "SSL" (encrypted by SSL), indicating encryption (i.e., "secure"), or "NONE", indicating no encryption (i.e., "non-secure"); the "second security attribute information" may be, for example, "MACE" (MMS application certificate exchange), indicating that user authentication is required (i.e., "secure"), or "NONE", indicating that user authentication is not required (i.e., "non-secure"). An XML file is used as the example below.
As shown in fig. 7, the identity information of the local access point and the remote access point is acquired in step S20. The client may obtain the identity information of the local access point and the remote access point from Application Programming Interface (API) parameters acquired from a user interface.
Next, in steps S21 and S22, the security attribute of the local access point and the security attribute of the remote access point are respectively determined according to whether the identity information of the local access point and the remote access point is contained in the first configuration file and the second configuration file, and according to the security attribute information in the second configuration file.
The following description will be given taking a local access point as an example, the procedure of the remote access point is similar to that of the local access point, and the detailed description will be omitted.
For the local access point, the client may first determine whether the identity information of the local access point is contained in the first configuration file, then determine whether it is contained in the second configuration file, and, if the identity information of the local access point is determined to be contained in the second configuration file, determine the security attribute of the local access point according to the corresponding security attribute information in the second configuration file.
Specifically, if the identity information of the local access point is contained in the first configuration file and not contained in the second configuration file, both the first security attribute and the second security attribute of the local access point are non-secure. If the identity information of the local access point is contained in the second configuration file and not contained in the first configuration file, each security attribute of the local access point is secure when the corresponding security attribute information in the second configuration file indicates secure, and non-secure when it indicates non-secure; for example, the first security attribute of the local access point is secure when the first security attribute information in the second configuration file indicates secure, and the second security attribute of the local access point is non-secure when the second security attribute information in the second configuration file indicates non-secure. If the identity information of the local access point is contained in both the first configuration file and the second configuration file, then, when the configuration information of the local access point in the first configuration file is judged to be the same as the configuration information of the local access point in the second configuration file, each security attribute of the local access point is secure if the corresponding security attribute information in the second configuration file indicates secure, and non-secure if it indicates non-secure; otherwise, when the configuration information of the local access point in the first configuration file is judged to be different from the configuration information of the local access point in the second configuration file, a configuration error is returned directly.
Then, in step S23, if the security attribute of the local access point matches the security attribute of the remote access point, a communication port for initiating a connection between the local access point and the remote access point is determined according to the first security attribute information in the security attribute information. Specifically, when the first security attribute and the second security attribute of the local access point are corresponding to and identical to the first security attribute and the second security attribute of the remote access point (whether the first security attribute and the second security attribute are "safe" or not is not required to be consistent), the security attribute of the local access point is considered to be matched with the security attribute of the remote access point; if any one of the first security attribute or the second security attribute of the local access point and the remote access point is different, the security attribute information of the local access point and the remote access point is not considered to be matched.
When the security attributes of the local access point and the remote access point are judged not to be matched, returning connection failure; and when the security attributes of the local access point and the remote access point are judged to be matched, the client determines a communication port for initiating connection between the local access point and the remote access point. For example, if the first security attribute information of the local access point and the remote access point is both non-secure, the first communication port is used for connection; and if the first security attribute information of the local access point and the first security attribute information of the remote access point are both secure, connecting by using the second communication port. In some embodiments, when the security attribute of the local access point matches the security attribute of the remote access point, it is further determined whether to initiate user authentication for connecting between the local access point and the remote access point according to second security attribute information in the security attribute information. Specifically, if the identity information of one or more access points is represented as safe in the corresponding second security attribute information in the second configuration file, initiating user authentication when connecting; and if the corresponding second security attribute information of the identity information of the one or more access points in the second configuration file is represented as non-security or if the identity information of the one or more access points is not in the second configuration file, not initiating user authentication during connection.
For example, in some embodiments, the following cases may occur:
1) [Application layer and transport layer both secure] If the first security attribute information of the local access point and the remote access point both indicate secure (i.e., "SSL") and the second security attributes of the local access point and the remote access point both indicate secure (i.e., "MACE"), then the local access point and the remote access point both use the second communication port, corresponding to secure, when initiating a connection, and initiate user authentication when connecting.
2) [Non-secure] If the first security attribute information of the local access point and the remote access point both indicate non-secure (i.e., "NONE") and the second security attributes of the local access point and the remote access point both indicate non-secure (i.e., "NONE"), then the local access point and the remote access point both use the first communication port, corresponding to non-secure, when initiating a connection, and do not initiate user authentication when connecting.
3) [Application layer security only] If the first security attributes of the local access point and the remote access point both indicate non-secure (i.e., "NONE") and the second security attributes of the local access point and the remote access point are both secure (i.e., "MACE"), then the local access point and the remote access point both use the first communication port, corresponding to non-secure, when initiating the connection, and user authentication needs to be initiated when connecting.
4) [Transport layer security only] If the first security attributes of the local access point and the remote access point both indicate secure (i.e., "SSL") and the second security attributes of the local access point and the remote access point are both non-secure (i.e., "NONE"), then the local access point and the remote access point both use the second communication port, corresponding to secure, when initiating a connection, and do not initiate user authentication when connecting.
5) [Mismatch] If the first security attribute information of the local access point and the remote access point do not match and/or the second security attribute information of the local access point and the remote access point do not match, then a connection failure is returned.
An example of the second embodiment will be described below, with reference to fig. 8:
First, in step S201, the client obtains Application Programming Interface (API) parameters from the user interface, where the parameters include a set of identity information of a local Intelligent Electronic Device (IED), initial identity information of a local access point, identity information of a remote IED, and initial identity information of a remote access point. In one embodiment, the client parses the initial identity information of the local access point, the initial identity information of the remote access point, the identity information of the local intelligent electronic device, and the identity information of the remote intelligent electronic device (e.g., the intelligent electronic device name) from the API parameters. Then, the subsequent processing is performed for the local access point and the remote access point in step S202 and step S212, respectively.
Next, for the local access point, the client combines the local access point name and the name of the intelligent electronic device corresponding to the local access point for renaming in step S202 to generate identity information of the local access point.
In step S203, the client determines whether the identity information of the access point is included in the first configuration file. If the identity information of the local access point is contained in the first profile, proceed to step S204, otherwise, proceed to step S205.
The client continues to determine whether the identity information of the local access point is included in the second configuration file in step S204. If the second profile contains information of an access point corresponding to the identity information of the local access point, proceed to step S206, otherwise, determine the security attribute (e.g., "insecure") of the local access point in step S209.
In step S206, the client compares the configuration information of the local access point in the first configuration file with the configuration information in the second configuration file, and in step S207, determines whether the configuration information of the local access point in the first configuration file is the same as the configuration information of the local access point in the second configuration file. If it is determined in step S207 that the configuration information of the local access point in the first configuration file is the same as the configuration information of the local access point in the second configuration file, the client extracts, in step S208, the security attribute information (locArSec) of the access point corresponding to the identity information of the local access point from the second configuration file through the identity information of the local access point, and determines whether the security attribute information is secure.
When it is determined in step S203 that the first configuration file does not include the information of the access point corresponding to the identity information of the local access point, the client continuously determines whether the identity information corresponding to the local access point can be found in the second configuration file, that is, whether the second configuration file includes the information of the access point corresponding to the identity information of the local access point. If the identity information of the local access point is contained in the second configuration file, in step S210, the security attribute information (locArSec) of the access point corresponding to the identity information of the local access point is extracted from the second configuration file according to the identity information of the local access point, and it is determined whether the security attribute information is secure. And if the identity information of the local access point is not contained in the second configuration file, directly returning.
For the remote access point, the client combines the remote access point name and the corresponding intelligent electronic device name to rename the identity information of the remote access point in step S212.
In step S213, the client determines whether the identity information of the local access point is included in the second configuration file. If the second configuration file contains the information of the access point corresponding to the identity information of the local access point, the process proceeds to step S214, otherwise, the process proceeds to step S215.
The client continues to determine whether the identity information corresponding to the local access point can be found in the second configuration file in step S214, that is, whether the second configuration file includes information of the access point corresponding to the identity information of the local access point. If the second profile contains information of an access point corresponding to the identity information of the local access point, proceed to step S216, otherwise, determine the security attributes (e.g., "insecure") of the remote access point in step S219.
In step S216, the client compares the configuration information of the local access point in the first configuration file with the configuration information in the second configuration file, and determines in step S217 whether the configuration information of the remote access point in the first configuration file is the same as the configuration information of the remote access point in the second configuration file. If it is determined in step S217 that the configuration information of the remote access point in the first configuration file is the same as the configuration information of the remote access point in the second configuration file, the client extracts security attribute information (remArSec) of an access point corresponding to the identity information of the local access point in the second configuration file through the identity information of the access point and determines whether the security attribute information is secure.
When it is determined in step S213 that the first configuration file does not include information of an access point corresponding to the identity information of the local access point, the client continuously determines whether the identity information corresponding to the local access point can be found in the second configuration file, that is, whether the second configuration file includes information of an access point corresponding to the identity information of the local access point. If the identity information of the local access point is contained in the second configuration file, in step S220, the security attribute information (remArSec) of the access point corresponding to the identity information of the local access point is extracted from the second configuration file according to the identity information of the access point, and it is determined whether the security attribute information is secure. And if the identity information of the local access point is not contained in the second configuration file, directly returning.
After the security attributes of the local access point and the remote access point are determined in S208, S209, S210 and S218, S219, S220, respectively, the client matches the security attributes of the local access point and the remote access point in step S221, if the first security attributes of the local access point and the remote access point are simultaneously secure or simultaneously insecure and if the second security attributes of the local access point and the remote access point are simultaneously secure or simultaneously insecure (it is not required that the first security attribute and the second security attribute are consistent), it indicates that the security attribute of the local access point and the security attribute of the remote access point can be matched, step S222 is entered, otherwise, when the security attribute of the local access point and the security attribute of the remote access point cannot be matched, a connection failure is returned.
When the security attributes of the local access point and the remote access point can be matched, step S222 determines the communication port according to the first security attributes of the local access point and the remote access point, and determines whether to initiate user authentication when connecting according to the second security attributes. For example, if the first security attributes of the local access point and the remote access point are both non-secure, the local device and the remote device both use the first communication port (for example, port "102") for communication; if the first security attributes of the local access point and the remote access point are both secure, the local device and the remote device both use the second communication port (e.g., port "3782") for communication; if the second security attributes of the local access point and the remote access point are both non-secure, user authentication is not needed when a connection is initiated between the local device and the remote device; if the second security attributes of the local access point and the remote access point are both secure, user authentication is required when the local device and the remote device initiate a connection. After the communication port and whether to initiate user authentication have been determined, step S223 is executed to initiate an ACSI connection request.
Fig. 9 is a diagram illustrating network communication data according to the second embodiment of the present invention. It shows the messages captured at the client with the WireShark packet capture tool after the user initiates an ACSI connection request (with both the application layer and the transport layer secure), including the messages sent and received in the SSL handshake phase and the messages sent and received in the MMS initialization phase. In the example shown, the IP address of the local access point whose security attribute is secure, as listed in the "Source" column, is "192.168.1.191" in each case (the port number is in the detailed contents of the message, not shown), and the IP address of the remote access point whose security attribute is secure is "192.168.1.21" in each case (the port number is in the detailed contents of the message, not shown). When the client sends a message, the local access point is the source address and the remote access point is the destination address. When the client receives a message, the remote access point is the source address and the local access point is the destination address.
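The resolution rules stated before Fig. 8 and the flow of steps S202 to S222, written out as an added Python example that is not part of the patent text. The dictionary layout of the two configuration files, the `IED.AP` identity format, the sample access points and all function names are assumptions made for illustration; the port numbers and the "SSL"/"MACE"/"NONE" values are taken from the description.

```python
from dataclasses import dataclass

PORT_NON_SECURE = 102                  # first communication port (IEC 61850)
PORT_SECURE = 3782                     # second communication port (IEC 62351)
TRANSPORT_VALUES = {"SSL", "NONE"}     # first security attribute information
APPLICATION_VALUES = {"MACE", "NONE"}  # second security attribute information


class ConfigError(Exception):
    """Same identity in both files, but different configuration information."""


class UnknownAccessPoint(Exception):
    """Identity found in neither configuration file."""


class SecurityMismatch(Exception):
    """Local and remote security attributes differ: connection failure."""


@dataclass(frozen=True)
class SecurityAttrs:
    transport: str = "NONE"    # "SSL" means the transport layer is encrypted
    application: str = "NONE"  # "MACE" means user authentication is required


def identity(ied_name, ap_name):
    # Assumption: the description combines both names but gives no format.
    return f"{ied_name}.{ap_name}"


def resolve(ident, first_cfg, second_cfg):
    """Security attributes of one access point (S203-S210 / S213-S220)."""
    entry = second_cfg.get(ident)
    if entry is None:
        if ident in first_cfg:
            return SecurityAttrs()     # first file only: non-secure on both layers
        raise UnknownAccessPoint(ident)
    if ident in first_cfg and first_cfg[ident] != entry["config"]:
        raise ConfigError(ident)       # both files, differing configuration
    attrs = SecurityAttrs(entry["transport"], entry["application"])
    # Added strictness (assumption): an unrecognised value is an error
    # instead of being silently treated as "NONE".
    if (attrs.transport not in TRANSPORT_VALUES
            or attrs.application not in APPLICATION_VALUES):
        raise ConfigError(ident)
    return attrs


def plan_connection(local, remote, first_cfg, second_cfg):
    """Return (port, user_authentication) for a matching pair (S221-S222)."""
    loc = resolve(identity(*local), first_cfg, second_cfg)
    rem = resolve(identity(*remote), first_cfg, second_cfg)
    if loc != rem:                     # both attributes must agree pairwise
        raise SecurityMismatch(f"{loc} != {rem}")
    port = PORT_SECURE if loc.transport == "SSL" else PORT_NON_SECURE
    return port, loc.application == "MACE"


def describe(local, remote, first_cfg, second_cfg):
    """Text outcome of the decision, with the three failure results named."""
    try:
        port, auth = plan_connection(local, remote, first_cfg, second_cfg)
    except SecurityMismatch:
        return "connection failure"
    except ConfigError:
        return "configuration error"
    except UnknownAccessPoint:
        return "unknown access point"
    return f"port {port}, user authentication {'on' if auth else 'off'}"


def ap(ip, tsel="0001"):
    """Constructed configuration information: IP address plus MMS selectors."""
    return {"ip": ip, "tsel": tsel, "ssel": "0001", "psel": "00000001"}


# Constructed sample data. FIRST_CFG stands for the CID file, SECOND_CFG for
# the XML security file.
FIRST_CFG = {
    "IED1.AP_SEC": ap("192.168.1.191"),
    "IED2.AP_SEC": ap("192.168.1.21"),
    "IED1.AP_PLAIN": ap("192.168.2.191"),
    "IED2.AP_PLAIN": ap("192.168.2.21"),
    "IED2.AP_BAD": ap("192.168.1.22"),
}
SECOND_CFG = {
    "IED1.AP_SEC": {"config": ap("192.168.1.191"),
                    "transport": "SSL", "application": "MACE"},
    "IED2.AP_SEC": {"config": ap("192.168.1.21"),
                    "transport": "SSL", "application": "MACE"},
    "IED2.AP_BAD": {"config": ap("192.168.1.22", tsel="0002"),  # differs from CID
                    "transport": "SSL", "application": "MACE"},
    "IED2.AP_TLS": {"config": ap("192.168.1.23"),               # second file only
                    "transport": "SSL", "application": "NONE"},
}

if __name__ == "__main__":
    for remote_ap in ("AP_SEC", "AP_TLS", "AP_BAD", "AP_PLAIN"):
        print(remote_ap, "->", describe(("IED1", "AP_SEC"), ("IED2", remote_ap),
                                        FIRST_CFG, SECOND_CFG))
```

Every failure path raises before a port is chosen, so a pair whose attributes cannot be resolved or do not match never reaches the connection request of step S223.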
The invention described above achieves advantageous technical effects: the first configuration file is compared with the second configuration file during the connection initiation process so that the connection process becomes fully downward compatible, i.e. the access point in the CID file can be used as a client device to initiate a non-secure connection request according to the IEC61850 standard even if a secure configuration does not exist. Meanwhile, when the first configuration file (e.g., CID file) does not exist, the client can also initiate a connection relying only on the second configuration file (e.g., XML file). Further, the process of comparing the first profile to the second profile allows the availability of the non-secure access point in the first profile to be maintained while the secure/non-secure access point in the second profile is configured.
Third embodiment
The third embodiment of the present invention is applied to a server apparatus in substation communication. Wherein the client device comprises a processor, a memory and a computer program stored on and executable on the memory, wherein the processor may be data processing hardware and comprise all kinds of devices, apparatuses and machines for processing data, which may for example comprise a programmable processor, a computer or a plurality of processors or computers. The apparatus may also be or further comprise special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit) for an intelligent substation device. The apparatus can optionally include, in addition to hardware, code that creates an execution environment for the computer program, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of one or more of them.
The memory may be a computer readable medium suitable for storing computer program instructions and data, including all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks or removable disks, magneto-optical disks, and CD ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
The computer program, when executed by a processor, is capable of carrying out some or all of the steps as in the first embodiment.
Fourth embodiment
The fourth embodiment of the invention is applicable to the client device in the substation communication. Wherein the client device comprises a processor, a memory and a computer program stored on and executable on the memory, wherein the processor may be data processing hardware and comprise all kinds of devices, apparatuses and machines for processing data, which may for example comprise a programmable processor, a computer or a plurality of processors or computers. The apparatus may also be or further comprise special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit) for an intelligent substation device. The apparatus can optionally include, in addition to hardware, code that creates an execution environment for the computer program, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of one or more of them.
The memory may be a computer readable medium suitable for storing computer program instructions and data, including all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks or removable disks, magneto-optical disks, and CD ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
The computer program, when executed by a processor, is capable of carrying out some or all of the steps as in the first embodiment.
Furthermore, all of the above embodiments may be implemented in computer hardware, in digital electronic circuitry in a tangible implementation of computer software or firmware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them. Embodiments of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions encoded on a tangible, non-transitory program carrier for execution by, or to control the operation of, data processing apparatus. Alternatively or in addition, the program instructions may be encoded on an artificially generated propagated signal (e.g., a machine-generated electrical, optical, or electromagnetic signal) that is generated to encode information for transmission to suitable receiver apparatus for execution by data processing apparatus. The computer storage medium may be a machine-readable storage device, a machine-readable storage substrate, a random or serial access memory device, or a combination of one or more of them.
The invention can be written in any form of programming language, including compiled or interpreted languages, or declarative or procedural languages, as a computer program that may also be referred to as a program, software application, module, software module, script, or code, and that may be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program may, but need not, correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files, such as files that store one or more modules, sub programs, or portions of code. A computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.
The processes described in this specification can be performed by one or more processors executing one or more computer programs to perform functions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
Computers suitable for executing computer programs include, by way of example, general or special purpose microprocessors or both, or any other type of central processing unit. Generally, a central processing unit will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a central processing unit for executing or carrying out instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. However, the computer need not have such a device. Further, the computer may be embedded in another device, e.g., a mobile telephone, a Personal Digital Assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device, e.g., a Universal Serial Bus (USB) flash drive.

Claims (17)

1. A method for server monitoring in substation communication, wherein the server stores a first configuration file and a second configuration file, wherein the first configuration file contains identity information and configuration information of an access point, and the second configuration file contains identity information, configuration information, and first security attribute information of the access point, the method comprising:
determining whether identity information of one or more access points in the first profile is contained in the second profile;
if the identity information of the one or more access points is contained in the second profile, comparing whether the configuration information of the one or more access points in the first profile is the same as the configuration information of the one or more access points in the second profile;
and if the configuration information of the one or more access points in the first configuration file is the same as the configuration information of the one or more access points in the second configuration file, determining the communication port for monitoring by the one or more access points according to the corresponding first security attribute information of the identity information of the one or more access points in the second configuration file.
2. The method of claim 1, wherein if the identity information of the one or more access points is contained in the second configuration file:
if the first security attribute information corresponding to the identity information of the one or more access points in the second configuration file indicates non-secure, using a first communication port for listening; and
if the first security attribute information corresponding to the identity information of the one or more access points in the second configuration file indicates secure, using a second communication port different from the first communication port for listening.
3. The method of claim 1 or 2, wherein
if the identity information of the one or more access points is not contained in the second configuration file, listening on the same first communication port as that used by an access point whose first security attribute information in the second configuration file indicates non-secure.
4. The method of claim 1 or 2, wherein
access points with different security attributes are configured with different network segments.
5. The method according to claim 1 or 2, wherein the method further comprises:
establishing a corresponding access point list for each of the different communication ports,
if the identity information of the one or more access points is not contained in the second configuration file, adding the IP address information, port number and identity information of the access point corresponding to the identity information of the one or more access points to the access point list corresponding to the first communication port, and
if the identity information of the one or more access points is contained in the second configuration file, adding the IP address information, the port number and the identity information of the access point corresponding to the identity information of the one or more access points to the access point list corresponding to the relevant communication port according to the first security attribute information corresponding to the identity information of the one or more access points in the second configuration file.
6. The method of claim 5, wherein if the IP address information, the port number, and the identity information of the access point corresponding to the identity information of the one or more access points are already included in the corresponding access point list, the IP address information, the port number, and the identity information of the access point corresponding to the identity information of the one or more access points are not added.
7. The method according to claim 1 or 2, applied in communication using the IEC 61850 protocol.
8. A method for a client to initiate connection in substation communication, wherein the client stores a first configuration file and a second configuration file, the first configuration file contains identity information and configuration information of an access point, and the second configuration file contains identity information, configuration information and security attribute information of the access point, the method comprising:
acquiring identity information of a local access point and a remote access point;
judging the security attribute of the local access point and the security attribute of the remote access point, respectively, according to whether the identity information of the local access point and the remote access point is contained in the first configuration file and the second configuration file and according to the security attribute information in the second configuration file; and
if the security attribute of the local access point matches the security attribute of the remote access point, determining a communication port for initiating connection between the local access point and the remote access point according to first security attribute information in the security attributes.
9. The method of claim 8, wherein,
if the security attribute of the local access point matches the security attribute of the remote access point, determining whether to initiate user authentication when the local access point is connected with the remote access point according to a second security attribute in the security attributes.
10. The method according to claim 8 or 9, wherein the judging of the security attributes of the local access point and the remote access point according to whether the identity information of the local access point and the remote access point is contained in the first configuration file and the second configuration file and according to the security attribute information in the second configuration file comprises:
if the identity information of the local access point and/or the remote access point is contained in the first configuration file and not contained in the second configuration file, judging that the security attribute of the local access point and/or the remote access point is non-secure;
if the identity information of the local access point and/or the remote access point is contained in the second configuration file and is not contained in the first configuration file, judging the security attribute of the local access point and/or the remote access point according to the security attribute information corresponding to the identity information of the local access point and/or the remote access point in the second configuration file; and
if the identity information of the local access point and/or the remote access point is contained in both the first configuration file and the second configuration file, and the configuration information corresponding to the identity information of the local access point and/or the remote access point in the first configuration file is the same as the configuration information corresponding to the identity information of the local access point and/or the remote access point in the second configuration file, judging the security attribute of the local access point and/or the remote access point according to the security attribute information corresponding to the identity information of the local access point and/or the remote access point in the second configuration file.
11. The method of claim 8 or 9, wherein the determining a communication port for initiating a connection between the local access point and the remote access point from a first one of the security attributes comprises:
if the first security attributes of the local access point and the remote access point are both judged to be non-secure, initiating connection by using a first communication port; and
if the first security attributes of the local access point and the remote access point are both judged to be secure, initiating connection by using a second communication port different from the first communication port.
12. The method of claim 9, wherein the determining from a second of the security attributes whether to initiate user authentication for connecting between the local access point and the remote access point comprises:
if the second security attributes of the local access point and the remote access point are both judged to be secure, initiating user authentication during connection; and
if the second security attributes of the local access point and the remote access point are both judged to be non-secure, not initiating user authentication during connection.
13. The method according to claim 8 or 9, applied in communication using the IEC 61850 protocol.
14. The method of claim 8 or 9, wherein the obtaining identity information of the local access point and the remote access point comprises:
acquiring initial identity information of a local access point and identity information of the corresponding intelligent electronic device, and acquiring initial identity information of a remote access point and identity information of the corresponding intelligent electronic device; and
combining the initial identity information of the local access point with the identity information of the corresponding intelligent electronic device to generate the identity information of the local access point, and combining the initial identity information of the remote access point with the identity information of the corresponding intelligent electronic device to generate the identity information of the remote access point.
15. A server device for substation communication, the server device comprising:
a processor;
a memory; and
a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any one of claims 1-7 when executing the program.
16. A client device for substation communication, the device comprising:
a processor;
a memory; and
a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any one of claims 8-14 when executing the program.
17. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-14.
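
The decision logic of claims 1-3 (server listening port) and claims 8-12 (client connection), as an added Python example that is not code from the patent or its assignee. The port numbers, the "/" identity separator, the dictionary layout of the two configuration files, the refusal on a configuration mismatch and the requirement that both security attributes match are assumptions of this example.

```python
from typing import NamedTuple

PORT_PLAIN, PORT_SECURE = 102, 3782  # assumed values for the first and second port

class Sec(NamedTuple):
    secure_port: bool  # first security attribute: selects the communication port
    user_auth: bool    # second security attribute: user authentication on connect

NON_SECURE = Sec(False, False)

def ap_identity(ied_name, ap_name):
    """Claim 14: combine the IED identity with the access point's initial identity."""
    return f"{ied_name}/{ap_name}"  # the "/" separator is an assumption

def classify(identity, first_cfg, second_cfg):
    """Claim 10: derive an access point's security attributes from both files."""
    in_first, in_second = identity in first_cfg, identity in second_cfg
    if not in_first and not in_second:
        raise KeyError(f"unknown access point {identity}")
    if not in_second:
        return NON_SECURE  # listed only in the first file
    config, sec = second_cfg[identity]
    if in_first and first_cfg[identity] != config:
        # The claims do not cover this case; refusing is this example's choice.
        raise ValueError(f"configuration mismatch for {identity}")
    return sec

def listen_port(identity, first_cfg, second_cfg):
    """Claims 1-3: port on which a server access point listens."""
    sec = classify(identity, first_cfg, second_cfg)
    return PORT_SECURE if sec.secure_port else PORT_PLAIN

def plan_connection(local, remote, first_cfg, second_cfg):
    """Claims 8, 11, 12: (port, user_auth), or None when the attributes differ."""
    loc = classify(local, first_cfg, second_cfg)
    rem = classify(remote, first_cfg, second_cfg)
    if loc != rem:  # this example requires both attributes to match
        return None
    return (PORT_SECURE if loc.secure_port else PORT_PLAIN, loc.user_auth)

# Constructed sample data. First file: identity -> configuration.
FIRST = {"IED1/AP1": "10.0.1.5", "IED2/AP1": "10.0.1.6", "IED3/AP1": "10.0.1.7"}
# Second file: identity -> (configuration, security attributes).
SECOND = {"IED1/AP1": ("10.0.1.5", Sec(True, True)),
          "IED3/AP1": ("10.0.9.9", Sec(True, False)),
          "IED4/AP1": ("10.0.2.8", Sec(True, True))}
```

With this sample data, an access point listed only in the first file falls back to the non-secure port, and a secure local access point paired with a non-secure remote one yields no connection rather than a downgrade.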
CN201810979654.1A 2018-08-27 2018-08-27 Method, device and computer-readable storage medium for substation communication Active CN110868370B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810979654.1A CN110868370B (en) 2018-08-27 2018-08-27 Method, device and computer-readable storage medium for substation communication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810979654.1A CN110868370B (en) 2018-08-27 2018-08-27 Method, device and computer-readable storage medium for substation communication

Publications (2)

Publication Number Publication Date
CN110868370A CN110868370A (en) 2020-03-06
CN110868370B true CN110868370B (en) 2021-09-21

Family

ID=69650893

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810979654.1A Active CN110868370B (en) 2018-08-27 2018-08-27 Method, device and computer-readable storage medium for substation communication

Country Status (1)

Country Link
CN (1) CN110868370B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114650284B (en) * 2022-03-08 2024-05-28 国网江苏省电力有限公司电力科学研究院 A method and device for automatically synchronizing files and directories based on a set protocol

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101432612A (en) * 2006-04-24 2009-05-13 Abb研究有限公司 Intelligent electronic device configuration verification
CN103631921A (en) * 2013-12-03 2014-03-12 国家电网公司 Method and device for detecting configuration information of transformer substation

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9785173B2 (en) * 2013-03-15 2017-10-10 General Electric Company Wireless communication systems and methods for intelligent electronic devices

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
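Research on Smart Substation Communication Adaptive to IEC 62351; Cong Chuntao et al.; Information Technology and Informatization; 20161225 (No. 12); full text *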

Also Published As

Publication number Publication date
CN110868370A (en) 2020-03-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant