Research on trusted DNP3-BAE protocol based on hash chain

摘要

To solve the security problem of industrial Ethernet DNP3 protocol broadcast authentication, the attack vector and security requirements of trusted DNP3 protocol are analysed. First, the paper adopts a trusted platform into the control network and authenticates the identity and security status of the DNP3 client and server to prevent node sensitive information from being compromised. Second, a trusted DNP3-BAE broadcast authentication encryption protocol is proposed based on the hash chain method to solve the problem of missing message security authentication mechanism in broadcast mode, which only needs a key to complete the broadcast message authentication for multiple slaves. The new scheme can use the DNP3-SA encryption primitive, without a major upgrade to the existing platform. The protocol is verified by the SPAN tool; the results show that there is no intrusion path, which ensures the integrity, authenticity, freshness, and confidentiality of the communication nodes. At present, there is no public document to introduce a trusted platform into the DNP3 protocol to solve security problems. Performance analysis shows that our solution reduces the overhead of large-scale broadcast authentication at the expense of increased less processing and storage overhead.