Modbus TCP的安全机制研究与实现
|
摘要
针对Modbus TCP协议设计存在的安全问题,基于密码学原理提出一种安全的Modbus协议(Modbus-E协议):采用对称密钥和数字签名技术实现数据的保密性和可认证性,利用同步性原理和哈希函数的单向性原理保证数据的唯一性,通过"白名单"方法保证指令的可控性,最终在不增加通信过程的情况下实现安全通信。通过实验验证和分析,Modbus-E协议能够防止攻击者针对指令的认证类攻击、中间人攻击及重放攻击,与已有方法相比,该方法安全性更高,可以全面提高Modbus TCP通信的安全性。
Considering the security problem in the design of Modbus TCP protocol,this paper proposes a secure protocol( Modbus-E) based on the principle of cryptography. It uses symmetric key and digital signature technology to ensure the confidentiality and authentication of the data,uses the synchronization principle and the mono-direction principle of the hash function to ensure the uniqueness of the data,uses the method of "white list " to guarantee the controllability of instruction, without increasing communication process. Through experimental verification and analysis,Modbus-E protocol can prevent the authentication attack,man-in-the-middle attack and replay attack of the instruction from the attacker.Compared with existing methods,this method is more secure and can comprehensively improve the security of Modbus TCP communication.
Considering the security problem in the design of Modbus TCP protocol,this paper proposes a secure protocol( Modbus-E) based on the principle of cryptography. It uses symmetric key and digital signature technology to ensure the confidentiality and authentication of the data,uses the synchronization principle and the mono-direction principle of the hash function to ensure the uniqueness of the data,uses the method of "white list " to guarantee the controllability of instruction, without increasing communication process. Through experimental verification and analysis,Modbus-E protocol can prevent the authentication attack,man-in-the-middle attack and replay attack of the instruction from the attacker.Compared with existing methods,this method is more secure and can comprehensively improve the security of Modbus TCP communication.
引文
[1]徐凤亮,史斌斌. Modbus/TCP协议的分析与应用[J].科教文汇,2009(27):223.
[2]杨金奇,刘学军.工业以太网技术及应用现状与发展[J].四川工业学院学报,2002,21(3):34-37.
[3]王昱镔,陈思,程楠.工业控制系统信息安全防护研究[J].信息网络安全,2016(9):35-39.
[4]陈星,贾卓生.工业控制网络的信息安全威胁与脆弱性分析与研究[J].计算机科学,2012(A2):188-190.
[5]詹乃松,乔振亚.工业控制系统信息安全防护的研究[J].网络空间安全,2017(12):66-70.
[6]杨静. SCADA系统的Modbus/TCP协议安全研究[D].北京:北京工业大学,2016.
[7]Fovino I N,Carcano A,Masera M,et al. Design And Implementation Of A Secure Modbus Protocol[J]. International Conference on Critical Infrastruc,2009(311):83-96.
[8] Hayes G,El-Khatib K. Securing modbus transactions using hashbased message authentication codes and stream transmission control protocol[C]. 2013 Third International Conference on Communications and Information Technology. Seoul,2013:146-155.
[9]Phan,R. C.-W. Authenticated Modbus Protocol for Critical Infrastructure Protection[J]. IEEE Transactions on Power Delivery,2012,27(3):1687-1689.
[10]Shahzad A,Musa S,Aborujilah A,et al. Secure Cryptography Testbed Implementation for SCADA Protocols Security[C]. 2013 International Conference on Advanced Computer Science Applications and Technologies. Sarawak,2013.
[11]吕雪峰,蒋烈辉,孟奂.基于MODBUS的SCADA系统网络威胁与入侵检测[J].计算机工程与应用,2017,53(24):122-128.
[12]张玉鹏,温蜜,李婧,等.面向Modbus的安全认证通信机制分析[J].上海电力学院学报,2017,33(4):372-377.
[13]刘飞,张仁斌,李钢,等.基于哈希链与同步性机制的Modbus/TCP安全认证协议[J].计算机应用研究,2018,35(4):1169-1173.
[14]张仁斌,李思娴,刘飞,等.基于modbus功能码细粒度过滤算法的研究[J].计算机应用研究,2018,35(1):277-281.
[15]万明,尚文利,曾鹏,等.基于功能码深度检测的Modbus/TCP通信访问控制方法[J].信息与控制,2016,45(2):248-256.
[2]杨金奇,刘学军.工业以太网技术及应用现状与发展[J].四川工业学院学报,2002,21(3):34-37.
[3]王昱镔,陈思,程楠.工业控制系统信息安全防护研究[J].信息网络安全,2016(9):35-39.
[4]陈星,贾卓生.工业控制网络的信息安全威胁与脆弱性分析与研究[J].计算机科学,2012(A2):188-190.
[5]詹乃松,乔振亚.工业控制系统信息安全防护的研究[J].网络空间安全,2017(12):66-70.
[6]杨静. SCADA系统的Modbus/TCP协议安全研究[D].北京:北京工业大学,2016.
[7]Fovino I N,Carcano A,Masera M,et al. Design And Implementation Of A Secure Modbus Protocol[J]. International Conference on Critical Infrastruc,2009(311):83-96.
[8] Hayes G,El-Khatib K. Securing modbus transactions using hashbased message authentication codes and stream transmission control protocol[C]. 2013 Third International Conference on Communications and Information Technology. Seoul,2013:146-155.
[9]Phan,R. C.-W. Authenticated Modbus Protocol for Critical Infrastructure Protection[J]. IEEE Transactions on Power Delivery,2012,27(3):1687-1689.
[10]Shahzad A,Musa S,Aborujilah A,et al. Secure Cryptography Testbed Implementation for SCADA Protocols Security[C]. 2013 International Conference on Advanced Computer Science Applications and Technologies. Sarawak,2013.
[11]吕雪峰,蒋烈辉,孟奂.基于MODBUS的SCADA系统网络威胁与入侵检测[J].计算机工程与应用,2017,53(24):122-128.
[12]张玉鹏,温蜜,李婧,等.面向Modbus的安全认证通信机制分析[J].上海电力学院学报,2017,33(4):372-377.
[13]刘飞,张仁斌,李钢,等.基于哈希链与同步性机制的Modbus/TCP安全认证协议[J].计算机应用研究,2018,35(4):1169-1173.
[14]张仁斌,李思娴,刘飞,等.基于modbus功能码细粒度过滤算法的研究[J].计算机应用研究,2018,35(1):277-281.
[15]万明,尚文利,曾鹏,等.基于功能码深度检测的Modbus/TCP通信访问控制方法[J].信息与控制,2016,45(2):248-256.