一种高效的GOOSE报文完整性认证方法

当前主流研究采用HASH信息验证码(HMAC)认证方法保障面向通用对象的变电站事件(GOOSE)报文的完整性,但分析发现HMAC对经典的GOOSE这类短报文来说效率并不高。设计一种直接采用密钥和顺序调整后的报文作为HASH函数输入的GOOSE报文认证方法,利用GOOSE报文显性长度域、统一报文格式和时序性等属性,降低碰撞攻击和避免长度扩展攻击、重放攻击等风险;将GOOSE心跳报文的时变内容置于待认证报文末端,可重复利用同系列心跳报文中相同内容的HASH压缩运算的中间结果。嵌入式平台验证结果表明算法的高效性。

Efficient Integrity Authentication Method for GOOSE Packet

Today''s popular study suggests HASH message authentication code(HMAC)method for generic object oriented substation event(GOOSE)to insure message integrity. However, elaborate study finds that HMAC method is not efficient to classic message whose length is short. An authentication method of getting the encrypted key and sequence adjusted information as direct inputs of the HASH function is proposed. GOOSE attributes of explicit length, unified message format and time factor are used in the method to resist length-expanded attacks and replay attacks. The time-varying content of heartbeat GOOSE is reorganized at the end of the message so that the intermediate result of HASH compressive computation to the unvaried content of the same series of heartbeats GOOSE can be efficiently used. Testing results in the embedded platform have proved the high efficiency of the proposed method. This work is supported by National Natural Science Foundation of China(No. 51477057).