Research on a Secure Communication Protocol Based on National Secret SM2 Algorithm

Most of the public key algorithms used in the exchange of information for power data transmission protocols are RSA. The core of the key part of this kind of algorithm system has not been announced. For the domestic sensitive information data field, there are threats such as preset backdoors and security vulnerabilities. In response to the above problems, the article introduces a secure communication protocol based on the optimized Secret SM2 algorithm, which uses socket programming to achieve two-way encrypted communication between clients and services, and is able to complete the security protection of data encryption transmission, authentication, data tampering, etc., and proves through experiments that the security protocol is more secure than traditional methods, can effectively identify each other, carry out stable and controllable data encryption transmission, and has good applicability.


Introduction
In recent years, with the intensified construction of power grid informatization and the country's high requirements for the integration of urban intelligence, traditional electric energy meters are faced with energy that integrates key information from households and community users in addition to meeting the standard high-precision measurement of electric energy parameters. By building a power user information collection system with good performance and multi-functional feedback, it is of great importance not to be underestimated for the strategic layout of the macro-control of power prices and the guidance of rea- communication protocol interaction process, designed an information protection platform that satisfies the state's independent and controllable standards for the power information industry. This information security platform can ensure the accuracy of the identities of the communication parties. It is correct and protects the privacy of the authority of whether different users can access normally, and realizes the personalized management and control of different roles, but it is impossible to implement the layout of the park in a small area. Literature [7] Dong Weiwei et al. proposed the use of RSA-AES-HASH authentication scheme, using a hybrid cryptosystem to realize the identity authentication of the electric meter and the data center, which can integrate the advantages of convenience, security and speed of key management. However, this authentication method consumes a lot of time and is not conducive to real-time delivery. Literature [8] Chen Yalin and others used a symmetric broadcast protocol to calculate the key for the stable operation of the active distribution network, which improved the physical equipment's high requirements for time performance and the difficulty of broadcast authentication. At the same time, the secure communication protocol based on asymmetric keys passed Digital signatures effectively prevent malicious thirdparty attacks such as denial of service attacks. Due to the adoption of the public key system of the national secret SM2 algorithm, the security has been greatly improved. However, this method does not conduct an overall study on collection protection, and cannot avoid the possibility of man-in-the-middle attacks. Reference [9] Zuo Gao et al. aimed at the problem that power distribution automation terminal equipment needs to be powered off during the upgrade and transformation process, the national secret SM2 algorithm is used as the encryption module to authenticate the information integrity of the command message and the identity of the communicating parties. This method can meet Intelligent power distribution terminals have basic requirements for information security protection integrity and authentication, but the design of this encryption module does not introduce timestamps to improve the anti-attack of data signatures. It is prone to brute force cracking by illegal intrusions and has certain security risks exist.
In summary, this research method is based on such a background to study the security of the intelligent electricity information collection system in the perception layer, an important component of the "Power Internet of Things", through the embedded main control chip and The three-phase electric energy special collection chip builds a small user power information collection system, and transmits it to the display development platform of Alibaba Cloud server in real time through the MQTT protocol. The article is based on a real experimental environment to study the information collection technology and the key technology of active transmission for the security of power information. The article mainly studies the communication security protocol transmission data based on the optimization of the national secret algorithm SM2, mainly including the analysis of the SM2 algorithm, the network communication protocol, the realization of the simulated client server communication, and the experimental security analysis. Through the process of designing and implementing the protocol, the programming code design of network communication is carried out, and different system protection schemes are compared at the same time, and finally it is proved that the communication protocol is safe and efficient.
The article first discusses the digital signature algorithm, puts forward that the algorithm can be optimized and improved, and analyzes and proves its mathematical security logic, and then combines the commonly used protocol development basis to implement the design and development of the protocol process, and finally proposes the use of SM2. Security protection, mixed use of SM3/SM4 to strengthen the strict security of the communication protocol, the use of network programming to achieve the experimental process of the secure communication protocol proves the feasibility of the proposed scheme in this paper.

Digital Signature SM2 Algorithm Optimization and Improvement
Identity authentication SM2 algorithm [10] [11] [12] is that a signer generates a valid digital signature for the data that needs to be processed, and a verifier verifies the authenticity of the signature. Since the mechanism of SM2 is also based on an elliptic curve, the difference from ECDSA is that the selected curve equation is not the same. The specific curve used by the former is secp25k1, while SM2 uses the 256-bit element field GF(p). The elliptic curve sm2p256v1. This signature algorithm is different from ECDSA which directly processes the digest value of the message. Two preprocessing steps are required before signature verification: First, the message sender mixes the user ID and the public key of the message receiver into the elliptic curve parameters and passes through the cryptographic hash algorithm SM3 [13] obtains a result, and then uses the result and the message to be processed to further process the digest based on the hash function. Based on the traditional SM2 digital signature algorithm, on the one hand, the source of randomness numbers is the use of pseudo-random number generators (PRNGs), which are vulnerable to brute force attacks for their collision resistance, and time stamps can be introduced to prevent replay attacks; On the one hand, the reference calculation steps given by the National Secret Standard are relatively redundant. In order to increase the calculation speed, the calculation process can be processed in parallel at the same time to reduce communication costs and improve signature efficiency. In order to solve the above problems, this section optimizes the complete SM2 identity authentication algorithm through discussion and analysis. The specific operation flow of the optimized algorithm is discussed below. The flowchart of the SM2 algorithm signature calculation process after optimization is shown in Figure 1.
The optimized SM2 algorithm signature generation steps are described as follows: Input: the public parameters on the elliptic curve, the private key d of the signing party and the message M to be processed; Output: signature value (r, s); Step 1: Let =  , Z denote the output result obtained by the above preprocessing process; Step 2: calculation Step 3: Introduce a random number generator algorithm with coordination time to generate random numbers Step 4: Calculate , IF r = 0 or r + k = n, then return to step 3; Step 5: Calculate , IF s = 0, then return to step 3; The SM2 verification signature calculation process after optimization is shown in Figure 2.
The steps of the optimized SM2 signature verification algorithm are described as follows: Input: system public parameters params, public key P, signature (r', s') Output: true or false  Step 1: Step 2: Set Step 3: IF  2) It is also ensured 0 r ≠ and 0 s ≠ when signing, if 0 mod t r s n = + = is an integer multiple of n, and when signing, it is ensured that r s + it is not an integer multiple of n, it is not an integer multiple of n, otherwise because d is a positive integer, it will result in Integer multiples ( ) ( ) 3) On the one hand, , and if x and e are correct, then there is e e ′ = , 1 x x ′ ′ = , so the signature authentication is passed; Secondly, the random number generation of the traditional digital signature authentication algorithm SM2 does not specify what standard to use. In previous studies, it is often only generated by a very common pseudo-random number generator, and the randomness of random number generation is not carried out. Research in this area. Generally speaking, the random number function should have ran domness, unpredictability, and non-reproducibility at the same time, and the relationship between them is strictly increasing. The definition of Coor-dinated Universal Time (UTC) refers to the number of seconds that have elapsed from the computer UNIX timestamp on January 1, 1970 to the current operation being executed. Obviously, this time is changing all the time and rising continuously. By introducing this time method, the randomness of the random number generator can be effectively in creased.

Communication Protocol Foundation
A series of steps that need to be operated in order to complete a specific goal be- scenarios. The secure socket protocol [13] is the transition protocol between the protocol and the application layer. According to the model classification, it can be regarded as the recording layer and the handshake layer. Each layer will perform corresponding operations to complete the corresponding service. There is an interface for mutual exchange with the layer. Specifically, the record layer protocol provides basic functions such as encryption and compression, and the handshake layer completes identity authentication and is responsible for key distribution on this basis. The protocol uses digital certificates to determine whether the entities of both parties in communication are authentic, uses public key cryptographic algorithms for key negotiation, uses symmetric encryption algorithms to encrypt data before transmission to ensure data confidentiality, and calculates a digital digest to verify that the data is in Whether it has been tampered with or forged during the transmission process, it provides a safe mechanism for the transmission of sensitive data of the user's power information on the communication channel. This protocol can prevent such incidents from occurring. Although the communication protocol is diverse, the transformation and optimization of the security protocol is still a very worthy research direction. Next, the specific design and development process of the security protocol will be discussed.

Security Protocol Process
Regarding the data acquired by the power information collection system, the OpenSSL-based development environment [14] is an open cryptographic algorithm library. By optimizing the library, the security protocol design is not only good for portability, but also compatible with different development platforms. The integration level is very high, very suitable for expansion. The security pro-tocol communication operation process based on this design and development of this program is shown in Figure 3.
The realization of the idea in the specific communication process can be carried out according to the following steps: 1) Negotiate the session communication protocol. Before starting the SSL session, select a protocol acceptable to both parties in this session. Such protocols must be compatible with each other, otherwise the normal communication connection cannot be established; 2) Prepare the content required for this session environment. After applying for this session environment, specify the verification method of the certificate in the handshake phase and load the public key certificate. At the same time, load the digital certificate of the message publisher, the certificate contains the public key used to encrypt the key to provide a verification method for identity confirmation, load the user's private key and verify whether the private key and the certificate are equal; 3) The SSL socket service is established normally, and the socket bound by the command is based on the ordinary TCP socket; 4) Completing the session handshake phase. During the handshake process, both parties in communication will negotiate to inquire about the certificate information of both parties in order to perform corresponding verification, and the certificate information can be obtained later;

5)
Encrypted data transmission. After the above-mentioned handshake is completed, the data can be secured during the transmission process; 6) End the secure protocol communication. After the two parties complete the data secure communication, the SSL resources that have been applied for are released, and the entire secure communication process ends.
Finally, the above-mentioned security protocol communication process is summarized as the following points: First, A sends a request dialogue to B, and jointly negotiates the use of the transfer encryption algorithm SM4; then B sends a digital certificate issued by itself to determine its identity and contains the public key. A determines whether it needs to establish reliable communication with the other party by verifying the identity of B, avoiding information exchange with the wrong receiver, and ensuring that both parties in normal communication are accurate; further A will generate a random number as a temporary session key, Using the idea of hybrid encryption, the session key is encrypted with the public key in the certificate sent by B before transmission, which effectively solves the problem of key distribution; finally, B obtains the session key for this communication After that, the common key used by both parties for this communication will be obtained under the premise of their own private key, which ensures the security of the key. After the process of the above-mentioned security protocol, the data can be transmitted in a secure channel.

Communication Programming Design
Network communication programming [15] can be implemented through sockets. Different processes use port number binding to determine what service applications are used. Sockets are created to complete the mutual communication between different processes.
First, the server will take the initiative to create a socket, because each process identifier in the communication process will specify the allocated resources according to the IP address and port number, so the server can bind it. At this time, the server socket has not been opened, but Complete the initialization work for accepting applications from the client; Secondly, the client also creates a socket and establishes a connection with the server through the provided IP address and port number. The connection status is divided into three handshake interactions, and finally the connection success status Establisted is sent to the server, and the server confirms the receipt through the accept method. After the two ends establish communication through the above operations, they can respectively receive/send data with each other, and the data can be switched back and forth through the buffer to the buffer area. After a series of communication and exchange of information, each one is closed one after another, and the entire complete communication process ends since then.
Based on the above-mentioned communication process, the main program interaction process of the designed safety communication protocol is shown in Figure 4.

Experimental Verification and Analysis
The main part of the two-way communication simulation experiment built in this article will be carried out according to the following steps: First create the EC parameters and optimize the SM2 algorithm to generate the private key file, and check the specific content of the private key file as shown in Figure 5.
Then use the public key cryptosystem idea to use its private key to derive the corresponding SM2 public key file, and the file content is expanded as shown in Figure 6.
After the above preparation, the key pair of SM2 has been generated. Due to the introduction of an asymmetric cryptographic algorithm in the digital signature algorithm, although it can prevent denial, the sender cannot determine whether the received public key is the only paired public key generated by the receiver's private key pair, so it is vulnerable to man-in-the-middle attacks. In order to prevent man-in-the-middle attacks, a self-signed certificate needs to be generated to determine the identity. This digital signature certificate has a five-year validity period. The result of the certificate generation is shown in Figure 7.
In order to further see the specific key information of the certificate, the above certificate is formatted to be able to visually see the content of the digital certificate. The certificate can be obtained mainly using the SM2 digital signature algorithm based on SM3, and the validity period of the certificate is 5 For the year, who is responsible for signing the issuance, the public key corresponding to the person responsible for the issuance is a 256-bit string, and the certificate generation result is shown in Figure 8.
After the above preparation process, the following safety protocol is used to      When the client is running, the communication interface is shown in Figure   10. During the information exchange process, the ECDHE-SM2-SM4-SM3 is used for information protection, the ECDHE generates the key selection materials, SM2 completes the digital signature and encryption key, and SM4 is used for the communication channel. The above data encryption process, SM3 is used for data integrity verification, through the above-mentioned colaborative work, it can complete the verification of the identity of the communicating parties, the key generation and exchange during the session, and the verification of whether the exchanged data is completely lost during the transmission process, thereby Perfectly guarantee confidentiality and integrity. During the communication process, the client first confirms the server-side certificate and prints out its information, and then starts the session communication. After completing the two-way data exchange, it releases resources and ends the SSL communication process.
Use wireshark software to capture data packets in the above-mentioned dualterminal analog communication process, and the packet capture results are shown in Figure 11. The generated random number is 32 bytes in total. The 28 bytes that are actually generated by the random number generator algorithm and the random number of random numbers needed in the subsequent signing process to enhance the key generation and the subsequent signing process are mixed by adding the universal coordinated time as a parameter. It is through this method of introducing timestamps that it can effectively resist collision attacks.
The entire communication interaction process is shown in Figure 12. First, the client sends an inquiry, and then the server responds and performs the corresponding key exchange. After the server responds, the client starts to prepare for key generation. After these communication sessions, the secure communication channel The establishment is successful, and then the communication data between the two ends are protected by security.
The time-consuming results of using the SM2-SM4-SM3 hybrid cryptographic system compared with other schemes are shown in Figure 13. It can be seen that the scheme in this paper is less time-consuming than the previous two, and the respective algorithms themselves are more secure, which proves the scheme Feasible and suitable for further related research. Since the transmission of power     authentic, to ensure the confidentiality of communication data, whether the integrity of the exchanged information is lost, and the non-repudiation of the sender itself, which is more practical and valuable than a single encryption protection. It's safe and reliable.

Conclusion
This article mainly introduces the experimental process of the secure communication protocol, and uses the national secret algorithm to carry out the two-way communication process of the protocol, from which it can be seen that the data sent from the client to the server can be safely transmitted, ensuring the confidentiality of the data during the transmission process. The experiment shows that the protocol is safe and effective. The secure communication protocol proposed in this paper is a comprehensive utilization of multiple algorithms. Each type of algorithm application has its specific application occasions. The use of a certain technique alone cannot ensure the absolute security of the current application. In addition, the algorithm itself is mathematically safe. It does not mean that the physical equipment that actually uses the algorithm is safe. Therefore, in the next research work, we should strengthen the attack experiment on the physical equipment that actually uses the cryptographic algorithm to improve performance, so as to find a more secure program.