标准摘要
[中文适用范围]: 本部分 IEC 62351 规定了密码密钥管理,主要关注长期密钥的管理,这些密钥通常是非对称密钥对,如公钥证书和相应的私钥。由于证书是基础,本文档为许多 IEC 62351 服务奠定了基础(另见附录 A)。对称密钥管理也被考虑,但仅针对 IEC 62351-6 中应用的基于组通信的会话密钥。本文档的目标是通过指定或限制要使用的密钥管理选项来定义实现密钥管理互操作性的要求和技术。 本文档假设一个组织(或一组组织)已经定义了安全策略来选择将使用的密钥类型和加密算法,这些可能需要与其他标准或法规要求保持一致。因此,本文档仅指定这些选定密钥和密码基础设施的管理技术。本文档假设读者对密码学和密钥管理原则有基本的了解。 通信协议中成对对称(会话)密钥的管理要求在 IEC 62351 的以下部分中规定,这些部分利用或指定成对通信: • IEC 62351-3 用于 TLS,通过分析 TLS 选项 • IEC 62351-4 用于应用层端到端安全 • IEC TS 62351-5 用于 IEC 60870-5-101/104 和 IEEE 1815 (DNP3) 的应用层安全机制 在电力系统通信协议中,对称组密钥的管理要求在 IEC 62351-6 中规定,用于利用组安全保护 GOOSE 和 SV 通信。IEC 62351-9 利用 GDOI 作为已经由 IETF 指定的基于组的密钥管理协议来管理组安全参数,并增强该协议以携带 GOOSE、SV 和 PTP 的安全参数。 本文档还定义了特定条件的安全事件,这些事件可能识别可能需要错误处理的问题。然而,组织对这些错误条件的响应行动超出了本文档的范围,预计将由组织的安全策略定义。 未来,随着公钥密码学因量子计算机的发展而受到威胁,本文档还将在一定程度上考虑后量子密码学。请注意,目前尚未提供具体措施。 [外文原描述]: IEC 62351-9:2023 specifies cryptographic key management, primarily focused on the management of long-term keys, which are most often asymmetric key pairs, such as public-key certificates and corresponding private keys. As certificates build the base this document builds a foundation for many IEC 62351 services (see also Annex A). Symmetric key management is also considered but only with respect to session keys for group-based communication as applied in IEC 62351-6. The objective of this document is to define requirements and technologies to achieve interoperability of key management by specifying or limiting key management options to be used. This document assumes that an organization (or group of organizations) has defined a security policy to select the type of keys and cryptographic algorithms that will be utilized, which may have to align with other standards or regulatory requirements. This document therefore specifies only the management techniques for these selected key and cryptography infrastructures. This document assumes that the reader has a basic understanding of cryptography and key management principles. The requirements for the management of pairwise symmetric (session) keys in the context of communication protocols is specified in the parts of IEC 62351 utilizing or specifying pairwise communication such as: • IEC 62351-3 for TLS by profiling the TLS options • IEC 62351-4 for the application layer end-to-end security • IEC TS 62351-5 for the application layer security mechanism for IEC 60870-5-101/104 and IEEE 1815 (DNP3) The requirements for the management of symmetric group keys in the context of power system communication protocols is specified in IEC 62351-6 for utilizing group security to protect GOOSE and SV communication. IEC 62351-9 utilizes GDOI as already IETF specified group-based key management protocol to manage the group security parameter and enhances this protocol to carry the security parameter for GOOSE, SV, and PTP. This document also defines security events for specific conditions which could identify issues which might require error handling. However, the actions of the organisation in response to these error conditions are beyond the scope of this document and are expected to be defined by the organizations security policy. In the future, as public-key cryptography becomes endangered by the evolution of quantum computers, this document will also consider post-quantum cryptography to a certain extent. Note that at this time being no specific measures are provided. This second edition cancels and replaces the first edition published in 2017. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition: a) Certificate components and verification of the certificate components have been added; b) GDOI has been updated to include findings from interop tests; c) GDOI operation considerations have been added; d) GDOI support for PTP (IEEE 1588) support has been added as specified by IEC/IEEE 61850-9-3 Power Profile; e) Cyber security event logging has been added as well as the mapping to IEC 62351-14; f) Annex B with background on utilized cryptographic algorithms and mechanisms has been added.
英文名称Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment