CN101741827A - Network safety processing equipment and method - Google Patents

Network safety processing equipment and method Download PDF

Info

Publication number: CN101741827A
Authority: CN (China)
Prior art keywords: data, message, network safety, network, processing
Legal status: Pending
Application number: CN200810228686A
Other languages: Chinese (zh)
Inventor: 刘芳
Current Assignee: Individual
Original Assignee: Individual
Priority date: 2008-11-11
Filing date: 2008-11-11
Publication date: 2010-06-16

Abstract

The invention discloses network safety processing equipment and a network safety processing method, and relates to the technical field of network communications. The invention aims to provide network safety processing equipment and a network safety processing method that make the process of encrypting and authenticating data messages simple and convenient without affecting the system performance of the host. The network safety processing equipment provided by the invention comprises an input buffer module and a packet header processing module. The input buffer module receives the data messages that need encryption and authentication together with the corresponding SA (security association) data, buffers them, and sends the data messages and the SA data to the packet header processing module; the packet header processing module receives the data messages and the SA data, processes the header of each data message, and then sends the result together with the SA data to an encryption/decryption/hash unit.

Description

Network safety processing equipment and method thereof
Technical field
The present invention relates to the technical field of network communications.
Background technology
At present the number of users accessing IP (Internet Protocol) networks is increasing, so guaranteeing the security of network communication has become a major issue that communication networks need to solve. In IP network security, the Internet security protocol (IPsec) is widely adopted to achieve network security. This security and authentication technology comprises two security protocols, the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol; used together with the Internet Key Exchange protocol, these two protocols achieve the goal of reliable and secure network communication. The AH protocol verifies the integrity of the data and the source of the data: if a message has been tampered with, or was not sent by the specific expected party, authentication will not pass. The function provided by the ESP protocol is encryption and authentication of the message payload. The bundled operation currently in use applies both the ESP and AH protocols to the same IP message, so that the IP message can be encrypted and authenticated at the same time, fully guaranteeing the security and confidentiality of the messages transmitted in the network.
The SA data carried in a packet are established by setting up a Security Association (SA). An SA is an agreement that two communicating entities establish through negotiation; the data carried by the SA define the IPsec protocol used to protect the packet, the encryption/decryption and authentication algorithms, the keys, the effective lifetime of the keys, and so on. The recipient uses the IP destination address, the IP security protocol type and the SPI contained in the packet header to look up the corresponding SA data, and then encrypts and authenticates the IP datagram according to the content of the SA data, so as to guarantee the confidentiality, reliability and integrity of the data. The Internet Key Exchange, which takes place before IP packets are protected, is the most important part.
Because encrypting and authenticating messages requires a large amount of computation, communication systems with high security requirements usually use a specially designed network security processor to handle the protocol-based messages transmitted in the network. When performing encryption and authentication processing on an IP message, the network security processor must read both the IP datagram and the SA data of the message into the processor; after identifying the IP message, it processes the message according to the corresponding SA data, updates part of the content of the SA data, and then sends out the processed data message.
Summary of the invention
In view of the problems existing in the prior art, the purpose of the present invention is to provide network safety processing equipment and a method thereof that overcome those problems, make the encryption and authentication process for data messages simpler, and do not affect the system performance of the host.
To achieve the above object, the invention provides network safety processing equipment comprising: an input buffer module, which receives the data messages that need encryption and authentication processing together with the corresponding SA security association data, buffers them, and sends them to the packet header processing module; and a packet header processing module, which receives the data messages and the SA data, processes the header of each data message, and then sends the result together with the SA data to the encryption/decryption/hash unit.
Beneficial effect of the present invention:
After the two communicating parties have finished negotiating, the host stores the negotiated SA data in main memory, that is, the SA data and the system share memory. When the host receives a data message and finds that it needs encryption processing, it notifies the DMA module of the data message and the SA data by means of a message descriptor. According to the information in the descriptor, the DMA module reads the SA data over the PCI bus in DMA mode and caches them in the input buffer, and then does the same for the data message; the general-purpose network security processor then reads the SA data and the data message from the input buffer, and the packet header processing module performs header processing on the message.
If the data message is to be processed in bundled mode, then during the second pass of reading the SA data and the data message, the data message must be read from the input buffer according to the data, and the following processing is carried out in turn: the encryption/decryption unit performs encryption or authentication processing on the message and sends it to the packet tail processing module after processing; the packet tail processing module performs tail processing on the message according to the result produced by the encryption/decryption unit, and places the processed data message in the output buffer for storage; for the processed data message, the DMA module returns it to the host over the general data bus; at the same time, after the data write-back is complete, the DMA module updates the content of the SA data in host memory over the general data bus, completing one packet processing cycle. If bundled processing is required, that is, if bundled processing is supported, the data message passes in and out of the chip repeatedly over the data bus, which reduces system performance.
Description of drawings:
Fig. 1 is a flow chart of the present invention.
Embodiment:
The input buffer module and the output buffer module of the present invention are each connected to host memory and the general data bus through the DMA module, and to local storage through the DMA module and the memory bus. A compression processing module is also connected between the input buffer module and the packet header processing module; this module receives the data message sent by the input buffer, compresses it, and sends it to the packet header processing module. A decompression processing module is connected between the packet tail processing module and the output buffer module; this module receives the data message sent by the packet tail processing module, decompresses it, and sends it to the output buffer module. The packet header processing module receives the data message and the SA data, inserts the security headers used for bundled processing into the data message in a single pass, and sends it together with the SA data to the encryption/decryption/hash unit. ESP processing module: receives the data message and SA data sent by the packet header processing module, performs the corresponding encryption/decryption and/or authentication processing according to the SA, and hands the result to the AH processing module. AH processing module: receives the data message and SA data sent by the ESP processing module, performs the corresponding operation processing according to the SA data, and sends the result to the packet tail processing module. The system issues the SA data to local storage via the general data bus and the network safety processing equipment, and the received data messages are stored in the system host memory; the network safety processing equipment fetches the data messages from host memory via the general data bus and fetches the SA data from local storage via the memory bus; it then performs the corresponding network security processing according to the fetched SA data and data messages.
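As an added illustration (not part of the patent), the following Python simulation models the processing chain the description lays out: an SA database keyed by destination address, protocol type and SPI; a bundled ESP-then-AH pass over a message, after which the per-packet SA fields are updated; and the receiver's SA lookup, replay check and authentication, which rejects a tampered or replayed message. The SA record layout, the HMAC-based keystream standing in for the SA's cipher, and all addresses, SPIs and keys are constructed assumptions.

```python
import hmac, hashlib, struct
from dataclasses import dataclass

@dataclass
class SA:                 # constructed SA record; fields mirror the SA contents the page lists
    spi: int
    proto: str            # "ESP" (encrypt + authenticate) or "AH" (authenticate only)
    akey: bytes           # authentication key
    ekey: bytes = b""     # encryption key (ESP only)
    seq: int = 0          # per-packet counter: the SA field that is written back after each packet
    lifetime: int = 100   # packets this SA may protect before the keys must be renegotiated

def keystream(key, seq, n):   # stand-in for the SA's cipher: HMAC-SHA256 run in counter mode
    return b"".join(hmac.new(key, struct.pack(">II", seq, i), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]
def icv(key, data):           # integrity check value: 96-bit truncated HMAC-SHA256
    return hmac.new(key, data, hashlib.sha256).digest()[:12]

def protect(sa, pkt):         # one pass of the encryption/hash unit under a single SA
    if sa.seq >= sa.lifetime: raise RuntimeError("SA lifetime exhausted")
    sa.seq += 1
    hdr = struct.pack(">II", sa.spi, sa.seq)            # security header: SPI + sequence number
    if sa.proto == "ESP":
        body = bytes(a ^ b for a, b in zip(pkt, keystream(sa.ekey, sa.seq, len(pkt))))
        return hdr + body + icv(sa.akey, hdr + body)    # ESP: ICV trails the encrypted payload
    return hdr + icv(sa.akey, hdr + pkt) + pkt          # AH: ICV in the header, payload in clear

def unprotect(sa, pkt):       # receiver side: replay check, ICV check, then decrypt
    hdr = pkt[:8]; spi, seq = struct.unpack(">II", hdr)
    if spi != sa.spi or seq <= sa.seq: raise ValueError("unknown SPI or replayed sequence")
    if sa.proto == "ESP":
        body, tag = pkt[8:-12], pkt[-12:]
        if not hmac.compare_digest(tag, icv(sa.akey, hdr + body)):
            raise ValueError("ESP authentication failed")
        out = bytes(a ^ b for a, b in zip(body, keystream(sa.ekey, seq, len(body))))
    else:
        tag, out = pkt[8:20], pkt[20:]
        if not hmac.compare_digest(tag, icv(sa.akey, hdr + out)):
            raise ValueError("AH authentication failed")
    sa.seq = seq              # message accepted: advance the anti-replay state in the SA
    return out

def outbound(sad, dst, payload, bundle):   # bundle, e.g. [("ESP", 0x100), ("AH", 0x200)]
    sas = [sad[(dst, proto, spi)] for proto, spi in bundle]   # one SA lookup per protocol
    for sa in sas:                                             # ESP first, AH wrapped outside it
        payload = protect(sa, payload)
    return payload

def inbound(sad, dst, pkt, bundle):        # peel the bundle off in reverse order
    for proto, spi in reversed(bundle):
        pkt = unprotect(sad[(dst, proto, spi)], pkt)
    return pkt
```

Sender and receiver each hold their own copy of the SA database, so the sequence counters on the two sides evolve independently, as they do in the host-memory write-back the description mentions.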

Claims (1)

1. Network safety processing equipment and method thereof, characterized in that: the input buffer module receives the data messages that need encryption and authentication processing together with the corresponding SA security association data, buffers them, and sends them to the packet header processing module; the packet header processing module receives the data messages and the SA data, processes the header of each data message, and then sends the result together with the SA data to the encryption/decryption/hash unit.
CN200810228686A 2008-11-11 2008-11-11 Network safety processing equipment and method Pending CN101741827A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810228686A CN101741827A (en) 2008-11-11 2008-11-11 Network safety processing equipment and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810228686A CN101741827A (en) 2008-11-11 2008-11-11 Network safety processing equipment and method

Publications (1)

Publication Number Publication Date
CN101741827A true CN101741827A (en) 2010-06-16

Family

ID=42464719

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810228686A Pending CN101741827A (en) 2008-11-11 2008-11-11 Network safety processing equipment and method

Country Status (1)

Country Link
CN (1) CN101741827A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103200187A (en) * 2013-03-20 2013-07-10 汉柏科技有限公司 System and method of fast message decryption
CN103200187B (en) * 2013-03-20 2017-04-19 汉柏科技有限公司 System and method of fast message decryption
CN103701819A (en) * 2013-12-30 2014-04-02 北京网康科技有限公司 Hypertext transfer protocol decoding processing method and device
CN105656655A (en) * 2014-11-14 2016-06-08 华为技术有限公司 Method, device and system for network security management
CN105656655B (en) * 2014-11-14 2019-07-23 华为技术有限公司 A kind of network safety managing method, device and system

Similar Documents

Publication Publication Date Title
CN110999248B (en) Secure communication acceleration using system-on-chip (SoC) architecture
Pereira et al. The ESP CBC-mode cipher algorithms
US8468337B2 (en) Secure data transfer over a network
CN101262405B (en) High-speed secure virtual private network channel based on network processor and its realization method
US7502925B2 (en) Method and apparatus for reducing TCP frame transmit latency
CN107004097B (en) Security plug-in for system-on-chip platform
US8351445B1 (en) Network interface systems and methods for offloading segmentation and/or checksumming with security processing
JP2018534884A (en) Client-cloud or remote server secure data or file object encryption gateway
CN102118426B (en) Network security payment terminal and network security payment method thereof
JP2010259081A (en) Network processing employing ipsec
US20100306540A1 (en) Encryption processing method and encryption processing device
US7526085B1 (en) Throughput and latency of inbound and outbound IPsec processing
CN107181716A (en) A kind of secure communication of network system and method based on national commercial cipher algorithm
US20050198498A1 (en) System and method for performing cryptographic operations on network data
CN101521667B (en) Method and device for safety data communication
CN114422256B (en) High-performance security access method and device based on SSAL/SSL protocol
US7818563B1 (en) Method to maximize hardware utilization in flow-thru IPsec processing
CN111614692A (en) Inbound message processing method and device based on power gateway
US7624263B1 (en) Security association table lookup architecture and method of operation
CN101741827A (en) Network safety processing equipment and method
US7564976B2 (en) System and method for performing security operations on network data
CN100502348C (en) Network safety processing equipment and method thereof
US7603549B1 (en) Network security protocol processor and method thereof
EP2558946B1 (en) Method and system for cryptographic processing core
CN209731292U (en) Safe distribution of electric power communication terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20100616