CN108055268A - A method for transparent encryption and decryption of data transmitted over a PCIe link
- Publication number: CN108055268A
- Application number: CN201711359486.8A
- Authority: CN (China)
- Prior art keywords: data, encryption, pcie, decryption, link layer
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Communication Control (AREA)
Abstract
The invention discloses a method for transparent encryption and decryption of data transmitted over a PCIe link. The method adds an encryption/decryption module, in hardware, between the host computer and the device end, and is divided into a sending direction and a receiving direction. The invention moves the encryption and decryption process in a PCIe system down from the application layer to the data link layer, so that it is fully transparent to application-layer users. Doing so strengthens the stability of the encryption and decryption work, meets a project's encryption and decryption requirements without modifying the application program, remedies the problem that existing encryption technology is easily exposed at the application layer, and increases the security of the implementation.
Description
Technical field
The invention belongs to the field of data transmission, and is specifically a method for transparent encryption and decryption of data transmitted over a PCIe link.
Background technology
PCIe is the currently popular computer bus architecture; it is very widely used, especially in desktop-class platforms built around the x86 architecture and in server-platform computing systems. However, PCIe data streams are all carried in plaintext during transmission. Traditionally, therefore, data that must be encrypted or decrypted has the encryption or decryption performed on the application side first, and is only then sent to the external device over the PCIe link.
With the rapid development of the mobile internet, the number of networked devices is growing explosively. Correspondingly, the security of networked devices has become an increasingly prominent problem. The demand for data security grows ever stronger, and data encryption and decryption techniques are widely applied at every level. From the five-layer structure of the network protocol stack in general use today (the five layers being, respectively, the application layer, transport layer, internet layer, data link layer and physical layer), it can be seen that secure encryption and decryption functions can be implemented at the application layer, transport layer, internet layer or data link layer, but the application layer is usually chosen.
In a common computer system, encryption and decryption are usually performed by the system's main processor calling a module that provides encryption and decryption functions; those functions may be realized in software or in hardware. This mode of encryption and decryption is not transparent to the application program: the encryption and decryption process must be realized by the application flow calling the corresponding encryption and decryption functions.
Viewed from the network protocol stack, secure encryption and decryption functions implemented at the application layer have a high degree of exposure; the closer the encryption and decryption technology is to the bottom of the stack, the lower its degree of exposure and, at the same time, the higher the transparency of the encryption and decryption functions to the application program user.
Summary of the invention
In view of the deficiencies of the prior art, the technical problem the present invention intends to solve is to provide a method for transparent encryption and decryption of data transmitted over a PCIe link.
The technical solution by which the present invention solves this technical problem is to provide a method for transparent encryption and decryption of data transmitted over a PCIe link, characterised in that the method adds an encryption/decryption module, in hardware, between the host computer and the device end, and is divided into a sending direction and a receiving direction, specifically comprising the following steps:
Sending direction:
(1) The data stream of the host computer is transferred over the PCIe physical-layer high-speed serial transmission channel, and the PCIe data link layer manages the data transfer flow; at the PCIe data link layer, the command resolution unit of the encryption/decryption module completes the parsing. The parsed data provides the encryption/decryption module with the key information of the downstream communication: the physical address, the operation type, the valid data length and the check code.
(2) According to the specific requirements of the application project, the extracted key data segment is used, and the contents of the data segment are written into the to-be-encrypted data storage area of the encryption/decryption module.
(3) The encryption unit of the encryption/decryption module is called to perform an encryption operation on the contents of the to-be-encrypted data storage area; the encryption uses a symmetric encryption algorithm.
(4) The data for which encryption has been completed is written into the to-be-sent data storage area of the encryption/decryption module.
(5) The encrypted data is re-encapsulated at the PCIe data link layer, sent from the PCIe data link layer to the PCIe physical layer, and then transmitted to the device end, completing the data sending.
Receiving direction:
(1) The data packet of the device end is transferred over the PCIe physical-layer high-speed serial transmission channel, and the PCIe data link layer manages the data transfer flow; at the PCIe data link layer, the reception resolution unit of the encryption/decryption module parses the received data packet and extracts the valid control information, such as the data length.
(2) According to the specific requirements of the application project, the extracted valid encrypted data segment is used, and the contents of the valid encrypted data segment are written into the to-be-decrypted data storage area of the encryption/decryption module.
(3) The decryption unit of the encryption/decryption module is called to perform a decryption operation on the contents of the to-be-decrypted data storage area; the decryption uses the symmetric decryption algorithm.
(4) The data for which decryption has been completed is written into the to-be-read data storage area of the encryption/decryption module.
(5) A receive-transaction interrupt is reported to the host computer, and the host computer initiates a read transaction operation; the PCIe data link layer completes the response with the corresponding transaction frame according to the specific transaction type initiated by the host computer, the decrypted data is re-encapsulated at the PCIe data link layer, sent from the PCIe data link layer to the PCIe physical layer, and then transmitted to the host computer, completing the data reception.
Compared with the prior art, the advantageous effects of the present invention are:
(1) The present invention moves the encryption and decryption process in a PCIe system down from the application layer to the data link layer, making it fully transparent to application-layer users. Doing so strengthens the stability of the encryption and decryption work, meets a project's encryption and decryption requirements without modifying the application program, remedies the problem that existing encryption technology is easily exposed at the application layer, and increases the security of the implementation.
(2) In the PCIe transmission process, the segment to be encrypted can be decided according to the specific content being transmitted, which preserves the flexibility of the data encryption process.
(3) By parsing the content transferred at the PCIe data link layer, the key content at the data link layer is encrypted or decrypted, and the data transmission is then completed by the PCIe upstream and downstream devices without the upstream application layer taking part, which improves the security of PCIe link data transmission and the concealment of the encryption and decryption actions.
Specific embodiment
Specific embodiments of the present invention are given below. The specific embodiment is only used to further describe the present invention and does not limit the scope of protection of the claims of this application.
The present invention provides a method (hereinafter "the method") for transparent encryption and decryption of data transmitted over a PCIe link, characterised in that an encryption/decryption module is added, in hardware, between the host computer and the device end, and the method is divided into a sending direction and a receiving direction, specifically comprising the following steps:
Sending direction:
(1) The data stream of the host computer is transferred over the PCIe physical-layer high-speed serial transmission channel, and the PCIe data link layer manages the data transfer flow; at the PCIe data link layer, the command resolution unit of the encryption/decryption module completes the parsing. The parsed data provides the encryption/decryption module with the key information of the downstream communication: the physical address, the operation type, the valid data length and the check code.
(2) According to the specific requirements of the application project, the extracted key data segment is used, and the contents of the data segment are written into the to-be-encrypted data storage area of the encryption/decryption module.
(3) The encryption unit of the encryption/decryption module is called to perform an encryption operation on the contents of the to-be-encrypted data storage area; the encryption uses a symmetric encryption algorithm.
(4) The data for which encryption has been completed is written into the to-be-sent data storage area of the encryption/decryption module.
(5) The encrypted data is re-encapsulated at the PCIe data link layer, sent from the PCIe data link layer to the PCIe physical layer, and then transmitted to the device end, completing the data sending.
Receiving direction:
(1) The data packet of the device end is transferred over the PCIe physical-layer high-speed serial transmission channel, and the PCIe data link layer manages the data transfer flow; at the PCIe data link layer, the reception resolution unit of the encryption/decryption module parses the received data packet and extracts the valid control information, such as the data length.
(2) According to the specific requirements of the application project, the extracted valid encrypted data segment is used, and the contents of the valid encrypted data segment are written into the to-be-decrypted data storage area of the encryption/decryption module.
(3) The decryption unit of the encryption/decryption module is called to perform a decryption operation on the contents of the to-be-decrypted data storage area; the decryption uses the symmetric decryption algorithm.
(4) The data for which decryption has been completed is written into the to-be-read data storage area of the encryption/decryption module.
(5) A receive-transaction interrupt is reported to the host computer, and the host computer initiates a read transaction operation; the PCIe data link layer completes the response with the corresponding transaction frame according to the specific transaction type initiated by the host computer, the decrypted data is re-encapsulated at the PCIe data link layer, sent from the PCIe data link layer to the PCIe physical layer, and then transmitted to the host computer, completing the data reception.
The encryption/decryption module can parse the data stream of the PCIe data link layer and analyse the operation type of the content transferred at the data link layer: content of command type is forwarded directly, while content of data type is extracted and subjected to the encryption or decryption action.
The host computer is the source of the data that is transparently encrypted and the destination of the data that is transparently decrypted.
The device end is the source of the data that is transparently decrypted and the destination of the data that is transparently encrypted.
Matters not described in the present invention are applicable to the prior art.
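The five-step sending and receiving procedure described above, together with the rule that command-type content is forwarded unchanged while data-type content is enciphered, can be exercised in software. The following Go program is an added example written for this page; it is not code from the patent or its applicant. It assumes a constructed frame layout (physical address, operation type, length, payload, CRC32 check code) standing in for the real PCIe link-layer content, uses AES-GCM as the unspecified symmetric algorithm so that the check performed on receipt also detects altered or re-addressed ciphertext, and uses a constructed demo key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Constructed frame layout standing in for the link-layer content the module parses
// (an assumption for this example, not the real PCIe TLP/DLLP format): [0:8] physical
// address (LE), [8] operation type, [9:11] valid data length, [11:] payload, then a
// 4-byte CRC32 check code over everything before it.
const (
	OpCommand, OpData byte = 0, 1 // command type is forwarded unchanged; data type is enciphered
	headerLen, crcLen      = 11, 4
)

type Frame struct {
	Addr    uint64
	Op      byte
	Payload []byte
}

// Encapsulate writes header, payload and check code (the re-encapsulation step).
func Encapsulate(f Frame) []byte {
	buf := make([]byte, headerLen+len(f.Payload)+crcLen)
	binary.LittleEndian.PutUint64(buf[0:8], f.Addr)
	buf[8] = f.Op
	binary.LittleEndian.PutUint16(buf[9:11], uint16(len(f.Payload)))
	copy(buf[headerLen:], f.Payload)
	end := headerLen + len(f.Payload)
	binary.LittleEndian.PutUint32(buf[end:], crc32.ChecksumIEEE(buf[:end]))
	return buf
}

// Parse is the command/reception resolution unit: it extracts address, operation type
// and valid data length, and verifies the check code before any of it is used.
func Parse(raw []byte) (Frame, error) {
	if len(raw) < headerLen+crcLen || len(raw) != headerLen+int(binary.LittleEndian.Uint16(raw[9:11]))+crcLen {
		return Frame{}, errors.New("truncated frame or length field does not match frame size")
	}
	n := len(raw) - headerLen - crcLen
	if crc32.ChecksumIEEE(raw[:headerLen+n]) != binary.LittleEndian.Uint32(raw[headerLen+n:]) {
		return Frame{}, errors.New("check code mismatch")
	}
	p := append([]byte(nil), raw[headerLen:headerLen+n]...)
	return Frame{Addr: binary.LittleEndian.Uint64(raw[0:8]), Op: raw[8], Payload: p}, nil
}

// Module is the in-line encryption/decryption module. AES-GCM stands in for the patent's
// unspecified symmetric algorithm; its tag also rejects altered ciphertext.
type Module struct{ aead cipher.AEAD }

func NewModule(key []byte) (*Module, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Module{aead: aead}, err
}

// Send is the host-to-device direction: commands pass through untouched; a data payload
// is sealed (random nonce prepended) and the frame is rebuilt around the ciphertext.
func (m *Module) Send(raw []byte) ([]byte, error) {
	f, err := Parse(raw)
	if err != nil || f.Op != OpData {
		return raw, err
	}
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Address and operation type are bound as associated data, so a ciphertext moved
	// to a different address fails authentication on receipt.
	f.Payload = m.aead.Seal(nonce, nonce, f.Payload, raw[:9])
	return Encapsulate(f), nil
}

// Receive is the device-to-host direction: parse, open the ciphertext, and rebuild the
// frame with the plaintext that the host's read transaction will fetch.
func (m *Module) Receive(raw []byte) ([]byte, error) {
	f, err := Parse(raw)
	if err != nil || f.Op != OpData {
		return raw, err
	}
	ns := m.aead.NonceSize()
	if len(f.Payload) < ns+m.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	if f.Payload, err = m.aead.Open(nil, f.Payload[:ns], f.Payload[ns:], raw[:9]); err != nil {
		return nil, err
	}
	return Encapsulate(f), nil
}

func main() {
	m, _ := NewModule([]byte("0123456789abcdef")) // constructed 128-bit demo key
	wire, _ := m.Send(Encapsulate(Frame{Addr: 0x1000, Op: OpData, Payload: []byte("host data")}))
	back, _ := m.Receive(wire)
	fmt.Printf("on the link: %x\nhost reads:  %q\n", wire, back[headerLen:len(back)-crcLen])
}
```

Parse rejects a frame whose length field disagrees with its size or whose check code fails before any key material is touched, which is where a hardware module should drop malformed traffic; binding the address and operation type as associated data means a data payload captured under one address is not accepted under another, a property the patent's plain symmetric cipher and check code would not give on their own.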
Claims (1)
1. A method for transparent encryption and decryption of data transmitted over a PCIe link, characterised in that the method adds an encryption/decryption module, in hardware, between the host computer and the device end, and is divided into a sending direction and a receiving direction, specifically comprising the following steps:
Sending direction:
(1) The data stream of the host computer is transferred over the PCIe physical-layer high-speed serial transmission channel, and the PCIe data link layer manages the data transfer flow; at the PCIe data link layer, the command resolution unit of the encryption/decryption module completes the parsing. The parsed data provides the encryption/decryption module with the key information of the downstream communication: the physical address, the operation type, the valid data length and the check code.
(2) According to the specific requirements of the application project, the extracted key data segment is used, and the contents of the data segment are written into the to-be-encrypted data storage area of the encryption/decryption module.
(3) The encryption unit of the encryption/decryption module is called to perform an encryption operation on the contents of the to-be-encrypted data storage area; the encryption uses a symmetric encryption algorithm.
(4) The data for which encryption has been completed is written into the to-be-sent data storage area of the encryption/decryption module.
(5) The encrypted data is re-encapsulated at the PCIe data link layer, sent from the PCIe data link layer to the PCIe physical layer, and then transmitted to the device end, completing the data sending.
Receiving direction:
(1) The data packet of the device end is transferred over the PCIe physical-layer high-speed serial transmission channel, and the PCIe data link layer manages the data transfer flow; at the PCIe data link layer, the reception resolution unit of the encryption/decryption module parses the received data packet and extracts the valid control information, such as the data length.
(2) According to the specific requirements of the application project, the extracted valid encrypted data segment is used, and the contents of the valid encrypted data segment are written into the to-be-decrypted data storage area of the encryption/decryption module.
(3) The decryption unit of the encryption/decryption module is called to perform a decryption operation on the contents of the to-be-decrypted data storage area; the decryption uses the symmetric decryption algorithm.
(4) The data for which decryption has been completed is written into the to-be-read data storage area of the encryption/decryption module.
(5) A receive-transaction interrupt is reported to the host computer, and the host computer initiates a read transaction operation; the PCIe data link layer completes the response with the corresponding transaction frame according to the specific transaction type initiated by the host computer, the decrypted data is re-encapsulated at the PCIe data link layer, sent from the PCIe data link layer to the PCIe physical layer, and then transmitted to the host computer, completing the data reception.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711359486.8A CN108055268A (en) | 2017-12-17 | 2017-12-17 | A kind of method based on PCIe link data penetration transmission encryption and decryption |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108055268A true CN108055268A (en) | 2018-05-18 |
Family ID: 62133531
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711359486.8A Pending CN108055268A (en) | 2017-12-17 | 2017-12-17 | A kind of method based on PCIe link data penetration transmission encryption and decryption |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108055268A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110099062A (en) * | 2019-05-07 | 2019-08-06 | 山东渔翁信息技术股份有限公司 | A kind of encryption method of network data, decryption method and relevant apparatus |
CN113961481A (en) * | 2021-12-23 | 2022-01-21 | 苏州浪潮智能科技有限公司 | CPU interconnection bus architecture and electronic equipment |
CN116070295A (en) * | 2023-02-27 | 2023-05-05 | 赛芯半导体技术(北京)有限公司 | Data processing system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102130768A (en) * | 2010-12-20 | 2011-07-20 | 西安西电捷通无线网络通信股份有限公司 | Terminal equipment having capability of encrypting and decrypting link layer and data processing method thereof |
CN105592107A (en) * | 2016-03-01 | 2016-05-18 | 南京富岛信息工程有限公司 | Device and method for safely collecting industrial process data on basis of FPGA |
CN106295375A (en) * | 2016-08-23 | 2017-01-04 | 记忆科技(深圳)有限公司 | A kind of encryption hard disk supporting PCI E interface |
CN106326754A (en) * | 2016-08-23 | 2017-01-11 | 记忆科技(深圳)有限公司 | Data transmission encryption device implemented based on PCIE (Peripheral Component Interface Express) interface |
CN106549970A (en) * | 2016-11-25 | 2017-03-29 | 济南浪潮高新科技投资发展有限公司 | A kind of PCIE interface data encipher-decipher methods based on FPGA |
US20170139867A1 (en) * | 2015-11-16 | 2017-05-18 | Apacer Technology Inc. | PCIe BRIDGE TRANSFORMATION DEVICE AND METHOD THEREOF |
2017
- 2017-12-17: CN application CN201711359486.8A, publication CN108055268A, status active, Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20180518 |