CN108055268A - A kind of method based on PCIe link data penetration transmission encryption and decryption - Google Patents

Info

Publication number
CN108055268A
Authority
CN
China
Prior art keywords
data
encryption
pcie
decryption
link layer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711359486.8A
Other languages
Chinese (zh)
Inventor
鲁毅
付彦淇
何全
王晓璐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin Jinhang Computing Technology Research Institute
Original Assignee
Tianjin Jinhang Computing Technology Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianjin Jinhang Computing Technology Research Institute
Priority to CN201711359486.8A
Publication of CN108055268A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Communication Control (AREA)

Abstract

The invention discloses a method of transparent encryption and decryption of data transmitted over a PCIe link. The method adds an encryption/decryption module in hardware between the host computer and the device end, and is divided into a sending direction and a receiving direction. The invention moves the encryption and decryption process of a PCIe system down from the application layer to the data link layer, making it fully transparent to application-layer users. Doing so strengthens the stability of the encryption and decryption work, meets a project's encryption and decryption requirements without modifying the application program, resolves the problem that existing application-layer encryption technology is easily exposed, and increases the security of the implementation.

Description

A kind of method based on PCIe link data penetration transmission encryption and decryption
Technical field
The invention belongs to the field of data transmission, and is specifically a method of transparent encryption and decryption of data transmitted over a PCIe link.
Background technology
PCIe is the currently popular computer bus architecture and is very widely used, especially in desktop-class platforms built around x86 and in server-platform computing systems. However, PCIe data streams are transmitted in plaintext, so the traditional encryption and decryption process is that data with an encryption or decryption requirement completes the encryption or decryption action on the application side and is then sent over the PCIe link to the external device.
With the rapid development of the mobile internet, the number of networked devices is growing explosively. Correspondingly, the security of networked devices has become an increasingly prominent problem. The demand for data security grows ever stronger, and encryption and decryption technology is widely applied at every level of the data path. From the five-layer structure of the network protocol stack in general use today (the five layers being the application layer, transport layer, internetwork layer, data link layer and physical layer) it can be seen that security encryption and decryption functions can be implemented at the application layer, transport layer, internetwork layer or data link layer, but implementation at the application layer is usually chosen.
In a common computer system the encryption and decryption process is usually performed by the system's main processor calling a module with encryption and decryption functions; those functions can be realized in software or in hardware. This mode of encryption and decryption is not transparent to the application program: the encryption and decryption process must be realized by the application flow calling the corresponding encryption and decryption functions.
Viewed from the network protocol stack, security encryption and decryption functions implemented at the application layer have a higher degree of exposure; the closer the encryption and decryption technology is to the bottom of the stack, the lower its degree of exposure and, at the same time, the higher its transparency to the application program user.
Summary of the invention
In view of the deficiencies of the prior art, the technical problem the invention intends to solve is to provide a method of transparent encryption and decryption of data transmitted over a PCIe link.
The technical solution by which the invention solves this technical problem is to provide a method of transparent encryption and decryption of data transmitted over a PCIe link, characterized in that the method adds an encryption/decryption module in hardware between the host computer and the device end, and the method is divided into a sending direction and a receiving direction, specifically comprising the following steps:
Sending direction:
(1) The data stream of the host computer is transferred over the PCIe physical layer high-speed serial transmission channel; the PCIe data link layer manages the data transmission workflow, and at the PCIe data link layer the command resolution unit of the encryption/decryption module completes the parsing. The parsed data provides the encryption/decryption module with the key information about the downstream communication: physical address information, operation type, valid data length and check code;
(2) According to the specific requirements of the application project, the extracted critical data segment is used, and the data segment contents are written into the to-be-encrypted data storage area of the encryption/decryption module;
(3) The encryption unit of the encryption/decryption module is called to perform an encryption operation on the contents of the to-be-encrypted data storage area; encryption uses a symmetric encryption algorithm;
(4) The data for which encryption has been completed is written into the to-be-sent data storage area of the encryption/decryption module;
(5) The encrypted data is re-encapsulated at the PCIe data link layer, sent from the PCIe data link layer to the PCIe physical layer and then transmitted to the device end, completing the data send;
Receiving direction:
(1) The data packet from the device end is transferred over the PCIe physical layer high-speed serial transmission channel; the PCIe data link layer manages the data transmission workflow, and at the PCIe data link layer the reception resolution unit of the encryption/decryption module parses the received data packet and extracts the valid control information, such as the data length;
(2) According to the specific requirements of the application project, the extracted valid encrypted data segment is used, and its contents are written into the to-be-decrypted data storage area of the encryption/decryption module;
(3) The decryption unit of the encryption/decryption module is called to perform a decryption operation on the contents of the to-be-decrypted data storage area; decryption uses the symmetric decryption algorithm;
(4) The data for which decryption has been completed is written into the to-be-read data storage area of the encryption/decryption module;
(5) A receive-transaction interrupt is reported to the host computer, and the host computer initiates a read transaction operation; according to the specific transaction type initiated by the host computer, the PCIe data link layer completes the response with the corresponding transaction frame, the decrypted data is re-encapsulated at the PCIe data link layer, sent from the PCIe data link layer to the PCIe physical layer and then transmitted to the host computer, completing the data receive.
Compared with the prior art, the advantageous effects of the invention are:
(1) The invention moves the encryption and decryption process of a PCIe system down from the application layer to the data link layer, making it fully transparent to application-layer users. Doing so strengthens the stability of the encryption and decryption work, meets a project's encryption and decryption requirements without modifying the application program, resolves the problem that existing application-layer encryption technology is easily exposed, and increases the security of the implementation.
(2) The PCIe transmission process can decide which segments to encrypt according to the specific content being transmitted, which preserves the flexibility of the data encryption process.
(3) By parsing the content transferred at the PCIe data link layer, the critical content at the data link layer is encrypted or decrypted, and the data transmission is then completed by the PCIe upstream and downstream devices without the participation of the upstream application layer, which improves the security of PCIe link data transmission and the concealment of the encryption and decryption action.
Specific embodiment
Specific embodiments of the invention are given below. The specific embodiment only serves to describe the invention further and does not limit the scope of protection of the claims.
The invention provides a method (the method, for short) of transparent encryption and decryption of data transmitted over a PCIe link, characterized in that an encryption/decryption module is added in hardware between the host computer and the device end, and the method is divided into a sending direction and a receiving direction, specifically comprising the following steps:
Sending direction:
(1) The data stream of the host computer is transferred over the PCIe physical layer high-speed serial transmission channel; the PCIe data link layer manages the data transmission workflow, and at the PCIe data link layer the command resolution unit of the encryption/decryption module completes the parsing. The parsed data provides the encryption/decryption module with the key information about the downstream communication: physical address information, operation type, valid data length and check code;
(2) According to the specific requirements of the application project, the extracted critical data segment is used, and the data segment contents are written into the to-be-encrypted data storage area of the encryption/decryption module;
(3) The encryption unit of the encryption/decryption module is called to perform an encryption operation on the contents of the to-be-encrypted data storage area; encryption uses a symmetric encryption algorithm;
(4) The data for which encryption has been completed is written into the to-be-sent data storage area of the encryption/decryption module;
(5) The encrypted data is re-encapsulated at the PCIe data link layer, sent from the PCIe data link layer to the PCIe physical layer and then transmitted to the device end, completing the data send;
Receiving direction:
(1) The data packet from the device end is transferred over the PCIe physical layer high-speed serial transmission channel; the PCIe data link layer manages the data transmission workflow, and at the PCIe data link layer the reception resolution unit of the encryption/decryption module parses the received data packet and extracts the valid control information, such as the data length;
(2) According to the specific requirements of the application project, the extracted valid encrypted data segment is used, and its contents are written into the to-be-decrypted data storage area of the encryption/decryption module;
(3) The decryption unit of the encryption/decryption module is called to perform a decryption operation on the contents of the to-be-decrypted data storage area; decryption uses the symmetric decryption algorithm;
(4) The data for which decryption has been completed is written into the to-be-read data storage area of the encryption/decryption module;
(5) A receive-transaction interrupt is reported to the host computer, and the host computer initiates a read transaction operation; according to the specific transaction type initiated by the host computer, the PCIe data link layer completes the response with the corresponding transaction frame, the decrypted data is re-encapsulated at the PCIe data link layer, sent from the PCIe data link layer to the PCIe physical layer and then transmitted to the host computer, completing the data receive.
The encryption/decryption module can parse the data stream of the PCIe data link layer and analyze the operation type of the content transferred at the data link layer: command types are forwarded directly, while data types are extracted and subjected to the encryption or decryption action;
The host computer is the source of the data to be transparently encrypted and the destination of the transparently decrypted data;
The device end is the source of the data to be transparently decrypted and the destination of the transparently encrypted data.
For the parts not addressed by the invention, the prior art applies.
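As an added illustration, not code from the patent or its assignee, the following Python simulation models the two directions described above: a constructed, simplified link-layer frame (first byte carrying the PCIe TLP Fmt/Type value, a 32-bit address, a length field, the payload and a CRC32 standing in for the check code), a command-resolution step that forwards command-type frames unchanged and encrypts only payload-carrying data frames, an encryption and a decryption unit, a to-be-read area with a receive interrupt, and re-encapsulation. The patent does not name its symmetric algorithm; the stand-in here is a counter-mode keystream derived from HMAC-SHA256 with an HMAC tag, chosen so the example runs on the standard library alone. The names Frame, CryptoModule, encrypt_unit, decrypt_unit, run_link_demo and tamper_detected, the demo key and the sample payloads are all assumptions of this example.

```python
"""Simulation of a transparent encrypt/decrypt module on a PCIe-style link.
Constructed example: simplified framing and a stand-in symmetric cipher."""
import hashlib
import hmac
import struct
import zlib
from dataclasses import dataclass

# Constructed demo key; a hardware module would hold this in on-chip key storage.
KEY = hashlib.sha256(b"constructed-demo-key").digest()

# First header byte (Fmt/Type) of the TLP kinds the simulation distinguishes.
MWR = 0x40     # Memory Write with data: host -> device payload (data type)
CPLD = 0x4A    # Completion with data: device -> host payload (data type)
CFGWR0 = 0x44  # Configuration Write: a command type, forwarded unchanged
DATA_KINDS = {MWR, CPLD}


@dataclass
class Frame:
    """Simplified link-layer frame: Fmt/Type, address, length, payload, CRC32 check code."""
    kind: int
    addr: int
    payload: bytes

    def pack(self) -> bytes:
        body = struct.pack(">BIH", self.kind, self.addr, len(self.payload)) + self.payload
        return body + struct.pack(">I", zlib.crc32(body))

    @classmethod
    def parse(cls, raw: bytes) -> "Frame":
        body, crc = raw[:-4], struct.unpack(">I", raw[-4:])[0]
        if zlib.crc32(body) != crc:
            raise ValueError("check code mismatch")
        kind, addr, length = struct.unpack(">BIH", body[:7])
        if len(body) - 7 != length:
            raise ValueError("valid data length mismatch")
        return cls(kind, addr, body[7:])


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", c), hashlib.sha256).digest()
              for c in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def encrypt_unit(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    """Encryption unit: returns nonce || ciphertext || 16-byte tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]


def decrypt_unit(key: bytes, blob: bytes) -> bytes:
    """Decryption unit: verifies the tag before releasing any plaintext."""
    if len(blob) < 28:
        raise ValueError("encrypted segment too short")
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class CryptoModule:
    """One side of the link; direction is mixed into the nonce so the two
    directions sharing one key never reuse a counter value."""

    def __init__(self, key: bytes, direction: int):
        self.key, self.direction, self.tx_counter = key, direction, 0
        self.to_read = []               # the to-be-read data storage area
        self.interrupt_pending = False

    def _nonce(self) -> bytes:
        self.tx_counter += 1
        return struct.pack(">QI", self.tx_counter, self.direction)

    def send(self, raw: bytes) -> bytes:
        """Sending direction, steps (1)-(5)."""
        f = Frame.parse(raw)                           # (1) command resolution
        if f.kind not in DATA_KINDS or not f.payload:
            return raw                                 # command type: forward as-is
        enc = encrypt_unit(self.key, f.payload, self._nonce())  # (2)-(4)
        return Frame(f.kind, f.addr, enc).pack()       # (5) re-encapsulate

    def receive(self, raw: bytes) -> Frame:
        """Receiving direction, steps (1)-(5)."""
        f = Frame.parse(raw)                           # (1) reception resolution
        if f.kind in DATA_KINDS and f.payload:
            f = Frame(f.kind, f.addr, decrypt_unit(self.key, f.payload))  # (2)-(3)
        self.to_read.append(f)                         # (4) to-be-read area
        self.interrupt_pending = True                  # (5) receive interrupt
        return f

    def host_read(self) -> list:
        """Host read transaction after the interrupt: drains the to-be-read area."""
        frames, self.to_read = self.to_read, []
        self.interrupt_pending = False
        return frames


def run_link_demo() -> dict:
    """Host writes a secret to the device; device answers with a completion."""
    host_side, dev_side = CryptoModule(KEY, 0), CryptoModule(KEY, 1)
    secret = b"sensor calibration table v1"            # constructed sample payload
    wire = host_side.send(Frame(MWR, 0x1000, secret).pack())
    on_wire = Frame.parse(wire).payload                # what a bus analyzer sees
    at_device = dev_side.receive(wire).payload
    cfg = Frame(CFGWR0, 0, b"\x00\x00\x00\x01").pack()
    host_side.receive(dev_side.send(Frame(CPLD, 0x1000, b"ACK:" + secret).pack()))
    irq = host_side.interrupt_pending
    delivered = host_side.host_read()[0].payload
    return {"on_wire": on_wire, "at_device": at_device, "irq": irq,
            "cfg_unchanged": host_side.send(cfg) == cfg, "delivered": delivered}


def tamper_detected() -> bool:
    """A modified ciphertext with a recomputed CRC passes the check code but fails the tag."""
    tx, rx = CryptoModule(KEY, 0), CryptoModule(KEY, 1)
    f = Frame.parse(tx.send(Frame(MWR, 0x2000, b"hello").pack()))
    bad = bytearray(f.payload)
    bad[12] ^= 0x01                                    # flip the first ciphertext byte
    try:
        rx.receive(Frame(f.kind, f.addr, bytes(bad)).pack())
    except ValueError:
        return True
    return False
```

Two design points follow from the patent's own description. First, because the module re-encapsulates at the link layer, the check code is recomputed on the outgoing frame, so it only catches line errors; the authentication tag in the encrypted segment is what rejects a modified ciphertext, as tamper_detected shows. Second, a single shared key serving both directions means the sending and receiving units must never reuse a nonce, which is why the direction is part of the counter-mode nonce here.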

Claims (1)

  1. A method of transparent encryption and decryption of data transmitted over a PCIe link, characterized in that the method adds an encryption/decryption module in hardware between the host computer and the device end, and the method is divided into a sending direction and a receiving direction, specifically comprising the following steps:
    Sending direction:
    (1) The data stream of the host computer is transferred over the PCIe physical layer high-speed serial transmission channel; the PCIe data link layer manages the data transmission workflow, and at the PCIe data link layer the command resolution unit of the encryption/decryption module completes the parsing. The parsed data provides the encryption/decryption module with the key information about the downstream communication: physical address information, operation type, valid data length and check code;
    (2) According to the specific requirements of the application project, the extracted critical data segment is used, and the data segment contents are written into the to-be-encrypted data storage area of the encryption/decryption module;
    (3) The encryption unit of the encryption/decryption module is called to perform an encryption operation on the contents of the to-be-encrypted data storage area; encryption uses a symmetric encryption algorithm;
    (4) The data for which encryption has been completed is written into the to-be-sent data storage area of the encryption/decryption module;
    (5) The encrypted data is re-encapsulated at the PCIe data link layer, sent from the PCIe data link layer to the PCIe physical layer and then transmitted to the device end, completing the data send;
    Receiving direction:
    (1) The data packet from the device end is transferred over the PCIe physical layer high-speed serial transmission channel; the PCIe data link layer manages the data transmission workflow, and at the PCIe data link layer the reception resolution unit of the encryption/decryption module parses the received data packet and extracts the valid control information, such as the data length;
    (2) According to the specific requirements of the application project, the extracted valid encrypted data segment is used, and its contents are written into the to-be-decrypted data storage area of the encryption/decryption module;
    (3) The decryption unit of the encryption/decryption module is called to perform a decryption operation on the contents of the to-be-decrypted data storage area; decryption uses the symmetric decryption algorithm;
    (4) The data for which decryption has been completed is written into the to-be-read data storage area of the encryption/decryption module;
    (5) A receive-transaction interrupt is reported to the host computer, and the host computer initiates a read transaction operation; according to the specific transaction type initiated by the host computer, the PCIe data link layer completes the response with the corresponding transaction frame, the decrypted data is re-encapsulated at the PCIe data link layer, sent from the PCIe data link layer to the PCIe physical layer and then transmitted to the host computer, completing the data receive.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711359486.8A CN108055268A (en) 2017-12-17 2017-12-17 A kind of method based on PCIe link data penetration transmission encryption and decryption

Publications (1)

Publication Number Publication Date
CN108055268A true CN108055268A (en) 2018-05-18

Family

ID=62133531

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711359486.8A Pending CN108055268A (en) 2017-12-17 2017-12-17 A kind of method based on PCIe link data penetration transmission encryption and decryption

Country Status (1)

Country Link
CN (1) CN108055268A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110099062A (en) * 2019-05-07 2019-08-06 山东渔翁信息技术股份有限公司 A kind of encryption method of network data, decryption method and relevant apparatus
CN113961481A (en) * 2021-12-23 2022-01-21 苏州浪潮智能科技有限公司 CPU interconnection bus architecture and electronic equipment
CN116070295A (en) * 2023-02-27 2023-05-05 赛芯半导体技术(北京)有限公司 Data processing system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102130768A (en) * 2010-12-20 2011-07-20 西安西电捷通无线网络通信股份有限公司 Terminal equipment having capability of encrypting and decrypting link layer and data processing method thereof
CN105592107A (en) * 2016-03-01 2016-05-18 南京富岛信息工程有限公司 Device and method for safely collecting industrial process data on basis of FPGA
CN106295375A (en) * 2016-08-23 2017-01-04 记忆科技(深圳)有限公司 A kind of encryption hard disk supporting PCI E interface
CN106326754A (en) * 2016-08-23 2017-01-11 记忆科技(深圳)有限公司 Data transmission encryption device implemented based on PCIE (Peripheral Component Interface Express) interface
CN106549970A (en) * 2016-11-25 2017-03-29 济南浪潮高新科技投资发展有限公司 A kind of PCIE interface data encipher-decipher methods based on FPGA
US20170139867A1 (en) * 2015-11-16 2017-05-18 Apacer Technology Inc. PCIe BRIDGE TRANSFORMATION DEVICE AND METHOD THEREOF

Similar Documents

Publication Publication Date Title
CN105592107B (en) A kind of safe harvester of industrial process data based on FPGA and method
CN105530263B (en) A kind of extra lightweight RFID mutual authentication methods based on tag ID
CN111859472B (en) Security plug-in for system-on-chip platform
CN102138300B (en) Message authentication code pre-computation with applications to secure memory
CN108432205A (en) Use the system and method for the multi-party communication of the safety of agency
CN103701598B (en) It is a kind of that endorsement method and digital signature device are checked based on SM2 signature algorithms
US10715332B2 (en) Encryption for transactions in a memory fabric
CN104992119B (en) A kind of safe transmission method and system of sensitive information Anti-theft
CN108055268A (en) A kind of method based on PCIe link data penetration transmission encryption and decryption
CN107533471A (en) Virtualization applications performance is improved by disabling unnecessary function
CN105357218A (en) Router with hardware encryption and decryption function and encryption and decryption method of router
CN106330869A (en) Data security protection system and method based on cloud application
CN108173652A (en) IPSec VPN cipher machines based on quantum key distribution
CN108322488A (en) The system that trust data is shared and distributes is realized in multiple car networkings
CN107342861A (en) A kind of data processing method, apparatus and system
CN110061967A (en) Business datum providing method, device, equipment and computer readable storage medium
CN109977685A (en) Web page contents encryption method, encryption device and system
CN108173769A (en) A kind of message transmitting method, device and computer readable storage medium
CN107172028A (en) A kind of fieldbus data sharing method and device
CN104602208B (en) A kind of SMS encryption communication means based on mobile network
CN102325025B (en) Data processing method and system for verifying provision source authenticity
CN106452752A (en) Method and system of modifying cipher, client, server and smart device
CN103873245B (en) Dummy machine system data ciphering method and equipment
CN116488919B (en) Data processing method, communication node and storage medium
CN107317819A (en) Encryption method, decryption method and its device of conventional data based on trust data form

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180518