CN110851888A - High-performance security encryption system with double-path heterogeneous function - Google Patents

Info

Publication number: CN110851888A
Authority: CN (China)
Prior art keywords: processing module; module; data; heterogeneous; service processing
Legal status: Pending
Application number: CN201910967854.XA
Other languages: Chinese (zh)
Inventors: 牛晓东, 孟祥臣, 毕顺利, 李得泉, 徐经纬, 张照松, 郭建岩
Current Assignee: TIANJIN TOEC JN SPECIAL COMMUNICATION EQUIPMENT CO Ltd
Original Assignee: TIANJIN TOEC JN SPECIAL COMMUNICATION EQUIPMENT CO Ltd
Application filed by: TIANJIN TOEC JN SPECIAL COMMUNICATION EQUIPMENT CO Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/85 Protecting input, output or interconnection devices: interconnection devices, e.g. bus-connected or in-line devices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a high-performance security encryption system with a dual-path heterogeneous function, comprising: a service processing module for encrypting and decrypting the input data; a heterogeneous processing module that serves as the other path for encrypting and decrypting the input data and adopts a software and hardware architecture different from that of the service processing module; and a measurement module that receives the encryption and decryption outputs of the service processing module and the heterogeneous processing module, measures the consistency of the output results, and cuts off data input if the output results are inconsistent. The invention can prevent data from being tampered with during encryption and decryption and improves the security of encrypted storage.

Description

High-performance security encryption system with double-path heterogeneous function
Technical Field
The invention relates to the technical field of information and security data encryption, in particular to a high-performance security encryption system with a double-path heterogeneous function based on a domestic cryptographic algorithm.
Background
With the national emphasis on information security technology, many organizations and enterprises now require the use of domestic algorithms to protect their information data. In response, many manufacturers have developed cryptographic cards based on interfaces such as PCIE. With the large increase in user scale, higher requirements are also placed on the security and reliability of the cryptographic card's encryption and decryption processing.
The existing data encryption and decryption storage method based on the domestic cryptographic algorithm is shown in FIG. 1. Data to be encrypted and stored enters an interface module through a PCIE interface; the interface module distributes the data to a service processing module for encryption and decryption; the processed data is sent back to the interface module and sent out through the PCIE interface, completing the encryption and decryption of the data to be stored.
In the conventional encrypted storage scheme, if data entering the PCIE interface is tampered with, or data is tampered with during encryption and decryption algorithm processing in the service processing module, the device cannot detect it, which greatly reduces the security and reliability of the scheme.
Disclosure of Invention
The invention is a high-performance security encryption system with a dual-path heterogeneous function. It uses two links with completely different interfaces, different chips and different protocols to encrypt and decrypt the received data at the same time, and finally compares the encryption and decryption results of the two links together with the key data; if the results are inconsistent, the data has probably been tampered with. The invention can prevent data from being tampered with during encryption and decryption and improves the security of encrypted storage, as detailed in the following description:
A high-performance security encryption system with a dual-path heterogeneous function, the system comprising:
a service processing module for encrypting and decrypting the input data;
a heterogeneous processing module, serving as the other path for encrypting and decrypting the input data, which adopts a software and hardware architecture different from that of the service processing module;
and a measurement module for receiving the encryption and decryption outputs of the service processing module and the heterogeneous processing module, measuring the consistency of the output results, and cutting off data input if the output results are inconsistent.
The measurement module is further used for performing integrity measurement on data during operation of the service processing module.
Further, the system further comprises:
the interface module is used for processing data transmission between the PCIE interface and the application host, forwarding data received by the PCIE interface to the service processing module and the heterogeneous processing module, and sending out the data processed by the service processing module through the PCIE interface;
and the PCIE interface is also used for cutting off input data of the PCIE interface according to the control signal of the measurement module.
Wherein the system further comprises:
and the micro-electric protection module is used for detecting whether the shell is abnormally opened or not, destroying the startup component stored inside if the shell is abnormally opened, and informing the configuration management module to destroy other data.
The technical scheme provided by the invention has the beneficial effects that:
1. The device adopts a modular design and has functions such as dual-path heterogeneous measurement and measurement of cryptographic algorithm key data. When it finds an abnormality, it immediately reports it and raises an audible and visual alarm; at the same time it can block data reception and transmission on the PCIE interface. It has a certain capability of resisting unknown attacks and offers higher security and reliability;
2. The encryption and decryption rate of the whole machine is greater than or equal to 400 Mbps, and the encryption delay is less than or equal to 1 ms;
3. The invention is a high-speed data encryption device implemented with FPGA programming. It has a resource management function, supports cryptographic algorithm replacement and local classified destruction of cryptographic resources, and has an emergency-switch destruction measure.
Drawings
FIG. 1 is a schematic diagram of a prior art encrypted storage;
FIG. 2 is a schematic structural diagram of a secure encryption system provided by the present invention;
FIG. 3 is a detailed structural diagram of a secure encryption system provided by the present invention;
FIG. 4 is a schematic diagram of a hardware structure of the secure encryption system provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention are described in further detail below.
Example 1
A high-performance security encryption system with a dual-path heterogeneous function, whose structure is shown in FIG. 2 and whose detailed structure is shown in FIG. 3. The system comprises: a service processing module 1 responsible for encryption and decryption, a heterogeneous processing module 2, a measurement module 3, an interface module 4, a configuration management module 5, a configuration management host 6, a PCIE interface 7, a micro-electric protection module 8 and an application host 9.
The heterogeneous processing module 2 implements the same function as the service processing module 1 but adopts a different software and hardware architecture. The measurement module 3 receives the encryption and decryption outputs of the service processing module 1 and the heterogeneous processing module 2, performs consistency measurement on them, and performs integrity measurement on key data during the operation of the service processing module 1.
When abnormal conditions are found, such as inconsistent encryption and decryption outputs of the service processing module 1 and the heterogeneous processing module 2, or tampering of key data during operation of the service processing module 1, the data input of the interface module 4 is cut off and the service processing module stops working. The security and reliability of the whole data link are thereby improved.
The system composition of the safety encryption equipment mainly comprises the following parts:
1. Service processing module 1
It provides users with data encryption and decryption services based on the domestic cryptographic algorithms and supports SM2, SM3 and SM4. The SM4 algorithm is implemented on an FPGA, and the SM2 and SM3 algorithms are implemented on dedicated chips.
2. Heterogeneous processing module 2
Its function is the same as that of the service processing module 1, but it uses hardware and software completely different from those of the service processing module 1.
3. Measurement module 3
It receives the encryption and decryption outputs of the service processing module 1 and the heterogeneous processing module 2, performs consistency measurement, and performs integrity measurement on key data during the operation of the service processing module 1.
When the encryption and decryption outputs of the service processing module 1 and the heterogeneous processing module 2 are inconsistent, or the key data in the running service processing module 1 has been tampered with, the data input of the interface module 4 is cut off so that the service processing module stops working. At the same time, it notifies the configuration management module 5 of the abnormal state, by an indicator lamp or the like.
4. Interface module 4
And processing data transmission between the PCIE interface 7 and the application host 9, forwarding the data received by the PCIE interface 7 to the service processing module 1 and the heterogeneous processing module 2 through corresponding interfaces, and sending out the data processed by the service processing module 1 through the PCIE interface 7. If an abnormal condition occurs, the data of the PCIE interface 7 is cut off according to the control signal of the measurement module 3.
5. Configuration management module 5
A processor without an operating system, it receives data such as parameters, keys, security policies and firmware transmitted by the configuration management host 6, provides data such as device information, device states and log information to the configuration management host 6, and provides the system with functions such as power-on self-check, algorithm self-check, noise self-check, FPGA configuration, distribution of security policies and cryptographic resources, data destruction and indicator-light state indication.
6. Configuration management host 6
It is connected to the configuration management module 5 through a configuration management interface. A dedicated processing interface library, production software and test software are deployed on the configuration management host 6, giving it functions such as device management, key management, security audit, log query and production acceptance.
7. Micro-electric protection module 8
It runs on main power while the device is powered and on a button cell when power is cut, and detects whether the device shell has been abnormally opened. When abnormal opening is found, the micro-electric protection module 8 destroys the startup component stored inside and notifies the configuration management module 5 to destroy other data.
8. Application host 9
It is directly connected to the interface module 4 through the PCIE interface 7, and an application is deployed on the application host 9 to provide data encryption and decryption functions for users. The application host 9 supports a PC terminal; the supported operating systems are Kylin (Feiteng and x86 platforms, kernel version 4.X), Windows 7 and Windows 10.
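A software model of the Example 1 data flow between the interface module, the two processing paths and the measurement module, added here as an illustration and not taken from the patent. Assumptions: a SHA-256 counter-mode XOR stands in for the SM4 hardware paths, the cipher key stands in for the "key data" that is integrity-measured, and the latch, the withholding of output until measurement passes, and all names are hypothetical.

```python
import hashlib
import hmac
import struct


def service_path(key: bytes, data: bytes) -> bytes:
    """Path A. Stand-in cipher (SHA-256 counter-mode XOR), NOT SM4."""
    out = bytearray()
    for off in range(0, len(data), 32):
        chunk = data[off:off + 32]
        ks = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        x = int.from_bytes(chunk, "big") ^ int.from_bytes(ks[:len(chunk)], "big")
        out += x.to_bytes(len(chunk), "big")
    return bytes(out)


def heterogeneous_path(key: bytes, data: bytes) -> bytes:
    """Path B. Same function, written separately and byte-at-a-time."""
    out = bytearray(len(data))
    ks = b""
    for pos, byte in enumerate(data):
        if pos % 32 == 0:                      # start of a new keystream block
            h = hashlib.sha256()
            h.update(key)
            h.update(struct.pack(">Q", pos // 32))
            ks = h.digest()
        out[pos] = byte ^ ks[pos % 32]
    return bytes(out)


class MeasurementModule:
    """Consistency measurement of both outputs plus integrity measurement."""

    def __init__(self, key_data: bytes):
        self._baseline = hashlib.sha256(key_data).digest()
        self.cut_off = False                   # latched control signal
        self.alarms = []

    def measure(self, key_data: bytes, out_a: bytes, out_b: bytes) -> bool:
        if hashlib.sha256(key_data).digest() != self._baseline:
            self._trip("key data integrity")
        elif not hmac.compare_digest(out_a, out_b):
            self._trip("path output mismatch")
        return not self.cut_off

    def _trip(self, reason: str) -> None:
        self.cut_off = True
        self.alarms.append(reason)


class InterfaceModule:
    """Fans input out to both paths; releases only the service path's output."""

    def __init__(self, key: bytes, fault=None):
        self.key_data = bytearray(key)         # runtime copy that is measured
        self.measurement = MeasurementModule(bytes(key))
        self.fault = fault                     # test hook: corrupts path A output

    def submit(self, data: bytes):
        if self.measurement.cut_off:
            return None                        # input stays cut once tripped
        key = bytes(self.key_data)
        out_a = service_path(key, data)
        if self.fault is not None:
            out_a = self.fault(out_a)
        out_b = heterogeneous_path(key, data)
        if not self.measurement.measure(key, out_a, out_b):
            return None
        return out_a


def flip_first_bit(buf: bytes) -> bytes:
    """Constructed fault: one flipped bit in the service path's result."""
    return bytes([buf[0] ^ 0x01]) + buf[1:] if buf else buf


if __name__ == "__main__":
    key = b"constructed-demo-key"              # constructed sample values
    msg = b"constructed sample record " * 3
    good = InterfaceModule(key)
    print("clean run released:", good.submit(msg) is not None)
    bad = InterfaceModule(key, fault=flip_first_bit)
    print("faulted run released:", bad.submit(msg) is not None,
          bad.measurement.alarms)
    altered = InterfaceModule(key)
    altered.key_data[0] ^= 0x01                # both paths now share a bad key
    print("altered key released:", altered.submit(msg) is not None,
          altered.measurement.alarms)
```

In the third case both paths still agree with each other because they share the altered key data, so in this model only the integrity measurement trips.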
Example 2
The scheme of Example 1 is described in detail below with reference to FIGS. 2-4:
The hardware of the security encryption device is a single mainboard, powered through the PCIE interface, with a configuration management port, a destruction button and an indicator light provided. As shown in FIG. 4, the hardware structure of the security encryption device is divided into 6 modules: an interface module 4, a service processing module 1, a heterogeneous processing module 2, a measurement module 3, a configuration management module 5 and a micro-electric protection module 8, which are described in turn below.
First, service processing module 1
The service processing module 1 performs encryption and decryption processing on data of the application host 9.
A) The FPGA is an XC7K325tffg; it communicates with the interface module over a 66 MHz, 16-bit-wide parallel bus and is connected to the configuration management module through SPI.
B) The SM2/SM3 algorithms needed in the encryption and decryption process are implemented by an external algorithm chip; the chip selected is the HSM2-H1 of macrostem electrons. The chip can perform 20,000 SM2 digital signatures per second and 10,000 SM2 digital signature verifications per second. The SM3 hash algorithm performance can reach 1.0 Gbps.
C) The SM4 symmetric algorithm used in the encryption and decryption process is implemented by the FPGA at a rate of 800 Mbps.
Second, heterogeneous processing module 2
The heterogeneous processing module 2 and the service processing module 1 implement the same service function but use completely different chips and protocols.
A) Its core is a high-performance 8-core DSP chip, the TMS320C6678, which communicates with the interface FPGA over SRIO, a different communication interface from the one between the service processing module and the interface FPGA;
B) The SM2/SM3 algorithms needed in encryption and decryption are implemented by an external algorithm chip; the SSX1510 of Qinghua microelectronics is selected, which is different from the HSM2-H1 algorithm chip of the service processing module.
Third, measurement module 3
The measurement module 3 receives data from the service processing module 1 and the heterogeneous processing module 2 for measurement. Its main body is an FPGA, an XC7K325tffg, which is connected to the service processing module 1 through the 66 MHz, 16-bit bus and to the heterogeneous processing module 2 through SRIO. It is connected to the interface module 4 through SPI and, when a measurement error is found, immediately sends a command to the interface module 4 to cut off transmission.
Fourth, interface module 4
The interface FPGA is an XC7K325tffg from Xilinx.
A) It acts as an endpoint device and communicates with the host through the PCIE interface, at a maximum rate of 5 GT/s;
B) It communicates with the service processing module 1 over a 66 MHz, 16-bit-wide parallel bus;
C) It communicates with the heterogeneous processing module 2 over Serial Rapid IO (SRIO), so that the communication mode is also heterogeneous; the single-lane transmission rate is 3.125-5 Gbps.
Fifth, configuration management module 5
The configuration management module 5 can be connected to the configuration management system 6 (computer + configuration management software) through a configuration management interface (USB 2.0) to receive data such as parameters, keys and security policies. Its core is an STM32F401VBT6, and it is connected to the service processing module 1, the heterogeneous processing module 2 and the measurement module 3 through a bus-extension FPGA to manage and configure those modules. It is connected to the micro-electric protection module 8 through RS232.
Sixth, micro-electric protection module 8
After the host computer is powered off, the micro-electric protection module 8 can continue to provide functions such as cover-opening detection and button destruction for the device. The main control chip of the micro-electric protection module is an ultra-low-power single-chip microcontroller, the HC32L110, whose working current in low-power mode is only 1.6 µA; paired with a CR2032 button battery, the micro-electric protection unit can work continuously for 17 years.
In the embodiment of the present invention, except for the specific description of the model of each device, the model of other devices is not limited, as long as the device can perform the above functions.
Those skilled in the art will appreciate that the drawings are only schematic illustrations of preferred embodiments, and the above-described embodiments of the present invention are merely provided for description and do not represent the merits of the embodiments.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (4)

1. A high-performance security encryption system with a dual-path heterogeneous function, the system comprising:
a service processing module for encrypting and decrypting the input data;
a heterogeneous processing module, serving as the other path for encrypting and decrypting the input data, which adopts a software and hardware architecture different from that of the service processing module;
and a measurement module for receiving the encryption and decryption outputs of the service processing module and the heterogeneous processing module, measuring the consistency of the output results, and cutting off data input if the output results are inconsistent.
2. The system of claim 1, wherein the measurement module is further configured to perform integrity measurement on data during operation of the service processing module.
3. A two-way heterogeneous high performance secure encryption system according to claim 1, further comprising:
the interface module is used for processing data transmission between the PCIE interface and the application host, forwarding data received by the PCIE interface to the service processing module and the heterogeneous processing module, and sending out the data processed by the service processing module through the PCIE interface;
and the PCIE interface is also used for cutting off input data of the PCIE interface according to the control signal of the measurement module.
4. A two-way heterogeneous high performance secure encryption system according to claim 1, further comprising:
and the micro-electric protection module is used for detecting whether the shell is abnormally opened or not, destroying the startup component stored inside if the shell is abnormally opened, and informing the configuration management module to destroy other data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910967854.XA CN110851888A (en) 2019-10-12 2019-10-12 High-performance security encryption system with double-path heterogeneous function

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910967854.XA CN110851888A (en) 2019-10-12 2019-10-12 High-performance security encryption system with double-path heterogeneous function

Publications (1)

Publication Number Publication Date
CN110851888A (en) 2020-02-28

Family

ID=69597849

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910967854.XA Pending CN110851888A (en) 2019-10-12 2019-10-12 High-performance security encryption system with double-path heterogeneous function

Country Status (1)

Country Link
CN (1) CN110851888A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 4, Floor 1, No. 139 Shenzhou Avenue, Binhai High-tech Zone, Binhai New Area, Tianjin, 300392

Applicant after: JUNENG SPECIAL COMMUNICATION EQUIPMENT CO.,LTD., TOEC GROUP CO.,LTD.

Address before: No.6, Taishan Road, Hexi District, Tianjin 300210

Applicant before: JUNENG SPECIAL COMMUNICATION EQUIPMENT CO.,LTD., TOEC GROUP CO.,LTD.

WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200228