CN114389884B - Single-port Ethernet isolation card and isolation method thereof - Google Patents

Publication number: CN114389884B
Application number: CN202210042479.XA
Authority: CN (China)
Other versions: CN114389884A
Other languages: Chinese (zh)
Inventor: name withheld at the applicant's request
Assignee (current and original): Beijing Guang Runtong Technology Development Co ltd
Legal status: Active (granted)
Prior art keywords: card, message, port, address, isolation

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload


Abstract

The application belongs to the technical field of communication security, and in particular relates to a single-port Ethernet isolation card and an isolation method thereof. In the isolation method based on the single-port Ethernet isolation card, the isolation card is used as a sending card that encrypts and sends data, and the isolation algorithm configured on the sending card is as follows: S1: receive an Ethernet frame sent by the sending terminal and filter the Ethernet frame from the outermost layer inward; S2: for a request message that meets the filtering condition, obtain the corresponding secret key from the encryption module of the sending card, encrypt the request message with that key using the encryption algorithm, and then send the encrypted request message to the receiving card. The application provides a new single-port Ethernet isolation card and isolation method that need no additional hardware encryption module: the encryption module and the ordinary control module are integrated on the same network card, no key is transmitted during encryption and decryption, and the key is always stored on the isolation card, which improves both security and transmission rate.

Description

Single-port Ethernet isolation card and isolation method thereof
Technical Field
The application belongs to the technical field of communication safety, and particularly relates to a single-port Ethernet isolation card and an isolation method thereof.
Background
With the increasing popularity of network products, the demand for transmission performance and security keeps growing. Security has become an important measure of the data transmission of network hardware products in institutions such as the military industry and scientific research institutes. Typical hardware transmission products (network cards) on the market at present provide no encryption protection for transmitted data. Some comparable products can encrypt transmitted data, but greatly reduce the network card transmission rate: taking 10100 megabit bandwidth transmission as an example, encrypted transmission currently reaches only about 250 Mb/S. Others rely on software to encrypt transmitted data and lack the independence and efficiency of hardware encryption.
Disclosure of Invention
To address these problems, the application provides a novel single-port Ethernet isolation card and an isolation method thereof.
The specific technical scheme of the application is as follows:
the application provides an isolation method based on a single-port Ethernet isolation card, wherein the isolation card is used as a sending card that encrypts and sends data, the sending card is installed on a sending terminal, and the isolation algorithm of the sending card is configured as follows:
S1: receive an Ethernet frame sent by the sending terminal, filter the Ethernet frame from the outermost layer inward, and select the messages that meet the condition;
S2: for a request message that meets the filtering condition, obtain the corresponding secret key from the encryption module of the sending card, encrypt the request message with that key using the encryption algorithm, and then send the encrypted request message to the corresponding receiving card.
In the isolation method of the single-port Ethernet isolation card, the isolation card is also used as a receiving card that decrypts received data; the receiving card is installed on a receiving terminal, and the isolation algorithm configured on the receiving card is as follows:
S1011: receive a request message sent by the corresponding sending terminal, and filter the request message from the outermost layer inward to obtain the messages that meet the condition;
S1012: for a request message that meets the filtering condition, obtain the corresponding secret key from the encryption and decryption module of the receiving card, and decrypt the request message with that key using the decryption algorithm.
The single-port Ethernet isolation card is a transmitting card, the transmitting card comprises a circuit board, an encryption module, a control module and a power module are integrated on the circuit board, the encryption module and the power module are connected with the control module, the encryption module comprises an encryption chip and a memory chip, an encryption algorithm is burnt in the encryption chip, a secret key, a released IP address list or a released port address list is stored in the memory chip, and the encryption chip is used for encrypting a received request message based on the secret key;
preferably, the isolation card is a receiving card, the receiving card comprises a circuit board, a decryption module, a control module and a power module are integrated on the circuit board, the decryption module and the power module are both connected with the control module, the decryption module comprises a decryption chip and a storage chip, a decryption algorithm is burnt in the decryption chip, a secret key, a released IP address list or a released port address list are stored in the storage chip, and the decryption chip is used for decrypting the received request message based on the secret key.
The beneficial effects of the application are as follows:
the application provides a new single-port Ethernet isolation card and an isolation method thereof, which do not need to additionally increase a hardware encryption module, the encryption module and a common control module are integrated on the same network card and are smoothly linked, a secret key is not required to be transmitted in the encryption and decryption process, and the secret key is always stored on the isolation card, so that the safety and the transmission rate are improved.
Drawings
FIG. 1 is a flow chart of a sending card in the present application;
FIG. 2 is a flow chart of a receiving card according to the present application;
FIG. 3 is a flow chart of an isolation method based on a single port Ethernet isolation card in the application;
FIG. 4 is a logic diagram of an isolation method based on a single port Ethernet isolation card according to the application;
FIG. 5 is a flow chart of a protocol determination method according to the present application;
FIG. 6 is a flow chart of a method for determining IP addresses and ports according to the present application;
FIG. 7 is a flow chart of a method for determining IP addresses and ports according to the present application;
FIG. 8 is a circuit block diagram of a sending card of the present application;
FIG. 9 is a circuit block diagram of a receiving card of the present application.
Detailed Description
The present application is further described below with reference to the drawings and examples, which are only for explaining the present application and are not intended to limit the scope of the present application.
The steps illustrated by the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions. Although a logical order is depicted in the flowchart, in some cases the steps described may be performed in a different order than presented herein.
In some embodiments, the present application provides a single-port Ethernet isolation card and an isolation method thereof. As shown in FIG. 1, the isolation card is used as a sending card that encrypts and sends data, the sending card is installed on a sending terminal, and the isolation algorithm configured on the sending card is as follows:
S1: receive an Ethernet frame sent by the sending terminal, filter the Ethernet frame from the outermost layer inward, and select the messages that meet the condition;
S2: for a request message that meets the filtering condition, obtain the corresponding secret key from the encryption module of the sending card, encrypt the request message with that key using the encryption algorithm, and then send the encrypted request message to the corresponding receiving card.
The application provides a new isolation method based on a single-port Ethernet isolation card that needs no additional hardware encryption module: the encryption module and the ordinary control module are integrated on the same network card and work together directly, no key is transmitted during encryption and decryption, and the key is always stored on the isolation card, which improves both security and transmission rate.
As shown in FIG. 2, in the isolation method based on the single-port Ethernet isolation card, the isolation card is also used as a receiving card that decrypts received data; the receiving card is installed on a receiving terminal, and the isolation algorithm configured on the receiving card is as follows:
S1011: receive a request message sent by the corresponding sending terminal, and filter the request message from the outermost layer inward to obtain the messages that meet the condition;
S1012: for a request message that meets the filtering condition, obtain the corresponding secret key from the encryption and decryption module of the receiving card, and decrypt the request message with that key using the decryption algorithm.
The encryption algorithm and the decryption algorithm in this embodiment are the same algorithm; the names differ only to distinguish the sending end from the receiving end. Whether an isolation card acts as the sending card or the receiving card, one end is always the sending end and the other the receiving end, the algorithm is burnt into both ends, and the transmission indexes under IPv4 are the same. The specific transmission indexes are shown in Table 1:
table 1 technical index
As can be seen from Table 1, the transmission rate of the isolation card in data encryption mode in this embodiment is greater than the 1020Mb/S transmission rate of the prior-art encryption mode (disclosed in the background art), and the transmission rates in normal network card mode and intranet protection mode are also improved.
As shown in FIG. 3, in this embodiment the filtering content of the request message, from outside to inside, comprises a protocol, an IP address and a port: the outermost layer is the protocol of the message in the Ethernet frame, the next layer is the IP address, and the innermost layer is the port.
As shown in FIG. 4, in the operating system the transport layer is responsible for receiving and sending TCP and UDP packets, the network layer is responsible for receiving and sending IPv4 and IPv6 packets, and the MAC layer is the layer where the isolation card sits. The isolation card must perform the following functions at this layer:
1) filter the IPv4 and IPv6 messages out of the Ethernet frames;
2) filter and analyse each Ethernet frame according to the configuration data burnt into the network card in advance: the encryption protocol types (TCP, UDP), the encryption IP list, the release IP list and the encryption port list;
3) encrypt or decrypt the corresponding data according to the result of the filtering analysis.
The specific implementation of these functions is as follows:
as shown in fig. 5, the method for determining the protocol in S1 is as follows:
s11: after receiving the request message, judging whether the message is an IPV4 message, if yes, performing step S12, and if not, deleting the corresponding request message if the request message is not sent by the sending terminal;
s12: judging whether the IPV4 message is a UDP protocol message, if so, performing step S14, and if not, performing step S13;
s13: judging whether the IPV4 message is a TCP protocol message, if so, performing step S14, and if not, deleting the request message;
s14: judging whether the message meets the condition of frame protocol encryption according to the communication configuration parameters encapsulated in the request message;
preferably, the method for judging the protocol in S101 is as follows:
s1011: after receiving the request message, judging whether the message is an IPV4 message, if yes, performing step S1012, if not, deleting the corresponding request message if the request message is not sent by the sending terminal;
s1012: judging whether the IPV4 message is a UDP protocol message, if so, proceeding to step S1014, otherwise proceeding to step S1013;
s1013: judging whether the IPV4 message is a TCP protocol message, if so, proceeding to step S1014, and if not, deleting the request message;
s1014: judging whether the message meets the condition of frame protocol decryption according to the communication configuration parameters encapsulated in the request message.
As shown in FIG. 6, the method for determining the IP address and the port in step S1 of this embodiment is as follows:
S15: when the request message meets the frame protocol encryption condition, go to step S2; after the message has been protocol-encrypted, judge whether the communication configuration parameters match the IP address release condition; if so, release the IP address and send the message to the corresponding receiving card; if not, go to step S16;
S16: judge whether the communication configuration parameters match the port release condition; if so, release the port and send the message to the corresponding receiving card; if not, go to step S2 to encrypt the message data.
The method for determining the IP address and the port in step S101 is as follows:
S1015: when the request message meets the frame protocol decryption condition, go to step S102; after the message has been protocol-decrypted, judge whether the communication configuration parameters match the IP address release condition; if so, release the IP address and send the message to the corresponding receiving terminal; if not, go to step S1016;
S1016: judge whether the communication configuration parameters match the port release condition; if so, release the port and send the message to the corresponding receiving terminal; if not, go to step S102 to decrypt the message data.
As shown in FIG. 7, the method for determining the IP address and the port in step S1 of this embodiment is as follows:
S17: when the message does not meet the protocol encryption condition, judge whether the communication configuration parameters match the IP address release condition; if so, release the IP address and send the message to the corresponding receiving card; if not, go to step S18;
S18: judge whether the encrypted IP list stored in the sending card is empty; if so, go to step S102; if not, go to step S19;
S19: judge whether to encrypt the IP address according to the communication configuration parameters; if so, go to step S2, encrypt the address of the message and then go to step S102; if not, send the message to the corresponding receiving card;
S102: judge whether to encrypt the transmission port according to the communication configuration parameters; if so, go to step S2, encrypt the address of the message and then send the message to the corresponding receiving card; if not, send the message to the corresponding receiving card.
The method for determining the IP address and the port in step S101 is as follows:
S1017: when the message does not meet the protocol decryption condition, judge whether the communication configuration parameters match the IP address release condition; if so, release the IP address and send the message to the corresponding receiving terminal; if not, go to step S1018;
S1018: judge whether the decrypted IP list stored in the receiving card is empty; if so, go to step S1020; if not, go to step S1019;
S1019: judge whether to decrypt the IP address according to the communication configuration parameters; if so, go to step S102, decrypt the address of the message and then go to step S1020; if not, send the message to the corresponding receiving terminal;
S1020: judge whether to decrypt the transmission port according to the communication configuration parameters; if so, go to step S102, decrypt the address of the message and then send the message to the corresponding receiving terminal; if not, send the message to the corresponding receiving terminal.
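The filtering pipeline of steps S11 to S16 (sending card) and S1011 to S1016 (receiving card), as an added Python model that is not the patent's firmware: it parses a constructed Ethernet/IPv4 frame, deletes anything that is not IPv4 carrying UDP or TCP, applies the released-IP and released-port lists, and otherwise runs a 128-bit-block ECB pass over the transport payload, with the same function serving both card roles because, as the text says, the two ends share one algorithm. The frame layout, the configuration field names and the SHA-256 Feistel placeholder block cipher (standing in for SM4 ECB 128 / AES ECB 128) are assumptions, and steps S17 to S20 (address and port encryption) are not modelled. The block also carries the check a defender would run on captured ciphertext: under ECB, equal plaintext blocks give equal ciphertext blocks, and a payload that is not a multiple of 16 bytes leaves a partial block that ECB cannot encrypt without changing the length.

```python
import hashlib
import struct
from dataclasses import dataclass, field

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
BLOCK = 16  # 128-bit block, as for SM4 ECB 128 / AES ECB 128


@dataclass
class CardConfig:
    """Constructed stand-in for the card's burnt-in configuration data (assumed names)."""
    key: bytes
    encrypt_protocols: frozenset = field(default_factory=lambda: frozenset({PROTO_TCP, PROTO_UDP}))
    release_ips: frozenset = field(default_factory=frozenset)    # released IP address list
    release_ports: frozenset = field(default_factory=frozenset)  # released port address list


def _round(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def encrypt_block(key, block):
    """PLACEHOLDER 4-round Feistel standing in for SM4/AES (assumption, not secure);
    it only gives the example an invertible, deterministic 128-bit permutation."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, r, rnd)))
    return l + r


def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(key, l, rnd))), l
    return l + r


def ecb(key, data, block_fn):
    """ECB over the full 16-byte blocks. The trailing partial block is left in clear
    so the frame length is unchanged (an assumption about how 'no alignment, size
    unchanged' is met; a real design needs e.g. ciphertext stealing for that tail)."""
    full = len(data) - len(data) % BLOCK
    out = b"".join(block_fn(key, data[i:i + BLOCK]) for i in range(0, full, BLOCK))
    return out + data[full:]


def parse_frame(frame):
    """S11-S13: keep only IPv4 frames carrying UDP or TCP; return the fields the
    later checks need, or None when the frame is to be deleted."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                                  # S11: not IPv4 -> delete
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (PROTO_UDP, PROTO_TCP):
        return None                                  # S12/S13: neither UDP nor TCP -> delete
    l4 = ip[ihl:]
    if len(l4) < (8 if proto == PROTO_UDP else 20):
        return None                                  # truncated transport header -> delete
    l4_len = 8 if proto == PROTO_UDP else (l4[12] >> 4) * 4
    return {"proto": proto,
            "dst_ip": ".".join(map(str, ip[16:20])),
            "dst_port": struct.unpack("!H", l4[2:4])[0],
            "payload_off": 14 + ihl + l4_len}


def process(cfg, frame, role):
    """S14-S16 (role='send') and S1014-S1016 (role='receive'): returns (action, frame)."""
    meta = parse_frame(frame)
    if meta is None:
        return "delete", b""
    if meta["proto"] not in cfg.encrypt_protocols:
        return "forward", frame                      # S14 not met: pass through (simplification)
    if meta["dst_ip"] in cfg.release_ips:            # S15 / S1015: IP address release
        return "release-ip", frame
    if meta["dst_port"] in cfg.release_ports:        # S16 / S1016: port release
        return "release-port", frame
    off, block_fn = meta["payload_off"], (encrypt_block if role == "send" else decrypt_block)
    return ("encrypted" if role == "send" else "decrypted",
            frame[:off] + ecb(cfg.key, frame[off:], block_fn))


def max_block_repeat(data, off=0):
    """Detection check for captured ECB ciphertext: the largest number of times any
    16-byte block recurs. A value above 1 means the plaintext repeated at block level."""
    blocks = [data[i:i + BLOCK] for i in range(off, len(data) - BLOCK + 1, BLOCK)]
    return max((blocks.count(b) for b in set(blocks)), default=0)


def build_frame(src_ip, dst_ip, proto, src_port, dst_port, payload):
    """Constructed Ethernet/IPv4 frame with a minimal UDP or TCP header (checksums zero)."""
    eth = bytes(6) + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    else:  # 20-byte TCP header: data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + l4 + payload


if __name__ == "__main__":
    key = b"\x11" * 16                                          # constructed demo key
    tx = rx = CardConfig(key, release_ports=frozenset({53}))    # same key burnt into both cards
    frame = build_frame("10.0.0.1", "10.0.0.2", PROTO_TCP, 40000, 443, b"A" * 40)
    action, wire = process(tx, frame, "send")
    print(action, "repeated ciphertext blocks:", max_block_repeat(wire, 54))
    print("round trip ok:", process(rx, wire, "receive") == ("decrypted", frame))
```

Two points the model makes visible. First, everything outside the transport payload (MAC addresses, IP addresses, ports) stays in clear on the wire, which is exactly why the patent adds the separate address and port encryption steps S17 to S20. Second, `max_block_repeat` returns 2 for the 40-byte payload of repeated bytes: ECB is deterministic per block, so identical plaintext blocks are visible in the ciphertext, and the 8-byte tail is not encrypted at all by a pure ECB pass; a deployment that relies on "size unchanged" has to say how that tail is protected.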
The communication configuration parameters in the sending card of this embodiment comprise an encryption protocol, an encryption address, an encryption port, a release address and a release port; the communication configuration parameters in the receiving card comprise a decryption protocol, a decryption address, a decryption port, a release address or a release port.
In this embodiment, for the sending card, the frame protocol encryption condition is whether the message carries an encryption protocol. When judging whether address encryption or port encryption applies, it is judged whether the message carries an encryption address or an encryption port. A released IP address list or a released port address list is stored in the encryption module of the sending card, and when judging whether an IP address or a port is released, it is judged whether the release address or release port in the message matches an IP address or port in that list. A protocol list, an IP address list and a port list that need encryption are written into the chip of the sending card in advance; when judging, the protocol, IP address or port in the message must match the corresponding list, and when the match condition is met the corresponding encryption is performed.
Preferably, for the receiving card, the frame protocol decryption condition is whether the message carries a decryption protocol. When judging whether address decryption or port decryption applies, it is judged whether the message carries a decryption address or a decryption port. A released IP address list or a released port address list is stored in the decryption module of the receiving card, and when judging whether an IP address or a port is released, it is judged whether the release address or release port in the message matches an IP address or port in that list. A protocol list, an IP address list and a port list that need decryption are written into the chip of the receiving card in advance; when judging, the protocol, IP address or port in the message must match the corresponding list, and when the match condition is met the corresponding decryption is performed.
In this embodiment, protocol encryption and decryption use the same algorithm, IP address encryption and decryption use the same algorithm, and port encryption and decryption use the same algorithm; the names differ only to distinguish the sending end from the receiving end. In addition, a terminal fitted with the isolation card can act as both a sending end and a receiving end, that is, the isolation card installed in one terminal can serve as both a sending card and a receiving card.
The algorithm in this embodiment comprises a symmetric algorithm and/or an asymmetric algorithm. The symmetric algorithms comprise a national cryptographic (SM) algorithm and a commercial cryptographic algorithm; preferably, the national cryptographic algorithm is SM4 ECB 128 and the commercial cryptographic algorithm is AES ECB 128. The cryptographic algorithm is burnt into the isolation card so that the transmission rate can be improved; its technical indexes are shown in Table 2:
Table 2 Technical index of algorithm
Algorithm name    Transmission rate    Error rate
SM4 ECB 128       421Mb/S              0
AES ECB 128       4102Mb/S             0
In this embodiment, taking the symmetric algorithm SM4 ECB 128 and the commercial cipher AES ECB 128 as examples, Table 2 shows that the transmission rate of both algorithms is far higher than that of the prior art, so using the isolation card with the encryption module improves the transmission rate.
In this embodiment, normal communication between terminals with the isolation card inserted therein is ensured. Any terminal without an isolation card cannot participate in the communication of the isolation card terminal.
The notable properties of the isolation card of the application include:
1) The encryption module and the ordinary control module are integrated on the same network card and work together directly, without adding a separate hardware encryption module.
2) After one-time configuration and burning, the card operates independently without relying on encryption and decryption support from upper-layer software.
3) The original data blocks do not need to be aligned, and the size of the data source is not changed.
4) Both the national cryptographic (SM) and the commercial cryptographic algorithm are supported.
5) The topology of the existing network is not changed.
6) No key is transmitted during encryption and decryption; the secret key is always stored on the hardware management and control card.
The application characteristics include:
1) Suitable for any environment in which an ordinary network card is used.
2) Especially suitable for the military industry, scientific research institutes and other institutions with high confidentiality requirements on data transmission.
3) The IP addresses and ports to be controlled can be configured flexibly according to customer requirements.
The system characteristics include:
1) The network interface card exists in the form of an ordinary network card, is compatible with any operating system, and does not change the transmission of the network data stream.
2) It integrates data transmission, encryption and control, and connects seamlessly to any hardware environment that requires an ordinary network card.
The isolation card in the application supports three factory configuration modes in total: wide area network encryption, local area network encryption and intranet protection.
1) Selecting the modes:
wide area network mode: the wide area network check button is checked, the TCP check button is checked, and the UDP check button is checked;
local area network mode: the wide area network check button is not checked, the TCP check button is checked, and the UDP check button is checked;
intranet protection mode: only the intranet protection mode check button is checked, and the other check buttons are not checked.
2) Description of the three modes:
wide area network mode: the client transmits encrypted data point to point over the Internet;
local area network mode: the client transmits encrypted data point to point within the enterprise;
intranet protection mode: the enterprise allows only the isolation cards to communicate with each other and prohibits staff from accessing the external network.
In the embodiment, when a key update instruction is received in step S2, a key stored in the encryption module is updated;
preferably, in step S102, when a key update instruction is received, the key stored in the decryption module is updated.
The key stored in the isolation card in this embodiment may be updated remotely, and when the receiving card or the sending card receives the update instruction, the receiving card or the sending card receives the new key and updates the key in the encryption module or the decryption module.
As shown in FIG. 8, the single-port Ethernet isolation card is a sending card comprising a circuit board; an encryption module 1, a control module 2 and a power module 3 are integrated on the circuit board, the encryption module 1 and the power module 3 are both connected to the control module 2, the encryption module 1 comprises an encryption chip 11 and a memory chip 12, an encryption algorithm is burnt into the encryption chip 11, a secret key and a released IP address list or a released port address list are stored in the memory chip 12, and the encryption chip 11 is used to encrypt a received request message based on the secret key;
preferably, as shown in fig. 9, the isolation card is a receiving card, the receiving card includes a circuit board, a decryption module 101, a control module 102 and a power module 103 are integrated on the circuit board, the decryption module 101 and the power module 103 are both connected with the control module 102, the decryption module 101 includes a decryption chip 1011 and a storage chip 1012, a decryption algorithm is burned in the decryption chip 1011, a secret key, a released IP address list or a released port address list is stored in the storage chip 1012, and the decryption chip 1011 is used for decrypting the received request message based on the secret key.
The application provides a new single-port Ethernet isolation card, which does not need to additionally increase a hardware encryption module, the encryption module and a common control module are integrated on the same network card and are smoothly linked, the key transmission is not needed in the encryption and decryption process, and the key is always stored on the isolation card, so that the safety and the transmission rate are improved.
In this embodiment, the encryption module and the decryption module are the same module, the encryption chip and the decryption chip are the same chip, the encryption algorithm and the decryption algorithm are the same algorithm, and the names are different to distinguish the receiving end and the transmitting end.
The above examples are merely illustrative of the preferred embodiments of the present application and are not intended to limit the scope of the present application, and various modifications and improvements made by those skilled in the art to the technical solution of the present application should fall within the scope of protection defined by the claims of the present application without departing from the spirit of the present application.

Claims (14)

1. An isolation method based on a single-port Ethernet isolation card is characterized in that the isolation card is used as a transmitting card for encrypting and transmitting data, the transmitting card is arranged on a transmitting terminal, and the isolation algorithm of the transmitting card is configured as follows:
s1: receiving an Ethernet frame sent by the sending terminal, filtering the Ethernet frame from the outermost layer, and filtering out a message meeting the condition;
s2: for the request message meeting the filtering condition, acquiring a corresponding secret key from an encryption module of the sending card, encrypting the request message according to the secret key and based on an encryption algorithm, and then sending the encrypted request message to a corresponding receiving card;
the judgment method of the protocol in S1 is as follows:
s11: after receiving the request message, judging whether the message is an IPV4 message; if so, performing step S12; if not, the request message is treated as not having been sent by the sending terminal and is deleted;
s12: judging whether the IPV4 message is a UDP protocol message, if so, performing step S14, and if not, performing step S13;
s13: judging whether the IPV4 message is a TCP protocol message, if so, performing step S14, and if not, deleting the request message;
s14: judging whether the message meets the condition of frame protocol encryption according to the communication configuration parameters encapsulated in the request message;
s15: when the request message meets the frame protocol encryption condition, judging whether the communication configuration parameters are matched with the IP address release conditions, if so, releasing the IP address, sending the message to the corresponding receiving card, and if not, executing step S16;
s16: judging whether the communication configuration parameters are matched with the port release conditions, releasing the port if the communication configuration parameters are matched with the port release conditions, sending a message to the corresponding receiving card, and if the communication configuration parameters are not matched with the port release conditions, performing step S2 to encrypt message data.
2. The isolation method based on the single-port Ethernet isolation card according to claim 1, wherein the request message is filtered from the outside inward and the filtered content includes a protocol, an IP address and a port, the outermost layer being the protocol of the message in the Ethernet frame, the second layer the IP address, and the innermost layer the port.
3. The isolation method based on the single-port Ethernet isolation card according to claim 2, wherein the judgment of the IP address and the port in S1 further comprises the steps of:
S17: when the message does not meet the frame protocol encryption condition, judging whether the communication configuration parameters match the IP address release condition; if so, releasing the IP address and sending the message to the corresponding receiving card, and if not, performing step S18;
S18: judging whether the encrypted IP list stored in the transmitting card is empty; if so, performing step S20, and if not, performing step S19;
S19: judging, according to the communication configuration parameters, whether the IP address is to be encrypted; if so, performing step S20, and if not, sending the message to the corresponding receiving card;
S20: judging, according to the communication configuration parameters, whether the transmission port is to be encrypted; if so, performing step S2 to encrypt the message data and then sending the message to the corresponding receiving card, and if not, sending the message to the corresponding receiving card.
4. The isolation method based on the single-port Ethernet isolation card according to claim 3, wherein the communication configuration parameters in the transmitting card comprise an encryption protocol, an encryption address, an encryption port, a release address and a release port.
5. The isolation method based on the single-port Ethernet isolation card according to claim 4, wherein, for the transmitting card, the frame protocol encryption condition is whether the message carries an encryption protocol; when judging whether address encryption or port encryption applies, it is required to judge whether the message carries an encryption address or an encryption port; and when judging whether the IP address or the port is released, it is required to judge whether the release address or the release port in the message matches the IP address or the port in the list.
6. The isolation method based on the single-port Ethernet isolation card according to claim 5, wherein in step S2, when a key update command is received, the key stored in the encryption module is updated.
7. A single-port Ethernet isolation card, characterized in that the isolation card is a transmitting card comprising a circuit board on which an encryption module (1), a control module (2) and a power module (3) are integrated; the encryption module (1) and the power module (3) are connected to the control module (2); the encryption module (1) comprises an encryption chip (11) and a storage chip (12); an encryption algorithm is burned into the encryption chip (11); a secret key and a released IP address list or a released port address list are stored in the storage chip (12); the encryption chip (11) is used for encrypting a received request message based on the secret key; and the transmitting card is configured to implement the method of any one of claims 1 to 6.
8. An isolation method based on a single-port Ethernet isolation card, characterized in that the isolation card is used as a receiving card for decrypting and receiving data, the receiving card is arranged on a receiving terminal, and the isolation algorithm of the receiving card is configured as follows:
S101: receiving a request message sent by the corresponding transmitting terminal and filtering the request message from the outermost layer inward to obtain a message meeting the filtering condition;
S102: for the request message meeting the filtering condition, acquiring a corresponding secret key from an encryption and decryption module of the receiving card, and decrypting the request message with the secret key according to a decryption algorithm;
the protocol judgment in S101 is performed as follows:
S1011: after receiving the request message, judging whether the message is an IPv4 message; if so, performing step S1012; if not, the message was not sent by the transmitting terminal and the corresponding request message is deleted;
S1012: judging whether the IPv4 message is a UDP protocol message; if so, performing step S1014, and if not, performing step S1013;
S1013: judging whether the IPv4 message is a TCP protocol message; if so, performing step S1014, and if not, deleting the request message;
S1014: judging, according to the communication configuration parameters encapsulated in the request message, whether the message meets the frame protocol decryption condition;
S1015: when the request message meets the frame protocol decryption condition, judging whether the communication configuration parameters match the IP address release condition; if so, releasing the IP address and sending the message to the corresponding receiving terminal, and if not, performing step S1016;
S1016: judging whether the communication configuration parameters match the port release condition; if so, releasing the port and sending the message to the corresponding receiving terminal, and if not, performing step S102 to decrypt the message data.
9. The isolation method based on the single-port Ethernet isolation card according to claim 8, wherein the request message is filtered from the outside inward and the filtered content includes a protocol, an IP address and a port, the outermost layer being the protocol of the message in the Ethernet frame, the second layer the IP address, and the innermost layer the port.
10. The isolation method based on the single-port Ethernet isolation card according to claim 9, wherein the judgment of the IP address and the port in step S101 is performed as follows:
S1017: when the message does not meet the frame protocol decryption condition, judging whether the communication configuration parameters match the IP address release condition; if so, releasing the IP address and sending the message to the corresponding receiving terminal, and if not, performing step S1018;
S1018: judging whether the decrypted IP list stored in the receiving card is empty; if so, performing step S1020, and if not, performing step S1019;
S1019: judging, according to the communication configuration parameters, whether the IP address is to be decrypted; if so, performing step S1020, and if not, sending the message to the corresponding receiving terminal;
S1020: judging, according to the communication configuration parameters, whether the transmission port is to be decrypted; if so, performing step S102 to decrypt the message data and then transmitting the message to the corresponding receiving terminal, and if not, transmitting the message to the corresponding receiving terminal.
11. The isolation method based on the single-port Ethernet isolation card according to claim 10, wherein the communication configuration parameters in the receiving card comprise a decryption protocol, a decryption address, a decryption port, a release address, or a release port.
12. The isolation method based on the single-port Ethernet isolation card according to claim 11, wherein, for the receiving card, the frame protocol decryption condition is whether the message carries a decryption protocol; when judging whether address decryption or port decryption applies, it is required to judge whether the message carries a decryption address or a decryption port; and when judging whether the IP address or the port is released, it is required to judge whether the release address or the release port in the message matches the IP address or the port in the list.
13. The isolation method based on the single-port Ethernet isolation card according to claim 12, wherein in step S102, when a key update command is received, the key stored in the decryption module is updated.
14. A single-port Ethernet isolation card, characterized in that the isolation card is a receiving card comprising a circuit board on which a decryption module (101), a control module (102) and a power module (103) are integrated; the decryption module (101) and the power module (103) are connected to the control module (102); the decryption module (101) comprises a decryption chip (1011) and a storage chip (1012); a decryption algorithm is burned into the decryption chip (1011); a secret key and a released IP address list or a released port address list are stored in the storage chip (1012); the decryption chip (1011) is used for decrypting a received request message based on the secret key; and the receiving card is configured to implement the method of any one of claims 8 to 13.
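The outermost-in filtering decision of claims 1 to 5 (protocol, then address, then port, with release lists checked before the encryption lists), written out as an added Python example that is not part of the patent; the receiving card of claims 8 to 12 runs the same decision with "decrypt" in place of "encrypt". The code only returns the action and does not perform the encryption of step S2; it assumes the lists are matched against the destination address and port, and that an empty encryption-port list means every port is encrypted, neither of which the claims state.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

@dataclass
class SendCardConfig:
    """Communication configuration parameters of claim 4 (sets constructed by the caller)."""
    encrypt_protocols: set = field(default_factory=set)  # S14: e.g. {"tcp", "udp"}
    encrypt_addresses: set = field(default_factory=set)  # S18/S19: encrypted IP list
    encrypt_ports: set = field(default_factory=set)      # S20
    release_addresses: set = field(default_factory=set)  # S15/S17
    release_ports: set = field(default_factory=set)      # S16

def parse_frame(frame: bytes):
    """Outermost-in parse (claim 2): EtherType -> IP protocol -> address -> port."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # S11: not IPv4, so not from the transmitting terminal: drop
    l4name = {6: "tcp", 17: "udp"}.get(frame[23])
    if l4name is None:
        return None  # S12/S13: neither UDP nor TCP: drop
    l4 = 14 + (frame[14] & 0x0F) * 4
    if len(frame) < l4 + 4:
        return None  # truncated transport header: drop
    # Destination address/port are matched against the lists (the claims do not say
    # which direction; using the destination is an assumption of this example).
    return l4name, str(IPv4Address(frame[30:34])), struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]

def decide(frame: bytes, cfg: SendCardConfig) -> str:
    """Return 'drop', 'pass' (forward in clear) or 'encrypt' (hand off to step S2)."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "drop"
    proto, ip, port = parsed
    if ip in cfg.release_addresses:      # S15 / S17: a released address goes through in clear
        return "pass"
    if proto in cfg.encrypt_protocols:   # S14 satisfied -> S16: only a released port escapes
        return "pass" if port in cfg.release_ports else "encrypt"
    if cfg.encrypt_addresses and ip not in cfg.encrypt_addresses:
        return "pass"                    # S18/S19: list non-empty and address not listed
    # S20: empty port list treated as "encrypt every port" (assumption; the claim is silent)
    return "encrypt" if not cfg.encrypt_ports or port in cfg.encrypt_ports else "pass"

def build_frame(proto: int, dst_ip: str, dst_port: int) -> bytes:
    """Constructed minimal Ethernet/IPv4/transport frame for exercising decide()."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 0, 0, 64, proto, 0) \
        + IPv4Address("10.0.0.1").packed + IPv4Address(dst_ip).packed
    return eth + ip + struct.pack("!HH", 40000, dst_port) + b"\x00" * 16
```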
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210042479.XA CN114389884B (en) 2022-01-14 2022-01-14 Single-port Ethernet isolation card and isolation method thereof (Active)

Publications (2)

Publication Number Publication Date
CN114389884A CN114389884A (en) 2022-04-22
CN114389884B CN114389884B (en) 2023-11-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant