CN117221012A - Decryption and encryption method and device - Google Patents

Decryption and encryption method and device

Info

Publication number: CN117221012A
Authority: CN (China)
Prior art keywords: message, header, cpu, encapsulation, information
Legal status: Granted (active)
Application number: CN202311474395.4A
Other languages: Chinese (zh)
Other versions: CN117221012B (en)
Inventor: 罗京
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: New H3C Technologies Co Ltd

Events
Application filed by New H3C Technologies Co Ltd
Priority to CN202311474395.4A
Publication of CN117221012A
Application granted
Publication of CN117221012B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a decryption and encryption method and device, applied to a network device comprising an encryption and decryption engine (the Inline Engine), a switching chip and a CPU. In the decryption method, the switching chip matches a packet to be decrypted and sends it to the engine; the engine decrypts the packet using the decryption algorithm and key in an SA entry issued in advance by the CPU, the decrypted packet is sent to the CPU through the switching chip, and the CPU processes the plaintext. In the encryption method, the CPU determines the packet to be encrypted and the index of the SA entry corresponding to that packet and transmits both to the engine; the engine finds the SA entry from the SA index, encrypts the packet with the encryption algorithm and key in that entry, and the switching chip transmits the encrypted packet directly onto the network link. The packet therefore does not have to be sent back to the CPU repeatedly during IPsec encapsulation, encryption and decryption, which significantly improves the performance of that process.

Description

Decryption and encryption method and device
Technical Field
The present application relates to the field of network communications, and in particular, to a decryption and encryption method and apparatus.
Background
Currently, to address the challenges faced by wide area networks, such as the need for greater network flexibility and higher performance, an Application-Driven Wide Area Network (AD-WAN) branch solution has been proposed.
ADWAN packets in an AD-WAN network are non-standard protocol packets, and for security they are generally protected by IPsec (Internet Protocol Security) encapsulation.
However, the conventional IPsec encapsulation, encryption and decryption process involves many steps, is time-consuming and performs poorly.
Disclosure of Invention
In view of this, the present application provides a decryption and encryption method and device to improve the overall performance of the IPsec encapsulation, encryption and decryption process.
In a first aspect of the present application, a decryption method is provided, applied to a network device that comprises at least an encryption and decryption engine (the Inline Engine), a switching chip and a CPU. The method comprises:
receiving, through the switching chip, a packet forwarded over a tunnel between the device and a peer device, and if it is determined that the data to be decrypted carried by the packet needs to be decrypted, adding a first switch header to the packet and redirecting the packet to the Inline Engine; the first switch header carries at least the ingress interface information of the packet as received by the device;
parsing, by the Inline Engine, the unencrypted packet feature information carried by the packet and the security parameter index (SPI) in the unencrypted encapsulating security payload (ESP) field carried by the packet, obtaining from the first security association (SA) entry information an SA entry that matches the packet feature information and the SPI, and decrypting the data to be decrypted with the decryption algorithm and decryption key in that SA entry to obtain a first plaintext; sending the first plaintext and the ingress interface information to the switching chip through the Inline Engine, to be forwarded to the CPU by the switching chip;
and performing, by the CPU, the corresponding data processing on the first plaintext according to the ingress interface information, and forwarding the processing result.
In a second aspect of the present application, an encryption method is provided, applied to a network device that comprises at least an encryption and decryption engine (the Inline Engine), a switching chip and a CPU. The method comprises:
receiving, through the CPU, an original packet that needs to be encrypted, encapsulating the original packet based on the tunnel used to transmit it to obtain a third encapsulated packet, and sending the third encapsulated packet to the switching chip to be forwarded to the Inline Engine; the third encapsulated packet carries at least a tunnel header, a packet feature information field, the ESP field corresponding to the tunnel and a logic header FPGA-OUT; FPGA-OUT carries an SA entry index, which is the index of the SA entry that the CPU obtained from the second SA entry information based on the SPI in the ESP field;
and receiving the third encapsulated packet through the Inline Engine, obtaining from the second SA entry information the SA entry matching the SA entry index carried in the logic header FPGA-OUT, encrypting the data to be encrypted carried by the third encapsulated packet with the encryption algorithm and encryption key in that SA entry, and forwarding the result to the switching chip so that the switching chip forwards the ciphertext through the tunnel; the data to be encrypted comprises at least the original packet.
In a third aspect of the present application, a decryption apparatus is provided, applied to a network device that comprises at least an encryption and decryption engine (the Inline Engine), a switching chip and a CPU. The apparatus comprises:
a receiving unit, configured to receive, through the switching chip, a packet forwarded over a tunnel between the device and a peer device, and, if it is determined that the data to be decrypted carried by the packet needs to be decrypted, to add a first switch header to the packet and redirect the packet to the Inline Engine; the first switch header carries at least the ingress interface information of the packet as received by the device;
a decryption unit, configured to parse, through the Inline Engine, the unencrypted packet feature information carried by the packet and the SPI in the unencrypted ESP field carried by the packet, obtain from the first SA entry information an SA entry matching the packet feature information and the SPI, and decrypt the data to be decrypted with the decryption algorithm and decryption key in that SA entry to obtain a first plaintext; and to send the first plaintext and the ingress interface information to the switching chip through the Inline Engine, to be forwarded to the CPU by the switching chip;
and a processing unit, configured to perform, through the CPU, the corresponding data processing on the first plaintext according to the ingress interface information, and to forward the processing result.
In a fourth aspect of the present application, an encryption apparatus is provided, applied to a network device that comprises at least an encryption and decryption engine (the Inline Engine), a switching chip and a CPU. The apparatus comprises:
a receiving and processing unit, configured to receive, through the CPU, an original packet to be encrypted, encapsulate the original packet based on the tunnel used to transmit it to obtain a third encapsulated packet, and send the third encapsulated packet to the switching chip to be forwarded to the Inline Engine; the third encapsulated packet carries at least a tunnel header, a packet feature information field, the ESP field corresponding to the tunnel and a logic header FPGA-OUT; FPGA-OUT carries an SA entry index, which is the index of the SA entry that the CPU obtained from the second SA entry information based on the SPI in the ESP field;
and an encryption unit, configured to receive the third encapsulated packet through the Inline Engine, obtain from the second SA entry information the SA entry matching the SA entry index carried in the logic header FPGA-OUT, encrypt the data to be encrypted carried by the third encapsulated packet with the encryption algorithm and encryption key in that SA entry, and forward the result to the switching chip so that the switching chip forwards the ciphertext through the tunnel; the data to be encrypted comprises at least the original packet.
In a fifth aspect of the application there is provided an electronic device comprising a processor and a memory storing machine executable instructions executable by the processor for executing the machine executable instructions to implement any of the methods provided in the first to second aspects.
In a sixth aspect of the application, there is provided a machine-readable storage medium having stored thereon machine-executable instructions which when executed by a processor implement any of the methods provided in the first to second aspects.
It can be seen from the above that the application changes the packet processing flow from the conventional IPsec encryption/decryption mode to an Inline mode, in which the packet is encrypted or decrypted in passing during transmission. In the decryption method, once the switching chip has determined that a packet is to be decrypted, it sends the packet to the Inline Engine; the Inline Engine finds the corresponding SA entry, decrypts the packet with the decryption algorithm and decryption key in that entry to obtain the plaintext, and sends the plaintext to the switching chip to be forwarded to the CPU, which then processes and forwards it. In the encryption method, the CPU determines the packet to be encrypted, finds the SA entry corresponding to it and fills the index of that entry into the logic header FPGA-OUT of the packet; the Inline Engine receives and parses the packet, finds the SA entry from the index carried in FPGA-OUT, encrypts the packet with the encryption algorithm and encryption key in that entry to obtain the ciphertext, and sends the ciphertext to the switching chip to be forwarded through the tunnel. As a result, the packet does not have to be sent back to the CPU repeatedly during IPsec encapsulation, encryption and decryption, which significantly improves the performance of that process.
Drawings
FIG. 1 is a flowchart of a decryption method according to an embodiment of the present application;
FIG. 2 is a block diagram of a network device according to an embodiment of the present application;
FIG. 3 is a diagram illustrating a first message format according to an embodiment of the present application;
FIG. 4 is a diagram illustrating a second message format according to an embodiment of the present application;
FIG. 5 is a diagram illustrating a third message format according to an embodiment of the present application;
FIG. 6 is a diagram illustrating a fourth message format according to an embodiment of the present application;
FIG. 7 is a diagram illustrating a fifth message format according to an embodiment of the present application;
FIG. 8 is a flowchart of an encryption method according to another embodiment of the present application;
FIG. 9 is a block diagram of a network device according to another embodiment of the present application;
FIG. 10 is a diagram illustrating a sixth message format according to another embodiment of the present application;
FIG. 11 is a diagram illustrating a seventh message format according to another embodiment of the present application;
FIG. 12 is a diagram illustrating an eighth message format according to another embodiment of the present application;
FIG. 13 is a schematic diagram of a decryption device according to an embodiment of the present application;
FIG. 14 is a schematic diagram of an encryption device according to another embodiment of the present application;
FIG. 15 is a schematic hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to better understand the technical solution provided by the embodiments of the present application and make the above objects, features and advantages of the embodiments of the present application more obvious, the technical solution in the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
In the embodiments of the present application, in order to improve the performance of the IPsec (Internet Protocol Security) encapsulation, encryption and decryption flow, the conventional flow is changed into an Inline mode: the packet is encrypted or decrypted in passing during transmission and, unlike the conventional IPsec flow, does not need to be sent back to the CPU repeatedly.
The embodiments are described using an Application-Driven Wide Area Network (AD-WAN) as the network architecture. ADWAN packets in an AD-WAN network are non-standard protocol packets, so for security they must be protected by IPsec encapsulation, encryption and decryption.
Referring to fig. 1, fig. 1 is a flowchart of the packet decryption method provided in this embodiment. The method is applied to a network device that comprises at least an encryption and decryption engine (the Inline Engine), a switching chip and a CPU.
Fig. 2 is a block diagram of a network device according to this embodiment. It is provided so that a person skilled in the art can better understand the technical solution and is not intended to limit the structural relationship between the Inline Engine, the switching chip and the CPU.
More specifically, the Inline Engine may be a programmable encryption/decryption engine or any programmable device, such as a field programmable gate array (FPGA) or a complex programmable logic device (CPLD). In this embodiment the Inline Engine is described as an FPGA.
More specifically, the CPU is connected to the switching chip, and the FPGA is connected to the switching chip, through Ethernet links, and the CPU is connected to the FPGA through a control link. The Ethernet links are data transmission links and are used mainly for transmitting and switching actual data; the control link belongs to the control plane and is used for managing and configuring the network device and for transmitting its configuration information.
More specifically, the FPGA receives the first security association (SA) entry information issued by the CPU in advance. Before the AD-WAN network is established, the Transport Tunnel Endpoint (TTE) connection is negotiated, and during the TTE connection negotiation stage the CPU sends the first SA entry information, pre-configured by a network administrator or developer, to the FPGA over the control link between the CPU and the FPGA.
More specifically, the first SA entry information is the SA entry information used to decrypt ADWAN packets. It stores one or more SA entries, each of which stores five-tuple information, security parameter index (SPI) information, and the corresponding decryption algorithm and decryption key.
As shown in fig. 1, the packet decryption method provided by an embodiment of the present application may include the following steps:
Step 101: receiving, through the switching chip, a packet forwarded over the tunnel between the device and the peer device, and if it is determined that the data to be decrypted carried by the packet needs to be decrypted, adding a first switch header to the packet and redirecting the packet to the Inline Engine; the first switch header carries at least the ingress interface information of the packet as received by the device.
In this embodiment, the switching chip receives a packet forwarded over the tunnel between the device and the peer device.
More specifically, in the decryption process the ingress interface of the switching chip is the WAN port shown in fig. 2. The WAN port is connected to at least one tunnel, and each tunnel is in turn connected to a peer device. The switching chip receives the packet forwarded over the tunnel through the WAN port; the transmission direction is shown as 201 in fig. 2. The packet forwarded over the tunnel may be in any encapsulation format, and the switching chip does not distinguish between the packets received on the WAN port.
In this embodiment, if it is determined that the data to be decrypted carried by the packet needs to be decrypted, a first switch header is added to the packet and the packet is redirected to the Inline Engine; the first switch header carries at least the ingress interface information of the packet as received by the device.
More specifically, after the switching chip receives the packet forwarded over the tunnel, it determines whether the unencrypted destination port number carried by the packet is a port number of this device, and whether that port number is marked with a decryption tag. The decryption tag of the port number is configured in advance by the ADWAN service during the TTE connection negotiation stage.
When the unencrypted destination port number carried by the tunnel-forwarded packet is a port number of this device and that port number carries a decryption tag, it is determined that the data to be decrypted carried by the packet needs to be decrypted. The format of such a packet is shown in fig. 3: the Ethernet, IP, User Datagram Protocol (UDP), encapsulating security payload (ESP) and authentication (Auth) fields are plaintext, while the ADWAN header, inner IP header, data and Tail are ciphertext. Based on the format shown in fig. 3, a packet forwarded over the tunnel between the device and the peer device that is to be decrypted is referred to below as an ADWAN packet to be decrypted.
More specifically, after identifying an ADWAN packet to be decrypted, the switching chip adds a first switch header to the packet and redirects it to the FPGA. The first switch header carries the information of the interface through which the ADWAN packet to be decrypted entered the switching chip, i.e. the WAN port in fig. 2. The first switch header also carries the information of the egress interface through which the packet is transmitted from the switching chip to the FPGA, i.e. port 21 in fig. 2. The first switch header thus marks the transmission path of the ADWAN packet to be decrypted within the switching chip, so that the switching chip can recognize and steer the packet and process the data flow precisely.
In this embodiment, after the ADWAN packet to be decrypted has been identified and the first switch header has been added to it, the switching chip sends the ADWAN packet to be decrypted, carrying the first switch header, to the FPGA. The format of this packet is shown in fig. 4, and the transmission direction is shown as 202 in fig. 2: the packet is transmitted from port 21 of the switching chip to port 22 of the FPGA.
Step 102: analyzing the unencrypted message characteristic information carried by the message and the security parameter index SPI information in an unencrypted encapsulation security payload ESP field carried by the message by the Inline Engine, obtaining an SA table item matched with the message characteristic information and the SPI information from the obtained first security alliance SA table item information, and decrypting the data to be decrypted by using a decryption algorithm and a decryption key in the SA table item to obtain a first plaintext; and sending the first plaintext and the input interface information to the exchange chip through the Inline Engine so as to be forwarded to the CPU through the exchange chip.
In this embodiment, after receiving an ADWAN message to be decrypted transmitted by the switch chip, the FPGA analyzes the unencrypted message feature information carried by the message and the SPI information in the unencrypted ESP field carried by the message, and obtains an SA entry matching the message feature information and the SPI information from the obtained first SA entry information.
More specifically, after receiving the ADWAN message to be decrypted, the FPGA analyzes an ESP header of the ADWAN message to be decrypted to obtain SPI information carried by the ESP header. The length of the ESP header is variable, but the first 8 bytes are fixed, namely SPI (4 bytes) and Sequence Number (4 bytes), the FPGA identifies the first 4 bytes of the ESP header of the ADWAN message to be decrypted, and obtains the SPI information carried by the ESP header.
After the SPI information carried by the ADWAN message to be decrypted is obtained, the FPGA searches target SPI information consistent with the SPI information in the first SA table item information, and the SA table item where the target SPI information is located is the matched SA table item.
After determining the matched SA table item, the FPGA checks the unencrypted message characteristic information carried by the ADWAN message to be decrypted, namely the outer five-tuple information of the ADWAN message to be decrypted. Specifically, the FPGA parses outer five-tuple information of the ADWAN message to be decrypted, and checks the outer five-tuple information with five-tuple information stored in the first target SA entry.
When the outer five-tuple information of the ADWAN message to be decrypted is consistent with the five-tuple information stored in the first target SA table item, the FPGA performs the subsequent decryption step, namely, decrypts the ADWAN message to be decrypted according to the decryption algorithm and the decryption key stored in the matched SA table item;
Otherwise, the FPGA does not perform subsequent decryption steps so as to prevent the attack message from negatively affecting the performance of the decryption flow.
In this embodiment, the FPGA decrypts the data to be decrypted by using the decryption algorithm and the decryption key in the SA entry, to obtain the first plaintext.
More specifically, the FPGA decrypts the data to be decrypted in the ADWAN message to be decrypted by using the decryption algorithm and the decryption key in the matched SA entry, and then performs decapsulation processing to obtain the first plaintext. The message format of the first plaintext is shown in fig. 5, and carries an ADWAN header, an inner IP address, and data to be transmitted.
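As an added worked example (not code from the patent or from New H3C), the following Python models the demultiplexing of steps 101 and 102: the switching chip's check that the unencrypted destination port is a decrypt-tagged port of this device, the engine's SPI lookup in the SA table, the outer five-tuple check against the matched SA entry, and the decryption and ESP-trailer stripping that produce the first plaintext. The frame layout (Ethernet/IPv4/UDP/ESP), the device address, the use of ESP-in-UDP on port 4500, the SA values and the keys are all constructed for the example. Two things go beyond the page and are labelled as such: the cipher is a stand-in for the SA's real algorithm (the patent names none), and the ICV check before decryption is the integrity step a practitioner would expect an ESP engine to perform, which the text does not describe.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed example parameters (assumptions for this example, not values from the patent).
DEVICE_IP = "10.0.0.1"
DECRYPT_TAGGED_PORTS = {4500}   # this device's UDP port(s) tagged for decryption (4500 = ESP-in-UDP, RFC 3948)
ICV_LEN = 16                    # HMAC-SHA-256-128 truncated ICV (RFC 4868)

FiveTuple = Tuple[str, str, int, int, int]   # src IP, dst IP, src port, dst port, IP protocol


@dataclass(frozen=True)
class SaEntry:
    """One entry of the 'first SA entry information' the CPU issues to the engine."""
    five_tuple: FiveTuple
    spi: int
    auth_key: bytes
    enc_key: bytes
    cipher: Callable[[bytes, bytes], bytes]   # (key, data) -> data; the SA's (de)cryption algorithm


def placeholder_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the SA's cipher (e.g. AES-GCM) so the example runs on the standard library only.
    SHA-256 keystream XOR: symmetric and deterministic, NOT a real ESP transform; never use it for real traffic."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def parse_outer(frame: bytes) -> Tuple[FiveTuple, bytes]:
    """Parse Ethernet(14) + IPv4(20, no options) + UDP(8); return the outer five-tuple and the ESP bytes."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:34]
    if (ip[0] & 0x0F) * 4 != 20 or ip[9] != 17:
        raise ValueError("only IPv4 without options over UDP is handled here")
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack("!HH", frame[34:38])
    return (src_ip, dst_ip, sport, dport, 17), frame[42:]


def switch_chip_selects(frame: bytes) -> bool:
    """Switching-chip decision (step 101): redirect to the engine only when the unencrypted destination
    port is a port of this device and that port carries the decryption tag."""
    (_, dst_ip, _, dport, _), _ = parse_outer(frame)
    return dst_ip == DEVICE_IP and dport in DECRYPT_TAGGED_PORTS


def engine_decrypt(frame: bytes, sa_table: Dict[int, SaEntry]) -> Optional[Tuple[int, bytes]]:
    """Engine side (step 102): SPI lookup, outer five-tuple check, ICV check, decrypt, strip ESP trailer.
    Returns (next header, first plaintext) or None when the packet is dropped."""
    five_tuple, esp = parse_outer(frame)
    if len(esp) < 8 + 2 + ICV_LEN:
        return None
    spi, _seq = struct.unpack("!II", esp[:8])          # first 8 ESP bytes are fixed: SPI, Sequence Number
    sa = sa_table.get(spi)
    if sa is None or sa.five_tuple != five_tuple:      # no SA for this SPI, or outer five-tuple disagrees
        return None
    expected_icv = hmac.new(sa.auth_key, esp[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected_icv, esp[-ICV_LEN:]):
        return None                                    # integrity failure: do not decrypt
    padded = sa.cipher(sa.enc_key, esp[8:-ICV_LEN])
    pad_len, next_header = padded[-2], padded[-1]      # ESP trailer: Pad Length, Next Header
    if pad_len > len(padded) - 2:
        return None
    return next_header, padded[: len(padded) - 2 - pad_len]


def decrypt_pipeline(frame: bytes, sa_table: Dict[int, SaEntry]) -> Optional[Tuple[int, bytes]]:
    """Switching chip first, then engine; untagged traffic is never sent to the engine."""
    return engine_decrypt(frame, sa_table) if switch_chip_selects(frame) else None


def build_esp_frame(sa: SaEntry, seq: int, inner: bytes, next_header: int) -> bytes:
    """Constructed peer-side sender, used only to produce sample input for this example."""
    src_ip, dst_ip, sport, dport, _ = sa.five_tuple
    pad_len = (-(len(inner) + 2)) % 4                  # 4-byte alignment, pad bytes 1,2,3,... (RFC 4303)
    padded = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", sa.spi, seq) + sa.cipher(sa.enc_key, padded)
    esp = body + hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    udp = struct.pack("!HHHH", sport, dport, 8 + len(esp), 0) + esp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp   # IP checksum left 0
    return bytes.fromhex("020000000001" "020000000002" "0800") + ip


# Constructed SA table: one decrypt SA keyed by SPI, with the peer's five-tuple and example keys.
SA_TABLE: Dict[int, SaEntry] = {
    0x1001: SaEntry(("192.0.2.10", DEVICE_IP, 4500, 4500, 17), 0x1001,
                    b"constructed-auth-key", b"constructed-enc-key", placeholder_cipher),
}

if __name__ == "__main__":
    sample = build_esp_frame(SA_TABLE[0x1001], 1, b"ADWAN|inner-ip|data", 4)
    print(decrypt_pipeline(sample, SA_TABLE))
```

The order of the checks is the point: the SPI lookup and five-tuple comparison are cheap and run on unencrypted fields, so a packet with an unknown SPI or a spoofed outer address is dropped before any cryptographic work, which is the "attack packet" protection the embodiment describes.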
In this embodiment, the FPGA sends the first plaintext and the ingress interface information to the switching chip, to be forwarded to the CPU by the switching chip.
More specifically, the FPGA encapsulates the first plaintext to obtain a first encapsulated packet, whose format is shown in fig. 6. The first encapsulated packet is the first plaintext encapsulated with a private Ethernet header ETH1 corresponding to the private protocol negotiated between the FPGA and the CPU, a logic header FPGA-IN, and a second switch header;
the logic header FPGA-IN carries the information of the interface through which the ADWAN packet to be decrypted entered the switching chip. After receiving the ADWAN packet to be decrypted carrying the first switch header, the FPGA reads that ingress interface information from the first switch header and writes it into the logic header FPGA-IN. As described above, this interface is the WAN port in fig. 2.
The private Ethernet header ETH1 carries a private Ethernet protocol type that identifies the private Ethernet protocol, so that the CPU parses the first encapsulated packet according to that protocol. The format of the private Ethernet header itself is not specified by the Ethernet standard and may be used to carry custom information and control information in the packet; the private Ethernet protocol type is a field of the private Ethernet header. This embodiment does not fix its value, which is determined by negotiation between the FPGA and the CPU.
The second switch header carries the information of the interface through which the first encapsulated packet enters the switching chip and the interface through which it is transmitted from the switching chip to the CPU: in fig. 2 the ingress is port 24 and the egress is port 25. The second switch header marks the transmission path of the first encapsulated packet within the switching chip, so that the switching chip can recognize and steer the packet and process the data flow precisely.
In this embodiment, the FPGA sends the first encapsulated packet to the switching chip, as shown by 203 in fig. 2: the packet is transmitted from port 23 of the FPGA to port 24 of the switching chip.
The second switch header is added to the first plaintext by the FPGA. More specifically, during the TTE connection negotiation stage described above, the CPU may also issue to the FPGA in advance the fixed format of the switch header and the ingress interface through which packets enter the CPU. In fig. 2 that ingress interface is port 26, and since port 25 of the switching chip is physically connected to port 26 of the CPU, ingress port 26 can be equated with port 25 of the switching chip. After obtaining the first plaintext, the FPGA adds the second switch header to it according to the switch header format and CPU ingress interface issued in advance by the CPU, so that the switching chip transmits the first encapsulated packet to the CPU according to the CPU ingress interface carried in the second switch header. This is shown as 204 in fig. 2: the first encapsulated packet is transmitted from port 25 of the switching chip to port 26 of the CPU.
Step 103: and carrying out corresponding data processing on the first plaintext according to the input interface information by the CPU, and forwarding a processing result.
In this embodiment, after receiving the first plaintext and the ingress interface information transmitted by the switch chip, the CPU performs corresponding data processing on the first plaintext according to the ingress interface information.
More specifically, the CPU receives the first transparent text which is transmitted by the exchange chip and is packaged, namely, the CPU receives the first packaging message which is transmitted by the exchange chip, analyzes the private Ethernet header ETH1 and the logic header FPGA-IN carried by the first packaging message, obtains the interface entering information of the ADWAN message to be decrypted carried IN the logic header FPGA-IN and enters the exchange chip, and carries out corresponding data processing on the first packaging message according to the interface entering information.
The CPU analyzes the private Ethernet header ETH1 carried by the first encapsulation message, specifically, the CPU analyzes the private Ethernet protocol type field carried by the private Ethernet header ETH1, and obtains the private Ethernet protocol negotiated by the FPGA and the CPU. And the CPU analyzes the logic head FPGA-IN according to the private Ethernet protocol negotiated by the FPGA and the CPU to acquire the interface entering information carried by the logic head FPGA-IN.
The interface types of the ingress interface may be various, such as a physical interface, a sub-interface, or a aggregation interface of three layers, and the CPU needs to find a corresponding ingress interface on the switch chip according to the obtained ingress interface information, and perform data processing on the first encapsulation packet according to a processing function configured on the ingress interface.
In this embodiment, the CPU forwards the processing result of the data processing described above.
More specifically, the CPU encapsulates the inner IP address and the processing result of the data processing for IP forwarding, to obtain a second encapsulated packet, and forwards the second encapsulated packet. The encapsulation for IP forwarding is specifically to cut the header of the first encapsulated packet after data processing, strip the encapsulation header of the logic header FPGA-IN, the private ethernet header ETH1 and the ADWAN packet format, and add the ethernet header ETH. The message format of the second encapsulated message is shown in fig. 7.
Thus, the decryption flow shown in fig. 1 is completed.
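As an added illustration (not code from the patent or from New H3C), the following Python models the host side of steps 102 and 103: the Inline Engine prepending FPGA-IN, ETH1 and the second switch header to the first plaintext, and the CPU parsing those headers, dispatching the inner packet to the processing function configured on the ingress interface, and re-encapsulating the result with an Ethernet header for IP forwarding. All byte layouts, the private EtherType value 0x88B5, the MAC addresses, the interface table and the ACL-style processing function are assumptions of this example; the patent specifies none of them.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed wire layouts (the patent fixes none of these byte formats):
#   switch header : 2-byte ingress port, 2-byte egress port            (4 bytes)
#   ETH1          : dst MAC, src MAC, 2-byte private EtherType          (14 bytes)
#   FPGA-IN       : 2-byte ingress-interface index, 2-byte flags        (4 bytes)
#   first plaintext: 4-byte ADWAN header, inner IPv4 header, data
SWITCH_HDR = struct.Struct("!HH")
ETH_HDR = struct.Struct("!6s6sH")
FPGA_IN_HDR = struct.Struct("!HH")
ADWAN_LEN, IPV4_LEN = 4, 20

PRIVATE_ETHERTYPE = 0x88B5            # assumed value negotiated by CPU and FPGA
ETHERTYPE_IPV4 = 0x0800
FPGA_MAC = bytes.fromhex("02fa00000001")   # constructed
CPU_MAC = bytes.fromhex("02cc00000001")    # constructed
SWITCH_PORT, CPU_PORT = 25, 26        # port numbers from fig. 2


@dataclass
class Interface:
    kind: str                                    # "physical", "subinterface" or "l3-aggregation"
    process: Callable[[bytes], Optional[bytes]]  # configured processing function: inner IP in, IP out or None (drop)
    next_hop_mac: bytes                          # assumed: resolved by the CPU's forwarding tables


def fpga_build_first_encapsulation(first_plaintext: bytes, ingress_ifindex: int) -> bytes:
    """Inline Engine: prepend FPGA-IN (ingress interface), ETH1 and the second switch header."""
    fpga_in = FPGA_IN_HDR.pack(ingress_ifindex, 0)
    eth1 = ETH_HDR.pack(CPU_MAC, FPGA_MAC, PRIVATE_ETHERTYPE)
    return SWITCH_HDR.pack(SWITCH_PORT, CPU_PORT) + eth1 + fpga_in + first_plaintext


def cpu_handle_first_encapsulation(frame: bytes, interfaces: Dict[int, Interface]) -> Optional[bytes]:
    """CPU: parse ETH1 and FPGA-IN, run the ingress interface's processing function on the
    inner IP packet and re-encapsulate the result with an Ethernet header for IP forwarding.
    Returns the second encapsulated frame, or None when the interface's function drops the packet."""
    off = SWITCH_HDR.size                        # the switch header only steered the frame; nothing to keep
    _, _, ethertype = ETH_HDR.unpack_from(frame, off)
    off += ETH_HDR.size
    if ethertype != PRIVATE_ETHERTYPE:
        raise ValueError("ETH1 EtherType is not the negotiated private protocol")
    ingress_ifindex, _ = FPGA_IN_HDR.unpack_from(frame, off)
    off += FPGA_IN_HDR.size
    iface = interfaces.get(ingress_ifindex)
    if iface is None:
        raise LookupError(f"no interface configured for ifindex {ingress_ifindex}")
    inner_ip = frame[off + ADWAN_LEN:]           # strip the ADWAN header; inner IP header + data remain
    result = iface.process(inner_ip)
    if result is None:
        return None
    return ETH_HDR.pack(iface.next_hop_mac, CPU_MAC, ETHERTYPE_IPV4) + result


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_LEN + len(payload), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def source_acl(denied: set) -> Callable[[bytes], Optional[bytes]]:
    """Example processing function configured on an interface: drop packets from denied sources."""
    def process(inner_ip: bytes) -> Optional[bytes]:
        src = str(ipaddress.IPv4Address(inner_ip[12:16]))
        return None if src in denied else inner_ip
    return process


# Constructed sample: the tunnel packet arrived on physical interface 1 (the WAN port).
INTERFACES = {1: Interface("physical", source_acl({"10.0.0.66"}), bytes.fromhex("02ee00000042"))}
ADWAN_HDR = b"\xad\x00\x00\x01"   # opaque ADWAN header stand-in


def run_demo():
    allowed = build_ipv4("10.0.0.5", "192.168.1.10", b"hello")
    denied = build_ipv4("10.0.0.66", "192.168.1.10", b"hello")
    out_ok = cpu_handle_first_encapsulation(fpga_build_first_encapsulation(ADWAN_HDR + allowed, 1), INTERFACES)
    out_drop = cpu_handle_first_encapsulation(fpga_build_first_encapsulation(ADWAN_HDR + denied, 1), INTERFACES)
    return {"forwarded": out_ok, "dropped": out_drop, "allowed": allowed}


if __name__ == "__main__":
    print(run_demo())
```

The EtherType check matters in practice: the CPU must only trust FPGA-IN when the frame really carries the negotiated private protocol, otherwise an ordinary frame reaching port 26 could be misread as an engine-decrypted one.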
In this embodiment, during decryption the switch chip determines whether the data to be decrypted carried by the message needs decrypting, and the FPGA finds the corresponding SA entry and decrypts the message with the decryption algorithm and decryption key stored in it. Part of the CPU's decryption work is thus performed by the switch chip and the FPGA, the message need not be passed back to the CPU repeatedly, and the performance of IPSec encapsulation decryption improves.
Further, in this embodiment the switch header identifies the message's transmission path through the switch chip, so that the switch chip can recognize and steer the message and the data stream is processed precisely.
Referring to fig. 8, fig. 8 is a flowchart of a message encryption method according to another embodiment of the present application. The method is applied to a network device that comprises at least an encryption/decryption engine (Inline Engine), a switch chip and a CPU.
Fig. 9 is a block diagram of a network device according to another embodiment of the present application. It is provided so that a person skilled in the art can better understand the technical solution of the embodiment and is not intended to limit the structural relationship among the Inline Engine, the switch chip and the CPU.
More specifically, the Inline Engine may be a programmable encryption/decryption engine or any programmable device, such as a field programmable gate array (FPGA) or a complex programmable logic device (CPLD). In another embodiment, the Inline Engine is implemented on an FPGA.
More specifically, the CPU is connected to the switch chip, and the FPGA to the switch chip, over Ethernet links, while the CPU is connected to the FPGA over a control link. The Ethernet link is a data transmission link, used mainly to transmit and switch actual traffic; the control link belongs to the control plane and is used for managing and configuring the network device and transmitting its configuration information.
More specifically, the FPGA receives second security association (SA) entry information issued in advance by the CPU. Before the AD-WAN network is established, the connection of the transport tunnel endpoint (TTE) is negotiated; in this TTE connection negotiation stage, the CPU sends the second SA entry information, pre-configured by a network administrator or developer, to the FPGA in advance over the control link between the CPU and the FPGA.
More specifically, the second SA entry information is the SA entry information used to encrypt ADWAN messages. It holds one or more SA entries, each storing security parameter index (SPI) information together with the corresponding encryption algorithm and encryption key. Each SA entry has an SA index, a fast lookup subscript or address that uniquely identifies the entry, distinguishes it from other entries and allows the entry to be accessed and retrieved quickly.
As shown in fig. 8, a method for encrypting a message according to another embodiment of the present application may include the following steps:
Step 801: the CPU receives an original message that needs to be encrypted, encapsulates it based on the tunnel used to transmit it to obtain a third encapsulated message, and sends the third encapsulated message to the switch chip so that the switch chip forwards it to the Inline Engine. The third encapsulated message carries at least a tunnel header, a message characteristic information field, an Encapsulating Security Payload (ESP) field corresponding to the tunnel and a logic header FPGA-OUT. FPGA-OUT carries a security association (SA) entry index, which the CPU obtains from the acquired second SA entry information based on the SPI information in the ESP field.
In another embodiment, the CPU receives the original message that needs to be encrypted.
More specifically, the format of the original message that needs to be encrypted is shown in fig. 10.
More specifically, after receiving the original message, the LAN port of the switch chip sends it straight up to the CPU. As shown at 901 in fig. 9, a LAN port of the switch chip receives the original message; as shown at 902, the switch chip sends it directly to the CPU, from port 91 of the switch chip to port 92 of the CPU.
More specifically, after receiving the original message sent up by the switch chip, the CPU determines whether it is a message to be encrypted.
The CPU looks up the transmission path of the original message in a pre-configured routing table according to the destination IP the message carries; when that path leaves through the WAN port of the switch chip shown in fig. 9 into the tunnel, the original message is a message to be encrypted.
In another embodiment, the CPU encapsulates the original message based on the tunnel used to transmit it, obtaining a third encapsulated message that carries at least a tunnel header, a message characteristic information field, an ESP field corresponding to the tunnel and a logic header FPGA-OUT; FPGA-OUT carries the SA entry index the CPU obtained from the second SA entry information based on the SPI information in the ESP field.
More specifically, the format of the third encapsulated message is shown in fig. 11: it is the original message encapsulated with a third switch header, a private Ethernet header ETH2 corresponding to the private protocol negotiated by the CPU and the FPGA, a logic header FPGA-OUT, the tunnel header of the tunnel, a message characteristic information field (i.e. the outer five-tuple), an ESP header corresponding to the tunnel and an ADWAN header.
The third switch header instructs the switch chip to forward the third encapsulated message to the FPGA. It carries the ingress interface information of the third encapsulated message into the switch chip (port 94 in fig. 9) and the egress interface information through which the message leaves the switch chip for the FPGA (port 95 in fig. 9). The third switch header thus marks the message's transmission path through the switch chip, so that the switch chip can recognize and steer the message and the data stream is processed precisely.
The private Ethernet header ETH2 carries a private Ethernet protocol type that identifies the private Ethernet protocol, so that the FPGA parses the third encapsulated message according to that protocol. The Ethernet standard does not define the format of the private Ethernet header, which can carry custom information and control information in the frame; the private Ethernet protocol type is a field of that header, and in this embodiment its value is not fixed but is determined by negotiation between the FPGA and the CPU.
The logic header FPGA-OUT carries the SA entry index, which is obtained as follows. The CPU parses the ESP header of the third encapsulated message and obtains the SPI information it carries. The ESP header has variable length, but its first 8 bytes are fixed, namely the SPI (4 bytes) and the Sequence Number (4 bytes); the CPU reads the first 4 bytes of the ESP header to obtain the SPI. It then searches the second SA entry information for a target SPI equal to that SPI; the SA entry holding the target SPI is the matching SA entry. Having found it, the CPU fills the index of the matching SA entry into the logic header FPGA-OUT.
The logic header FPGA-OUT further carries the egress interface information of the tunnel on the network device; as shown in fig. 9, that egress interface is the WAN port.
The ADWAN header is in the ADWAN message encapsulation format of the AD-WAN network. The ESP header corresponding to the tunnel is added to the original message by the IPSec module of the CPU, and the outer five-tuple information by the forwarding module of the CPU.
In another embodiment, after completing step 801 the CPU sends the third encapsulated message to the switch chip, as shown at 903 in fig. 9, from port 93 of the CPU to port 94 of the switch chip. On receiving it, the switch chip forwards the third encapsulated message to the FPGA according to the egress interface information in the third switch header it carries, as shown at 904, from port 95 of the switch chip to port 96 of the FPGA.
Step 802: the Inline Engine receives the third encapsulated message, obtains from the acquired second SA entry information the SA entry matching the SA entry index carried in the logic header FPGA-OUT of the third encapsulated message, encrypts the data to be encrypted carried by the third encapsulated message with the encryption algorithm and encryption key in that SA entry, and forwards the result to the switch chip so that the switch chip forwards the ciphertext through the tunnel; the data to be encrypted comprises at least the original message.
In another embodiment, the FPGA receives the third encapsulated message transmitted by the switch chip and obtains, from the acquired second SA entry information, the SA entry matching the SA entry index in the logic header FPGA-OUT carried by the third encapsulated message.
More specifically, after receiving the third encapsulated message from the switch chip, the FPGA parses the private Ethernet header ETH2 it carries; specifically, it parses the private Ethernet protocol type field of ETH2 and obtains the private Ethernet protocol negotiated between the FPGA and the CPU. The FPGA then parses the logic header FPGA-OUT according to that protocol and obtains the SA entry index and the egress interface information it carries.
Having obtained the SA entry index, the FPGA accesses the corresponding SA entry directly by that index; this is the "SA entry matching the SA entry index" of step 802.
In another embodiment, the FPGA encrypts the data to be encrypted carried by the third encapsulated message with the encryption algorithm and encryption key in the SA entry and forwards the result to the switch chip.
More specifically, the FPGA encrypts the data to be encrypted carried by the third encapsulated message with the encryption algorithm and encryption key in the SA entry, strips the logic header FPGA-OUT, the private Ethernet header ETH2 and the third switch header, and adds a fourth switch header to the third encapsulated message. The fourth switch header carries the egress interface information: the FPGA obtains it by parsing the logic header FPGA-OUT of the third encapsulated message and writes it into the fourth switch header.
Once encryption and this processing are complete, the FPGA transmits the processed third encapsulated message to the switch chip. Its format is shown in fig. 12, where ADWAN, inner IP, data and Tail are ciphertext. As shown at 905 in fig. 9, the processed third encapsulated message travels from port 97 of the FPGA to port 98 of the switch chip.
In another embodiment, after receiving the processed third encapsulated message from the FPGA, the switch chip forwards the ciphertext through the tunnel.
More specifically, after receiving the processed third encapsulated message, the switch chip strips the fourth switch header it carries and sends the ciphertext out of the egress interface identified by the egress interface information in that header. As shown at 906 in fig. 9, the switch chip sends the ciphertext out of the corresponding WAN port based on that egress interface information. The format of the ciphertext is shown in fig. 3: ETH, IP, UDP, ESP and Auth in fig. 3 are unencrypted outer headers, while ADWAN, inner IP, data and Tail are ciphertext.
Thus, the encryption flow shown in fig. 8 is completed.
In another embodiment, during encryption the switch chip sends the ciphertext directly out of the corresponding egress interface according to the switch header, and the FPGA performs part of the encapsulation. Part of the CPU's encapsulation and encryption work is thus performed by the switch chip and the FPGA, the message need not be passed back to the CPU repeatedly, and the performance of IPSec encapsulation encryption improves.
Further, in this embodiment the switch header identifies the message's transmission path through the switch chip, so that the switch chip can recognize and steer the message and the data stream is processed precisely.
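As an added illustration (not code from the patent or from New H3C), the following Python models the encryption path of steps 801 and 802 end to end, and also the SA table of the second SA entry information: the CPU reads the SPI from the first 4 bytes of the ESP header, resolves it to an SA entry index and writes that index and the egress interface into FPGA-OUT; the FPGA looks the SA entry up by index, encrypts ADWAN header, original message and Tail, strips FPGA-OUT, ETH2 and the third switch header and prepends the fourth switch header; the switch chip strips that header and emits the ciphertext on the egress interface. Header layouts, the private EtherType 0x88B5, port and interface numbers, the separate integrity key for the Auth field and the HMAC-SHA256 counter-mode stand-in for the SA's cipher are all assumptions of this example; the patent names no cipher.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List

# Assumed wire layouts (the patent fixes none of these byte formats):
#   switch header : 2-byte ingress port, 2-byte egress port/interface      (4 bytes)
#   ETH2          : dst MAC, src MAC, 2-byte private EtherType              (14 bytes)
#   FPGA-OUT      : 2-byte SA table index, 2-byte egress interface index    (4 bytes)
#   tunnel header : modelled as the outer Ethernet header                   (14 bytes)
#   five-tuple    : modelled as outer IPv4 + UDP headers                    (28 bytes)
#   ESP header    : SPI, Sequence Number (RFC 4303 fixed first 8 bytes)
#   Tail          : 2-byte ESP trailer stand-in (pad length, next header)
SWITCH_HDR = struct.Struct("!HH")
ETH_HDR = struct.Struct("!6s6sH")
FPGA_OUT_HDR = struct.Struct("!HH")
ESP_FIXED = struct.Struct("!II")
TUNNEL_LEN, FIVE_TUPLE_LEN, ADWAN_LEN = 14, 28, 4
ESP_TAIL = b"\x00\x04"

PRIVATE_ETHERTYPE = 0x88B5                    # assumed value negotiated by CPU and FPGA
CPU_MAC = bytes.fromhex("02cc00000001")       # constructed
FPGA_MAC = bytes.fromhex("02fa00000001")      # constructed
CPU_PORT, SWITCH_TO_FPGA_PORT, FPGA_PORT = 93, 95, 97   # port numbers from fig. 9
WAN_IF = 7                                    # assumed interface index of the WAN port


@dataclass
class SAEntry:
    spi: int
    algorithm: str
    enc_key: bytes
    auth_key: bytes      # assumed: a separate integrity key for the "Auth" field


def hmac_ctr_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 keystream in counter mode, keyed per (SPI, seq).
    NOT an IPsec transform; it only plays the role of 'the algorithm in the SA entry'.
    XOR with the keystream is its own inverse, which the demo uses to check the round trip."""
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        ks = hmac.new(key, struct.pack("!III", spi, seq, n), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[n * 32:(n + 1) * 32], ks))
    return bytes(out)


ALGORITHMS = {"hmac-sha256-ctr": hmac_ctr_xor}


def cpu_sa_index_for_esp(esp_header: bytes, sa_table: List[SAEntry]) -> int:
    """CPU: read the SPI from the first 4 bytes of the ESP header and return the SA table index."""
    spi = ESP_FIXED.unpack_from(esp_header)[0]
    for index, sa in enumerate(sa_table):
        if sa.spi == spi:
            return index
    raise LookupError(f"no SA entry for SPI {spi:#010x}")


def cpu_build_third_encapsulation(original, sa_table, spi, seq, tunnel_hdr, five_tuple, adwan_hdr):
    """CPU: assemble [switch3][ETH2][FPGA-OUT][tunnel][5-tuple][ESP][ADWAN][original]."""
    esp = ESP_FIXED.pack(spi, seq)
    fpga_out = FPGA_OUT_HDR.pack(cpu_sa_index_for_esp(esp, sa_table), WAN_IF)
    eth2 = ETH_HDR.pack(FPGA_MAC, CPU_MAC, PRIVATE_ETHERTYPE)
    switch3 = SWITCH_HDR.pack(CPU_PORT, SWITCH_TO_FPGA_PORT)
    return switch3 + eth2 + fpga_out + tunnel_hdr + five_tuple + esp + adwan_hdr + original


def fpga_process_third_encapsulation(frame: bytes, sa_table: List[SAEntry]) -> bytes:
    """Inline Engine: fetch the SA by index, encrypt ADWAN+original+Tail, append Auth,
    drop switch3/ETH2/FPGA-OUT and prepend the fourth switch header with the egress interface."""
    off = SWITCH_HDR.size
    _, _, ethertype = ETH_HDR.unpack_from(frame, off)
    off += ETH_HDR.size
    if ethertype != PRIVATE_ETHERTYPE:
        raise ValueError("ETH2 EtherType is not the negotiated private protocol")
    sa_index, egress_if = FPGA_OUT_HDR.unpack_from(frame, off)
    off += FPGA_OUT_HDR.size
    if sa_index >= len(sa_table):
        raise LookupError(f"SA index {sa_index} out of range")
    sa = sa_table[sa_index]
    esp_off = off + TUNNEL_LEN + FIVE_TUPLE_LEN
    spi, seq = ESP_FIXED.unpack_from(frame, esp_off)
    if spi != sa.spi:                             # cheap consistency check on what the CPU handed over
        raise ValueError("SA index does not match the SPI in the ESP header")
    clear = frame[off:esp_off + ESP_FIXED.size]   # tunnel, five-tuple and ESP header stay in the clear
    body = ALGORITHMS[sa.algorithm](sa.enc_key, spi, seq, frame[esp_off + ESP_FIXED.size:] + ESP_TAIL)
    auth = hmac.new(sa.auth_key, clear[-ESP_FIXED.size:] + body, hashlib.sha256).digest()[:12]
    return SWITCH_HDR.pack(FPGA_PORT, egress_if) + clear + body + auth


def switch_chip_transmit(frame: bytes):
    """Switch chip: strip the fourth switch header and emit the ciphertext on the egress interface."""
    _, egress_if = SWITCH_HDR.unpack_from(frame)
    return egress_if, frame[SWITCH_HDR.size:]


# Constructed sample: two SA entries, one inner packet, outer headers as opaque filler.
SA_TABLE = [SAEntry(0x1001, "hmac-sha256-ctr", b"K" * 32, b"A" * 32),
            SAEntry(0x2002, "hmac-sha256-ctr", b"L" * 32, b"B" * 32)]
TUNNEL_HDR = b"\xaa" * TUNNEL_LEN
FIVE_TUPLE = b"\xbb" * FIVE_TUPLE_LEN
ADWAN_HDR = b"\xcc" * ADWAN_LEN
ORIGINAL = b"\x45" + b"\x00" * 19 + b"inner payload"


def run_demo():
    frame = cpu_build_third_encapsulation(ORIGINAL, SA_TABLE, 0x2002, 1, TUNNEL_HDR, FIVE_TUPLE, ADWAN_HDR)
    egress_if, wire = switch_chip_transmit(fpga_process_third_encapsulation(frame, SA_TABLE))
    clear_len = TUNNEL_LEN + FIVE_TUPLE_LEN + ESP_FIXED.size
    recovered = hmac_ctr_xor(SA_TABLE[1].enc_key, 0x2002, 1, wire[clear_len:-12])
    return {"egress_if": egress_if, "clear": wire[:clear_len], "recovered": recovered, "wire": wire}


if __name__ == "__main__":
    print(run_demo())
```

The SPI-versus-index cross-check in the FPGA path is the caveat a practitioner would want: the index in FPGA-OUT is only as trustworthy as the CPU that wrote it, and comparing it with the SPI that will go on the wire catches a stale table or a mismatched issue of SA entries before traffic is encrypted under the wrong key.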
The foregoing describes the methods provided by the present application. The devices provided by the present application are described below:
fig. 13 is a schematic structural diagram of a decryption device according to an embodiment of the present application.
As shown in fig. 13, the apparatus may include:
a determining unit 1301, configured to receive, through the switch chip, a message forwarded through the tunnel between the device and a peer device and, if it determines that the data to be decrypted carried by the message needs to be decrypted, add a first switch header to the message and redirect it to the Inline Engine; the first switch header carries at least the ingress interface information of the message received by the device;
a decryption unit 1302, configured to parse, through the Inline Engine, the unencrypted message characteristic information carried by the message and the security parameter index (SPI) information in the unencrypted Encapsulating Security Payload (ESP) field carried by the message, obtain from the acquired first security association (SA) entry information the SA entry matching the message characteristic information and the SPI information, and decrypt the data to be decrypted with the decryption algorithm and decryption key in that SA entry to obtain a first plaintext; and to send the first plaintext and the ingress interface information to the switch chip through the Inline Engine so that the switch chip forwards them to the CPU;
and a processing unit 1303, configured to perform, through the CPU, the corresponding data processing on the first plaintext according to the ingress interface information and forward the processing result.
In some embodiments, in the determining unit 1301, determining that the data to be decrypted carried by the message needs to be decrypted includes:
determining that the unencrypted destination port number carried by the message is a port number of the device and that the port number is marked with a decryption tag, and thereby determining that the data to be decrypted carried by the message needs to be decrypted;
where a decryption tag marked on any port number indicates that the encrypted data carried by a message whose destination port number is that port number needs to be decrypted.
In some embodiments, in the decryption unit 1302, sending the first plaintext and the ingress interface information to the switch chip through the Inline Engine further includes:
encapsulating the first plaintext to obtain a first encapsulated message, which is the first plaintext encapsulated with a private Ethernet header ETH1, a logic header FPGA-IN and a second switch header, where the private Ethernet header ETH1 corresponds to the private protocol negotiated by the Inline Engine and the CPU, the logic header FPGA-IN carries the ingress interface information, and the second switch header instructs the switch chip to forward the first encapsulated message to the CPU;
and sending the first encapsulated message to the switch chip.
In some embodiments, the first plaintext carries an application-driven wide area network (ADWAN) header, an inner IP address and the data to be transmitted;
in the processing unit 1303, performing the corresponding data processing on the first plaintext according to the ingress interface information through the CPU includes: finding, through the CPU, the processing function configured on the ingress interface identified by the ingress interface information, and processing the first plaintext with that processing function;
in the processing unit 1303, forwarding the processing result includes: encapsulating the inner IP address and the processing result for IP forwarding to obtain a second encapsulated message, and forwarding the second encapsulated message.
Fig. 14 is a schematic structural diagram of an encryption device according to another embodiment of the present application.
As shown in fig. 14, the apparatus may include:
a processing unit 1401, configured to receive, through the CPU, an original message that needs to be encrypted, encapsulate it based on the tunnel used to transmit it to obtain a third encapsulated message, and send the third encapsulated message to the switch chip so that the switch chip forwards it to the Inline Engine; the third encapsulated message carries at least a tunnel header, a message characteristic information field, an Encapsulating Security Payload (ESP) field corresponding to the tunnel and a logic header FPGA-OUT, and FPGA-OUT carries a security association (SA) entry index that the CPU obtains from the acquired second SA entry information based on the security parameter index (SPI) information in the ESP field;
and an encryption unit 1402, configured to receive the third encapsulated message through the Inline Engine, obtain from the acquired second SA entry information the SA entry matching the SA entry index in the logic header FPGA-OUT carried by the third encapsulated message, encrypt the data to be encrypted carried by the third encapsulated message with the encryption algorithm and encryption key in that SA entry, and forward the result to the switch chip so that the switch chip forwards the ciphertext through the tunnel; the data to be encrypted comprises at least the original message.
In some embodiments, the third encapsulated message further carries a private Ethernet header ETH2 corresponding to the private protocol negotiated by the CPU and the Inline Engine, and a third switch header; the third switch header instructs the switch chip to forward the third encapsulated message to the Inline Engine;
in the encryption unit 1402, encrypting the data to be encrypted carried by the third encapsulated message with the encryption algorithm and encryption key in the SA entry and forwarding the result to the switch chip includes:
processing the third encapsulated message as follows: encrypting the data to be encrypted it carries with the encryption algorithm and encryption key in the SA entry, stripping the logic header FPGA-OUT, the private Ethernet header ETH2 and the third switch header it carries, and adding a fourth switch header to it;
and forwarding the processed third encapsulated message to the switch chip;
where the logic header FPGA-OUT further carries the egress interface information of the tunnel on the device, and the fourth switch header carries that egress interface information, so that after receiving the processed third encapsulated message the switch chip strips the fourth switch header and forwards the message based on the egress interface information carried in it;
and/or,
in the encryption unit 1402, the data to be encrypted further includes a tunnel header, the tunnel header being an application-driven wide area network (ADWAN) header.
The embodiment of the application provides an electronic device, which comprises a processor and a memory, wherein the memory stores machine executable instructions capable of being executed by the processor, and the processor is used for executing the machine executable instructions to realize the encryption/decryption method.
Fig. 15 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application. The electronic device may include a processor 1501, a memory 1502 storing machine executable instructions. The processor 1501 and the memory 1502 may communicate via a system bus 1503. Also, the processor 1501 can perform the encryption/decryption method described above by reading and executing machine-executable instructions corresponding to encryption/decryption logic in the memory 1502.
The memory 1502 referred to herein may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions or data. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g. a hard drive), a solid-state drive, any type of storage disk (e.g. an optical disk or DVD), a similar storage medium, or a combination thereof.
It is noted that relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between them. Moreover, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to it. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather to enable any modification, equivalent replacement, improvement or the like to be made within the spirit and principles of the application.

Claims (16)

1. A decryption method, characterized in that the method is applied to a network device comprising at least an encryption/decryption engine (Inline Engine), a switch chip and a CPU, the method comprising:
receiving, through the switch chip, a message forwarded through a tunnel between the device and a peer device and, if it is determined that the data to be decrypted carried by the message needs to be decrypted, adding a first switch header to the message and redirecting the message to the Inline Engine; the first switch header carrying at least the ingress interface information of the message received by the device;
parsing, through the Inline Engine, the unencrypted message characteristic information carried by the message and the security parameter index (SPI) information in the unencrypted Encapsulating Security Payload (ESP) field carried by the message, obtaining from the acquired first security association (SA) entry information the SA entry matching the message characteristic information and the SPI information, and decrypting the data to be decrypted with the decryption algorithm and decryption key in that SA entry to obtain a first plaintext; and sending the first plaintext and the ingress interface information to the switch chip through the Inline Engine so that the switch chip forwards them to the CPU;
and performing, through the CPU, the corresponding data processing on the first plaintext according to the ingress interface information and forwarding the processing result.
2. The method according to claim 1, wherein determining that the data to be decrypted carried by the message needs to be decrypted includes:
determining that the unencrypted destination port number carried by the message is a port number of the device and that the port number is marked with a decryption tag, and thereby determining that the data to be decrypted carried by the message needs to be decrypted;
where a decryption tag marked on any port number indicates that the encrypted data carried by a message whose destination port number is that port number needs to be decrypted.
3. The method of claim 1, wherein sending the first plaintext and the ingress interface information to the switch chip through the Inline Engine further comprises:
encapsulating the first plaintext to obtain a first encapsulated message, which is the first plaintext encapsulated with a private Ethernet header ETH1, a logic header FPGA-IN and a second switch header, where the private Ethernet header ETH1 corresponds to the private protocol negotiated by the Inline Engine and the CPU, the logic header FPGA-IN carries the ingress interface information, and the second switch header instructs the switch chip to forward the first encapsulated message to the CPU;
and sending the first encapsulated message to the switch chip.
4. The method of claim 1, wherein the first plaintext carries an application-driven wide area network (ADWAN) header, an inner IP address and the data to be transmitted;
performing, through the CPU, the corresponding data processing on the first plaintext according to the ingress interface information comprises: finding, through the CPU, the processing function configured on the ingress interface identified by the ingress interface information, and processing the first plaintext with that processing function;
and forwarding the processing result comprises: encapsulating the inner IP address and the processing result for IP forwarding to obtain a second encapsulated message, and forwarding the second encapsulated message.
5. An encryption method, characterized in that the method is applied to a network device comprising at least an encryption/decryption engine (Inline Engine), a switch chip and a CPU, the method comprising:
receiving, through the CPU, an original message that needs to be encrypted, encapsulating it based on the tunnel used to transmit it to obtain a third encapsulated message, and sending the third encapsulated message to the switch chip so that the switch chip forwards it to the Inline Engine; the third encapsulated message carrying at least a tunnel header, a message characteristic information field, an Encapsulating Security Payload (ESP) field corresponding to the tunnel and a logic header FPGA-OUT, and FPGA-OUT carrying a security association (SA) entry index that the CPU obtains from the acquired second SA entry information based on the security parameter index (SPI) information in the ESP field;
and receiving the third encapsulated message through the Inline Engine, obtaining from the acquired second SA entry information the SA entry matching the SA entry index in the logic header FPGA-OUT carried by the third encapsulated message, encrypting the data to be encrypted carried by the third encapsulated message with the encryption algorithm and encryption key in that SA entry, and forwarding the result to the switch chip so that the switch chip forwards the ciphertext through the tunnel; the data to be encrypted comprising at least the original message.
6. The method of claim 5, wherein the third encapsulated message further carries a private Ethernet header ETH2 corresponding to the private protocol negotiated by the CPU and the Inline Engine, and a third switch header, the third switch header instructing the switch chip to forward the third encapsulated message to the Inline Engine.
7. The method of claim 6, wherein encrypting the data to be encrypted carried by the third encapsulated message with the encryption algorithm and encryption key in the SA entry and forwarding the result to the switch chip comprises:
processing the third encapsulated message as follows: encrypting the data to be encrypted it carries with the encryption algorithm and encryption key in the SA entry, stripping the logic header FPGA-OUT, the private Ethernet header ETH2 and the third switch header it carries, and adding a fourth switch header to it;
and forwarding the processed third encapsulated message to the switch chip;
where the logic header FPGA-OUT further carries the egress interface information of the tunnel on the device, and the fourth switch header carries that egress interface information, so that after receiving the processed third encapsulated message the switch chip strips the fourth switch header and forwards the message based on the egress interface information carried in it.
8. The method of claim 5, wherein the data to be encrypted further comprises a tunnel header, the tunnel header being an application-driven wide area network (ADWAN) header.
9. A decryption apparatus, applied to a network device comprising at least an encryption/decryption engine (Inline Engine), a switch chip and a CPU, the apparatus comprising:
a determining unit, configured to receive, through the switch chip, a packet forwarded over a tunnel between the device and a peer device and, if it determines that the data to be decrypted carried by the packet needs to be decrypted, to add a first switch header to the packet and redirect it to the Inline Engine; the first switch header carries at least the ingress interface information on which the device received the packet;
a decryption unit, configured to parse, through the Inline Engine, the unencrypted packet characteristic information carried by the packet and the Security Parameter Index (SPI) in the unencrypted Encapsulating Security Payload (ESP) field carried by the packet, to obtain from the first SA entry information the SA entry matching that characteristic information and SPI, to decrypt the data to be decrypted using the decryption algorithm and decryption key in that SA entry to obtain a first plaintext, and to send the first plaintext and the ingress interface information through the Inline Engine to the switch chip so that the switch chip forwards them to the CPU;
and a processing unit, configured to perform, through the CPU, the data processing that corresponds to the ingress interface information on the first plaintext and to forward the processing result.
10. The apparatus of claim 9, wherein the determining unit determines that the data to be decrypted carried by the packet needs to be decrypted by:
determining that the unencrypted destination port number carried by the packet is a port number of the device and that the port number is marked with a decryption tag;
wherein a decryption tag on any port number indicates that the encrypted data carried by a packet whose destination port number is that port number needs to be decrypted.
11. The apparatus of claim 9, wherein sending the first plaintext and the ingress interface information through the Inline Engine to the switch chip further comprises:
encapsulating the first plaintext to obtain a first encapsulated packet, the first encapsulated packet being the first plaintext encapsulated with a private Ethernet header ETH1, a logic header FPGA-IN and a second switch header, wherein the private Ethernet header ETH1 corresponds to the private protocol negotiated between the Inline Engine and the CPU, the logic header FPGA-IN carries the ingress interface information, and the second switch header instructs the switch chip to forward the first encapsulated packet to the CPU;
and sending the first encapsulated packet to the switch chip.
12. The apparatus of claim 9, wherein the first plaintext carries an Application-Driven WAN (ADWAN) header, an inner-layer IP address and the data to be transmitted;
in the processing unit, performing, through the CPU, the data processing corresponding to the ingress interface information on the first plaintext comprises: looking up, through the CPU, the processing function configured for the ingress interface named by the ingress interface information, and processing the first plaintext with that function;
in the processing unit, forwarding the processing result comprises: encapsulating the inner-layer IP address and the processing result for IP forwarding to obtain a second encapsulated packet, and forwarding the second encapsulated packet.
13. An encryption apparatus, applied to a network device comprising at least an encryption/decryption engine (Inline Engine), a switch chip and a CPU, the apparatus comprising:
a processing unit, configured to receive, through the CPU, an original packet to be encrypted, to encapsulate the original packet according to the tunnel used to transmit it to obtain a third encapsulated packet, and to send the third encapsulated packet to the switch chip so that the switch chip forwards it to the Inline Engine; the third encapsulated packet carries at least a tunnel header, a packet characteristic information field, an Encapsulating Security Payload (ESP) field corresponding to the tunnel, and a logic header FPGA-OUT; FPGA-OUT carries a security association (SA) entry index, which the CPU obtained from the second SA entry information it holds by looking up the Security Parameter Index (SPI) carried in the ESP field;
and an encryption unit, configured to receive the third encapsulated packet through the Inline Engine, to obtain from the second SA entry information the SA entry matching the SA entry index carried in the logic header FPGA-OUT, to encrypt the data to be encrypted carried by the third encapsulated packet using the encryption algorithm and encryption key in that SA entry, and to forward the result to the switch chip so that the switch chip forwards the ciphertext through the tunnel, wherein the data to be encrypted comprises at least the original packet.
14. The apparatus of claim 13, wherein the third encapsulated packet further carries a private Ethernet header ETH2, corresponding to the private protocol negotiated between the CPU and the Inline Engine, and a third switch header; the third switch header instructs the switch chip to forward the third encapsulated packet to the Inline Engine;
the encryption unit encrypting the data to be encrypted using the encryption algorithm and encryption key in the SA entry and forwarding the result to the switch chip comprises:
processing the third encapsulated packet as follows: encrypting the data to be encrypted using the encryption algorithm and encryption key in the SA entry, stripping the logic header FPGA-OUT, the private Ethernet header ETH2 and the third switch header, and prepending a fourth switch header;
forwarding the processed third encapsulated packet to the switch chip;
wherein the logic header FPGA-OUT also carries the egress interface information of the tunnel on the device, and the fourth switch header carries that egress interface information, so that the switch chip, on receiving the processed third encapsulated packet, strips the fourth switch header and forwards the packet on the egress interface it names;
and/or
in the encryption unit, the data to be encrypted further comprises the tunnel header, the tunnel header being an Application-Driven WAN (ADWAN) header.
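The two data paths the claims describe (the encryption path of claims 5-8 and 13-14, and the decryption path of claims 9-12) are easier to reason about as one runnable model. The following is an added example and is not code from the patent or from New H3C's implementation. It assumes byte encodings for the switch headers, FPGA-OUT/FPGA-IN, ETH1/ETH2, the tunnel header (modelled as a destination port only) and the characteristic information field (modelled as a tunnel id), none of which the claims fix; the cipher is a stand-in HMAC-SHA256 keystream so the example runs on the standard library, not the SA algorithm a real device would use. The `Device` class, its method names and the sample packet are all constructed for illustration.

```python
import hashlib
import hmac
import struct

# Wire layouts below are assumptions: the patent names these headers, not their encoding.
SWITCH_HDR = ">BH"                     # kind, interface id
TO_ENGINE, TO_EGRESS, FROM_INGRESS, TO_CPU = 1, 2, 3, 4
FPGA_OUT = ">HH"                       # SA entry index, egress interface id
FPGA_IN = ">H"                         # ingress interface id
TUNNEL_HDR = ">H"                      # stand-in tunnel header: destination port only
FEATURE = ">H"                         # packet characteristic information: tunnel id
ESP_HDR = ">II"                        # SPI, sequence number (RFC 4303 layout)
ETH2, ETH1 = b"\xa2" * 4, b"\xa1" * 4  # private Ethernet headers CPU<->Engine (assumed)
SW, FO, FI, TH, FE, EH = (struct.calcsize(f) for f in
                          (SWITCH_HDR, FPGA_OUT, FPGA_IN, TUNNEL_HDR, FEATURE, ESP_HDR))


def xor_keystream(key, spi, seq, data):
    """Stand-in cipher: HMAC-SHA256 keystream bound to (SPI, seq) so no two packets
    share a stream. Not a production cipher; the patent leaves the SA algorithm open."""
    blocks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(key, struct.pack(">IIQ", spi, seq, i), hashlib.sha256).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


class Device:
    """One network device; CPU, switch chip and Inline Engine are modelled as methods."""

    def __init__(self, decrypt_ports, handlers):
        self.by_index, self.by_tunnel_spi, self.index_by_spi = {}, {}, {}  # pre-issued SA entries
        self.decrypt_ports = decrypt_ports  # claim 10: own ports marked with a decryption tag
        self.handlers = handlers            # claim 12: processing function per ingress interface

    def install_sa(self, index, tunnel_id, spi, key):
        sa = {"spi": spi, "key": key}
        self.by_index[index] = sa
        self.by_tunnel_spi[(tunnel_id, spi)] = sa
        self.index_by_spi[spi] = index

    # ---- encryption path (claims 5-8): CPU -> switch chip -> Engine -> switch chip -> wire ----
    def cpu_send(self, original, tunnel_id, port, spi, egress, seq):
        """CPU resolves the SPI to an SA entry index and carries it in FPGA-OUT."""
        sa_index = self.index_by_spi.get(spi)
        if sa_index is None:
            return None
        third = (ETH2 + struct.pack(SWITCH_HDR, TO_ENGINE, 0)
                 + struct.pack(FPGA_OUT, sa_index, egress)
                 + struct.pack(TUNNEL_HDR, port) + struct.pack(FEATURE, tunnel_id)
                 + struct.pack(ESP_HDR, spi, seq) + original)
        fourth = self.engine_encrypt(third)
        return None if fourth is None else self.switch_egress(fourth)

    def engine_encrypt(self, third):
        off = len(ETH2) + SW
        sa_index, egress = struct.unpack_from(FPGA_OUT, third, off)
        sa = self.by_index.get(sa_index)
        if sa is None:
            return None                       # unknown index: drop, never forward plaintext
        esp_at = off + FO + TH + FE
        spi, seq = struct.unpack_from(ESP_HDR, third, esp_at)
        if spi != sa["spi"]:
            return None                       # the ESP SPI must name the indexed SA
        ct = xor_keystream(sa["key"], spi, seq, third[esp_at + EH:])
        # strip ETH2, third switch header and FPGA-OUT; prepend fourth switch header with egress
        return struct.pack(SWITCH_HDR, TO_EGRESS, egress) + third[off + FO:esp_at + EH] + ct

    def switch_egress(self, fourth):
        kind, egress = struct.unpack_from(SWITCH_HDR, fourth)
        if kind != TO_EGRESS:
            raise ValueError("switch chip expected a fourth switch header")
        return egress, fourth[SW:]            # switch strips its header; rest goes on the wire

    # ---- decryption path (claims 9-12): wire -> switch chip -> Engine -> switch chip -> CPU ----
    def switch_ingress(self, wire, ingress):
        (port,) = struct.unpack_from(TUNNEL_HDR, wire)
        if port not in self.decrypt_ports:
            return None                       # claim 10: no decryption tag, no redirect
        first = struct.pack(SWITCH_HDR, FROM_INGRESS, ingress) + wire
        enc1 = self.engine_decrypt(first)
        return None if enc1 is None else self.cpu_handle(enc1)

    def engine_decrypt(self, first):
        _, ingress = struct.unpack_from(SWITCH_HDR, first)
        (tunnel_id,) = struct.unpack_from(FEATURE, first, SW + TH)     # cleartext on the wire
        spi, seq = struct.unpack_from(ESP_HDR, first, SW + TH + FE)    # cleartext on the wire
        sa = self.by_tunnel_spi.get((tunnel_id, spi))
        if sa is None:
            return None                       # no SA for (characteristic info, SPI): drop
        pt = xor_keystream(sa["key"], spi, seq, first[SW + TH + FE + EH:])
        return ETH1 + struct.pack(FPGA_IN, ingress) + struct.pack(SWITCH_HDR, TO_CPU, 0) + pt

    def cpu_handle(self, enc1):
        (ingress,) = struct.unpack_from(FPGA_IN, enc1, len(ETH1))
        return self.handlers[ingress](enc1[len(ETH1) + FI + SW:])


def run_demo():
    """Constructed sample: device A encrypts toward device B over tunnel 7, SPI 0x1001."""
    key = hashlib.sha256(b"constructed demo key").digest()
    a = Device(decrypt_ports=set(), handlers={})
    b = Device(decrypt_ports={4500}, handlers={2: lambda pt: b"iface2:" + pt})
    for dev in (a, b):
        dev.install_sa(index=3, tunnel_id=7, spi=0x1001, key=key)
    egress, wire = a.cpu_send(b"hello over ADWAN", tunnel_id=7, port=4500, spi=0x1001, egress=1, seq=1)
    untagged = struct.pack(TUNNEL_HDR, 4501) + wire[TH:]                        # port not tagged
    bad_spi = wire[:TH + FE] + struct.pack(">I", 0x2002) + wire[TH + FE + 4:]   # SPI with no SA
    return wire, [b.switch_ingress(p, ingress=2) for p in (wire, untagged, bad_spi)]


if __name__ == "__main__":
    print(run_demo())
```

Two points the model makes visible. Both SA lookups are driven by fields that are never encrypted: the outbound index comes from the CPU in FPGA-OUT and the inbound key is (characteristic information, SPI) read straight off the wire, so a lookup miss must drop the packet rather than pass it through, and the engine should check that the SPI the CPU placed in the ESP field actually belongs to the indexed entry. The claims speak only of encrypting and decrypting; an ESP packet under RFC 4303 also carries an integrity check value, and a real engine would verify it before decrypting.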
15. An electronic device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor for executing the machine executable instructions to implement the method of any of claims 1-8.
16. A machine-readable storage medium having stored thereon machine-executable instructions which, when executed by a processor, implement the method of any of claims 1-8.
CN202311474395.4A 2023-11-07 2023-11-07 Decryption and encryption method and device Active CN117221012B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311474395.4A CN117221012B (en) 2023-11-07 2023-11-07 Decryption and encryption method and device

Publications (2)

Publication Number Publication Date
CN117221012A true CN117221012A (en) 2023-12-12
CN117221012B CN117221012B (en) 2024-01-26

Family

ID=89037453

Country Status (1)

Country Link
CN (1) CN117221012B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160364343A1 (en) * 2015-06-10 2016-12-15 Freescale Semiconductor, Inc. Systems and methods for data encryption
WO2017074432A1 (en) * 2015-10-30 2017-05-04 Halliburton Energy Services, Inc. Proppant aggregate particulates for use in subterranean formation operations
CN109257174A (en) * 2018-11-26 2019-01-22 安徽皖通邮电股份有限公司 A kind of application method of quantum key in VPWS business
CN110995595A (en) * 2019-12-16 2020-04-10 新华三大数据技术有限公司 Message sending method, device, storage medium and node equipment
CN115664969A (en) * 2022-06-13 2023-01-31 深圳市高德信通信股份有限公司 SD-WAN system, and use method and device of SD-WAN system
CN115913783A (en) * 2022-12-29 2023-04-04 苏州盛科通信股份有限公司 Data encryption and decryption method and device based on Soc chip
CN116594567A (en) * 2023-05-30 2023-08-15 维沃移动通信有限公司 Information management method and device and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
任利军: "WLAN网络安全威胁及防御策略", 网络安全技术与应用 *

Also Published As

Publication number Publication date
CN117221012B (en) 2024-01-26

Similar Documents

Publication Publication Date Title
US7398386B2 (en) Transparent IPSec processing inline between a framer and a network component
US6438612B1 (en) Method and arrangement for secure tunneling of data between virtual routers
US9967372B2 (en) Multi-hop WAN MACsec over IP
CN102882789B (en) A kind of data message processing method, system and equipment
US7346770B2 (en) Method and apparatus for traversing a translation device with a security protocol
US8775790B2 (en) System and method for providing secure network communications
US7434045B1 (en) Method and apparatus for indexing an inbound security association database
US9369550B2 (en) Protocol for layer two multiple network links tunnelling
CN112491821B (en) IPSec message forwarding method and device
US9083683B2 (en) Encryption/decryption device for secure communications between a protected network and an unprotected network and associated methods
US20170359448A1 (en) Methods and systems for creating protocol header for embedded layer two packets
CN107306198B (en) Message forwarding method, device and system
WO2016165277A1 (en) Ipsec diversion implementing method and apparatus
CN112600802B (en) SRv6 encrypted message and SRv6 message encryption and decryption methods and devices
WO2011079717A1 (en) Message transmitting method, equipment and system
US10230698B2 (en) Routing a data packet to a shared security engine
CN117221012B (en) Decryption and encryption method and device
CN112217769A (en) Data decryption method, data encryption method, data decryption device, data encryption device, data decryption equipment and data decryption medium based on tunnel
CN111835613A (en) Data transmission method of VPN server and VPN server
CN114338116B (en) Encryption transmission method and device and SD-WAN network system
EP4175227A1 (en) Security for communication protocols
CN116346769A (en) Service interaction method, device, service system, electronic equipment and medium
CN117640235A (en) Dual encryption method based on IPsec and quantum key and encryption gateway
CN115766063A (en) Data transmission method, device, equipment and medium
Güvensan et al. Protocol Independent Lightweight Secure Communication.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant