CN1642069A - Encryption/decryption module dynamic updating system and method for safety gateway device - Google Patents


Info

Publication number: CN1642069A
Authority: CN (China)
Prior art keywords: enciphering, deciphering module, gateway device, deciphering, security gateway
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN 200410001975
Other languages: Chinese (zh)
Inventors: 曾宏伟, 吕致中
Current assignee: WEIDA ELECTRIC CO Ltd (as listed by Google Patents; may be inaccurate)
Original assignee: WEIDA ELECTRIC CO Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a system and method for dynamically updating the encryption/decryption modules of a security gateway. It applies to a security gateway, namely a virtual private network (VPN) gateway conforming to the IPsec protocol, connected between at least one client computer system and a network system. The dynamic update system comprises a network (web) interface, a module dynamic update unit, a custom module unit and an extended function library. Through the network interface and the module dynamic update unit, the user can individually update or add encryption/decryption modules in the gateway's extended function library without reflashing the whole core (kernel) firmware. This saves setup time, improves operating efficiency, reduces maintenance cost, increases the expandability of the gateway's encryption/decryption modules, and makes network transmission safer.

Description

Encryption/decryption module dynamic update system and method for a security gateway device
Technical field
The present invention relates to a system and method for updating encryption/decryption modules, and in particular to a system and method for dynamically updating the encryption/decryption modules of a security gateway device.
Background technology
The most common security gateway device on the market today is the virtual private network gateway (VPN Gateway). A virtual private network lets a user enter a public network environment such as the Internet or an ATM network from any remote site in the world, yet use it as though it were the company's internal LAN, an intranet or an extranet, so that the convenience of a public network and the security of an internal network are obtained together. Using such a VPN, an authorized remote user can set up a dedicated channel over the Internet to other users, companies, branches, dealers and customers in order to exchange important information. Fig. 1 shows a common VPN structure: several remote client computer systems 10, 30 and 40 (each of which may sit in a LAN) use their respective VPN gateways 104, 304 and 404 to establish VPN tunnels 602 across the Internet 50 and transmit important data to one another. When any of the remote client systems 10, 30 or 40 wants to reach an internal company computer system from outside, such as the server computer system 20, it likewise uses its own VPN gateway 104, 304 or 404 to set up a VPN tunnel for remote data access.
The principle of a VPN is tunneling: using one of the common protocols IPsec, PPTP or L2TP, a secure channel equivalent to the internal network environment is constructed across a public network such as the Internet, and the client's private data packets are protected by encapsulation so that data in transit cannot be stolen by an outsider such as an attacker. The transmission of private data can also be combined with other mechanisms such as security certification, identity authentication (ID authentication) or encryption/decryption, which makes the functions of the VPN gateway more varied, secure and complete.
The encryption/decryption mechanisms of a VPN fall mostly into two categories: symmetric secret-key cryptography and asymmetric public-key cryptography. For example, the IPsec protocol suite uses the Internet Key Exchange (IKE) protocol, which during IKE Phase 1 and Phase 2 generates public-key material to protect a key that is passed to the receiving end, so that the receiving end can use that key to decrypt the encrypted data sent afterwards. The purpose of IKE is to establish, authenticate and exchange a Security Association (SA): to identify both parties, agree on the encryption/decryption algorithms to be shared, and generate, exchange and establish keys between them. The key length used to establish the VPN, the type of encryption/decryption algorithm, and the encryption/decryption execution function are all recorded in the encryption/decryption module of each VPN gateway.
Although most VPN gateway vendors now supply encryption/decryption modules of their own design that conform to industry standards, such as modules conforming to the IPsec protocol, the update mechanism for these modules is, for reasons of overall system security, stability, execution efficiency and interoperability, usually tied to the update mechanism of the gateway's core firmware (kernel firmware): even when only the encryption/decryption module needs correcting or upgrading, the whole core firmware must be upgraded together with it. The known update procedure is shown in Fig. 3. In step S200, a client computer system (10 in Fig. 1) connects through its web browser and the Internet to the website of the VPN gateway vendor's server computer system (20 in Fig. 1). In step S210, the whole new core firmware is downloaded to the client's storage device (102 in Fig. 1). In steps S220 and S230, the new core firmware is uploaded into the gateway 104' through the gateway's own user interface (GUI) 114' (see Fig. 2). In step S240, the core update module 126' (see Fig. 2) in the gateway's current function library 124' starts upgrading the core operating program 134' with the new core firmware. In step S250, while the core update module 126' upgrades the core firmware, the encryption/decryption module 128' in the current function library 124' (see Fig. 2) is updated along with it. In step S260 the VPN gateway 104' is rebooted, and in step S270 the update of the new encryption/decryption module is complete.
The known technology therefore has the following disadvantages:
(1) Although each encryption/decryption code module accounts for only a tiny part of the program code of a VPN gateway, the security function it provides is essential to the gateway and cannot be omitted; yet the modules a vendor supplies may not cover or satisfy every user's needs. In the known approach, the encryption/decryption module is permanently fixed in the gateway's current function library (Current Library) as part of the factory configuration, so a user who wants a different module must download and update the whole core firmware each time, and the vendor, to meet every possible usage demand, must prepare core firmware images containing every combination of module versions. This costs download time, is inefficient and inflexible, is error-prone, and makes version maintenance expensive for the vendor.
(2) A function the known technology lacks is that the user of a VPN product may need to develop and install an encryption/decryption module of their own according to their requirements, rather than having to use an industry-standard module or one supplied by the vendor. If a VPN gateway product offered a way for the user to update or add encryption/decryption modules on their own, that flexibility would greatly widen the potential customer base and substantially increase the expandability of the gateway's encryption/decryption code modules.
Summary of the invention
To overcome the disadvantages of the known technology, a main object of the present invention is to provide an encryption/decryption module dynamic update system and method for a security gateway device in which a module dynamic update unit lets the gateway's user update only the encryption/decryption code module in the gateway's extended function library (Extended Library) each time, without updating the whole core firmware as well, thereby saving installation time, improving operating efficiency and reducing maintenance cost.
Another object of the present invention is to provide such a system and method in which a custom module unit and a module dynamic update unit let the gateway's user conveniently build the required encryption/decryption code module themselves and place the newly built module in an extended function library (Extended Library), where it is convenient to revise and update later; this increases the expandability of the gateway's encryption/decryption code modules and makes network transmission safer.
A further object of the present invention is to provide such a system and method in which a network interface (Web GUI) lets the user of the security gateway easily select the required encryption/decryption code module in a window and place the newly added or updated crypto module in the extended function library (Extended Library), combining ease of operation with efficient system operation.
To achieve these objects, an encryption/decryption module dynamic update system for a security gateway device according to the present invention is installed in the security gateway device, which is a virtual private network gateway conforming to the IPsec protocol, has a current function library, a core operating program (kernel) and a work scheduling unit, and is connected between at least one client computer system and a network system.
The dynamic update system comprises a network interface, a module dynamic update unit, a custom module unit, an extended function library, an extended function library interface and a configuration unit. The network interface produces, on the client computer system, at least one window with an encryption/decryption module dynamic update mechanism through which the user selectively uploads a new version of an encryption/decryption module to the security gateway. The module dynamic update unit, located in the current function library, dynamically updates the corresponding existing module in the extended function library or adds the uploaded module to the extended function library, according to the type of the new module uploaded to the gateway. The extended function library holds the encryption/decryption modules. The extended function library interface assists the extended function library in exchanging data with the current function library and with the core operating program respectively. The configuration unit is a system file that sets the execution flow conforming to the IPsec protocol, so that after an encryption/decryption module is updated or added, the key exchange flow of the existing Internet Key Exchange (IKE) protocol is also updated accordingly.
In addition, an encryption/decryption module dynamic update method for a security gateway device according to the present invention applies to a security gateway device connected between at least one client computer system and a network system, and comprises at least:
connecting from the web browser of the client computer system, through the network system, to the website of the gateway vendor and downloading the program code of a new version of an encryption/decryption module to the client computer system;
activating a network interface of the security gateway to produce, on the client computer system, at least one window with an encryption/decryption module dynamic update mechanism;
in the window provided by the network interface, selecting the new-version encryption/decryption module to be uploaded, or a custom-made encryption/decryption module to be added;
uploading the selected new-version encryption/decryption module to the security gateway;
having a module dynamic update unit of the security gateway, according to the type of the uploaded module, dynamically update the corresponding existing module in an extended function library or add the uploaded module to the extended function library;
updating the key exchange flow of the IKE protocol of the security gateway; and
rebooting the security gateway so that it runs the updated key exchange flow.
The key exchange flow of the IKE protocol of a security gateway device comprises:
(a) initializing the Security Association (SA) of the gateway's existing IPsec protocol;
(b) performing IKE Phase 1;
(c) when no suitable encryption/decryption module is found in the current function library, further fetching at least one suitable encryption/decryption module from an extended function library of the security gateway;
(d) performing IKE Phase 2;
(e) repeating step (c);
(f) completing the key exchange of IKE Phases 1 and 2; and
(g) notifying the network kernel of the security gateway to update the SA of the existing IPsec protocol.
The above objects, features and advantages of the present invention will become more apparent from the following detailed description of preferred embodiments, taken in conjunction with the accompanying drawings.
Description of drawings
Fig. 1 is a schematic diagram of a security gateway device according to a preferred embodiment of the present invention applied in a network system;
Fig. 2 is a schematic diagram of a known security gateway device with an encryption/decryption module;
Fig. 3 is a flow chart of updating the encryption/decryption module of the known security gateway device of Fig. 2;
Fig. 4 is a schematic diagram of the encryption/decryption module dynamic update system of the security gateway device according to the preferred embodiment of the present invention;
Fig. 5 is a flow chart of the encryption/decryption module dynamic update method of the security gateway device according to the embodiment of the present invention; and
Fig. 6 is a flow chart of the IKE key exchange flow of the security gateway device according to the embodiment of the present invention.
The reference numerals are as follows:
10, 30, 40  client computer systems
20  server computer system
50  network system (Internet)
102  storage device
104, 304, 404, 104'  security gateway devices
110  encryption/decryption module dynamic update system
114, 114'  network interface
124, 124'  current function library
126  module dynamic update unit
126'  core update module
128  custom module unit
128'  encryption/decryption module
134  extended function library
134'  core operating program
144  extended function library interface
154  configuration unit
164  core operating program (kernel)
174, 144'  work scheduling unit
602  virtual private network tunnel
S200, S210, S220, S230, S240, S250, S260, S270, S300, S302, S304, S306, S308, S310, S312, S314, S316, S317, S318, S320, S400, S410, S420, S422, S430, S440, S450, S455, S460, S462, S470, S480  operating steps
Embodiment
Referring first to Fig. 4, an encryption/decryption module dynamic update system 110 of a security gateway device according to a preferred embodiment of the present invention is installed in a network security gateway device 104. As shown in Fig. 1, this security gateway 104 is a virtual private network gateway (VPN Gateway) connected to the Internet 50; it conforms to the IPsec protocol and establishes a VPN tunnel for a client computer system 10 to transmit private data securely to other client computer systems 30 and 40. The security gateway 104 has at least a current function library (Current Library) 124, in which a fixed (default) encryption/decryption module A can be placed; a core operating program (Kernel) 164, which is the gateway's operating system; and a work scheduling unit (Daemon) 174, which sequences the work of the whole gateway, such as storing data, sending data and updating encryption/decryption modules.
The dynamic update system 110 comprises at least a network interface 114, a module dynamic update unit 126, a custom module unit 128, an extended function library 134, an extended function library interface 144 and a configuration unit 154. The network interface 114 produces, on the client computer system 10, at least one window offering several encryption/decryption module dynamic update mechanisms so that the user can easily operate or configure the gateway 104: one mechanism updates an existing encryption/decryption module in the gateway 104, and another lets the user add a set of custom-made encryption/decryption modules to the gateway 104. Before activating the network interface 114 to update the gateway's modules, the user must still connect over the Internet to the website of the gateway vendor (20 in Fig. 1), but only needs to download the program code of the new encryption/decryption module to the client computer system, unlike the known technology, which requires downloading the whole core firmware every time.
The module dynamic update unit 126 is installed in the current function library (Current Library) 124 of the gateway 104 and, according to the type of module the user uploads through the network interface 114, dynamically updates the module in, or adds it to, the extended function library 134. The extended function library 134 can therefore hold several encryption/decryption modules at once, for example an upgraded encryption/decryption module B and a custom-made encryption/decryption module C.
The custom module unit 128 is installed in the current function library (Current Library) 124 of the gateway 104 and is connected to the custom-module function of the network interface 114, which produces a window (not shown) belonging to the custom module unit 128; following the prompts of that window, the user fills in the description of the module to be built in the window's blank fields in turn. The description comprises the algorithm type, the algorithm identification code, the data encryption block size, the key length, and the encryption/decryption execution function. The parameters of the encryption/decryption execution function further comprise the block address, the block size, the key contents, the key length, the initialization vector, and an encrypt/decrypt flag.
When the custom module unit 128 has finished the custom-made encryption/decryption module C, module C must likewise be uploaded through the network interface 114 so that the module dynamic update unit 126 adds it to the extended function library 134. The extended function library interface 144 assists the extended function library in exchanging data with the current function library 124 and with the core operating program 164 of the gateway 104 respectively.
The configuration unit 154 is a system file that sets the execution flow conforming to the IPsec protocol, so that after an encryption/decryption module is updated or added, the key exchange procedure of the existing Internet Key Exchange (IKE) protocol is updated to the following steps: (1) in each IKE Phase 1 or Phase 2, first determine whether the current function library 124 has a fixed (default) encryption/decryption module; (2) if not, further determine whether the extended function library 134 has any newly added or updated encryption/decryption module, until a set of modules is selected for the key exchange; and (3) after the IKE phases have completed all key exchange flows, notify the network kernel 164 to update the SA of the existing IPsec protocol.
Referring further to Fig. 5, the encryption/decryption module dynamic update method of a security gateway device according to the preferred embodiment of the present invention comprises the following steps:
Step S300: from the web browser of a client computer system (10 in Fig. 1), connect over the Internet to the website of the server computer system of the security gateway vendor (20 in Fig. 1);
Step S302: download the new-version encryption/decryption module to the storage device of the client computer system (102 in Fig. 1);
Step S304: activate the network interface (GUI) 114 of the security gateway 104;
Step S306: in the window provided by the network interface (GUI) 114, select the encryption/decryption module to be uploaded. If the custom-made encryption/decryption module C is chosen, step S308 is performed: a window of the custom module unit 128 is activated, and following its prompts the user enters the description of the custom module, namely the algorithm type, algorithm identification code, data encryption block size, key length and encryption/decryption execution function, whose parameters further include the block address, block size, key contents, key length, initialization vector and encrypt/decrypt flag. After the entered parameters of custom module C have been confirmed to be correct, step S310 is performed: the new encryption/decryption module C is uploaded to the security gateway 104. Otherwise, if the upgraded encryption/decryption module B downloaded earlier is chosen, the upgraded module B is uploaded directly to the security gateway 104 in step S310;
Step S312: the module dynamic update unit 126 of the security gateway 104 determines whether the uploaded module is an upgraded encryption/decryption module or a newly added custom-made module. If it is an upgraded module, step S316 is performed: the corresponding previous version of the module in the extended function library 134 is updated. If it is a custom-made module, step S314 is performed: the custom-made module is placed in the extended function library 134;
Step S317: update the key exchange flow of the IKE protocol recorded in the configuration unit 154 of the security gateway 104 (described in detail below);
Step S318: reboot the security gateway 104 so that it runs the updated key exchange flow; and
Step S320: the update of the encryption/decryption module is complete.
Referring further to Fig. 6, the IKE key exchange flow and method after the update of step S318 of Fig. 5 applies to the preliminary communication between a receiving end and a sending end (client computer systems 10 and 30 in Fig. 1) before private data is transmitted, and comprises:
Step S400: initialize the existing IPsec Security Association (IPsec SA) of the security gateway 104;
Step S410: perform IKE Phase 1;
Step S420: determine whether the current function library 124 has a suitable encryption/decryption module, such as the fixed (default) module. If so, step S430 is performed: the key and arithmetic logic of that default module are used to communicate with the peer, such as the receiving end. Otherwise, if no acceptable encryption/decryption module is found in the current function library 124, step S422 is performed: determine whether the extended function library 134 has a suitable module, such as a newly added or updated encryption/decryption module. If so, step S430 is performed: that newly added or updated module is used to communicate with the peer, such as the receiving end;
Step S440: perform IKE Phase 2;
Steps S450, S455 and S460 repeat the operations of steps S420, S422 and S430 respectively. If no suitable encryption/decryption module is found in step S422 or S455, the flow proceeds to step S462, in which the system produces an error message;
Step S470: complete all key exchange flows of IKE Phases 1 and 2; and
Step S480: notify the network kernel 164 of the security gateway 104 to update the SA of the existing IPsec protocol.
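The custom-module description entered in step S308, the update-or-add decision of steps S312 to S316 and the two-library lookup of steps S420, S422 and S462 fit together in one small program. The following C example is added by the editor; it is not code from the patent or from the assignee. The struct and function names, the fixed library capacity LIB_CAP and the XOR-in-CBC module body are assumptions standing in for the module code the patent leaves unspecified, and the key, IV and plaintext in roundtrip are constructed test values. The XOR body is a placeholder with no cryptographic strength.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The "encryption/decryption execution function" of the custom-module form:
 * block address, block size, key, key length, IV, encrypt/decrypt flag. */
typedef int (*crypt_fn)(uint8_t *block, size_t block_len, const uint8_t *key,
                        size_t key_len, const uint8_t *iv, int encrypt);

struct cipher_module {        /* the form's other description fields */
    char     alg_type[16];    /* algorithm type */
    uint32_t alg_id;          /* algorithm identification code */
    size_t   block_size;      /* data encryption block size */
    size_t   key_len;         /* key length */
    crypt_fn run;
};
#define LIB_CAP 4             /* assumed library capacity */
struct library { struct cipher_module mods[LIB_CAP]; size_t n; };

/* current: the fixed default module A; extended: upgraded B / custom C */
struct gateway { struct library current, extended; };

/* Toy XOR-in-CBC-mode stand-in for a module body; a placeholder, NOT a cipher.
 * The same XOR serves both directions; only the chaining value differs. */
static int xor_cbc(uint8_t *block, size_t block_len, const uint8_t *key,
                   size_t key_len, const uint8_t *iv, int encrypt)
{
    uint8_t prev[8], keep[8];
    if (key_len != 8 || block_len % 8 != 0) return -1;
    memcpy(prev, iv, 8);
    for (size_t off = 0; off < block_len; off += 8) {
        memcpy(keep, block + off, 8);            /* ciphertext when decrypting */
        for (size_t i = 0; i < 8; i++) block[off + i] ^= prev[i] ^ key[i];
        memcpy(prev, encrypt ? block + off : keep, 8);
    }
    return 0;
}

/* S312-S316: an upload whose alg_id is already in the extended library
 * replaces it in place (returns 1, S316); otherwise it is appended (0, S314);
 * -1 when the library is full. The current library is never modified. */
int update_module(struct gateway *g, const struct cipher_module *m)
{
    struct library *e = &g->extended;
    for (size_t i = 0; i < e->n; i++)
        if (e->mods[i].alg_id == m->alg_id) { e->mods[i] = *m; return 1; }
    if (e->n == LIB_CAP) return -1;
    e->mods[e->n++] = *m;
    return 0;
}

/* S420 then S422: the current library first, then the extended one. */
const struct cipher_module *select_module(const struct gateway *g, uint32_t id)
{
    const struct library *libs[2] = { &g->current, &g->extended };
    for (int k = 0; k < 2; k++)
        for (size_t i = 0; i < libs[k]->n; i++)
            if (libs[k]->mods[i].alg_id == id) return &libs[k]->mods[i];
    return NULL;                                  /* no suitable module: S462 */
}

struct ike_sa { const struct cipher_module *phase1, *phase2; };
/* Fig. 6 in miniature: one lookup for Phase 1 and one for Phase 2; the
 * filled-in SA is what step S480 hands to the kernel. 0 = ok, -1 = S462. */
int ike_negotiate(const struct gateway *g, uint32_t p1, uint32_t p2,
                  struct ike_sa *sa)
{
    sa->phase1 = select_module(g, p1);
    sa->phase2 = sa->phase1 ? select_module(g, p2) : NULL;
    return sa->phase2 ? 0 : -1;
}

/* Encrypt, then decrypt, 16 constructed bytes through a selected module;
 * 1 if the ciphertext differed from the plaintext and the round trip held. */
int roundtrip(const struct cipher_module *m)
{
    static const uint8_t key[8] = {1, 2, 3, 4, 5, 6, 7, 8};         /* constructed */
    static const uint8_t iv[8]  = {9, 10, 11, 12, 13, 14, 15, 16};  /* constructed */
    uint8_t buf[16];
    memcpy(buf, "sixteen bytes!!", 16);
    if (m->run(buf, 16, key, 8, iv, 1) || !memcmp(buf, "sixteen bytes!!", 16))
        return 0;
    return m->run(buf, 16, key, 8, iv, 0) == 0 && !memcmp(buf, "sixteen bytes!!", 16);
}

int main(void)
{
    struct cipher_module c = {"CUSTOM-C", 7, 8, 8, xor_cbc};     /* user-made */
    struct gateway g;
    struct ike_sa sa;
    memset(&g, 0, sizeof g);
    g.current.mods[0] = (struct cipher_module){"DEFAULT-A", 1, 8, 8, xor_cbc};
    g.current.n = 1;
    printf("upload C: %d (0 = added)\n", update_module(&g, &c));
    printf("re-upload C: %d (1 = updated in place)\n", update_module(&g, &c));
    printf("negotiate A/C: %d\n", ike_negotiate(&g, 1, 7, &sa));
    printf("roundtrip via C: %d\n", roundtrip(sa.phase2));
    printf("negotiate A/unknown: %d (-1 = error, S462)\n", ike_negotiate(&g, 1, 99, &sa));
    return 0;
}
```

Compile with `cc -std=c99` and run: the first upload of module C is appended, the second upload with the same algorithm ID replaces it in place, negotiation for IDs 1 and 7 succeeds (A from the current library, C from the extended one) and the round trip holds, while ID 99 produces the error of step S462. Two points the patent text does not cover but a practitioner would want: the update unit installs whatever the network interface uploads, so a deployed gateway should verify the origin and integrity of a module image before placing it in the extended library, and a user-written execution function is native code executing inside the gateway, so it deserves the same review as the rest of the firmware.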
Based on aforementioned, as can be known according to the enciphering/deciphering module dynamic update system and the method for security gateway device of the present invention, by a module dynamic update unit, make the each enciphering/deciphering sign indicating number module that only needs merely to upgrade or increase newly the extended function storehouse of this gateway of user of this gateway, and need not again with as known technology whole core code firmware being upgraded together, so can save time installation, promote operating efficiency, and reduce the cost of manufacturer's maintenance items.In addition,, can conveniently allow the user make required enciphering/deciphering sign indicating number module by oneself, can promote the expandability of the enciphering/deciphering sign indicating number module of security gateway device thus according to modular unit and the interface (GUI) made by oneself of the present invention.
Although the present invention has been disclosed above by way of a preferred embodiment, this is not intended to limit the present invention; anyone familiar with the art may make minor changes and modifications without departing from the spirit and scope of the present invention, and all such changes shall fall within the scope of protection defined by the claims of the present invention.

Claims (17)

1. An encryption/decryption module dynamic update system for a security gateway device, the security gateway device being connected between a user-end computer system and a network system, wherein the encryption/decryption module dynamic update system comprises:
a network interface, which produces on the user-end computer system at least one window screen with an encryption/decryption module dynamic update mechanism, through which the user need only upload a new version of an encryption/decryption module to the security gateway device;
a module dynamic update unit, which, according to the new version of the encryption/decryption module uploaded to the security gateway device, dynamically updates the corresponding existing encryption/decryption module in an extended function library or adds the uploaded encryption/decryption module as a new module stored in the extended function library; and
the extended function library, which is used to hold the encryption/decryption modules.
2. The encryption/decryption module dynamic update system as claimed in claim 1, wherein the security gateway device is a virtual private network gateway conforming to the IPSEC communications protocol.
3. The encryption/decryption module dynamic update system as claimed in claim 1, wherein the security gateway device has at least a working function library, a core operating program and a work scheduling unit, and wherein the module dynamic update unit is located in the working function library.
4. The encryption/decryption module dynamic update system as claimed in claim 1, wherein the encryption/decryption module dynamic update mechanism of the window screen of the network interface further comprises a mechanism for updating an existing encryption/decryption module in the security gateway device.
5. The encryption/decryption module dynamic update system as claimed in claim 4, wherein the encryption/decryption module dynamic update mechanism of the window screen of the network interface further comprises another mechanism for adding a newly created custom encryption/decryption module to the security gateway device.
6. The encryption/decryption module dynamic update system as claimed in claim 5, further comprising a custom module unit connected to the custom encryption/decryption module mechanism of the network interface, which thereby produces a sub-window screen in which the user, following the on-screen prompts, fills in the description structure of the encryption/decryption module to be custom-made.
7. The encryption/decryption module dynamic update system as claimed in claim 6, wherein the description structure of the custom encryption/decryption module comprises at least: an algorithm type, an algorithm identification code, a data encryption block size, a key length range and an encryption/decryption execution function, and wherein the parameters of the encryption/decryption execution function further comprise a block address, a block size, key content, a key length, an initial vector, an encryption/decryption flag, etc.
8. The encryption/decryption module dynamic update system as claimed in claim 1, wherein the module dynamic update unit, according to the type of the new version of the encryption/decryption module, selects whether to dynamically update the corresponding existing encryption/decryption module in the extended function library or to add the uploaded encryption/decryption module as a new module stored in the extended function library.
9. The encryption/decryption module dynamic update system as claimed in claim 2, further having an extended function library interface, which assists the extended function library in exchanging data with the working function library and with the core operating program respectively.
10. The encryption/decryption module dynamic update system as claimed in claim 1, further having a configuration and setting unit, which is a system file used to set the execution flow conforming to the IPSEC communications protocol, so that after an encryption/decryption module is updated or newly added, the key exchange mechanism of the existing Internet Key Exchange can also be updated accordingly.
11. An encryption/decryption module dynamic update method for a security gateway device, the security gateway device being connected between a user-end computer system and a network system, wherein the encryption/decryption module dynamic update method comprises:
downloading a new version of an encryption/decryption module to the user-end computer system through the network system;
activating a network interface of the security gateway device to produce on the user-end computer system at least one window screen with an encryption/decryption module dynamic update mechanism;
selecting, in the window screen provided by the network interface, the new version of the encryption/decryption module to be uploaded;
uploading the selected new version of the encryption/decryption module to the security gateway device;
causing a module dynamic update unit of the security gateway device, according to the type of the uploaded encryption/decryption module, to dynamically update the corresponding existing encryption/decryption module in an extended function library or to add the uploaded encryption/decryption module as a new module stored in the extended function library; and
updating the key exchange flow of the Internet Key Exchange protocol of the security gateway device.
12. The encryption/decryption module dynamic update method as claimed in claim 11, wherein the encryption/decryption module dynamic update mechanism of the window screen of the network interface further comprises a mechanism that allows the user to update an existing encryption/decryption module in the security gateway device.
13. The encryption/decryption module dynamic update method as claimed in claim 12, wherein the encryption/decryption module dynamic update mechanism of the window screen of the network interface further comprises another mechanism that allows the user to add a newly created custom encryption/decryption module to the security gateway device.
14. The encryption/decryption module dynamic update method as claimed in claim 13, further comprising: when the custom encryption/decryption module mechanism is activated, producing a window screen in which the user, following the on-screen prompts, fills in the description structure of the encryption/decryption module to be custom-made.
15. The encryption/decryption module dynamic update method as claimed in claim 14, wherein the description structure of the custom encryption/decryption module comprises at least: an algorithm type, an algorithm identification code, a data encryption block size, a key length range and an encryption/decryption execution function, and wherein the parameters of the encryption/decryption execution function further comprise a block address, a block size, key content, a key length, an initial vector, an encryption/decryption flag, etc.
16. The encryption/decryption module dynamic update method as claimed in claim 11, further comprising: causing the security gateway device to carry out the updated key exchange flow afterwards.
17. The key exchange flow of the Internet Key Exchange protocol of a security gateway device, comprising:
(a) initializing the Security Parameter Index of the existing IPSEC protocol of the security gateway device;
(b) performing Internet Key Exchange Phase 1;
(c) when no suitable encryption/decryption module is found in a working function library of the security gateway device, further taking at least one suitable encryption/decryption module from an extended function library of the security gateway device;
(d) performing Internet Key Exchange Phase 2;
(e) repeating the same action as step (c);
(f) completing the key exchange flow of Internet Key Exchange Phase 1 and Phase 2; and
(g) notifying the network core of the security gateway device to update the Security Parameter Index of the existing IPSEC protocol.
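As an added illustration (not code from the patent or from its applicant), the following Python sketch models the module lookup of steps S420 to S480 in the description together with the description structure of claims 7 and 15 and the update unit of claims 8 and 11: a working function library holds the default modules, an extended function library receives uploads, the update unit validates an upload and either replaces the module with the same identification code or adds it as new, and the key exchange picks a module for each IKE phase before the kernel is notified. All class, function and field names, the parameter signature of the execution function, and the round-trip self-test are assumptions of this example; the XOR routine is a constructed stand-in and not a real cipher.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Execution function signature with the parameters claim 7 lists: block (address and
# size are one bytes object here), key (content and length likewise), initial vector,
# and an encrypt/decrypt flag. This signature is an assumption of the example.
ExecFn = Callable[[bytes, bytes, bytes, bool], bytes]


@dataclass(frozen=True)
class ModuleDescriptor:
    """Description structure of one encryption/decryption module (claim 7)."""
    algorithm_type: str            # algorithm type, e.g. "block"
    algorithm_id: int              # algorithm identification code
    block_size: int                # data encryption block size, in bytes
    key_lengths: Tuple[int, ...]   # permitted key lengths in bytes (key length range)
    execute: ExecFn                # encryption/decryption execution function


def demo_execute(block: bytes, key: bytes, iv: bytes, encrypt: bool) -> bytes:
    """Constructed stand-in for a module's execution function. It is NOT a cipher:
    it XORs the block with a key/IV-derived stream so the round-trip check below has
    something to exercise. XOR is its own inverse, so the flag only documents direction."""
    if len(block) != len(iv):
        raise ValueError("block and initial vector must have the same size")
    stream = bytes(key[i % len(key)] ^ iv[i] for i in range(len(block)))
    return bytes(b ^ s for b, s in zip(block, stream))


class FunctionLibrary:
    """Working function library (default modules) or extended function library
    (uploaded or custom modules); both are indexed by algorithm identification code."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.modules: Dict[int, ModuleDescriptor] = {}

    def find(self, algorithm_id: int, key_len: int) -> Optional[ModuleDescriptor]:
        m = self.modules.get(algorithm_id)
        return m if m is not None and key_len in m.key_lengths else None


def validate_descriptor(m: ModuleDescriptor) -> None:
    """Checks the update unit makes before an upload goes live (assumed here): sane
    sizes, and the execution function must decrypt what it encrypted (round trip)."""
    if m.block_size <= 0 or not m.key_lengths or min(m.key_lengths) <= 0:
        raise ValueError("invalid block size or key length range")
    probe = bytes(i % 256 for i in range(m.block_size))
    key, iv = bytes(m.key_lengths[0]), bytes(m.block_size)
    if m.execute(m.execute(probe, key, iv, True), key, iv, False) != probe:
        raise ValueError("execution function does not round-trip")


def dynamic_update(extended: FunctionLibrary, uploaded: ModuleDescriptor) -> str:
    """Module dynamic update unit (claim 8): replace the module with the same
    algorithm id if one exists in the extended library, otherwise add it as new."""
    validate_descriptor(uploaded)
    action = "updated" if uploaded.algorithm_id in extended.modules else "added"
    extended.modules[uploaded.algorithm_id] = uploaded
    return action


class NoSuitableModule(Exception):
    """The error produced at step S462 when neither library holds a usable module."""


def select_module(working: FunctionLibrary, extended: FunctionLibrary,
                  algorithm_id: int, key_len: int) -> Tuple[ModuleDescriptor, str]:
    """Steps S420/S422: prefer the default module in the working function library,
    then fall back to a newly added or updated one in the extended function library."""
    for lib in (working, extended):
        m = lib.find(algorithm_id, key_len)
        if m is not None:
            return m, lib.name
    raise NoSuitableModule(f"algorithm {algorithm_id} with {key_len}-byte key")


def run_key_exchange(working: FunctionLibrary, extended: FunctionLibrary,
                     phase1: Tuple[int, int], phase2: Tuple[int, int]) -> Dict[str, Tuple[int, str]]:
    """Steps S410-S480: pick a module for IKE phase 1, then phase 2 (the same lookup
    repeated). The returned mapping stands in for the SA update the kernel is notified
    of at step S480: which module, from which library, now backs each phase."""
    chosen: Dict[str, Tuple[int, str]] = {}
    for phase, (alg, klen) in (("phase1", phase1), ("phase2", phase2)):
        module, source = select_module(working, extended, alg, klen)
        chosen[phase] = (module.algorithm_id, source)
    return chosen


if __name__ == "__main__":
    working, extended = FunctionLibrary("working"), FunctionLibrary("extended")
    working.modules[1] = ModuleDescriptor("block", 1, 8, (8, 16), demo_execute)
    upload = ModuleDescriptor("block", 7, 16, (16, 32), demo_execute)   # constructed upload
    print(dynamic_update(extended, upload))                             # added
    print(run_key_exchange(working, extended, (1, 16), (7, 32)))
    try:
        run_key_exchange(working, extended, (9, 16), (7, 32))
    except NoSuitableModule as err:
        print("error message (step S462):", err)
```

The order of lookup matters for auditing: because the working library is consulted first, an uploaded module can never silently shadow a default one with the same identification code, and the returned source name tells an operator which library actually backed each phase.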
CN 200410001975 2004-01-16 2004-01-16 Encryption/decryption module dynamic updating system and method for safety gateway device Pending CN1642069A (en)


Publications (1)

Publication Number Publication Date
CN1642069A true CN1642069A (en) 2005-07-20

Family

ID=34867242


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102132261A (en) * 2009-04-01 2011-07-20 日立系统解决方案有限公司 Home network system, gateway device, and firmware update method
CN102132261B (en) * 2009-04-01 2013-10-23 株式会社日立解决方案 Home network system, gateway device, and firmware update method
CN110784322A (en) * 2019-11-08 2020-02-11 北京金茂绿建科技有限公司 Method, system, equipment and medium for connecting gateway equipment and cloud platform

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned

Effective date of abandoning: 20050720

C20 Patent right or utility model deemed to be abandoned or is abandoned