CN101478390B - Second generation cipher key exchange system and method based on network processor - Google Patents
Second generation cipher key exchange system and method based on network processor Download PDFInfo
- Publication number
- CN101478390B CN101478390B CN2009100366765A CN200910036676A CN101478390B CN 101478390 B CN101478390 B CN 101478390B CN 2009100366765 A CN2009100366765 A CN 2009100366765A CN 200910036676 A CN200910036676 A CN 200910036676A CN 101478390 B CN101478390 B CN 101478390B
- Authority
- CN
- China
- Prior art keywords
- module
- ike
- signal
- packet
- payload
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a secondary-generation key exchange method based on network processor. The realizing system comprises a network processor, at least one static random access memory (SRAM) unit and at least one dynamic random access memory (DRAM) unit, and is characterized in that the network processor comprises a micro-engine (ME), an XScale, at least one SRAM control unit, at least one DRAM control unit, a Hash Unit and a media switch fabric (MSF) module, which are connected with one another via network processor buses. Based on the multithread polling mechanism and the use of exclusive encryption/decryption authentication XScale, the secondary-generation key exchange system greatly shortens the data read/write cycle and shortens the encryption/decryption authentication cycle, is highly integrated with the high-speed route, the firewall and other modules, and achieves the effect of new-generation key exchange with the network peers.
Description
Technical field
The present invention relates to filed of network information security, specifically be meant the second generation key exchange method of processor Network Based.
Background technology
IPSec is a whole set of architecture that is applied to network data security on the IP layer of the IPSec working group definition of IETF (the Internet engineering duty group), comprise authentication protocol (Authentication Header, AH), encapsulating security payload (esp) (Encapsulating Security Payload, ESP), IKMP (InternetKey Exchange, IKE) and be used for some algorithms of network authentication and encryption etc.IPSec has stipulated how to select security protocol between peer layer, has determined security algorithm and cipher key change, Network Security Service such as access control, data source authentication, data encryption upwards are provided.
IKMP (IKE) is one of important protocol of ipsec protocol family, be responsible for dynamic negotiation, Administrative Security association (Security Association, SA).It is that (the English full name of RFCs is Request ForCommentS in the document of leading that the first version (IKEv1) of IKMP (IKE) is defined in RFCs2407,2408,2409, Chinese translation is computer and mechanics of communication file), it has used the language of ISAKMP (Internet security association and IKMP), standard and the key exchange scheme that combines Oakley and SKEME form exclusive authenticated encryption material generation technique and sharing policy Negotiation Technology.Along with the extensive application of IPSec at network, IKEv1 manifests some shortcomings gradually, protocol description complexity, dispersion, and exchange efficiency is not high, and defence capability is not strong.For this reason, IETF begins to organize the drafting of IKEv2 from February, 2002, and becomes RFC with submitting suggestion in September, 2004 to, so far, has been incorporated in the document based on RFCs4306.
Developing rapidly and applying of internet makes people propose constantly to increase the demand of bandwidth and complex services to it.Following network not only needs bigger bandwidth, also requires it can constantly increase new service.For adapting to the network technology of this continuous development, this new microprocessor of network processing unit has appearred.Network processing unit is a kind of microprocessor that is exclusively used in network system, and it makes network system can possess high-performance and flexibility.IXA (Internet Exchange Architecture) is the system configuration of the network processing unit product line that is used for the internet data switching equipment of former Intel Company exploitation.IXP2850 is an IXA new generation network processor, is the enhanced network processor of IXP2800, and it has increased by two encryption function parts on the basis of IXP2800, can realize various encryption and decryption functions.Realizing the function of IPSec on IXP2850, is a kind of effective solution of the IPSec of raising data transmission efficiency.Along with the popularization of IKEv2, realize that on IXP2850 IKEv2 is the only way which must be passed of this type of solution.
Summary of the invention
Purpose of the present invention is exactly in order to solve above-mentioned problems of the prior art, a kind of second generation key exchange method of processor Network Based is proposed, the present invention utilizes the multithreading polling mechanism, utilize proprietary encryption and decryption authentication kernel, a large amount of data reading and writing cycle and encryption and decryption authentication period of shortening, can be integrated by other module height such as, fire compartment walls with the expressway, realize and network peer between cipher key change of new generation.
The objective of the invention is to be achieved through the following technical solutions: the second generation key exchange method of processor Network Based, the second generation cipher key exchange system of its realization system---processor Network Based, comprise network processing unit, at least one SRAM memory cell and at least one DRAM memory cell, described SRAM memory cell and DRAM memory cell link to each other by system bus with network processing unit, and described system bus links to each other with the tension management system.
Wherein, described network processing unit comprises by the interconnective micro engine of network processing unit bus (ME), kernel (XScale), at least one SRAM storage control unit, at least one DRAM storage control unit, Hash (HASH) unit and a MSF (Media Switch Fabric, multimedia switching fabric) module.
The second generation key exchange method of processor Network Based comprises the steps:
A. set up the second generation cipher key exchange system of above-mentioned processor Network Based and carry out initial configuration;
B. interface module is monitored the UDP message bag from udp port, when receiving the UDP message bag, obtains memory address pointer from the memory descriptor of this packet, passes to the network payload processing module, and sends IP bag processing signals to the network payload processing module; The packet that interface module is monitored from the network payload processing module sends request signal, and gives high speed router with data packet delivery;
C. the network payload processing module receives memory address pointer and the IP bag processing signals from interface module, the UDP message bag is carried out verification check, peel off network encapsulation, extract packet decapsulation information such as network source address, destination address and port numbers then and pass to the information exchange administration module, and send the packet entering signal to the information exchange administration module; The network payload processing module receives packet encapsulation signal and the IKE packet from the information exchange administration module, and the IKE packet is carried out network encapsulation, passes to interface module, and sends packet transmission request signal to interface module;
D. the information exchange administration module receives packet decapsulation information and the packet entering signal from the network payload processing module, provide tabulation, service state tabulation to carry out the parameter comparison, analyze with service, the IKE packet of removing UDP load according to the different conditions processing of classifying, and is transmitted IKE load Processing signal and gives the IKE payload module; The information exchange administration module receives from the packet of the IKE payload module signal of going out, swap status to the IKE packet is analyzed, new record more in service state tabulation, untie IKE exchange lock, give the network payload processing module with the IKE data packet delivery, and send foundation exchange (BE) or exchange (E) signal to event processing module, and send all kinds of daily record update signal to system management module, send the packet encapsulation signal to the network payload processing module;
The e.IKE payload module receives the IKE load Processing signal from the information exchange administration module, according to different swap statuses, to the processing of classifying of IKE packet; The IKE payload module receives the corresponding overtime and overtime Restart Signal from event processing module, make up and initiate IKE exchange data packets, structure initiation CHILE_SA_IKE exchange and make up to initiate the INFORMATION exchange data packets, and the transmission packet is gone out signal to the information exchange administration module; Parameter or parameter generation request signal that the IKE payload module will be referred to the key generation pass to the core security module, send the key request signal simultaneously to the core security module, and obtain operation result from the core security module; The IKE payload module will need the IKE packet of encryption and decryption authentication and the parameter that relates to thereof to pass to the encryption and decryption authentication module, and send the ciphertext signal to the encryption and decryption authentication module;
F. the encryption and decryption authentication module receives the ciphertext signal from the IKE payload module, according to the ciphertext signal IKE packet is carried out encryption and decryption and authentication processing;
G. system management module receives the operational order from the keeper, and service is provided tabulation, SAD and SPD content to increase, revises and deletes management, and to event processing module transmission processing signals; System management module receives the signal of other external system relationship modules (authentication protocol (AH), encapsulating security payload (esp) (ESP) module), and corresponding object information is passed to event processing module, and transmission SA sets up signal; System management module receives from all kinds of daily record update signal of information exchange administration module, extracts more new data, forms daily record and passes to the keeper;
H. the event processing module reception is set up signal from processing signals, corresponding object information and the SA of system management module, and the processing of classifying; Event processing module receives from the information exchange administration module and sets up exchange (BE) or exchange (E) signal, resolve the list item of respective service status list, upgrade the exchange timing, and overtime incident handled, corresponding time-out information is passed to the IKE payload module, and send overtime Restart Signal to the IKE payload module; The SA that event processing module receives from the IKE payload module sets up signal, starts the SA timing, and overtime incident is handled; Event processing module supervisory control system IKE swap status when occurring incomplete IKE exchange frequency above threshold values, starts prevention DDOS pattern;
I. the core security module receives parameter or the parameter generation request signal from the IKE payload module, produce Security Parameter Index (SPI, Security Parameters Index), generation is used for the random number of D-H computing and carries out the PKI KX (perhaps KY) that the D-H computing obtains, produce Nonce, and operation result is passed to the IKE payload module; The core security module receives the key request signal from the IKE payload module, finishes D-H private key computing KXY, generates key seed, carries out key material and derive, and the result is passed to the IKE payload module.
Preferably, described network processing unit adopts IXP2850.
Described SRAM memory cell capacity is 32MB, and described DRAM memory cell capacity is 256MB.
Described kernel loads has system management module, event processing module and core security module.
Described micro engine is loaded with interface module, network payload processing module, information exchange administration module, IKE payload module and encryption and decryption authentication module.
Described SRAM memory cell is loaded with Security Policy Database (SPD).
Described DRAM memory cell is loaded with service database and security association database (SAD, SecurityAssociation Database).
Below the transmission of the internal element signal of kernel, micro engine, SRAM memory cell and DRAM memory cell, the association handled are further elaborated:
Described system management module is connected with core security module, event processing module respectively, be connected with interface module, network payload processing module, information exchange administration module, IKE payload module and encryption and decryption authentication module respectively by the network processing unit bus, be used to realize the initialization of above each functional module that connects; Simultaneously, system management module is connected with Security Policy Database (SPD), service database, security association database (SAD) by system bus, is used to realize above each data of database management that connects, log record etc.;
Described core security module is connected with the IKE payload module by the network processing unit bus, be connected with service database, security association database (SAD) respectively by system bus, be used to realize the generation of all kinds of random numbers, D-H (Diffie-Hellman) computing and cipher key derivative;
Described event processing module is connected with IKE payload module, information exchange administration module respectively by the network processing unit bus, be connected with service database, security association database (SAD) respectively by system bus, be used to realize the timing of IKE swap status, the existence management of SA, the triggering management of time window and the triggering of INFORMATION load;
Described interface module is connected with the network payload processing module, is connected with high speed router by the network processing unit bus, is used to realize monitoring reception, the transmission of packet;
Described network payload processing module also is connected with the information exchange administration module, is used to realize that the decapsulation of IKE packet network payload segment and IKE load enter the preceding network payload encapsulation of network;
Described information exchange administration module also is connected with the IKE payload module, be connected with Security Policy Database (SPD), service database and security association database (SAD) respectively by system bus, be used to realize the registration of each Phase I KE exchange message upgrade and upload, response events processing module and packet filtering;
Described IKE payload module also is connected with the encryption and decryption authentication module, be connected with Security Policy Database (SPD), service database and security association database (SAD) respectively by system bus, be used to realize that protocol processes, each stage security parameter management and above-mentioned each database related data that connects of each Phase I KE load upgraded;
Described encryption and decryption authentication module is connected with service database, security association database (SAD) respectively by system bus, is used to realize that each Phase I KE exchange encryption and decryption authentication, digital signature generate;
Described Security Policy Database (SPD) is connected with security association database (SAD) by system bus, be used to realize management, rule-based filtering, the ESP (ESP of security strategy, EncapsulationSecurity Payload) and the security strategy index of authentication header (AH, Authentication Header);
The service of storing of described service database provides tabulation, service state tabulation, is used to realize IKE exchange of management, all kinds of interim parameter management;
Described security association database (SAD) also is connected with service database by system bus, be used to realize management, the ESP (ESP of security association, Encapsulation Security Payload) and the safety management index of authentication header (AH, Authentication Header).
The present invention has the following advantages with respect to prior art:
(1) the present invention utilizes the multithreading polling mechanism, utilize proprietary encryption and decryption authentication kernel, a large amount of data reading and writing cycles and encryption and decryption authentication period of shortening can be integrated by other module height such as, fire compartment walls with the expressway, realize and network peer between cipher key change of new generation;
(2) the present invention is that hardware foundation is realized the IKEv2 IKE with network processing unit IXP2850, the high efficiency of micro engine (ME) and the flexibility of kernel (XScale) have been made full use of, utilize proprietary encryption kernel, the mode that adopts layering to handle, reach the efficient high-speed deal with data, request memory is little, and has certain opposing Replay Attack ability, for the server that has the VPN function based on IXP2850 provides more effective safe and secret mechanism.
Description of drawings
Fig. 1 is kernel (XScale) structural representation that the present invention is based in the second generation cipher key exchange system of network processing unit;
Fig. 2 is micro engine (ME) structural representation that the present invention is based in the second generation cipher key exchange system of network processing unit;
Fig. 3 the present invention is based on the micro engine (ME) in the second generation cipher key exchange system of network processing unit, the internal structure schematic diagram between the kernel (XScale);
Fig. 4 is the structure connection layout between micro engine (ME), kernel (XScale), SRAM memory cell and the DRAM memory cell that the present invention is based in the second generation cipher key exchange system of network processing unit;
Fig. 5 is the schematic flow sheet that the present invention is based on the second generation key exchange method of network processing unit.
Embodiment
Below in conjunction with embodiment and accompanying drawing, the present invention is described in further detail, but embodiments of the present invention are not limited thereto.
Embodiment
The present invention is based on the second generation cipher key exchange system of network processing unit, comprise network processing unit, at least one SRAM memory cell and at least one DRAM memory cell, described SRAM memory cell and DRAM memory cell link to each other by system bus with network processing unit, and described system bus links to each other with the tension management system.
Wherein, described network processing unit comprises by the interconnective micro engine of network processing unit bus (ME), kernel (XScale), at least one SRAM storage control unit, at least one DRAM storage control unit, Hash (HASH) unit and a MSF (Media Switch Fabric, multimedia switching fabric) module.
Preferably, described network processing unit adopts IXP2850.
Described SRAM memory cell capacity is 32MB, and described DRAM memory cell capacity is 256MB.
Described SRAM memory cell is loaded with Security Policy Database (SPD).
Described DRAM memory cell is loaded with service database and security association database (SAD, SecurityAssociation Database).
As shown in Figure 1, described kernel loads has system management module, event processing module and core security module.
As shown in Figure 2, described micro engine is loaded with interface module, network payload processing module, information exchange administration module, IKE payload module and encryption and decryption authentication module.
Below the transmission of the internal element signal of kernel, micro engine, SRAM memory cell and DRAM memory cell, the association handled are further elaborated, as shown in Figure 3, Figure 4:
Described system management module is connected with core security module, event processing module respectively, be connected with interface module, network payload processing module, information exchange administration module, IKE payload module and encryption and decryption authentication module respectively by the network processing unit bus, be used to realize the initialization of above each functional module that connects; Simultaneously, system management module is connected with Security Policy Database (SPD), service database, security association database (SAD) by system bus, is used to realize above each data of database management that connects, log record etc.;
Described core security module is connected with the IKE payload module by the network processing unit bus, be connected with service database, security association database (SAD) respectively by system bus, be used to realize the generation of all kinds of random numbers, D-H (Diffie-Hellman) computing and cipher key derivative;
Described event processing module is connected with IKE payload module, information exchange administration module respectively by the network processing unit bus, be connected with service database, security association database (SAD) respectively by system bus, be used to realize the timing of IKE swap status, the existence management of SA, the triggering management of time window and the triggering of INFORMATION load;
Described interface module is connected with the network payload processing module, is connected with high speed router by the network processing unit bus, is used to realize monitoring reception, the transmission of packet;
Described network payload processing module also is connected with the information exchange administration module, is used to realize that the decapsulation of IKE packet network payload segment and IKE load enter the preceding network payload encapsulation of network;
Described information exchange administration module also is connected with the IKE payload module, be connected with Security Policy Database (SPD), service database and security association database (SAD) respectively by system bus, be used to realize the registration of each Phase I KE exchange message upgrade and upload, response events processing module and packet filtering;
Described IKE payload module also is connected with the encryption and decryption authentication module, be connected with Security Policy Database (SPD), service database and security association database (SAD) respectively by system bus, be used to realize that protocol processes, each stage security parameter management and above-mentioned each database related data that connects of each Phase I KE load upgraded;
Described encryption and decryption authentication module is connected with service database, security association database (SAD) respectively by system bus, is used to realize that each Phase I KE exchange encryption and decryption authentication, digital signature generate;
Described Security Policy Database (SPD) is connected with security association database (SAD) by system bus, be used to realize management, rule-based filtering, the ESP (ESP of security strategy, EncapsulationSecurity Payload) and the security strategy index of authentication header (AH, Authentication Header);
The service of storing of described service database provides tabulation, service state tabulation, is used to realize IKE exchange of management, all kinds of interim parameter management;
Described security association database (SAD) also is connected with service database by system bus, be used to realize management, the ESP (ESP of security association, Encapsulation Security Payload) and the safety management index of authentication header (AH, Authentication Header).
The key exchange method of the second generation cipher key exchange system of above-mentioned processor Network Based as shown in Figure 5, comprises the steps:
A. set up system and carry out initial configuration;
B. interface module is monitored the UDP message bag from port 500 or 4500, when receiving the UDP message bag, from the memory descriptor of this packet, obtain memory address pointer, pass to the network payload processing module, and send IP bag processing signals to the network payload processing module; The packet that interface module is monitored from the network payload processing module sends request signal, and gives high speed router with data packet delivery;
C. the network payload processing module receives memory address pointer and the IP bag processing signals from interface module, the UDP message bag is carried out verification check, peel off network encapsulation, extract packet decapsulation information such as network source address, destination address and port numbers then and pass to the information exchange administration module, and send the packet entering signal to the information exchange administration module; The network payload processing module receives packet encapsulation signal and the IKE packet from the information exchange administration module, and the IKE packet is carried out network encapsulation, passes to interface module, and sends packet transmission request signal to interface module;
D. the information exchange administration module receives packet decapsulation information and the packet entering signal from the network payload processing module, provide tabulation, service state tabulation to carry out the parameter comparison, analyze with service, the IKE packet of removing UDP load according to the different conditions processing of classifying, and is transmitted IKE load Processing signal and gives the IKE payload module; The information exchange administration module receives from the packet of the IKE payload module signal of going out, swap status to the IKE packet is analyzed, new record more in service state tabulation, untie IKE exchange lock, give the network payload processing module with the IKE data packet delivery, and send foundation exchange (BE) or exchange (E) signal to event processing module, and send all kinds of daily record update signal to system management module, send the packet encapsulation signal to the network payload processing module;
The e.IKE payload module receives the IKE load Processing signal from the information exchange administration module, according to different swap statuses, to the processing of classifying of IKE packet; The IKE payload module receives the corresponding overtime and overtime Restart Signal from event processing module, make up and initiate IKE exchange data packets, structure initiation CHILE_SA_IKE exchange and make up to initiate the INFORMATION exchange data packets, and the transmission packet is gone out signal to the information exchange administration module; Parameter or parameter generation request signal that the IKE payload module will be referred to the key generation pass to the core security module, send the key request signal simultaneously to the core security module, and obtain operation result from the core security module; The IKE payload module will need the IKE packet of encryption and decryption authentication and the parameter that relates to thereof to pass to the encryption and decryption authentication module, and send the ciphertext signal to the encryption and decryption authentication module;
F. the encryption and decryption authentication module receives the transmission ciphertext signal from the IKE payload module, according to sending the ciphertext signal IKE packet is carried out encryption and decryption and authentication processing;
G. system management module receives the operational order from the keeper, and service is provided tabulation, SAD and SPD content to increase, revises and deletes management, and to event processing module transmission processing signals; System management module receives the signal of other external system relationship modules (authentication protocol (AH), encapsulating security payload (esp) (ESP) module), and corresponding object information is passed to event processing module, and transmission SA sets up signal; System management module receives from all kinds of daily record update signal of information exchange administration module, extracts more new data, forms daily record and passes to the keeper;
H. the event processing module reception is set up signal from processing signals, corresponding object information and the SA of system management module, and the processing of classifying; Event processing module receives from the information exchange administration module and sets up exchange (BE) or exchange (E) signal, resolve the list item of respective service status list, upgrade the exchange timing, and overtime incident handled, corresponding time-out information is passed to the IKE payload module, and send overtime Restart Signal to the IKE payload module; The SA that event processing module receives from the IKE payload module successfully sets up signal, starts the SA timing, and overtime incident is handled; Event processing module supervisory control system IKE swap status when occurring incomplete IKE exchange frequency above threshold values, starts prevention DDOS pattern;
I. the core security module receives parameter or the parameter generation request signal from the IKE payload module, produce Security Parameter Index (SPI, Security Parameters Index), generation is used for the random number of D-H computing and carries out the PKI KX (perhaps KY) that the D-H computing obtains, produce Nonce, and operation result is passed to the IKE payload module; The core security module receives the key request signal from the IKE payload module, finishes D-H private key computing KXY, generates key seed, carries out key material and derive, and the result is passed to the IKE payload module.
For the better said method of realizing, below the concrete steps of said method are further elaborated:
1, the described initial configuration of step a specifically comprises following operation:
A.1 with system management module, event processing module, core security module application configuration in XScale;
A.2 interface module, network payload processing module, information exchange administration module, IKE payload module, encryption and decryption authentication module are disposed among the ME;
A.3 initialization SRAM memory cell and DRAM memory cell, the memory allocated space, open up the Security Policy Database (SPD) of memory space storage in the SRAM memory cell, open up memory space stores service database, security association database (SAD) in the DRAM memory cell based on SPI HASH computing;
Step a.3 described in the main stores service of service database the tabulation of tabulation, service state is provided, wherein, service provides the HASH computing storage of tabulation based on source address, by the system management module management, store legal IKE station address, reservation certificate memory space; The service state tabulation comprises the parameter in each stage of INIT IKE based on the HASH computing storage of source address, keeps the space of storage both sides cookie;
2, the reception of the described information exchange administration module of steps d is from packet entering signal, the information of network payload processing module, provide tabulation, service state tabulation to carry out the parameter comparison, analyze with service, the IKE packet data bag of removing UDP load according to the different conditions processing of classifying, is specifically comprised following operation:
D.1 under normal mode,, obtain SPI, source address, destination address, FLAG, MESSAGE ID, TYPE parameter for the IKE packet that enters:
If d.1.1 this packet is that INIT_SA_IKE initiates bag, in providing tabulation, service carries out HASH computing addressing based on source address, ask if hit then pass through, check whether support concurrent IKE, set up corresponding service state tabulation, store interim parameter, open IKE exchange lock, set up exchange (BE) signal, information to the event processing module transmission, set up switch log update signal, information to the system management module transmission, otherwise abandon this packet, to the illegal switch log update signal of system management module transmission, information;
If d.1.2 this packet is that non-INIT_SA_IKE initiates bag, in the service state tabulation, carry out HASH computing addressing based on source address, if hit then check IKE exchange lock, otherwise abandon this packet, to the illegal switch log update signal of system management module transmission, information; If IKE and non-locking are then compared parameter, otherwise abandon this packet, to the illegal switch log update signal of system management module transmission, information; Comparison coupling then with this packet and obtained parameter, respective service status list address passes to the IKE payload module, in service state tabulation locking IKE exchange lock, give the IKE payload module with data packet delivery, send IKE load Processing signal to this module, to event processing module transmission exchange (E) signal, information, transmit switch log update signal, information to system management module, otherwise abandon this packet, to the illegal switch log update signal of system management module transmission, information;
D.2DDOS under the defence pattern, module increases the cookie parametric test, if coupling then should wrap and respective service status list address passes to the IKE payload module, the transmission signal wakes IKE payload module thread up, otherwise abandons this bag;
Simultaneously, the described IKE of steps d exchange is latched and is stored in each service state corresponding list item of tabulating, and when service provides when supporting concurrent IKE exchange in the tabulation, same peer server is supported a plurality of IKE exchange locks, can distinguish concurrent IKE, and keep out and repeat to give out a contract for a project;
3, the described IKE payload module of step e receives IKE load Processing signal, the information from the information exchange administration module, according to different swap statuses, to the processing of classifying of target data bag, specifically comprises following operation:
If e.1 this packet is the IKE bag, resolve the payload header parameter, read respective service status list list item, obtain existing switching phase D-H parameter, Nonce, load header parameter:
If e.1.1 this packet is that INIT_SA_IKE initiates bag, choose payload, if the proposal type that does not have book server to support in this proposal load, then structure is proposed invalid information or is proposed effectively to propose and pass to the information exchange administration module, send the packet signal of going out, abandon former IKE packet; Otherwise, INIT_SA_IKE D-H parameter, Nonce are passed to the core security module and the wait operation result passes back, structure INIT_SA_IKE respond packet, all actual parameters and INIT_SA are stored in the service state corresponding list item of tabulating, the INIT_SA_IKE respond packet is passed to the information exchange administration module, send the packet signal of going out;
If e.1.2 this packet is the INIT_SA_IKE respond packet, read payload, if for proposing invalid information then choose the load new INIT_SA_IKE of the initiation request of laying equal stress on of proposing again; If for response side proposal load then choose payload; Otherwise, INIT_SA_IKE D-H parameter, Nonce are passed to the core security module and the wait operation result passes back, structure IKE_AUTH initiates bag, produce IKE_AUTH D-H parameter, Nonce by the core security module, to need encrypting and authenticating data passes and INIT_SA_IKE key parameter transmission encryption and decryption authentication module and wait operation result to pass back, all actual parameters and INIT_SA are stored in the service state corresponding list item of tabulating, IKE_AUTH is initiated bag pass to the information exchange administration module, send the packet signal of going out;
If e.1.3 this packet is that IKE_AUTH initiates bag, read respective service status list parameter, with the packet encryption section and the INIT_SA_IKE key parameter passes to the encryption and decryption authentication module and the wait operation result passes back,, authentication abandons this packet if makeing mistakes and to system management module transmission make mistakes daily record lastest imformation, signal; Otherwise, IKE_AUTH D-H parameter, Nonce are passed to the core security module and the wait operation result passes back, the SA that obtains is that IKE_SA is stored in SAD, structure IKE_AUTH respond packet, to need encrypting and authenticating data passes and INIT_SA_IKE key parameter transmission encryption and decryption authentication module and wait operation result to pass back, all actual parameters and IKE_SA are stored in service state tabulate corresponding list item in order to the re-transmission demand, the IKE_AUTH respond packet is passed to the information exchange administration module, send the packet signal of going out;
If e.1.4 this packet is the IKE_AUTH respond packet, read respective service status list parameter, with the packet encryption section and the INIT_SA_IKE key parameter passes to the encryption and decryption authentication module and the wait operation result passes back,, authentication abandons this packet if makeing mistakes and to system management module transmission make mistakes daily record lastest imformation, signal; Otherwise, IKE_AUTH D-H parameter, Nonce are passed to the core security module and the wait operation result passes back, the SA that obtains is that IKE_SA is stored in SAD, all actual parameters and IKE_SA is stored in service state tabulates corresponding list item in order to the re-transmission demand, sends the packet signal of going out;
If e.1.5 this packet is that CHILD_SA_IKE initiates bag, read respective service status list parameter, with the packet encryption section and the INIT_SA_IKE key parameter passes to the encryption and decryption authentication module and the wait operation result passes back,, authentication abandons this packet if makeing mistakes and to system management module transmission make mistakes daily record lastest imformation, signal; Otherwise, with CHILD_SA D-H parameter, Nonce passes to the core security module and the wait operation result passes back, the CHILD_SA that obtains replaces the original corresponding list item of SAD for the IKE_SA that upgrades, structure CHILD_SA_IKE respond packet, to need encrypting and authenticating data passes and INIT_SA_IKE key parameter transmission encryption and decryption authentication module and wait operation result to pass back, all actual parameters and new IKE_SA are stored in service state tabulate corresponding list item in order to the re-transmission demand, the CHILD_SA_IKE respond packet is passed to the information exchange administration module, transmit SA information to event processing module, send SA and successfully set up signal;
If e.1.6 this packet is the CHILD_SA_IKE respond packet, read respective service status list parameter, with the packet encryption section and the INIT_SA_IKE key parameter passes to the encryption and decryption authentication module and the wait operation result passes back, abandon this packet if authentication makes mistakes and transmit error message, signal to system management module; Otherwise, CHILD_SA D-H parameter, Nonce are passed to the core security module and the wait operation result passes back, the CHILD_SA that obtains replaces the original corresponding list item of SAD for the IKE_SA that upgrades, all actual parameters and new IKE_SA are stored in service state tabulate corresponding list item, send the packet signal of going out in order to the re-transmission demand;
If e.2 this packet is the INFORMATION bag, the resolution data header, read respective service status list or SAD parameter, with the packet encryption section and required key parameter passes to the encryption and decryption authentication module and the wait operation result passes back, the resolving information content is also carried out response, deletes, creates SA or revise configuration, and operation information, signal are passed to event processing module, the tectonic response bag passes to the information exchange administration module with respond packet;
Simultaneously, step 5.1,5.2 will increase cookie load when being under the DDOS attack defending state, and require the exchange peer server that cookie is provided load in checking, with the opposing Replay Attack;
3, the described event processing module of step h receives from system management module various information, signal, and the processing of classifying specifically comprises following operation:
If h.1 the signal of Jie Shouing provides the tabulation erasure signal for service, resolving information is deleted corresponding IKE timing or SA timing, deletes corresponding service state list entry, deletes corresponding SPD list item, deletes corresponding SAD list item;
If the signal that h.2 receives is the SAD erasure signal, resolving information is deleted corresponding SA timing;
Increase signal if the signal that h.3 receives is SAD, resolving information increases corresponding SA timing;
Simultaneously, the described event processing module of step h receives from information exchange administration module signal, information, resolve the list item of respective service status list, upgrade the exchange timing, and overtime incident is treated to: each timer is mark with SPI, when corresponding exchange overtime, send overtime retransmission information to the IKE payload module, signal, the zero setting of corresponding exchange timer, retransmission counter adds one, zero setting when described each counter arrives at the corresponding exchange timing signal of next update, otherwise will increase along with number of retransmissions is linear, when reaching threshold values, judge swap fault, delete corresponding timer, counter, deletion respective service status list list item, IKE exchanges incomplete counter and adds one;
The described event processing module of step h receives signal, the information from the IKE payload module, start the SA timing, and overtime incident is treated to: each timer is mark with SPI, when corresponding INIT_SA overtime, transmit INIT_SA_IKE to the IKE payload module and initiate signal, information; Overtime as corresponding IKE_SA, transmit CHILD_SA_IKE to the IKE payload module and initiate signal, information, delete corresponding timer, delete corresponding SAD list item.
Principle of the present invention is: realize at Intel new generation network processor IXP2850, can be nested in the virtual private network system of processor IXP2850 Network Based, the proprietary encryption and decryption kernel of utilization IXP2850, the utilization hash algorithm carries out matched and searched to Security Parameter Index, realize second generation cipher key change, carry out the maintenance of database update, daily record by micro engine (ME) and kernel (XScale) two-way communication technology.
The foregoing description is a preferred implementation of the present invention; but embodiments of the present invention are not restricted to the described embodiments; other any do not deviate from change, the modification done under spirit of the present invention and the principle, substitutes, combination, simplify; all should be the substitute mode of equivalence, be included within protection scope of the present invention.
Claims (7)
1. the second generation key exchange method of processor Network Based, it is characterized in that: the second generation cipher key exchange system of realizing the processor Network Based of this method, comprise network processing unit, at least one SRAM memory cell and at least one DRAM memory cell, described network processing unit comprises by the interconnective micro engine of network processing unit bus, kernel, at least one SRAM storage control unit, at least one DRAM storage control unit, a hash units and a MSF module;
Described kernel loads has system management module, event processing module and core security module, and system management module is connected with event processing module, core security module respectively;
Described micro engine is loaded with interface module, network payload processing module, information exchange administration module, IKE payload module and encryption and decryption authentication module, and interface module is connected with network payload processing module, information exchange administration module, IKE payload module and encryption and decryption authentication module successively;
The second generation key exchange method of processor Network Based, step is as follows:
A. set up cipher key exchange system and carry out initial configuration;
B. interface module is monitored the UDP message bag from udp port, when receiving the UDP message bag, obtains memory address pointer from the memory descriptor of this packet, passes to the network payload processing module, and sends IP bag processing signals to the network payload processing module; The packet that interface module is monitored from the network payload processing module sends request signal, and gives high speed router with data packet delivery;
C. the network payload processing module receives memory address pointer and the IP bag processing signals from interface module, the UDP message bag is carried out verification check, peel off network encapsulation, extract packet decapsulation information then and pass to the information exchange administration module, and send the packet entering signal to the information exchange administration module; The network payload processing module receives packet encapsulation signal and the IKE packet from the information exchange administration module, and the IKE packet is carried out network encapsulation, passes to interface module, and sends packet transmission request signal to interface module;
D. the information exchange administration module receives packet decapsulation information and the packet entering signal from the network payload processing module, provide tabulation, service state tabulation to carry out the parameter comparison, analyze with service, the IKE packet of removing UDP load according to the different conditions processing of classifying, and is transmitted IKE load Processing signal and gives the IKE payload module; The information exchange administration module receives from the packet of the IKE payload module signal of going out, swap status to the IKE packet is analyzed, new record more in service state tabulation, untie IKE exchange lock, give the network payload processing module with the IKE data packet delivery, and send to set up exchange or switching signal to event processing module, and send all kinds of daily record update signal to system management module, send the packet encapsulation signal to the network payload processing module;
E.IKE load
HandleModule receives the IKE load Processing signal from the information exchange administration module, according to different swap statuses, to the processing of classifying of IKE packet; IKE load
HandleModule receives the corresponding overtime and overtime Restart Signal from event processing module, make up and initiate IKE exchange data packets, structure initiation CHILE_SA_IKE exchange and make up to initiate the INFORMATION exchange data packets, and the transmission packet is gone out signal to the information exchange administration module; Parameter or parameter generation request signal that the IKE payload module will be referred to the key generation pass to the core security module, send the key request signal simultaneously to the core security module, and obtain operation result from the core security module; The IKE payload module will need the IKE packet of encryption and decryption authentication and the parameter that relates to thereof to pass to the encryption and decryption authentication module, and send the ciphertext signal to the encryption and decryption authentication module;
F. the encryption and decryption authentication module receives the ciphertext signal from the IKE payload module, according to the ciphertext signal IKE packet that the needs encryption and decryption authenticates is carried out encryption and decryption and authentication processing;
G. system management module receives the operational order from the keeper, and service is provided tabulation, SAD and SPD content to increase, revises and deletes management, and to event processing module transmission processing signals; System management module receives the signal of other external system relationship modules, and corresponding object information is passed to event processing module, and transmission SA sets up signal; System management module receives from all kinds of daily record update signal of information exchange administration module, extracts more new data, forms daily record and passes to the keeper;
H. the event processing module reception is set up signal from processing signals, corresponding object information and the SA of system management module, and the processing of classifying; Event processing module receives from the information exchange administration module and sets up exchange or switching signal, resolve the list item of respective service status list, upgrade the exchange timing, and overtime incident handled, corresponding time-out information is passed to the IKE payload module, and send overtime Restart Signal to the IKE payload module; The SA that event processing module receives from the IKE payload module sets up signal, starts the SA timing, and overtime incident is handled; Event processing module supervisory control system IKE swap status when occurring incomplete IKE exchange frequency above threshold values, starts prevention DDOS pattern;
I. the core security module receives parameter or the parameter generation request signal from the IKE payload module, produce Security Parameter Index, generation is used for the random number of D-H computing and carries out PKI KX or the KY that the D-H computing obtains, produce Nonce, and operation result is passed to the IKE payload module; The core security module receives the key request signal from the IKE payload module, finishes D-H private key computing KXY, generates key seed, carries out key material and derive, and the result is passed to the IKE payload module.
2. according to the second generation key exchange method of the described processor Network Based of claim 1, it is characterized in that: described network processing unit adopts IXP2850.
3. according to the second generation key exchange method of the described processor Network Based of claim 1, it is characterized in that: described SRAM memory cell capacity is 32MB.
4. according to the second generation key exchange method of the described processor Network Based of claim 1, it is characterized in that: described DRAM memory cell capacity is 256MB.
5. according to the second generation key exchange method of the described processor Network Based of claim 1, it is characterized in that: described SRAM memory cell is loaded with Security Policy Database.
6. according to the second generation key exchange method of the described processor Network Based of claim 1, it is characterized in that: described DRAM memory cell is loaded with service database and security association database.
7. according to the second generation key exchange method of the described processor Network Based of claim 6, it is characterized in that: the service of storing of described service database provides tabulation and service status list.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009100366765A CN101478390B (en) | 2009-01-15 | 2009-01-15 | Second generation cipher key exchange system and method based on network processor |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009100366765A CN101478390B (en) | 2009-01-15 | 2009-01-15 | Second generation cipher key exchange system and method based on network processor |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101478390A CN101478390A (en) | 2009-07-08 |
| CN101478390B true CN101478390B (en) | 2011-11-02 |
Family
ID=40839025
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2009100366765A Expired - Fee Related CN101478390B (en) | 2009-01-15 | 2009-01-15 | Second generation cipher key exchange system and method based on network processor |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101478390B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI501614B (en) | 2012-10-23 | 2015-09-21 | Univ Nat Sun Yat Sen | Symmetric Dynamic Authentication and Key Exchange System and Its |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2002082767A2 (en) * | 2001-03-23 | 2002-10-17 | Megisto Systems | System and method for distributing security processing functions for network applications |
| CN1750460A (en) * | 2004-09-16 | 2006-03-22 | 英特尔公司 | Method for performing modular exponentiations |
| CN101262405A (en) * | 2008-04-11 | 2008-09-10 | 华南理工大学 | High-speed secure virtual private network channel based on network processor and its realization method |
-
2009
- 2009-01-15 CN CN2009100366765A patent/CN101478390B/en not_active Expired - Fee Related
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2002082767A2 (en) * | 2001-03-23 | 2002-10-17 | Megisto Systems | System and method for distributing security processing functions for network applications |
| CN1750460A (en) * | 2004-09-16 | 2006-03-22 | 英特尔公司 | Method for performing modular exponentiations |
| CN101262405A (en) * | 2008-04-11 | 2008-09-10 | 华南理工大学 | High-speed secure virtual private network channel based on network processor and its realization method |
Non-Patent Citations (1)
| Title |
|---|
| 冯少少,傅予力.基于网络处理器的防火墙集成虚拟专用网模块.《系统工程与电子技术》.2008,第30卷(第2期),第358和359页. * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101478390A (en) | 2009-07-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Bouachir et al. | Blockchain and fog computing for cyberphysical systems: The case of smart industry | |
| Alharbi | Deployment of blockchain technology in software defined networks: A survey | |
| CN109302415B (en) | A kind of authentication method, block chain node and storage medium | |
| Xue et al. | Combining data owner-side and cloud-side access control for encrypted cloud storage | |
| Gupta et al. | Lightweight branched blockchain security framework for Internet of Vehicles | |
| CN112418860A (en) | Block chain efficient management framework based on cross-chain technology and working method | |
| US7769994B2 (en) | Content inspection in secure networks | |
| Faika et al. | A blockchain-based Internet of Things (IoT) network for security-enhanced wireless battery management systems | |
| Kang et al. | Toward secure energy harvesting cooperative networks | |
| CN109245894B (en) | Distributed cloud storage system based on intelligent contracts | |
| US8024573B2 (en) | Method for authentication of elements of a group | |
| Saputro et al. | Securing IoT network using lightweight multi-fog (LMF) blockchain model | |
| CN101867588A (en) | Access control system based on 802.1x | |
| Bansal et al. | Lightweight authentication protocol for inter base station communication in heterogeneous networks | |
| Chen et al. | IOV Privacy Protection System Based on Double‐Layered Chains | |
| CN101478390B (en) | Second generation cipher key exchange system and method based on network processor | |
| CN200962603Y (en) | A trustable boundary security gateway | |
| Joshi | Network security: know it all | |
| Pelekoudas-Oikonomou et al. | A tutorial on the implementation of a hyperledger fabric-based security architecture for IoMT | |
| Sivaselvan et al. | Blockchain-based scheme for authentication and capability-based access control in IoT environment | |
| Zhang et al. | Web 3.0: Developments and Directions of the Future Internet Architecture? | |
| Jog et al. | A critical analysis on the security architectures of internet of things: The road ahead | |
| EP2985749A2 (en) | Symmetric encryption device, and method used | |
| Das et al. | Design of a trust-based authentication scheme for blockchain-enabled iov system | |
| Mahbub | Blockchain technologies for securing IOT infrastructure: IOT-blockchain architectonics |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20111102 Termination date: 20180115 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |