CN104980497B - ESP encapsulation process devices based on Wishbone buses - Google Patents


Info

Publication number
CN104980497B
Authority
CN
China
Prior art keywords
data
module
packet
bus
encapsulation process
Legal status
Active
Application number
CN201510253970.7A
Other languages
Chinese (zh)
Other versions
CN104980497A (en)
Inventor
李冰
周岑军
刘勇
陈帅
赵霞
董乾
王刚
张龙飞
刘洋
Current Assignee
Southeast University
Original Assignee
Southeast University
Application filed by Southeast University
Priority to CN201510253970.7A
Publication of CN104980497A
Application granted
Publication of CN104980497B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services
    • H04L 67/565 Conversion or adaptation of application format or content
    • H04L 67/5651 Reducing the amount or size of exchanged application data
    • H04L 67/568 Storing data temporarily at an intermediate stage, e.g. caching
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Abstract

The invention discloses an ESP encapsulation processing device based on a Wishbone bus, belonging to the field of network security data processing. The device includes a group of ESP front-end encapsulation processing modules, a group of ESP back-end encapsulation processing modules, a group of encryption modules, a group of authentication modules, and a Wishbone bus module; the Wishbone bus module is connected to each of the above modules. The invention uses hardware to perform IPSec ESP protocol encapsulation processing on network-layer IP packets, and by connecting multiple sets of processing systems on the Wishbone bus it effectively raises the speed of ESP protocol encapsulation processing. The invention further provides a variety of cipher modes and a variety of authentication modes, improving the security and practicality of the system.

Description

ESP encapsulation processing device based on a Wishbone bus
Technical field
The present invention relates to the field of network security data processing, and in particular to a hardware-implemented ESP encapsulation processing device based on a Wishbone bus.
Background technology
With the rapid expansion of the Internet, it is increasingly woven into people's lives, and people can transmit information through it quickly and conveniently. Guaranteeing the security and privacy of that information therefore becomes extremely important. Network information security concerns national security and sovereignty, social stability, and the inheritance and development of national culture. Today's Internet information transmission is built mainly on the IP protocol, but IP packets themselves include no security features: an attacker can easily spoof the source address or destination address of an IP packet, modify the original contents of the packet, carry out replay attacks, and so on. The IP security protocol suite IPSec, established by the IETF (Internet Engineering Task Force), defines the security services used at the internetwork layer; its functions include data encryption, access control for network elements, data source address verification, data integrity checking, and replay attack prevention, and it can effectively guarantee the security of transmitted information. The IPSec Encapsulating Security Payload (ESP) protocol is one of the principal protocols in the IPSec implementation and is designed to provide security services in IPv4 and IPv6 environments. The ESP protocol provides confidentiality, data source authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. The ESP protocol involves a large number of computation-intensive tasks such as encryption, decryption, and message authentication. As computer network bandwidth keeps increasing, the processing speed of protocol implementations originally done in software finds it hard to keep up with the speed of the data flow, and the processing also consumes substantial resources, so the processing performance of critical network devices such as servers, gateways, routers, and switches drops substantially. There is therefore an urgent need to implement this protocol in hardware in order to provide high-speed, secure support for network information transmission.
In view of this, to address the problems that exist in current ESP protocol processing, it is necessary to improve the single-channel data processing method and the ESP protocol processing method so as to effectively raise the speed of data encapsulation processing and free up more resources.
Summary of the invention
The technical problem to be solved by the invention is to overcome the deficiencies of the prior art by providing an ESP encapsulation processing device based on a Wishbone bus that changes the existing ESP protocol encapsulation processing speed, effectively raises the speed of data encapsulation processing, and frees up more resources.
Specifically, the invention adopts the following technical scheme to solve the above technical problem:
An ESP encapsulation processing device based on a Wishbone bus, including:
a group of ESP front-end encapsulation processing modules, each of which receives packets after SA matching, parses the packets, performs preliminary processing on them, and sends them in a certain packet format to the Wishbone bus module;
a group of ESP back-end encapsulation processing modules, each of which receives from the Wishbone bus module packets that have been processed by the encryption module and/or the authentication module, modifies the relevant fields in the packet so that it meets the IPSec packet protocol specification, and then sends it to the upper-layer module in a certain packet format;
a group of encryption modules, each of which parses the packet, encrypts the portion of the payload data that needs encryption, re-encapsulates the packet in a certain packet format once encryption is complete, and sends it to the Wishbone bus module;
a group of authentication modules, each of which parses the packet, authenticates the portion of the payload data that needs authentication, re-encapsulates the packet in a certain packet format once authentication is complete, and sends it to the Wishbone bus module;
a Wishbone bus module, connected to each of the above modules, for arbitrating the direction of data flow between the modules;
where "a group" means at least two.
Preferably, the Wishbone bus module includes a bus arbiter submodule together with a group of bus request submodules and a group of bus decision submodules, each connected to the bus arbiter submodule. A bus request submodule sends the bus arbiter submodule a request signal to occupy the bus for sending a packet; a bus decision submodule sends the bus arbiter submodule a request signal to occupy the bus for receiving a packet; the bus arbiter submodule arbitrates the direction of packet flow between the modules. Each ESP front-end encapsulation processing module is connected to the bus arbiter submodule through one bus request submodule; each ESP back-end encapsulation processing module is connected to the bus arbiter submodule through one bus decision submodule; each encryption module is connected to the bus arbiter submodule through one bus request submodule and one bus decision submodule; and each authentication module is connected to the bus arbiter submodule through one bus request submodule and one bus decision submodule.
Further, the bus arbiter submodule arbitrates the packet flow between the modules according to the priority of each module, where the priority decreases in the order encryption module, authentication module, ESP back-end encapsulation processing module.
Preferably, the ESP front-end encapsulation processing module includes:
a data input buffer FIFO submodule, for buffering the packets in a specific format that are input from the upper-layer module after SA matching;
a selection processing submodule, for fetching data from the data input buffer FIFO submodule and obtaining and recording from specific data fields the length of the whole packet and the transmission mode to be used; if the field indicates transport mode, it sends the whole packet to the transport mode front-end encapsulation processing submodule according to the packet length, and if the field indicates tunnel mode, it sends the whole packet to the tunnel mode front-end encapsulation processing submodule according to the packet length;
a transport mode front-end encapsulation processing submodule, for performing preliminary encapsulation processing on packets in transport mode: it obtains and records from a specific data field the cipher mode the packet needs to use, calculates from that information the padding length to be added and appends the padding to the end of the IP packet, moves the original IP header to after the cipher mode field and before the SPI field, and then sends the packet to the data output buffer FIFO submodule;
a tunnel mode front-end encapsulation processing submodule, for performing preliminary encapsulation processing on packets in tunnel mode: it obtains and records from a specific data field the cipher mode the packet needs to use and the IP header of the IP packet, calculates from the cipher mode information the padding length to be added and appends the padding to the end of the IP packet, inserts a copy of the recorded IP header after the cipher mode field and before the SPI field, and then sends the packet to the output buffer FIFO submodule;
a data output buffer FIFO submodule, for buffering the packets that have completed preliminary processing in the transport mode front-end encapsulation submodule and the tunnel mode front-end encapsulation processing submodule.
Preferably, the ESP back-end encapsulation processing module includes:
a data input buffer FIFO submodule, for buffering packets sent from the Wishbone bus module that have completed encryption algorithm and/or authentication algorithm processing;
an ESP back-end encapsulation processing submodule, for performing the final processing on packets that have completed encryption algorithm and/or authentication algorithm processing: it obtains and records from specific fields the cipher mode and authentication mode the packet used, calculates from that information the values of the fields in the IP header that need to change and modifies them, discards the fields that do not conform to the IPSec packet protocol specification, such as the start field, the trailer field, and the cipher mode and authentication mode selection fields, and sends the processed packet to the data output buffer FIFO submodule;
a data output buffer FIFO submodule, for buffering the IPSec packets, conforming to the protocol specification, that come from the ESP back-end encapsulation processing submodule.
Preferably, the encryption module includes:
a data input buffer FIFO submodule, for buffering packets sent from the Wishbone bus module;
a data parsing submodule, for sending the payload data in the packet that needs encryption and the data that does not need encryption separately to the encryption core submodule and the non-encrypted data FIFO submodule: it obtains from a specific field in the packet the encryption mode the packet requires, calculates from that information the key length and initialization vector length required for encryption, parses the packet accordingly, sends the key, the initialization vector, and the payload data to be encrypted to the encryption core submodule, and sends the remaining data to the non-encrypted data FIFO submodule for buffering;
a non-encrypted data buffer FIFO submodule, for buffering the data that is not encrypted and supplying it afterwards to the data encapsulation submodule for encapsulation;
an encryption core submodule, for encrypting the payload data that needs encryption: it encrypts the payload data with the encryption algorithm according to the key and initialization vector sent to it;
a data encapsulation submodule, for re-encapsulating the data into the IPSec packet format conforming to the protocol specification: it first reads the data from the non-encrypted data FIFO submodule, then reads the data from the encryption core submodule and splices it onto the tail of the preceding packet, and sends the result to the data output buffer FIFO submodule;
a data output buffer FIFO submodule, for buffering packets sent from the data encapsulation submodule.
Preferably, the authentication module includes:
a data input buffer FIFO submodule, for buffering packets sent from the Wishbone bus module;
a data parsing submodule, for sending the payload data in the packet that needs authentication and the original packet separately to the authentication key submodule and the non-authenticated data FIFO submodule: it obtains from a specific field in the packet the authentication processing mode the packet requires, calculates from that information the key length required for authentication, parses the packet accordingly, sends the key and the payload data to be authenticated to the authentication key submodule, and sends the original packet to the non-authenticated data FIFO submodule for buffering;
a non-authenticated data buffer FIFO submodule, for buffering the complete original packet received;
an authentication key submodule, for authenticating the payload data that needs authentication: it authenticates the payload data with the authentication algorithm according to the key sent to it, and generates and truncates the authentication digest to the required length;
a data encapsulation submodule, for re-encapsulating the data into the IPSec packet format conforming to the protocol specification: it first reads the complete original packet from the non-authenticated data FIFO submodule, then splices the truncated authentication digest generated by the authentication key submodule onto the tail of the packet, and sends the result to the data output buffer FIFO submodule;
a data output buffer FIFO submodule, for buffering packets sent from the data encapsulation submodule.
Compared with the prior art, the invention has the following advantages:
The invention uses hardware to perform IPSec ESP protocol encapsulation processing on network-layer IP packets, and by connecting multiple sets of processing systems on the Wishbone bus it effectively raises the speed of ESP protocol encapsulation processing.
The invention further provides a variety of cipher modes and a variety of authentication modes, improving the security and practicality of the system.
Brief description of the drawings
Fig. 1 is a schematic diagram of the basic architecture of a preferred embodiment of the ESP encapsulation processing device of the invention;
Fig. 2 is a schematic diagram of the principle of a preferred embodiment of the ESP front-end encapsulation processing module in the preferred embodiment;
Fig. 3 is a schematic diagram of the principle of a preferred embodiment of the ESP back-end encapsulation processing module in the preferred embodiment;
Fig. 4 is a schematic diagram of the principle of a preferred embodiment of the 3DES encryption module in the preferred embodiment;
Fig. 5 is a schematic diagram of the principle of a preferred embodiment of the AES encryption module in the preferred embodiment;
Fig. 6 is a schematic diagram of the principle of a preferred embodiment of the HMAC-SHA authentication module in the preferred embodiment;
Fig. 7 is a schematic diagram of the principle of a preferred embodiment of the HMAC-MD5 authentication module in the preferred embodiment;
Fig. 8 is a schematic diagram of the principle of a preferred embodiment of the Wishbone bus module in the preferred embodiment.
Embodiments
The technical scheme of the invention is described in detail below with reference to the accompanying drawings:
To address the defects of the prior art in performing ESP encapsulation processing, namely low processing efficiency and high resource occupancy, the invention proposes an encapsulation processing device implemented entirely in hardware, which greatly raises the speed of ESP protocol encapsulation processing by connecting multiple sets of processing systems on the Wishbone bus.
Fig. 1 shows a preferred embodiment of the ESP encapsulation processing device of the invention, implemented on an FPGA. As shown in Fig. 1, the device includes a group of ESP front-end encapsulation processing modules, a group of ESP back-end encapsulation processing modules, a group of 3DES encryption modules, a group of AES encryption modules, a group of HMAC-SHA authentication modules, a group of HMAC-MD5 authentication modules, and a Wishbone bus module; the Wishbone bus module is connected to each of the above modules. The functions of the modules in the system are as follows:
ESP front-end encapsulation processing module: it receives, through its internal data receive buffer module, packets from the upper layer that have completed SA matching; decides from specific fields in the packet whether the packet is sent in transport mode or tunnel mode; performs different preliminary processing on the IP header field of the IP packet according to that decision; at the same time determines from specific fields in the packet the encryption mode the packet requires and, according to that determination, appends padding of different lengths to the tail of the IP packet; then sends the packet to its internal data send buffer module, where the packet is ready to enter the Wishbone bus module.
ESP back-end encapsulation processing module: it receives, through its internal data receive buffer module, packets from the Wishbone bus module, all of which have completed encryption and/or authentication processing; obtains from specific fields in the packet the encryption mode and authentication processing mode the packet used; calculates from that information the values of the fields in the IP header that need to change and modifies them; discards the fields that do not conform to the IPSec packet protocol specification, such as the flag field, the trailer field, and the cipher mode and authentication mode selection fields; and sends the processed packet to the data output buffer module.
3DES encryption module: it receives packets from the Wishbone bus module through its internal data receive buffer module; obtains from a specific field in the packet the encryption mode required for the payload data; calculates from that information the key length and initialization vector length required for encryption; parses the packet accordingly; sends the key, the initialization vector, and the payload data to be encrypted to the 3DES encryption core module, and sends the remaining data to the non-encrypted data buffer for buffering. The internal encapsulation module reads data in the order of first reading the data from the non-encrypted data buffer and then reading the encrypted payload data from the encryption core module, splices the encrypted payload data onto the tail of the non-encrypted packet, and then sends the packet to the internal data send buffer module.
AES encryption module: it receives packets from the Wishbone bus module through its internal data receive buffer module; obtains from a specific field in the packet the encryption mode required for the payload data; calculates from that information the key length and initialization vector length required for encryption; parses the packet accordingly; sends the key, the initialization vector, and the payload data to be encrypted to the AES encryption core module, and sends the remaining data to the non-encrypted data buffer for buffering. The internal encapsulation module reads data in the order of first reading the data from the non-encrypted data buffer and then reading the encrypted payload data from the encryption core module, splices the encrypted payload data onto the tail of the non-encrypted data, and then sends the packet to the internal data send buffer module.
HMAC-SHA authentication module: it receives packets from the Wishbone bus module through its internal data receive buffer module; obtains from a specific field in the packet the authentication processing mode required for the payload data; calculates from that information the key length required for authentication; parses the packet accordingly; sends the key and the payload data to be authenticated to the HMAC-SHA authentication core module, and sends the complete original packet to the non-authenticated data buffer module for buffering. The internal encapsulation module reads data in the order of first reading the complete original packet from the non-authenticated data buffer and then reading the authentication digest from the authentication core module, splices the authentication digest onto the tail of the complete original packet, and then sends the packet to the internal data send buffer module.
HMAC-MD5 authentication module: it receives packets from the Wishbone bus module through its internal data receive buffer module; obtains from a specific field in the packet the authentication processing mode required for the payload data; calculates from that information the key length required for authentication; parses the packet accordingly; sends the key and the payload data to be authenticated to the HMAC-MD5 authentication core module, and sends the complete original packet to the non-authenticated data buffer module for buffering. The internal encapsulation module reads data in the order of first reading the complete original packet from the non-authenticated data buffer and then reading the authentication digest from the authentication core module, splices the authentication digest onto the tail of the complete original packet, and then sends the packet to the internal data send buffer module.
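The parse, digest and splice sequence of the two HMAC authentication modules described above, as an added Python example that is not the patent's own (hardware) design. The one-byte mode selector, the key lengths (20 bytes for HMAC-SHA-1, 16 for HMAC-MD5) and the 96-bit truncation follow RFC 2404 and RFC 2403 and are assumptions, since the page does not give the device's internal field layout; the outer IP header is left out of the authenticated data, as ESP requires.

```python
"""Added example, not the patent's own code: the HMAC-SHA / HMAC-MD5 authentication
module's parse -> digest -> splice sequence for one packet.
Assumptions: a 1-byte mode selector precedes a fixed-length key and the packet;
key sizes and 96-bit ICV truncation follow RFC 2404 / RFC 2403."""
import hashlib
import hmac

MODES = {0: "hmac-sha1", 1: "hmac-md5"}           # assumed selector values
DIGEST = {"hmac-sha1": hashlib.sha1, "hmac-md5": hashlib.md5}
KEY_LEN = {"hmac-sha1": 20, "hmac-md5": 16}       # bytes, per RFC 2404 / RFC 2403
ICV_LEN = 12                                      # both modes truncate to 96 bits


def parse_auth_record(rec):
    """Data-parsing submodule: read the mode selector, derive the key length
    from it, and split the record into (mode, key, original packet)."""
    mode = MODES[rec[0]]
    klen = KEY_LEN[mode]
    if len(rec) < 1 + klen:
        raise ValueError("record shorter than selector + key")
    return mode, rec[1:1 + klen], rec[1 + klen:]


def ipv4_header_len(pkt):
    return (pkt[0] & 0x0F) * 4


def authenticate(rec):
    """Authentication core + data encapsulation: HMAC over the ESP part of the
    packet (outer IP header excluded), truncated, then spliced onto the tail."""
    mode, key, pkt = parse_auth_record(rec)
    covered = pkt[ipv4_header_len(pkt):]  # ESP header through ESP trailer
    icv = hmac.new(key, covered, DIGEST[mode]).digest()[:ICV_LEN]
    return pkt + icv


def verify(pkt_with_icv, key, mode):
    """Receiver-side check of the spliced ICV, using a constant-time comparison."""
    body, icv = pkt_with_icv[:-ICV_LEN], pkt_with_icv[-ICV_LEN:]
    covered = body[ipv4_header_len(body):]
    expect = hmac.new(key, covered, DIGEST[mode]).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expect)


def sample_record(mode_byte, key, esp_part):
    """Constructed input: selector || key || (20-byte IPv4 header || ESP part)."""
    ip_hdr = bytes([0x45]) + bytes(19)
    return bytes([mode_byte]) + key + ip_hdr + esp_part


if __name__ == "__main__":
    key = bytes(range(20))
    esp = b"\x00\x00\x01\x00" + b"\x00\x00\x00\x01" + b"C" * 16  # SPI, seq, ciphertext
    out = authenticate(sample_record(0, key, esp))
    print(out[-ICV_LEN:].hex(), verify(out, key, "hmac-sha1"))
```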
Wishbone bus module: when a packet enters the Wishbone bus module, the Wishbone bus module determines from specific fields in the packet all the processing services the packet requires and transmits the packet to the modules in order of priority, where the 3DES encryption module and AES encryption module have higher priority than the HMAC-SHA authentication module and HMAC-MD5 authentication module, which in turn have higher priority than the ESP back-end encapsulation processing module. For example, if a packet does not need the encryption service, then when the packet enters the Wishbone bus module after completing preliminary processing in the ESP front-end encapsulation processing module, the Wishbone bus module sends the packet to the specified HMAC-SHA authentication module or HMAC-MD5 authentication module; once authentication processing is complete, the HMAC-SHA or HMAC-MD5 authentication module sends the packet back to the Wishbone bus module, and the Wishbone bus module sends it, according to priority, to the ESP back-end encapsulation processing module for the final processing, which forms a packet conforming to the IPSec packet protocol specification and sends it to the upper-layer module.
Fig. 2 shows the structure and principle of a preferred embodiment of the ESP front-end encapsulation processing module. As shown in Fig. 2, the ESP front-end encapsulation processing module includes an input data buffer FIFO module, a selection processing module, a transport mode processing module, a tunnel mode processing module, and a data output buffer FIFO module.
The input data buffer FIFO module buffers the packets in a specific format that are input from the upper-layer module after SA matching is complete.
The selection processing module reads packets from the input data buffer FIFO and obtains from specific fields in the packet the length of the whole packet and the transmission mode to be used; if the field indicates transport mode, it sends the whole packet to the transport mode front-end encapsulation processing module according to the packet length, and if the field indicates tunnel mode, it sends the whole packet to the tunnel mode front-end encapsulation processing module according to the packet length.
The transport mode front-end encapsulation processing module performs preliminary encapsulation processing on packets transmitted in transport mode: it obtains from a specific field in the packet the encryption mode the packet needs to use, calculates from that information the padding length to be added and appends the padding to the tail of the IP packet, moves the original IP header of the IP packet to after the cipher mode field and before the SPI field, and then sends the packet to the data output buffer FIFO module.
The tunnel mode front-end encapsulation processing module performs preliminary encapsulation processing on packets transmitted in tunnel mode: it obtains from a specific field in the packet the encryption mode the packet needs to use and the IP header of the IP packet, calculates from the encryption mode information the padding length to be added and appends the padding to the tail of the IP packet, inserts a copy of the recorded IP header after the cipher mode field and before the SPI field, and then sends the packet to the output buffer FIFO module.
The data output buffer FIFO module buffers the packets that have completed preliminary processing, sent from the transport mode front-end encapsulation module and the tunnel mode front-end encapsulation processing module, and then sends them to the Wishbone bus module.
The specific data handling procedure of the above ESP front-end encapsulation processing module is as follows: packets sent from the upper-layer SA module are buffered in the input data buffer FIFO module; the selection processing module reads a packet from the input data buffer FIFO module, decides from specific fields in the packet whether the packet is transmitted in transport mode or tunnel mode, and sends the packet to the transport mode front-end encapsulation processing module in the transport mode case or to the tunnel mode front-end encapsulation processing module in the tunnel mode case; the transport mode front-end encapsulation processing module extracts the IP header of the IP packet and moves it to after the specific field carrying the cipher mode and before the SPI field, at the same time obtains from a specific field in the packet the encryption mode the packet needs to use, calculates from that information the padding length to be added and appends the padding to the tail of the IP packet, adds the padding information field after the padding field, and sends the packet to the data output buffer FIFO module; the tunnel mode front-end encapsulation processing module extracts the IP header of the IP packet while retaining the IP header of the original IP packet, moves the extracted IP header to after the specific field carrying the cipher mode and before the SPI field, at the same time obtains from a specific field in the packet the encryption mode the packet needs to use, calculates from the cipher mode the padding length to be added and appends the padding to the tail of the IP packet, adds the padding information field after the padding field, and sends the packet to the output buffer FIFO module.
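The padding computation and header rearrangement of the front-end procedure above, as an added Python example that is not the patent's own design (the device is FPGA hardware and the page does not disclose its internal packet format, so standard ESP layout per RFC 4303 is used here). It assumes block sizes of 8 bytes for 3DES and 16 bytes for AES, RFC 4303 padding with a pad-length and next-header byte, a constructed IPv4 packet as input, and, in tunnel mode, a copy of the original header as the outer header, as the page describes.

```python
"""Added example, not the patent's own code: the ESP front-end module's padding
and header-rearrangement step, modelled in Python for one IPv4 packet.
Assumptions: block sizes of 8 bytes (3DES) and 16 bytes (AES); RFC 4303 padding
(bytes 1,2,3,... then pad-length and next-header bytes); in tunnel mode the outer
header is a copy of the original header, as the page describes."""
import struct

BLOCK_SIZE = {"3des": 8, "aes": 16}   # assumed block size per cipher mode
NEXT_HDR_IPV4 = 4                     # next-header value for a tunnelled IPv4 packet


def pad_length(plain_len, block):
    """Padding so that plaintext + padding + 2 trailer bytes fills whole blocks."""
    return (-(plain_len + 2)) % block


def esp_trailer(plain_len, block, next_header):
    """Padding field, pad-length byte and next-header byte (the RFC 4303 trailer)."""
    n = pad_length(plain_len, block)
    return bytes(range(1, n + 1)) + bytes([n, next_header])


def ipv4_header_len(pkt):
    return (pkt[0] & 0x0F) * 4


def front_end(pkt, mode, cipher, spi, seq):
    """Selection + transport/tunnel submodules: returns the outer header that stays
    in the clear, the ESP header (SPI, sequence) and the plaintext to be encrypted."""
    hlen = ipv4_header_len(pkt)
    ip_hdr, payload = pkt[:hlen], pkt[hlen:]
    block = BLOCK_SIZE[cipher]
    esp_hdr = struct.pack("!II", spi, seq)
    if mode == "transport":
        # original header stays outer; only the transport-layer payload is protected;
        # the original protocol number moves into the trailer's next-header byte
        plain = payload + esp_trailer(len(payload), block, pkt[9])
    elif mode == "tunnel":
        # the whole original packet, header included, becomes the protected payload;
        # a copy of its header serves as the outer header
        plain = pkt + esp_trailer(len(pkt), block, NEXT_HDR_IPV4)
    else:
        raise ValueError("unknown mode %r" % mode)
    return {"outer_ip": ip_hdr, "esp_hdr": esp_hdr, "plaintext": plain}


def sample_ipv4_packet(payload, proto=17):
    """Constructed 20-byte IPv4 header (no options, checksum left 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


if __name__ == "__main__":
    pkt = sample_ipv4_packet(b"0123456789")
    for mode, cipher in (("transport", "3des"), ("tunnel", "aes")):
        r = front_end(pkt, mode, cipher, 0x100, 1)
        print(mode, cipher, len(r["plaintext"]), r["plaintext"][-2:].hex())
```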
Fig. 3 shows the structure and principle of a preferred embodiment of the ESP back-end encapsulation processing module. As shown in Fig. 3, the ESP back-end encapsulation processing module includes an input data buffer FIFO module, an ESP back-end encapsulation processing submodule, and an output data buffer FIFO module. The input data buffer FIFO module buffers packets sent from the Wishbone bus module that have completed encryption algorithm and/or authentication algorithm processing. The ESP back-end encapsulation processing submodule performs the final processing on packets that have completed encryption algorithm and/or authentication algorithm processing: it modifies the relevant fields in the IP header according to specific fields in the packet, discards the fields that do not conform to the IPSec packet protocol specification, and sends the processed packet in a certain packet format to the data output buffer FIFO module. The data output buffer FIFO module buffers the IPSec packets, conforming to the protocol specification, that have been processed by the ESP back-end encapsulation processing submodule, for the upper-layer module to read.
The specific working process of the above ESP back-end encapsulation processing module is as follows: the input data buffer FIFO module receives and buffers packets sent from the Wishbone bus module that have completed encryption and/or authentication processing; the ESP back-end encapsulation processing submodule reads a packet from the input data buffer FIFO module, obtains from specific fields in the packet the encryption and authentication processing modes the packet requires and the packet transmission mode, and modifies the outermost IP header fields of the packet according to that information: for a packet in IPv4 format the fields to change are total length, protocol, and header checksum; for a packet in IPv6 format the fields to change are payload length and next header. At the same time it discards the fields that do not conform to the IPSec packet protocol specification, such as the start field, the trailer field, and the cipher mode, authentication mode, and transmission mode selection fields, and sends the finished IPSec packet to the data output buffer FIFO module for the upper-layer module to read.
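The back-end header fix-up just described (IPv4 total length, protocol and header checksum; IPv6 payload length and next header) together with the discarding of the internal control fields, as an added Python example rather than the patent's hardware. The internal record with its start, trailer and mode selection fields is modelled as a dict whose layout is my assumption; the ESP protocol number 50 and the RFC 1071 checksum are from the IP and IPSec standards, not from the page.

```python
"""Added example, not the patent's own code: the ESP back-end module's final step,
rewriting the outermost IP header and discarding the device-internal control fields.
Assumptions: the internal record is a dict (its real layout is not on the page);
ESP protocol number 50 and the RFC 1071 checksum come from the standards."""
import struct

ESP_PROTO = 50
CONTROL_FIELDS = ("start", "trailer", "cipher_mode", "auth_mode", "tx_mode")


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum of 16-bit words (checksum field zeroed by caller)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def finish_ipv4(outer_hdr, esp_body):
    """Total length, protocol and header checksum: the three IPv4 fields the page names."""
    hlen = (outer_hdr[0] & 0x0F) * 4
    hdr = bytearray(outer_hdr[:hlen])
    struct.pack_into("!H", hdr, 2, hlen + len(esp_body))   # total length
    hdr[9] = ESP_PROTO                                     # protocol
    struct.pack_into("!H", hdr, 10, 0)                     # zero before recomputing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + esp_body


def finish_ipv6(outer_hdr, esp_body):
    """Payload length and next header: the two IPv6 fields the page names."""
    hdr = bytearray(outer_hdr[:40])
    struct.pack_into("!H", hdr, 4, len(esp_body))          # payload length
    hdr[6] = ESP_PROTO                                     # next header
    return bytes(hdr) + esp_body


def back_end(record):
    """Drop the control fields and emit the wire packet for the record's IP version."""
    record = dict(record)
    for f in CONTROL_FIELDS:
        record.pop(f, None)
    body = record["esp_hdr"] + record["ciphertext"] + record.get("icv", b"")
    outer = record["outer_ip"]
    version = outer[0] >> 4
    if version == 4:
        return finish_ipv4(outer, body)
    if version == 6:
        return finish_ipv6(outer, body)
    raise ValueError("unsupported IP version %d" % version)


def ipv4_checksum_ok(pkt):
    """Receiver-side check: a valid header sums to zero under the same routine."""
    return ipv4_checksum(pkt[:(pkt[0] & 0x0F) * 4]) == 0


def sample_record(version):
    """Constructed internal record as the encryption/authentication modules leave it."""
    if version == 4:
        outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 1, 0, 64, 17, 0,
                            bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    else:
        outer = struct.pack("!IHBB16s16s", 0x60000000, 0, 17, 64, bytes(16), bytes(16))
    return {"start": 0xAA, "trailer": 0x55, "cipher_mode": "aes",
            "auth_mode": "hmac-sha1", "tx_mode": "transport", "outer_ip": outer,
            "esp_hdr": struct.pack("!II", 0x100, 1),
            "ciphertext": b"\x00" * 16, "icv": b"\x11" * 12}


if __name__ == "__main__":
    for v in (4, 6):
        p = back_end(sample_record(v))
        print(v, len(p), p[:40].hex())
```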
Fig. 4 shows the structure and principle of a preferred embodiment of the 3DES encryption module. As shown in Fig. 4, the 3DES encryption module includes: an input data buffer FIFO module, a data parsing module, a non-encrypted data buffer module, a 3DES encryption core module, a data packaging module and a data output buffer FIFO module.
The data input buffer FIFO module caches the packets sent from the Wishbone bus module that have been preliminarily processed by the ESP front-end encapsulation processing module.
The data parsing module separates the payload data that needs encryption from the data that need not be encrypted and sends them to the 3DES encryption core module and the non-encrypted data buffer module respectively: it parses the packet according to specific fields in the packet, sends the payload data that needs encryption to the 3DES encryption core module, and sends the remaining data to the non-encrypted data buffer module for caching.
The non-encrypted data buffer module caches the data that is not encrypted, for later use by the data packaging module during encapsulation.
The 3DES encryption core module encrypts the payload data that needs encryption using the 3DES algorithm.
The data packaging module re-encapsulates the data into the specified data format: it first reads the data from the non-encrypted data buffer module, then reads the encrypted payload data from the 3DES encryption core module and appends it to the tail of the non-encrypted data, and sends the result to the data output buffer FIFO module.
The data output buffer FIFO module caches the packets sent from the data packaging module and then sends them to the Wishbone bus module.
The specific workflow of the 3DES encryption module is as follows. The input data buffer FIFO module receives the packets sent from the Wishbone bus module that have been preliminarily processed by the ESP front-end encapsulation processing module and caches them in the module. The data parsing sub-module reads a packet from the input data buffer FIFO module, obtains the encryption mode required for the packet from specific fields in the packet (here the key length used by the 3DES encryption mode is fixed at 192 bits), calculates from this information the key and initialization vector lengths required for encryption, and parses the packet accordingly: the data preceding the key and initialization vector field is sent to the non-encrypted data buffer FIFO module for caching, while the key and initialization vector field and the payload data are sent to the 3DES encryption core module for encryption. The 3DES encryption core module extracts the key and initialization vector according to the key and initialization vector lengths obtained from the specific fields in the packet, and encrypts the payload data with the 3DES algorithm using that key and initialization vector. The data packaging module first reads the non-encrypted data from the non-encrypted data buffer FIFO module, then reads the encrypted payload data from the 3DES encryption core module and appends it to the tail of the non-encrypted packet, and sends the result to the data output buffer FIFO module. The data output buffer FIFO module caches the processed packet while it waits to be sent to the Wishbone bus module.
Fig. 5 shows the structure and principle of a preferred embodiment of the AES encryption module. Its structure is similar to that of the 3DES encryption module and likewise includes: an input data buffer FIFO module, a data parsing module, a non-encrypted data buffer module, a data packaging module and a data output buffer FIFO module; only the encryption core module differs, being an AES encryption core module that uses the AES encryption algorithm. The basic workflow of the AES encryption module is as follows. The input data buffer FIFO module receives the packets sent from the Wishbone bus module that have been preliminarily processed by the ESP front-end encapsulation processing module and caches them in the module. The data parsing module reads a packet from the input data buffer FIFO module, obtains the encryption mode required for the packet from specific fields in the packet (128, 192 or 256 bits), calculates from this information the key length and initialization vector length required for encryption, and parses the packet accordingly: the data preceding the key and initialization vector field is sent to the non-encrypted data buffer FIFO module for caching, while the key and initialization vector field and the payload data are sent to the AES encryption core module for encryption. The AES encryption core module extracts the key and initialization vector according to the key length and initialization vector length obtained from the specific fields in the packet, and encrypts the payload data with the AES algorithm using that key and initialization vector. The data packaging module first reads the non-encrypted data from the non-encrypted data buffer FIFO module, then reads the encrypted payload data from the AES encryption core module and appends it to the tail of the non-encrypted packet, and sends the result to the data output buffer FIFO module. The data output buffer FIFO module caches the processed packet while it waits to be sent to the Wishbone bus module.
Two different groups of encryption modules (3DES and AES) are used in this embodiment at the same time; in practice they may be replaced or supplemented, according to actual needs, by other encryption modules that use existing or future encryption algorithms.
Fig. 6 shows the structure and principle of a preferred embodiment of the HMAC-SHA authentication module. As shown in Fig. 6, the HMAC-SHA authentication module includes: an input data buffer FIFO module, a data parsing module, a non-authenticated data buffer module, a SHA authentication core module, a data packaging module and a data output buffer FIFO module.
The data input buffer FIFO module caches the packets sent from the Wishbone bus module that have been encrypted by the 3DES encryption module or the AES encryption module, or that come directly from the preliminary processing of the ESP front-end encapsulation processing module.
The data parsing module, according to specific fields in the packet, sends the payload data that needs authentication to the SHA authentication core module for authentication processing, and sends the complete original packet to the non-authenticated data buffer module for caching.
The non-authenticated data buffer module caches the complete original packet received.
The SHA authentication core module authenticates the payload data that needs authentication using the HMAC-SHA algorithm and truncates the generated authentication digest to the required length.
The data packaging module re-encapsulates the data into the specified format: it first reads the complete packet from the non-authenticated data buffer module, then reads the authentication digest from the SHA authentication core module and appends it to the tail of the packet, and sends the result to the data output buffer FIFO module.
The data output buffer FIFO module caches the packets sent from the data packaging module and then sends them to the Wishbone bus module.
The basic workflow of the HMAC-SHA authentication module is as follows. The input data buffer FIFO module receives from the Wishbone bus module a packet that has been encrypted by the 3DES encryption module or the AES encryption module, or that comes directly from the preliminary processing of the ESP front-end encapsulation processing module, and caches the packet in the module. The data parsing module reads a packet from the input data buffer FIFO module, obtains the required authentication processing mode from specific fields in the packet, calculates from this information the key length required for authentication, and parses the packet accordingly: it stores the whole packet and sends it to the non-authenticated data buffer, and at the same time sends the authentication key field together with the payload portion that follows the outermost IP header field to the SHA authentication core module for authentication processing. The SHA authentication core module extracts the key according to the key length obtained from the specific fields in the packet, authenticates the payload data with the HMAC-SHA algorithm using that key, and truncates the generated authentication digest as required. The data packaging module first reads the complete original packet from the non-authenticated data buffer module, then reads the authentication digest from the SHA authentication core module and appends it to the tail of the original packet, and sends the result to the data output buffer FIFO module. The data output buffer FIFO module caches the packet while it waits to be sent to the Wishbone bus module.
Fig. 7 shows the structure and principle of a preferred embodiment of the HMAC-MD5 authentication module. As shown in Fig. 7, its basic structure and principle are similar to those of the HMAC-SHA authentication module; it likewise includes an input data buffer FIFO module, a data parsing module, a non-authenticated data buffer module, a data packaging module and a data output buffer FIFO module, and only the authentication core module differs, being an MD5 authentication core module that uses the HMAC-MD5 authentication algorithm. The basic workflow of the HMAC-MD5 authentication module is as follows. The input data buffer FIFO module receives from the Wishbone bus module a packet that has been encrypted by the 3DES encryption module or the AES encryption module, or that comes directly from the preliminary processing of the ESP front-end encapsulation processing module, and caches the packet in the module. The data parsing module reads a packet from the input data buffer FIFO module, obtains the required authentication processing mode from specific fields in the packet, calculates from this information the key length required for authentication, and parses the packet accordingly: it stores the whole packet and sends it to the non-authenticated data buffer, and at the same time sends the authentication key field together with the payload data that follows the outermost IP header field to the MD5 authentication core module for authentication processing. The MD5 authentication core module extracts the key according to the key length obtained from the specific fields in the packet, authenticates the payload data with the HMAC-MD5 authentication algorithm using that key, and truncates the generated authentication digest as required. The data packaging module first reads the complete original packet from the non-authenticated data buffer module, then reads the authentication digest from the MD5 authentication core module and appends it to the tail of the original packet, and sends the result to the data output buffer FIFO module. The data output buffer FIFO module caches the packet while it waits to be sent to the Wishbone bus module.
Two different groups of authentication modules (HMAC-SHA and HMAC-MD5) are used in this embodiment at the same time; in practice they may be replaced or supplemented, according to actual needs, by other authentication modules that use existing or future authentication algorithms.
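The following Python model, added here and not part of the patent, covers the HMAC-SHA and HMAC-MD5 module workflows above: the parsing step derives the key length from a mode selector, the core computes the HMAC over the data following the outermost IP header and truncates it, and the packaging step appends the digest to the original packet. The frame layout, the mode selector values and the RFC 2403/2404 key and 96-bit ICV sizes are assumptions; a receiver-side verify function is included to show the constant-time comparison the truncated digest needs on the other end.

```python
import hmac
import hashlib

# Constructed frame layout for the authentication module (an assumption; the
# patent only says that mode and key are read from "specific fields"):
#   byte 0      authentication mode selector
#   bytes 1..k  authentication key, k derived from the mode
#   rest        the packet, starting with its outermost IP header
# Key and ICV sizes follow HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404):
# 128-bit / 160-bit keys, digest truncated to 96 bits.
MODE_HMAC_SHA = 1
MODE_HMAC_MD5 = 2
PROFILES = {
    MODE_HMAC_SHA: (hashlib.sha1, 20),
    MODE_HMAC_MD5: (hashlib.md5, 16),
}
ICV_LEN = 12


def outer_ip_header_len(packet: bytes) -> int:
    """Length of the outermost IP header; authenticated data starts right after it."""
    version = packet[0] >> 4
    if version == 4:
        return (packet[0] & 0x0F) * 4
    if version == 6:
        return 40
    raise ValueError("unsupported IP version %d" % version)


def parse_auth_frame(frame: bytes):
    """Data parsing sub-module: split the frame into (mode, key, original packet)."""
    mode = frame[0]
    if mode not in PROFILES:
        raise ValueError("unknown authentication mode %d" % mode)
    key_len = PROFILES[mode][1]
    key = frame[1:1 + key_len]
    packet = frame[1 + key_len:]
    if len(key) != key_len or len(packet) <= outer_ip_header_len(packet):
        raise ValueError("frame too short for key or packet")
    return mode, key, packet


def compute_icv(mode: int, key: bytes, packet: bytes) -> bytes:
    """Authentication core: HMAC over the payload after the outer IP header, truncated."""
    digest_fn = PROFILES[mode][0]
    payload = packet[outer_ip_header_len(packet):]
    return hmac.new(key, payload, digest_fn).digest()[:ICV_LEN]


def authenticate_frame(frame: bytes) -> bytes:
    """Whole module: parse, authenticate, append the ICV to the original packet."""
    mode, key, packet = parse_auth_frame(frame)
    return packet + compute_icv(mode, key, packet)


def verify_icv(mode: int, key: bytes, packet_with_icv: bytes) -> bool:
    """Receiver-side check (not in the patent): recompute and compare in constant time."""
    packet, icv = packet_with_icv[:-ICV_LEN], packet_with_icv[-ICV_LEN:]
    return hmac.compare_digest(compute_icv(mode, key, packet), icv)


# Constructed sample: 20-byte IPv4 header, then an 8-byte ESP header and 16 bytes
# standing in for ciphertext; all values arbitrary.
SAMPLE_PACKET = (bytes.fromhex("4500002c" "12344000" "32320000" "0a000001" "0a000002")
                 + bytes.fromhex("00001001" "00000001") + bytes(range(16)))
SAMPLE_KEY_SHA = bytes(range(20))
SAMPLE_KEY_MD5 = bytes(range(16))


def sample_frame(mode: int) -> bytes:
    key = SAMPLE_KEY_SHA if mode == MODE_HMAC_SHA else SAMPLE_KEY_MD5
    return bytes([mode]) + key + SAMPLE_PACKET


if __name__ == "__main__":
    out = authenticate_frame(sample_frame(MODE_HMAC_SHA))
    print(out[-ICV_LEN:].hex(), verify_icv(MODE_HMAC_SHA, SAMPLE_KEY_SHA, out))
```

Note that the outer IP header itself is not covered by the digest, so a change to a mutable header field such as TTL leaves the ICV valid, exactly as ESP intends.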
Fig. 8 shows the structure and principle of a preferred embodiment of the Wishbone bus module. As shown in Fig. 8, the Wishbone bus module includes a bus arbitration module together with a group of bus request modules and a group of bus decision modules, each connected to the bus arbitration module. As illustrated, each ESP front-end encapsulation processing module is connected to the bus arbitration module through one bus request module; each ESP back-end encapsulation processing module is connected to the bus arbitration module through one bus decision module; each encryption module is connected to the bus arbitration module through one bus request module and one bus decision module; and each authentication module is likewise connected to the bus arbitration module through one bus request module and one bus decision module. The functions of the sub-modules are as follows:
Bus request module: sends to the bus arbitration module the request signal to occupy the bus and send a packet. When the packet of the preceding module is ready, the packet is sent to the corresponding bus request module, and the bus request module then sends a packet-ready signal to the bus arbitration module.
Bus decision module: sends to the bus arbitration module the request signal to occupy the bus and receive a packet. When a packet has been passed on to the next module through the bus decision module, the bus decision module signals to the bus arbitration module that it can receive a packet.
Bus arbitration module: arbitrates the packet flow between the ESP front-end encapsulation processing modules, the encryption modules, the authentication modules and the ESP back-end encapsulation processing modules. Following the priority order in which the encryption modules have higher priority than the authentication modules and the authentication modules have higher priority than the ESP back-end encapsulation processing modules, it determines from specific fields in the packet the encryption processing mode and authentication processing mode the packet requires and delivers the packet to the designated module.
The specific workflow of the Wishbone bus module is as follows. When a bus request module receives a data-send request signal, it sends to the bus arbitration module the request signal to occupy the bus and send data. The bus arbitration module returns a response signal according to the bus occupancy state; when the bus arbitration module is idle, it identifies the source of the signal, obtains from specific fields in the packet the encryption service and authentication service the packet requires, and, following the priority order in which the 3DES encryption module and AES encryption module have the highest priority, the HMAC-SHA authentication module and HMAC-MD5 authentication module the next highest, and the ESP back-end encapsulation processing module the lowest, checks the state of all bus decision modules connected to it and delivers the packet to an idle bus decision module. When a bus decision module receives a request to receive a packet, it returns a response signal according to its state and, if idle, receives the packet from the bus.
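A Python simulation of the arbitration just described, added as an illustration rather than the patent's bus logic: packets carry the mode fields the arbiter reads, each receiving module has a bus decision port that is either idle or holding one packet, and pending requests are granted in the order encryption, then authentication, then back-end, only to an idle port that implements the required mode. The mode selector values and the arrival-order tie-break between requests bound for the same stage are assumptions.

```python
from collections import deque

# Stage priority follows the patent (encryption > authentication > back-end);
# ties between requesters heading for the same stage fall back to arrival
# order, which is an assumption not stated in the patent.
STAGE_PRIORITY = {"encrypt": 0, "authenticate": 1, "backend": 2}
ENC_3DES, ENC_AES, AUTH_SHA, AUTH_MD5 = 1, 2, 1, 2   # constructed selector values


class Packet:
    """Carries the control fields the arbiter reads (0 = service not required)
    plus flags recording which services have already been applied."""

    def __init__(self, pid, enc_mode=0, auth_mode=0):
        self.pid, self.enc_mode, self.auth_mode = pid, enc_mode, auth_mode
        self.encrypted = self.authenticated = False

    def next_stage(self):
        if self.enc_mode and not self.encrypted:
            return "encrypt"
        if self.auth_mode and not self.authenticated:
            return "authenticate"
        return "backend"


class BusDecision:
    """Bus decision port of a receiving module: idle, or holding one packet."""

    def __init__(self, name, stage, modes=()):
        self.name, self.stage, self.modes = name, stage, set(modes)
        self.held = None

    def idle(self):
        return self.held is None

    def accepts(self, pkt):
        if not self.idle():
            return False
        if self.stage == "backend":
            return True
        mode = pkt.enc_mode if self.stage == "encrypt" else pkt.auth_mode
        return mode in self.modes


class Arbiter:
    def __init__(self, decisions):
        self.decisions = decisions
        self.pending = deque()  # packets whose bus request port signalled "ready"
        self.log = []           # (packet id, decision port) grants, in order

    def request(self, pkt):
        self.pending.append(pkt)

    def arbitrate_once(self):
        """Grant the highest-priority request that has an idle target; None if none."""
        for pkt in sorted(self.pending, key=lambda p: STAGE_PRIORITY[p.next_stage()]):
            for dec in self.decisions:
                if dec.stage == pkt.next_stage() and dec.accepts(pkt):
                    dec.held = pkt
                    self.pending.remove(pkt)
                    self.log.append((pkt.pid, dec.name))
                    return dec
        return None


def simulate(arb, max_rounds=16):
    """Alternate arbitration with module completion until every packet reaches a back-end."""
    delivered = []
    for _ in range(max_rounds):
        while arb.arbitrate_once():
            pass
        for dec in arb.decisions:        # modules finish and hand packets back
            pkt, dec.held = dec.held, None
            if pkt is None:
                continue
            if dec.stage == "encrypt":
                pkt.encrypted = True
                arb.request(pkt)
            elif dec.stage == "authenticate":
                pkt.authenticated = True
                arb.request(pkt)
            else:
                delivered.append(pkt.pid)
        if not arb.pending:
            break
    return delivered


def run_demo():
    decisions = [BusDecision("enc_3des", "encrypt", {ENC_3DES}),
                 BusDecision("enc_aes", "encrypt", {ENC_AES}),
                 BusDecision("auth_sha", "authenticate", {AUTH_SHA}),
                 BusDecision("auth_md5", "authenticate", {AUTH_MD5}),
                 BusDecision("backend_0", "backend")]
    arb = Arbiter(decisions)
    # Requests arrive in the order C, B, A, D; stage priority reorders them.
    for pkt in (Packet("C"), Packet("B", auth_mode=AUTH_MD5),
                Packet("A", ENC_3DES, AUTH_SHA), Packet("D", ENC_3DES)):
        arb.request(pkt)
    return simulate(arb), arb.log


if __name__ == "__main__":
    delivered, log = run_demo()
    print(delivered)
    print(log)
```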

Claims (8)

1. An ESP encapsulation processing device based on a Wishbone bus, characterized in that it comprises:
a group of ESP front-end encapsulation processing modules, each ESP front-end encapsulation processing module being used to receive a packet after SA matching, parse the packet, carry out preliminary processing on it and send it in a fixed packet format to the Wishbone bus module;
a group of ESP back-end encapsulation processing modules, each ESP back-end encapsulation processing module being used to receive from the Wishbone bus module a packet that has been processed by an encryption module and/or an authentication module, modify the relevant fields in the packet so that it conforms to the IPSec packet protocol specification, and then send it in a fixed packet format to the upper-layer module;
a group of encryption modules, each used to parse a packet, encrypt the portion of the payload data that needs encryption, re-encapsulate the packet in a fixed packet format after encryption is complete and send it to the Wishbone bus module;
a group of authentication modules, each used to parse a packet, carry out authentication processing on the portion of the payload data that needs authentication, re-encapsulate the packet in a fixed packet format after authentication is complete and send it to the Wishbone bus module;
a Wishbone bus module, connected to each of the above modules, for arbitrating the direction of data flow between the modules;
wherein a group denotes at least two.
2. The ESP encapsulation processing device as claimed in claim 1, characterized in that the group of encryption modules comprises at least two 3DES encryption modules and at least two AES encryption modules, and the group of authentication modules comprises at least two HMAC-SHA authentication modules and at least two HMAC-MD5 authentication modules.
3. The ESP encapsulation processing device as claimed in claim 1, characterized in that the Wishbone bus module comprises a bus arbitration sub-module together with a group of bus request sub-modules and a group of bus decision sub-modules, each connected to the bus arbitration sub-module; the bus request sub-module is used to send to the bus arbitration sub-module the request signal to occupy the bus and send a packet, the bus decision sub-module is used to send to the bus arbitration sub-module the request signal to occupy the bus and receive a packet, and the bus arbitration sub-module is used to arbitrate the direction of packet flow between the modules; each ESP front-end encapsulation processing module is connected to the bus arbitration sub-module through one bus request sub-module, each ESP back-end encapsulation processing module is connected to the bus arbitration sub-module through one bus decision sub-module, each encryption module is connected to the bus arbitration sub-module through one bus request sub-module and one bus decision sub-module, and each authentication module is connected to the bus arbitration sub-module through one bus request sub-module and one bus decision sub-module.
4. The ESP encapsulation processing device as claimed in claim 3, characterized in that the bus arbitration sub-module arbitrates the direction of packet flow between the modules according to the priority of each module, the priority of the encryption modules, the authentication modules and the ESP back-end encapsulation processing modules decreasing in that order.
5. The ESP encapsulation processing device as claimed in any one of claims 1 to 4, characterized in that the ESP front-end encapsulation processing module comprises:
a data input buffer FIFO sub-module, for caching packets of a specific format that are input from the upper-layer module after SA matching;
a selection processing sub-module, for obtaining data from the data input buffer FIFO sub-module and obtaining and recording, from specific data fields, the length of the whole packet and the transmission mode to be used; if the field indicates that transport mode is to be used, the whole packet is sent, according to the packet length, to the transport-mode front-end encapsulation processing sub-module, and if the field indicates that tunnel mode is to be used, the whole packet is sent, according to the packet length, to the tunnel-mode front-end encapsulation processing sub-module;
a transport-mode front-end encapsulation processing sub-module, for carrying out preliminary encapsulation processing on the packet in transport mode: it obtains and records from specific data fields the encryption mode the packet needs to use, calculates from the encryption mode information the length of the padding to be added and appends the padding after the IP packet, moves the original IP header to the position after the encryption mode field and before the SPI field, and then delivers the packet to the data output buffer FIFO sub-module;
a tunnel-mode front-end encapsulation processing sub-module, for carrying out preliminary encapsulation processing on the packet in tunnel mode: it obtains and records from specific data fields the encryption mode the packet needs to use and the IP header within the IP packet, calculates from the encryption mode information the length of the padding to be added and appends the padding after the IP packet, inserts a copy of the recorded IP header after the encryption mode field and before the SPI field, and then delivers the packet to the data output buffer FIFO sub-module;
a data output buffer FIFO sub-module, for caching the packets that have been preliminarily processed by the transport-mode front-end encapsulation processing sub-module and the tunnel-mode front-end encapsulation processing sub-module.
6. The ESP encapsulation processing device as claimed in any one of claims 1 to 4, characterized in that the ESP back-end encapsulation processing module comprises:
a data input buffer FIFO sub-module, for caching the packets sent from the Wishbone bus module that have been processed by the encryption algorithm and/or the authentication algorithm;
an ESP back-end encapsulation processing sub-module, for carrying out the final processing on the packets processed by the encryption algorithm and/or the authentication algorithm: it obtains and records from specific fields the encryption mode and authentication mode the packet required, calculates from the encryption mode and authentication mode information the values of the IP header fields that need to be modified and modifies them, discards the fields that do not conform to the IPSec packet protocol specification, and sends the processed packet to the data output buffer FIFO sub-module;
a data output buffer FIFO sub-module, for caching the specification-conforming IPSec packets sent from the ESP back-end encapsulation processing sub-module after processing.
7. The ESP encapsulation processing device as claimed in any one of claims 1 to 4, characterized in that the encryption module comprises:
a data input buffer FIFO sub-module, for caching the packets sent from the Wishbone bus module;
a data parsing sub-module, for separating the payload data that needs encryption from the data that need not be encrypted and sending them to the encryption core sub-module and the non-encrypted data FIFO sub-module respectively: it obtains the encryption mode required for the packet from specific fields in the packet, calculates from the encryption mode information the key length and initialization vector length required for encryption, parses the packet accordingly, sends the key, the initialization vector and the payload data that needs encryption to the encryption core sub-module, and sends the remaining data to the non-encrypted data FIFO sub-module for caching;
a non-encrypted data buffer FIFO sub-module, for caching the data that is not encrypted, for later use by the data encapsulation sub-module during encapsulation;
an encryption core sub-module, for encrypting the payload data that needs encryption: using the key and initialization vector sent to it, it encrypts the payload data with the encryption algorithm;
a data encapsulation sub-module, for re-encapsulating the data into the IPSec packet format that conforms to the protocol specification: it first reads the data from the non-encrypted data FIFO sub-module, then reads the data from the encryption core sub-module and appends it to the tail of the preceding packet, and sends the result to the data output buffer FIFO sub-module;
a data output buffer FIFO sub-module, for caching the packets sent from the data encapsulation sub-module.
8. The ESP encapsulation processing device as claimed in any one of claims 1 to 4, characterized in that the authentication module comprises:
a data input buffer FIFO sub-module, for caching the packets sent from the Wishbone bus module;
a data parsing sub-module, for separating the payload data that needs authentication from the original packet and sending them to the authentication core sub-module and the non-authenticated data FIFO sub-module respectively: it obtains the required authentication processing mode from specific fields in the packet, calculates from the authentication processing mode information the key length required for authentication, parses the packet accordingly, sends the key and the payload data that needs authentication to the authentication core sub-module, and sends the original packet to the non-authenticated data FIFO sub-module for caching;
a non-authenticated data buffer FIFO sub-module, for caching the complete original packet received;
an authentication core sub-module, for authenticating the payload data that needs authentication: using the key sent to it, it authenticates the payload data according to the authentication algorithm, generates the authentication digest and truncates it to the required length;
a data encapsulation sub-module, for re-encapsulating the data into the IPSec packet format that conforms to the protocol specification: it first reads the complete original packet from the non-authenticated data FIFO sub-module, then appends the authentication digest generated and truncated by the authentication core sub-module to the tail of the packet, and sends the result to the data output buffer FIFO sub-module;
a data output buffer FIFO sub-module, for caching the packets sent from the data encapsulation sub-module.
CN201510253970.7A 2015-05-18 2015-05-18 ESP encapsulation process devices based on Wishbone buses Active CN104980497B (en)

Publications (2)

Publication Number Publication Date
CN104980497A (en) 2015-10-14
CN104980497B (en) 2018-02-27
