CN104980497B - ESP encapsulation processing device based on a Wishbone bus - Google Patents
Publication number: CN104980497B (application CN201510253970.7A)
Authority: CN (China)
Prior art keywords: data, module, packet, bus, encapsulation process
Legal status: Active
Classifications
- H04L (Transmission of digital information) > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/56 Provisioning of proxy services > H04L67/565 Conversion or adaptation of application format or content > H04L67/5651 Reducing the amount or size of exchanged application data
- H04L > H04L63/00 Network architectures or network communication protocols for network security > H04L63/06 Supporting key management in a packet data network > H04L63/062 Key distribution, e.g. centrally by a trusted party
- H04L > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Authentication of entities > H04L63/083 Authentication of entities using passwords
- H04L > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/56 Provisioning of proxy services > H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching
Abstract
The invention discloses an ESP encapsulation processing device based on a Wishbone bus, in the field of network-security data processing. The device comprises a group of ESP front-end encapsulation processing modules, a group of ESP back-end encapsulation processing modules, a group of encryption modules, a group of authentication modules, and a Wishbone bus module; the Wishbone bus module is connected to each of the other modules. The invention performs IPsec ESP encapsulation of network-layer IP packets in hardware and, by attaching several sets of processing modules to the Wishbone bus, raises the throughput of ESP encapsulation effectively. The invention further provides several encryption modes and several authentication modes, improving the security and practicality of the system.
Description
Technical field
The present invention relates to the field of network-security data processing, and in particular to a hardware-implemented ESP encapsulation processing device based on a Wishbone bus.
Background
With the rapid expansion of the Internet, which increasingly permeates people's lives, information can be transmitted quickly and conveniently, so the security and privacy of that information have become critically important. Network information security bears on national security and sovereignty, social stability, and the preservation and development of national culture. Today's Internet communication is built mainly on the IP protocol, but an IP packet includes no security features of its own: an attacker can easily spoof the source or destination address of a packet, modify its contents, or replay it. The IPsec protocol suite, established by the IETF (Internet Engineering Task Force), defines the security services used at the network layer; its functions include data encryption, access control for network elements, data-origin authentication, data-integrity checking and replay protection, and it can effectively secure transmitted information. The IPsec Encapsulating Security Payload (ESP) protocol is one of the principal protocols in an IPsec implementation and is designed to provide security services in both IPv4 and IPv6 environments. ESP provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service and limited traffic-flow confidentiality. ESP involves a large amount of compute-intensive work such as encryption, decryption and message authentication. As network bandwidth keeps growing, the processing speed of protocol implementations originally written in software struggles to keep up with the data rate, and the processing consumes substantial resources, markedly reducing the performance of critical network devices such as servers, gateways, routers and switches. There is therefore an urgent need to implement this protocol in hardware so as to provide high-speed, secure support for network information transmission.
In view of this, and of the problems present in current ESP protocol processing, the single-channel method of processing ESP data needs to be improved so as to raise the speed of encapsulation processing effectively and free up more resources.
Summary of the invention
The technical problem to be solved by the invention is to overcome the shortcomings of the prior art by providing an ESP encapsulation processing device based on a Wishbone bus, which changes the existing ESP encapsulation processing speed, raising the speed of data encapsulation effectively and freeing up more resources.
The invention solves the above technical problem with the following technical scheme.
An ESP encapsulation processing device based on a Wishbone bus, comprising:
a group of ESP front-end encapsulation processing modules, each of which receives a packet that has already been matched to a security association (SA), parses the packet, performs preliminary processing on it, and sends it in a defined packet format to the Wishbone bus module;
a group of ESP back-end encapsulation processing modules, each of which receives from the Wishbone bus module a packet that has been processed by the encryption module and/or the authentication module, modifies the relevant fields of the packet so that it conforms to the IPsec packet protocol specification, and then sends it in a defined packet format to the upper-layer module;
a group of encryption modules, each of which parses a packet, encrypts the portion of the payload that requires encryption, re-encapsulates the packet in a defined packet format once encryption is complete, and sends it to the Wishbone bus module;
a group of authentication modules, each of which parses a packet, computes authentication over the portion of the payload that requires authentication, re-encapsulates the packet in a defined packet format once authentication is complete, and sends it to the Wishbone bus module;
a Wishbone bus module, connected to each of the above modules, which arbitrates the flow of data between the modules;
where "a group" means at least two.
Preferably, the Wishbone bus module comprises a bus arbiter submodule together with a group of bus request submodules and a group of bus decision submodules, each connected to the bus arbiter submodule. A bus request submodule sends the bus arbiter submodule a request to occupy the bus in order to transmit a packet; a bus decision submodule sends the bus arbiter submodule a request to occupy the bus in order to receive a packet; the bus arbiter submodule arbitrates the flow of packets between the modules. Each ESP front-end encapsulation processing module is connected to the bus arbiter submodule through one bus request submodule; each ESP back-end encapsulation processing module is connected to it through one bus decision submodule; each encryption module and each authentication module is connected to it through one bus request submodule and one bus decision submodule.
Further, the bus arbiter submodule arbitrates the flow of packets between the modules according to the priority of each module, the priority decreasing in the order encryption module, authentication module, ESP back-end encapsulation processing module.
Preferably, the ESP front-end encapsulation processing module comprises:
a data input buffer FIFO submodule, which caches packets in a specific format input from the upper-layer module after SA matching;
a selection processing submodule, which reads packets from the data input buffer FIFO submodule, obtains and records from specific data fields the length of the whole packet and the transmission mode to be used, and, according to the packet length, forwards the whole packet to the transport-mode front-end encapsulation processing submodule if the field indicates transport mode, or to the tunnel-mode front-end encapsulation processing submodule if the field indicates tunnel mode;
a transport-mode front-end encapsulation processing submodule, which performs preliminary encapsulation of a packet in transport mode: it obtains and records from a specific data field the encryption mode the packet requires, computes from that information the length of padding to add, appends the padding at the tail of the IP packet, moves the original IP header to the position after the encryption-mode field and before the SPI field, and then delivers the packet to the data output buffer FIFO submodule;
a tunnel-mode front-end encapsulation processing submodule, which performs preliminary encapsulation of a packet in tunnel mode: it obtains and records from specific data fields the encryption mode the packet requires and the IP header of the IP packet, computes from the encryption-mode information the length of padding to add, appends the padding at the tail of the IP packet, inserts a copy of the recorded IP header after the encryption-mode field and before the SPI field, and then delivers the packet to the data output buffer FIFO submodule;
a data output buffer FIFO submodule, which caches the packets that have completed preliminary processing in the transport-mode and tunnel-mode front-end encapsulation processing submodules.
Preferably, the ESP back-end encapsulation processing module comprises:
a data input buffer FIFO submodule, which caches packets sent from the Wishbone bus module after encryption-algorithm and/or authentication-algorithm processing has completed;
an ESP back-end encapsulation processing submodule, which performs the final processing on packets for which encryption-algorithm and/or authentication-algorithm processing has completed: it obtains and records from specific fields the encryption mode and authentication mode the packet used, computes from that information the new values of the IP header fields that must change and modifies them, discards the fields that do not belong to the IPsec packet protocol specification, such as the start field, the trailer field and the encryption-mode and authentication-mode selection fields, and sends the processed packet to the data output buffer FIFO submodule;
a data output buffer FIFO submodule, which caches the specification-conformant IPsec packets produced by the ESP back-end encapsulation processing submodule.
Preferably, the encryption module comprises:
a data input buffer FIFO submodule, which caches packets sent from the Wishbone bus module;
a data parsing submodule, which separates the payload data that must be encrypted from the data that must not be encrypted and sends them to the encryption core submodule and the unencrypted-data FIFO submodule respectively: it obtains from specific fields in the packet the encryption mode the packet requires, derives from that information the key length and initialization-vector length needed for encryption, parses the packet accordingly, sends the key, the initialization vector and the payload data to be encrypted to the encryption core submodule, and sends the remaining data to the unencrypted-data FIFO submodule for caching;
an unencrypted-data buffer FIFO submodule, which caches the data that is not encrypted for later use by the data encapsulation submodule;
an encryption core submodule, which encrypts the payload data that requires encryption with the encryption algorithm, using the key and initialization vector sent to it;
a data encapsulation submodule, which re-encapsulates the data into the packet format of the IPsec protocol specification: it first reads the data from the unencrypted-data FIFO submodule, then reads the data from the encryption core submodule and splices it onto the tail of the preceding data, and sends the result to the data output buffer FIFO submodule;
a data output buffer FIFO submodule, which caches packets sent from the data encapsulation submodule.
Preferably, the authentication module comprises:
a data input buffer FIFO submodule, which caches packets sent from the Wishbone bus module;
a data parsing submodule, which sends the payload data that requires authentication and the original packet separately to the authentication core submodule and the unauthenticated-data FIFO submodule: it obtains from specific fields in the packet the authentication processing mode the packet requires, derives from that information the key length needed for authentication, parses the packet accordingly, sends the key and the payload data to be authenticated to the authentication core submodule, and sends the original packet to the unauthenticated-data FIFO submodule for caching;
an unauthenticated-data buffer FIFO submodule, which caches the complete original packet received;
an authentication core submodule, which authenticates the payload data that requires authentication with the authentication algorithm, using the key sent to it, and generates an authentication digest truncated to the required length;
a data encapsulation submodule, which re-encapsulates the data into the packet format of the IPsec protocol specification: it first reads the complete original packet from the unauthenticated-data FIFO submodule, then splices the truncated authentication digest generated by the authentication core submodule onto the tail of the packet, and sends the result to the data output buffer FIFO submodule;
a data output buffer FIFO submodule, which caches packets sent from the data encapsulation submodule.
Compared with the prior art, the invention has the following advantages:
The invention performs IPsec ESP encapsulation of network-layer IP packets in hardware and, by attaching several sets of processing modules to the Wishbone bus, raises the throughput of ESP encapsulation effectively. The invention further provides several encryption modes and several authentication modes, improving the security and practicality of the system.
Brief description of the drawings
Fig. 1 is a schematic diagram of the basic architecture of a preferred embodiment of the ESP encapsulation processing device of the invention;
Fig. 2 is a schematic diagram of a preferred embodiment of the ESP front-end encapsulation processing module in the preferred embodiment;
Fig. 3 is a schematic diagram of a preferred embodiment of the ESP back-end encapsulation processing module in the preferred embodiment;
Fig. 4 is a schematic diagram of a preferred embodiment of the 3DES encryption module in the preferred embodiment;
Fig. 5 is a schematic diagram of a preferred embodiment of the AES encryption module in the preferred embodiment;
Fig. 6 is a schematic diagram of a preferred embodiment of the HMAC-SHA authentication module in the preferred embodiment;
Fig. 7 is a schematic diagram of a preferred embodiment of the HMAC-MD5 authentication module in the preferred embodiment;
Fig. 8 is a schematic diagram of a preferred embodiment of the Wishbone bus module in the preferred embodiment.
Detailed description
The technical scheme of the invention is described in detail below with reference to the drawings.
To address the low processing efficiency and high resource usage of the prior art when performing ESP encapsulation, the invention proposes an encapsulation processing device implemented entirely in hardware which, by attaching several sets of processing modules to the Wishbone bus, greatly increases the speed of ESP encapsulation processing.
Fig. 1 shows a preferred embodiment of the ESP encapsulation processing device of the invention, implemented on an FPGA. As shown in Fig. 1, the device comprises a group of ESP front-end encapsulation processing modules, a group of ESP back-end encapsulation processing modules, a group of 3DES encryption modules, a group of AES encryption modules, a group of HMAC-SHA authentication modules, a group of HMAC-MD5 authentication modules, and a Wishbone bus module; the Wishbone bus module is connected to each of the other modules. The functions of the modules in the system are as follows.
ESP front-end encapsulation processing module: receives, through its internal data-receive buffer module, packets from the upper layer that have completed SA matching; determines from specific fields in the packet whether the packet is to be sent in transport mode or tunnel mode and performs different preliminary processing on the IP header fields of the IP packet accordingly; determines from specific fields the encryption mode the packet requires and appends padding of the corresponding length to the tail of the IP packet; then sends the packet to the internal data-send buffer module, ready to enter the Wishbone bus module.
ESP back-end encapsulation processing module: receives, through its internal data-receive buffer module, packets from the Wishbone bus module, all of which have completed encryption and/or authentication processing; obtains from specific fields the encryption mode and authentication processing mode the packet used, computes from that information the new values of the IP header fields that must change and modifies them, and discards the fields that do not belong to the IPsec packet protocol specification, such as the start field, the trailer field and the encryption-mode and authentication-mode selection fields; then sends the processed packet to the data output buffer module.
3DES encryption module: receives, through its internal data-receive buffer module, packets from the Wishbone bus module; obtains from specific fields in the packet the encryption mode the payload requires, derives from that information the key length and initialization-vector length needed for encryption, and parses the packet accordingly; sends the key, the initialization vector and the payload data to be encrypted to the 3DES encryption core module, and the remaining data to the unencrypted-data buffer for caching. The internal encapsulation module reads the data in order: first the data in the unencrypted-data buffer, then the encrypted payload from the encryption core module, which it splices onto the tail of the unencrypted data; the packet is then sent to the internal data-send buffer module.
AES encryption module: receives, through its internal data-receive buffer module, packets from the Wishbone bus module; obtains from specific fields in the packet the encryption mode the payload requires, derives from that information the key length and initialization-vector length needed for encryption, and parses the packet accordingly; sends the key, the initialization vector and the payload data to be encrypted to the AES encryption core module, and the remaining data to the unencrypted-data buffer for caching. The internal encapsulation module reads the data in order: first the data in the unencrypted-data buffer, then the encrypted payload from the encryption core module, which it splices onto the tail of the unencrypted data; the packet is then sent to the internal data-send buffer module.
HMAC-SHA authentication module: receives, through its internal data-receive buffer module, packets from the Wishbone bus module; obtains from specific fields in the packet the authentication processing mode the payload requires, derives from that information the key length needed for authentication, and parses the packet accordingly; sends the key and the payload data to be authenticated to the HMAC-SHA authentication core module, and the complete original packet to the unauthenticated-data buffer module for caching. The internal encapsulation module reads the data in order: first the complete original packet in the unauthenticated-data buffer, then the authentication digest from the authentication core module, which it splices onto the tail of the complete original packet; the packet is then sent to the internal data-send buffer module.
HMAC-MD5 authentication module: receives, through its internal data-receive buffer module, packets from the Wishbone bus module; obtains from specific fields in the packet the authentication processing mode the payload requires, derives from that information the key length needed for authentication, and parses the packet accordingly; sends the key and the payload data to be authenticated to the HMAC-MD5 authentication core module, and the complete original packet to the unauthenticated-data buffer module for caching. The internal encapsulation module reads the data in order: first the complete original packet in the unauthenticated-data buffer, then the authentication digest from the authentication core module, which it splices onto the tail of the complete original packet; the packet is then sent to the internal data-send buffer module.
Wishbone bus module: when a packet enters the Wishbone bus module, the bus module determines from specific fields in the packet all the processing services the packet requires and forwards the packet to the respective modules in priority order: the 3DES and AES encryption modules have higher priority than the HMAC-SHA and HMAC-MD5 authentication modules, which in turn have higher priority than the ESP back-end encapsulation processing module. For example, if a packet needs no encryption service, then once it has completed preliminary processing in the ESP front-end encapsulation processing module and entered the Wishbone bus module, the bus module sends it to the designated HMAC-SHA or HMAC-MD5 authentication module; after authentication processing the authentication module sends it back to the Wishbone bus module, which, according to priority, sends it to the ESP back-end encapsulation processing module for final processing, after which a packet conforming to the IPsec packet protocol specification is sent to the upper-layer module.
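A software model of this routing rule, as an added example (not the patent's bus or arbiter logic): each packet carries the list of services it still needs, the arbiter grants the bus each cycle to the packet whose next hop has the highest priority, and a check confirms that for every packet the cipher stage precedes authentication and the back-end comes last, which is the ordering an encrypt-then-MAC pipeline depends on. The module names, the `Packet` class, the one-grant-per-cycle model and the three-packet workload are assumptions of the example.

```python
"""Fixed-priority arbiter for the ESP pipeline on a shared bus: a software model
of the routing rule in the text above (added example, not the patent's RTL).
Assumed: one grant per cycle, and a per-packet list of services still required
that the front-end would have written into the packet's control fields."""
from collections import deque

# Destination priority as the patent orders it: cipher modules, then the HMAC
# modules, then the back-end.
PRIORITY = {"3des": 0, "aes": 0, "hmac-sha": 1, "hmac-md5": 1, "backend": 2}
STAGE = {"3des": "cipher", "aes": "cipher", "hmac-sha": "auth",
         "hmac-md5": "auth", "backend": "backend"}
STAGE_ORDER = ("cipher", "auth", "backend")      # encrypt-then-MAC, back-end last


class Packet:
    def __init__(self, name, cipher=None, auth=None):
        self.name = name
        # Hops still owed, in the order the SA demands; every packet ends at the back-end.
        self.route = [m for m in (cipher, auth) if m] + ["backend"]
        self.log = []                                 # modules visited, in order


def arbitrate(pending):
    """Grant the bus to the packet whose next hop has the highest priority;
    min() keeps the first of equals, so ties fall back to arrival order."""
    return min(pending, key=lambda p: PRIORITY[p.route[0]])


def run_bus(packets):
    """Cycle model: every pending packet requests the bus for its next hop, the
    arbiter grants one, the packet visits that module and re-enters the queue
    until the back-end consumes it. Returns the grant sequence."""
    pending, grants = deque(packets), []
    while pending:
        p = arbitrate(pending)
        pending.remove(p)
        hop = p.route.pop(0)
        p.log.append(hop)
        grants.append((p.name, hop))
        if hop != "backend":
            pending.append(p)                         # back to the bus for its next service
    return grants


def order_respected(p):
    """Invariant worth checking on the real design: for any packet the cipher
    stage precedes authentication, and the back-end is visited exactly once, last."""
    stages = [STAGE[h] for h in p.log]
    return (stages == sorted(stages, key=STAGE_ORDER.index)
            and stages.count("backend") == 1 and stages[-1] == "backend")


# Constructed workload: three packets arriving in the same cycle.
WORKLOAD = [Packet("A", cipher="aes", auth="hmac-sha"),
            Packet("B", auth="hmac-md5"),             # auth only, the patent's own example
            Packet("C")]                              # neither: straight to the back-end

if __name__ == "__main__":
    for name, hop in run_bus(WORKLOAD):
        print(f"{name} -> {hop}")
```

With the three packets above the grant sequence is A to the AES module, B to HMAC-MD5, A to HMAC-SHA, then C, B and A to the back-end: the cipher hop wins the first cycle, the two authentication hops are served before any back-end hop, and a packet never reaches the back-end with a service still owed.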
Fig. 2 shows the structure and principle of a preferred embodiment of the ESP front-end encapsulation processing module. As shown in Fig. 2, the ESP front-end encapsulation processing module comprises an input data buffer FIFO module, a selection processing module, a transport-mode processing module, a tunnel-mode processing module and a data output buffer FIFO module.
The input data buffer FIFO module caches packets in a specific format input from the upper-layer module after SA matching has completed.
The selection processing module reads packets from the input data buffer FIFO, obtains from specific fields in the packet the length of the whole packet and the transmission mode to be used, and, according to the packet length, sends the whole packet to the transport-mode front-end encapsulation processing module if the field indicates transport mode, or to the tunnel-mode front-end encapsulation processing module if the field indicates tunnel mode.
The transport-mode front-end encapsulation processing module performs preliminary encapsulation of packets transmitted in transport mode: it obtains from specific fields the encryption mode the packet requires, computes from that information the length of padding to add and appends it at the tail of the IP packet, moves the original IP header of the IP packet to the position after the encryption-mode field and before the SPI field, and then delivers the packet to the data output buffer FIFO module.
The tunnel-mode front-end encapsulation processing module performs preliminary encapsulation of packets transmitted in tunnel mode: it obtains from specific fields the encryption mode the packet requires and the IP header of the IP packet, computes from the encryption-mode information the length of padding to add and appends it at the tail of the IP packet, inserts a copy of the recorded IP header after the encryption-mode field and before the SPI field, and then delivers the packet to the output buffer FIFO module.
The data output buffer FIFO module caches the packets that have completed preliminary processing, sent over from the transport-mode and tunnel-mode front-end encapsulation processing modules, and then sends them to the Wishbone bus module.
The specific data processing procedure of the above ESP front-end encapsulation processing module is as follows. A packet sent from the upper-layer SA module is cached in the input data buffer FIFO module. The selection processing module reads the packet from the input data buffer FIFO module, determines from specific fields whether the packet is to be transmitted in transport mode or tunnel mode, and sends it to the transport-mode front-end encapsulation processing module in the former case or to the tunnel-mode front-end encapsulation processing module in the latter. The transport-mode front-end encapsulation processing module extracts the IP header of the IP packet and moves it to the position after the specific field that carries the encryption mode and before the SPI field; at the same time it obtains from specific fields the encryption mode the packet requires, computes from that information the length of padding to add, appends the padding at the tail of the IP packet, adds the padding-information field after the padding field, and delivers the packet to the data output buffer FIFO module. The tunnel-mode front-end encapsulation processing module extracts the IP header of the IP packet while retaining the original IP header in the packet, moves the extracted IP header to the position after the specific field that carries the encryption mode and before the SPI field, likewise obtains from specific fields the encryption mode the packet requires, computes from the encryption mode the length of padding to add, appends the padding at the tail of the IP packet, adds the padding-information field after the padding field, and delivers the packet to the output buffer FIFO module.
Fig. 3 shows the structure and principle of a preferred embodiment of the ESP back-end encapsulation processing module. As shown in Fig. 3, the ESP back-end encapsulation processing module comprises an input data buffer FIFO module, an ESP back-end encapsulation processing submodule and an output data buffer FIFO module. The input data buffer FIFO module caches packets sent from the Wishbone bus module for which encryption-algorithm and/or authentication-algorithm processing has completed. The ESP back-end encapsulation processing submodule performs the final processing on such packets: it modifies the relevant fields of the IP header according to specific fields in the packet, discards the fields that do not belong to the IPsec packet protocol specification, and sends the processed packet in a defined packet format to the data output buffer FIFO module. The data output buffer FIFO module caches the specification-conformant IPsec packets processed by the ESP back-end encapsulation processing submodule for the upper-layer module to read.
The specific working process of the above ESP back-end encapsulation processing module is as follows. The input data buffer FIFO module receives and caches packets sent from the Wishbone bus module that have completed encryption and/or authentication processing. The ESP back-end encapsulation processing submodule reads a packet from the input data buffer FIFO module, obtains from specific fields the encryption and authentication processing modes the packet required and its transmission mode, and modifies the outermost IP header of the packet according to that information: for a packet in IPv4 format the fields to be modified are the total length, the protocol and the header checksum; for a packet in IPv6 format they are the payload length and the next header. At the same time it discards the fields that do not belong to the IPsec packet protocol specification, such as the start field, the trailer field and the encryption-mode, authentication-mode and transmission-mode selection fields. The modified IPsec packet is sent to the data output buffer FIFO module for the upper-layer module to read.
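The front-end, cipher, authentication and back-end steps described above (padding sized by the cipher block, ESP header and trailer placement for transport and tunnel mode, an HMAC over the ciphertext truncated to the ICV length, and the IPv4 total-length/protocol/checksum or IPv6 payload-length/next-header fix-up) are shown below as one software model. This is example code written for this page, not the patent's hardware or its intermediate packet format: it builds the RFC 4303 wire layout directly rather than the patent's internal format in which the IP header sits after the encryption-mode field and before the SPI. Assumed and not from the patent: ESP-NULL as the runnable cipher (the 3DES and AES block sizes are used only for the padding arithmetic, and a real cipher plugs in through the `encrypt` argument), 96-bit HMAC truncation, the `SecurityAssociation` tuple, the constructed sample packet, and all function names.

```python
"""ESP encapsulation pipeline modelled in software: front-end (mode selection,
padding, header placement), cipher stage, HMAC stage and back-end (outer IP
header fix-up). Added example; not the patent's RTL."""
import hashlib
import hmac
import struct
from collections import namedtuple

ESP_PROTO, IPIP_PROTO, IPV6IP_PROTO = 50, 4, 41
ESP_HDR_LEN = 8    # SPI (4 bytes) + sequence number (4 bytes)
ICV_LEN = 12       # HMAC-SHA1-96 / HMAC-MD5-96 truncation (assumed, RFC 2404/2403)
# The cipher block size decides how much padding the front-end appends: Pad Length
# and Next Header must end on a block boundary (4-byte alignment for ESP-NULL).
BLOCK_SIZE = {"null": 4, "3des": 8, "aes": 16}
AUTH_HASH = {"hmac-sha1": hashlib.sha1, "hmac-md5": hashlib.md5}
# Result of "SA matching" that the front-end receives with every packet (assumed shape).
SecurityAssociation = namedtuple(
    "SecurityAssociation", "spi seq mode cipher auth auth_key enc_key", defaults=(b"",))

def null_cipher(key: bytes, data: bytes) -> bytes:
    """ESP-NULL (RFC 2410) so the block runs offline on the standard library;
    a real deployment plugs in AES-CBC or 3DES-CBC with the same signature."""
    return data

def esp_pad_len(plaintext_len: int, block: int) -> int:
    return (-(plaintext_len + 2)) % block   # +2: the Pad Length and Next Header bytes

def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def split_ip(packet: bytes):
    """(header, payload, protocol/next-header) for an IPv4 or IPv6 packet."""
    if packet[0] >> 4 == 6:
        return packet[:40], packet[40:], packet[6]
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl], packet[ihl:], packet[9]

def fix_outer_header(header: bytes, body_len: int, next_hdr: int) -> bytes:
    """Back-end step: IPv4 needs total length, protocol and checksum rewritten;
    IPv6 needs payload length and next header."""
    hdr = bytearray(header)
    if hdr[0] >> 4 == 6:
        struct.pack_into("!HB", hdr, 4, body_len, next_hdr)
        return bytes(hdr)
    struct.pack_into("!H", hdr, 2, len(hdr) + body_len)
    hdr[9] = next_hdr
    struct.pack_into("!H", hdr, 10, 0)                         # zero before recomputing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

def icv(sa, data: bytes) -> bytes:
    """HMAC stage: digest over SPI..trailer (ciphertext), truncated to ICV_LEN."""
    return hmac.new(sa.auth_key, data, AUTH_HASH[sa.auth]).digest()[:ICV_LEN]

def esp_encapsulate(sa, packet: bytes, encrypt=null_cipher) -> bytes:
    header, payload, proto = split_ip(packet)
    if sa.mode == "tunnel":          # whole packet is protected; the outer header is
        plaintext = packet           # a copy of the inner one, as in the patent
        next_hdr = IPV6IP_PROTO if packet[0] >> 4 == 6 else IPIP_PROTO
    else:                            # transport: only the payload is protected
        plaintext, next_hdr = payload, proto
    pad_len = esp_pad_len(len(plaintext), BLOCK_SIZE[sa.cipher])
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    body = struct.pack("!II", sa.spi, sa.seq) + encrypt(sa.enc_key, plaintext + trailer)
    body += icv(sa, body)            # encrypt-then-MAC; the outer IP header is not covered
    return fix_outer_header(header, len(body), ESP_PROTO) + body

def esp_icv_valid(sa, packet: bytes) -> bool:
    _, body, proto = split_ip(packet)
    if proto != ESP_PROTO or len(body) < ESP_HDR_LEN + ICV_LEN:
        return False
    return hmac.compare_digest(icv(sa, body[:-ICV_LEN]), body[-ICV_LEN:])

def esp_decapsulate(sa, packet: bytes, decrypt=null_cipher) -> bytes:
    """Receiver side, used to prove the round trip: verify the ICV before
    touching the ciphertext, then strip the trailer and restore the header."""
    if not esp_icv_valid(sa, packet):
        raise ValueError("ICV mismatch or not an ESP packet")
    header, body, _ = split_ip(packet)
    if struct.unpack("!II", body[:ESP_HDR_LEN])[0] != sa.spi:
        raise ValueError("unknown SPI")
    plain = decrypt(sa.enc_key, body[ESP_HDR_LEN:-ICV_LEN])
    pad_len, next_hdr = plain[-2], plain[-1]
    inner = plain[: len(plain) - 2 - pad_len]
    if next_hdr in (IPIP_PROTO, IPV6IP_PROTO):
        return inner                                           # tunnel: inner packet as is
    return fix_outer_header(header, len(inner), next_hdr) + inner

def make_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                1, 0, 64, proto, 0, src, dst))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload

# Constructed sample input: a 20-byte UDP datagram between two private hosts.
SAMPLE = make_ipv4(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 17,
                   struct.pack("!HHHH", 53, 53, 20, 0) + b"query-record")
SA_TRANSPORT = SecurityAssociation(0x1001, 1, "transport", "aes", "hmac-sha1", b"k" * 20)
SA_TUNNEL = SecurityAssociation(0x1002, 7, "tunnel", "3des", "hmac-md5", b"m" * 16)
```

Three points a reviewer of the hardware would check against this model: the ICV is computed over the SPI, sequence number and ciphertext only, so the receiver must verify it with a constant-time compare before any decryption and must not let the outer IP header into the digest; the back-end's checksum rewrite has to zero the checksum field before recomputing it, otherwise the old value is folded into the new one; and HMAC-MD5 and HMAC-SHA1, which are what the patent's authentication modules implement, are legacy choices that current IPsec profiles replace with HMAC-SHA2 or an AEAD such as AES-GCM.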
Fig. 4 shows the structure and principle of a preferred embodiment of the 3DES encryption module. As shown in Fig. 4, the 3DES encryption module comprises an input data buffer FIFO module, a data parsing module, an unencrypted-data buffer module, a 3DES encryption core module, a data encapsulation module and a data output buffer FIFO module.
The data input buffer FIFO module caches packets sent from the Wishbone bus module that have completed preliminary processing in the ESP front-end encapsulation processing module.
The data parsing module separates the payload data that must be encrypted from the data that must not be encrypted and sends them to the 3DES encryption core module and the unencrypted-data buffer module respectively: it parses the packet according to specific fields in the packet, sends the payload data to be encrypted to the 3DES encryption core module, and sends the remaining data to the unencrypted-data buffer module for caching.
The unencrypted-data buffer module caches the data that is not encrypted for later use by the data encapsulation module.
The 3DES encryption core module encrypts the payload data that requires encryption with the 3DES algorithm.
The data encapsulation module re-encapsulates the data in a specific data format: it first reads the data from the unencrypted-data buffer module, then reads the encrypted payload from the 3DES encryption core module and splices it onto the tail of the unencrypted data, and sends the result to the data output buffer FIFO module.
The data output buffer FIFO module caches packets sent from the data encapsulation module and then sends them to the Wishbone bus module.
The specific workflow of the above 3DES encryption module is as follows: the input data buffer FIFO module receives the packets sent over from the Wishbone bus module that have completed preliminary processing by the ESP front-end encapsulation processing module, and caches them in the module; the data parsing submodule reads a packet from the input data buffer FIFO module, obtains from specific fields in the packet the encryption mode required for the packet (here the key length used in 3DES cipher mode is fixed at 192 bits), calculates from this information the key and initialization vector lengths required for encryption, parses the packet accordingly, sends the field data preceding the key and initialization vector fields to the non-encrypted data buffer FIFO module for caching, and sends the key and initialization vector fields together with the payload data to the 3DES encryption core module for encryption; the 3DES encryption core module obtains from the specific fields in the packet the key and initialization vector lengths used for encryption, extracts the key and initialization vector accordingly, and encrypts the payload data by the 3DES algorithm using that key and initialization vector; the data encapsulation module first reads the non-encrypted data from the non-encrypted data buffer FIFO module, then reads the encrypted payload data from the 3DES encryption core module and splices it onto the tail of the non-encrypted packet, and sends the result to the data output buffer FIFO module; the data output buffer FIFO module caches the processed packet and waits to send it to the Wishbone bus module.
Fig. 5 shows the structure and principle of a preferred embodiment of the AES encryption module. Its structure is similar to that of the 3DES encryption module and likewise includes: an input data buffer FIFO module, a data parsing module, a non-encrypted data buffer module, a data encapsulation module and a data output buffer FIFO module; only the encryption core module is an AES encryption core module using the AES encryption algorithm. The basic workflow of the AES encryption module is as follows: the input data buffer FIFO module receives the packets sent over from the Wishbone bus module that have completed preliminary processing by the ESP front-end encapsulation processing module, and caches them in the module; the data parsing module reads a packet from the input data buffer FIFO module, obtains from specific fields in the packet the encryption mode required for the packet (128, 192 or 256 bits), calculates from this information the key length and initialization vector length required for encryption, parses the packet accordingly, sends the field data preceding the key and initialization vector fields to the non-encrypted data buffer FIFO module for caching, and sends the key and initialization vector fields together with the payload data to the AES encryption core module for encryption; the AES encryption core module obtains from the specific fields in the packet the key length and initialization vector length used for encryption, extracts the key and initialization vector accordingly, and encrypts the payload data by the AES algorithm using that key and initialization vector; the data encapsulation module first reads the non-encrypted data from the non-encrypted data buffer FIFO module, then reads the encrypted payload data from the AES encryption core module and splices it onto the tail of the non-encrypted packet, and sends the result to the data output buffer FIFO module; the data output buffer FIFO module then caches the processed packet and waits to send it to the Wishbone bus module.
Two groups of different encryption modules (3DES and AES) are used simultaneously in this embodiment; in practice, other existing or future encryption algorithm modules can also be substituted or added according to actual needs.
Fig. 6 shows the structure and principle of a preferred embodiment of the HMAC-SHA authentication module. As shown in Fig. 6, the HMAC-SHA authentication module includes: an input data buffer FIFO module, a data parsing module, a non-authenticated data buffer module, a SHA authentication core module, a data encapsulation module and a data output buffer FIFO module.
The input data buffer FIFO module is used to cache the packets sent over from the Wishbone bus module, which are either packets whose encryption by the 3DES encryption module or AES encryption module is complete, or packets that have directly completed preliminary processing by the ESP front-end encapsulation processing module.
The data parsing module is used to send, according to specific fields in the packet, the payload data that needs authentication to the SHA authentication core module for authentication processing, and to send the complete original packet to the non-authenticated data buffer module for caching.
The non-authenticated data buffer module is used to cache the complete original packet received.
The SHA authentication core module is used to authenticate the payload data that needs authentication by the HMAC-SHA algorithm, and to truncate the digest generated by authentication to a specific length as required.
The data encapsulation module is used to re-encapsulate the data into a specific format: it first reads the complete packet from the non-authenticated data buffer module, then reads the authentication digest from the SHA authentication core module and splices it onto the tail of the packet, and sends the result to the data output buffer FIFO module.
The data output buffer FIFO module is used to cache the packets sent over from the data encapsulation module, which are then sent to the Wishbone bus module.
The basic workflow of the above HMAC-SHA authentication module is as follows: the input data buffer FIFO module receives from the Wishbone bus module the packets whose encryption by the 3DES encryption module or AES encryption module is complete, or the packets that have directly completed preliminary processing by the ESP front-end encapsulation processing module, and caches the packets in the module; the data parsing module reads a packet from the input data buffer FIFO module, obtains from specific fields in the packet the authentication processing mode required for the packet, calculates from this information the key length required for authentication, parses the packet accordingly, stores the whole packet and sends it to the non-authenticated data buffer, and at the same time sends the authentication key field together with the payload portion following the outermost IP header field to the SHA authentication core module for authentication processing; the SHA authentication core module obtains from the specific fields in the packet the key length used for authentication, extracts the key accordingly, authenticates the payload data by the HMAC-SHA algorithm using that key, and truncates the generated authentication digest as required; the data encapsulation module first reads the complete original packet from the non-authenticated data buffer module, then reads the authentication digest from the SHA authentication core module and splices it onto the tail of the original packet, and sends the result to the data output buffer FIFO module; the data output buffer FIFO module then caches the packet and waits to send it to the Wishbone bus module.
Fig. 7 shows the structure and principle of a preferred embodiment of the HMAC-MD5 authentication module. As shown in Fig. 7, its basic structure and principle are similar to those of the HMAC-SHA authentication module, and it likewise includes an input data buffer FIFO module, a data parsing module, a non-authenticated data buffer module, a data encapsulation module and a data output buffer FIFO module; only the authentication core module is an MD5 authentication core module using the HMAC-MD5 authentication algorithm. The basic workflow of the HMAC-MD5 authentication module is as follows: the input data buffer FIFO module receives from the Wishbone bus module the packets whose encryption by the 3DES encryption module or AES encryption module is complete, or the packets that have directly completed preliminary processing by the ESP front-end encapsulation processing module, and caches the packets in the module; the data parsing module reads a packet from the input data buffer FIFO module, obtains from specific fields in the packet the authentication processing mode required for the packet, calculates from this information the key length required for authentication, parses the packet accordingly, stores the whole packet and sends it to the non-authenticated data buffer, and at the same time sends the authentication key field together with the payload data following the outermost IP header field to the MD5 authentication core module for authentication processing; the MD5 authentication core module obtains from the specific fields in the packet the key length used for authentication, extracts the key accordingly, authenticates the payload data by the HMAC-MD5 authentication algorithm using that key, and truncates the generated authentication digest as required; the data encapsulation module first reads the complete original packet from the non-authenticated data buffer module, then reads the authentication digest from the MD5 authentication core module and splices it onto the tail of the original packet, and sends the result to the data output buffer FIFO module; the data output buffer FIFO module then caches the packet and waits to send it to the Wishbone bus module.
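As an added illustration serving both the HMAC-SHA and HMAC-MD5 workflows above (not code from the patent), a Python model of the authentication module: it reads the mode field, extracts a key of the mode-dependent length, computes the HMAC over only the portion following the outermost IP header, and appends the truncated digest. The mode table, key-field layout and truncation lengths are assumptions; the last check shows that a change to the outer IP header itself is not detected, since that header is outside the authenticated portion.

```python
import hmac

# Assumed authentication-mode table, constructed for this illustration. The patent only says
# that the key length and the truncation length of the digest follow from the mode field.
#   mode -> (hash name, key length in bytes, truncated digest length in bytes)
AUTH_MODES = {
    1: ("sha1", 20, 12),     # HMAC-SHA1 with 96-bit truncation
    2: ("sha256", 32, 16),   # HMAC-SHA-256 with 128-bit truncation
    3: ("md5", 16, 12),      # HMAC-MD5 with 96-bit truncation (the HMAC-MD5 module)
}


def outer_ip_header_len(ip: bytes) -> int:
    """Length of the outermost IP header; only what follows it is authenticated."""
    version = ip[0] >> 4
    if version == 4:
        return (ip[0] & 0x0F) * 4
    if version == 6:
        return 40
    raise ValueError("outermost header is not IPv4 or IPv6")


def parse_auth_packet(pkt: bytes):
    """Data parsing module: split the packet into (mode, authentication key, original packet).
    Assumed layout: one mode byte, then the key field, then the complete original packet."""
    mode = pkt[0]
    if mode not in AUTH_MODES:
        raise ValueError("unknown authentication mode %d" % mode)
    _, key_len, _ = AUTH_MODES[mode]
    key = pkt[1:1 + key_len]
    if len(key) != key_len:
        raise ValueError("truncated key field")
    return mode, key, pkt[1 + key_len:]


def authenticate_packet(pkt: bytes) -> bytes:
    """Authentication core plus data encapsulation: HMAC over the part after the outer IP
    header, truncated as the mode requires, spliced onto the tail of the original packet."""
    mode, key, original = parse_auth_packet(pkt)
    hash_name, _, icv_len = AUTH_MODES[mode]
    payload = original[outer_ip_header_len(original):]
    icv = hmac.new(key, payload, hash_name).digest()[:icv_len]
    return original + icv


def verify_packet(mode: int, key: bytes, authenticated: bytes) -> bool:
    """Receiver-side check of the appended digest (constant-time comparison)."""
    hash_name, _, icv_len = AUTH_MODES[mode]
    body, icv = authenticated[:-icv_len], authenticated[-icv_len:]
    expected = hmac.new(key, body[outer_ip_header_len(body):], hash_name).digest()[:icv_len]
    return hmac.compare_digest(icv, expected)


def build_sample_auth_packet(mode: int) -> bytes:
    """Constructed sample input: a key field of the mode's length, a 20-byte IPv4 header whose
    protocol field already says ESP, then an ESP header and 24 bytes of encrypted payload."""
    _, key_len, _ = AUTH_MODES[mode]
    key = bytes([mode]) * key_len
    ip = bytes([0x45, 0x00, 0x00, 0x34, 0x00, 0x01, 0x00, 0x00,
                0x40, 0x32, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2])
    esp = b"\x00\x00\x01\x00" + b"\x00\x00\x00\x01" + b"\x33" * 24   # SPI, sequence, payload
    return bytes([mode]) + key + ip + esp
```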
Two groups of different authentication modules (HMAC-SHA and HMAC-MD5) are used simultaneously in this embodiment; in practice, other existing or future authentication algorithm modules can also be substituted or added according to actual needs.
Fig. 8 shows the structure and principle of a preferred embodiment of the Wishbone bus module. As shown in Fig. 8, the Wishbone bus module includes a bus arbitration module, and a group of bus request modules and a group of bus decision modules each connected to the bus arbitration module. As illustrated, each ESP front-end encapsulation processing module is connected to the bus arbitration module through one bus request module; each ESP rear-end encapsulation processing module is connected to the bus arbitration module through one bus decision module; each encryption module is connected to the bus arbitration module through one bus request module and one bus decision module; and each authentication module is connected to the bus arbitration module through one bus request module and one bus decision module. The functions of the submodules are as follows:
The bus request module is used to send to the bus arbitration module the request signal for occupying the bus and sending a packet; when the packet of the preceding module is ready, the packet is sent to the corresponding bus request module, and the bus request module then sends the packet-ready signal to the bus arbitration module.
The bus decision module is used to send to the bus arbitration module the request signal for occupying the bus and receiving a packet; when a packet has been sent through the bus decision module to the next module, the bus decision module sends to the bus arbitration module the signal that it can receive a packet.
The bus arbitration module is used to arbitrate the packet flow between the ESP front-end encapsulation processing modules, encryption modules, authentication modules and ESP rear-end encapsulation processing modules: according to the priority order in which the encryption modules have higher priority than the authentication modules and the authentication modules have higher priority than the ESP rear-end encapsulation processing modules, it determines from specific fields in the packet the encryption processing mode and authentication processing mode required for the packet and delivers the packet to the designated module.
The specific workflow of the Wishbone bus module is as follows: when a bus request module receives a data sending request signal, it sends to the bus arbitration module a request signal for occupying the bus to send data; the bus arbitration module returns a response signal according to the bus occupancy state, and when the bus arbitration module is idle it identifies the source of the signal, obtains from the specific fields in the packet the encryption service and authentication service the packet requires, and then, according to the priority order in which the 3DES encryption module and AES encryption module have the highest priority, the HMAC-SHA authentication module and HMAC-MD5 authentication module the next highest, and the ESP rear-end encapsulation processing module the lowest, checks the state of all bus decision modules connected to it and delivers the packet to an idle bus decision module; when a bus decision module receives a request to receive a packet, the bus decision module returns a response signal according to its state, and if it is idle it receives the packet from the bus.
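As an added illustration (not code from the patent), a round-based Python simulation of the arbitration rule above: each packet is routed to its encryption module first, then its authentication module, then the rear-end module, and a request whose target module has not raised its can-receive signal simply waits. The mode encodings, module names and the one-round processing time are assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Assumed encodings of the cipher-mode and authentication-mode fields (constructed for this
# illustration; the patent only says these modes are read from specific packet fields).
CIPHER_NONE, CIPHER_3DES, CIPHER_AES = 0, 1, 2
AUTH_NONE, AUTH_SHA, AUTH_MD5 = 0, 1, 2


@dataclass
class Packet:
    pid: int
    cipher_mode: int
    auth_mode: int
    encrypted: bool = False
    authenticated: bool = False
    route: list = field(default_factory=list)   # modules visited, in order


@dataclass
class BusDecisionModule:
    """Receive side of one downstream module; `ready` mirrors the can-receive signal it raises."""
    name: str
    kind: str            # "3des", "aes", "sha", "md5" or "rear"
    ready: bool = True


class BusArbiter:
    def __init__(self, decision_modules):
        self.decision_modules = decision_modules

    @staticmethod
    def next_stage(pkt: Packet) -> str:
        """Priority order from the patent: encryption, then authentication, then rear-end."""
        if pkt.cipher_mode != CIPHER_NONE and not pkt.encrypted:
            return {CIPHER_3DES: "3des", CIPHER_AES: "aes"}[pkt.cipher_mode]
        if pkt.auth_mode != AUTH_NONE and not pkt.authenticated:
            return {AUTH_SHA: "sha", AUTH_MD5: "md5"}[pkt.auth_mode]
        return "rear"

    def grant(self, pkt: Packet) -> Optional[BusDecisionModule]:
        """Serve one bus request: deliver to an idle decision module of the required kind,
        or return None so that the request stays pending."""
        kind = self.next_stage(pkt)
        for dm in self.decision_modules:
            if dm.kind == kind and dm.ready:
                dm.ready = False
                pkt.route.append(dm.name)
                return dm
        return None


def run_pipeline(packets, decision_modules, max_rounds=50):
    """Each round, modules finish the packet they hold (one round of work, assumed) and raise
    a new bus request; the arbiter then serves pending requests in arrival order."""
    arbiter = BusArbiter(decision_modules)
    pending = deque(packets)      # packets whose bus request module has signalled "ready"
    holding = {}                  # decision module name -> packet currently being processed
    done = []
    for _ in range(max_rounds):
        for dm in decision_modules:
            pkt = holding.pop(dm.name, None)
            if pkt is None:
                continue
            if dm.kind in ("3des", "aes"):
                pkt.encrypted = True
            elif dm.kind in ("sha", "md5"):
                pkt.authenticated = True
            dm.ready = True                       # module signals it can receive again
            (done if dm.kind == "rear" else pending).append(pkt)
        waiting = deque()
        while pending:
            pkt = pending.popleft()
            dm = arbiter.grant(pkt)
            if dm is None:
                waiting.append(pkt)               # no idle target of that kind this round
            else:
                holding[dm.name] = pkt
        pending = waiting
        if not pending and not holding:
            break
    return done


def demo():
    """Constructed sample: four packets with different service requirements and one module
    of each kind, so the second 3DES packet has to wait a round for the 3DES module."""
    modules = [BusDecisionModule(n, k) for n, k in [("3des-0", "3des"), ("aes-0", "aes"),
               ("sha-0", "sha"), ("md5-0", "md5"), ("rear-0", "rear")]]
    packets = [Packet(1, CIPHER_3DES, AUTH_SHA), Packet(2, CIPHER_AES, AUTH_NONE),
               Packet(3, CIPHER_NONE, AUTH_NONE), Packet(4, CIPHER_3DES, AUTH_MD5)]
    done = run_pipeline(packets, modules)
    return [p.pid for p in done], {p.pid: p.route for p in packets}
```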
Claims (8)
1. An ESP encapsulation processing device based on a Wishbone bus, characterized in that it includes:
a group of ESP front-end encapsulation processing modules, the ESP front-end encapsulation processing module being used to receive packets after SA matching, parse the packets, perform preliminary processing on the packets and then send them in a fixed packet format to the Wishbone bus module;
a group of ESP rear-end encapsulation processing modules, the ESP rear-end encapsulation processing module being used to receive the packets sent by the Wishbone bus module that have been processed by the encryption modules and/or authentication modules, modify the relevant fields in the packets so that they conform to the IPSec packet protocol specification, and then send them in a fixed packet format to the upper-layer module;
a group of encryption modules, used to parse the packets and encrypt the payload data of the part that needs encryption; after encryption is complete the packet is re-encapsulated in a fixed packet format and sent to the Wishbone bus module;
a group of authentication modules, used to parse the packets and perform authentication processing on the payload data of the part that needs authentication; after authentication is complete the packet is re-encapsulated in a fixed packet format and sent to the Wishbone bus module;
a Wishbone bus module, connected to each of the above modules, used to arbitrate the flow direction of the data streams between the modules;
where "one group" denotes at least two.
2. The ESP encapsulation processing device as claimed in claim 1, characterized in that the group of encryption modules includes at least two 3DES encryption modules and at least two AES encryption modules, and the group of authentication modules includes at least two HMAC-SHA authentication modules and at least two HMAC-MD5 authentication modules.
3. The ESP encapsulation processing device as claimed in claim 1, characterized in that the Wishbone bus module includes a bus arbitration submodule, and a group of bus request submodules and a group of bus decision submodules each connected to the bus arbitration submodule; the bus request submodule is used to send to the bus arbitration submodule the request signal for occupying the bus to send a packet, the bus decision submodule is used to send to the bus arbitration submodule the request signal for occupying the bus to receive a packet, and the bus arbitration submodule is used to arbitrate the packet flow direction between the modules; each ESP front-end encapsulation processing module is connected to the bus arbitration submodule through one bus request submodule, each ESP rear-end encapsulation processing module is connected to the bus arbitration submodule through one bus decision submodule, each encryption module is connected to the bus arbitration submodule through one bus request submodule and one bus decision submodule, and each authentication module is connected to the bus arbitration submodule through one bus request submodule and one bus decision submodule.
4. The ESP encapsulation processing device as claimed in claim 3, characterized in that the bus arbitration submodule arbitrates the packet flow direction between the modules according to the priority of each module, the priorities of the encryption modules, authentication modules and ESP rear-end encapsulation processing modules decreasing in that order.
5. The ESP encapsulation processing device as claimed in any one of claims 1 to 4, characterized in that the ESP front-end encapsulation processing module includes:
a data input buffer FIFO submodule, used to cache the packets of a specific format input from the upper-layer module after SA matching;
a selection processing submodule, used to obtain data from the data input buffer FIFO submodule and to obtain and record, from specific data fields, the length of the whole packet and the transmission mode to be used; if the field indicates that transport mode is to be used, the whole packet is sent according to the packet length to the transport mode front-end encapsulation processing submodule, and if the field indicates that tunnel mode is to be used, the whole packet is sent according to the packet length to the tunnel mode front-end encapsulation processing submodule;
a transport mode front-end encapsulation processing submodule, used to perform preliminary encapsulation processing on the packet in transport mode: it obtains from specific data fields and records the cipher mode the packet needs to use, calculates from the cipher mode information the length of padding to be added and adds it after the IP packet, moves the original IP header to after the cipher mode field and before the SPI field, and then delivers the packet to the data output buffer FIFO submodule;
a tunnel mode front-end encapsulation processing submodule, used to perform preliminary encapsulation processing on the packet in tunnel mode: it obtains from specific data fields and records the cipher mode the packet needs to use and the IP header in the IP packet, calculates from the cipher mode information the length of padding to be added and adds it after the IP packet, adds a copy of the recorded IP header after the cipher mode field and before the SPI field, and then delivers the packet to the output buffer FIFO submodule;
a data output buffer FIFO submodule, used to cache the packets that have completed preliminary processing by the transport mode front-end encapsulation processing submodule and the tunnel mode front-end encapsulation processing submodule.
6. The ESP encapsulation processing device as claimed in any one of claims 1 to 4, characterized in that the ESP rear-end encapsulation processing module includes:
a data input buffer FIFO submodule, used to cache the packets sent over from the Wishbone bus module whose encryption algorithm and/or authentication algorithm processing is complete;
an ESP rear-end encapsulation processing submodule, used to perform the final processing on the packets whose encryption algorithm and/or authentication algorithm processing is complete: it obtains from specific fields and records the cipher mode and authentication mode the packet uses, calculates from the cipher mode and authentication mode information the values of the fields in the IP header that need to be modified and modifies them, discards the fields that do not conform to the IPSec packet protocol specification, and sends the processed packet to the data output buffer FIFO submodule;
a data output buffer FIFO submodule, used to cache the IPSec packets conforming to the protocol specification that are sent over after processing by the ESP rear-end encapsulation processing submodule.
7. The ESP encapsulation processing device as claimed in any one of claims 1 to 4, characterized in that the encryption module includes:
a data input buffer FIFO submodule, used to cache the packets sent over from the Wishbone bus module;
a data parsing submodule, used to send the payload data that needs encryption and the data that does not need encryption separately to the encryption core submodule and the non-encrypted data FIFO submodule: it obtains from specific fields in the packet the encryption mode required for the packet, calculates from the encryption mode information the key length and initialization vector length required for encryption, parses the packet accordingly, sends the key, the initialization vector and the payload data that needs encryption to the encryption core submodule, and sends the remaining data to the non-encrypted data FIFO submodule for caching;
a non-encrypted data buffer FIFO submodule, used to cache the data that is not encrypted, which is later used by the data encapsulation submodule for encapsulation;
an encryption core submodule, used to encrypt the payload data that needs encryption: it encrypts the payload data by the encryption algorithm according to the key and initialization vector sent over;
a data encapsulation submodule, used to re-encapsulate the data into the IPSec packet format conforming to the protocol specification: it first reads the data from the non-encrypted data FIFO submodule, then reads the data from the encryption core submodule and splices it onto the tail of the preceding packet, and sends the result to the data output buffer FIFO submodule;
a data output buffer FIFO submodule, used to cache the packets sent over from the data encapsulation submodule.
8. The ESP encapsulation processing device as claimed in any one of claims 1 to 4, characterized in that the authentication module includes:
a data input buffer FIFO submodule, used to cache the packets sent over from the Wishbone bus module;
a data parsing submodule, used to send the payload data that needs authentication and the original packet separately to the authentication core submodule and the non-authenticated data FIFO submodule: it obtains from specific fields in the packet the authentication processing mode required for the packet, calculates from the authentication processing mode information the key length required for authentication, parses the packet accordingly, sends the key and the payload data that needs authentication to the authentication core submodule, and sends the original packet to the non-authenticated data FIFO submodule for caching;
a non-authenticated data buffer FIFO submodule, used to cache the complete original packet received;
an authentication core submodule, used to authenticate the payload data that needs authentication: according to the key sent over, it authenticates the payload data by the authentication algorithm, generates the authentication digest and truncates it to the required length;
a data encapsulation submodule, used to re-encapsulate the data into the IPSec packet format conforming to the protocol specification: it first reads the complete original packet from the non-authenticated data FIFO submodule, then splices the truncated authentication digest generated by the authentication core submodule onto the tail of the packet, and sends the result to the data output buffer FIFO submodule;
a data output buffer FIFO submodule, used to cache the packets sent over from the data encapsulation submodule.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510253970.7A CN104980497B (en) | 2015-05-18 | 2015-05-18 | ESP encapsulation process devices based on Wishbone buses |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104980497A CN104980497A (en) | 2015-10-14 |
CN104980497B true CN104980497B (en) | 2018-02-27 |
Family ID=54276591
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115378705B (en) * | 2022-08-22 | 2024-04-05 | 中国人民解放军战略支援部队信息工程大学 | Protocol-independent multi-mode security method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103218337A (en) * | 2013-03-13 | 2013-07-24 | 北京安拓思科技有限责任公司 | SoC (System on Chip) and method for realizing communication between master modules and between slave modules based on wishbone bus |
CN203086485U (en) * | 2013-03-08 | 2013-07-24 | 华自科技股份有限公司 | Protocol decoding system applicable to digital protection device |
CN104394148A (en) * | 2014-11-26 | 2015-03-04 | 东南大学 | IPSec (Internet Protocol Security) protocol outgoing processing hardware implementation system under IPv6 (Internet Protocol version 6) |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8169839B2 (en) * | 2009-02-11 | 2012-05-01 | Stec, Inc. | Flash backed DRAM module including logic for isolating the DRAM |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |