CN105471848A - Ethernet controller security enhancement design method - Google Patents

Info

Publication number: CN105471848A
Authority: CN (China)
Prior art keywords: data, module, encryption, decryption, ethernet
Legal status: Granted
Application number: CN201510789678.7A
Other languages: Chinese (zh)
Other versions: CN105471848B (en)
Inventors: 徐毅, 韩文燕, 张琦滨, 汪争, 叶维, 刘亮, 毕小建, 张亮
Current assignee: Wuxi Jiangnan Computing Technology Institute
Original assignee: Wuxi Jiangnan Computing Technology Institute
Application filed by Wuxi Jiangnan Computing Technology Institute; priority to CN201510789678.7A; published as CN105471848A; granted and published as CN105471848B; legal status Active

Classifications

    • H04L63/16 Implementing security features at a particular protocol layer (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security)
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L63/00 > H04L63/02 Separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies)
    • H04L63/0428 Confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (H04L63/00 > H04L63/04 Providing a confidential data exchange among entities communicating through data packet networks)

Abstract

The invention provides an Ethernet controller security enhancement design method. In encryption/decryption mode the Ethernet controller performs the following operations: carrying out control-flow and data-flow communication with an external host system through an AMBA bus interface module; transferring the data configured for the different bus accesses in the transmit and receive directions through a DMA engine module; parsing and filtering the Ethernet frame data in the transmit and receive directions through a protocol filtering and encapsulation module, sending the link-layer or network-layer protocol data that needs encryption or decryption to a data encryption/decryption module and re-encapsulating the returned data; processing the data with a hardware algorithm in the data encryption/decryption module; buffering transmitted and received data through a MAC transaction module; and carrying out data communication with an external PHY chip through a PHY interface module.

Description

Ethernet controller security enhancement design method
Technical field
The present invention relates to the field of electronic information, and in particular to a security enhancement design method for a Gigabit Ethernet controller IP core that performs secure processing of link-layer, network-layer and transport-layer protocols.
Background
At present, network terminal devices usually implement secure communication with dedicated firewall software, antivirus software or data encryption/decryption software. This approach requires the various protocols carried by the network controller to be parsed and processed in software, which consumes system resources and raises CPU utilization, and flaws in the software design may introduce security risks.
Summary of the invention
To overcome the above shortcomings of existing software-based network protection mechanisms, the invention provides an enhancement design method for a Gigabit Ethernet controller IP core based on hardware encryption and decryption of network protocols, in which an AMBA bus interface module, a DMA engine module, a protocol filtering and encapsulation module, a data encryption/decryption module, a MAC transaction module, a security management and control module and a PHY interface module are designed to cooperate. The encryption and decryption processing of this Ethernet controller requires no intervention by the host system and adds no system overhead, and it secures network data transmission without losing network link transmission performance.
According to the invention, an Ethernet controller security enhancement design method is provided, comprising: pre-configuring the working mode of the Ethernet controller through the security management and control module, wherein the working modes comprise a normal mode and an encryption/decryption mode; and causing the Ethernet controller not to perform encryption or decryption of network protocols in the normal mode.
Preferably, in encryption/decryption mode the Ethernet controller is caused to perform the following operations:
carrying out control-flow and data-flow communication with the external host system through the AMBA bus interface module;
transferring the data configured for the different bus accesses in the transmit and receive directions, respectively, through the DMA engine module;
parsing and filtering the Ethernet frame data in the transmit and receive directions, respectively, through the protocol filtering and encapsulation module, sending the link-layer or network-layer protocol data that needs encryption or decryption to the data encryption/decryption module, and re-encapsulating the returned data;
processing the data with a hardware algorithm in the data encryption/decryption module;
buffering transmitted and received data through the MAC transaction module;
carrying out data communication with the external PHY chip through the PHY interface module.
Preferably, in the encryption process under encryption/decryption mode, Ethernet frame data is transferred from the AMBA bus module through the DMA engine module to the protocol filtering and encapsulation module; the filtering and encapsulation module performs protocol analysis on the different types of Ethernet frame data and sends the data that needs encryption to the encryption/decryption module; the encryption/decryption module encrypts that data to form ciphertext and returns the ciphertext to the protocol filtering and encapsulation module, which re-encapsulates the ciphertext into Ethernet frame format; the ciphertext in Ethernet frame format is then transferred to the MAC transaction module and finally sent to the PHY chip through the PHY interface module.
Preferably, in the decryption process under encryption/decryption mode, the PHY interface module receives Ethernet frame data from the PHY chip and forwards the received frame data to the MAC transaction module, which synchronizes the Ethernet frame data and passes it to the protocol filtering and encapsulation module; the protocol filtering and encapsulation module performs protocol analysis on the different types of frame and sends the data that needs decryption to the encryption/decryption module; the encryption/decryption module decrypts that data to form plaintext and returns the plaintext to the protocol filtering and encapsulation module, which re-encapsulates it into Ethernet frame format; the plaintext in Ethernet frame format is then transferred to the external host system through the DMA engine module and the AMBA bus module.
Preferably, the working modes further comprise a disabled mode, in which the Ethernet controller only supports system IO access and does not respond to other configuration operations issued by the system.
Preferably, the Ethernet controller can perform secure processing of the following protocols:
the MAC frame protocol of the link layer;
the network-layer protocols based on IPv4/IPv6;
the transport-layer protocols based on IPv4/IPv6.
Preferably, the data configured for the different bus accesses has variable data granularity.
The invention provides a Gigabit Ethernet controller IP core capable of hardware encryption and decryption. Through its hardware design, the invention bypasses, filters, or encrypts/decrypts the different protocols of the Ethernet link layer, network layer and transport layer, and the encryption and decryption process requires no intervention by the system and consumes no system overhead.
Brief description of the drawings
A more complete understanding of the invention, and of its attendant advantages and features, will be more readily obtained by reference to the accompanying drawings and the detailed description below, in which:
Fig. 1 schematically shows the circuit structure adopted according to a preferred embodiment of the invention.
Fig. 2 schematically shows the encryption process of Ethernet frame data according to a preferred embodiment of the invention.
Fig. 3 schematically shows the decryption process of Ethernet frame data according to a preferred embodiment of the invention.
Note that the drawings serve to illustrate the invention and do not limit it, and that drawings representing structures are not necessarily drawn to scale. Identical or similar elements are marked with identical or similar reference numerals throughout the drawings.
Detailed description of the embodiments
To make the content of the invention clearer and easier to understand, it is described in detail below with reference to specific embodiments and the drawings.
The working mode of the Ethernet controller (for example, the working modes comprise a normal mode, a disabled mode and an encryption/decryption mode) is pre-configured through the security management and control module.
In normal mode the Ethernet controller does not perform encryption or decryption of network protocols.
In examples that provide a disabled mode, the Ethernet controller in disabled mode only supports system IO access and does not respond to other configuration operations issued by the system.
In encryption/decryption mode the Ethernet controller carries out control-flow and data-flow communication with the external host system through the AMBA bus interface module; transfers the data configured for the different bus accesses (the data may have variable granularity) in the transmit and receive directions, respectively, through the DMA engine module; parses and filters the Ethernet frame data in the transmit and receive directions, respectively, through the protocol filtering and encapsulation module, sending the link-layer or network-layer protocol data that needs encryption or decryption to the data encryption/decryption module and re-encapsulating the returned data; processes the data with a hardware algorithm in the data encryption/decryption module; buffers transmitted and received data through the MAC transaction module; and carries out data communication with the external PHY chip through the PHY interface module.
The Ethernet controller can perform secure processing of the following protocols:
(1) the various MAC frame protocols of the link layer;
(2) the various network-layer protocols based on IPv4/IPv6;
(3) the various transport-layer protocols based on IPv4/IPv6.
Specifically, as shown in Fig. 1, AMBA bus interface module 1 connects to the external host system through the AMBA bus and internally connects to DMA engine module 2; protocol filtering and encapsulation module 3 switches between the different working modes under the configuration of security management and control module 5 and, in encryption/decryption mode, parses, filters and encapsulates the transmitted and received data respectively; data encryption/decryption module 4 encrypts transmitted data and decrypts received data with a hardware algorithm; MAC transaction module 6 buffers transmitted and received data; and PHY interface module 7 connects internally to the MAC transaction module and externally to the PHY chip.
In Fig. 2, in the encryption process under encryption/decryption mode, Ethernet frame data is transferred from AMBA bus module 1 through DMA engine module 2 to protocol filtering and encapsulation module 3; filtering and encapsulation module 3 performs protocol analysis on the different types of Ethernet frame data and sends the data that needs encryption to encryption/decryption module 4; encryption/decryption module 4 encrypts that data to form ciphertext and returns the ciphertext to protocol filtering and encapsulation module 3, which re-encapsulates the ciphertext into Ethernet frame format; the ciphertext in Ethernet frame format is then transferred to MAC transaction module 6 and finally sent to the PHY chip through PHY interface module 7.
In Fig. 3, in the decryption process under encryption/decryption mode, PHY interface module 7 receives Ethernet frame data from the PHY chip and forwards the received frame data to MAC transaction module 6, which synchronizes the Ethernet frame data and passes it to protocol filtering and encapsulation module 3; protocol filtering and encapsulation module 3 performs protocol analysis on the different types of frame and sends the data that needs decryption to encryption/decryption module 4; encryption/decryption module 4 decrypts that data to form plaintext and returns the plaintext to protocol filtering and encapsulation module 3, which re-encapsulates it into Ethernet frame format; the plaintext in Ethernet frame format is then transferred to the external host system through DMA engine module 2 and AMBA bus module 1.
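The transmit path of Fig. 2 and the receive path of Fig. 3, modelled in software as an added example (this is not code from the patent): the per-EtherType policy table, the EtherType that marks a re-encapsulated frame, the SHA-256 counter keystream standing in for the unspecified hardware algorithm, the HMAC tag and the disabled-mode behaviour are all assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

# Working modes pre-configured by the security management and control module.
NORMAL, ENCDEC, DISABLED = "normal", "encdec", "disabled"
# Per-EtherType actions of the protocol filtering module (assumed policy table).
BYPASS, ENCRYPT, DROP = "bypass", "encrypt", "drop"
ETH_P_IPV4, ETH_P_IPV6, ETH_P_ARP = 0x0800, 0x86DD, 0x0806
# Assumed EtherType marking a re-encapsulated frame (the patent names none);
# 0x88B5 is an IEEE 802 local experimental EtherType.
ETH_P_SECURE = 0x88B5
NONCE_LEN, TAG_LEN = 8, 16


def keystream(key, nonce, length):
    """Counter-mode keystream standing in for the unspecified hardware cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
    return out[:length]

def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

class EthernetController:
    """Software model of modules 3, 4 and 5 of Fig. 1; AMBA, DMA, MAC, PHY omitted."""

    def __init__(self, key):
        self.mode, self.key = NORMAL, key
        self.policy = {ETH_P_IPV4: ENCRYPT, ETH_P_IPV6: ENCRYPT, ETH_P_ARP: BYPASS}

    # Security management and control module: mode writes are always accepted,
    # other configuration is ignored in disabled mode ("only IO access", assumed).
    def set_mode(self, mode):
        self.mode = mode

    def set_policy(self, ethertype, action):
        if self.mode == DISABLED:
            return False
        self.policy[ethertype] = action
        return True

    # Transmit direction (Fig. 2): parse, filter, encrypt, re-encapsulate.
    def transmit(self, frame):
        if self.mode == DISABLED:
            return None
        header, ethertype, payload = frame[:12], struct.unpack(">H", frame[12:14])[0], frame[14:]
        if self.mode == NORMAL:
            return frame
        action = self.policy.get(ethertype, DROP)
        if action != ENCRYPT:
            return frame if action == BYPASS else None
        # The original EtherType travels inside the protected body so that the
        # receiver can restore the frame exactly; the HMAC tag is an addition,
        # since the patent text specifies encryption only.
        nonce = os.urandom(NONCE_LEN)
        ct = xor(struct.pack(">H", ethertype) + payload, keystream(self.key, nonce, len(payload) + 2))
        tag = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        return header + struct.pack(">H", ETH_P_SECURE) + nonce + ct + tag

    # Receive direction (Fig. 3): parse, filter, verify, decrypt, re-encapsulate.
    def receive(self, frame):
        if self.mode == DISABLED:
            return None
        header, ethertype, body = frame[:12], struct.unpack(">H", frame[12:14])[0], frame[14:]
        if self.mode == NORMAL:
            return frame
        if ethertype != ETH_P_SECURE:
            # Protocols the policy requires to be encrypted are not accepted in the clear.
            return frame if self.policy.get(ethertype, DROP) == BYPASS else None
        if len(body) < NONCE_LEN + 2 + TAG_LEN:
            return None  # truncated protected frame
        nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        expect = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return None  # modified in transit or wrong key: dropped before decryption
        return header + xor(ct, keystream(self.key, nonce, len(ct)))
```

The tag is the point a reviewer of this design would raise: the patent describes encryption only, and without an integrity check the receive path cannot tell a modified ciphertext from a genuine one.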
The invention targets the Ethernet-based TCP/IP protocol suite and can perform secure processing of the related link-layer, network-layer and transport-layer protocols. Moreover, by having the security management and control module independently pre-configure the working mode of the Ethernet controller, the invention supports three different modes: normal, encryption/decryption and disabled.
The principal technical effect of the invention is that the real-time encryption and decryption of Ethernet frame data is implemented in hardware, which ensures that link data transmission is secure and reliable without consuming system overhead.
Note that, unless otherwise indicated, the terms "first", "second", "third" and so on in the specification serve only to distinguish the various components, elements, steps and so on, and do not express logical or ordinal relationships between them.
It will be understood that, although the invention has been disclosed above by way of preferred embodiments, those embodiments are not intended to limit the invention. Any person of ordinary skill in the art may, without departing from the scope of the technical solution of the invention, use the technical content disclosed above to make many possible changes and modifications to the technical solution of the invention, or revise it into equivalent embodiments of equivalent variation. Therefore, any simple modification, equivalent variation or modification made to the above embodiments according to the technical spirit of the invention, without departing from the content of the technical solution of the invention, still falls within the scope of protection of the technical solution of the invention.

Claims (7)

1. An Ethernet controller security enhancement design method, characterized by comprising: pre-configuring the working mode of the Ethernet controller through a security management and control module, wherein the working modes comprise a normal mode and an encryption/decryption mode; and causing the Ethernet controller not to perform encryption or decryption of network protocols in the normal mode.
2. The Ethernet controller security enhancement design method according to claim 1, characterized in that, in encryption/decryption mode, the Ethernet controller is caused to perform the following operations:
carrying out control-flow and data-flow communication with an external host system through an AMBA bus interface module;
transferring the data configured for the different bus accesses in the transmit and receive directions, respectively, through a DMA engine module;
parsing and filtering the Ethernet frame data in the transmit and receive directions, respectively, through a protocol filtering and encapsulation module, sending the link-layer or network-layer protocol data that needs encryption or decryption to a data encryption/decryption module, and re-encapsulating the returned data;
processing the data with a hardware algorithm in the data encryption/decryption module;
buffering transmitted and received data through a MAC transaction module;
carrying out data communication with an external PHY chip through a PHY interface module.
3. The Ethernet controller security enhancement design method according to claim 1 or 2, characterized in that, in the encryption process under encryption/decryption mode, Ethernet frame data is transferred from the AMBA bus module through the DMA engine module to the protocol filtering and encapsulation module; the filtering and encapsulation module performs protocol analysis on the different types of Ethernet frame data and sends the data that needs encryption to the encryption/decryption module; the encryption/decryption module encrypts that data to form ciphertext and returns the ciphertext to the protocol filtering and encapsulation module, which re-encapsulates the ciphertext into Ethernet frame format; the ciphertext in Ethernet frame format is then transferred to the MAC transaction module and finally sent to the PHY chip through the PHY interface module.
4. The Ethernet controller security enhancement design method according to claim 1 or 2, characterized in that, in the decryption process under encryption/decryption mode, the PHY interface module receives Ethernet frame data from the PHY chip and forwards the received frame data to the MAC transaction module, which synchronizes the Ethernet frame data and passes it to the protocol filtering and encapsulation module; the protocol filtering and encapsulation module performs protocol analysis on the different types of frame and sends the data that needs decryption to the encryption/decryption module; the encryption/decryption module decrypts that data to form plaintext and returns the plaintext to the protocol filtering and encapsulation module, which re-encapsulates it into Ethernet frame format; the plaintext in Ethernet frame format is then transferred to the external host system through the DMA engine module and the AMBA bus module.
5. The Ethernet controller security enhancement design method according to claim 1 or 2, characterized in that the working modes further comprise a disabled mode, in which the Ethernet controller only supports system IO access and does not respond to other configuration operations issued by the system.
6. The Ethernet controller security enhancement design method according to claim 1 or 2, characterized in that the Ethernet controller can perform secure processing of the following protocols:
the MAC frame protocol of the link layer;
the network-layer protocols based on IPv4/IPv6;
the transport-layer protocols based on IPv4/IPv6.
7. The Ethernet controller security enhancement design method according to claim 1 or 2, characterized in that the data configured for the different bus accesses has variable data granularity.
Priority and Publication

Application number: CN201510789678.7A (priority date 2015-11-17, filing date 2015-11-17), title: Ethernet controller security enhancement design method, status: Active
Publication number: CN105471848A, published 2016-04-06
Granted publication: CN105471848B, published 2018-07-03
Family ID: 55609119
Country status: CN, CN105471848B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808317A (en) * 2009-02-18 2010-08-18 联想(北京)有限公司 Computer device and method for realizing wireless local area network security measure
CN102291405A (en) * 2011-08-12 2011-12-21 曙光信息产业(北京)有限公司 Network card supporting filtration and encryption of network data
US20130219507A1 (en) * 2012-02-16 2013-08-22 Samsung Electronics Co. Ltd. Method and apparatus for protecting digital content using device authentication

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111357247A (en) * 2017-11-07 2020-06-30 大陆汽车有限公司 Method for operating an ethernet communication device and ethernet communication device
US11252107B2 (en) 2017-11-07 2022-02-15 Continental Automotive Gmbh Method for operating an ethernet communication device, and ethernet communication device
CN111357247B (en) * 2017-11-07 2022-11-22 大陆汽车有限公司 Method for operating an ethernet communication device and ethernet communication device

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant