CN107493292B - Heterogeneous multi-channel safety isolation information transmission system and method - Google Patents


Info

Publication number: CN107493292B
Authority: CN (China)
Prior art keywords: data, processing circuit, data processing, effective, channel
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Application number: CN201710782879.3A
Other languages: Chinese (zh)
Other versions: CN107493292A (en)
Inventors: 陆正中, 谢正波, 刘霖
Current assignee: Shenzhen Zhongruiyuan Technology Co ltd (as listed by Google Patents; assignee lists may be inaccurate)
Original assignee: Shenzhen Zhongruiyuan Technology Co ltd
Application filed by Shenzhen Zhongruiyuan Technology Co ltd
Priority to CN201710782879.3A
Publication of CN107493292A
Application granted
Publication of CN107493292B

Classifications

    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/067 Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a heterogeneous multi-channel, security-isolated information transmission system comprising a first network unit and a second network unit. The host of the first network unit has a plurality of sending ports, each connected to a corresponding receiving port of a first data processing circuit; the first data processing circuit transmits data to a second data processing circuit over a plurality of unidirectional optical fibres; and the sending port of the second data processing circuit is connected to the receiving port of the second network unit. A method for transmitting information over the multi-channel, security-isolated system is also disclosed. The system transmits data with its integrity preserved, eliminates any backdoor that a physical connection between the two networks could create, and prevents the illegal data exchange that a virus-controlled computer could otherwise attempt.

Description

Heterogeneous multi-channel safety isolation information transmission system and method
Technical Field
The invention relates to data transmission technology, and in particular to a heterogeneous multi-channel, security-isolated information transmission system and method that preserves data integrity, eliminates the backdoor that a physical connection could create, and prevents illegal data exchange by a virus-controlled computer.
Background
At present the basic situation of China's cyberspace is as follows: the industrial base is weak; research, including cyberspace security research, is on the whole of the follow-the-leader kind and in some areas has been hollowed out; independent development cannot cover the whole ecosystem or control every link of the security chain; and cyberspace is in a "transparent, networked" state.
Devices that implement security isolation and information exchange today generally use one of the following technologies: ferrying (based on switch switching), buffered communication (based on switch switching), and the one-way channel. In the ferrying and buffered-communication schemes the two networks are physically connected together, so a hidden-channel backdoor may exist, and a virus can disguise itself as data, ferry back in the reverse direction and pass through the security isolation and information transmission system (illegal data exchange); these schemes are therefore relatively unsafe. In a one-way channel the receiving link and the transmitting link are completely separated, so communication feedback cannot be completed within one channel, an attack becomes a half-open connection, and no hidden bidirectional channel (backdoor) can form to leak secrets. The sender only sends and the receiver only receives. Having only one direction, however, greatly affects data integrity: if data is damaged in transit, the receiver cannot ask the sender to retransmit and can only discard it, and the sender knows only that the data was sent out, not whether it was received or is usable. One-way channel technology thus buys its security at the cost of some loss of data integrity.
Disclosure of Invention
To solve the above problems, the present invention provides a heterogeneous multi-channel, security-isolated information transmission system that completely eliminates the backdoor a physical connection could create and prevents illegal data exchange by virus-controlled computers during data transmission.
The invention is realised by the following technical measures. The heterogeneous multi-channel security-isolated information transmission system comprises a first network unit and a second network unit and is characterised in that: the host of the first network unit has a plurality of sending ports, each connected to a corresponding receiving port of a first data processing circuit; the first data processing circuit is connected to a second data processing circuit by a plurality of unidirectional optical fibres and transmits data to it over them; and the sending port of the second data processing circuit is connected to the receiving port of the second network unit.
Preferably, the second network unit also has a plurality of sending ports, each connected to a corresponding receiving port of a third data processing circuit; the third data processing circuit is connected to a fourth data processing circuit by a plurality of unidirectional optical fibres and transmits data to it over them; and the sending port of the fourth data processing circuit is connected to the receiving port of the first network unit.
Preferably, the number of unidirectional optical fibres between the first and second data processing circuits equals the number of channels between the first network unit host and the first data processing circuit, with a one-to-one correspondence between fibres and channels.
Preferably, the number of unidirectional optical fibres between the third and fourth data processing circuits equals the number of channels between the second network unit host and the third data processing circuit, with a one-to-one correspondence between fibres and channels.
Preferably, the first data processing circuit and the second data processing circuit are FPGA data processing circuits.
Preferably, the third data processing circuit and the fourth data processing circuit are FPGA data processing circuits.
The invention also discloses an information transmission method for the heterogeneous multi-channel security-isolated system, comprising the following steps:
(11) After the system program starts, the first network unit host generates a first transmission random number, computes from it the serial numbers of at least three effective data channels, and sends those serial numbers to the first data processing circuit, which forwards them to the second data processing circuit; the second data processing circuit stores the received serial numbers and uses them to verify incoming data;
(12) When the first network unit host receives external data that must be sent to the second network unit host, it encodes the data in the format corresponding to each current effective channel and stores the encoded data in the buffer of that effective data channel;
(13) The first network unit host sends the contents of each buffer to the corresponding effective data channel asynchronously;
(14) On receiving the data of each effective data channel, the first data processing circuit packs it and sends it onto the unidirectional optical fibre corresponding to that channel;
(15) Each channel of the second data processing circuit receives data independently. On receiving a fixed-length packet it first checks the channel number: if the packet arrived on a channel that is not one of the current effective data channels, the packet is discarded and the error count is incremented, and an alarm is raised when the error count reaches a set value. If the packet arrived on a current effective data channel, the data of the effective channels is decoded and checked and the final data is obtained by majority vote (the minority obeys the majority); if the data of the channels all differ, the data is discarded and the error count is incremented, with an alarm when the count reaches the set value;
(16) The second data processing circuit transmits the final data to the second network unit host.
Preferably, the method further comprises the following steps:
(21) After the system program starts, the second network unit host generates a second transmission random number, computes from it the serial numbers of at least three effective data channels, and sends those serial numbers to the third data processing circuit, which forwards them to the fourth data processing circuit; the fourth data processing circuit stores the received serial numbers and uses them to verify incoming data;
(22) When the second network unit host receives data that must be sent to the first network unit host, it encodes the data in the format corresponding to each current effective channel and stores the encoded data in the buffer of that effective data channel;
(23) The second network unit host sends the contents of each buffer to the corresponding effective data channel asynchronously;
(24) On receiving the data of each effective data channel, the third data processing circuit packs it and sends it onto the unidirectional optical fibre corresponding to that channel;
(25) Each channel of the fourth data processing circuit receives data independently. On receiving a fixed-length packet it first checks the channel number: if the packet arrived on a channel that is not one of the current effective data channels, the packet is discarded and the error count is incremented, and an alarm is raised when the error count reaches a set value. If the packet arrived on a current effective data channel, the data of the effective channels is decoded and checked and the final data is obtained by majority vote; if the data of the channels all differ, the data is discarded and the error count is incremented, with an alarm when the count reaches the set value;
(26) The fourth data processing circuit transmits the final data to the first network unit host.
Preferably, step (11) is: when the system program starts, the first network unit host generates a first transmission random number, computes from it the serial numbers of at least three effective data channels, and sends those serial numbers to the first data processing circuit, which forwards them to the second data processing circuit; the second data processing circuit stores the received serial numbers and verifies data against them. After a preset time the first transmission random number is regenerated, the serial numbers of at least three effective data channels are recomputed from it and sent to the first data processing circuit and on to the second data processing circuit, which stores them and verifies data against them; this process then repeats.
In a preferred embodiment, step (21) is: after the system program starts, the second network unit host generates a second transmission random number, computes from it the serial numbers of at least three effective data channels, and sends those serial numbers to the third data processing circuit, which forwards them to the fourth data processing circuit; the fourth data processing circuit stores the received serial numbers and verifies data against them. After a preset time the second transmission random number is regenerated, the serial numbers of at least three effective data channels are recomputed from it and sent to the third data processing circuit and on to the fourth data processing circuit, which stores them and verifies data against them; this process then repeats.
Because unidirectional optical fibres are used between the first and second data processing circuits, the receiving and transmitting links of the communication are completely separated: feedback cannot be completed within one channel, an attack becomes a half-open connection, no hidden bidirectional channel (backdoor) can form to leak secrets, and there is no hardware backdoor. To overcome the weakness of one-way channel technology, namely that data may be damaged in transit, a plurality of unidirectional optical fibres is used; the data carried on the several fibres is cross-checked and corrected to obtain the final data, so that the theoretical error rate reaches the level of 10^-28, which meets practical requirements. The system uses a heterogeneous multi-channel structure: data is sent over heterogeneous channels and is accepted as valid only when the data sent over several channels is identical, which, compared with homogeneous multi-channel designs, prevents illegal data transmission by viruses to a certain extent. With heterogeneous channels the effective channels are recomputed continuously from random numbers generated by the system; the system sends data only on the effective data channels, and the receiving end accepts data only when the data on several of the effective channels agrees. If data also appears on a non-effective channel, this is treated as an illegal transmission that is attempting to send over every channel; a warning is issued and the channel is closed. The invention also applies data format conversion (encryption): the host converts the format of the data of each channel (or encrypts it with a different key per channel), and hardware such as the FPGA applies the inverse conversion (or decryption) when verifying packets. The keys are held in the firmware and in the software program and differ for every device. Because a virus cannot obtain the device's keys, data it sends is transformed (or decrypted) during packet verification into different values on each channel, no two channels agree, and the data is finally discarded, so the illegal data is shut out. The host may also run a virtual host on which the sending program shipped with the system executes, isolating the sending program in case the host, being connected to the first network unit, is controlled by a virus that would otherwise use the sending program to take over the system.
Drawings
Fig. 1 is a block diagram of the structure of the embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following examples and drawings.
Referring to Fig. 1, the heterogeneous multi-channel security-isolated information transmission system of this embodiment has two hardware channels: the first channel carries data from the extranet unit to the intranet unit, and the second channel carries data from the intranet unit to the extranet unit. In hardware, the extranet host 1 and the intranet host 7 are Brix 5200 machines (i5 CPU, 16 GB memory, 256 GB SSD); the first FPGA data processing circuit 3 and the second FPGA data processing circuit 5 use the Altera Cyclone V, specifically the 5CGXFC9C6, and the data processing circuit performs data packing, verification and related work. The extranet host 1 is connected to the first FPGA data processing circuit 3 through one USB 3.0 interface, two PCIe interfaces and two SATA interfaces 2: the two PCIe interfaces and the two SATA interfaces of the extranet host 1 are wired directly to the corresponding pins of the first FPGA data processing circuit 3, while the USB 3.0 interface of the extranet host 1 is connected to a Cypress FX3 module whose parallel port is wired to the corresponding pins of the first FPGA data processing circuit 3. The transmit ports of the five optical modules on the first FPGA data processing circuit 3 are connected through five unidirectional optical fibres 4 to the receive ports of the corresponding optical modules on the second FPGA data processing circuit 5.
The second FPGA data processing circuit 5 is connected to the intranet host 7 through a USB interface. The hardware of the second channel is identical to that of the first; the difference is that the second FPGA data processing circuit and the fourth data processing circuit use different encoding and decoding modes (inverse format transformation, or decryption key and decryption mode) for the data they receive.
The heterogeneous multi-channel security-isolated information transmission method comprises the following steps:
(11) After the system program starts, the extranet host 1 generates a first transmission random number, computes from it the serial numbers of a plurality of effective data channels, and sends them to the first FPGA data processing circuit 3, which forwards them to the second FPGA data processing circuit 5; the second FPGA data processing circuit 5 stores the received serial numbers and verifies data against them. While the system is not receiving external data this process is repeated at regular intervals, so that the effective data channels keep changing;
(12) When the extranet host 1 receives external data that must be sent to the intranet host 7, it encodes the data (by format conversion, encryption or another method) in the format corresponding to each current effective channel and stores it in the buffer of that effective data channel;
(13) The extranet host 1 sends the data to each corresponding effective data channel asynchronously;
(14) On receiving the data of each effective data channel, the first FPGA data processing circuit 3 packs it and sends it onto the unidirectional optical fibre 4 corresponding to that channel;
(15) Each unidirectional optical fibre 4 of the second FPGA data processing circuit 5 receives data independently. On receiving a fixed-length packet the circuit first checks the channel number: if the packet arrived on a channel that is not one of the current effective data channels, the packet is discarded and the error count is incremented, and an alarm is raised when the error count reaches a set value. If the packet arrived on a current effective data channel, the data of the effective channels is decoded (by inverse format conversion, decryption or another method) and checked, and the final data is obtained by majority vote (the minority obeys the majority); if the data of the channels all differ, the data is discarded and the error count is incremented, with an alarm when the count reaches the set value;
(16) The second FPGA data processing circuit 5 transmits the final data to the intranet host 7.
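The procedure in steps (11) to (16) above, including its mirror in steps (21) to (26) and the periodic re-selection of effective channels, as an added simulation. This is not code from the patent or from any product of the assignee; it fills in what the text leaves open with assumptions: five channels of which three are effective (the embodiment's fibre count and the claims' minimum), a 32-byte fixed-length packet, a hash-based derivation of channel numbers from the transmission random number, per-channel keys derived from a constructed label, XOR with an HMAC keystream plus a truncated SHA-256 tag as the "format conversion", and an alarm threshold of 3. The names Sender, Receiver, encode, decode and select_effective_channels are illustrative.

```python
import hashlib
import hmac
import secrets
from collections import Counter

N_CHANNELS = 5        # the embodiment uses five unidirectional fibres
K_EFFECTIVE = 3       # the claims require at least three effective channels
PACKET_LEN = 32       # fixed-length packet size (assumed; the patent gives none)
TAG_LEN = 4           # per-packet integrity tag length (assumed)
ALARM_THRESHOLD = 3   # the error-count "set value" (assumed)

# Per-channel keys shared by the sending host and the receiving FPGA firmware.
# Constructed for this example; the patent only says each device's keys differ.
CHANNEL_KEYS = [hashlib.sha256(b"demo-device-channel-key-%d" % i).digest()
                for i in range(N_CHANNELS)]


def select_effective_channels(rand, n=N_CHANNELS, k=K_EFFECTIVE):
    """Map a transmission random number to k distinct channel numbers (assumed
    derivation: hash it and draw without replacement using digest bytes)."""
    digest = hashlib.sha256(rand).digest()
    pool = list(range(n))
    chosen = [pool.pop(digest[i] % len(pool)) for i in range(k)]
    return sorted(chosen)


def _keystream(channel, seq):
    # One keystream block per channel and packet sequence number.
    return hmac.new(CHANNEL_KEYS[channel], seq.to_bytes(8, "big"),
                    hashlib.sha256).digest()[:PACKET_LEN]


def encode(channel, seq, data):
    """Host-side format conversion: length-prefix, pad, tag, XOR with channel keystream."""
    body_len = PACKET_LEN - TAG_LEN - 1
    if len(data) > body_len:
        raise ValueError("payload too long for one fixed-length packet")
    body = bytes([len(data)]) + data.ljust(body_len, b"\0")
    plain = body + hashlib.sha256(body).digest()[:TAG_LEN]
    return bytes(a ^ b for a, b in zip(plain, _keystream(channel, seq)))


def decode(channel, seq, packet):
    """FPGA-side inverse conversion; returns the payload, or None if the check fails."""
    if len(packet) != PACKET_LEN:
        return None
    plain = bytes(a ^ b for a, b in zip(packet, _keystream(channel, seq)))
    body, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    if not hmac.compare_digest(tag, hashlib.sha256(body).digest()[:TAG_LEN]):
        return None
    return body[1:1 + body[0]] if body[0] < len(body) else None


class Receiver:
    """Second data processing circuit: membership check, decode, majority vote, alarm."""

    def __init__(self):
        self.effective, self.error_count, self.alarm = [], 0, False

    def set_effective(self, channels):
        self.effective = list(channels)

    def _reject(self):
        self.error_count += 1
        self.alarm = self.alarm or self.error_count >= ALARM_THRESHOLD
        return None

    def receive(self, seq, packets):
        """packets maps channel number -> fixed-length packet seen in this cycle."""
        if any(ch not in self.effective for ch in packets):   # step (15), first check
            return self._reject()
        decoded = [decode(ch, seq, packets[ch]) for ch in self.effective if ch in packets]
        votes = Counter(d for d in decoded if d is not None)
        if not votes:
            return self._reject()
        value, count = votes.most_common(1)[0]
        return value if 2 * count > len(self.effective) else self._reject()


class Sender:
    """First network unit host plus first data processing circuit."""

    def __init__(self, receiver):
        self.receiver, self.seq = receiver, 0
        self.rekey()

    def rekey(self):
        # Step (11): fresh random number -> effective channels, pushed downstream.
        self.effective = select_effective_channels(secrets.token_bytes(16))
        self.receiver.set_effective(self.effective)

    def send(self, data, corrupt_channel=None):
        # Steps (12)-(14): encode per effective channel and emit on its fibre.
        self.seq += 1
        packets = {ch: encode(ch, self.seq, data) for ch in self.effective}
        if corrupt_channel is not None:            # simulate a bit error on one fibre
            p = bytearray(packets[corrupt_channel])
            p[5] ^= 0x01
            packets[corrupt_channel] = bytes(p)
        return self.receiver.receive(self.seq, packets)

    def inject_raw(self, data, channels):
        # A virus on the host writing raw bytes to the ports without the keys.
        self.seq += 1
        pkt = data.ljust(PACKET_LEN, b"\0")[:PACKET_LEN]
        return self.receiver.receive(self.seq, {ch: pkt for ch in channels})
```

Exercising Sender and Receiver shows the three behaviours the steps describe: a packet corrupted on one fibre is still recovered because the other two effective channels agree; raw bytes written to every port are rejected at the membership check because some ports are not currently effective; and raw bytes written only to the effective ports are rejected because, without the per-channel keys, they decode to a different image on each channel and no majority forms, with the alarm flag set once the error count reaches the threshold. The caveat the text itself raises still applies: malware that can drive the legitimate sending program, which holds the keys, passes this check, which is why the patent also proposes running that program in a virtual host.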
In this system, because unidirectional optical fibres are used between the first and second FPGA data processing circuits, the receiving and transmitting links of the communication are completely separated: feedback cannot be completed within one channel, an attack becomes a half-open connection, no hidden bidirectional channel (backdoor) can form to leak secrets, and there is no hardware backdoor. To overcome the weakness of one-way channel technology, namely that data may be damaged in transit, a plurality of unidirectional optical fibres is used and the data on the several fibres is cross-checked to obtain the final data, so that the theoretical error rate reaches the level of 10^-28, which meets practical requirements. The system uses a heterogeneous multi-channel architecture: data is accepted as valid only when the data sent over several channels is identical, which, compared with a homogeneous multi-channel architecture, prevents illegal data transmission by viruses to a certain extent. The effective channels are recomputed continuously from random numbers generated by the system; the system sends data only on the effective data channels, and the receiving end accepts data only when the data on several of the effective channels agrees. If data also appears on a non-effective channel, this is treated as an illegal transmission that is attempting to send over every channel; a warning is issued and the channel is closed. The system also applies data format coding (format conversion, encryption or similar): the host encodes the data of each channel differently (format conversion, or encryption with different keys), and the FPGA hardware decodes it (inverse conversion or decryption) when verifying packets. The coding mode or keys are held in the firmware and in the software program and differ for every device. Because a virus cannot obtain the device's coding mode or keys, data it sends is decoded (inverse-converted or decrypted) during packet verification into different values on each channel, no two channels agree, and the data is finally discarded, so the illegal data is shut out. The host may also run a virtual host on which the sending program shipped with the system executes, isolating the case in which the host, being connected to the first network unit, is controlled by a virus that then controls the system's sending program.
With these techniques the probability that a virus passes illegal data through the system is extremely low. By the same principle a similar scheme (differing only in data conversion mode or encryption keys) can be used from the intranet host 7 to the extranet host 1: the intranet host 7 has a plurality of sending ports, each connected to a corresponding receiving port of the third FPGA data processing circuit 8; the third FPGA data processing circuit 8 is connected to the fourth FPGA data processing circuit 9 by a plurality of unidirectional optical fibres 4 and transmits data to it over them; and the sending port of the fourth FPGA data processing circuit 9 is connected to the receiving port of the extranet host 1. Even if virus-disguised data reaches the intranet host 7 by way of user action (or by successfully defeating the data transformation and the rotating channel selection) and the intranet host 7 is taken over, the virus still cannot send data out, because the intranet host 7 and the extranet host 1 also use different format transformations (or different encryption keys) from each other. When the intranet host 7 needs to send data to the extranet host 1, the process follows the same principle as transmission from the extranet host 1 to the intranet host 7.
In the heterogeneous multi-channel security-isolated information transmission system of this embodiment, referring to Fig. 1 and building on the above, the number of unidirectional optical fibres between the first and second FPGA data processing circuits may equal the number of channels between the extranet host and the first FPGA data processing circuit, with a one-to-one correspondence between them. Likewise the number of unidirectional optical fibres between the third and fourth FPGA data processing circuits equals the number of channels between the intranet host and the third FPGA data processing circuit, with a one-to-one correspondence between fibres and channels.
In the system of this embodiment, referring to Fig. 1 and building on the above, the sending port of the second FPGA data processing circuit 5 may be connected to the receiving port of the intranet host 7 (the second network unit) through a single channel 6, and the sending port of the fourth FPGA data processing circuit 9 may be connected to the receiving port of the first network unit through a single channel.
Building on the above, the system of this embodiment can raise its alarm through the system's own audible and visual alarm or by sending alarm information to an upper computer (supervisory host).
The above description of the heterogeneous multi-channel security-isolated information transmission system is given to aid understanding of the invention, but the implementation of the invention is not limited to the above embodiments; any changes, modifications, substitutions, combinations and simplifications that do not depart from the principle of the invention are equivalent substitutions and fall within the scope of the invention.

Claims (10)

1. A heterogeneous multi-channel safety isolation information transmission method is characterized by comprising the following steps: (11) After the system program is started, the first network unit host first generates a first transmission random number, calculates the serial numbers of at least three effective data channels from the random number, and sends the serial numbers of the effective data channels to the first data processing circuit, which forwards them to the second data processing circuit; the second data processing circuit saves the received serial numbers of the effective data channels and performs data verification according to the saved serial numbers; (12) When the first network unit host receives external data that needs to be sent to the second network unit host, it encodes the data according to the format corresponding to each current effective channel and stores the encoded data in the buffer corresponding to each effective data channel; (13) The first network unit host sends the data of each buffer to the corresponding effective data channel in an asynchronous manner; (14) After receiving the data of each effective data channel, the first data processing circuit packs the data and sends it to the unidirectional optical fiber corresponding to that effective channel; (15) Each channel of the second data processing circuit receives data independently; after receiving a fixed-length packet it first checks the channel number against the saved effective data channels, and if the packet arrived on a channel outside the effective data channels the data is discarded directly and the error count is incremented, and an alarm is given if the error count reaches a set value; if the channel receiving the data is one of the current effective data channels, the data of that effective data channel is decoded and checked, and the final data is obtained by majority vote (the minority obeys the majority); if the data of each channel all differ, the data is discarded directly and the error count is incremented, and an alarm is given if the error count reaches a set value; (16) The second data processing circuit transmits the final data to the second network unit host.
2. The heterogeneous multi-channel safety isolation information transmission method of claim 1, further comprising the following steps: (21) After the system program is started, the second network unit host first generates a second transmission random number, calculates the serial numbers of at least three effective data channels from the random number, and sends the serial numbers of the effective data channels to the third data processing circuit, which forwards them to the fourth data processing circuit; the fourth data processing circuit stores the received serial numbers of the effective data channels and performs data verification according to the stored serial numbers; (22) When the second network unit host receives data that needs to be sent to the first network unit host, it encodes the data according to the format corresponding to each current effective channel and stores the encoded data in the buffer corresponding to each effective data channel; (23) The second network unit host sends the data of each buffer to the corresponding effective data channel in an asynchronous manner; (24) After receiving the data of each effective data channel, the third data processing circuit packs the data and sends it to the unidirectional optical fiber corresponding to that effective channel; (25) Each channel of the fourth data processing circuit receives data independently; after receiving a fixed-length packet it first checks the channel number against the stored effective data channels, and if the packet arrived on a channel outside the effective data channels the data is discarded directly and the error count is incremented, and an alarm is given if the error count reaches a set value; if the channel receiving the data is one of the current effective data channels, the data of that effective data channel is decoded and checked, and the final data is obtained by majority vote (the minority obeys the majority); if the data of each channel all differ, the data is discarded directly and the error count is incremented, and an alarm is given if the error count reaches a set value; (26) The fourth data processing circuit transmits the final data to the first network unit host.
3. The heterogeneous multi-channel safety isolation information transmission method of claim 1, wherein step (11) is as follows: when the system program is started, the first network unit host first generates a first transmission random number, calculates the serial numbers of at least three effective data channels from the first transmission random number, and sends the serial numbers of the effective data channels to the first data processing circuit, which forwards them to the second data processing circuit; the second data processing circuit saves the received serial numbers of the effective data channels and performs data verification according to the saved serial numbers; after a preset time, the first transmission random number is regenerated, the serial numbers of at least three effective data channels are calculated again from it and sent to the first data processing circuit and on to the second data processing circuit, the second data processing circuit stores the newly received serial numbers and performs data verification according to them, and this process repeats thereafter.
4. The heterogeneous multi-channel safety isolation information transmission method of claim 2, wherein step (21) is as follows: when the system program is started, the second network unit host first generates a second transmission random number, calculates the serial numbers of at least three effective data channels from the second transmission random number, and sends the serial numbers of the effective data channels to the third data processing circuit, which forwards them to the fourth data processing circuit; the fourth data processing circuit saves the received serial numbers of the effective data channels and performs data verification according to the saved serial numbers; after the preset time, the second transmission random number is regenerated, the serial numbers of at least three effective data channels are calculated again from it and sent to the third data processing circuit and on to the fourth data processing circuit, the fourth data processing circuit stores the newly received serial numbers and performs data verification according to them, and this process repeats thereafter.
5. A heterogeneous multi-channel security-isolated information transfer system for performing the heterogeneous multi-channel security-isolated information transfer method of any of claims 1 to 4, comprising a first network unit and a second network unit, characterized in that: the first network unit host is provided with a plurality of sending ports, each sending port of the first network unit host is connected to a corresponding receiving port of a first data processing circuit, the first data processing circuit is connected through a plurality of unidirectional optical fibers to a second data processing circuit and transmits data to it, and the sending port of the second data processing circuit is connected to the receiving port of the second network unit.
6. The heterogeneous multi-channel security-isolated information transfer system of claim 5, wherein: the second network unit is provided with a plurality of sending ports, the sending ports of the second network unit are correspondingly connected with the receiving port of the third data processing circuit, the third data processing circuit is connected through a plurality of unidirectional optical fibers and transmits data to the fourth data processing circuit, and the sending port of the fourth data processing circuit is connected with the receiving port of the first network unit.
7. The heterogeneous multi-channel security-isolated information transfer system of claim 5, wherein: the number of the unidirectional optical fibers connected between the first data processing circuit and the second data processing circuit is equal to the number of the channels between the first network unit host and the first data processing circuit, and a one-to-one correspondence relationship exists.
8. The heterogeneous multi-channel security-isolated information transfer system of claim 6, wherein: the number of the unidirectional optical fibers connected between the third data processing circuit and the fourth data processing circuit is equal to the number of the channels between the second network unit host and the third data processing circuit, and a one-to-one correspondence relationship exists.
9. The heterogeneous multi-channel security-isolated information transfer system of claim 5, wherein: the first data processing circuit and the second data processing circuit are FPGA data processing circuits.
10. The heterogeneous multi-channel security-isolated information transfer system of claim 6, wherein: the third data processing circuit and the fourth data processing circuit are FPGA data processing circuits.
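The following Python simulation is an added example that is not the patent's own code or FPGA design; it models the method of claims 1 to 4 end to end so the receiver-side checks can be exercised: derivation of at least three effective channel numbers from a transmission random number, one buffer per effective channel with a channel-specific encoding, the fixed-length packet, the receiving circuit's rejection of data on non-effective channels, majority voting (the minority obeys the majority), the error counter with its alarm threshold, and the periodic re-selection of channels from a fresh random number. The channel count, packet length, the XOR-plus-CRC per-channel format, the alarm threshold, and the use of the random number as a seed for sampling channel numbers are all assumptions; the patent fixes none of them.

```python
"""Constructed simulation of the multi-channel one-way transfer in claims 1 to 4."""
import random
import struct
import zlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed parameters: the patent fixes none of these numerically.
TOTAL_CHANNELS = 8       # physical channels, one unidirectional fiber each
NUM_EFFECTIVE = 3        # the claims require at least three effective data channels
PACKET_LEN = 64          # the claims only say "fixed-length packet"
ALARM_THRESHOLD = 3      # the "set value" of the error count
HEADER = struct.Struct(">BH")            # channel number, payload length
CRC_LEN = 4
MAX_PAYLOAD = PACKET_LEN - HEADER.size - CRC_LEN


def select_effective_channels(transmission_random_number: int) -> List[int]:
    """Derive the effective channel numbers from the host's random number (step 11/21)."""
    rng = random.Random(transmission_random_number)   # assumed derivation
    return sorted(rng.sample(range(TOTAL_CHANNELS), NUM_EFFECTIVE))


def channel_key(ch: int) -> int:
    """Per-channel byte giving each channel its own (assumed) encoding format."""
    return (0x5A * (ch + 1)) & 0xFF


def encode(payload: bytes, ch: int) -> bytes:
    """Channel-specific encoding plus CRC, padded to the fixed packet length (steps 12/14)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload does not fit one fixed-length packet")
    body = bytes(b ^ channel_key(ch) for b in payload)
    crc = struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF)
    return (HEADER.pack(ch, len(payload)) + body + crc).ljust(PACKET_LEN, b"\x00")


def decode(pkt: bytes, ch: int) -> Optional[bytes]:
    """Inverse of encode; None means the packet failed the check for this channel."""
    if len(pkt) != PACKET_LEN:
        return None
    hdr_ch, length = HEADER.unpack_from(pkt)
    if hdr_ch != ch or length > MAX_PAYLOAD:
        return None
    start = HEADER.size
    body = pkt[start:start + length]
    crc = pkt[start + length:start + length + CRC_LEN]
    payload = bytes(b ^ channel_key(ch) for b in body)
    if struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF) != crc:
        return None
    return payload


@dataclass
class SenderHost:
    """First network unit host: one buffer per effective channel (steps 12/13)."""
    effective: List[int]

    def send(self, data: bytes) -> Dict[int, bytes]:
        return {ch: encode(data, ch) for ch in self.effective}


@dataclass
class ReceiverCircuit:
    """Second data processing circuit: channel check, majority vote, error count (step 15)."""
    effective: List[int]
    error_count: int = 0
    alarm: bool = False

    def _discard(self) -> None:
        self.error_count += 1
        if self.error_count >= ALARM_THRESHOLD:
            self.alarm = True
        return None

    def receive(self, packets: Dict[int, bytes]) -> Optional[bytes]:
        # Data arriving on a channel outside the saved effective set is discarded.
        if any(ch not in self.effective for ch in packets):
            return self._discard()
        # Each effective channel is decoded and checked independently.
        votes = [decode(packets[ch], ch) for ch in self.effective if ch in packets]
        votes = [v for v in votes if v is not None]
        # The minority obeys the majority: accept only a value held by more than half the channels.
        if votes:
            value, count = Counter(votes).most_common(1)[0]
            if 2 * count > len(self.effective):
                return value
        return self._discard()


def reselect(sender: SenderHost, receiver: ReceiverCircuit, new_random_number: int) -> List[int]:
    """Claims 3/4: after the preset time both sides adopt channels from a fresh random number."""
    chans = select_effective_channels(new_random_number)
    sender.effective = list(chans)
    receiver.effective = list(chans)
    return chans


if __name__ == "__main__":
    chans = select_effective_channels(2017)
    tx, rx = SenderHost(list(chans)), ReceiverCircuit(list(chans))
    print(chans, rx.receive(tx.send(b"telemetry frame 1")), rx.error_count, rx.alarm)
```

In this model a single corrupted channel is outvoted by the other two, a packet on a channel the receiver was never told about is dropped without being decoded, and three mutually disagreeing channels count as an error; three such errors trip the alarm flag, which is where the sound-and-light or upper-computer alarm of the description would hook in.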
CN201710782879.3A 2017-09-03 2017-09-03 Heterogeneous multi-channel safety isolation information transmission system and method Active CN107493292B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710782879.3A CN107493292B (en) 2017-09-03 2017-09-03 Heterogeneous multi-channel safety isolation information transmission system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710782879.3A CN107493292B (en) 2017-09-03 2017-09-03 Heterogeneous multi-channel safety isolation information transmission system and method

Publications (2)

Publication Number Publication Date
CN107493292A CN107493292A (en) 2017-12-19
CN107493292B true CN107493292B (en) 2023-04-07

Family

ID=60651340

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710782879.3A Active CN107493292B (en) 2017-09-03 2017-09-03 Heterogeneous multi-channel safety isolation information transmission system and method

Country Status (1)

Country Link
CN (1) CN107493292B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108429729B (en) * 2018-01-19 2023-07-18 昆明理工大学 Data communication isolation system and isolation method in industrial big data acquisition environment
CN109617908B (en) * 2019-01-07 2021-09-17 北京航天晨信科技有限责任公司 Secret-related information transmission method and system of integrated communication unit
CN110674509B (en) * 2019-07-30 2021-06-29 浙江华云信息科技有限公司 System for realizing cross-network high-frequency data secure transmission and working method thereof
CN110730170A (en) * 2019-10-10 2020-01-24 山东超越数控电子股份有限公司 Internal and external network isolation method and system
CN111224931A (en) * 2019-10-11 2020-06-02 工业互联网创新中心(上海)有限公司 Industrial isolation communication system and method
CN114095184A (en) * 2020-07-15 2022-02-25 中国航发上海商用航空发动机制造有限责任公司 Data transmission system and transmission method thereof

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1601955A (en) * 2003-09-23 2005-03-30 北京国保金泰信息安全技术有限公司 Data one-way transmission system based on one-way isolated hardware channel
CN101127680A (en) * 2007-07-20 2008-02-20 胡德勇 Unidirectional physical separation network brake for USB optical fiber
CN101867417A (en) * 2010-07-01 2010-10-20 中国人民解放军国防科学技术大学 Unidirectional transmission method based on optical fiber multi-way coupling
CN104683352A (en) * 2015-03-18 2015-06-03 宁波科安网信通讯科技有限公司 Industrial communication isolation gap with double-channel ferrying function
CN106850156A (en) * 2016-11-28 2017-06-13 深圳市鑫之淼科技有限公司 No-feedback one-way data transmission set and transmission method based on network interface
CN106850188A (en) * 2017-01-24 2017-06-13 中国航天系统科学与工程研究院 A kind of data transmission system based on multichannel isomery one-way transmission path

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7941828B2 (en) * 2007-08-24 2011-05-10 The Boeing Company Method and apparatus for simultaneous viewing of two isolated data sources
KR101593168B1 (en) * 2014-09-11 2016-02-18 한국전자통신연구원 Physical one direction communication device and method thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杨越. Research on one-way transmission technology based on multiple transmission channels. 计算机应用与软件 (Computer Applications and Software). 2017, vol. 34, pp. 1-7. *

Also Published As

Publication number Publication date
CN107493292A (en) 2017-12-19

Similar Documents

Publication Publication Date Title
CN107493292B (en) Heterogeneous multi-channel safety isolation information transmission system and method
CN112887267A (en) Network isolation system with message authentication function and method thereof
US20160149696A1 (en) Transparent Serial Encryption
US20060120521A1 (en) System and method for optimizing error detection to detect unauthorized modification of transmitted data
CN100521598C (en) Method and system of implementing secure communication between internal and external computer networks based on simplex communication principle
WO2012012266A2 (en) Secure acknowledgment device for one-way data transfer system
CN105656902A (en) One-way reliable transmission and control system based on light transmission
CN108259127B (en) PCIE dual-redundancy ten-gigabit network IP core
CN108810023A (en) Safe encryption method, key sharing method and safety encryption isolation gateway
CN103209191A (en) Method for realizing physical partition of internal and external networks
Kiyavash et al. A timing channel spyware for the CSMA/CA protocol
US20170339191A1 (en) Transmission/reception apparatus of security gateway for physical unidirectional communication performing security tunneling and data re-transmission, and data transmission method using same
US9515989B1 (en) Methods and apparatus for silent alarm channels using one-time passcode authentication tokens
KR101063152B1 (en) One-way data transmission system and method
CN114500068B (en) Information data exchange system based on safety isolation gatekeeper
CN113612762A (en) Safe one-way data transmission device for industrial internet
Kent Encryption-based protection for interactive user/computer communication
CN206506555U (en) The information transmission system of isomery multichannel security isolation
CN100596350C (en) Method for encrypting and decrypting industrial control data
CN101478428B (en) Software and hardware cooperative Ethernet failure security communication system and data transmission method
Harttung et al. Lightweight authenticated encryption for network-on-chip communications
CN114208258A (en) Intelligent controller and sensor network bus and system and method including message retransmission mechanism
CN207926637U (en) The information transmission system of isomery multichannel security isolation
CN109361583B (en) 1553 bus function safety communication system
Ulz et al. Towards trustworthy data in networked control systems: A hardware-based approach

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant