CN108494549B - Key index negotiation device, system and method based on FPGA - Google Patents


Info

Publication number: CN108494549B
Application number: CN201810161967.6A
Authority: CN (China)
Other versions: CN108494549A (en)
Other languages: Chinese (zh)
Inventor: 郑重
Current and original assignee: Beijing Cyber Xingan Technology Co ltd
Legal status: Active
Prior art keywords: key index, frame, terminal, address, table entry
Events: application filed by Beijing Cyber Xingan Technology Co ltd; priority to CN201810161967.6A; publication of CN108494549A; application granted; publication of CN108494549B

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
              • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a key index negotiation device, system and method, belonging to the field of communication. The method comprises the following steps: receiving a data packet to be sent, and searching the mapping table for a table entry whose opposite-end address is IP2; if no such entry exists, newly building a key index; sending the first frame to the terminal 2; acquiring a second frame sent by the terminal 2 and storing the second frame in an on-chip RAM; updating the state of the table entry whose opposite-end address is IP2 to FIN, and updating the key index field of the corresponding table entry of the terminal 1 to the key index value carried in the second frame; sending the third frame to the terminal 2. The device, the system and the method can complete the negotiation of the required key index according to the data flow in the current network while consuming very little network overhead; the flexibility of using the key index is greatly improved, the key index is not affected by the network topology, and the key index can be dynamically regenerated even if the whole network topology changes.

Description

Key index negotiation device, system and method based on FPGA
Technical Field
The invention relates to the technical field of point-to-point encryption communication, in particular to a key index negotiation device, system and method based on an FPGA.
Background
Throughout the development history of cryptography, the protection of data has increasingly shown a new characteristic: security rests on the secrecy of the key rather than on the secrecy of the algorithm. Key management and key use have therefore become the key points for guaranteeing data security. Key management is discussed in detail in many documents and books and is not repeated here; the method of key use, however, remains at a rather traditional stage and still offers sufficient room and value for research and improvement.
The main problem in the use of keys is the key index, i.e. how to determine which set of keys should be used for the encryption and decryption of packets belonging to a certain terminal address. Currently, the general method is to prepare in advance a full mapping table whose entries consist of all addresses and their corresponding key indexes, with the terminal address as the primary key of each entry. During encryption and decryption, the key to be used is determined from the key index of the terminal address. This method has many disadvantages, however: firstly, all terminal addresses must be known when the table is prefabricated, and secondly, when the mapping relationship between terminal addresses and key indexes changes, the amount of modification to the mapping table is too large.
In conclusion, the traditional method or system for using keys is inflexible, has a high cost, and requires a large workload for modifying the mapping table.
Disclosure of Invention
In view of the foregoing analysis, the present invention aims to provide a key index negotiation apparatus, system and method based on FPGA, which solves the problems of inflexible prefabricated mapping table, high cost and large workload for modifying the mapping table in the prior art.
The purpose of the invention is mainly realized by the following technical scheme:
in one aspect, an FPGA-based key index negotiation apparatus is provided, including an FPGA1 and a CPU1; the FPGA1 includes an on-chip RAM1;
the FPGA1 is configured to search, when receiving a to-be-sent data packet, the mapping table for a table entry whose opposite-end address is IP2, and if the table entry is not found, notify the CPU1 to create a new key index; the FPGA1 is also used for acquiring a second frame sent by the terminal 2, storing the second frame in the data area of the on-chip RAM1 and notifying the CPU1 to process it;
a CPU1 for performing:
newly building a key index;
transmitting a first frame including a key index value of terminal 1, a frame count, IP1, and IP2, to terminal 2;
when receiving the processing notification, reading out the second frame, adding or updating the table entry state with the opposite end address being IP2 to FIN, and updating the key index field of the table entry to the key index value in the second frame;
transmitting a third frame including the key index value of the terminal 1, the frame count, the IP1, and the IP2 to the terminal 2.
Further, the FPGA1 notifies the CPU1 by way of an interrupt.
Further, the mapping table comprises a table entry index, a state, a home terminal address, an opposite terminal address and a key index field; the state field indicates the negotiation state of the key index, where FIN indicates completion, NEW indicates new establishment, and ACK indicates response.
Further, table entries are searched through a secondary matching algorithm; the mapping table employs a redundancy setting for address conflicts.
Further, newly building the key index includes: writing IP1 and IP2 to the on-chip RAM1 data area; converting IP2 into an H value, and adding a new entry with state NEW at the position whose mapping table entry index equals the H value.
In a second aspect, a key index negotiation method is provided, which includes the following steps:
receiving a data packet to be sent, and searching a table entry with an IP2 address of an opposite end in a mapping table;
if no such entry is found, newly building a key index;
transmitting a first frame including a key index value of terminal 1, a frame count, IP1, and IP2, to terminal 2;
acquiring and storing a second frame sent by the terminal 2;
reading out the second frame, adding or updating the table entry state with the opposite end address being IP2 to FIN, and updating the key index field of the table entry to the key index value in the second frame;
transmitting a third frame including the key index value of the terminal 1, the frame count, the IP1, and the IP2 to the terminal 2.
Wherein, IP1 and IP2 are the IP address of terminal 1 and the IP address of terminal 2, respectively.
In a third aspect, an FPGA-based key index negotiation device is provided, which includes an FPGA2 and a CPU2, where the FPGA2 includes an on-chip RAM2 data area;
the FPGA2 is used for capturing a first frame sent by the terminal 1 and storing the first frame in an on-chip RAM2 data area; and is also used for capturing the third frame sent by the terminal 1 and storing in the data area of the on-chip RAM 2;
a CPU2 for performing:
reading out the first frame, searching a table entry with an opposite end address of IP1, adding or updating the state of the table entry to be ACK, and updating a key index field of the table entry to be a key index value in the first frame;
transmitting a second frame to the terminal 1, the second frame including the key index value of the terminal 2, the frame count, the IP1, and the IP 2;
and reading the third frame, adding or updating the state of the table entry with the opposite end address of IP1 to FIN, and updating the key index field of the table entry to the key index value in the third frame.
In a fourth aspect, a key index negotiation method is provided, which includes the following steps:
capturing a first frame sent by a terminal 1 and storing the first frame;
reading out the first frame, searching a table entry with an opposite end address of IP1, adding or updating the state of the table entry to be ACK, and updating a key index field of the table entry to be a key index value in the first frame;
transmitting a second frame to the terminal 1, the second frame including the key index value of the terminal 2, the frame count, the IP1, and the IP 2;
capturing and storing a third frame sent by the terminal 1;
and reading the third frame, adding or updating the state of the table entry with the opposite end address of IP1 to FIN, and updating the key index field of the table entry to the key index value in the third frame.
In a fifth aspect, a two-party key index negotiation system based on FPGA is provided, which includes the key index negotiation apparatus provided in the first aspect connected to the terminal 1 and the key index negotiation apparatus provided in the third aspect connected to the terminal 2.
A sixth aspect provides a two-party key index negotiation method, including the key index negotiation method provided in the second aspect and the key index negotiation method provided in the fourth aspect.
The beneficial effects of the above scheme are as follows:
an FPGA1 and a CPU1 are arranged at terminal 1 of the two communicating terminals, and an FPGA2 and a CPU2 are arranged at terminal 2; the RAM1 is arranged in the FPGA1, the RAM2 is arranged in the FPGA2, and the FPGA1 and the FPGA2 are connected through a network interface to realize data transmission and key index negotiation. The negotiation of the required key index can be completed according to the data flow in the current network while consuming only very little network overhead.
The method not only greatly improves the flexibility of using the key index, but also is not influenced by the network topology, and the key index can be dynamically generated again even if the whole network topology is changed.
The software and hardware are combined, and the software assists the hardware.
The FPGA notifies the CPU by interrupt, and data is shared through the on-chip RAM, so that dynamic negotiation of the key index is realized.
The mapping table uses the opposite terminal address as its primary key. The address translation fixes the number of entries per table at 1024, which is fewer than the number of entries in the mapping table of the conventional design. The address conversion result is the index value of the table entry, so an entry is addressed directly by the index value when it is accessed. This is faster than the traditional indexing mode, avoids a large amount of time spent on logic operations, and greatly improves matching efficiency.
A simple and efficient secondary matching algorithm is adopted to design the mapping table and search its entries, achieving a smaller mapping table at an extremely low address-conflict cost.
It follows from the address translation function that multiple addresses can produce the same translation result, so a single table is far from sufficient to store the mapping relationship. When designing the mapping table, a multi-table parallel method with an address-conflict redundancy function is therefore adopted: four mapping tables are used in total, allowing up to four conflicting addresses, and multiple opposite-end addresses with the same translation result are placed at the H-value position of each of the four mapping tables in turn. At the same time, inactive table entries are periodically cleaned by examining the hit count of each entry, so that the mapping table is kept as free as possible, the address-conflict redundancy function is preserved, and the address conflict problem is solved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, wherein like reference numerals are used to designate like parts throughout.
FIG. 1 is a hardware configuration diagram according to embodiment 1 of the present invention;
FIG. 2 is a flow chart of example 2 of the present invention;
FIG. 3 is a hardware configuration diagram according to embodiment 3 of the present invention;
FIG. 4 is a flowchart of embodiment 4 of the present invention;
FIG. 5 is a diagram of a hardware network structure according to embodiment 5 of the present invention;
FIG. 6 is a flowchart of key index negotiation according to embodiment 6 of the present invention.
Detailed Description
The preferred embodiments of the present invention will now be described in detail with reference to the accompanying drawings, which form a part hereof, and which together with the embodiments of the invention serve to explain the principles of the invention.
The key index negotiation is completed by the terminal 1 and the terminal 2 communicating with each other, and the IP address of the terminal 1 and the IP address of the terminal 2 are IP1 and IP2, respectively.
Example 1
As shown in fig. 1, the present embodiment relates to a key agreement apparatus at a communication initiator, i.e., a terminal 1. An FPGA1 and a CPU1 are arranged at the terminal 1; the FPGA1 includes on-chip RAM 1.
The FPGA1 is configured to search, when receiving a to-be-sent data packet, the mapping table for a table entry whose opposite-end address is IP2, and if the table entry is not found, notify the CPU1 to create a new key index; the FPGA1 is also used for acquiring a second frame sent by the terminal 2, storing the second frame in the data area of the on-chip RAM1 and notifying the CPU1 to process it;
a CPU1 for performing: after the key index is newly established, sending a first frame to the terminal 2, wherein the first frame comprises the key index value, the frame count, the IP1 and the IP2 of the terminal 1; when receiving the processing notification, reading out the second frame, adding or updating the table entry state with the opposite end address being IP2 to FIN, and updating the key index field of the table entry to the key index value in the second frame; transmitting a third frame including the key index value of the terminal 1, the frame count, the IP1, and the IP2 to the terminal 2.
An FPGA with on-chip RAM is adopted for data sharing, so that the dynamic negotiation of the key index with the terminal 2 is better realized. The device can form data connections over a variety of communication paths, is not affected by the network topology, and has wide adaptability; processing is real-time and the time overhead is small; safety is preserved when power is lost; processing is flexible and the design is highly extensible.
The FPGA1 notifies the CPU1 by way of an interrupt. The dynamic real-time performance of negotiation is realized by the interrupt mode communication.
The first frame informs the opposite terminal of the link establishment information, the second frame confirms that the opposite terminal has responded and takes effect, and the third frame informs the opposite terminal that the home terminal has taken effect and enables the opposite terminal to take effect.
The mapping table and the data area in the RAM1 are separate regions. The mapping table holds the entries that the FPGA1 searches with the primary key value IP2; when a new key index is needed, the data area of the RAM1 holds the IP1 and IP2 information.
It should be noted that the mapping table includes the table entry index, state, home address, peer address, key index and hit count fields, as shown in Table 1; the main fields are described in Table 2. Addresses are stored as 32-bit integers (16842852 is 1.1.0.100, whose H value is 102).
Table 1 mapping table structure

Entry index | State | Local terminal address | Opposite terminal address | Key index | Hit count
0           | 0     | 0                      | 0                         | 0         | 0
1           | 0     | 0                      | 0                         | 0         | 0
…           | …     | …                      | …                         | …         | …
102         | FIN   | 16842757               | 16842852                  | 16        | 2308
…           | …     | …                      | …                         | …         | …
1023        | 0     | 0                      | 0                         | 0         | 0

Table 2 mapping table field description (provided as images in the original; not reproduced here)
The new key index can be created in the following way: writing IP1 and IP2 to the on-chip RAM1 data area; converting IP2 into an H value, and adding a new entry with state NEW at the position whose mapping table entry index equals the H value.
The IP2 may be converted to an H value using the following address conversion function:
H(IP2)=IP2.1+IP2.2+IP2.3+IP2.4
where H(IP2) is the converted H value, and IP2.1, IP2.2, IP2.3 and IP2.4 are the decimal values of the four dotted bytes of the IP2 address.
For example, if IP2 is 1.1.0.100 (16842852 as a 32-bit integer), then H(IP2) = 1 + 1 + 0 + 100 = 102.
Optionally, the table entry is searched through a secondary matching algorithm. Using a simple and efficient secondary matching algorithm makes table entry searching simple and efficient, and achieves a smaller mapping table at a very low address-conflict cost.
The mapping table adopts a redundancy setting for address conflicts and uses a multi-table parallel mode.
As follows from the address conversion function, several addresses can produce the same conversion result, so storing the mapping relationship in only one table is far from sufficient. To solve the conflict problem, a multi-table parallel method with an address-conflict redundancy function can be adopted when designing the mapping table, which solves well the conflicts that arise when searching table entries.
For example, the present embodiment may use four mapping tables, allowing up to four conflicting addresses; multiple peer addresses with the same address translation result are placed at the H-value position of each of the four mapping tables in turn.
Inactive table entries can also be cleaned regularly by examining the hit count of each entry, so that the mapping table is kept as free as possible, the address-conflict redundancy function is preserved, and the address conflict problem is solved better.
Example 2
As shown in fig. 2, the present embodiment relates to a key agreement method implemented at a communication transmitting end, i.e., the terminal 1.
The method comprises the following steps:
step S201, receiving a data packet to be sent, and searching a table entry with an IP2 address of an opposite terminal in a mapping table;
step S202, if no such entry is found, a key index is newly created; otherwise, the process ends.
Step S203, sending a first frame to the terminal 2, wherein the first frame comprises a key index value of the terminal 1, a frame count, IP1 and IP 2;
step S204, acquiring and storing a second frame sent by the terminal 2;
step S205, reading out the second frame, adding or updating the table entry state with the opposite end address of IP2 to FIN, and updating the key index field of the table entry to the key index value in the second frame;
and step S206, transmitting a third frame to the terminal 2, wherein the third frame comprises the key index value of the terminal 1, the frame count, the IP1 and the IP2.
The present embodiment adopts the same principle as embodiment 1, and the same points can be referred to each other, and the same technical effects can be achieved.
Example 3
The present embodiment relates to a key agreement apparatus at the communication reception end, i.e., the terminal 2. An FPGA2 and a CPU2 are provided at the terminal 2, and the FPGA2 includes an on-chip RAM2 data area.
Specifically:
the FPGA2 is used for capturing a first frame sent by the terminal 1 and storing the first frame in an on-chip RAM2 data area; and is also used for capturing the third frame sent by the terminal 1 and storing in the data area of the on-chip RAM 2;
a CPU2 for performing:
reading out the first frame, searching a table entry with an opposite end address of IP1, adding or updating the state of the table entry to be ACK, and updating a key index field of the table entry to be a key index value in the first frame;
transmitting a second frame to the terminal 1, the second frame including the key index value of the terminal 2, the frame count, the IP1, and the IP 2;
and reading the third frame, adding or updating the state of the table entry with the opposite end address of IP1 to FIN, and updating the key index field of the table entry to the key index value in the third frame.
The apparatus of this embodiment realizes the key index negotiation with the terminal 1 dynamically and in real time, is not affected by changes in the network topology, and has high flexibility and wide adaptability; processing is real-time and the time overhead is small; safety is preserved when power is lost; processing is flexible and the design is highly extensible.
Example 4
As shown in fig. 4, the present embodiment relates to a key index negotiation method at the communication receiving end, i.e., the terminal 2, which includes the following steps:
s401, capturing a first frame sent by a terminal 1 and storing the first frame;
s402, reading out the first frame, searching for a table entry with an opposite end address of IP1, adding or updating the state of the table entry to be ACK, and updating a key index field of the table entry to be a key index value in the first frame;
s403, sending a second frame to the terminal 1, wherein the second frame comprises the key index value of the terminal 2, the frame count, the IP1 and the IP 2;
s404, capturing and storing a third frame sent by the terminal 1;
s405, reading out the third frame, adding or updating the state of the table entry with the opposite end address of IP1 to FIN, and updating the key index field of the table entry to the key index value in the third frame.
The present embodiment and embodiment 3 are based on the same principle, can refer to each other, and can achieve the same effect.
Example 5
This embodiment describes the key index negotiation system formed by the two communicating parties together.
The hardware architecture on which the method is based is shown in fig. 5, namely, the system comprises a system of both embodiment 1 and embodiment 3. An FPGA1 and a CPU1 are arranged at the terminal 1; the FPGA1 includes on-chip RAM 1; an FPGA2 and a CPU2 are arranged at the terminal 2; the FPGA2 includes on-chip RAM 2; the FPGA1 and the FPGA2 are interconnected by a network; various network connection modes, such as wireless and wired, are not described herein.
In the system of the embodiment, the FPGA with the on-chip RAM is adopted for data sharing, so that dynamic negotiation of key indexes is better realized, and the real-time performance of the negotiation is realized through communication in an interrupt mode. The system is connected with the two communication parties, is not influenced by a network topological structure, and has wide adaptability.
Example 6
In this embodiment, the method for completing key index negotiation is described by interaction between two communication parties.
The specific steps are shown in fig. 6, and comprise the following steps:
step S601: when a data packet to be sent by the terminal 1 passes through the FPGA1, the FPGA1 searches the mapping table for an entry whose opposite-end address is IP2. If the entry is not found, the CPU1 is notified through an interrupt to enter step S602 and newly create a key index, and the IP addresses IP1 and IP2 of the sending end and the receiving end are written into the RAM1 data area of the FPGA1; if the entry is found, the negotiation ends;
step S602: the CPU1 reads out IP1 and IP2 from the data area of the RAM1, converts IP2 into an H value, and adds a new entry in the NEW state at the H-value position of the mapping table.
Step S603: the CPU1 transmits information including its key index value, frame count, IP1, and IP2 as a first frame.
Step S604: the FPGA2 captures the first frame that passes through, saves to the data area of the RAM2 and notifies the CPU2 of the processing through an interrupt.
Step S605: the CPU2 reads out the first frame from the RAM2 data area, searches for an entry whose opposite end address is IP1, adds or updates the status of the entry to ACK, and updates the key index field of the entry to the key index value in the first frame.
Step S606: the CPU2 transmits information including its key index value, frame count, IP1, and IP2 to the terminal 1 as a second frame.
Step S607: the FPGA1 captures the second frame that passes through, saves to the data area of the RAM1 and notifies the CPU1 of the processing through an interrupt.
Step S608: the CPU1 reads out the second frame from the RAM1 data area, searches for an entry having an opposite end address of IP2, updates the state of the entry to FIN, and updates the key index field of the entry to the key index value in the second frame.
Step S609: the CPU1 transmits a third frame of information including its key index value, frame count, IP1, and IP2 to the terminal 2.
Step S610: the FPGA2 captures the passing third frame, saves to the data area of the RAM2 and notifies the CPU2 of the processing through an interrupt.
Step S611: the CPU2 reads out the third frame from the RAM2 data area, searches for an entry having an opposite end address of IP1, updates the state of the entry to FIN, and updates the key index field of the entry to the key index value in the third frame.
The key index negotiation between the two parties is then complete.
Through three exchanged frames, the mapping relationship between the opposite terminal's address and the key index is established on both sides. The method not only greatly improves the flexibility of using the key index, but is also not affected by the network topology, and the key index can be dynamically regenerated even if the whole network topology changes.
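The address conversion H, the four parallel 1024-entry mapping tables with NEW/ACK/FIN states, the hit-count cleanup, and the three-frame exchange of steps S601 to S611, as an added Python model that is not the patent's own code. The FPGA capture and interrupt path is replaced by direct method calls, key indexes are drawn from a per-terminal counter, and the sweep policy (drop entries not hit since the previous sweep) is an assumption, since the patent does not specify these details.

```python
"""Software model of the patent's FPGA/CPU key index negotiation (added example,
not the patent's code). FPGA capture and interrupts become direct method calls;
counter-based key index allocation and the sweep policy are assumptions."""
from dataclasses import dataclass
from typing import Optional

TABLE_SIZE = 1024   # H(IP) ranges over 0..1020, so 1024 entries per table
TABLE_COUNT = 4     # four parallel tables absorb up to four address conflicts
EMPTY, NEW, ACK, FIN = "", "NEW", "ACK", "FIN"


def h_index(ip: str) -> int:
    """Address conversion H(IP) = IP.1 + IP.2 + IP.3 + IP.4 over decimal octets."""
    return sum(int(octet) for octet in ip.split("."))


@dataclass
class Entry:
    state: str = EMPTY
    local: str = ""
    peer: str = ""
    key_index: int = 0
    hit_count: int = 0


class MappingTable:
    """Four parallel 1024-entry tables, directly addressed by H(peer address)."""
    def __init__(self) -> None:
        self.tables = [[Entry() for _ in range(TABLE_SIZE)] for _ in range(TABLE_COUNT)]
    def lookup(self, peer: str) -> Optional[Entry]:
        """Secondary matching: index by H, then compare the stored peer address."""
        h = h_index(peer)
        for table in self.tables:
            entry = table[h]
            if entry.state != EMPTY and entry.peer == peer:
                entry.hit_count += 1
                return entry
        return None
    def add_or_update(self, local: str, peer: str, state: str, key_index: int) -> Entry:
        """Update the peer's entry, or claim the first free slot at H(peer)."""
        entry = self.lookup(peer)
        if entry is None:
            h = h_index(peer)
            free = [t[h] for t in self.tables if t[h].state == EMPTY]
            if not free:  # a fifth peer hashing to the same H cannot be stored
                raise OverflowError(f"more than {TABLE_COUNT} peers collide at H={h}")
            entry = free[0]
            entry.local, entry.peer, entry.hit_count = local, peer, 0
        entry.state, entry.key_index = state, key_index
        return entry
    def sweep_inactive(self) -> int:
        """Assumed cleanup policy: drop entries not hit since the previous sweep."""
        dropped = 0
        for table in self.tables:
            for h, entry in enumerate(table):
                if entry.state != EMPTY and entry.hit_count == 0:
                    table[h], dropped = Entry(), dropped + 1
                entry.hit_count = 0
        return dropped


class Terminal:
    """CPU-side logic of one endpoint; the same class serves either role."""
    def __init__(self, ip: str, first_key_index: int) -> None:
        self.ip, self.table, self.frame_count = ip, MappingTable(), 0
        self.next_key_index = first_key_index   # assumption: counter-based allocation
    def _frame(self, key_index: int, ip1: str, ip2: str) -> dict:
        self.frame_count += 1
        return {"key_index": key_index, "frame_count": self.frame_count, "ip1": ip1, "ip2": ip2}
    def _new_key_index(self) -> int:
        self.next_key_index += 1
        return self.next_key_index - 1
    def on_packet_to_send(self, peer: str) -> Optional[dict]:
        """S601-S603 (terminal 1): hit means no negotiation; miss adds a NEW entry
        holding the freshly built key index and emits the first frame."""
        if self.table.lookup(peer) is not None:
            return None
        key_index = self._new_key_index()
        self.table.add_or_update(self.ip, peer, NEW, key_index)
        return self._frame(key_index, ip1=self.ip, ip2=peer)
    def on_first_frame(self, frame: dict) -> dict:
        """S604-S606 (terminal 2): store terminal 1's key index as ACK, answer with own."""
        peer = frame["ip1"]
        self.table.add_or_update(self.ip, peer, ACK, frame["key_index"])
        return self._frame(self._new_key_index(), ip1=peer, ip2=self.ip)
    def on_second_frame(self, frame: dict) -> dict:
        """S607-S609 (terminal 1): the NEW entry becomes FIN and now holds terminal 2's
        key index; the third frame still announces terminal 1's own value."""
        peer = frame["ip2"]
        own = self.table.lookup(peer).key_index       # value chosen at S602
        self.table.add_or_update(self.ip, peer, FIN, frame["key_index"])
        return self._frame(own, ip1=self.ip, ip2=peer)
    def on_third_frame(self, frame: dict) -> None:
        """S610-S611 (terminal 2): FIN with terminal 1's key index."""
        self.table.add_or_update(self.ip, frame["ip1"], FIN, frame["key_index"])
```

After the exchange each side's FIN entry holds the key index announced by the peer, and a later packet to the same peer hits the entry and triggers no new negotiation; a fifth peer whose H value collides with four stored ones raises OverflowError, which is the limit the four-table redundancy imposes.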
It should be noted that the same or similar parts may be referred to each other between the above embodiments.
Those skilled in the art will appreciate that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program, which is stored in a computer readable storage medium, to instruct related hardware. The computer readable storage medium is a magnetic disk, an optical disk, a read-only memory or a random access memory.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention.

Claims (8)

1. A key index negotiation device based on an FPGA, characterized by comprising an FPGA1 and a CPU1; the FPGA1 includes an on-chip RAM1;
the FPGA1 is configured to search a table entry with an IP2 address at an opposite end in a mapping table when receiving a to-be-sent data packet sent by the terminal 1 with the IP1 address, and notify the CPU1 to newly create a key index in the mapping table if the table entry is not searched; the FPGA1 is further configured to obtain a second frame sent by the terminal 2, and notify the CPU1 of processing; IP2 is the address of terminal 2;
the mapping table comprises table item indexes, states, a home terminal address, an opposite terminal address and key index fields; the state field is used for representing the negotiation state of the key index, FIN represents completion, NEW represents NEW establishment, and ACK represents response;
a RAM1 for holding the mapping table and the second frame; the second frame includes a key index value of the terminal 2, a frame count, IP1, and IP 2;
a CPU1 configured to execute the following process:
newly building a key index: writing IP1 and IP2 to the on-chip RAM1 data area; converting IP2 into an H value, and adding a new table entry with state NEW at the position where the table entry index in the mapping table equals the H value; the H value is obtained from the IP address by the following address conversion function: H(IP) = IP.1 + IP.2 + IP.3 + IP.4; where H(IP) is the H value after conversion of the corresponding IP address, and IP.1, IP.2, IP.3 and IP.4 are the decimal values of the four dotted bytes of the IP address;
transmitting a first frame including a key index value of terminal 1, a frame count, IP1, and IP2, to terminal 2;
after receiving the processing notification, reading out the second frame, adding or updating the table entry state with the opposite end address being IP2 in the mapping table to FIN, and updating the key index field of the table entry to the key index value in the second frame;
transmitting a third frame including the key index value of the terminal 1, the frame count, the IP1, and the IP2 to the terminal 2.
2. The key index negotiation apparatus of claim 1, wherein the FPGA1 notifies the CPU1 of new key index or process by means of an interrupt.
3. The key index agreement device according to one of claims 1-2, wherein the table entry is searched for by a quadratic matching algorithm; the mapping table employs redundancy settings with address conflicts.
4. A key index negotiation method, characterized by comprising the following steps:
receiving a data packet to be sent from terminal 1 whose address is IP1, and searching a mapping table for a table entry whose opposite-end address is IP2;
if it is not found, newly creating a key index: writing IP1 and IP2 into the data area of the on-chip RAM1; converting IP2 into an H value and adding a new table entry with state NEW at the position in the mapping table whose table entry index equals the H value; the H value is derived from the IP address by the following address conversion function: H(IP) = IP.1 + IP.2 + IP.3 + IP.4, where H(IP) is the H value obtained from the corresponding IP address, and IP.1, IP.2, IP.3 and IP.4 are the values of the four dotted-decimal bytes of the IP address;
transmitting a first frame to terminal 2 whose address is IP2, the first frame including the key index value of terminal 1, a frame count, IP1 and IP2;
acquiring and storing a second frame sent by terminal 2; the second frame includes the key index value of terminal 2, a frame count, IP1 and IP2;
reading out the second frame, adding or updating the table entry whose opposite-end address is IP2 in the mapping table to state FIN, and updating the key index of that table entry to the key index value in the second frame;
transmitting a third frame including the key index value of terminal 1, the frame count, IP1 and IP2 to terminal 2.
5. An FPGA-based key index negotiation device, characterized by comprising an FPGA2 and a CPU2, wherein the FPGA2 comprises an on-chip RAM2;
the FPGA2 is used for capturing a first frame sent by terminal 1 and storing it in the data area of the RAM2, and is further used for capturing a third frame sent by terminal 1 and storing it in the data area of the RAM2; the address of terminal 1 is IP1;
the CPU2 is used for performing:
reading out the first frame and looking up the table entry whose opposite-end address is IP1: if it is not found, adding a table entry with state ACK and updating the key index field of that table entry to the key index value in the first frame; if it is found, directly updating the state of the table entry to ACK and updating its key index field to the key index value in the first frame;
transmitting a second frame to terminal 1, the second frame including the key index value of terminal 2, a frame count, IP1 and IP2;
and reading out the third frame, adding or updating the table entry whose opposite-end address is IP1 to state FIN, and updating the key index field of that table entry to the key index value in the third frame.
6. A key index negotiation method, characterized by comprising the following steps:
capturing and storing a first frame sent by terminal 1 whose address is IP1;
reading out the first frame, searching for the table entry whose opposite-end address is IP1, adding or updating the state of that table entry to ACK, and updating the key index field of that table entry to the key index value in the first frame;
transmitting to terminal 1 a second frame including the key index value of terminal 2 whose address is IP2, a frame count, IP1 and IP2;
capturing and storing a third frame sent by terminal 1; the third frame includes the key index value of terminal 1, a frame count, IP1 and IP2;
and reading out the third frame, adding or updating the table entry whose opposite-end address is IP1 to state FIN, and updating the key index field of that table entry to the key index value in the third frame.
7. An FPGA-based two-party key index negotiation system, characterized in that it comprises a key index negotiation device according to any one of claims 1-3 connected to terminal 1 and a key index negotiation device according to claim 5 connected to terminal 2.
8. A two-party key index negotiation method, characterized in that it comprises the key index negotiation method according to claim 4 and the key index negotiation method according to claim 6.
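The three-frame exchange and the mapping table of claims 1 to 8, as an added Python simulation written for this page; it is not the patent's FPGA/CPU implementation. The address conversion function H(IP), the NEW/ACK/FIN states, the "adding or updating" step and the contents of the first, second and third frames are taken from the claims. The 1024-slot table (enough for H's range of 0 to 1020), the triangular-number probing used where two addresses map to the same H value (claim 3 only names a "quadratic matching algorithm" with redundant entries), the `Initiator`/`Responder`/`MappingTable` names and the sample addresses are assumptions of this example.

```python
"""Added simulation of the two-party key index negotiation in claims 1-8 (not
the patent's FPGA/CPU design). H(IP), the NEW/ACK/FIN states and the three
frames follow the claims; table size, probing order and counters are assumed."""
from dataclasses import dataclass
from typing import Optional

NEW, ACK, FIN = "NEW", "ACK", "FIN"

def h(ip: str) -> int:
    """Address conversion function from the claims: H(IP) = IP.1 + IP.2 + IP.3 + IP.4."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {ip!r}")
    return sum(octets)

@dataclass
class Entry:
    state: str                       # NEW, ACK or FIN
    local: str                       # home-end address
    peer: str                        # opposite-end address
    key_index: Optional[int] = None  # peer's key index once learned

@dataclass
class Frame:
    key_index: int   # sender's key index value
    count: int       # frame count
    ip1: str         # terminal 1 address
    ip2: str         # terminal 2 address

class MappingTable:
    """Indexed by H(peer). Distinct addresses can share an H value (1.0.0.10 and
    0.0.0.11 both give 11), so redundant slots are probed on conflict (assumed order)."""
    def __init__(self, size: int = 1024) -> None:
        self.slots: list = [None] * size

    def _probe(self, peer: str):
        # Triangular-number probing visits every slot of a power-of-two table.
        base, size = h(peer), len(self.slots)
        return ((base + i * (i + 1) // 2) % size for i in range(size))

    def find(self, peer: str) -> Optional[Entry]:
        for idx in self._probe(peer):
            e = self.slots[idx]
            if e is None:        # an empty slot ends the probe: no such entry
                return None
            if e.peer == peer:
                return e

    def add_or_update(self, local: str, peer: str, state: str,
                      key_index: Optional[int] = None) -> Entry:
        """The 'adding or updating' step of claims 1, 4, 5 and 6."""
        e = self.find(peer)
        if e is not None:
            e.state, e.key_index = state, key_index
            return e
        for idx in self._probe(peer):
            if self.slots[idx] is None:
                self.slots[idx] = e = Entry(state, local, peer, key_index)
                return e
        raise RuntimeError("mapping table full")

class Device:
    """Common state of both devices: own address, own key index, table, frame counter."""
    def __init__(self, ip: str, key_index: int) -> None:
        self.ip, self.key_index = ip, key_index
        self.table, self.count = MappingTable(), 0

    def _frame(self, ip1: str, ip2: str) -> Frame:
        self.count += 1
        return Frame(self.key_index, self.count, ip1, ip2)

class Initiator(Device):
    """Device attached to terminal 1 (claims 1 and 4)."""
    def on_packet_to_send(self, peer: str) -> Optional[Frame]:
        """FPGA lookup; if the peer is absent the CPU adds a NEW entry and emits the first frame."""
        if self.table.find(peer) is not None:
            return None
        self.table.add_or_update(self.ip, peer, NEW)
        return self._frame(self.ip, peer)

    def on_second_frame(self, f: Frame) -> Frame:
        """Peer's key index learned: entry goes to FIN and the third frame is emitted."""
        self.table.add_or_update(self.ip, f.ip2, FIN, f.key_index)
        return self._frame(self.ip, f.ip2)

class Responder(Device):
    """Device attached to terminal 2 (claims 5 and 6)."""
    def on_first_frame(self, f: Frame) -> Frame:
        """Entry for terminal 1 added or updated to ACK; reply carries terminal 2's key index."""
        self.table.add_or_update(self.ip, f.ip1, ACK, f.key_index)
        return self._frame(f.ip1, self.ip)

    def on_third_frame(self, f: Frame) -> Entry:
        return self.table.add_or_update(self.ip, f.ip1, FIN, f.key_index)

def negotiate(ip1: str, k1: int, ip2: str, k2: int):
    """Full exchange; returns (terminal 1's entry for IP2, terminal 2's entry for IP1)."""
    a, b = Initiator(ip1, k1), Responder(ip2, k2)
    second = b.on_first_frame(a.on_packet_to_send(ip2))
    b.on_third_frame(a.on_second_frame(second))
    return a.table.find(ip2), b.table.find(ip1)
```

`negotiate("192.168.1.10", 7, "192.168.1.20", 9)` (constructed addresses and key indices) ends with both tables in state FIN, each holding the other end's key index. The conflict path matters more than it looks: H sums four bytes, so it takes at most 1021 distinct values, and any two addresses with the same byte sum land on the same table entry index; the claims' redundant entries are what keep one peer's key index from overwriting another's, and a lookup must compare the stored opposite-end address rather than trust the index alone.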
CN201810161967.6A 2018-02-27 2018-02-27 Key index negotiation device, system and method based on FPGA Active CN108494549B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810161967.6A CN108494549B (en) 2018-02-27 2018-02-27 Key index negotiation device, system and method based on FPGA

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810161967.6A CN108494549B (en) 2018-02-27 2018-02-27 Key index negotiation device, system and method based on FPGA

Publications (2)

Publication Number Publication Date
CN108494549A CN108494549A (en) 2018-09-04
CN108494549B true CN108494549B (en) 2020-10-02

Family

ID=63340886

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810161967.6A Active CN108494549B (en) 2018-02-27 2018-02-27 Key index negotiation device, system and method based on FPGA

Country Status (1)

Country Link
CN (1) CN108494549B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267295A (en) * 2006-10-06 2008-09-17 美国博通公司 Method and system for processing information in safety communication system
CN102195776A (en) * 2006-10-06 2011-09-21 美国博通公司 Method and system for processing information in a safety communication system

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6957346B1 (en) * 1999-06-15 2005-10-18 Ssh Communications Security Ltd. Method and arrangement for providing security through network address translations using tunneling and compensations
CN101183934A (en) * 2007-10-23 2008-05-21 中兴通讯股份有限公司 Cipher key updating method in passive optical network
US8874866B1 (en) * 2010-01-25 2014-10-28 Altera Corporation Memory access system
US20140067772A1 (en) * 2012-08-31 2014-03-06 Nokia Corporation Methods, apparatuses and computer program products for achieving eventual consistency between a key value store and a text index
US9516065B2 (en) * 2014-12-23 2016-12-06 Freescale Semiconductor, Inc. Secure communication device and method
CN104702508B (en) * 2015-03-24 2018-07-10 深圳中兴网信科技有限公司 List item dynamic updating method and system
CN105450392B (en) * 2015-12-04 2019-01-25 四川九洲电器集团有限责任公司 A kind of method and device for determining key pair, data processing method

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267295A (en) * 2006-10-06 2008-09-17 美国博通公司 Method and system for processing information in safety communication system
CN102195776A (en) * 2006-10-06 2011-09-21 美国博通公司 Method and system for processing information in a safety communication system

Also Published As

Publication number Publication date
CN108494549A (en) 2018-09-04

Similar Documents

Publication Publication Date Title
JP3866466B2 (en) Data structure management device, data structure management system, data structure management method, and recording medium for storing data structure management program
US9813490B2 (en) Scheduled network communication for efficient re-partitioning of data
CN103475584A (en) Query method and query device for ternary content addressable memory (TCAM)
Xiao et al. Using parallel bloom filters for multiattribute representation on network services
JP2019531563A (en) Data processing method, storage system, and switching device
CN104462328A (en) Blended data management method and device based on Hash tables and dual-circulation linked list
CN106170956A (en) A kind of method for routing and equipment
Von der Weth et al. Multiterm keyword search in NoSQL systems
Patgiri et al. Hunting the pertinency of bloom filter in computer networking and beyond: A survey
WO2018227695A1 (en) Subscription data sending and receiving method, device and system
CN109408517B (en) Rule multidimensional search method, device and equipment and readable storage medium
CN108494549B (en) Key index negotiation device, system and method based on FPGA
CN116628285B (en) Block chain transaction data query method and device
EP3939236B1 (en) Node and cluster management on distributed self-governed ecosystem
JP2010266952A (en) Member management device, member management system, member management program, and member management method
CN111294285B (en) Network data distribution method and load balancer
CN103731454A (en) Method for responding to requests in point-to-point network and server system
CN114415971B (en) Data processing method and device
JP5949561B2 (en) Information processing apparatus, information processing system, information processing method, and information processing program
WO2017206634A1 (en) Method and device for querying semantics
CN113761300A (en) Message sampling method, device, equipment and medium based on bitmap calculation
EP3770767B1 (en) Data processing method and device, and computer readable storage medium
CN117827848B (en) Hash connection method, device, electronic equipment and storage medium
CN116881310B (en) Method and device for calculating set of big data
US20210117097A1 (en) Methods, devices, and computer program products for storage management

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant