CN108881022B - Network node device and method for scrambling and look-up table forwarding of datagram - Google Patents


Info

Publication number: CN108881022B
Authority: CN (China)
Prior art keywords: scrambling, data, operator, scrambler, message
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201810537863.0A
Other languages: Chinese (zh)
Other versions: CN108881022A
Inventors: 赵博, 刘勤让, 宋克, 沈剑良, 吕平, 王崇, 张兴明, 张文建, 朱珂, 谭力波
Current assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list): Information Technology Innovation Center Of Tianjin Binhai New Area; Information Engineering University of PLA Strategic Support Force
Original assignee: Information Technology Innovation Center Of Tianjin Binhai New Area; Information Engineering University of PLA Strategic Support Force
Events: application filed by Information Technology Innovation Center Of Tianjin Binhai New Area and Information Engineering University of PLA Strategic Support Force; priority to CN201810537863.0A; publication of CN108881022A; application granted; publication of CN108881022B; legal status active; anticipated expiration

Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L45/74 Address processing for routing (under H04L45/00 Routing or path finding of packets in data switching networks)
    • H04L45/742 Route cache; operation thereof
    • H04L45/745 Address table lookup; address filtering
    • H04L47/50 Queue scheduling (under H04L47/00 Traffic control in data switching networks)
    • H04L49/3009 Header conversion, routing tables or routing tags (under H04L49/30 Peripheral units, e.g. input or output ports, of H04L49/00 Packet switching elements)
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L63/14 Network security architectures or protocols for detecting or protecting against malicious traffic, H04L63/1441 Countermeasures against malicious traffic)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a network node device and a method for scrambled table-lookup forwarding of a datagram. The device comprises a parser, a message cache, table-lookup logic, a table-entry cache and a modifier, and further comprises scrambler A, scrambler B, descrambler A, descrambler B and a scrambling-code cache. A corresponding method for scrambled forwarding of datagrams is also provided. The invention builds on the general structure of the network forwarding nodes widely deployed today: when the scramblers and descramblers are set to pass-through mode the node becomes a conventional forwarding node, so it has good adaptability and compatibility; it resists trojan attacks triggered by unknown feature codes without knowing anything specific about the implanted trojan or its feature code; the scrambling code can be updated dynamically, which improves security; and scrambling and descrambling of service data and table data are performed entirely by the node's internal logic, so the service end and the configuration end connected to the node need not know the scrambling code, which further improves security.

Description

Network node device and method for scrambling and look-up table forwarding of datagram
Technical Field
The invention relates to the technical field of cyberspace security, and in particular to a network node device and a method for scrambled table-lookup forwarding of datagrams.
Background
The network forwarding node device, the network terminal node and the network link constitute the whole information network, wherein the network forwarding node device is responsible for receiving the network message, calculating the route and forwarding the network message according to the route table. The security of the network forwarding nodes has important value to the security of the whole information network.
At present, the threat of hardware trojans is growing more serious because hardware designs are handed to third-party manufacturers for production. Yang et al. (Yang, K., et al., A2: Analog Malicious Hardware, IEEE Symposium on Security and Privacy, 2016, pp. 18-37) describe a malicious hardware trojan named A2, which charges an implanted capacitor through normally executed instructions; once the trigger condition is reached a specific circuit is activated that flips the state of a flip-flop at a critical location, escalating the remote access privilege and causing information leakage.
Existing defences against hardware-trojan triggering mainly try to drive the circuit through as many of its states as possible by means of a detection mechanism, so that the trigger condition is met and the trojan can be detected. Salmani (Salmani, H., COTD: Reference-Free Hardware Trojan Detection and Recovery Based on Controllability and Observability in Gate-Level Netlist, IEEE Transactions on Information Forensics and Security, 2017, 12(2): 338-350) proposes a controllability- and observability-based gate-level netlist technique to recognise activation of netlist-level hardware trojans. Zhao Yiqiang et al. (hardware Trojan detection method based on shortening activation time [J], Journal of Huazhong University of Science and Technology, 2014(6): 85-89) propose inserting a dedicated trojan-detection module at the integrated-circuit design stage to shorten the activation time of a hardware trojan. Salmani et al. (Salmani, H., M. Tehranipoor and J. Plusquellic, A Novel Technique for Improving Hardware Trojan Detection and Reducing Trojan Activation Time, IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 2012, 20(1): 112-125) propose using dummy flip-flops to accelerate activation of a hardware trojan so that it can be detected. These methods all trigger the trojan by a kind of exhaustive search: they traverse all possible states of the circuit and judge whether the trojan has been activated by side-channel detection or similar means. As integrated-circuit scale grows, traversing all states becomes an almost impossible task, and the continuing refinement of hardware trojans makes it ever harder to detect whether one has been activated.
A feature-code activation attack poses three difficulties for the defender:
(1) whether a component has been implanted with a feature-code-triggered backdoor is unknown;
(2) the feature code is unknown, and activating the backdoor (trojan) by traversing all states is almost impossible;
(3) whether the backdoor (trojan) has been activated is hard to detect.
These difficulties make feature-code attacks hard to defend against.
Disclosure of Invention
To address these problems, the invention provides a network node device and a method for scrambled table-lookup forwarding of a datagram, which can resist activation attacks by datagrams containing a feature code even when the feature code and the location of the backdoor are unknown.
In order to achieve the purpose, the invention adopts the following technical scheme:
a network node device for scrambled table-lookup forwarding of a datagram, comprising a parser, a message cache, table-lookup logic, a table-entry cache and a modifier, characterised by further comprising: a scrambler A, a scrambler B, a descrambler A, a descrambler B and a scrambling-code cache;
the parser extracts the header contents of each layer of the network data message and submits them to the table-lookup logic;
the message cache stores the contents of the network data message;
the table-lookup logic receives the header contents of each layer of the network data message as input and outputs a lookup result, which comprises a next-hop address and an operation instruction;
the table-entry cache stores the table-entry data of the various mapping tables, including the routing table and the mapping table from header fields to operation instructions;
the modifier executes the corresponding instructions according to the lookup result, including discarding invalid messages and replacing specified header contents;
scrambler A and scrambler B scramble data with scrambling operators S_A and S_B respectively, changing the presentation form of the data, including the presentation form of any feature code, so that hidden trojan backdoor logic activated by a feature code cannot recognise it;
descrambler A and descrambler B descramble data with descrambling operators D_A and D_B respectively, restoring the original form of the data;
the scrambling-code cache stores the scrambling codes.
A method for scrambled table-lookup forwarding of a datagram comprises the following steps:
Step 1: the node receives original service data D, which passes through scrambling operator S_A of scrambler A to obtain scrambled data D_A:
D_A = S_A(D)
Step 2: the first n bits of D_A, denoted D_An, are sent to the parser, while D_A is sent to the message cache; n is determined by the specific message type and the processing flow;
Step 3: the parser extracts fields F_A1, F_A2, F_A3 ... F_An from D_An; after scrambling by operator S_B of scrambler B these become the scrambled fields F_AB1, F_AB2, F_AB3 ... F_ABn, which are sent to the table-lookup logic for lookup:
F_ABi = S_B(F_Ai), i ∈ [1, n]
Step 4: the table-lookup logic searches the mapping tables in the table-entry cache with F_AB1, F_AB2, F_AB3 ... F_ABn and obtains the lookup results R_AB1, R_AB2, R_AB3 ... R_ABn; after descrambling by operator D_B of descrambler B these become R_A1, R_A2, R_A3 ... R_An, which are sent to the modifier:
R_Ai = D_B(R_ABi), i ∈ [1, n]
Step 5: D_A is scrambled by operator S_B of scrambler B to obtain the scrambled message D_AB, which is stored in the message cache:
D_AB = S_B(D_A)
Step 6: data read from the message cache passes through descrambling operator D_B of descrambler B to recover D_A, which is sent to the modifier for modification and encapsulation:
D_A = D_B(D_AB)
Step 7: the modifier receives D_A from the message cache and the lookup results R_A1, R_A2, R_A3 ... R_An, and modifies D_A according to R_A1, R_A2, R_A3 ... R_An to obtain the modified message O_A;
Step 8: the modified message O_A passes through descrambling operator D_A of descrambler A to obtain the final output message O:
O = D_A(O_A)
Further, scrambling operator S_A of scrambler A is:
S_A(D) = NOT(D)
which denotes the unary bitwise negation of the original service data;
descrambling operator D_A of descrambler A is:
D_A(D_A) = NOT(D_A)
which denotes the unary bitwise negation of the scrambled data.
Further, scrambling operator S_B of scrambler B is:
S_B(D) = D XOR C_O
where C_O is the operation scrambling code; the formula denotes a binary bitwise exclusive-OR of the original service data with the operation scrambling code;
descrambling operator D_B of descrambler B is:
D_B(D_B) = D_B XOR C_O
where D_B is the data to be descrambled; the formula denotes a binary bitwise exclusive-OR of that data with the operation scrambling code.
Further, scrambling operator S_B of scrambler B may alternatively be:
S'_B(D) = D XNOR C_O
denoting a binary bitwise exclusive-NOR of the original service data with the operation scrambling code;
and descrambling operator D_B of descrambler B may alternatively be:
D'_B(D_B) = D_B XNOR C_O
denoting a binary bitwise exclusive-NOR of the data to be descrambled with the operation scrambling code.
Further, the operation scrambling code is generated as follows:
let the scrambling code be C, of length m bits;
if the original service data length L(D) ≤ m, the first L(D) bits of C are taken as the operation scrambling code C_O;
if L(D) > m, C is concatenated with itself cyclically up to the original data length to form the operation scrambling code C_O.
Further, the table-entry data of the various mapping tables in the table-entry cache is configured as follows:
table data T is input through the configuration channel and scrambled by scrambler A and then scrambler B to obtain the scrambled table data T_AB, which is written into the table-entry cache; the lookup logic uses T_AB directly for its lookups:
T_AB = S_B(S_A(T))
when table data needs to be updated, the new table data is likewise scrambled by scrambler A and scrambler B before being written into the table-entry cache.
Compared with the prior art, the invention has the following beneficial effects:
the invention effectively resists feature-code-based attacks and has the following advantages:
1. it builds on the general structure of the network forwarding nodes (such as routers and switches) widely deployed today; with the scramblers and descramblers set to pass-through mode the node becomes a conventional forwarding node, giving good adaptability and compatibility;
2. it resists trojan attacks triggered by unknown feature codes without knowing anything specific about the implanted trojan or its feature code;
3. the scrambling code can be updated dynamically, which improves security;
4. scrambling and descrambling of service data and table data are performed entirely by the node's internal logic, so the service end and the configuration end connected to the node need not know the scrambling code, which further improves security.
Drawings
Fig. 1 is a schematic structural diagram of a network node device for scrambling and table look-up forwarding a datagram according to an embodiment of the present invention; the solid and dashed lines in the figure represent different types of data paths.
Fig. 2 is a schematic structural diagram of a typical network forwarding node data processing structure of a network node device for scrambling and forwarding a datagram by a lookup table according to an embodiment of the present invention.
Fig. 3 is a basic flowchart of a method for forwarding a datagram scrambled lookup table according to an embodiment of the present invention.
Fig. 4 is a flow chart of generating operation scrambling codes of a method for scrambling and table look-up forwarding a datagram in an embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
the first embodiment is as follows:
As shown in Fig. 1, a network node device for scrambled table-lookup forwarding of a datagram according to the invention comprises a parser 101, a message cache 102, table-lookup logic 103, a table-entry cache 104 and a modifier 105, and further comprises: a scrambler A 106, a scrambler B 107, a descrambler A 108, a descrambler B 109 and a scrambling-code cache 110;
the parser 101 extracts the header contents of each layer of the network data message and submits them to the table-lookup logic 103 for lookup;
the message cache 102 stores the contents of the network data message;
the table-lookup logic 103 receives the header contents of each layer of the network data message as input and outputs a lookup result, which comprises a next-hop address and an operation instruction;
the table-entry cache 104 stores the table-entry data of the various mapping tables, including the routing table and the mapping table from header fields to operation instructions;
the modifier 105 executes the corresponding instructions according to the lookup result, including discarding invalid messages and replacing specified header contents;
scrambler A 106 and scrambler B 107 scramble data with scrambling operators S_A and S_B respectively, changing the presentation form of the data, including the presentation form of any feature code, so that hidden trojan backdoor logic activated by a feature code cannot recognise it;
descrambler A 108 and descrambler B 109 descramble data with descrambling operators D_A and D_B respectively, restoring the original form of the data;
the scrambling-code cache 110 stores the scrambling codes.
It should be noted that the parser 101, message cache 102, table-lookup logic 103, table-entry cache 104 and modifier 105 together form the data-processing structure of a typical present-day network forwarding node, shown in Fig. 2. This structure is common to current network forwarding nodes (routers, switches and the like), and the invention is built on it.
Embodiment two:
As shown in Fig. 3, a method for scrambled table-lookup forwarding of a datagram according to the invention comprises the following steps:
Step S201: the node receives original service data D, which passes through scrambling operator S_A of scrambler A to obtain scrambled data D_A:
D_A = S_A(D)
Step S202: the first n bits of D_A, denoted D_An, are sent to the parser, while D_A is sent to the message cache; n is determined by the specific message type and the processing flow;
Step S203: the parser extracts fields F_A1, F_A2, F_A3 ... F_An from D_An; after scrambling by operator S_B of scrambler B these become the scrambled fields F_AB1, F_AB2, F_AB3 ... F_ABn, which are sent to the table-lookup logic for lookup:
F_ABi = S_B(F_Ai), i ∈ [1, n]
Step S204: the table-lookup logic searches the mapping tables in the table-entry cache with F_AB1, F_AB2, F_AB3 ... F_ABn and obtains the lookup results R_AB1, R_AB2, R_AB3 ... R_ABn; after descrambling by operator D_B of descrambler B these become R_A1, R_A2, R_A3 ... R_An, which are sent to the modifier:
R_Ai = D_B(R_ABi), i ∈ [1, n]
Step S205: D_A is scrambled by operator S_B of scrambler B to obtain the scrambled message D_AB, which is stored in the message cache:
D_AB = S_B(D_A)
Step S206: data read from the message cache passes through descrambling operator D_B of descrambler B to recover D_A, which is sent to the modifier for modification and encapsulation:
D_A = D_B(D_AB)
Step S207: the modifier receives D_A from the message cache and the lookup results R_A1, R_A2, R_A3 ... R_An, and modifies D_A according to R_A1, R_A2, R_A3 ... R_An to obtain the modified message O_A;
Step S208: the modified message O_A passes through descrambling operator D_A of descrambler A to obtain the final output message O:
O = D_A(O_A)
Embodiment three:
The invention also discloses a method for scrambled table-lookup forwarding of a datagram, comprising the following steps:
Step S301: the node receives original service data D, which passes through scrambling operator S_A of scrambler A to obtain scrambled data D_A:
D_A = S_A(D)
where scrambling operator S_A of scrambler A is:
S_A(D) = NOT(D)
denoting the unary bitwise negation of the original service data;
Step S302: the first n bits of D_A, denoted D_An, are sent to the parser, while D_A is sent to the message cache; n is determined by the specific message type and the processing flow;
Step S303: the parser extracts fields F_A1, F_A2, F_A3 ... F_An from D_An; after scrambling by operator S_B of scrambler B these become the scrambled fields F_AB1, F_AB2, F_AB3 ... F_ABn, which are sent to the table-lookup logic for lookup:
F_ABi = S_B(F_Ai), i ∈ [1, n]
where scrambling operator S_B of scrambler B is:
S_B(D) = D XNOR C_O
where C_O is the operation scrambling code; the formula denotes a binary bitwise exclusive-NOR of the original service data with the operation scrambling code;
Step S304: the table-lookup logic searches the mapping tables in the table-entry cache with F_AB1, F_AB2, F_AB3 ... F_ABn and obtains the lookup results R_AB1, R_AB2, R_AB3 ... R_ABn; after descrambling by operator D_B of descrambler B these become R_A1, R_A2, R_A3 ... R_An, which are sent to the modifier:
R_Ai = D_B(R_ABi), i ∈ [1, n]
Step S305: D_A is scrambled by operator S_B of scrambler B to obtain the scrambled message D_AB, which is stored in the message cache:
D_AB = S_B(D_A)
Step S306: data read from the message cache passes through descrambling operator D_B of descrambler B to recover D_A, which is sent to the modifier for modification and encapsulation:
D_A = D_B(D_AB)
where descrambling operator D_B of descrambler B is:
D_B(D_B) = D_B XNOR C_O
where D_B is the data to be descrambled; the formula denotes a binary bitwise exclusive-NOR of that data with the operation scrambling code.
The operation scrambling code is generated as shown in Fig. 4:
let the scrambling code be C, of length m bits;
if the original service data length L(D) ≤ m, the first L(D) bits of C are taken as the operation scrambling code C_O;
if L(D) > m, C is concatenated with itself cyclically up to the original data length to form the operation scrambling code C_O.
Step S307: the modifier receives D_A from the message cache and the lookup results R_A1, R_A2, R_A3 ... R_An, and modifies D_A according to R_A1, R_A2, R_A3 ... R_An to obtain the modified message O_A;
Step S308: the modified message O_A passes through descrambling operator D_A of descrambler A to obtain the final output message O:
O = D_A(O_A)
where descrambling operator D_A of descrambler A is:
D_A(D_A) = NOT(D_A)
denoting the unary bitwise negation of the scrambled data.
The table-entry data of the various mapping tables in the table-entry cache is configured as follows:
configuration data for the various mapping tables is input through the configuration channel as table data T, scrambled first by scrambler A and then by scrambler B to obtain the scrambled table data T_AB, which is written into the table-entry cache and used directly by the lookup logic for its lookups:
T_AB = S_B(S_A(T))
when table data needs to be updated, the new table data is likewise scrambled by scrambler A and scrambler B before being written into the table-entry cache.
Embodiment four:
The invention also provides a method for scrambled table-lookup forwarding of a datagram, comprising the following steps:
Step S401: the node receives original service data D, which passes through scrambling operator S_A of scrambler A to obtain scrambled data D_A:
D_A = S_A(D)
where scrambling operator S_A of scrambler A is:
S_A(D) = NOT(D)
denoting the unary bitwise negation of the original service data;
Step S402: the first n bits of D_A, denoted D_An, are sent to the parser, while D_A is sent to the message cache; n is determined by the specific message type and the processing flow;
Step S403: the parser extracts fields F_A1, F_A2, F_A3 ... F_An from D_An; after scrambling by operator S_B of scrambler B these become the scrambled fields F_AB1, F_AB2, F_AB3 ... F_ABn, which are sent to the table-lookup logic for lookup:
F_ABi = S_B(F_Ai), i ∈ [1, n]
where scrambling operator S_B of scrambler B is:
S_B(D) = D XOR C_O
where C_O is the operation scrambling code; the formula denotes a binary bitwise exclusive-OR of the original service data with the operation scrambling code;
Step S404: the table-lookup logic searches the mapping tables in the table-entry cache with F_AB1, F_AB2, F_AB3 ... F_ABn and obtains the lookup results R_AB1, R_AB2, R_AB3 ... R_ABn; after descrambling by operator D_B of descrambler B these become R_A1, R_A2, R_A3 ... R_An, which are sent to the modifier:
R_Ai = D_B(R_ABi), i ∈ [1, n]
Step S405: D_A is scrambled by operator S_B of scrambler B to obtain the scrambled message D_AB, which is stored in the message cache:
D_AB = S_B(D_A)
Step S406: data read from the message cache passes through descrambling operator D_B of descrambler B to recover D_A, which is sent to the modifier for modification and encapsulation:
D_A = D_B(D_AB)
where descrambling operator D_B of descrambler B is:
D_B(D_B) = D_B XOR C_O
where D_B is the data to be descrambled; the formula denotes a binary bitwise exclusive-OR of that data with the operation scrambling code.
The operation scrambling code is generated as follows:
let the scrambling code be C, of length m bits;
if the original service data length L(D) ≤ m, the first L(D) bits of C are taken as the operation scrambling code C_O;
if L(D) > m, C is concatenated with itself cyclically up to the original data length to form the operation scrambling code C_O.
Step S407: the modifier receives D_A from the message cache and the lookup results R_A1, R_A2, R_A3 ... R_An, and modifies D_A according to R_A1, R_A2, R_A3 ... R_An to obtain the modified message O_A;
Step S408: the modified message O_A passes through descrambling operator D_A of descrambler A to obtain the final output message O:
O = D_A(O_A)
where descrambling operator D_A of descrambler A is:
D_A(D_A) = NOT(D_A)
denoting the unary bitwise negation of the scrambled data.
The table-entry data of the various mapping tables in the table-entry cache is configured as follows:
table data T is input through the configuration channel and scrambled by scrambler A and then scrambler B to obtain the scrambled table data T_AB, which is written into the table-entry cache and used directly by the lookup logic for its lookups:
T_AB = S_B(S_A(T))
when table data needs to be updated, the new table data is likewise scrambled by scrambler A and scrambler B before being written into the table-entry cache.
As one implementable form, the working process of the device and the way it prevents a trojan from being activated by a feature code are described below, taking as an example a node that receives an IP packet containing a feature code and forwards it. Scrambler A and descrambler A perform bitwise negation on their input; scrambler B and descrambler B perform a binary bitwise XOR of their input with the operation scrambling code; the scrambling code is 0xABB.
First, the IP packet format is shown in Table 1.
Table 1: IP packet format (table image not reproduced)
The content of the IP packet received by the node is shown in Table 2; it contains the feature code 0x12345678. Because the feature code is present in plaintext, a trojan hidden in any of the parser, message cache, lookup logic or modifier inside the node could be activated when that data passes through.
Table 2: raw IP packet data containing the feature code (table image not reproduced)
In this embodiment of the invention, the message is scrambled by scrambler A when it reaches the node. The output of scrambler A is shown in Table 3:
Table 3: IP packet data after scrambler A (table image not reproduced)
The data in Table 3 is sent to the parser and the message cache. The feature code in the original data has been destroyed by the scrambling operation and no longer appears in Table 3, so a trojan (if any) in the parser or the message cache cannot be activated. The first 20 bytes of the IP packet go to the parser; the parsed fields are scrambled by scrambler B and sent to the lookup logic for lookup, as shown in Table 4:
Table 4: IP header field data after scrambler B (table image not reproduced)
No feature code appears in the table, so a trojan (if any) in the lookup logic is not activated.
The data packet is scrambled by the scrambler B and then stored in the packet buffer, and the content of the data packet is shown in table 5:
Table 5 IP packet data processed by scrambler B (reproduced as an image in the original; contents not available here)
Neither the feature code 0x12345678 nor its bitwise complement 0xEDCBA987 is present, so a Trojan (if present) in the message cache will not be activated.
Finally, the modifier applies the table look-up result and outputs the data packet shown in table 6:
TABLE 6 modifier output data (reproduced as an image in the original; contents not available here)
The feature code 0x12345678 is not present, so a Trojan (if present) in the modifier is not activated.
After descrambling by descrambler A, the final output is shown in table 7:
TABLE 7 final output data (reproduced as an image in the original; contents not available here)
The payload of the data packet is not damaged, the forwarding process completes normally, and at the same time no Trojan horse is activated by the feature code.
The above describes only preferred embodiments of the present invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the principle of the present invention, and such modifications and improvements also fall within the protection scope of the present invention.

Claims (7)

1. A network node device for scrambling and table look-up forwarding of a datagram, comprising an analyzer, a message cache, table look-up logic, a table entry cache and a modifier, characterized by further comprising: a scrambler A, a scrambler B, a descrambler A, a descrambler B and a scrambling code cache;
the analyzer is used for extracting the header contents of each layer of the network data message and submitting them to the table look-up logic;
the message cache is used for storing the contents of the network data message;
the table look-up logic is used for receiving the header contents of each layer of the network data message as input and outputting a table look-up result, the table look-up result comprising a next-hop address and an operation instruction;
the table entry cache is used for storing the table entry data of various mapping tables, the mapping tables comprising routing tables and mapping tables from header fields to operation instructions;
the modifier is used for executing the corresponding instruction according to the table look-up result, the instructions comprising discarding an invalid message and replacing specified content of the message header;
the scrambler A and the scrambler B are used for scrambling data with a scrambling operator S_A and a scrambling operator S_B respectively, so as to change the presentation form of the data, including the presentation form of a feature code, such that hidden Trojan horse backdoor logic activated by the feature code cannot recognize the feature code;
the scrambling operator S_A of the scrambler A is:
S_A(D) = NOT(D)
which represents the unary bitwise negation of the original service data D;
the descrambler A and the descrambler B are used for descrambling data with a descrambling operator M_A and a descrambling operator M_B respectively, so as to restore the original form of the data;
the descrambling operator M_A of the descrambler A is:
M_A(D_A) = NOT(D_A)
which represents the unary bitwise negation of the scrambled data D_A produced by the scrambling operator S_A of the scrambler A;
the scrambling code cache is used for storing scrambling codes.
2. A method for scrambling and table look-up forwarding of a datagram in the network node device of claim 1, comprising:
step 1: the node receives original service data D, which is processed by the scrambling operator S_A of the scrambler A to obtain scrambled data D_A:
D_A = S_A(D)
step 2: the first n bits of D_A, denoted D_An, are sent to the analyzer while D_A is sent to the message cache; n is determined by the specific message type and processing flow;
step 3: the analyzer parses D_An and extracts the fields F_A1, F_A2, F_A3 ... F_An; after scrambling by the scrambling operator S_B of the scrambler B, the scrambled fields F_AB1, F_AB2, F_AB3 ... F_ABn are obtained and sent to the table look-up logic for the look-up operation:
F_ABi = S_B(F_Ai), i ∈ [1, n]
step 4: the table look-up logic searches the various mapping tables of the table entry cache with the fields F_AB1, F_AB2, F_AB3 ... F_ABn to obtain the corresponding look-up results R_AB1, R_AB2, R_AB3 ... R_ABn; after the descrambling operator M_B of the descrambler B, the descrambled look-up results R_A1, R_A2, R_A3 ... R_An are obtained and sent to the modifier:
R_Ai = M_B(R_ABi), i ∈ [1, n]
step 5: D_A is scrambled by the scrambling operator S_B of the scrambler B to obtain the scrambled message D_AB, which is sent to the message cache:
D_AB = S_B(D_A)
step 6: the data in the message cache is descrambled by the descrambling operator M_B of the descrambler B to obtain D_A, which is sent to the modifier for modification and encapsulation:
D_A = M_B(D_AB)
step 7: the modifier receives the data D_A from the message cache and the output results R_A1, R_A2, R_A3 ... R_An of the table look-up logic, and modifies D_A according to R_A1, R_A2, R_A3 ... R_An to obtain the modified message O_A;
step 8: the modified message O_A is processed by the descrambling operator M_A of the descrambler A to obtain the final output message O:
O = M_A(O_A).
3. The method of claim 2, wherein the scrambling operator S_A of the scrambler A is:
S_A(D) = NOT(D)
which represents the unary bitwise negation of the original service data;
and the descrambling operator M_A of the descrambler A is:
M_A(D_A) = NOT(D_A)
which represents the unary bitwise negation of the scrambled data.
4. The method of claim 2, wherein the scrambling operator S_B of the scrambler B is:
S_B(D) = D XOR C_O
where C_O is the operation scrambling code; the formula represents a binary bitwise XOR of the original service data with the operation scrambling code;
and the descrambling operator M_B of the descrambler B is:
M_B(D_B) = D_B XOR C_O
where D_B is the data to be descrambled; the formula represents a binary bitwise XOR of the data to be descrambled with the operation scrambling code.
5. The method of claim 4, wherein the scrambling operator S_B of the scrambler B may also be:
S_B(D) = D XNOR C_O
which represents a binary bitwise exclusive NOR of the original service data with the operation scrambling code;
and the descrambling operator M_B of the descrambler B may also be:
M_B(D_B) = D_B XNOR C_O
which represents a binary bitwise exclusive NOR of the data to be descrambled with the operation scrambling code.
6. The method of claim 4 or 5, wherein the generation of the operation scrambling code comprises:
assuming the scrambling code is C with a length of m bits;
if the length L(D) of the original service data is less than m, the first L(D) bits of C are taken as the operation scrambling code C_O;
if the length L(D) of the original service data is greater than m, C is cyclically spliced to the length of the original service data and used as the operation scrambling code C_O.
7. The method of claim 2, wherein the configuration of the table entry data of the various mapping tables of the table entry cache comprises:
inputting the table entry data T through a configuration channel, scrambling it by the scrambler A and the scrambler B to obtain scrambled table entry data T_AB, and writing T_AB into the table entry cache for use in the look-up by the table look-up logic:
T_AB = S_B(S_A(T))
when the table entry data needs to be updated, the table entry data to be updated is scrambled by the scrambler A and the scrambler B and then written into the table entry cache.
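The following Python toy is an added example, not code from the patent or its applicants. It models the device walk-through of the embodiment above together with claims 2, 6 and 7: scrambler/descrambler A as bitwise NOT, scrambler/descrambler B as XOR with an operation scrambling code C_O that is truncated or cyclically extended to the data length, a mapping table stored as T_AB = S_B(S_A(T)), and the eight steps of claim 2. The 20-byte IPv4 header, the 16-bit scrambling code 0xABBC and the single route are constructed sample values; the feature code 0x12345678 and its complement 0xEDCBA987 are those of the embodiment. Modelling the "replace specified header content" instruction as writing the next hop into the destination field is an assumption made for the toy.

```python
"""Toy model of the scramble-and-forward pipeline (claims 2, 6 and 7).

Scrambler/descrambler A = bitwise NOT, scrambler/descrambler B = XOR with the
operation scrambling code C_O. Packet, route and scrambling code are constructed
sample values; the 0x12345678 feature code is the one from the embodiment.
"""
from __future__ import annotations

SCRAMBLE_CODE = bytes.fromhex("abbc")       # constructed C, m = 16 bits (not the patent's 0xABB)
SIGNATURE = bytes.fromhex("12345678")       # feature code from the embodiment
ANTI_SIGNATURE = bytes.fromhex("edcba987")  # its bitwise complement, also from the embodiment
HEADER_LEN = 20                             # n: bytes handed to the analyzer (IPv4 header, no options)


def op_code(length: int, code: bytes = SCRAMBLE_CODE) -> bytes:
    """Claim 6: C_O is C truncated to L(D), or C repeated cyclically up to L(D)."""
    reps = -(-length // len(code))          # ceiling division
    return (code * reps)[:length]


def s_a(d: bytes) -> bytes:
    """S_A / M_A: unary bitwise negation (an involution, so it descrambles as well)."""
    return bytes(b ^ 0xFF for b in d)


m_a = s_a


def s_b(d: bytes) -> bytes:
    """S_B / M_B: bitwise XOR with C_O (XOR with the same code is its own inverse)."""
    return bytes(x ^ c for x, c in zip(d, op_code(len(d))))


m_b = s_b


def configure_table(plain: dict[bytes, bytes]) -> dict[bytes, bytes]:
    """Claim 7: entries are stored as T_AB = S_B(S_A(T)), keys and results alike."""
    return {s_b(s_a(k)): s_b(s_a(v)) for k, v in plain.items()}


def build_packet() -> bytes:
    """Constructed IPv4 packet: 20-byte header plus an 8-byte payload carrying the feature code."""
    header = bytes([0x45, 0x00, 0x00, 0x1C,     # version/IHL, TOS, total length 28
                    0x00, 0x01, 0x00, 0x00,     # identification, flags/fragment offset
                    0x40, 0x11, 0x00, 0x00,     # TTL 64, protocol UDP, checksum left zero
                    10, 0, 0, 1,                # source 10.0.0.1
                    192, 168, 1, 10])           # destination 192.168.1.10
    return header + SIGNATURE + bytes(4)


def forward(packet: bytes, table_ab: dict[bytes, bytes]) -> dict[str, bytes]:
    """Steps 1-8 of claim 2; every intermediate buffer is returned so it can be inspected."""
    d_a = s_a(packet)                          # step 1: D_A = S_A(D)
    d_an = d_a[:HEADER_LEN]                    # step 2: first n bytes go to the analyzer
    f_a = d_an[16:20]                          # step 3: analyzer extracts the (scrambled) dst field
    f_ab = s_b(f_a)                            #         F_AB = S_B(F_A)
    r_ab = table_ab[f_ab]                      # step 4: look-up in the scrambled table
    r_a = m_b(r_ab)                            #         R_A = M_B(R_AB)
    d_ab = s_b(d_a)                            # step 5: message cache holds D_AB = S_B(D_A)
    d_a_out = m_b(d_ab)                        # step 6: D_A = M_B(D_AB) back to the modifier
    o_a = d_a_out[:16] + r_a + d_a_out[20:]    # step 7: assumed "replace header content" instruction
    o = m_a(o_a)                               # step 8: O = M_A(O_A)
    return {"D_A": d_a, "F_AB": f_ab, "R_AB": r_ab, "D_AB": d_ab, "O_A": o_a, "O": o}


def stages_exposing(stages: dict[str, bytes], pattern: bytes) -> list[str]:
    """Names of the buffers in which a byte pattern appears verbatim."""
    return sorted(name for name, data in stages.items() if pattern in data)


def demo() -> dict[str, bytes]:
    """Run one constructed packet through the pipeline with one constructed route."""
    table = configure_table({bytes([192, 168, 1, 10]): bytes([10, 0, 0, 254])})
    return forward(build_packet(), table)


if __name__ == "__main__":
    st = demo()
    for name, data in st.items():
        print(f"{name:5} {data.hex()}")
    print("feature code visible in:", stages_exposing(st, SIGNATURE))
    print("complement visible in:  ", stages_exposing(st, ANTI_SIGNATURE))
```

Running the script prints each buffer and shows that the feature code appears only in the final output O, while its complement appears in the NOT-only stages D_A and O_A and not in the doubly scrambled message cache D_AB, which is the property the embodiment's tables 3 to 7 illustrate. Note that a fixed short XOR code is a masking step, not encryption: the scheme's protective value lies solely in the trigger pattern never appearing verbatim inside an untrusted stage, and the claim 5 XNOR variant is simply the bitwise NOT of the XOR result.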
CN201810537863.0A 2018-05-30 2018-05-30 Network node device and method for scrambling and look-up table forwarding of datagram Active CN108881022B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810537863.0A CN108881022B (en) 2018-05-30 2018-05-30 Network node device and method for scrambling and look-up table forwarding of datagram

Publications (2)

Publication Number Publication Date
CN108881022A CN108881022A (en) 2018-11-23
CN108881022B true CN108881022B (en) 2020-11-10

Family

ID=64336800

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant