CN109067757B - Safety method and system based on IPMI encryption module - Google Patents


Info

Publication number
CN109067757B
Authority
CN
China
Prior art keywords
message
ipmi
decryption
encryption
format
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810962759.6A
Other languages
Chinese (zh)
Other versions
CN109067757A (en)
Inventor
张玥
李雪峰
刘世龙
郭怀号
姬叶华
邹志强
刘晓梅
王龙
张曙辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 32 Research Institute
Original Assignee
CETC 32 Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CETC 32 Research Institute
Priority to CN201810962759.6A
Publication of CN109067757A
Application granted
Publication of CN109067757B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/565 Conversion or adaptation of application format or content

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a security method and a security system based on an IPMI encryption module. A remote control end encapsulates and packages the IPMI message to be transmitted and selects whether the message is encrypted or not; the message is then transmitted over the network. The server side receives the messages and classifies them: if a message carries the first encryption type, message decryption is triggered, and if it carries the second encryption type, message transmission is triggered. Decryption of the message is performed according to a decryption mechanism; if decryption succeeds, message transmission is triggered, and if it fails, locking and self-destruction are triggered, so that IPMI message transmission is locked. The invention adopts an encryption and decryption unit that locks IPMI transmission after repeated wrong inputs and can start the self-destruction function if necessary, thereby realizing the security of the IPMI intelligent management platform.

Description

Safety method and system based on IPMI encryption module
Technical Field
The invention relates to the field of IPMI intelligent management platforms, in particular to a security method and a security system based on an IPMI encryption module.
Background
IPMI refers to the Intelligent Platform Management Interface, an interface specification established by four companies, Intel, HP, Dell and NEC, that allows the peripheral devices of servers on different software and hardware platforms to be managed from a single console. Through the IPMI specification, system management personnel can effectively monitor the physical health characteristics of a server, such as the working states of the power supply, fans, temperature, CPU, memory, hard disks and other components. IPMI is composed of the BMC system core and the SDR, SEL, FRU, ICMB and IPMB subsystems. The BMC, the baseboard management controller, is the core of IPMI control and management. It is realized on a completely independent chip, is independent of the server's CPU, BIOS and operating system, and provides remote detection, management and recovery functions. It is an independent, agent-free management subsystem running in the system that forms the middle layer between the low-level system hardware and the upper management software: it acquires information from each sensor, converts it into a common message format and sends it to the different controllers and management software, and at the same time forwards control commands received from different channels, such as the system internal bus, the network, a serial port or a modem, to the corresponding controllers, thereby realizing remote management of heterogeneous software and hardware platforms. The SDR is a sensor database containing information for all sensors in the system; each individual SDR contains the formulas and coefficients needed to convert sensor readings to standard units. IPMI stores the collected system state information as a system event log in the SEL. IPMI also supports FRU storage and access, so the system can store information about the various system components present on the motherboard in the FRU.
The IPMI standard provides an IPMB interface and an ICMB interface for managing cross-platform systems; the two interfaces communicate with different servers. The IPMB is implemented on the I2C standard and enables communication between different components on a motherboard, while the ICMB interface is mainly used for communication between different servers. By means of the IPMB and ICMB interfaces, the IPMI standard truly realizes access to and management of software- and hardware-heterogeneous systems.
Since 1998 the IPMI standard has been supported by more than 170 suppliers, which makes it a complete hardware management specification covering servers and other systems (such as storage, network and communication devices). The latest version of the standard is IPMI 2.0, a substantial improvement over earlier versions that includes management of server systems (including remote power on/off) via serial ports, modems and LANs. With the rapid development of IT technology, the scale of the data center grows and the system structure becomes more and more complex; while this brings convenience, it also increases the difficulty of operation and maintenance management. To ensure stable operation of the system, timely repair of faults and efficient maintenance of the data center, the IPMI intelligent management platform is widely applied to cross-platform centralized management and is developing rapidly. At the same time, the security of the IPMI intelligent management platform becomes a crucial factor. The IPMI interface provides full-range control capability over the server, but the problem with the SHA1 key hashing used by RAKP in the IPMI protocol is a known and widespread one. IPMI can only be bypassed by disabling it, but where remote control is required, large vendors introduce NET instead of IPMI. The introduction of NET brings security issues such as man-in-the-middle attacks, certificate forgery, cross-site attacks, script injection and DDoS, which are becoming increasingly serious. Once the communication is stolen, modified or has a trojan horse embedded in it, it causes immeasurable loss to the information security of the enterprise, so it is all the more necessary to provide all-round protection for IPMI.
Patent document CN107248932A discloses automatic protection of a remote server based on the IPMI protocol, in the field of remote management servers. Using the IPMI protocol, it collects the relevant working state parameters of the server system remotely and in real time, sets a working threshold value for each parameter according to actual conditions, and compares the real-time parameters with the set thresholds to determine whether they have been reached; if so, the corresponding automatic processing operation is performed, otherwise the working state parameters continue to be collected for periodic determination. This patent proposes an automatic protection method for a remotely controlled server, with management based on the IPMI protocol; the security method consists of monitoring the state of the server and handling it automatically if it is abnormal.
Patent document CN107566140A discloses a remote upgrading method and system based on IPMI, in the technical field of network devices. The method establishes a connection between the intelligent platform management interface IPMI and the equipment to be upgraded, which comprises a first operation and maintenance entity and a second operation and maintenance entity; the first entity is powered off through the interface and the second entity is upgraded, after which it is judged whether the upgraded equipment operates normally. If so, the first and second operation and maintenance entities are automatically synchronized to the upgraded version; if the upgraded equipment operates abnormally, it is returned to the version before upgrading. The embodiment achieves automatic remote upgrading by adding an IPMI interface to the existing upgrade process and easily recovers the previous version when the upgrade fails. The patent thus provides a method for remotely controlling a server based on IPMI: management is based on the IPMI protocol, a connection between the IPMI interface and the equipment to be upgraded is established, the IPMI interface is added to the existing upgrade process to achieve automatic remote upgrade, and the version before the upgrade is easily recovered when the upgrade fails.
Neither of the two patent documents mentioned above relates to a security mechanism for encryption and decryption: they do not encrypt the transmitted information, do not decrypt it with a decryption module at the server side, do not realize encryption and decryption by setting a password, and have no self-destruction function.
Disclosure of Invention
In view of the defects in the prior art, the present invention aims to provide a security method and system based on an IPMI encryption module.
The security method based on the IPMI encryption module provided by the invention comprises the following steps: IPMI message encapsulation step: packaging the IPMI message to be transmitted as a first format message; message encryption: inquiring whether the first format message needs to be encrypted or not, obtaining a second format message according to the inquiry result, if so, encrypting the first format message, marking the second format message as a first encryption type, and if not, marking the second format message as a second encryption type; a message sending step: and carrying out network transmission on the second format message.
Preferably, the security method based on the IPMI encryption module further comprises the steps of: a message receiving step: receiving the second format message; and message type classification step: classifying the second format message, if the second format message is marked as a first encryption type, triggering a message decryption step to execute, and if the second format message is marked as a second encryption type, triggering message transmission; message decryption: decrypting the second format message according to a decryption mechanism, if the decryption is successful, triggering message transmission, and if the decryption is unsuccessful, triggering a locking self-destruction step to execute; locking and self-destroying: IPMI message transmission locking is realized.
The security system based on the IPMI encryption module comprises the following modules: an IPMI message encapsulation module: NET message encapsulation and packaging are carried out on the IPMI message to be transmitted, and the result is recorded as a first format message; a message encryption module: inquiring whether the first format message is to be encrypted to obtain a second format message; if the first format message is required to be encrypted, encryption processing is carried out and the second format message is marked as a first encryption type, and if it is not required to be encrypted, the second format message is marked as a second encryption type; a message sending module: realizing network transmission of the second format message.
Preferably, the security system based on the IPMI encryption module further includes the following modules: a message receiving module: enabling reception of the second format message; a message type classification module: classifying the second format message, if the second format message comprises a first encryption type, triggering message decryption, and if the second format message comprises a second encryption type, triggering message transmission; a message decryption module: according to a decryption mechanism, decryption of the second format message is achieved, if decryption is successful, message transmission is triggered, and if decryption is unsuccessful, locking self-destruction is triggered; locking the self-destruction module: IPMI message transmission locking is realized.
Preferably, the network transmission is to package the IPMI message into an IPMI LAN message using NET protocol, and send and receive the IPMI LAN message through a remote IP network in a UDP manner.
Preferably, the decryption mechanism sets a limit (the set value) on the number of incorrect password inputs allowed: if the number of wrong password inputs exceeds the set value, decryption is unsuccessful; if the correct password is input, or the number of wrong inputs does not exceed the set value and the correct password is input on the last attempt, decryption is successful.
Compared with the prior art, the invention has the following beneficial effects:
1. the IPMI bus is adopted to package the IPMI message into an IPMI LAN message, the IPMI LAN message is encrypted, and the request and the response of the server BMC are sent and received through the remote IP network in a UDP mode, so that the remote software and hardware heterogeneous system can be monitored.
2. The encryption and decryption module is adopted, the encrypted information can be decrypted and converted into a general IPMI message, and then the general IPMI message is sent to the system BMC module for processing, and when the BMC sends a message request, the encryption and decryption module encrypts the general IPMI message and sends the encrypted message to the remote control terminal. The encryption and decryption module can set passwords, and when the passwords are input for many times and are wrong, the module locks the IPMI system, stops transmission of IPMI messages and prevents information from being stolen.
3. The IPMI intelligent management platform is provided with a self-destruction function that can be started when necessary, so that a security method for the IPMI intelligent management platform is truly realized.
4. The IPMI intelligent management platform is compatible with the standard IPMI protocol and the encrypted IPMI protocol at the same time. Information that does not need to be transmitted in encrypted form can be transmitted using the standard IPMI protocol, while information that does need encrypted transmission can be sent over the selectable encryption channel and decrypted by the decryption module after reaching the server, so that the information is prevented from being stolen and altered.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a schematic block diagram of a hardware implementation of the present invention;
FIG. 2 is a schematic diagram of an encryption module design according to the present invention;
FIG. 3 is a flow chart of IPMI encryption and decryption according to the present invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit the invention in any way. It should be noted that it would be obvious to those skilled in the art that various changes and modifications can be made without departing from the spirit of the invention; all such changes and modifications fall within the scope of the present invention.
The invention provides a security method of an IPMI intelligent management platform based on an encryption module, which adopts an encryption and decryption unit, the module locks an IPMI system when inputting errors for many times, and can start a self-destruction function if necessary, thereby realizing the security of the IPMI intelligent management platform; the invention is compatible with standard IPMI protocol and encrypted IPMI protocol.
The invention discloses a security method based on an IPMI encryption module, which comprises the following steps. IPMI message packaging step: message encapsulation and packaging are carried out on the IPMI message to be transmitted, and the result is recorded as a first format message; message encryption step: inquiring whether the first format message is to be encrypted to obtain a second format message; if the first format message is required to be encrypted, encryption processing is carried out and the second format message is marked as a first encryption type, and if it is not required to be encrypted, the second format message is marked as a second encryption type; message sending step: realizing network transmission of the second format message.
Specifically, the security method based on the IPMI encryption module further includes a message receiving step of: enabling reception of the second format message; and message type classification step: classifying the second format message, if the second format message comprises a first encryption type, triggering message decryption, and if the second format message comprises a second encryption type, triggering message transmission; message decryption: according to a decryption mechanism, decryption of the second format message is achieved, if decryption is successful, message transmission is triggered, and if decryption is unsuccessful, locking self-destruction is triggered; locking and self-destroying: IPMI message transmission locking is realized.
Specifically, the network transmission is to package the IPMI message into an IPMI LAN message using NET protocol, and send and receive the IPMI LAN message through a remote IP network in a UDP manner.
Specifically, the decryption mechanism sets a limit (the set value) on the number of incorrect password inputs allowed: if the number of wrong password inputs exceeds the set value, decryption is unsuccessful; if the correct password is input, or the number of wrong inputs does not exceed the set value and the correct password is input on the last attempt, decryption is successful.
The invention discloses a security system based on an IPMI encryption module, which comprises the following modules: an IPMI message encapsulation module: NET message encapsulation and packaging are carried out on the IPMI message to be transmitted, and the result is recorded as a first format message; a message encryption module: inquiring whether the first format message is to be encrypted to obtain a second format message; if the first format message is required to be encrypted, encryption processing is carried out and the second format message is marked as a first encryption type, and if it is not required to be encrypted, the second format message is marked as a second encryption type; a message sending module: realizing network transmission of the second format message.
Specifically, the security system based on the IPMI encryption module further comprises the following modules: a message receiving module: enabling reception of the second format message; a message type classification module: classifying the second format message, if the second format message comprises a first encryption type, triggering message decryption, and if the second format message comprises a second encryption type, triggering message transmission; a message decryption module: according to a decryption mechanism, decryption of the second format message is achieved, if decryption is successful, message transmission is triggered, and if decryption is unsuccessful, locking self-destruction is triggered; locking the self-destruction module: IPMI message transmission locking is realized.
The security system of the IPMI encryption module provided by the invention can be realized by the step flow of the security method of the IPMI encryption module. Those skilled in the art can understand the security method of the IPMI encryption module as a preferred example of the security system of the IPMI encryption module.
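The two-type message flow and the wrong-password counting rule described in the steps above, as an added Python model that is not the patent's own code. The envelope layout, the PBKDF2-derived keys with an HMAC-SHA256 keystream and authentication tag, and the names `remote_send` and `EncryptionUnit` are assumptions, since the patent specifies neither a cipher nor a wire format; the tag is what lets the unit tell a wrong password from a right one, which the "decryption unsuccessful" branch requires.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional

MAGIC = b"IPMI"          # constructed tag for the first-format envelope (assumption)
TYPE_ENCRYPTED = 0x01    # "first encryption type": body is encrypted
TYPE_PLAIN = 0x02        # "second encryption type": standard IPMI, no encryption
PBKDF2_ITERS = 50_000    # assumption; the patent names no key-derivation cost


def encapsulate(ipmi_payload: bytes) -> bytes:
    """IPMI message encapsulation step: tag + length-prefixed payload = first format."""
    return MAGIC + struct.pack("!H", len(ipmi_payload)) + ipmi_payload


def decapsulate(first: bytes) -> bytes:
    """Inverse of encapsulate; rejects anything that is not a well-formed envelope."""
    if len(first) < 6 or first[:4] != MAGIC:
        raise ValueError("not a first-format message")
    (n,) = struct.unpack("!H", first[4:6])
    body = first[6:6 + n]
    if len(body) != n:
        raise ValueError("truncated first-format message")
    return body


def _derive_keys(password: str, salt: bytes):
    # Password -> (encryption key, MAC key); the construction is an assumption.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """CTR-style keystream with HMAC-SHA256 as the PRF (the stdlib has no AES)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt_message(first: bytes, password: str, encrypt: bool) -> bytes:
    """Message encryption step: second-format message = type mark + body."""
    if not encrypt:
        return bytes([TYPE_PLAIN]) + first
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = _derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(first, _keystream(ek, nonce, len(first))))
    tag = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return bytes([TYPE_ENCRYPTED]) + salt + nonce + ct + tag


def remote_send(ipmi_payload: bytes, password: str, encrypt: bool) -> bytes:
    # Remote-control end: encapsulate, then encrypt or mark as plain; result goes on the wire.
    return encrypt_message(encapsulate(ipmi_payload), password, encrypt)


def decrypt_body(body: bytes, password: str) -> Optional[bytes]:
    """Returns the first-format message, or None when the password or the data is wrong."""
    if len(body) < 16 + 16 + 32:
        return None
    salt, nonce, ct, tag = body[:16], body[16:32], body[32:-32], body[-32:]
    ek, mk = _derive_keys(password, salt)
    expected = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # wrong password or tampering
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


class EncryptionUnit:
    """Server-side unit: classify, decrypt, count wrong passwords, lock transmission."""
    def __init__(self, max_wrong: int):
        self.max_wrong = max_wrong   # the patent's "set value" of tolerated wrong inputs
        self.wrong_count = 0
        self.locked = False

    def lock(self) -> None:
        # Locking step: nothing is forwarded any more; self-destruction is not modelled.
        self.locked = True

    def process(self, second: bytes, password_attempts: List[str]) -> Optional[bytes]:
        """Returns the IPMI payload to hand to the BMC, or None if nothing may be forwarded."""
        if self.locked or not second:
            return None
        msg_type, body = second[0], second[1:]
        try:
            if msg_type == TYPE_PLAIN:        # second encryption type: forward as-is
                return decapsulate(body)
            if msg_type != TYPE_ENCRYPTED:
                return None
            for pw in password_attempts:      # first encryption type: password required
                first = decrypt_body(body, pw)
                if first is not None:
                    self.wrong_count = 0
                    return decapsulate(first)
                self.wrong_count += 1
                if self.wrong_count > self.max_wrong:
                    self.lock()
                    return None
        except ValueError:                    # malformed envelope is not forwarded
            return None
        return None
```

With `max_wrong=3`, three wrong entries followed by the right one still succeed, a fourth wrong entry locks the unit, and a tampered ciphertext counts as a wrong entry because the tag no longer verifies.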
The present invention is further described below in terms of hardware and software.
The IPMI intelligent management platform consists of a remote control console, a transmission bus and a server. The Intelligent Platform Management Interface (IPMI) performs hardware management through the remote console, which comprises the IPMI interface, is connected with the server through the IPMI bus, and can be managed and accessed by an administrator. The IPMI bus can be connected to a network port, an IPMB interface and the like, and communication with the server is realized remotely through the NET and IPMB protocols. In IPMI, the BMC receives and transmits the same message format. Access from the remote control end to the system BMC is packaged into IPMI LAN messages and encrypted, and the requests and responses of the server BMC are sent and received over the remote IP network in a UDP manner, thereby realizing monitoring of remote software- and hardware-heterogeneous systems.
The server internally comprises an encryption and decryption unit. This module is connected with the IPMI bus and can communicate directly with the system's LAN controller; the LAN controller classifies data packets on the network and sends them to the BMC after they pass through the encryption and decryption unit, and at the same time the data packets sent to the BMC are also sent to the host CPU, while data packets that are not packaged in RMCP (Remote Management Control Protocol) format are sent only to the host CPU. Similarly, when the BMC has a request to receive or send messages, it accesses the system's LAN controller after passing through the encryption and decryption unit and sends the data to the remote control end through the NET interface.
The encryption and decryption unit is compatible with the standard IPMI protocol and the encrypted IPMI protocol at the same time, and whether to encrypt, as well as the encryption password, can be set on a human-computer interaction interface such as the WEB interface of the remote control end. When the server receives an IPMI message transmitted by the remote control terminal, the encryption and decryption unit judges whether the message is encrypted. If it is a common IPMI message, it is transmitted to the BMC module. If the IPMI message is encrypted, the correct password needs to be input at the server end, and the encryption and decryption unit decrypts the encrypted IPMI message, converts it into a general IPMI message and transmits it to the BMC module. When the number of password errors exceeds the set value, the encryption and decryption unit sends an IPMI command to the BMC module to lock the system, thereby ensuring the safety of the system. Similarly, when the server needs to transmit information such as server information to the remote control end, the server end can set whether encrypted transmission is needed and set the encryption transmission password through the user interaction interface. The BMC packages the information into an IPMI message, and the encryption and decryption unit judges whether the information needs encrypted transmission. If encrypted transmission is not needed, the common IPMI message is transmitted to the LAN controller and sent to the remote control end.
If encrypted transmission is needed, the IPMI message is converted into an encrypted IPMI message and then sent to the remote control end through the LAN controller; after receiving the message, the remote control end needs to input the correct password on its user interaction interface, decrypt the encrypted IPMI message and convert it into a general IPMI message.
The invention comprises two parts of hardware design and encryption protocol design. The hardware part is designed into the whole IPMI intelligent management platform system and comprises a remote control end, an IPMI transmission end and a server end. The remote control end comprises an IPMI interface and a NET interface, wherein an IPMI transmission part uses a NET protocol, is packaged into an IPMI LAN message, and is sent and received through a remote IP network in a UDP mode. The server side comprises an IPMI interface, a NET interface and an encryption and decryption module. The encryption protocol design adopts a mode of being compatible with encryption IPMI transmission and standard IPMI, the information which does not need to be transmitted in an encryption mode can be transmitted in a standard IPMI protocol, the information which needs to be transmitted in an encryption mode can be transmitted through a selectable encryption channel, and the information is decrypted through a decryption module after reaching a server, so that the information is prevented from being stolen and changed.
As shown in fig. 1, the server is the core of the entire intelligent management and control platform, and may be composed of a plurality of master control and node management units. The main control management unit comprises a mainboard, a sensor, a BMC unit, a network interface and an encryption and decryption unit; the BMC unit is responsible for receiving sensor information, fan information and other hardware information of the mainboard and realizing hardware state monitoring of the server; the network interface is used for receiving a remote command, sending information to the encryption and decryption unit, decrypting the information into a general IPMI message and sending the general IPMI message to the BMC unit, the BMC unit controls the hardware to be turned on and off or collects the information and packages the information into the general IPMI message according to the received command, the general IPMI message is encrypted by the encryption and decryption unit and sent to the remote control end through the network interface.
As shown in fig. 2, the IPMI intelligent management and control platform needs to implement functions such as intelligent management and control, real-time monitoring, analysis and diagnosis, early warning/alarm, fault handling, and remote management and control, and must meet requirements of high efficiency and safety. The IPMB bus protocol is compatible with and based on the I2C bus protocol. The IPMI specification contains a large set of IPMI message commands. IPMI provides remote monitoring of the system, so that a server system can be checked remotely for system boot and operating system loading, or managed and diagnosed remotely by a management controller, independent of the hardware manufacturer.
The invention is compatible with standard IPMI communication, and the server BMC unit is responsible for receiving the hardware state monitoring information of the server; the network interface is used for receiving a remote command and sending the command to the BMC unit, and the BMC unit controls the hardware to be turned on and turned off or collects information according to the received command, packages the information into a general IPMI message and sends the general IPMI message to the remote control end through the network interface. The encryption protocol design adds an encryption and decryption unit in the server to provide security authentication and encryption and decryption functions, so that the security of data in the remote transmission process is ensured, and the IPMI also provides the functions of establishing a secure remote session and user authentication login.
As shown in fig. 3, the remote control end packages the encrypted IPMI command into NET messages and sends them to the server end through the network interface; the remote control end can set whether the IPMI messages need to be encrypted and set the encryption password. The network interface of the server end receives the encrypted IPMI command from the remote control end and sends it to the encryption and decryption module, which judges whether the message is encrypted; if it is a common IPMI message, it is transmitted to the BMC module. If the IPMI message is encrypted, the correct password needs to be input at the server end, and the encryption and decryption unit decrypts the encrypted IPMI message, converts it into a general IPMI message and transmits it to the BMC module. When the number of password errors exceeds the set value, the encryption and decryption unit sends an IPMI command to the BMC module to lock the system. The encrypted message is thus converted into a general IPMI message after decryption and sent to the BMC unit. The BMC unit is responsible for monitoring the hardware state of the server: it packages the monitored hardware information into general IPMI messages and sends them to the encryption and decryption unit, after which the encrypted messages are sent out through the network interface; according to a received command it controls the hardware to be turned on and off or collects information, packages the information into general IPMI messages, encrypts them through the encryption and decryption unit, and sends them to the remote control end through the network interface.
Those skilled in the art will appreciate that, in addition to implementing the systems, apparatus, and various modules thereof provided by the present invention in purely computer readable program code, the same procedures can be implemented entirely by logically programming method steps such that the systems, apparatus, and various modules thereof are provided in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system, the device and the modules thereof provided by the present invention can be considered as a hardware component, and the modules included in the system, the device and the modules thereof for implementing various programs can also be considered as structures in the hardware component; modules for performing various functions may also be considered to be both software programs for performing the methods and structures within hardware components.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.

Claims (2)

1. A security method based on an IPMI encryption module, characterized by comprising the following steps:
an IPMI message encapsulation step: packaging the IPMI message to be transmitted as a first format message;
a message encryption step: inquiring whether the first format message needs to be encrypted and obtaining a second format message according to the result of the inquiry; if so, encrypting the first format message and marking the second format message as a first encryption type, and if not, marking the second format message as a second encryption type;
a message sending step: performing network transmission of the second format message;
further comprising the steps of:
a message receiving step: receiving the second format message;
a message type classification step: classifying the second format message; if the second format message is marked as the first encryption type, triggering the message decryption step, and if the second format message is marked as the second encryption type, triggering message transmission;
a message decryption step: decrypting the second format message according to a decryption mechanism; if the decryption is successful, triggering message transmission, and if the decryption is unsuccessful, triggering the locking and self-destruction step;
a locking and self-destruction step: locking IPMI message transmission;
wherein the network transmission is that IPMI messages are packaged into IPMI LAN messages using the NET protocol, and the IPMI LAN messages are sent and received over a remote IP network in UDP mode;
the decryption mechanism is to set a set value for the number of allowed password input errors; if the number of password input errors exceeds the set value, the decryption is unsuccessful, and if the correct password is input, or the number of password input errors does not exceed the set value and the correct password is input on the last attempt, the decryption is successful;
the access of the remote control terminal to the BMC is packaged into IPMI LAN messages and encrypted, and the request to and the response from the server BMC are sent and received over the remote IP network in UDP mode;
the LAN controller classifies the data packets on the network, sends them to the BMC after they pass through the encryption and decryption unit, and simultaneously sends the data packets transmitted to the BMC to the host CPU.
2. A security system based on an IPMI encryption module, characterized by comprising the following modules:
an IPMI message encapsulation module: performing NET message encapsulation on the IPMI message to be transmitted, the result being recorded as a first format message;
a message encryption module: inquiring whether the first format message needs to be encrypted and obtaining a second format message accordingly; if the first format message needs to be encrypted, encrypting it and marking the second format message as a first encryption type, and if it does not need to be encrypted, marking the second format message as a second encryption type;
a message sending module: performing network transmission of the second format message;
the system further comprising the following modules:
a message receiving module: receiving the second format message;
a message type classification module: classifying the second format message; if the second format message is of the first encryption type, triggering message decryption, and if the second format message is of the second encryption type, triggering message transmission;
a message decryption module: decrypting the second format message according to a decryption mechanism; if the decryption is successful, triggering message transmission, and if the decryption is unsuccessful, triggering locking and self-destruction;
a locking and self-destruction module: locking IPMI message transmission;
wherein the network transmission is that IPMI messages are packaged into IPMI LAN messages using the NET protocol, and the IPMI LAN messages are sent and received over a remote IP network in UDP mode;
the decryption mechanism is to set a set value for the number of allowed password input errors; if the number of password input errors exceeds the set value, the decryption is unsuccessful, and if the correct password is input, or the number of password input errors does not exceed the set value and the correct password is input on the last attempt, the decryption is successful;
the access of the remote control terminal to the BMC is packaged into IPMI LAN messages and encrypted, and the request to and the response from the server BMC are sent and received over the remote IP network in UDP mode;
the LAN controller classifies the data packets on the network, sends them to the BMC after they pass through the encryption and decryption unit, and simultaneously sends the data packets transmitted to the BMC to the host CPU.
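The flow described in fig. 3 and restated in claims 1 and 2 (encapsulate with an encryption-type marker, classify on receipt, decrypt against a password, count wrong attempts and lock once the count exceeds the set value) can be modelled end to end in a few dozen lines. The following is an added example written for this page and is not code from the patent or from CETC 32 Research Institute. The patent does not name a cipher or a wire format, so everything concrete here is an assumption: a constructed header (`MAGIC`, one encryption-type byte, a length), a PBKDF2-derived key, an HMAC-SHA256 counter keystream for confidentiality and an HMAC tag for authentication (a wrong password shows up as a failed tag check rather than as garbage plaintext), the sample IPMI request bytes, and the choice to reset the error counter after a successful decryption.

```python
"""Model of the IPMI encryption module flow: encapsulate, classify, decrypt, lock.

Added example; wire format, key derivation and cipher are constructed
assumptions, not the patent's (unspecified) scheme.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional

ENC_TYPE_PLAIN = 0x00      # "second encryption type": payload forwarded as-is
ENC_TYPE_ENCRYPTED = 0x01  # "first encryption type": payload must be decrypted
MAGIC = b"IPMX"            # constructed marker, not a real IPMI/RMCP field
HEADER = struct.Struct("!4sBH")  # magic, encryption type, payload length
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 32
MAX_PASSWORD_ERRORS = 3    # the patent's "set value" for allowed wrong passwords

# Constructed sample: an IPMI "Get Device ID" request (NetFn App, cmd 0x01)
# with valid header and data checksums, standing in for a real BMC command.
SAMPLE_IPMI = bytes([0x20, 0x18, 0xC8, 0x81, 0x00, 0x01, 0x7E])


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 256-bit key via PBKDF2 (assumed; patent names no KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stream cipher (assumed construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(ipmi_msg: bytes, password: Optional[str]) -> bytes:
    """Remote-control side: first format message -> second format message.

    With no password the message is marked plain; otherwise it is encrypted,
    authenticated with an HMAC tag, and marked as the encrypted type.
    """
    if password is None:
        return HEADER.pack(MAGIC, ENC_TYPE_PLAIN, len(ipmi_msg)) + ipmi_msg
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(password, salt)
    ct = xor_bytes(ipmi_msg, keystream(key, nonce, len(ipmi_msg)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    body = salt + nonce + ct + tag
    return HEADER.pack(MAGIC, ENC_TYPE_ENCRYPTED, len(body)) + body


class EncryptionDecryptionUnit:
    """Server side: classify, decrypt, count password errors, lock."""

    def __init__(self, max_errors: int = MAX_PASSWORD_ERRORS) -> None:
        self.max_errors = max_errors
        self.errors = 0
        self.locked = False
        self.delivered: List[bytes] = []  # general IPMI messages passed to the BMC

    def receive(self, wire: bytes, password: str) -> str:
        """Returns 'forwarded', 'bad_password', 'locked' or 'malformed'."""
        if self.locked:
            return "locked"  # transmission stays locked after self-destruction
        if len(wire) < HEADER.size:
            return "malformed"
        magic, enc_type, length = HEADER.unpack_from(wire)
        body = wire[HEADER.size:HEADER.size + length]
        if magic != MAGIC or len(body) != length:
            return "malformed"
        if enc_type == ENC_TYPE_PLAIN:          # second type: straight to the BMC
            self.delivered.append(body)
            return "forwarded"
        if enc_type != ENC_TYPE_ENCRYPTED or len(body) < SALT_LEN + NONCE_LEN + TAG_LEN:
            return "malformed"
        salt = body[:SALT_LEN]
        nonce = body[SALT_LEN:SALT_LEN + NONCE_LEN]
        ct, tag = body[SALT_LEN + NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        key = derive_key(password, salt)
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # wrong password (or tampering)
            self.errors += 1
            if self.errors > self.max_errors:       # count exceeds the set value
                self.locked = True                  # stands in for the lock command to the BMC
                return "locked"
            return "bad_password"
        self.errors = 0  # assumption: a correct password clears the error count
        self.delivered.append(xor_bytes(ct, keystream(key, nonce, len(ct))))
        return "forwarded"


if __name__ == "__main__":
    unit = EncryptionDecryptionUnit(max_errors=2)
    wire = encapsulate(SAMPLE_IPMI, "operator-secret")
    for pw in ("guess1", "guess2", "guess3", "operator-secret"):
        print(pw, "->", unit.receive(wire, pw))
```

The two states a defender cares about are visible in the return values: a wrong password never reaches the BMC, and once the error count passes the set value the unit answers `locked` even to the correct password, which is the patent's "locking and self-destruction" behaviour. A plain message is forwarded untouched, matching the second encryption type in the claims.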
CN201810962759.6A 2018-08-22 2018-08-22 Safety method and system based on IPMI encryption module Active CN109067757B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810962759.6A CN109067757B (en) 2018-08-22 2018-08-22 Safety method and system based on IPMI encryption module

Publications (2)

Publication Number Publication Date
CN109067757A CN109067757A (en) 2018-12-21
CN109067757B true CN109067757B (en) 2021-07-02

Family

ID=64755771

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810962759.6A Active CN109067757B (en) 2018-08-22 2018-08-22 Safety method and system based on IPMI encryption module

Country Status (1)

Country Link
CN (1) CN109067757B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110569484B (en) * 2019-09-09 2023-07-21 山东浪潮科学研究院有限公司 Method for determining coefficient of formula calculated by sensor reading and method for measuring physical quantity

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1649314A (en) * 2004-01-19 2005-08-03 英业达股份有限公司 SOL realizing method accorded with IPMI standard
CN101030880A (en) * 2006-03-03 2007-09-05 环达电脑(上海)有限公司 Multi-server management system and method

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080307502A1 (en) * 2007-06-07 2008-12-11 Aten International Co., Ltd. User message management methods and systems
US7792914B2 (en) * 2008-01-14 2010-09-07 Aten International Co., Ltd. Server with network-based remote access and server management functions using reduced number of network connections
CN104363117A (en) * 2014-11-04 2015-02-18 浪潮电子信息产业股份有限公司 Method for realizing serial port redirection based on IPMI
CN106446629A (en) * 2016-09-13 2017-02-22 中国电子科技集团公司第三十二研究所 Security encryption method and system for intelligent mobile terminal
US10616348B2 (en) * 2016-09-13 2020-04-07 American Megatrends International, Llc System and method for providing multiple IPMI serial over LAN (SOL) sessions in management controller stack
CN106657110B (en) * 2016-12-30 2020-12-04 北京奇虎科技有限公司 Encryption transmission method and device for streaming data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"A brief discussion of the IPMI standard"; 娄山林; 《科技浪潮》; 2007-03-15; p. 25 *

Also Published As

Publication number Publication date
CN109067757A (en) 2018-12-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant