CN109842596A - Secure network chip on network intermediary device - Google Patents


Info

Publication number: CN109842596A
Authority: CN (China)
Prior art keywords: data, packet, data packet, component, secure network
Prior art date:
Legal status: Pending
Application number: CN201711217818.9A
Other languages: Chinese (zh)
Inventors: 汪家祥, 张春龙, 陈宁
Current assignee: Zhongtian Aetna (beijing) Information Technology Co Ltd
Original assignee: Zhongtian Aetna (beijing) Information Technology Co Ltd
Priority date:
Filing date:
Publication date:
Application filed by Zhongtian Aetna (beijing) Information Technology Co Ltd; priority to CN201711217818.9A; publication of CN109842596A; legal status pending.
Abstract

The invention proposes a secure network chip for a network intermediary device. On the chip's uplink data channel, an encapsulation component and an encryption component are arranged in sequence along the direction of data transfer. The encapsulation component re-packages an ordinary data packet into a dedicated data packet, adding one or more items of feature data to it; the encryption component encrypts the data segment of the dedicated packet. By adding feature data, reconstructing the packet and encrypting it, the invention turns ordinary packets into dedicated packets, which avoids security problems while the dedicated packets traverse the network; by auditing and authenticating the feature data in a packet several times on reception, it ensures that a receiving device on the private network accepts only dedicated packets, which can block network attacks such as forged IP addresses and DoS flood attacks.

Description

Secure network chip on network intermediary device
Technical field
The invention belongs to the field of data and information security, and more particularly relates to a secure network chip on a network intermediary device.
Background technique
A network (wired or wireless) is the most important channel for data exchange between computing devices in modern technology. To protect the exchanged data, the market mostly applies security policies in software (encryption software). This approach noticeably affects the interactive performance of the computer: processing is slow and the CPU overhead is high. Secure hardware such as PCI/PCIe encryption network cards has therefore appeared in recent years, handling the data in hardware logic. A PCI/PCIe encryption card, however, is used as a host peripheral and can only be fitted to a host with a PCI or PCIe slot; notebooks and other network terminal devices without such a slot cannot use it, so its range of application is narrow. In addition, current security policies mostly address the prevention of information leakage (for example by encryption); the prior art lacks a technique that both resists network attacks and prevents leakage over the network.
Summary of the invention
In view of this, an object of the invention is a secure network chip on a network intermediary device, to solve the problems of the prior art regarding the security of the exchanged data and of the interacting devices.
In some illustrative embodiments, the secure network chip on the network intermediary device has, on its uplink data channel, an encapsulation component and an encryption component arranged in sequence along the direction of data transfer. The encapsulation component re-packages an ordinary data packet into a dedicated data packet, adding one or more items of feature data to it; the encryption component encrypts the data segment of the dedicated packet.
In some preferred embodiments, an uplink audit component is additionally provided on the uplink data channel at the stage before the encapsulation component; the uplink audit component examines the IP header of the ordinary packet and audits and authenticates the packet.
In some preferred embodiments, the feature data added to the dedicated packet are one or more of the following: a custom non-standard protocol number; a sequence number value and a sequence-number field that stores it; a checksum of the data field and a checksum field that stores it.
In some illustrative embodiments, the secure network chip on the network intermediary device has, on its downlink data channel, a decryption component and a decapsulation component arranged in sequence along the direction of data transfer. The decryption component decrypts the data segment of a packet; the decapsulation component checks one or more items of feature data in the decrypted packet, determines after the checks pass that the packet is a dedicated packet, and restores the dedicated packet to an ordinary packet.
In some preferred embodiments, a downlink audit component is additionally provided on the downlink data channel at the stage before the decryption component; the downlink audit component examines the IP header of the packet and audits and authenticates the packet.
In some preferred embodiments, the downlink audit component's examination of the IP header to audit and authenticate the packet includes checking whether the protocol number in the packet's IP header is the custom non-standard protocol number.
In some preferred embodiments, the decapsulation component's check of one or more items of feature data in the decrypted packet includes checking one or more of the following: the sequence number value and the sequence-number field that stores it; the checksum of the data field and the checksum field that stores it.
In some illustrative embodiments, the secure network chip on the network intermediary device has, on its uplink data channel, an encapsulation component and an encryption component arranged in sequence along the direction of data transfer, the encapsulation component re-packaging an ordinary data packet into a dedicated data packet to which one or more items of feature data are added, and the encryption component encrypting the data segment of the dedicated packet; and, on its downlink data channel, a decryption component and a decapsulation component arranged in sequence along the direction of data transfer, the decryption component decrypting the data segment of a packet, and the decapsulation component checking one or more items of feature data in the decrypted packet, determining after the checks pass that the packet is a dedicated packet, and restoring the dedicated packet to an ordinary packet.
In some preferred embodiments, an uplink audit component is additionally provided on the uplink data channel at the stage before the encapsulation component, which examines the IP header of the ordinary packet and audits and authenticates it; and a downlink audit component is additionally provided on the downlink data channel at the stage before the decryption component, which examines the IP header of the packet and audits and authenticates it.
In some preferred embodiments, the secure network chip further includes a first MAC chip and a second MAC chip located at the two ends of the uplink and downlink data channels, which convert between data packets and data frames.
Another object of the invention is to propose a network intermediary device, to solve the problems of the prior art.
In some illustrative embodiments, the network intermediary device (a secure network board) has the secure network chip described above and two PHY chips connected respectively to the first MAC chip and the second MAC chip, which convert between data frames and bit streams.
Compared with the prior art, the invention has the following advantages:
By adding feature data, reconstructing the packet and encrypting it, the invention turns ordinary packets into dedicated packets, which avoids security problems while the dedicated packets traverse the network; by auditing and authenticating the feature data in a packet several times on reception, it ensures that a receiving device on the private network accepts only dedicated packets, which can block network attacks such as forged IP addresses and DoS flood attacks.
Detailed description of the invention
The drawings described here are provided for a further understanding of the invention and form part of the application; the illustrative embodiments of the invention and their description serve to explain the invention and do not improperly limit it. In the drawings:
Fig. 1 is a structural schematic diagram of a first example of the secure network chip of the invention;
Fig. 2 is a structural schematic diagram of a second example of the secure network chip of the invention;
Fig. 3 is a structural schematic diagram of a third example of the secure network chip of the invention;
Fig. 4 is a logical schematic diagram of the secure network chip of the invention;
Fig. 5 is a structural schematic diagram of the network intermediary device of the invention;
Fig. 6 is a structural schematic diagram of the secure network system of the invention;
Fig. 7 is a structural schematic diagram of a first example of the key generation component of the invention;
Fig. 8 is a structural schematic diagram of a second example of the key generation component of the invention;
Fig. 9 is a structural schematic diagram of a third example of the key generation component of the invention;
Specific embodiment
The following description and drawings fully show specific embodiments of the invention so that those skilled in the art can practise them. Other embodiments may include structural, logical, electrical, process and other changes. The embodiments only represent possible variations. Unless explicitly required, individual components and functions are optional, and the order of operations may vary. Parts and features of some embodiments may be included in, or substituted for, parts and features of other embodiments. The scope of the embodiments of the invention includes the entire scope of the claims and all available equivalents of the claims. Herein, these embodiments may be referred to individually or collectively by the term "invention"; this is for convenience only, and if more than one invention is in fact disclosed it is not meant to limit the scope of the application automatically to any single invention or inventive concept.
In the following detailed description, numerous specific details are set out to provide a thorough understanding of the invention. Those skilled in the art will understand, however, that the invention can be practised without these specific details. To avoid unnecessarily obscuring the main idea of the invention, well-known methods, processes, components, structures, circuits and other features are not described in detail.
As used in the claims, unless otherwise noted, the ordinal adjectives "first", "second", "third" and so on used to describe elements/structures/signals/data only indicate a particular instance of an element/structure/signal/data, or different instances of similar ones, and do not imply that the elements so described must be in a particular sequence (temporal, spatial or otherwise).
The terms "communication uplink data" and "communication downlink data" are defined relative to a stand-alone network device (a non-intermediary device that supports communication and has functions such as sending and receiving, storing and using data, for example a terminal PC or a server): "communication uplink data" is the data the device sends out, and "communication downlink data" is the data the device receives. The term "dedicated network" refers to the network devices that exchange data with each other; for example, if a terminal PC and a server interact by the method shown in the embodiments of the invention, then the terminal PC and the server together constitute a dedicated network of those two devices.
The term "uplink data channel" refers to the path along which communication uplink data undergoes each processing step, and "downlink data channel" to the path along which communication downlink data undergoes each processing step.
Referring now to Fig. 1, which shows a structural schematic diagram of a first example of the secure network chip on a network intermediary device: on the uplink data channel of secure network chip 100, an encapsulation component 110 and an encryption component 120 are arranged in sequence along the direction of data transfer. Encapsulation component 110 re-packages an ordinary data packet into a dedicated data packet, adding one or more items of feature data to it; encryption component 120 encrypts the data segment of the dedicated packet.
In the embodiment above, an uplink audit component 130 is additionally provided on the uplink data channel at the stage before encapsulation component 110; uplink audit component 130 examines the IP header of the ordinary packet and audits and authenticates the packet.
The feature data added to the dedicated packet built by encapsulation component 110 in the embodiment above are one or more of the following: a custom non-standard protocol number; a sequence number value and a sequence-number field that stores it; a checksum of the data field and a checksum field that stores it.
The custom non-standard protocol number can be used to distinguish dedicated packets from ordinary packets, the sequence number value to detect repeated packets, and the checksum to check the integrity of the packet. The original protocol number can be placed in the data segment of the packet and, once the receiver's authentication has passed, be parsed out and written back into the IP header of the packet.
Referring now to Fig. 2, which shows a structural schematic diagram of a second example of the secure network chip on a network intermediary device: on the downlink data channel of secure network chip 200, a decryption component 210 and a decapsulation component 220 are arranged in sequence along the direction of data transfer. Decryption component 210 decrypts the data segment of a packet; decapsulation component 220 checks one or more items of feature data in the decrypted packet, determines after the checks pass that the packet is a dedicated packet, and restores the dedicated packet to an ordinary packet.
In the embodiment above, a downlink audit component 230 is additionally provided on the downlink data channel at the stage before decryption component 210; downlink audit component 230 examines the IP header of the packet and audits and authenticates the packet.
The examination of the IP header by downlink audit component 230 in the embodiment above, when auditing and authenticating the packet, includes checking whether the protocol number in the packet's IP header is the custom non-standard protocol number, so as to discriminate whether the received packet is a dedicated packet.
The check of one or more items of feature data in the decrypted packet by decapsulation component 220 in the embodiment above includes checking one or more of the following: the sequence number value and the sequence-number field that stores it; the checksum of the data field and the checksum field that stores it.
In the embodiment above, the custom non-standard protocol number can be used to distinguish dedicated packets from ordinary packets, the sequence number value to detect repeated packets, and the checksum to check the integrity of the packet.
Referring now to Fig. 3, which shows a structural schematic diagram of a third example of the secure network chip on a network intermediary device: on the uplink data channel of secure network chip 300, an encapsulation component 110 and an encryption component 120 are arranged in sequence along the direction of data transfer, encapsulation component 110 re-packaging an ordinary data packet into a dedicated data packet to which one or more items of feature data are added, and encryption component 120 encrypting the data segment of the dedicated packet; and on the downlink data channel of secure network chip 300, a decryption component 210 and a decapsulation component 220 are arranged in sequence along the direction of data transfer, decryption component 210 decrypting the data segment of a packet, and decapsulation component 220 checking one or more items of feature data in the decrypted packet, determining after the checks pass that the packet is a dedicated packet, and restoring the dedicated packet to an ordinary packet.
In the embodiment above, an uplink audit component 130 is additionally provided on the uplink data channel at the stage before encapsulation component 110, which examines the IP header of the ordinary packet and audits and authenticates it; and a downlink audit component 230 is additionally provided on the downlink data channel at the stage before decryption component 210, which examines the IP header of the packet and audits and authenticates it.
Secure network chip 300 in the embodiment above further includes a first MAC (Media Access Control) chip 310 and a second MAC chip 320 located at the two ends of the uplink and downlink data channels, which convert between data packets and data frames.
By adding feature data, reconstructing the packet and encrypting it, the invention turns ordinary packets into dedicated packets, which avoids security problems while the dedicated packets traverse the network; by auditing and authenticating the feature data in a packet several times on reception, it ensures that a receiving device on the private network accepts only dedicated packets, which can block network attacks such as forged IP addresses and DoS flood attacks.
As shown in Fig. 4, the components of the embodiments of Figs. 1 to 3 can implement the following steps/functions/operations:
Uplink/downlink audit component
The audit module can implement the network-unit access-control function.
Uplink processing direction (from the non-encrypted network port towards the encrypted network port): the uplink audit component parses the uplink packet and looks up the access-control list to determine whether the destination IP address is in the list. On a hit, the packet is passed to the encapsulation module and the key corresponding to the destination IP address is read and passed to the downstream encryption module; on a miss, the packet is cached and the CPU is notified to start the authentication process.
Downlink processing direction (from the encrypted network port towards the non-encrypted network port): the downlink audit component parses the downlink packet and looks up the access-control list to determine whether the source IP address is in the list. On a hit, the packet is passed to the decapsulation module and the key corresponding to the source IP address is read and passed to the downstream decryption module; on a miss, the packet is discarded.
Encapsulation/decapsulation component
The encapsulation/decapsulation module implements data-integrity checking, duplicate-packet rejection and resistance to network attacks.
Uplink processing direction: the encapsulation module prevents duplicate packets by adding a sequence-number field. It first looks up the sequence-number table by destination IP address, reads the sequence value from the table and adds one to obtain the sequence number of this packet, then writes this packet's sequence number back into the table. The encapsulation module then computes the hash of the packet's IP header and sequence-number field, adds that hash to the packet, and outputs the packet to the encryption module.
Downlink processing direction: the decapsulation module receives the decrypted packet from the decryption module and extracts the sequence-number and hash field values from it, then looks up the sequence-number table by destination IP address. If the sequence value read from the table is identical to the sequence field value extracted from the packet, the packet is judged a duplicate and discarded; otherwise the module computes the hash of the packet's IP header and sequence-number field and compares it with the hash field extracted from the packet, discarding the packet if they differ and otherwise forwarding it to the next stage. The anti-network-attack function is likewise implemented by checking the sequence-number and hash field values, which filters out packets from unauthenticated devices, flood-attack packets, IP-spoofing packets and the like.
Encryption/decryption component
Uplink processing direction: the encryption module encrypts the uplink packet using the 128-bit AES algorithm; the encryption key is obtained by the audit module's lookup of the key table.
Downlink processing direction: the decryption module decrypts the downlink packet using the 128-bit AES algorithm; the decryption key is obtained by the audit module's lookup of the key table.
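The uplink and downlink pipelines described above (audit, encapsulation, encryption on the way out; audit, decryption, decapsulation on the way in), as an added software model that is not part of the patent or of any product of the assignee. Everything concrete in it is an assumption: the dedicated protocol number 253 (an IANA experimental value; the page fixes none), the data-segment layout (original protocol number, sequence number, digest, payload), SHA-256 as the "HASH", a per-packet random nonce, HMAC-SHA256 in counter mode standing in for the chip's 128-bit AES (which Python's standard library lacks), and the names `SecureChip`, `Packet`, `uplink` and `downlink`. The digest covers the data field as well as the IP header and sequence number, as the checksum of the data field in the summary requires, and the replay test demands that the sequence number advance rather than merely differ from the last value, which also catches replays of older packets.

```python
"""Software model of the chip pipeline: audit -> encapsulate -> encrypt on uplink,
audit -> decrypt -> decapsulate on downlink. Added example, not the patent's code."""
import hashlib
import hmac
import secrets
import socket
import struct
from dataclasses import dataclass

# Custom non-standard protocol number in the IP header of a dedicated packet.
# Assumption: the page fixes no value; 253 is an IANA experimental number.
DEDICATED_PROTO = 253
SEQ_FMT = ">BI"       # original protocol number (1 byte) + sequence number (4 bytes)
DIGEST_LEN = 32
NONCE_LEN = 12


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes     # the IP "data segment"


def _header_bytes(src: str, dst: str, proto: int) -> bytes:
    """IP header fields the digest covers: source, destination, original protocol."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + bytes([proto])


def _digest(src, dst, proto, seq, payload) -> bytes:
    """Unkeyed digest over header fields, sequence number and data field (assumed SHA-256)."""
    return hashlib.sha256(_header_bytes(src, dst, proto) + struct.pack(">I", seq) + payload).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for the chip's 128-bit AES: HMAC-SHA256 run in counter mode.
    A real build would put AES (ideally an authenticated mode) here."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_segment(key: bytes, segment: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)   # per-packet nonce; the page does not specify IV handling
    return nonce + bytes(a ^ b for a, b in zip(segment, _keystream(key, nonce, len(segment))))


def decrypt_segment(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class SecureChip:
    """One chip in front of one host; `acl` maps peer IP -> 16-byte key (the key table)."""

    def __init__(self, acl: dict):
        self.acl = dict(acl)
        self.tx_seq = {}   # destination IP -> last sequence number sent
        self.rx_seq = {}   # source IP -> highest sequence number accepted

    def uplink(self, pkt: Packet):
        # Uplink audit: destination must be in the access-control list.
        key = self.acl.get(pkt.dst)
        if key is None:
            return None    # page: cache and let the CPU authenticate; modelled as a drop
        # Encapsulation: next per-destination sequence number; original protocol
        # number, sequence number and digest move into the data segment.
        seq = self.tx_seq.get(pkt.dst, 0) + 1
        self.tx_seq[pkt.dst] = seq
        segment = (struct.pack(SEQ_FMT, pkt.proto, seq)
                   + _digest(pkt.src, pkt.dst, pkt.proto, seq, pkt.payload)
                   + pkt.payload)
        # Encryption of the data segment; the header now carries the custom protocol number.
        return Packet(pkt.src, pkt.dst, DEDICATED_PROTO, encrypt_segment(key, segment))

    def downlink(self, pkt: Packet):
        # Downlink audit: custom protocol number, and a source that is in the ACL.
        if pkt.proto != DEDICATED_PROTO:
            return None
        key = self.acl.get(pkt.src)
        if key is None:
            return None    # unknown or spoofed source: discarded
        segment = decrypt_segment(key, pkt.payload)
        hdr_len = struct.calcsize(SEQ_FMT)
        if len(segment) < hdr_len + DIGEST_LEN:
            return None
        proto, seq = struct.unpack(SEQ_FMT, segment[:hdr_len])
        digest = segment[hdr_len:hdr_len + DIGEST_LEN]
        payload = segment[hdr_len + DIGEST_LEN:]
        # Decapsulation checks: sequence must advance (replay), then digest must match.
        if seq <= self.rx_seq.get(pkt.src, 0):
            return None
        if not hmac.compare_digest(digest, _digest(pkt.src, pkt.dst, proto, seq, payload)):
            return None
        self.rx_seq[pkt.src] = seq
        return Packet(pkt.src, pkt.dst, proto, payload)   # original protocol number restored
```

Two points a practitioner would settle before building this: the page leaves the AES mode and IV handling unspecified, and its digest is unkeyed, so resistance to tampering rests entirely on the cipher; an authenticated mode, or a keyed MAC over header, sequence number and payload, is what closes that gap. The model also simplifies the uplink miss to a drop, where the chip caches the packet and hands it to the CPU for authentication.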
Referring now to Fig. 5, which shows a network intermediary device: it has the secure network chip proposed in the embodiment of Fig. 4, and a first PHY chip 330 and a second PHY chip 340 connected respectively to the first MAC chip 310 and the second MAC chip 320, which convert between data frames and bit streams. PHY chip 330 and PHY chip 340 are each also connected to a network interface (such as an RJ45 port); one end can be connected by cable to a computing device (a desktop computer, portable computer, etc.) and the other end by cable to an external network device (a router, gateway, switch, etc.).
The secure network chip of the embodiments of the invention (for example secure network chip 300) is placed on the network interface of a computing device: data uploaded by the computing device must pass through the secure network chip before it can be sent over the network to its target device, and data downloaded by the computing device must likewise pass through the secure network chip before it can enter the computing device. Thus, without changing the computing device itself, a stand-alone secure network chip external to the device converts ordinary network data into private-network data during transmission, which prevents the data from being obtained by others and prevents other people's data from entering a computing device fitted with the chip, realising a private-network security mechanism on top of a general-purpose network. Fig. 6 shows a network system built with the secure network chips: in this system computing device A is fitted with security bridge a and computing device B with security bridge b (each having the structure of Fig. 5). Network data that computing device A sends to computing device B is, inside the modules of device A, formed into a data segment, packed into a packet, framed, and finally converted into a bit stream; that bit stream enters security bridge a, where it is converted back into a frame and unpacked into a packet; bridge a audits the information in the packet, and after the audit passes encapsulates the packet into a dedicated packet, frames it, converts it into a bit stream and sends it towards computing device B. The network data to be received by computing device B is first picked up by security bridge b, converted into a frame and unpacked into a packet; the information in the packet (such as the IP address, the newly added protocol number, the sequence number value and the checksum) is audited in the same way; when the audit passes, the packet is decapsulated into the original packet, framed, converted into a bit stream and enters computing device B.
For above-mentioned encryption/decryption component, the invention also provides a kind of preferred embodiments-in phy chip Key generation component.
It shows in the present invention referring now to Fig. 7, Fig. 7 for the first exemplary of the key generation component in phy chip Structural schematic diagram discloses a kind of key generation component 400 in phy chip as shown in the drawing, which can wrap Include randomizer 410, burning unit 420, OTP (One Time Programmab le, One Time Programmable) storage list Member 430 and cryptologic unit 440.Key generation component 400 may also include any other circuit not shown in FIG. 1, Structure or logic.The other embodiments of component 400 may include whole, certain in the unit for being shown in FIG. 1 or describing or not have Have.
Randomizer 410 can be indicated for receiving enable signal (the first signal) and generating one or more groups of random Several any circuit, structure or other hardware, for example, generator 110 enable port receive high level signal after start, produce Raw one group 128 or 256 binary system random numbers, i.e., such as 010101011001 ....Preferably, generator 410 generates The digit of random number is chosen between 32-256.
Burning unit 420 can be indicated for executing the operation of the burned OTP module of random number caused by generator 410 Any circuit, structure or other hardware;Preferably, the dedicated core of X-FAB manufacturer burning produced can be used in burning unit 420 Piece.
OTP memory cell 430 may include several fuses or other one time programmings storage equipment, it may include any quantity Position, these positions can by special fuse OTP technique carry out assignment solidification, can be used for solidifying produced by randomizer 410 Encoded radio and/or other values for indicating data or state.Preferably, the fuse of 0.18um or less unit can be used in fuse.
Cryptologic unit 440 is represented by by any circuit, the knot of rivest, shamir, adelman (such as ECC algorithm) hypostazation Structure or other hardware, the interface for having access OTP memory cell 430, receiving control signal, transmitting-receiving data flow, externally export Data flow may include data flow after decryption, encrypted data flow, the data flow after signature, after sign test data flow and The public key used is matched with private key.Further, the executable following operation of cryptologic unit 440:
Control signal (second signal) is received, access OTP module obtains private key, generates and match the public affairs used with the private key Key, and export the public key;
Control signal (third signal) is received, access OTP module obtains private key and selects corresponding encryption/decryption algorithm, right The data flow received carries out encryption/decryption process;
Wherein, it may include Encryption Control Signal and decryption control signal in the control signal, believe when receiving control extension After number, access OTP module obtains private key and constitutes corresponding encryption logic, carries out at encryption to the data flow of input Reason, and export encrypted data flow;After receiving decryption control signal, access OTP module obtains private key and constitutes phase The data flow of input is decrypted in the decryption logic answered, and exports the data flow after decryption.
Control signal (fourth signal) is received, access OTP module obtains private key and carries out signature/sign test processing;
Wherein, it may include signature control signal and sign test control signal in the control signal, control letter when receiving signature After number, access OTP module obtains private key and carries out signature processing to the data flow of input, and exports the data flow after signature. After receiving sign test control signal, access OTP module obtains private key and carries out sign test processing to the data flow of input, and defeated Data flow after sign test out.
Portion is generated the private key in key generation component in the present invention by unpredictable random number in the chip, then In burned OTP module, private key value and chip exterior without any relationship and interaction, guarantee private key exclusive property and can not the property found out, Component external, which either develops designer or attack personnel, can not know private key, to ensure the safety of private key and reliable Property.Furthermore OTP module is only exported to cryptologic unit, and cryptologic unit only to component external output public key, plaintext, Ciphertext, signature and sign test data, private key are from start to finish exported without normal direction component external during use, are further ensured The safety and reliability of private key.It is more again exactly that can prevent attacker from passing through by choosing 0.18um unit fuse below Reverse engineering cracks, and further increases safety.
Fig. 8 shows the second example in the present invention for the key generation component in phy chip, and the example is Fig. 7's On the basis of increase converting unit 450, converting unit 450 can be indicated for carrying out again to private key cured in OTP module 430 Any circuit, structure or other hardware of variation, can be by the original of private key cured in OTP module 430 by the converting unit 450 Initial value is converted into the actual value of private key used in cryptologic unit 440, and the variation logic of converting unit 450 is certain , therefore the actual value of private key used in cryptologic unit 440 is also unique and constant.The present invention passes through increase Converting unit 450 changes private key again, can improve the cost that private key is cracked again.
Fig. 9 shows a third example of the key generation component in the physical chip according to the present invention. Building on Fig. 7, this example adds a volatile memory cell 460. The volatile memory cell 460 may represent any kind of storage device for holding the encoded values first generated by the random number generator 410, and may include any number of data registers, command registers, status registers, configuration registers, control registers, other programmable or hard-coded registers or register groups, or any other storage structure. The volatile memory cell 460 can temporarily store the encoded values produced by the random number generator 410: for example, the random number generator 410 generates several groups of random encoded values in sequence, and the volatile memory cell 460 caches each group as it is generated, computing and shifting during the process until the final complete encoded value is obtained. By adding the volatile memory cell 460, the present invention relaxes the selection requirements on the random number generator, allowing a generator with fewer output bits and a smaller footprint, and thereby reduces the actual physical area of the whole component and of the physical chip.
Those skilled in the art should also appreciate that the various illustrative logical blocks, modules, circuits and algorithm steps described in conjunction with the embodiments herein may be implemented as electronic hardware, computer software or a combination of both. To clearly illustrate this interchangeability of hardware and software, the various illustrative components, blocks, modules, circuits and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or as software depends on the specific application and on the design constraints imposed on the overall system. Those skilled in the art may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as a departure from the scope of protection of this disclosure.
The above description of the embodiments is intended only to help understand the method of the present invention and its core ideas. At the same time, those of ordinary skill in the art, following the ideas of the present invention, will make changes in the specific implementation and in the scope of application. In conclusion, the contents of this specification are not to be construed as limiting the invention.

Claims (11)

1. A secure network chip on a network intermediary device, characterized in that a packaging component and an encryption component are disposed in sequence, along the direction of data transfer, on the uplink data channel of the secure network chip;
the packaging component is configured to re-package a regular data packet into a dedicated packet, wherein one or more items of feature data are added to the dedicated packet;
the encryption component is configured to encrypt the data segment of the dedicated packet.
2. The secure network chip according to claim 1, characterized in that an uplink audit component is further provided in the stage preceding the packaging component on the uplink data channel;
the uplink audit component is configured to examine the IP header of the regular data packet and perform audit authentication on the regular data packet.
3. The secure network chip according to claim 1, characterized in that the feature data added to the dedicated packet are one or more of the following:
a customized non-standard protocol number;
a sequence number value and a sequence number field storing the sequence number value;
a checksum of the data field and a checksum field storing the checksum.
4. A secure network chip on a network intermediary device, characterized in that a decryption component and a de-packaging component are disposed in sequence, along the direction of data transfer, on the downlink data channel of the secure network chip;
the decryption component is configured to decrypt the data segment of a data packet;
the de-packaging component is configured to test one or more items of feature data in the decrypted data packet, to determine the data packet to be a dedicated packet once the test passes, and to restore the dedicated packet to a regular data packet.
5. The secure network chip according to claim 4, characterized in that a downlink audit component is further provided in the stage preceding the decryption component on the downlink data channel;
the downlink audit component is configured to examine the IP header of the data packet and perform audit authentication on the data packet.
6. The secure network chip according to claim 5, characterized in that, when the downlink audit component examines the IP header of the data packet and performs audit authentication on the data packet, this comprises:
examining whether the protocol number in the IP header of the data packet is the customized non-standard protocol number.
7. The secure network chip according to claim 4, characterized in that, when the de-packaging component tests one or more items of feature data in the decrypted data packet, it tests one or more of the following items of feature data:
a sequence number value and a sequence number field storing the sequence number value;
a checksum of the data field and a checksum field storing the checksum.
8. A secure network chip on a network intermediary device, characterized in that a packaging component and an encryption component are disposed in sequence, along the direction of data transfer, on the uplink data channel of the secure network chip;
the packaging component is configured to re-package a regular data packet into a dedicated packet, wherein one or more items of feature data are added to the dedicated packet;
the encryption component is configured to encrypt the data segment of the dedicated packet;
and a decryption component and a de-packaging component are disposed in sequence, along the direction of data transfer, on the downlink data channel of the secure network chip;
the decryption component is configured to decrypt the data segment of a data packet;
the de-packaging component is configured to test one or more items of feature data in the decrypted data packet, to determine the data packet to be a dedicated packet once the test passes, and to restore the dedicated packet to a regular data packet.
9. The secure network chip according to claim 8, characterized in that an uplink audit component is further provided in the stage preceding the packaging component on the uplink data channel;
the uplink audit component is configured to examine the IP header of the regular data packet and perform audit authentication on the regular data packet;
and
a downlink audit component is further provided in the stage preceding the decryption component on the downlink data channel;
the downlink audit component is configured to examine the IP header of the data packet and perform audit authentication on the data packet.
10. The secure network chip according to claim 9, characterized in that it further comprises a first MAC chip and a second MAC chip located at the two ends of the uplink data channel and the downlink data channel, for realizing conversion between data packets and data frames.
11. A network intermediary device, characterized in that it has the secure network chip according to claim 10, and two PHY chips connected respectively to the first MAC chip and the second MAC chip, for realizing conversion between data frames and bit streams.
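The uplink and downlink paths of claims 1 to 7, modelled in Python as an added example (this is not code from the patent or from the applicant). It assumes IPv4 packets with a 20-byte header, the placeholder value 0xFD for the customized non-standard protocol number, a 4-byte sequence number and a CRC-32 of the data field as the feature data, the original protocol byte carried inside the encrypted segment so the regular packet can be restored, and an HMAC-SHA256 counter-mode keystream standing in for the encryption component, whose cipher the claims leave unspecified.

```python
import hashlib, hmac, os, struct, zlib

DEDICATED_PROTO = 0xFD          # placeholder for the customised non-standard protocol number
KEY = b"constructed-shared-key"  # constructed key shared by the two secure network chips

def ip_checksum(hdr):
    """Standard IPv4 header checksum (RFC 791), computed with the checksum field zeroed."""
    s = sum(struct.unpack(">10H", hdr[:10] + b"\0\0" + hdr[12:20]))
    s = (s & 0xFFFF) + (s >> 16)
    return (~((s & 0xFFFF) + (s >> 16))) & 0xFFFF

def rewrite_header(hdr, proto, payload_len):
    """Set protocol and total length in a 20-byte IPv4 header and refresh its checksum."""
    h = bytearray(hdr[:20])
    struct.pack_into(">H", h, 2, 20 + payload_len)
    h[9] = proto
    struct.pack_into(">H", h, 10, ip_checksum(bytes(h)))
    return bytes(h)

def keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: a stand-in for the cipher the claims leave unspecified."""
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def encapsulate(regular_pkt, seq, key=KEY):
    """Uplink (claims 1, 3): add protocol number, sequence number and CRC-32 of the data field,
    then encrypt the data segment; the original protocol byte rides inside it (an assumption)."""
    hdr, data = regular_pkt[:20], regular_pkt[20:]
    segment = struct.pack(">BII", hdr[9], seq, zlib.crc32(data)) + data
    nonce = os.urandom(8)  # per-packet nonce, sent in clear ahead of the ciphertext
    enc = nonce + bytes(a ^ b for a, b in zip(segment, keystream(key, nonce, len(segment))))
    return rewrite_header(hdr, DEDICATED_PROTO, len(enc)) + enc

def downlink_audit(pkt):
    """Downlink audit (claims 5, 6): pass only a well-formed header with the custom protocol number."""
    return (len(pkt) >= 37 and pkt[9] == DEDICATED_PROTO   # 37 = header + nonce + feature block
            and struct.unpack(">H", pkt[10:12])[0] == ip_checksum(pkt[:20]))

def decapsulate(pkt, expected_seq, key=KEY):
    """Downlink (claims 4, 7): decrypt, test sequence number and checksum, restore the regular
    packet; any failure rejects (None). CRC-32 under a stream cipher is an integrity check, not a MAC."""
    if not downlink_audit(pkt):
        return None
    hdr, nonce, enc = pkt[:20], pkt[20:28], pkt[28:]
    segment = bytes(a ^ b for a, b in zip(enc, keystream(key, nonce, len(enc))))
    proto, seq, crc = struct.unpack(">BII", segment[:9])
    if seq != expected_seq or zlib.crc32(segment[9:]) != crc:
        return None
    return rewrite_header(hdr, proto, len(segment) - 9) + segment[9:]
```

A packet whose protocol field is not the custom number never reaches the decryption stage, and a dedicated packet with a replayed sequence number or an altered data field is dropped by the de-packaging step.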
CN201711217818.9A 2017-11-28 2017-11-28 Secure network chip on network intermediary device Pending CN109842596A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711217818.9A CN109842596A (en) 2017-11-28 2017-11-28 Secure network chip on network intermediary device

Publications (1)

Publication Number Publication Date
CN109842596A true CN109842596A (en) 2019-06-04

Family

ID=66881239

Country Status (1)

Country Link
CN (1) CN109842596A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1191736A2 (en) * 2000-09-25 2002-03-27 Broadcom Corporation E-commerce security processor alignment logic
CN200962604Y (en) * 2006-09-14 2007-10-17 北京科东电力控制系统有限责任公司 Vertical encryption authentication gateway device special for power
CN104954222A (en) * 2015-05-22 2015-09-30 东南大学 Tunnel-mode ESP (electronic stability program) hardware encapsulating device on basis of IPSEC (internet protocol security) protocols
CN105656883A (en) * 2015-12-25 2016-06-08 冶金自动化研究设计院 Unidirectional transmission internal and external network secure isolating gateway applicable to industrial control network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (Application publication date: 20190604)