CN110166240B - Network isolation password board card - Google Patents
Network isolation password board card Download PDFInfo
- Publication number
- CN110166240B CN110166240B CN201910554982.1A CN201910554982A CN110166240B CN 110166240 B CN110166240 B CN 110166240B CN 201910554982 A CN201910554982 A CN 201910554982A CN 110166240 B CN110166240 B CN 110166240B
- Authority
- CN
- China
- Prior art keywords
- chip
- expansion memory
- fpga
- isolation
- security
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000002955 isolation Methods 0.000 title claims abstract description 101
- 230000015654 memory Effects 0.000 claims abstract description 90
- 238000004891 communication Methods 0.000 claims abstract description 35
- 238000012546 transfer Methods 0.000 claims abstract description 8
- 238000013461 design Methods 0.000 claims description 4
- 230000005540 biological transmission Effects 0.000 abstract description 8
- 238000000034 method Methods 0.000 description 8
- 238000005516 engineering process Methods 0.000 description 5
- 230000017525 heat dissipation Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 238000012795 verification Methods 0.000 description 4
- 230000009471 action Effects 0.000 description 3
- 238000005336 cracking Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 238000013475 authorization Methods 0.000 description 2
- 230000033228 biological regulation Effects 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 230000002085 persistent effect Effects 0.000 description 2
- 230000002265 prevention Effects 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 239000002131 composite material Substances 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 1
- 238000010438 heat treatment Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 238000013021 overheating Methods 0.000 description 1
- 238000005192 partition Methods 0.000 description 1
- 238000010248 power generation Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The application discloses a network isolation password board card, which comprises a communication interface, an FPGA isolation exchange control chip, a security chip, a password algorithm chip, a first expansion memory and a second expansion memory; the safety chip is used for dispatching the FPGA to isolate and exchange data in the control chip, the first expansion memory and the second expansion memory; the FPGA isolation exchange control chip is used for carrying out data transfer among the communication interface, the security chip, the cryptographic algorithm chip and the first expansion memory; the first expansion memory is used for storing data sent by the FPGA isolation exchange control chip; the second expansion memory is used for storing data sent by the security chip; the network isolation password board card integrates the security chip, the FPGA isolation exchange control chip and the password algorithm chip, and an operating system of an upper computer is not needed to be used as a medium for data transmission, so that security accidents such as data leakage and the like caused by the fact that the operating system is cracked are fundamentally avoided, and the security and the reliability are improved.
Description
Technical Field
The invention relates to the technical field of power electronics, in particular to a network isolation password board card.
Background
The internal and external network exchange platform adopts a logic strong isolation and multi-level protection technology to realize the internal and external network isolation and effectively block various Internet viruses, trojan horses, worms and APT attacks (APT, advanced Persistent Threat, advanced persistent threat). Along with the rapid development of the application of the Internet and the enterprise information intranet, the application safety, such as the leakage prevention of sensitive information, the tamper prevention of internal and external network exchange data, the authorization of the internal and external network data exchange application and the like, and the content safety are increasingly paid attention to.
The national energy bureau 2014 issues information security protection technical schemes such as "security protection regulations of electric power monitoring systems", takes security partition, network special, transverse isolation and longitudinal encryption "as an overall security protection core strategy, and provides that each service system in four links of power generation, power transmission, power supply and power consumption must have corresponding information security protection. The isolation technology realizes network attack protection, the encryption technology realizes application authorization and data security, and the two are organically combined, so that a set of internal and external network security isolation technology system with network, application and data trinity security protection capability can be established.
In the prior art, referring to fig. 1, a network isolation board card and a cryptographic algorithm encryption card (national cryptographic algorithm encryption card) are separately arranged as two separate boards, encrypted communication of data between the two boards needs to be transmitted as a data transmission medium through an operating system of an upper computer, and the security degree of the operating system is far lower than that of the network isolation board card and the cryptographic algorithm encryption card, so that once the operating system is attacked or cracked, data leakage can be caused, and thus security accidents are caused.
Therefore, the invention aims to develop a network isolation password board card with higher security and reliability.
Disclosure of Invention
Therefore, the invention aims to provide a network isolation password board card, which improves the safety and the reliability. The specific scheme is as follows:
the network isolation password board card is characterized by comprising a communication interface, an FPGA isolation exchange control chip, a security chip, a password algorithm chip, a first expansion memory and a second expansion memory;
The communication interface, the FPGA isolation exchange control chip and the cryptographic algorithm chip are sequentially connected, the safety chip is connected with the FPGA isolation exchange control chip, the first expansion memory is respectively connected with the safety chip and the FPGA isolation exchange control chip, and the second expansion memory is connected with the safety chip;
The security chip is used for scheduling data in the FPGA isolation exchange control chip, the first expansion memory and the second expansion memory;
The FPGA isolation exchange control chip is used for carrying out data transfer among the communication interface, the security chip, the cryptographic algorithm chip and the first expansion memory;
The cipher algorithm chip is used for encrypting data;
The communication interface is used for establishing communication connection between the FPGA isolation exchange control chip and the upper computer;
the first expansion memory is used for storing data sent by the FPGA isolation exchange control chip;
The second expansion memory is used for storing data sent by the security chip.
Optionally, the communication interface is a PCIE X1 interface.
Optionally, the FPGA isolation exchange control chip comprises an SSX30-E chip, an HSM2-H2 chip and an HSM4-G2 chip.
Optionally, the device further comprises a power supply which is connected with the safety chip and used for supplying power.
Optionally, the power supply adopts a power supply grading design.
Optionally, a safety protection device is connected between the safety chip and the power supply and is respectively connected with the second expansion memory and the power supply and used for realizing weak current protection;
The safety protection device is used for detecting the voltage of the power supply, judging whether the voltage meets a preset safety threshold, and if not, sending a first protection signal to the second expansion memory;
The second expansion memory is further configured to empty locally stored data according to the first protection signal.
Optionally, the security protection device includes a physical protection sensor for detecting the integrity of the shell of the network isolation password board card, and the physical protection sensor is connected with the second expansion memory;
the physical protection sensor is used for acquiring the shell state information and sending a second protection signal to the second expansion memory according to the shell state information;
And the second expansion memory is further used for clearing the locally stored data according to the second protection signal.
Optionally, the system further comprises an indicator light connected with the security chip and used for indicating the working state of the network isolation password board card.
Optionally, the security chip includes a UART interface.
Optionally, the security chip includes a smart card interface;
the smart card interface is used for communicating with a smart card, and authentication data are transmitted between the security chip and the smart card.
The invention discloses a network isolation password board card, which comprises a communication interface, an FPGA isolation exchange control chip, a security chip, a password algorithm chip, a first expansion memory and a second expansion memory; the communication interface, the FPGA isolation exchange control chip and the cryptographic algorithm chip are sequentially connected, the safety chip is connected with the FPGA isolation exchange control chip, the first expansion memory is respectively connected with the safety chip and the FPGA isolation exchange control chip, and the second expansion memory is connected with the safety chip; the safety chip is used for dispatching the FPGA to isolate and exchange data in the control chip, the first expansion memory and the second expansion memory; the FPGA isolation exchange control chip is used for carrying out data transfer among the communication interface, the security chip, the cryptographic algorithm chip and the first expansion memory; the cipher algorithm chip is used for encrypting the data; the communication interface is used for establishing communication connection between the FPGA isolation exchange control chip and the upper computer; the first expansion memory is used for storing data sent by the FPGA isolation exchange control chip; and the second expansion memory is used for storing the data sent by the security chip.
The network isolation password board card integrates the security chip, the FPGA isolation exchange control chip and the password algorithm chip, and the security chip, the FPGA isolation exchange control chip and the password algorithm chip are sequentially connected for direct communication, an operating system of an upper computer is not required to be used as a medium for data transmission between the password algorithm chip and the security chip and between the upper computer and the FPGA isolation exchange control chip, so that security accidents such as data leakage caused by cracking of the operating system are fundamentally avoided, and the security and reliability are improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an integrated independent PCI encryption card in the prior art;
Fig. 2 is a schematic diagram of a network isolated password board card according to an embodiment of the present invention;
fig. 3 is a schematic diagram of another network isolated password card according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The embodiment of the invention discloses a network isolation password board card, which is shown in fig. 2, and comprises a communication interface 1, an FPGA (Field-Programmable gate array) isolation switching control chip 2, a security chip 3, a password algorithm chip 4, a first expansion memory 5 and a second expansion memory 6;
the communication interface 1, the FPGA isolation exchange control chip 2 and the cryptographic algorithm chip 4 are sequentially connected, the security chip 3 is connected with the FPGA isolation exchange control chip 2, the first expansion memory 5 is respectively connected with the security chip 3 and the FPGA isolation exchange control chip 2, and the second expansion memory 6 is connected with the security chip 3;
and the security chip 3 is used for dispatching the data in the FPGA isolation exchange control chip 2, the first expansion memory 5 and the second expansion memory 6.
Specifically, the security chip 3 can control the data transmission process of the FPGA isolation switch control chip 2, and can instruct the FPGA isolation switch control chip 2 to send data to the cryptographic algorithm chip 4 or to the first expansion memory 5, the security chip 3 obtains the encrypted data sent by the FPGA isolation switch control chip 2 from the first expansion memory 5 and forwards the encrypted data to the second expansion memory 6, the upper computers corresponding to the first expansion memory 5 and the second expansion memory are different, and the expansion memories accessed by the upper computers with different authorities are different, so that the encrypted data is isolated from one upper computer to another upper computer, and because the encrypted data are stored in two different storage expanders, the physical isolation is realized, and the security of the data is ensured; of course, the security chip 3 may receive the data acquisition request of the upper computer through the FPGA isolation switch control chip 2, and send the corresponding data in the first storage expander or the second storage expander to the upper computer, so as to complete the data transmission task.
Further, the security chip 3 may also obtain the working state of each device, and it is understood that when the security chip 3 interacts with each chip or device in the network isolation password board card, a corresponding interaction instruction is sent to implement an interaction function, which is not described herein.
The FPGA isolation exchange control chip 2 is used for carrying out data transfer among the communication interface 1, the security chip 3, the cryptographic algorithm chip 4 and the first expansion memory 5.
Specifically, after receiving the data to be encrypted sent by the upper computer through the communication interface 1, the FPGA isolation switch control chip 2 may split the data to be encrypted into a plurality of small data, and then send the plurality of small data to the cryptographic algorithm chip 4, so that the cryptographic algorithm chip 4 encrypts each small data, receives the plurality of encrypted small data returned by the cryptographic algorithm chip 4, that is, encrypted data, and then sends the encrypted data to the first expansion memory 5, so that the security chip 3 obtains the encrypted data from the first expansion memory.
And the cipher algorithm chip 4 is used for encrypting the data.
Specifically, the encryption algorithm chip 4 stores encryption information such as an encryption algorithm and a secret key, for example, the encryption algorithm chip 4 may store an identity authentication secret key, an SM1 encryption algorithm, an SM2 encryption algorithm, an SM3 encryption algorithm and an SM4 encryption algorithm, the encryption algorithm chip 4 may firstly perform hash verification on data sent by the FPGA isolation switch control chip 2 by using a hash algorithm, encrypt the data by using the encryption algorithm after the verification is passed, and send the encrypted data to the FPGA isolation switch control chip 2 after the encryption is completed.
Specifically, the cryptographic algorithm chip 4 may select a corresponding encryption algorithm to encrypt according to the type of data sent by the FPGA isolation switch control chip 2, where one encryption algorithm corresponds to one type of data.
Specifically, the cryptographic algorithm chip 4 can be connected with the FPGA isolation exchange control chip 2 through the LocalBus communication interface, so that direct physical communication connection among the cryptographic algorithm chip 4, the FPGA isolation exchange control chip 2 and the security chip 3 is realized, an operating system of an upper computer is not required to be used as a transmission medium of intermediate data, and safety accidents caused by cracking of the operating system are fundamentally avoided.
The communication interface 1 is used for establishing communication connection between the FPGA isolation exchange control chip 2 and the upper computer.
Specifically, the communication interface 1 is used for establishing a communication channel between the whole network isolation password board card and the upper computer, and a large amount of data of the network isolation password board card is interacted with the communication interface 1 and the upper computer through the FPGA isolation exchange control chip 2.
The first expansion memory 5 is used for storing data sent by the FPGA isolation switching control chip 2.
Specifically, the first expansion memory 5 is used as a memory for exchanging data between the security chip 3 and the FPGA isolation and exchange control chip 2, the FPGA isolation and exchange control chip 2 stores encrypted data into the first expansion memory 5, the security chip 3 can read the encrypted data stored in the FPGA isolation and exchange control chip 2 from the first expansion memory 5, and meanwhile, if the security chip 3 needs to send out the data in the second expansion memory 6, the data needs to be stored into the first expansion memory 5 as a transfer, so that the FPGA isolation and exchange control chip 2 can acquire the data from the first expansion memory 5.
The first expansion Memory 5 may be an SRAM (Static Random-Access Memory).
And a second expansion memory 6 for storing data transmitted from the security chip 3.
Specifically, the extended memory is introduced as a data transfer storage place, so that physical isolation between the data can be realized through the security chip 3 and the FPGA isolation exchange control chip 2, meanwhile, the data can be prevented from occupying the storage space of each chip, and the working efficiency of the chip is improved.
The second expansion memory 6 may be a FLASH memory.
Therefore, the security chip 3, the FPGA isolation exchange control chip 2 and the cryptographic algorithm chip 4 are integrated in the network isolation cryptographic board card, and are sequentially connected for direct communication, an operating system of an upper computer is not required to be used as a medium for data transmission between the cryptographic algorithm chip 4 and the security chip 3 and between the cryptographic algorithm chip 2 and the FPGA isolation exchange control chip 2, so that security accidents such as data leakage caused by cracking of the operating system are fundamentally avoided, and safety and reliability are improved.
It can be understood that the cryptographic service interface software design can be set according to the related regulations in GM/T0018-2012 "cryptographic device application interface Specification", and the applicable interfaces can include the above-mentioned communication interface 1, interfaces of each chip and each device.
In order to ensure the heat dissipation of the board card, as the board card is installed in the shell, the shell can be provided with a heat dissipation fan, and in order to ensure heat dissipation, the security chip 3, the FPGA isolation exchange control chip 2 and the cryptographic algorithm chip 4 can be correspondingly arranged at the corresponding positions of the heat dissipation fan of the shell, so that the heat of the high-heat-generation devices can be taken away as soon as possible.
Furthermore, the software or firmware design requirements of each device and chip in the embodiment of the invention all meet the GM/T0028-2014 requirements for cryptographic module security technology, wherein, when the security level is one, the security chip 3 can execute integrity check, and a single authentication code is adopted to perform integrity test, when the security level is two, the security chip 3 software and stirrups are executable codes, and a user cannot debug the security chip 3 through SFMI, HSMI and HFMI interfaces, and when the security level is three or four, the software and firmware are protected by using approved digital signatures.
The embodiment of the invention discloses a specific network isolation password board card, and compared with the previous embodiment, the technical scheme of the embodiment is further described and optimized. See fig. 3 for details:
specifically, the communication interface 1 may be a PCIE X1 interface.
The FPGA isolation exchange control chip 2 comprises an SSX30-E chip, an HSM2-H2 chip and an HSM4-G2 chip.
It can be understood that the network isolation password board card in the embodiment of the invention can also comprise a power supply 7 which is connected with the security chip 3 and used for supplying power; the power supply 7 may be designed in a power stage to prevent electromagnetic leakage.
Further, in order to realize weak current protection, a safety protection device 8 connected with the second expansion memory 6 and the power supply 7 respectively and used for realizing weak current protection may be included between the safety chip 3 and the power supply 7;
the safety protection device 8 is configured to detect a voltage of the power supply 7, determine whether the voltage meets a preset safety threshold, and if not, send a first protection signal to the second expansion memory 6;
The second expansion memory 6 is further configured to flush the locally stored data according to the first protection signal.
Specifically, when an external person wants to tap data, the external person needs to run a corresponding tap program, the load of each chip tends to be increased, and the required power becomes larger, if the power supply requirement is met, the voltage of the power supply 7 will be increased, so the safety protection device 8 detects whether the voltage of the power supply 7 is increased to exceed a preset safety threshold, if so, the chip can indicate that the excessive program is running, and a safety risk is possibly present, at this time, in order to prevent the data from being stolen, the safety protection device 8 can send a first protection signal to the second expansion memory 6, so that the second expansion memory 6 uses the own low-power singlechip to empty the local storage data according to the first protection signal, and the data is ensured not to be stolen, and of course, if the requirement is met, the first protection signal can also be sent to the first expansion memory 5 through the safety chip 3, so that the first expansion memory 5 also deletes the data.
Specifically, in order to prevent the network isolation password card from being broken by physical means to cause data loss, the safety protection device 8 may further include a physical protection sensor 81 for detecting the integrity of the shell of the network isolation password card, where the physical protection sensor 81 is connected to the second expansion memory 6;
A physical protection sensor 81, configured to acquire the shell status information, and send a second protection signal to the second expansion memory 6 according to the shell status information;
The second expansion memory 6 is further configured to flush the locally stored data according to the second protection signal.
Specifically, once the shell of the network isolation password card is damaged, the physical protection sensor 81 generates shell state information according to the change, so as to inform the second expansion memory 6 of deleting data, and the data can be transmitted to the first expansion memory 5 through the security chip 3.
Further, in order to protect the network isolation password card, the safety protection device 8 may further include a temperature detection circuit, detect the working temperature of the network isolation password card, once it is overheated, send a corresponding signal to the safety chip 3, and schedule each chip by the safety chip 3, for example, each chip may enter a low power consumption mode, reduce the heating value, or the safety chip 3 may be externally connected with an indicator light 82 to prompt the working state of the current network isolation password card, for example, a green light may represent everything is normal, a yellow light represents busy, a red light represents in a limit working state or fails, such as overheating, and a device fails.
Specifically, the security chip 3 may include a UART interface for communicating with an external device.
Further, for authentication of the user, the security chip 3 may also comprise a smart card interface;
Specifically, the smart card held by the user can communicate with the security chip 3 through the smart card interface, the security chip 3 will verify the verification information stored in the smart card, identify the user authority and the like, so that the user can only use the operation corresponding to the authority.
Meanwhile, part of keys such as a protection key and an identity authentication key can be stored in the smart card, and in particular, the network isolation password board card can comprise the protection key, the identity authentication key, a session key, a user key and a key encryption key; wherein,
The protection key is a first level key used to protect and manage the secondary and tertiary keys. The protection key may be composed of two components, one of which is stored in the security chip 3 and the other of which is stored in the smart card, and the two components are spliced and then subjected to hash operation to obtain the protection key.
The authentication key, the user key, and the key encryption key are secondary keys. The identity authentication key is a symmetric key and is used for authenticating the identity of the user, and the application system is not opened. The identification secret key can be stored in two places, namely, the encryption is stored in the cipher algorithm chip 4, and the plaintext is stored in the smart card, and the identification secret key in the smart card is protected by using a password and cannot be derived. When an operator logs in, the identity of the operator is authenticated using a method in a mechanism employing a symmetric encryption algorithm.
The user key is a public and private key pair, the user encryption key is a symmetric key, and an application system is opened to perform data encryption, signature verification and session key generation.
The session key is a tertiary key used to encrypt and decrypt session data.
Wherein, the management of the key should satisfy: the use of the device protection key and the device key is not open to the application system; after the key is generated, the key is stored in a safe area and is stored in an encrypted mode; all keys except the public key are provided with an access right control mechanism and are not opened to unauthorized users; the secret keys except the public key do not appear outside the network isolation cipher board card in a plaintext form; the key management operations support generating, importing, storing, backing up, restoring, and destroying the entire key storage period.
It can be appreciated that the device lifecycle states of the network isolated cryptographic board card include: factory state, initial state and ready state. The transfer and storage of state is maintained by the master.
Factory state: and the state when the main control firmware is just downloaded and the equipment has no sensitive safety parameters. The equipment is in the state just produced, or R1 is lost in the process of distribution and use, the destruction key is actively pressed, and the administrator destroys the equipment or the equipment can be converted into the factory state after the maintainer logs in.
The initial assembly state is as follows: the firmware signature value, the state at R1, has been generated within the device, while the corresponding firmware signature private key and protection key have been stored in the device assembly card. The equipment is in the state when being distributed to the user unit for the first time, or can go through the state again after being restored to the factory state when the user uses the equipment;
Ready state: the state when the administrator account and the maintainer account have been generated within the device.
Specifically, because the identity authentication key is introduced, corresponding authority setting can be performed for users with different identities; wherein,
Device administrator: the equipment manager is provided with an equipment manager authentication card, and after logging in two manager accounts, the operations of generating, backing up, recovering and destroying sensitive security parameters in the equipment can be realized;
Equipment maintainer: the equipment maintainer is provided with an equipment maintainer authentication card, certain hardware faults can be primarily judged after login, sensitive safety parameters in the equipment can be cleaned, and the equipment can be used for recovering all equipment to a factory state when more than two faults or loss occur to an administrator card
The equipment operator: the user is provided with a user authentication card, and the device cannot be operated after login, and only security services related to the identity of the user can be used.
It will be appreciated that the administrator authentication card, the equipment maintainer authentication card, and the user authentication card described above are all one form of smart card.
In particular, the smart card may further include the following classifications:
a system smart card: the intelligent card is used for backing up the equipment protection secret key, and when the equipment fails and can not be started, the system intelligent card can be used for recovering the equipment protection secret key;
device management smart card: the intelligent card is used for verifying the identity of the equipment manager, and the equipment-holding management intelligent card can use equipment management software to carry out related equipment management operation;
User smart card: and storing the device startup component for device startup authentication, wherein only the personnel holding the user smart card can operate the network isolation password board card, and the password service provided by the network isolation password board card is used.
It can be understood that the independent functions of the three smart cards can be selectively combined into one card for use according to the actual application requirements, so as to form a new composite smart card.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The foregoing has outlined rather broadly the more detailed description of the invention in order that the detailed description of the invention that follows may be better understood, and in order that the present principles and embodiments may be better understood; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention in view of the above.
Claims (10)
1. The network isolation password board card is characterized by comprising a communication interface, an FPGA isolation exchange control chip, a security chip, a password algorithm chip, a first expansion memory and a second expansion memory;
The communication interface, the FPGA isolation exchange control chip and the cryptographic algorithm chip are sequentially connected, the safety chip is connected with the FPGA isolation exchange control chip, the first expansion memory is respectively connected with the safety chip and the FPGA isolation exchange control chip, and the second expansion memory is connected with the safety chip;
The security chip is used for scheduling data in the FPGA isolation exchange control chip, the first expansion memory and the second expansion memory;
The FPGA isolation exchange control chip is used for carrying out data transfer among the communication interface, the security chip, the cryptographic algorithm chip and the first expansion memory;
The cipher algorithm chip is used for encrypting data;
The communication interface is used for establishing communication connection between the FPGA isolation exchange control chip and the upper computer;
the first expansion memory is used for storing data sent by the FPGA isolation exchange control chip;
the second expansion memory is used for storing data sent by the security chip;
The security chip is specifically configured to control the FPGA isolation switch control chip to send data to a cryptographic algorithm chip or to the first expansion memory, obtain encrypted data sent by the FPGA isolation switch control chip from the first expansion memory, and forward the encrypted data to the second expansion memory.
2. The network isolated cryptographic board of claim 1, wherein the communication interface is a PCIE X1 interface.
3. The network isolated password card of claim 1, wherein the FPGA isolated switch control chip comprises an SSX30-E chip, an HSM2-H2 chip, and an HSM4-G2 chip.
4. The network isolated code board card of claim 1, further comprising a power supply connected to the security chip for supplying power.
5. The network isolated code board card of claim 4, wherein the power supply is of a power stage design.
6. The network isolation password board card of claim 4, wherein a safety protection device for realizing weak current protection is arranged between the safety chip and the power supply and connected with the second expansion memory and the power supply respectively;
The safety protection device is used for detecting the voltage of the power supply, judging whether the voltage meets a preset safety threshold, and if not, sending a first protection signal to the second expansion memory;
The second expansion memory is further configured to empty locally stored data according to the first protection signal.
7. The network isolated password card of claim 6, wherein the security guard comprises a physical protection sensor for detecting the integrity of the housing of the network isolated password card, the physical protection sensor being coupled to the second expansion memory;
The physical protection sensor is used for acquiring shell state information and sending a second protection signal to the second expansion memory according to the shell state information;
And the second expansion memory is further used for clearing the locally stored data according to the second protection signal.
8. The network isolated code board card of claim 6, further comprising an indicator light coupled to the security chip for indicating an operational status of the network isolated code board card.
9. The network isolated cryptographic board of claim 6, wherein the security chip comprises a UART interface.
10. The network isolated password card of any of claims 1 to 9, wherein the security chip comprises a smart card interface;
the smart card interface is used for communicating with a smart card, and authentication data are transmitted between the security chip and the smart card.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910554982.1A CN110166240B (en) | 2019-06-25 | 2019-06-25 | Network isolation password board card |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910554982.1A CN110166240B (en) | 2019-06-25 | 2019-06-25 | Network isolation password board card |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110166240A CN110166240A (en) | 2019-08-23 |
| CN110166240B true CN110166240B (en) | 2024-05-03 |
Family
ID=67627015
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910554982.1A Active CN110166240B (en) | 2019-06-25 | 2019-06-25 | Network isolation password board card |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110166240B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114697064B (en) * | 2020-12-31 | 2024-05-03 | 宸芯科技股份有限公司 | Data security interaction method and security chip between multiple data modules |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102708632A (en) * | 2012-05-25 | 2012-10-03 | 福建联迪商用设备有限公司 | Method and device for protecting sensitive data in POS (point-of-sale) machine |
| CN104363221A (en) * | 2014-11-10 | 2015-02-18 | 青岛微智慧信息有限公司 | Network safety isolation file transmission control method |
| CN105141599A (en) * | 2015-08-17 | 2015-12-09 | 山东超越数控电子有限公司 | Multi-chip network encryption system based on physical isolation |
| CN105184196A (en) * | 2015-09-02 | 2015-12-23 | 四川九洲电器集团有限责任公司 | Electronic system information security protection system and method |
| CN108243009A (en) * | 2018-01-18 | 2018-07-03 | 郑州云海信息技术有限公司 | A kind of TPCM boards based on FPGA and crypto chip |
| CN108470129A (en) * | 2018-03-13 | 2018-08-31 | 杭州电子科技大学 | A kind of data protection special chip |
| CN109190407A (en) * | 2018-09-11 | 2019-01-11 | 网御安全技术(深圳)有限公司 | A kind of high-performance encryption and decryption operational capability extended method and system |
| CN109255259A (en) * | 2018-09-11 | 2019-01-22 | 网御安全技术(深圳)有限公司 | A kind of high safety encryption and decryption operational capability extended method and system |
| CN109286492A (en) * | 2018-10-25 | 2019-01-29 | 北京中科富星信息技术有限公司 | Encription algorithms approved by the State Password Administration Committee Office security video data exchange card and exchange method based on FPGA and DSP |
| CN209608668U (en) * | 2019-06-25 | 2019-11-08 | 南方电网科学研究院有限责任公司 | A kind of Network Isolation password board |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060059369A1 (en) * | 2004-09-10 | 2006-03-16 | International Business Machines Corporation | Circuit chip for cryptographic processing having a secure interface to an external memory |
| US20080052525A1 (en) * | 2006-08-28 | 2008-02-28 | Tableau, Llc | Password recovery |
| US20180150256A1 (en) * | 2016-11-29 | 2018-05-31 | Intel Corporation | Technologies for data deduplication in disaggregated architectures |
-
2019
- 2019-06-25 CN CN201910554982.1A patent/CN110166240B/en active Active
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102708632A (en) * | 2012-05-25 | 2012-10-03 | 福建联迪商用设备有限公司 | Method and device for protecting sensitive data in POS (point-of-sale) machine |
| CN104363221A (en) * | 2014-11-10 | 2015-02-18 | 青岛微智慧信息有限公司 | Network safety isolation file transmission control method |
| CN105141599A (en) * | 2015-08-17 | 2015-12-09 | 山东超越数控电子有限公司 | Multi-chip network encryption system based on physical isolation |
| CN105184196A (en) * | 2015-09-02 | 2015-12-23 | 四川九洲电器集团有限责任公司 | Electronic system information security protection system and method |
| CN108243009A (en) * | 2018-01-18 | 2018-07-03 | 郑州云海信息技术有限公司 | A kind of TPCM boards based on FPGA and crypto chip |
| CN108470129A (en) * | 2018-03-13 | 2018-08-31 | 杭州电子科技大学 | A kind of data protection special chip |
| CN109190407A (en) * | 2018-09-11 | 2019-01-11 | 网御安全技术(深圳)有限公司 | A kind of high-performance encryption and decryption operational capability extended method and system |
| CN109255259A (en) * | 2018-09-11 | 2019-01-22 | 网御安全技术(深圳)有限公司 | A kind of high safety encryption and decryption operational capability extended method and system |
| CN109286492A (en) * | 2018-10-25 | 2019-01-29 | 北京中科富星信息技术有限公司 | Encription algorithms approved by the State Password Administration Committee Office security video data exchange card and exchange method based on FPGA and DSP |
| CN209608668U (en) * | 2019-06-25 | 2019-11-08 | 南方电网科学研究院有限责任公司 | A kind of Network Isolation password board |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110166240A (en) | 2019-08-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6275653B2 (en) | Data protection method and system | |
| CN100365641C (en) | Method for protecting computer login using disposable password | |
| CN102508791B (en) | Method and device for encrypting hard disk partition | |
| US6895502B1 (en) | Method and system for securely displaying and confirming request to perform operation on host computer | |
| US5960084A (en) | Secure method for enabling/disabling power to a computer system following two-piece user verification | |
| EP0848315B1 (en) | Securely generating a computer system password by utilizing an external encryption algorithm | |
| CN202795383U (en) | Device and system for protecting data | |
| CN100533459C (en) | Data safety reading method and safety storage apparatus thereof | |
| CN101441601B (en) | Ciphering transmission method of hard disk ATA instruction and system | |
| CN102984115B (en) | A kind of network security method and client-server | |
| Barker | Framework for Designing Cryptographic Key Management Systems | |
| CN104756127A (en) | Secure data handling by a virtual machine | |
| CN102215221A (en) | Methods and systems for secure remote wake, boot, and login to a computer from a mobile device | |
| CN109035519B (en) | Biological feature recognition device and method | |
| CN103227776A (en) | Configuration method, configuration device, computer program product and control system | |
| EP3031001A1 (en) | Secure data storage | |
| CN103080946A (en) | Method, secure device, system and computer program product for securely managing files | |
| CN101452514A (en) | User data protection method for safety computer | |
| CN101983375A (en) | Binding a cryptographic module to a platform | |
| CN101237353A (en) | A method and system for monitoring mobile storage device based on USBKEY | |
| CN104321776A (en) | Offline authentication with embedded authorization attributes | |
| CN102468962A (en) | Method for personal identity authentication utilizing a personal cryptographic device | |
| CN114942729A (en) | Data safety storage and reading method for computer system | |
| JP2008005408A (en) | Recorded data processing apparatus | |
| CN110378135A (en) | Intimacy protection system and method based on big data analysis and trust computing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |