CN110417706A - Switch-based secure communication method - Google Patents

Switch-based secure communication method

Info

Publication number
CN110417706A
Authority
CN
China
Prior art keywords
interchanger
user
network interface
interface card
method based
Prior art date
Legal status
Granted
Application number
CN201810388976.9A
Other languages
Chinese (zh)
Other versions
CN110417706B (en)
Inventor
陶林
万积文
孙琳琳
田越
辛树奇
马晓华
胡德环
苏成鑫
吴智睿
杨少华
Current Assignee
Orville Over Communication Co Ltd
Original Assignee
Orville Over Communication Co Ltd
Priority date
Filing date
Publication date
Application filed by Orville Over Communication Co Ltd
Priority to CN201810388976.9A
Publication of CN110417706A
Application granted
Publication of CN110417706B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a switch-based secure communication method. The system consists of a secure switching mainboard and a network interface card (NIC). In the uplink direction the secure switching mainboard receives and sends ordinary Ethernet packets as normal; in the downlink direction it hands Ethernet data packets to an FPGA encryption processing module, which encrypts the Ethernet data and sends the encrypted packets to the NIC; the NIC decrypts the encrypted data and converts it back into normal Ethernet packets. The invention addresses secure communication on the user access side of a switch, provides independent encryption and key distribution for each Ethernet port, and can completely block unauthorized eavesdropping on user-side communication.

Description

Switch-based secure communication method
Technical field
The present invention relates to the field of data communication, and specifically to a switch-based secure communication method.
Background technique
With the continued acceleration of informatization in China, computer network technology is applied ever more widely. Seen as a whole, however, China's network information security still has many problems, and security work clearly lags behind network construction. In particular, the security and reliability of transmitting classified information over a network is low. Private and classified information stored in a network system can easily be collected and leaked. Classified data passes through many external nodes in transit and is hard to audit: at any intermediate node it may be read or maliciously modified, including modification, replay and forgery of the data.
Because a security switch system uses an encryption algorithm together with user-side encryption, there is no matching switching equipment on the market, and a switch-based secure communication method is therefore lacking.
Most network switching equipment in use today relies on the standard TCP/IP protocol suite; with that equipment, encrypted network communication can only be applied between switches (switch-to-switch).
Summary of the invention
In view of the deficiencies of the prior art, the present invention provides a security switch system based on an encryption algorithm that addresses the secure exchange of data within a local area network, so that an unauthorized listener cannot steal or intercept data on the LAN.
The technical solution adopted by the present invention for this purpose is a switch-based secure communication method in which every link between the switch and a user carries encrypted traffic, comprising the following steps:
the data of user A is encrypted by user A's network interface card and transferred to user B through the switch;
the network interface card of user B receives and decrypts the data, obtaining the data sent by user A.
The switch is equipped with multiple switching ports, each connected to the security hardening unit inside the switch.
Before a user's network interface card and the switch transmit data, authentication and key delivery are carried out, comprising the following steps:
1) the user sends an authentication request to the security server via the network interface card and the switch;
2) after authentication passes, the user sends a key delivery request to the security server;
3) the security server issues the key, via the switch, to the user's corresponding switching port and to the user's network interface card;
4) after receiving the key, the switch and the network interface card contact each other and confirm it; once the handshake succeeds, communication begins.
After the user shuts down or disconnects, the key automatically ceases to be valid.
The switch updates the key periodically according to instructions from the security server.
The encryption and decryption key of the network interface card is consistent only with that of the corresponding switch board port.
The encryption algorithm is one of SM1, SM2, SM3 and SM4.
The present invention has the following beneficial effects and advantages:
1. encryption and decryption are performed by an FPGA chip, which is fast and meets the requirement of gigabit wire-speed transmission;
2. a security algorithm is used, giving strong security;
3. each physical port is encrypted and decrypted independently, so an eavesdropper cannot listen on all ports at once;
4. keys are distributed dynamically without manual intervention, so a key cannot be obtained by a person;
5. one-time keying is used (a fresh key for each connection): after a disconnection or going offline the key disappears automatically and must be requested again, greatly reducing the risk of leakage;
6. a self-destruct circuit is used: any illegal operation on the equipment causes the encryption algorithm to be destroyed automatically, guaranteeing the safety of the security algorithm;
7. the security algorithm can be loaded dynamically in real time, guaranteeing that it can be updated in real time.
Detailed description of the invention
Fig. 1 is the structure diagram of the switch system of the invention;
Fig. 2 is the schematic diagram of the network mode of the invention in a system application;
Fig. 3 is the schematic diagram of the secure encryption function of the invention in a system application;
Fig. 4 is the key distribution schematic diagram of the invention;
Fig. 5 is the structural principle diagram of the FPGA;
Fig. 6 is the working principle diagram of the switch system of the invention.
Specific embodiment
The present invention is described in further detail below with reference to the accompanying drawings and embodiments.
Fig. 1 shows the hardware structure diagram of the invention.
In the security switch system based on an encryption algorithm, the CPU is connected to the switching chip; the switching chip and the FPGA are connected through a SerDes interface; after the FPGA performs encryption and decryption, the encrypted message is sent through the PHY chip to the network interface card of the user-side computer. The network interface card decrypts it into a normal message and passes it up to the computer, as shown in Fig. 6.
The FPGA implementation consists mainly of an RGMII-interface MAC, an SGMII-interface MAC, a scrambling unit, a descrambling unit and an MDIO control unit, as shown in Fig. 5.
Ciphertext data processed by the PHY is passed to the FPGA in RGMII format and, after MAC processing and verification, is descrambled;
after descrambling the data is restored to plaintext and passed to the switching module over the SGMII interface. The switching module forwards the data to the corresponding port; data forwarded to another port of this switch must be re-encrypted before forwarding, while data forwarded to other outside ports (such as cascade ports) need not be encrypted.
Forwarded plaintext data is turned into ciphertext by the scrambling unit and passed onto the Ethernet through the RGMII interface.
The security switch system based on an encryption algorithm comprises a CPU connected to a gigabit switching chip; the gigabit switching chip is connected to two FPGAs; each FPGA is connected to a PHY chip and communicates in encrypted form with the network interface card over a cable. The system also includes FLASH, memory, a serial port and a network interface chip connected to the CPU, and a self-destruct circuit connected to the CPU that deletes the stored secret algorithm under abnormal operation. A backup power supply on the board keeps the CPU running when power is lost, so that it can monitor the safety of the device and delete confidential information at any time according to the self-destruct state.
The FPGA is connected to the switching chip through SerDes. The FPGA encrypts normal messages and transmits them onto the Ethernet link; it decrypts encrypted messages and passes them to the switching chip.
A dedicated FLASH is connected to the FPGA to hold the FPGA's loading program.
The switch board supports encryption and decryption on up to 24 gigabit ports, with dynamic encryption and decryption on all 24 ports and independent secret key configuration and distribution for each of the 24 ports.
The network interface card consists of an FPGA, FLASH and a PHY chip. The FPGA of the network interface card performs the reverse encryption and decryption of messages. The encryption and decryption key of the network interface card is consistent only with that of the corresponding switch board port.
The encryption algorithm can be dynamically configured and loaded.
Fig. 2 is the schematic diagram of the operating mode of the invention in a system application.
As shown in Figs. 3 and 4, every link between the security switch and a user-side computer carries encrypted traffic: the security switch encrypts a normal message before transferring it to the user-side computer, and the user side encrypts a message sent by the computer before sending it to the security switch. After a user-side computer disconnects, the key must be requested and issued again, which gives security a sufficient guarantee.
Fig. 3 illustrates the encryption and decryption process of the invention.
The data of user A is scrambled by its network interface card, transmitted onto the network, and output after being descrambled by the security-hardened switch;
the security switch routes user A's data to the port of user B;
the security switch scrambles it and transmits it onto the network again, and the network interface card of user B receives and descrambles the data before obtaining the data sent by user A.
Fig. 4 shows the key distribution flow of the invention.
A trusted key generation centre is set up in the system. When a new user joins (or rejoins) the secure communication network, security authentication is performed first; after authentication passes, the key generation centre computes a key with the secret algorithm and sends it to the user. One-time keying (a fresh key for each connection) is followed during communication.
1) Before network interface card authentication and key issuance under the security protocol, the network interface card and the switch are in transparent-transmission state: they can only exchange authentication messages and cannot communicate normally; normal communication is possible only after authentication and key delivery are complete.
2) The user sends an authentication request to the security authentication server via the secure network interface card and the security switch;
3) after authentication passes, the user sends a key delivery request to the security server;
4) the security server issues the key, via the security switch, to the user's corresponding secure switching port and to the secure network interface card;
5) after receiving the key, the security switch and the network interface card contact each other and confirm it; once the handshake succeeds they enter normal communication mode;
6) after the user shuts down or disconnects, the key automatically ceases to be valid;
7) the user never touches the key during use, application or any other stage, which ensures the confidentiality of the network;
8) the switch can update the key periodically according to instructions from the security server, ensuring the safety of the network interface card FPGA and the switch FPGA.
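The key distribution flow (steps 1 to 8) and the per-port scramble/descramble path of Fig. 3, as an added Python simulation that is not part of the patent: a security server authenticates a user before pushing a fresh key to that user's switch port and network interface card, the switch descrambles at ingress, re-scrambles with the egress port's own key for local user ports and forwards cascade-port traffic in the clear, and a port's key lapses when its link goes down. The HMAC-SHA256 keystream, the `dst|src|payload` frame format, the port names and the credentials are constructed stand-ins for the SM-series hardware cipher and the real hardware.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in keystream (HMAC-SHA256 in counter mode) where the FPGA would run SM1/SM4
    out = b""
    for ctr in range(0, length, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def scramble(key: bytes, frame: bytes) -> bytes:
    nonce = os.urandom(8)  # fresh per frame, sent in clear ahead of the body
    return nonce + bytes(a ^ b for a, b in zip(frame, keystream(key, nonce, len(frame))))

def descramble(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))

class SecureNIC:  # user-side card; holds the key of its own switch port only
    def __init__(self):
        self.key = None
    def send(self, frame: bytes) -> bytes:
        return scramble(self.key, frame)
    def receive(self, blob: bytes) -> bytes:
        return descramble(self.key, blob)

class SecurityServer:  # authenticates a user, then pushes one fresh key to port and NIC
    def __init__(self, credentials: dict):
        self.credentials = credentials  # constructed user -> password table
        self.authenticated = set()
    def authenticate(self, user: str, password: str) -> bool:
        ok = hmac.compare_digest(self.credentials.get(user, ""), password)
        if ok:
            self.authenticated.add(user)
        return ok
    def issue_key(self, user: str, switch: "SecureSwitch", port: str, nic: SecureNIC) -> None:
        if user not in self.authenticated:
            raise PermissionError("key request before authentication")
        key = os.urandom(16)  # new key on every (re)connect; the user never sees it
        switch.port_keys[port] = key
        nic.key = key

class SecureSwitch:  # one independent key per user port; cascade ports stay in clear
    def __init__(self, mac_table: dict, cascade_ports: set):
        self.mac_table = mac_table  # constructed host -> egress port table
        self.cascade_ports = cascade_ports
        self.port_keys = {}
    def handshake(self, port: str, nic: SecureNIC) -> bool:
        mine = hmac.new(self.port_keys[port], b"confirm", hashlib.sha256).digest()
        theirs = hmac.new(nic.key, b"confirm", hashlib.sha256).digest()
        return hmac.compare_digest(mine, theirs)  # both sides prove they hold one key
    def link_down(self, port: str) -> None:
        self.port_keys.pop(port, None)  # key lapses as soon as the user drops
    def forward(self, in_port: str, blob: bytes) -> tuple:
        if in_port not in self.port_keys:  # unkeyed port is in transparent mode: no data
            raise PermissionError(f"{in_port} has no key")
        frame = descramble(self.port_keys[in_port], blob)  # plaintext exists only in here
        out_port = self.mac_table[frame.split(b"|", 1)[0].decode()]
        if out_port in self.cascade_ports:
            return out_port, frame  # outside ports are forwarded unencrypted
        if out_port not in self.port_keys:
            raise PermissionError(f"{out_port} has no key")
        return out_port, scramble(self.port_keys[out_port], frame)  # re-encrypt per port

def demo() -> dict:
    server = SecurityServer({"A": "pw-a", "B": "pw-b"})  # constructed users
    switch = SecureSwitch({"A": "p1", "B": "p2", "X": "uplink"}, {"uplink"})
    nic_a, nic_b = SecureNIC(), SecureNIC()
    for user, nic, port in (("A", nic_a, "p1"), ("B", nic_b, "p2")):
        server.authenticate(user, "pw-" + user.lower())
        server.issue_key(user, switch, port, nic)
    result = {"handshake": switch.handshake("p1", nic_a) and switch.handshake("p2", nic_b)}
    out_port, blob = switch.forward("p1", nic_a.send(b"B|A|hello"))
    result["out_port"], result["received"] = out_port, nic_b.receive(blob)
    result["uplink"] = switch.forward("p1", nic_a.send(b"X|A|outbound"))
    switch.link_down("p2")  # user B shuts down: its port key lapses at once
    result["keyed_ports"], result["switch"] = sorted(switch.port_keys), switch
    return result
```

Note that the switch holds a different key per user port, so a frame crossing from port p1 to port p2 is descrambled and re-scrambled inside the switch, while the same frame bound for the uplink leaves in the clear.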

Claims (7)

1. A switch-based secure communication method, characterized in that every link between the switch and a user carries encrypted traffic, comprising the following steps:
the data of user A is encrypted by user A's network interface card and transferred to user B through the switch;
the network interface card of user B receives and decrypts the data, obtaining the data sent by user A.
2. The switch-based secure communication method according to claim 1, characterized in that the switch is equipped with multiple switching ports, each connected to the security hardening unit inside the switch.
3. The switch-based secure communication method according to claim 1, characterized in that, before a user's network interface card and the switch transmit data, authentication and key delivery are carried out, comprising the following steps:
1) the user sends an authentication request to the security server via the network interface card and the switch;
2) after authentication passes, the user sends a key delivery request to the security server;
3) the security server issues the key, via the switch, to the user's corresponding switching port and network interface card;
4) after receiving the key, the switch and the network interface card contact each other and confirm it; once the handshake succeeds, communication begins.
4. The switch-based secure communication method according to claim 1, characterized in that, after the user shuts down or disconnects, the key automatically ceases to be valid.
5. The switch-based secure communication method according to claim 1, characterized in that the switch updates the key periodically according to instructions from the security server.
6. The switch-based secure communication method according to claim 1, characterized in that the encryption and decryption key of the network interface card is consistent only with that of the corresponding switch board port.
7. The switch-based secure communication method according to claim 1, characterized in that the encryption algorithm is one of SM1, SM2, SM3 and SM4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810388976.9A CN110417706B (en) 2018-04-27 2018-04-27 Switch-based secure communication method

Publications (2)

Publication Number Publication Date
CN110417706A true CN110417706A (en) 2019-11-05
CN110417706B CN110417706B (en) 2022-05-31

Family

ID=68346168

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810388976.9A Active CN110417706B (en) 2018-04-27 2018-04-27 Switch-based secure communication method

Country Status (1)

Country Link
CN (1) CN110417706B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111400700A (en) * 2020-03-10 2020-07-10 深圳市三旺通信股份有限公司 Encryption method, device and equipment of switch and computer readable storage medium
CN111541663A (en) * 2020-04-14 2020-08-14 北京数盾信息科技有限公司 Link exchange encryption system based on national password standard
CN117714031A (en) * 2024-01-11 2024-03-15 无锡路通视信网络股份有限公司 High-speed data encryption communication method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050063547A1 (en) * 2003-09-19 2005-03-24 Audrius Berzanskis Standards-compliant encryption with QKD
CN101005359A (en) * 2006-01-18 2007-07-25 华为技术有限公司 Method and device for realizing safety communication between terminal devices
CN102571348A (en) * 2011-12-16 2012-07-11 汉柏科技有限公司 Ethernet encryption and authentication system and encryption and authentication method
CN105721458A (en) * 2016-01-30 2016-06-29 安徽欧迈特数字技术有限责任公司 Industrial Ethernet switching method based on ISG security password technique
CN206322185U (en) * 2016-12-20 2017-07-11 天津铜牛信息科技有限公司 A kind of computer network information safety device

Also Published As

Publication number Publication date
CN110417706B (en) 2022-05-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: At 110179 Shenyang Road, Liaoning Province Hunnan New District No. 6
Applicant after: Zhonghong Huilian Technology Co.,Ltd.
Address before: At 110179 Shenyang Road, Liaoning Province Hunnan New District No. 6
Applicant before: AOWEI FEIYUE COMMUNICATION CO.,LTD.
GR01 Patent grant