CN110417706A - Switch-based secure communication method - Google Patents
Switch-based secure communication method
- Publication number: CN110417706A
- Application number: CN201810388976.9A
- Authority: CN (China)
- Prior art keywords: switch, user, network interface card
- Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Classifications
- H04L63/0428: Network security; confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/083: Network security; authentication of entities using passwords
- H04L63/0838: Network security; authentication of entities using one-time passwords
- H04L9/0863: Cryptographic mechanisms; generation of secret information including derivation or calculation of cryptographic keys or passwords, involving passwords or one-time passwords
- H04L9/0891: Cryptographic mechanisms; revocation or update of secret information, e.g. encryption key update or rekeying
Abstract
The present invention relates to a switch-based secure communication method. The system comprises a secure switching mainboard and a network interface card. In the uplink direction, the secure switching mainboard receives and sends ordinary Ethernet packets as normal; in the downlink direction, it hands Ethernet data packets to an FPGA encryption processing module. The FPGA encryption module encrypts the Ethernet data and sends the encrypted packets to the network interface card; after the network interface card decrypts the encrypted data, it is converted back into normal Ethernet data packets. The present invention solves the problem of secure communication on the user access side of the switch, realizes independent encryption and key distribution for each Ethernet port, and can completely block illegal eavesdropping on user-side communication.
Description
Technical field
The present invention relates to the field of data communication, and in particular to a switch-based secure communication method.
Background technique
With the continuous acceleration of China's informatization, computer network technology is applied ever more widely. Viewed as a whole, however, China's network information security still has many problems, and network security work clearly lags behind network construction. In particular, the security and reliability of classified information transmitted over the network is low. Private and classified information stored in network systems is easily collected, causing leaks. Because such sensitive data passes through many external nodes during transmission and is difficult to audit, it may be read or maliciously modified at any intermediate node, including data modification, replay and impersonation.
Because a secure switching system is based on an encryption algorithm and uses a user-side encryption mode, there is no matching switching equipment on the market, and therefore a switch-based secure communication method is lacking.
Most network switching equipment in use today uses the standard TCP/IP network communication protocol, and such communication can only use encrypted network communication between switches (switch to switch).
Summary of the invention
In view of the deficiencies of the prior art, the present invention provides a secure switching system based on an encryption algorithm, which solves the problem of secure data exchange in a local area network so that an illegal listener cannot steal or intercept data in the local area network.
The technical solution adopted by the present invention for the above purpose is a switch-based secure communication method in which the link between the switch and the user is transmitted in encrypted form throughout, comprising the following steps:
the data of user A is encrypted by user A's network interface card and then transferred to user B via the switch;
the network interface card of user B receives and decrypts the data, obtaining the data sent by user A.
The switch is provided with multiple switching ports, which are connected to the security reinforcement unit inside the switch.
Before the user's network interface card and the switch transmit data, authentication and key issuance are carried out, comprising the following steps:
1) the user initiates an authentication request to the security server through the network interface card and the switch;
2) after authentication passes, the user initiates a key issuance request to the security server;
3) the security server issues the key through the switch to the user's corresponding switching port and network interface card;
4) after receiving the key, the switch and the network interface card contact each other to confirm; after the handshake succeeds, communication begins.
After the user shuts down or the link is disconnected, the key automatically ceases to be valid.
The switch periodically updates the key according to the instruction of the security server.
The encryption/decryption key of the network interface card matches only the corresponding switch board-card port.
The encryption algorithm includes one of SM1, SM2, SM3 and SM4.
The present invention has the following beneficial effects and advantages:
1. Encryption and decryption are performed with an FPGA chip, which is fast and meets the gigabit line-rate transmission requirement;
2. A security algorithm is used, giving strong security;
3. Each physical port is encrypted and decrypted independently, so an eavesdropper cannot listen to all ports at the same time;
4. Keys are distributed dynamically without manual intervention, so the key cannot be obtained by a person;
5. One-time pad is used: after disconnection or going offline the key disappears automatically and must be applied for again automatically, greatly reducing the risk of leaking secrets;
6. A self-destruct circuit is used: any illegal operation on the equipment causes the encryption algorithm to self-destruct, guaranteeing the security of the security algorithm;
7. Dynamic real-time loading of the security algorithm is supported, guaranteeing real-time updating of the security algorithm.
Description of the drawings
Fig. 1 is the structural diagram of the switching system of the invention;
Fig. 2 is a schematic diagram of the network mode of the invention in system application;
Fig. 3 is a schematic diagram of the secure encryption function of the invention in system application;
Fig. 4 is the key distribution diagram of the invention;
Fig. 5 is the structural principle diagram of the FPGA;
Fig. 6 is the working principle diagram of the switching system of the invention.
Specific embodiment
The present invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is the hardware structure diagram of the invention.
In the secure switching system based on an encryption algorithm, the CPU is connected to the switching chip; the switching chip and the FPGA are connected through a SerDes interface; after the FPGA performs encryption and decryption, the encrypted message is sent through the PHY chip to the network interface card of the user-side computer. The network interface card decrypts it into a normal message and uploads it to the computer, as shown in Fig. 6.
The FPGA implementation mainly consists of an RGMII-interface MAC, an SGMII-interface MAC, a scrambling unit, a descrambling unit and an MDIO control unit, as shown in Fig. 5.
Ciphertext data is processed by the PHY module and transmitted to the FPGA in RGMII format, then processed and verified by the MAC before being descrambled;
after descrambling it is restored to plaintext data and transferred to the switching module through the SGMII interface. After processing by the switching module, the data is forwarded to the corresponding port; data forwarded to other ports of this switch must be re-encrypted before forwarding, while data forwarded to other outside ports (such as cascade ports) does not need to be encrypted.
The forwarded plaintext data becomes ciphertext after processing by the scrambling unit and is transmitted onto the Ethernet through the RGMII interface.
A secure switching system based on an encryption algorithm comprises a CPU connected to a gigabit switching chip; the gigabit switching chip is connected to 2 FPGAs; each FPGA is connected to a PHY chip and communicates in encrypted form with the network interface card over the cable. It further comprises FLASH, memory, a serial port and a network interface chip connected to the CPU. It further comprises a self-destruct circuit connected to the CPU, used to delete the stored secret algorithm during abnormal operation. A backup power supply on the board keeps the CPU working when power is lost, so that it monitors the security of the device and deletes confidential information at any time according to the self-destruct state.
The FPGA is connected to the switching chip through SerDes. The FPGA encrypts normal messages and transmits them onto the Ethernet link; it decrypts encrypted messages and transmits them to the switching chip.
A dedicated FLASH is connected to the FPGA to store the FPGA's loading program.
The switching board supports encryption and decryption on up to 24 gigabit ports. Dynamic encryption and decryption is supported on the 24 ports of the switching board. Independent secret key configuration and distribution is supported on the 24 ports of the switching board.
The network interface card consists of an FPGA, FLASH and a PHY chip. The FPGA of the network interface card performs the reverse encryption and decryption of messages. The encryption/decryption key of the network interface card matches only the corresponding switch board-card port.
The encryption algorithm can be dynamically configured and loaded.
Fig. 2 is the schematic diagram of the operating mode of the invention in system application.
As shown in Fig. 3 and Fig. 4, the link between the secure switch and the user-side computer is transmitted in encrypted form throughout; the secure switch encrypts normal messages and transmits them to the user-side computer, and the user side encrypts the messages sent by the computer before sending them to the secure switch. After the user-side computer disconnects, the key must be applied for and issued again, so security is fully guaranteed.
Fig. 3 shows the encryption and decryption process of the invention.
The data of user A is scrambled by the network interface card and transmitted onto the network, then descrambled by the security-enhanced switch and output;
the secure switch routes user A's data to the port of user B;
the secure switch scrambles it again and transmits it onto the network, and the network interface card of user B receives it and descrambles it before obtaining the data sent by user A.
Fig. 4 shows the key distribution flow of the invention.
A reliable key generation centre is set up in the system. When a new user is to join (or rejoin) the secure communication network, security authentication is performed first; after authentication passes, the key generation centre calculates the key with a secret algorithm and sends it to the user. The one-time-pad encryption mode should be followed during communication.
1) Before the network interface card has been authenticated and issued with the security protocol, the network interface card and the switch are in a transparent-transmission state in which they can only exchange authentication messages and cannot communicate normally; normal communication is possible only after authentication and key issuance are completed.
2) The user initiates an authentication request to the security authentication server through the security network interface card and the secure switch;
3) after authentication passes, the user initiates a key issuance request to the security server;
4) the security server issues the key through the secure switch to the user's corresponding secure switching port and security network interface card;
5) after receiving the key, the secure switch and the network interface card contact each other to confirm; after the handshake succeeds, they enter normal communication mode;
6) after the user shuts down or the link is disconnected, the key automatically ceases to be valid;
7) the user never touches the key during use, application and so on, which ensures the confidentiality and security of the network;
8) the switch can periodically update the key according to the instruction of the security server, ensuring the security of the network interface card FPGA and the switch FPGA.
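As an added illustration, not the patent's own code or firmware, the following Python model walks through the key-distribution steps above together with the FPGA forwarding path described earlier (descramble on ingress, re-scramble only towards another keyed user port, plaintext towards cascade ports) and the key expiry on disconnect. Assumptions: SM4 is not in the Python standard library, so an HMAC-SHA256 keystream XOR stands in for the per-port cipher; the security server, port names, users and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

def port_cipher(key: bytes, ctr: int, data: bytes) -> bytes:
    """Stand-in for the per-port SM4 engine (assumption): XOR with an HMAC keystream."""
    stream = b"".join(hmac.new(key, ctr.to_bytes(8, "big") + i.to_bytes(4, "big"),
                               hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))  # symmetric: also descrambles

@dataclass
class Port:
    name: str
    cascade: bool = False            # cascade/uplink ports carry plain Ethernet
    key: Optional[bytes] = None      # switch-side FPGA key; None = transparent (auth only)
    nic_key: Optional[bytes] = None  # matching key held by the user's NIC FPGA

class SecurityServer:
    """Key generation centre: authenticates a user, then issues a fresh per-port key."""
    def __init__(self, credentials: Dict[str, str]):
        self.credentials = credentials   # constructed user/password table

    def authenticate(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self.credentials.get(user, ""), password)

    def issue_key(self) -> bytes:
        return secrets.token_bytes(16)   # 128 bits, the SM4 key size

class SecureSwitch:
    def __init__(self, server: SecurityServer, *ports: Port):
        self.server, self.ports = server, {p.name: p for p in ports}
        self.user_port: Dict[str, str] = {}   # constructed forwarding table

    def attach(self, port: str, user: str, password: str) -> bool:
        """Steps 1-5: authenticate, issue key to switch port and NIC, confirm handshake."""
        p = self.ports[port]
        if not self.server.authenticate(user, password):
            return False                 # port stays transparent: auth messages only
        p.key = p.nic_key = self.server.issue_key()   # the user never handles the key
        self.user_port[user] = port
        return hmac.compare_digest(p.key, p.nic_key)  # handshake confirmation

    def disconnect(self, port: str) -> None:
        """Step 6: key ceases to be valid on shutdown or link loss (rekey = attach again)."""
        self.ports[port].key = self.ports[port].nic_key = None

    def forward(self, in_port: str, frame: bytes, ctr: int, dst_user: str) -> Optional[bytes]:
        """Descramble on ingress; re-scramble only when egress is a keyed user port."""
        src = self.ports[in_port]
        if src.key is None:
            return None                  # data traffic on an unkeyed port is dropped
        plain = port_cipher(src.key, ctr, frame)
        dst = self.ports[self.user_port[dst_user]]
        if dst.cascade:
            return plain                 # other outside ports are not re-encrypted
        return None if dst.key is None else port_cipher(dst.key, ctr, plain)

def demo() -> dict:
    """User A -> switch -> user B, then per-port key isolation and key expiry."""
    sw = SecureSwitch(SecurityServer({"A": "pw-a", "B": "pw-b"}),
                      Port("ge1"), Port("ge2"), Port("up", cascade=True))
    assert sw.attach("ge1", "A", "pw-a") and sw.attach("ge2", "B", "pw-b")
    msg = b"constructed Ethernet payload from A"
    ct_a = port_cipher(sw.ports["ge1"].nic_key, 7, msg)    # A's NIC scrambles
    ct_b = sw.forward("ge1", ct_a, 7, "B")                 # switch re-scrambles for B
    got = port_cipher(sw.ports["ge2"].nic_key, 7, ct_b)    # B's NIC descrambles
    cross = port_cipher(sw.ports["ge2"].nic_key, 7, ct_a)  # B's key tried on A's link
    sw.disconnect("ge1")                                   # A goes offline
    return {"delivered": got == msg, "isolated": cross != msg, "links_differ": ct_a != ct_b,
            "dropped_after_disconnect": sw.forward("ge1", ct_a, 7, "B") is None}
```

The model deliberately keys each port separately, so the check `isolated` shows why compromising one port's key gives nothing on a neighbouring port, and `dropped_after_disconnect` shows the transparent state the patent requires before re-authentication.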
Claims (7)
1. A switch-based secure communication method, characterized in that the link between the switch and the user is transmitted in encrypted form throughout, comprising the following steps:
the data of user A is encrypted by user A's network interface card and then transferred to user B via the switch;
the network interface card of user B receives and decrypts the data, obtaining the data sent by user A.
2. The switch-based secure communication method according to claim 1, characterized in that the switch is provided with multiple switching ports, which are connected to the security reinforcement unit inside the switch.
3. The switch-based secure communication method according to claim 1, characterized in that, before the user's network interface card and the switch transmit data, authentication and key issuance are carried out, comprising the following steps:
1) the user initiates an authentication request to the security server through the network interface card and the switch;
2) after authentication passes, the user initiates a key issuance request to the security server;
3) the security server issues the key through the switch to the user's corresponding switching port and network interface card;
4) after receiving the key, the switch and the network interface card contact each other to confirm; after the handshake succeeds, communication begins.
4. The switch-based secure communication method according to claim 1, characterized in that, after the user shuts down or the link is disconnected, the key automatically ceases to be valid.
5. The switch-based secure communication method according to claim 1, characterized in that the switch periodically updates the key according to the instruction of the security server.
6. The switch-based secure communication method according to claim 1, characterized in that the encryption/decryption key of the network interface card matches only the corresponding switch board-card port.
7. The switch-based secure communication method according to claim 1, characterized in that the encryption algorithm includes one of SM1, SM2, SM3 and SM4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810388976.9A CN110417706B (en) | 2018-04-27 | 2018-04-27 | Switch-based secure communication method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110417706A true CN110417706A (en) | 2019-11-05 |
CN110417706B CN110417706B (en) | 2022-05-31 |
Family
ID=68346168
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810388976.9A Active CN110417706B (en) | 2018-04-27 | 2018-04-27 | Switch-based secure communication method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110417706B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111400700A (en) * | 2020-03-10 | 2020-07-10 | 深圳市三旺通信股份有限公司 | Encryption method, device and equipment of switch and computer readable storage medium |
CN111400700B (en) * | 2020-03-10 | 2023-07-21 | 深圳市三旺通信股份有限公司 | Encryption method, device and equipment of switch and computer readable storage medium |
CN111541663A (en) * | 2020-04-14 | 2020-08-14 | 北京数盾信息科技有限公司 | Link exchange encryption system based on national password standard |
CN117714031A (en) * | 2024-01-11 | 2024-03-15 | 无锡路通视信网络股份有限公司 | High-speed data encryption communication method |
CN117714031B (en) * | 2024-01-11 | 2024-06-04 | 无锡路通视信网络股份有限公司 | High-speed data encryption communication method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050063547A1 (en) * | 2003-09-19 | 2005-03-24 | Audrius Berzanskis | Standards-compliant encryption with QKD |
CN101005359A (en) * | 2006-01-18 | 2007-07-25 | 华为技术有限公司 | Method and device for realizing safety communication between terminal devices |
CN102571348A (en) * | 2011-12-16 | 2012-07-11 | 汉柏科技有限公司 | Ethernet encryption and authentication system and encryption and authentication method |
CN105721458A (en) * | 2016-01-30 | 2016-06-29 | 安徽欧迈特数字技术有限责任公司 | Industrial Ethernet switching method based on ISG security password technique |
CN206322185U (en) * | 2016-12-20 | 2017-07-11 | 天津铜牛信息科技有限公司 | A kind of computer network information safety device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: At 110179 Shenyang Road, Liaoning Province Hunnan New District No. 6; Applicant after: Zhonghong Huilian Technology Co.,Ltd.; Address before: At 110179 Shenyang Road, Liaoning Province Hunnan New District No. 6; Applicant before: AOWEI FEIYUE COMMUNICATION CO.,LTD. |
| GR01 | Patent grant | |