CN110602107B - Zynq-based network cipher machine and network data encryption and decryption method - Google Patents


Info

Publication number: CN110602107B
Application number: CN201910879393.0A
Authority: CN (China)
Other versions: CN110602107A
Inventors: 秦刚, 姜凯, 王子彤, 赵鑫鑫
Assignee (current and original): Shandong Inspur Scientific Research Institute Co Ltd
Legal status: Active
Prior art keywords: network, message data, data, chip, soc chip

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a Zynq-based network cipher machine and a network data encryption and decryption method, belongs to the field of network data encryption and decryption, and aims to solve the technical problem of how to construct a more flexible and more conveniently wired network cipher machine based on Zynq. The PS (processing system) side of the SOC chip receives network data and a cryptographic policy issued by a host computer; the PL (programmable logic) side of the SOC chip matches the message data in the Ethernet frame with a corresponding encapsulation format, encapsulates the message data and tags the encapsulated message data with the cryptographic algorithm; the FPGA chip receives a base key from the host computer, receives the encapsulated message data tagged with the cryptographic algorithm from the SOC chip, encrypts or decrypts the message data according to that cryptographic algorithm, and returns the encrypted or decrypted message data to the host computer through the SOC chip. The method encrypts or decrypts network data through the Zynq-based network cipher machine.

Description

Zynq-based network cipher machine and network data encryption and decryption method
Technical Field
The invention relates to the field of network data encryption and decryption, in particular to a Zynq-based network cipher machine and a network data encryption and decryption method.
Background
Zynq is an SOC device that combines a multi-core ARM processor with an FPGA. As a heterogeneous system on chip it has the advantages of both ARM and FPGA; compared with a traditional discrete ARM + FPGA chip pair it offers better flexibility and reduces the wiring complexity of the PCB.
How to construct a more flexible and more conveniently wired network cipher machine based on Zynq is the technical problem to be solved.
Disclosure of Invention
In view of the above defects, the technical task of the invention is to provide a Zynq-based network cipher machine and a network data encryption and decryption method, so as to solve the problem of how to construct a more flexible and more conveniently wired network cipher machine based on Zynq.
In a first aspect, the present invention provides a Zynq-based network cipher machine, including:
an SOC chip, wherein the PS (processing system) side of the SOC chip is a multi-core ARM processor and is used for receiving network data and a cryptographic policy issued by a host computer and for sending the cryptographic policy and the Ethernet frames of the network data to the PL (programmable logic) side of the SOC chip, and the cryptographic policy includes, but is not limited to, a cryptographic algorithm, an encapsulation format and five-tuple data;
the PL side of the SOC chip is used for matching the message data in the Ethernet frame with a corresponding encapsulation format, encapsulating the message data and tagging the encapsulated message data with the cryptographic algorithm;
an FPGA chip, used for receiving a base key from the host computer, receiving the encapsulated message data tagged with the cryptographic algorithm from the SOC chip, encrypting or decrypting the message data according to the cryptographic algorithm, and returning the encrypted or decrypted message data to the host computer through the SOC chip.
Preferably, the SOC chip includes:
a first network port, configured on the PS side of the SOC chip and used for receiving network data and extracting Ethernet frames from the network data;
a second network port, configured on the PS side of the SOC chip and used for sending the encrypted or decrypted message data to the host computer;
a third network port, configured on the PS side of the SOC chip and used for receiving the cryptographic policy from the host computer;
a network policy issuing module, configured on the PS side of the SOC chip, connected with the third network port and used for storing and issuing the cryptographic policy;
an AXI data interface, configured on the PL side of the SOC chip and used for transmitting the Ethernet frames extracted by the first network port;
an AXI control interface, configured on the PL side of the SOC chip and used for transmitting the cryptographic policy issued by the network policy issuing module;
a network policy analysis module, configured on the PL side of the SOC chip and used for matching a corresponding encapsulation format to the message data through the five-tuple data;
an encapsulation module, configured on the PL side of the SOC chip and used for encapsulating the message data in the Ethernet frame according to the encapsulation format and tagging the encapsulated message data with the cryptographic algorithm;
and a decapsulation module, configured on the PL side of the SOC chip and used for decapsulating the message data according to the encapsulation format and tagging the decapsulated message data with the cryptographic algorithm.
Preferably, the network policy analysis module is configured to extract the five-tuple data from an Ethernet frame and to match the extracted five-tuple data against the five-tuple data in the cryptographic policy through a hash algorithm, so as to obtain the encapsulation format corresponding to the message data in the Ethernet frame.
Preferably, the FPGA chip includes:
a plurality of encryption modules, each encryption module being used for encrypting the message data according to its corresponding cryptographic algorithm;
a plurality of decryption modules, each decryption module being used for decrypting the message data according to its corresponding cryptographic algorithm;
an algorithm scheduling module, used for receiving the encapsulated message data tagged with the cryptographic algorithm and the decapsulated message data tagged with the cryptographic algorithm, and for sending the encapsulated message data to the corresponding encryption module or the decapsulated message data to the corresponding decryption module according to the cryptographic algorithm;
and a fourth interface, configured to receive the base key after power-on.
Preferably, a high-speed interface is configured between the SOC chip and the FPGA chip;
the FPGA chip receives the encapsulated message data tagged with the cryptographic algorithm and the decapsulated message data tagged with the cryptographic algorithm from the SOC chip through the high-speed interface, and returns the encrypted or decrypted message data to the SOC chip through the high-speed interface.
Preferably, the FPGA chip further includes an error management module, configured to perform an algorithm self-check on each cryptographic algorithm configured in the FPGA chip and to generate a self-check result;
the SOC chip further includes a management module, and the management it performs includes controlling the reception of network data and cryptographic policies according to the self-check result.
Preferably, the SOC chip further includes an audit module, configured on the PS side of the SOC chip and used for reading the cryptographic policy from the network policy issuing module, determining whether the cryptographic algorithm is used for encryption or for decryption, generating an audit report, and feeding the audit report back to the host computer.
Preferably, a low-speed interface is configured between the SOC chip and the FPGA chip;
and the FPGA chip sends the self-check result to the SOC chip through the low-speed interface.
In a second aspect, the present invention provides a Zynq-based network data encryption and decryption method, implemented with a Zynq-based network cipher machine according to any one of the first aspects, the method including the following steps:
injecting a base key into the FPGA chip;
acquiring network data through the PS (processing system) side of the SOC chip and extracting the Ethernet frames of the network data;
sending a cryptographic policy from a host computer to the PS side of the SOC chip, wherein the cryptographic policy includes, but is not limited to, a cryptographic algorithm, an encapsulation format and five-tuple data;
matching a corresponding encapsulation format or decapsulation format to the message data in the Ethernet frame through the PL (programmable logic) side of the SOC chip, encapsulating or decapsulating the message data in the Ethernet frame, tagging the encapsulated or the decapsulated message data with the cryptographic algorithm, and sending the tagged message data to the FPGA chip;
encrypting the encapsulated message data or decrypting the decapsulated message data on the FPGA chip according to the corresponding cryptographic algorithm, and returning the encrypted or decrypted message data to the SOC chip;
and sending the encrypted or decrypted message data to the host computer through the SOC chip.
Preferably, after the base key is injected into the FPGA chip, an algorithm self-check is carried out on each cryptographic algorithm configured in the FPGA chip, the generated self-check result is fed back to the SOC chip, and only after the algorithm self-check has passed are network data and the cryptographic policy acquired through the PS side of the SOC chip;
the method further includes the following step:
reading the cryptographic policy from the network policy issuing module, judging whether the cryptographic algorithm is used for encryption or for decryption, generating an audit report, and feeding the audit report back to the host computer.
The Zynq-based network cipher machine and the network data encryption and decryption method have the following advantages:
1. With the FPGA chip and the SOC chip as the cores, the various cryptographic algorithms are realized in the FPGA chip, while the management and analysis of the proprietary cryptographic protocol are realized in the SOC chip; the algorithms and the encapsulation protocol can be adjusted to equipment requirements, giving high flexibility and good confidentiality;
2. After the base key is injected into the FPGA chip, an algorithm self-check is carried out on each cryptographic algorithm configured in the FPGA chip. The SOC chip receives network data and the cryptographic policy, and carries out the subsequent cryptographic processing, only after the self-check has passed; if the self-check fails, the SOC chip stops receiving network data and the cryptographic policy. Errors can therefore be managed when they occur, and the normal operation of encryption and decryption and the correctness of the results are guaranteed.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a block diagram of a network cipher machine based on Zynq in embodiment 1.
Detailed Description
The present invention is further described below with reference to the drawings and to specific embodiments, so that those skilled in the art can better understand and implement it. The embodiments are not to be construed as limiting the invention, and the embodiments and their technical features can be combined with each other where they do not conflict.
It is to be understood that the terms "first", "second" and the like in the description of the embodiments are used to distinguish between items and do not necessarily describe a sequential or chronological order. "A plurality" in the embodiments means two or more.
The embodiments of the invention provide a Zynq-based network cipher machine and a network data encryption and decryption method, used to solve the technical problem of how to construct a more flexible and more conveniently wired network cipher machine based on Zynq.
Example 1:
The Zynq-based network cipher machine comprises an SOC chip and an FPGA chip. The PS (processing system) side of the SOC chip is a multi-core ARM processor used for receiving network data and a cryptographic policy issued by a host computer and for sending the cryptographic policy and the Ethernet frames of the network data to the PL (programmable logic) side of the SOC chip; the cryptographic policy includes, but is not limited to, a cryptographic algorithm, an encapsulation format and five-tuple data. The PL side of the SOC chip is used for matching the message data in the Ethernet frame with a corresponding encapsulation format, encapsulating the message data and tagging the encapsulated message data with the cryptographic algorithm. The FPGA chip is used for receiving a base key from the host computer, receiving the encapsulated message data tagged with the cryptographic algorithm from the SOC chip, encrypting or decrypting the message data according to the cryptographic algorithm, and returning the encrypted or decrypted message data to the host computer through the SOC chip.
The SOC chip comprises a first network port, a second network port, a third network port, a network policy issuing module, an AXI data interface, an AXI control interface, a network policy analysis module, an encapsulation module and a decapsulation module.
The first network port is configured on the PS side of the SOC chip and is used for receiving network data and extracting Ethernet frames from the network data.
The second network port is configured on the PS side of the SOC chip and is used for sending the encrypted or decrypted message data to the host computer.
The third network port is configured on the PS side of the SOC chip and is used for receiving the cryptographic policy from the host computer.
The network policy issuing module is configured on the PS side of the SOC chip, is connected with the third network port and is used for storing and issuing the cryptographic policy.
The AXI data interface is configured on the PL side of the SOC chip, is connected between the first network port and the network policy analysis module, and is used for transmitting the Ethernet frames extracted by the first network port.
The AXI control interface is configured on the PL side of the SOC chip, is connected between the network policy issuing module and the network policy analysis module, and is used for transmitting the cryptographic policy issued by the network policy issuing module.
The network policy analysis module is configured on the PL side of the SOC chip and is used for matching a corresponding encapsulation format to the message data by means of the five-tuple data; specifically, it extracts the five-tuple data from the Ethernet frame and matches the extracted five-tuple data against the five-tuple data in the cryptographic policy through a hash algorithm, so as to obtain the encapsulation format corresponding to the message data in the Ethernet frame.
The encapsulation module is configured on the PL side of the SOC chip, is connected with the network policy analysis module, and is used for encapsulating the message data according to the encapsulation format and tagging the encapsulated message data with the cryptographic algorithm.
The decapsulation module is configured on the PL side of the SOC chip, is connected with the network policy analysis module, and is used for decapsulating the message data according to the encapsulation format and tagging the decapsulated message data with the cryptographic algorithm.
The FPGA chip comprises encryption modules, decryption modules, an algorithm scheduling module and a fourth interface.
There are a plurality of encryption modules; each encryption module is provided internally with its own cryptographic algorithm and is used for encrypting the encapsulated message data according to that cryptographic algorithm.
There are a plurality of decryption modules; each decryption module is provided internally with its own cryptographic algorithm and is used for decrypting the decapsulated message data according to that cryptographic algorithm.
The algorithm scheduling module is connected with the encapsulation module and with the decapsulation module, and is used for receiving the encapsulated message data tagged with the cryptographic algorithm and the decapsulated message data tagged with the cryptographic algorithm, and for sending the encapsulated message data to the corresponding encryption module or the decapsulated message data to the corresponding decryption module according to the cryptographic algorithm.
The fourth interface is connected to the encryption modules and to the decryption modules, and is configured to receive the base key after power-on.
A high-speed interface is configured between the SOC chip and the FPGA chip. The FPGA chip receives the encapsulated message data tagged with the cryptographic algorithm and the decapsulated message data tagged with the cryptographic algorithm from the SOC chip through the high-speed interface, and returns the encrypted or decrypted message data to the SOC chip through the high-speed interface.
The Zynq-based network cipher machine can encrypt and decrypt network data. The encryption process comprises the following steps:
(1) after the system is powered on, a base key is injected into the FPGA chip through a third interface;
(2) network data are fed into the SOC chip through the first network port; the first network port extracts the Ethernet frames of the network data and sends the extracted Ethernet frames to the network policy analysis module of the FPGA chip through the AXI data interface;
meanwhile, the host computer sends the cryptographic policy to the network policy issuing module, and the network policy issuing module transmits the cryptographic policy to the network policy analysis module through the AXI control interface;
(3) the network policy analysis module extracts the five-tuple data from the Ethernet frame and matches the extracted five-tuple data against the five-tuple data in the cryptographic policy through a hash algorithm, obtaining the encapsulation format corresponding to the message data in the Ethernet frame;
the encapsulation module encapsulates the message data in the Ethernet frame according to that encapsulation format and tags the encapsulated message data with the cryptographic algorithm;
the encapsulation module sends the message data tagged with the cryptographic algorithm to the algorithm scheduling module of the FPGA chip through the high-speed interface, and the algorithm scheduling module selects the corresponding encryption module to encrypt the message data according to the cryptographic algorithm, thereby encrypting the network data.
The decryption process of the network data comprises the following steps:
(1) after the system is powered on, a base key is injected into the FPGA chip through a third interface;
(2) network data are fed into the SOC chip through the first network port; the first network port extracts the Ethernet frames of the network data and sends the extracted Ethernet frames to the network policy analysis module of the FPGA chip through the AXI data interface;
meanwhile, the host computer sends the cryptographic policy to the network policy issuing module, and the network policy issuing module transmits the cryptographic policy to the network policy analysis module through the AXI control interface;
(3) the network policy analysis module extracts the five-tuple data from the Ethernet frame and matches the extracted five-tuple data against the five-tuple data in the cryptographic policy through a hash algorithm, obtaining the encapsulation format corresponding to the message data in the Ethernet frame;
the decapsulation module decapsulates the message data in the Ethernet frame according to that encapsulation format and tags the decapsulated message data with the cryptographic algorithm;
the decapsulation module sends the decapsulated message data tagged with the cryptographic algorithm to the algorithm scheduling module of the FPGA chip through the high-speed interface, and the algorithm scheduling module selects the corresponding encryption module to decrypt the decapsulated message data according to the cryptographic algorithm, thereby decrypting the network data.
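The encryption and decryption flows above, as an added worked example that is not code from the patent: a Python model of the PL-side policy analysis (five-tuple extraction and hash lookup), the encapsulation and decapsulation modules, the FPGA-side algorithm scheduling, and the audit record of which algorithm ran in which direction. The five-tuple hash, the 4-byte header layout, the FMT_*/ALG_* names, the addresses and ports, and the HMAC-SHA256 counter-mode keystream standing in for the FPGA cipher cores are all this example's assumptions; dropping a frame whose five-tuple matches no policy (fail closed) is also assumed, since the patent does not specify that case.

```python
import hashlib
import hmac
import struct

# Constructed base key; on the device it arrives over the FPGA's key-injection interface.
BASE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
# Cryptographic policy as issued by the host: five-tuple -> (encapsulation format, algorithm).
# The five-tuple is (src_ip, dst_ip, protocol, src_port, dst_port); every value is constructed.
POLICY = {
    ("10.0.0.5", "10.0.1.9", 17, 40000, 5000): ("FMT_A", "ALG_1"),
    ("10.0.0.6", "10.0.1.9", 6, 40001, 443): ("FMT_B", "ALG_2"),
}
FORMAT_TAG = {"FMT_A": 0xA1, "FMT_B": 0xB2}  # hypothetical on-the-wire format tags
ALG_TAG = {"ALG_1": 0x01, "ALG_2": 0x02}     # hypothetical algorithm tags
AUDIT_LOG = []  # audit module: which algorithm was used, and whether to encrypt or decrypt

def five_tuple_hash(ft):
    """Stand-in for the PL-side hash that indexes the policy table (truncated SHA-256)."""
    return hashlib.sha256("|".join(str(x) for x in ft).encode()).digest()[:8]

POLICY_BY_HASH = {five_tuple_hash(k): v for k, v in POLICY.items()}

def extract_five_tuple(frame):
    """Network policy analysis: (src_ip, dst_ip, proto, sport, dport) plus the L4 payload
    taken from an Ethernet II / IPv4 / TCP-or-UDP frame."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (6, 17):
        raise ValueError("only TCP/UDP carry a five-tuple")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    l4_len = (l4[12] >> 4) * 4 if proto == 6 else 8
    return (src, dst, proto, sport, dport), l4[l4_len:]

def match_policy(ft):
    """Hash the five-tuple and look it up; no match drops the frame (fail closed, assumed)."""
    entry = POLICY_BY_HASH.get(five_tuple_hash(ft))
    if entry is None:
        raise LookupError(f"no policy for {ft}")
    return entry

def keystream_xor(alg, data):
    """Stand-in for an FPGA cipher core: an HMAC-SHA256 counter-mode keystream, keyed per
    algorithm from the base key, XORed onto the data. XOR is its own inverse, so the same
    routine serves both the encryption module and the decryption module."""
    key, out = hmac.new(BASE_KEY, alg.encode(), hashlib.sha256).digest(), bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack("!I", off // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

ENCRYPT_MODULES = {alg: (lambda d, a=alg: keystream_xor(a, d)) for alg in ALG_TAG}
DECRYPT_MODULES = dict(ENCRYPT_MODULES)  # same primitive here; separate tables as in the device

def schedule(alg, data, direction):
    """Algorithm scheduling module: route the tagged message data to the matching core."""
    table = ENCRYPT_MODULES if direction == "encrypt" else DECRYPT_MODULES
    AUDIT_LOG.append({"algorithm": alg, "direction": direction})
    return table[alg](data)

def encapsulate(fmt, alg, payload):
    """Encapsulation module: format tag, algorithm tag, length, then the message data."""
    return struct.pack("!BBH", FORMAT_TAG[fmt], ALG_TAG[alg], len(payload)) + payload

def decapsulate(fmt, alg, data):
    """Decapsulation module: the header must agree with the policy-selected format/algorithm."""
    f, a, n = struct.unpack("!BBH", data[:4])
    if (f, a) != (FORMAT_TAG[fmt], ALG_TAG[alg]) or len(data) != 4 + n:
        raise ValueError("encapsulation header does not match the policy")
    return data[4:]

def process_outbound(frame):
    """Encryption path: five-tuple -> policy -> encapsulate -> FPGA core (header stays clear)."""
    ft, payload = extract_five_tuple(frame)
    fmt, alg = match_policy(ft)
    packed = encapsulate(fmt, alg, payload)
    return packed[:4] + schedule(alg, packed[4:], "encrypt")

def process_inbound(frame):
    """Decryption path: five-tuple -> policy -> decapsulate -> FPGA core."""
    ft, payload = extract_five_tuple(frame)
    fmt, alg = match_policy(ft)
    return schedule(alg, decapsulate(fmt, alg, payload), "decrypt")

def build_frame(ft, payload):
    """Constructed Ethernet II / IPv4 / UDP frame builder for this example (no checksums)."""
    src, dst, proto, sport, dport = ft
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + udp
```

A round trip is `process_inbound(build_frame(ft, process_outbound(build_frame(ft, data))))`, which returns `data` only when both directions resolve the same policy entry and the decapsulation header agrees with it.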
As a further improvement of this embodiment, the FPGA chip further includes an error management module, configured to perform an algorithm self-check on each cryptographic algorithm configured in the FPGA chip and to generate a self-check result.
After the system is powered on, the host computer injects the base key into the FPGA chip through the third interface, the FPGA chip performs the algorithm self-check on each configured cryptographic algorithm through the error management module, and cryptographic processing begins only after the algorithm self-check has passed.
Meanwhile, the SOC chip is also provided with a management module, connected with the first network port and with the network policy issuing module, whose management includes controlling the reception of network data and cryptographic policies according to the self-check result.
Specifically, the error management module feeds the self-check result back to the management module. If the self-check has passed, network data are received through the first network port under the control of the management module, and the cryptographic policy is received and issued through the network policy issuing module for subsequent cryptographic processing. If the self-check has failed, the first network port stops receiving network data under the control of the management module, and the network policy issuing module stops receiving and issuing the cryptographic policy.
The FPGA chip feeds the self-check result back to the SOC chip through the low-speed interface.
As a further improvement of this embodiment, the SOC chip further includes an audit module configured on the PS side of the SOC chip. The audit module is connected to the network policy issuing module, reads the cryptographic policy from it, determines whether the cryptographic algorithm is used to encrypt or to decrypt the message data, generates an audit report, and feeds the audit report back to the host computer through the second network port.
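The self-check gating described above, as an added example that is not the patent's own code: the error management module runs a known-answer test for each configured algorithm after key injection, and the management module opens or closes the first network port and the network policy issuing module on the result it receives. Reading "algorithm self-check" as a known-answer test, using hash functions with public FIPS 180 test vectors as stand-ins for the cipher cores, and modelling the low-speed interface as a plain function call are this example's assumptions.

```python
import hashlib

# Algorithm cores as configured in the FPGA. Hash functions stand in for the device's cipher
# cores because their known-answer vectors (the FIPS 180 "abc" values) are public.
CORES = {
    "SHA-256": lambda d: hashlib.sha256(d).digest(),
    "SHA-1": lambda d: hashlib.sha1(d).digest(),
}
KNOWN_ANSWERS = {
    "SHA-256": (b"abc", bytes.fromhex(
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")),
    "SHA-1": (b"abc", bytes.fromhex("a9993e364706816aba3e25717850c26c9cd0d89d")),
}

class ErrorManagementModule:
    """FPGA side: after key injection, run every configured algorithm against its known answer.
    Treating the self-check as a known-answer test is this example's assumption."""

    def __init__(self, cores, vectors):
        self.cores, self.vectors = cores, vectors

    def self_check(self):
        results = {}
        for name, core in self.cores.items():
            msg, expected = self.vectors[name]
            try:
                results[name] = core(msg) == expected
            except Exception:  # a core that faults counts as a failed check, not a crash
                results[name] = False
        return results

class ManagementModule:
    """SOC side: gates the first network port and the network policy issuing module on the
    self-check result it receives over the low-speed interface (a plain call here)."""

    def __init__(self):
        self.ingress_enabled = False   # closed until a passing self-check arrives
        self.policy_enabled = False
        self.last_result = {}

    def receive_self_check(self, results):
        passed = bool(results) and all(results.values())
        self.ingress_enabled = self.policy_enabled = passed
        self.last_result = dict(results)
        return passed

    def accept_frame(self, frame):
        """First network port: frames reach the PL only while the self-check has passed."""
        return self.ingress_enabled and len(frame) >= 14

    def accept_policy(self, policy):
        """Network policy issuing module: policy is stored and issued only while enabled."""
        return self.policy_enabled and isinstance(policy, dict)

def power_on(cores=CORES):
    """Bring-up: (key injection is out of scope) self-check, then report to the SOC chip."""
    emm = ErrorManagementModule(cores, KNOWN_ANSWERS)
    mgmt = ManagementModule()
    mgmt.receive_self_check(emm.self_check())
    return mgmt

def faulty_cores():
    """Constructed fault for the example: a SHA-1 core whose first output bit is flipped."""
    bad = dict(CORES)
    bad["SHA-1"] = lambda d: bytes([CORES["SHA-1"](d)[0] ^ 0x80]) + CORES["SHA-1"](d)[1:]
    return bad
```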
Example 2:
The invention provides a Zynq-based network data encryption and decryption method, which encrypts or decrypts network data through the Zynq-based network cipher machine of Example 1 and comprises the following steps:
S100, injecting a base key into the FPGA chip;
S200, acquiring network data through the PS (processing system) side of the SOC chip and extracting the Ethernet frames of the network data;
sending a cryptographic policy from a host computer to the PS side of the SOC chip, wherein the cryptographic policy includes, but is not limited to, a cryptographic algorithm, an encapsulation format and five-tuple data;
S300, matching a corresponding encapsulation format or decapsulation format to the message data in the Ethernet frame through the PL (programmable logic) side of the SOC chip, encapsulating or decapsulating the message data in the Ethernet frame, tagging the encapsulated or the decapsulated message data with the cryptographic algorithm, and sending the tagged message data to the FPGA chip;
S400, encrypting the encapsulated message data or decrypting the decapsulated message data in the FPGA chip according to the corresponding cryptographic algorithm, and returning the encrypted or decrypted message data to the SOC chip;
and S500, sending the encrypted or decrypted message data to the host computer through the SOC chip.
As a further improvement of this embodiment, after the base key is injected into the FPGA chip, each cryptographic algorithm configured in the FPGA chip is subjected to an algorithm self-check to generate a self-check result, and the self-check result is fed back to the management module. If the self-check has passed, network data and the cryptographic policy are acquired through the PS side of the SOC chip; if the self-check has failed, the PS side of the SOC chip stops receiving network data and the cryptographic policy.
As a further improvement of this embodiment, the method further includes the following operation:
in the SOC chip, the audit module reads the cryptographic policy from the network policy issuing module, judges whether the cryptographic algorithm is used for encrypting or for decrypting the message data, generates an audit report, and feeds the audit report back to the host computer.
The above-mentioned embodiments are merely preferred embodiments for fully illustrating the present invention, and the scope of the present invention is not limited thereto. The equivalent substitution or change made by the technical personnel in the technical field on the basis of the invention is all within the protection scope of the invention. The protection scope of the invention is subject to the claims.

Claims (8)

1. A Zynq-based network cipher machine, characterized by comprising:
an SOC chip, wherein the PS (processing system) side of the SOC chip is a multi-core ARM processor and is used for receiving network data and a cryptographic policy issued by a host computer and for sending the cryptographic policy and the Ethernet frames of the network data to the PL (programmable logic) side of the SOC chip, and the cryptographic policy includes, but is not limited to, a cryptographic algorithm, an encapsulation format and five-tuple data;
the PL side of the SOC chip is used for matching the message data in the Ethernet frame with a corresponding encapsulation format, encapsulating the message data and tagging the encapsulated message data with the cryptographic algorithm;
an FPGA chip, used for receiving a base key from the host computer, receiving the encapsulated message data tagged with the cryptographic algorithm from the SOC chip, encrypting or decrypting the message data according to the cryptographic algorithm, and returning the encrypted or decrypted message data to the host computer through the SOC chip;
wherein the SOC chip includes:
a first network port, configured on the PS side of the SOC chip and used for receiving network data and extracting Ethernet frames from the network data;
a second network port, configured on the PS side of the SOC chip and used for sending the encrypted or decrypted message data to the host computer;
a third network port, configured on the PS side of the SOC chip and used for receiving the cryptographic policy from the host computer;
a network policy issuing module, configured on the PS side of the SOC chip, connected with the third network port and used for storing and issuing the cryptographic policy;
an AXI data interface, configured on the PL side of the SOC chip and used for transmitting the Ethernet frames extracted by the first network port;
an AXI control interface, configured on the PL side of the SOC chip and used for transmitting the cryptographic policy issued by the network policy issuing module;
a network policy analysis module, configured on the PL side of the SOC chip and used for matching a corresponding encapsulation format to the message data through the five-tuple data;
an encapsulation module, configured on the PL side of the SOC chip and used for encapsulating the message data in the Ethernet frame according to the encapsulation format and tagging the encapsulated message data with the cryptographic algorithm;
a decapsulation module, configured on the PL side of the SOC chip and used for decapsulating the message data according to the encapsulation format and tagging the decapsulated message data with the cryptographic algorithm;
and wherein the FPGA chip comprises:
a plurality of encryption modules, each encryption module being used for encrypting the message data according to its corresponding cryptographic algorithm;
a plurality of decryption modules, each decryption module being used for decrypting the message data according to its corresponding cryptographic algorithm;
an algorithm scheduling module, used for receiving the encapsulated message data tagged with the cryptographic algorithm and the decapsulated message data tagged with the cryptographic algorithm, and for sending the encapsulated message data to the corresponding encryption module or the decapsulated message data to the corresponding decryption module according to the cryptographic algorithm;
and a fourth interface, configured to receive the base key after power-on.
2. The Zynq-based network cipher machine according to claim 1, wherein the network policy parsing module is configured to extract the quintuple data from an Ethernet frame and match the extracted quintuple data against the quintuple data in the cipher policy through a hash algorithm, so as to obtain the encapsulation format corresponding to the message data in that Ethernet frame.
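The quintuple (five-tuple) match in claim 2 is the decision point that determines whether a frame is processed at all and, if so, under which algorithm and encapsulation format. The following Python is an added illustration, not the patent's or the assignee's code: it parses the five-tuple out of a constructed Ethernet/IPv4/TCP-or-UDP frame, looks it up in a hash-keyed policy table (a Python dict is a hash table, standing in for the hash match the claim describes), and fails closed on anything it cannot classify. The policy field names `algorithm` and `encap_format`, the labels `alg-A`/`format-1`, and the sample addresses are assumptions made for the example.

```python
"""Five-tuple extraction and hash-keyed cipher-policy lookup.

Added example, not the patent's own logic. Policy field names
(algorithm, encap_format) and the sample values are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (src_ip, dst_ip, src_port, dst_port, ip_protocol)
FiveTuple = Tuple[str, str, int, int, int]

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


@dataclass(frozen=True)
class PolicyEntry:
    """What a cipher policy attaches to one flow (field names are assumed)."""
    algorithm: str     # label of the cipher module the FPGA scheduler should pick
    encap_format: str  # label of the encapsulation format to apply


def extract_five_tuple(frame: bytes) -> Optional[FiveTuple]:
    """Parse Ethernet II / IPv4 / TCP-or-UDP headers and return the five-tuple.

    Returns None for anything that carries no five-tuple (non-IPv4 ethertype,
    non-TCP/UDP protocol, or a truncated frame) so that callers fail closed.
    """
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes, options included
    if ihl < 20 or len(ip) < ihl + 4:   # the two L4 port fields must be present too
        return None
    proto = ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (src_ip, dst_ip, src_port, dst_port, proto)


class PolicyTable:
    """Cipher policies keyed by five-tuple.

    The dict is a hash table, so each lookup hashes the frame's five-tuple and
    compares it with the policy's five-tuple instead of scanning every policy.
    """

    def __init__(self) -> None:
        self._entries: Dict[FiveTuple, PolicyEntry] = {}

    def issue(self, flow: FiveTuple, entry: PolicyEntry) -> None:
        """Called when the policy issuing module pushes a policy down."""
        self._entries[flow] = entry

    def match(self, flow: FiveTuple) -> Optional[PolicyEntry]:
        return self._entries.get(flow)


def classify(frame: bytes, table: PolicyTable) -> Tuple[str, Optional[PolicyEntry]]:
    """Decide what the encapsulation stage does with a frame.

    ("drop", None) when no five-tuple can be extracted or no policy matches;
    ("process", entry) when a policy names the algorithm and format to use.
    """
    flow = extract_five_tuple(frame)
    if flow is None:
        return ("drop", None)
    entry = table.match(flow)
    if entry is None:
        return ("drop", None)   # unknown flow: never forwarded without a policy
    return ("process", entry)


def build_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                proto: int, payload: bytes = b"") -> bytes:
    """Construct a minimal test frame (constructed sample data, not a capture).
    The IPv4 checksum is left zero; it is not needed for five-tuple extraction."""
    l4 = struct.pack("!HH", src_port, dst_port) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


if __name__ == "__main__":
    table = PolicyTable()
    table.issue(("10.0.0.1", "10.0.0.2", 40000, 443, PROTO_TCP),
                PolicyEntry(algorithm="alg-A", encap_format="format-1"))
    print(classify(build_frame("10.0.0.1", "10.0.0.2", 40000, 443, PROTO_TCP), table))
    print(classify(build_frame("10.0.0.9", "10.0.0.2", 40000, 443, PROTO_TCP), table))
    print(classify(bytes(12) + b"\x08\x06" + bytes(28), table))  # ARP: no five-tuple
```

The parser validates the IPv4 header length before reading the port fields, and anything it cannot classify is reported as `drop` rather than passed through; a cipher machine that forwarded unmatched traffic in the clear would defeat its own purpose, so the unmatched case is the one worth testing explicitly.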
3. The Zynq-based network cipher machine as claimed in claim 1 or 2, wherein a high-speed interface is configured between the SOC chip and the FPGA chip;
the FPGA chip receives the encapsulated message data with the cryptographic algorithm attached and the decapsulated message data with the cryptographic algorithm attached from the SOC chip through the high-speed interface, and returns the encrypted or decrypted message data to the SOC chip through the high-speed interface.
4. The Zynq-based network cipher machine as claimed in claim 3, wherein the FPGA chip further comprises an error management module, the error management module being configured to perform an algorithm self-check on each cipher algorithm configured in the FPGA chip and to generate a self-check result;
the SOC chip further comprises a management module, the management module being used for management, which includes controlling the reception of network data and cipher policies according to the self-check result.
5. The Zynq-based network cipher machine of claim 4, wherein the SOC chip further comprises an audit module, the audit module is configured at a PS end of the SOC chip, and is configured to read the cipher policy from the network policy issuing module and determine whether the cipher algorithm is used for encryption or decryption to generate an audit report, and feed the audit report back to the upper computer.
6. The Zynq-based network cipher machine of claim 4, wherein a low speed interface is configured between the SOC chip and the FPGA chip;
and the FPGA chip sends the self-checking result to the SOC chip through the low-speed interface.
7. A Zynq-based network data encryption and decryption method, characterized in that the network data are encrypted or decrypted by the Zynq-based network cipher machine according to any one of claims 1 to 6, the method comprising the following steps:
injecting a basic key into the FPGA chip;
acquiring network data through the PS (Processing System) end of the SOC (System on Chip) chip and extracting the Ethernet frames of the network data;
sending a cipher policy to the PS end of the SOC chip from the upper computer, wherein the cipher policy comprises, but is not limited to, a cipher algorithm, an encapsulation format and quintuple data;
matching a corresponding encapsulation format or decapsulation format to the message data in the Ethernet frame through the PL (Programmable Logic) end of the SOC chip, encapsulating or decapsulating the message data in the Ethernet frame, attaching the cryptographic algorithm to the encapsulated message data or to the decapsulated message data, and sending the encapsulated message data with the cryptographic algorithm attached or the decapsulated message data with the cryptographic algorithm attached to the FPGA chip;
encrypting the encapsulated message data or decrypting the decapsulated message data on the FPGA chip according to the corresponding cryptographic algorithm, and returning the encrypted or decrypted message data to the SOC chip;
and sending the encrypted or decrypted message data to the upper computer through the SOC chip.
8. The Zynq-based network data encryption and decryption method according to claim 7, wherein after the basic key is injected into the FPGA chip, an algorithm self-check is performed on each cryptographic algorithm configured in the FPGA chip and the generated self-check result is fed back to the SOC chip, and only after the algorithm self-check has passed are network data and a cipher policy acquired through the PS end of the SOC chip;
the method further comprises the following step:
reading the cipher policy from the network policy issuing module, determining whether the cipher algorithm is used for encryption or decryption so as to generate an audit report, and feeding the audit report back to the upper computer.
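Claims 4, 5 and 8 together describe a fail-closed start-up sequence: every configured algorithm is self-checked after key injection, the management module admits network data and cipher policies only once the self-check has passed, and an audit record captures whether each algorithm was used for encryption or decryption. The Python below is an added illustration of that control flow, not the patent's or the assignee's code. Because the Python standard library ships no block cipher, the "algorithm modules" under test are hash functions checked against their public FIPS 180 known-answer vectors; the self-check, gating and audit logic is the point and applies unchanged to cipher cores with their own known-answer vectors. The class and method names, the `faulty_sha256` module and the "encrypt"/"decrypt" labels are assumptions made for the example.

```python
"""Algorithm self-check gating traffic acceptance, with an audit record.

Added example, not the patent's design. The algorithm modules are hash
functions because the standard library has no block cipher; the gating
and audit logic is what the example demonstrates.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

AlgorithmModule = Callable[[bytes], bytes]

# Known-answer vectors (input, expected output) for each configured algorithm.
# These are the public FIPS 180 "abc" test vectors, not page-specific values.
KNOWN_ANSWERS: Dict[str, Tuple[bytes, bytes]] = {
    "sha256": (b"abc", bytes.fromhex(
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")),
    "sha1": (b"abc", bytes.fromhex("a9993e364706816aba3e25717850c26c9cd0d89d")),
}


def self_check(modules: Dict[str, AlgorithmModule]) -> Dict[str, bool]:
    """Run every configured module against its known answer.

    A module with no vector cannot be verified and is reported as failed:
    the result is fail-closed, never "unknown".
    """
    results: Dict[str, bool] = {}
    for name, fn in modules.items():
        vector = KNOWN_ANSWERS.get(name)
        if vector is None:
            results[name] = False
            continue
        message, expected = vector
        try:
            results[name] = hmac.compare_digest(fn(message), expected)
        except Exception:          # a crashing core counts as a failed core
            results[name] = False
    return results


@dataclass
class ManagementModule:
    """Admits network data and cipher policies only after all checks pass."""
    modules: Dict[str, AlgorithmModule]
    check_results: Dict[str, bool] = field(default_factory=dict)
    audit_log: List[Tuple[str, str]] = field(default_factory=list)

    def power_on(self) -> bool:
        """Key injection precedes this step (not modelled); then the self-check."""
        self.check_results = self_check(self.modules)
        return self.accepting_traffic()

    def accepting_traffic(self) -> bool:
        # Any single failed core keeps the whole device closed to traffic.
        return bool(self.check_results) and all(self.check_results.values())

    def schedule(self, algorithm: str, operation: str, data: bytes) -> bytes:
        """Dispatch to the module named in the policy and record it for audit."""
        if not self.accepting_traffic():
            raise RuntimeError("self-check not passed: network data refused")
        if operation not in ("encrypt", "decrypt"):
            raise ValueError(f"unknown operation {operation!r}")
        if algorithm not in self.modules:
            raise KeyError(f"no module configured for {algorithm!r}")
        self.audit_log.append((algorithm, operation))
        return self.modules[algorithm](data)

    def audit_report(self) -> Dict[Tuple[str, str], int]:
        """How many times each algorithm was used for encryption vs decryption."""
        report: Dict[Tuple[str, str], int] = {}
        for key in self.audit_log:
            report[key] = report.get(key, 0) + 1
        return report


def reference_modules() -> Dict[str, AlgorithmModule]:
    """Correct modules, as a healthy device would configure them."""
    return {"sha256": lambda d: hashlib.sha256(d).digest(),
            "sha1": lambda d: hashlib.sha1(d).digest()}


def faulty_sha256(data: bytes) -> bytes:
    """A deliberately broken module (last byte zeroed) to show the gate closing."""
    return hashlib.sha256(data).digest()[:-1] + b"\x00"


if __name__ == "__main__":
    good = ManagementModule(reference_modules())
    print("healthy device accepting traffic:", good.power_on())
    good.schedule("sha256", "encrypt", b"payload")
    print("audit report:", good.audit_report())
    bad = ManagementModule({**reference_modules(), "sha256": faulty_sha256})
    print("faulty device accepting traffic:", bad.power_on(), bad.check_results)
```

Two design choices are worth noting. The comparison uses `hmac.compare_digest` so that a mismatch of any length is reported uniformly, and an algorithm that has no known-answer vector is treated as failed rather than skipped, which is what prevents a misconfigured or newly added core from silently being put into service.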
CN201910879393.0A 2019-09-18 2019-09-18 Zynq-based network cipher machine and network data encryption and decryption method Active CN110602107B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910879393.0A CN110602107B (en) 2019-09-18 2019-09-18 Zynq-based network cipher machine and network data encryption and decryption method

Publications (2)

Publication Number Publication Date
CN110602107A CN110602107A (en) 2019-12-20
CN110602107B true CN110602107B (en) 2021-12-28

Family

ID=68860702

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910879393.0A Active CN110602107B (en) 2019-09-18 2019-09-18 Zynq-based network cipher machine and network data encryption and decryption method

Country Status (1)

Country Link
CN (1) CN110602107B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111478895A (en) * 2020-04-03 2020-07-31 乾讯信息技术(无锡)有限公司 Network multimedia secure transmission method and system
CN114218594A (en) * 2021-12-17 2022-03-22 京东方科技集团股份有限公司 Encryption and decryption initialization configuration method, edge terminal, encryption and decryption platform and security system
CN115544491B (en) * 2022-10-10 2023-12-26 北京神州安付科技股份有限公司 Cipher machine with self-checking function

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105099711A (en) * 2015-08-28 2015-11-25 北京三未信安科技发展有限公司 ZYNQ-based small-sized cipher machine and data encryption method
WO2016107421A1 (en) * 2014-12-29 2016-07-07 深圳市国微电子有限公司 Reconstruction method and apparatus for programmable logic device
CN106022169A (en) * 2016-06-30 2016-10-12 北京三未信安科技发展有限公司 Encryption protection method based on ZYNQ small-size cipher machine and device for realizing method
CN107196754A (en) * 2017-03-31 2017-09-22 山东超越数控电子有限公司 A kind of encryption device based on SOC
CN109240961A (en) * 2018-11-30 2019-01-18 济南浪潮高新科技投资发展有限公司 A kind of devices, systems, and methods for quantum calculation observing and controlling

Also Published As

Publication number Publication date
CN110602107A (en) 2019-12-20

Similar Documents

Publication Publication Date Title
CN110602107B (en) Zynq-based network cipher machine and network data encryption and decryption method
CN109842585B (en) Network information safety protection unit and protection method for industrial embedded system
AU2005213327B2 (en) Multi-protocol network encryption system
CN105871873A (en) Security encryption authentication module for power distribution terminal communication and method thereof
CN106301765B (en) Encryption and decryption chip and method for realizing encryption and decryption
CN107769912A (en) A kind of quantum key chip and the encipher-decipher method based on quantum key chip
CN107181716A (en) A kind of secure communication of network system and method based on national commercial cipher algorithm
CN111756627A (en) Cloud platform security access gateway of electric power monitored control system
CN110620762A (en) RDMA (remote direct memory Access) -based data transmission method, network card, server and medium
CN108809642A (en) A kind of encryption certification high-speed transfer implementation method of multi-channel data 10,000,000,000 based on FPGA
CN107241291A (en) Internet of Things network security access device, internet-of-things terminal equipment and Internet of things system
CN106850443A (en) A kind of SDN flow table issuance methods based on TPM
CN110417706A (en) A kind of safety communicating method based on interchanger
CN102082660A (en) Method for implementing network communication on encryption card and encryption card with network interface
CN114928756B (en) Video data protection, encryption and verification method, system and equipment
CN102970134A (en) Method and system for encapsulating PKCS#7 (public-key cryptography standard #7) data by algorithm of hardware password equipment
CN110768982A (en) Network security interconnection device based on homemade SOC
CN115909560A (en) Data encryption method, data decryption method and door lock system
CN103297809B (en) Media content encrypting and decrypting method, apparatus and system
CN112910646B (en) Data processing method and device of server cipher machine and server cipher machine
CN114826748A (en) Audio and video stream data encryption method and device based on RTP, UDP and IP protocols
CN110995726B (en) Network isolation system of FPGA chip based on embedded ARM
US11228431B2 (en) Communication systems and methods for authenticating data packets within network flow
CN110048838B (en) Power line carrier system
CN209731292U (en) Safe distribution of electric power communication terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20211202

Address after: Building S02, 1036 Gaoxin Langchao Road, Jinan, Shandong 250100

Applicant after: Shandong Inspur Scientific Research Institute Co.,Ltd.

Address before: North 6th floor, S05 building, Langchao Science Park, 1036 Langchao Road, hi tech Zone, Jinan City, Shandong Province, 250100

Applicant before: SHANDONG INSPUR ARTIFICIAL INTELLIGENCE RESEARCH INSTITUTE Co.,Ltd.

GR01 Patent grant