CN111600705A - Isolation card based on auto-negotiation mechanism - Google Patents

Isolation card based on auto-negotiation mechanism

Info

Publication number
CN111600705A
Authority
CN
China
Prior art keywords
negotiation
fpga
chip
module
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010405223.1A
Other languages
Chinese (zh)
Other versions
CN111600705B (en)
Inventor
朱孟江
刘勇
徐项帅
成刚
朱江
赵华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
State Grid Shandong Electric Power Co Ltd
Nari Information and Communication Technology Co
State Grid Electric Power Research Institute
Original Assignee
State Grid Corp of China SGCC
State Grid Shandong Electric Power Co Ltd
Nari Information and Communication Technology Co
State Grid Electric Power Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, State Grid Shandong Electric Power Co Ltd, Nari Information and Communication Technology Co, State Grid Electric Power Research Institute
Priority to CN202010405223.1A
Publication of CN111600705A
Application granted
Publication of CN111600705B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/14 Handling requests for interconnection or transfer
    • G06F13/20 Handling requests for interconnection or transfer for access to input/output bus
    • G06F13/32 Handling requests for interconnection or transfer for access to input/output bus using combination of interrupt and burst mode transfer
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/38 Information transfer, e.g. on bus
    • G06F13/40 Bus structure
    • G06F13/4063 Device-to-bus coupling
    • G06F13/4068 Electrical coupling
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/38 Information transfer, e.g. on bus
    • G06F13/42 Bus transfer protocol, e.g. handshake; Synchronisation
    • G06F13/4282 Bus transfer protocol, e.g. handshake; Synchronisation on a serial bus, e.g. I2C bus, SPI bus
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2213/00 Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F2213/0026 PCI express

Abstract

The invention discloses an isolation card based on an auto-negotiation mechanism, comprising two FPGA chips that communicate with each other, a symmetric SM1 algorithm chip connected to each FPGA, and a master-slave configuration circuit module. The two FPGA chips communicate with the inner-network and outer-network ends of the device through PCIe interfaces, communicate with each other through a high-speed serial interface, and exchange data with the algorithm chip over a local bus. The invention places the algorithm chip inside the data isolation card, removes the asymmetric algorithm chip, and, drawing on the characteristics of the data isolation card's usage scenario, provides a session key auto-negotiation mechanism that uses the FPGA fingerprint as the identity information for session key negotiation; it has the characteristics of high speed, high integration, low cost and easy porting.

Description

Isolation card based on auto-negotiation mechanism
Technical Field
The invention relates to an isolation card based on an auto-negotiation mechanism and belongs to the technical field of information security.
Background
According to the General Scheme for Security Protection of Power Monitoring Systems (national security [2015] No. 36), isolation measures are taken between different security zones, and a unidirectional data transmission isolation device is deployed between the production control zone and the management information zone. The basic structure of a traditional network isolation device is two completely independent host systems plus a data ferry board. To further increase the confidentiality of data transmission, a data encryption and decryption function is added on top of the traditional network security isolation device: data sent by the host to the isolation card is first encrypted or decrypted and then transmitted unidirectionally, which ensures that data is also in ciphertext while it travels between different security zones.
Existing data isolation cards generally transfer data in one of four ways: an electronic switch, a unidirectional FIFO, an optical fiber, or a coprocessor (an FPGA or similar); the coprocessor approach is currently the most widely used. The data encryption and decryption function is mainly realized in one of two ways: in software on the host system, or in a separate encryption and decryption module. The security of software encryption and decryption cannot be guaranteed; its main problems are insecure keys and ease of cracking, and its performance depends heavily on the performance of the host system, which limits transmission efficiency. The separate encryption and decryption module is generally built as an independent encryption card whose core devices are a CPU (central processing unit), a cryptographic chip and so on; data is generally exchanged between the encryption card and the host over a high-speed serial interface and is encrypted and decrypted by the cryptographic chip. The separate encryption module improves system security, but compared with the traditional network isolation device it adds an independent board card and multiple rounds of data interaction, which greatly reduces transmission efficiency and increases hardware cost.
Disclosure of Invention
The invention aims to provide an isolation card based on an auto-negotiation mechanism, which designs a session key auto-negotiation mechanism, uses FPGA fingerprints as the identity information for session key negotiation, and improves data transmission efficiency.
To achieve this purpose, the invention adopts the following technical scheme:
an isolation card based on an auto-negotiation mechanism comprises two FPGA chips, wherein each FPGA chip is connected to a symmetric SM1 algorithm chip and a master-slave configuration circuit;
the two FPGA chips communicate with each other through a high-speed serial interface;
the two FPGA chips communicate with the inner-network host and the outer-network host respectively through PCIe interfaces;
each FPGA chip negotiates a session key with the opposite-end FPGA chip, encrypts or decrypts data in the memory of the host connected to it based on the negotiated key and then sends the data to the opposite-end FPGA chip, and writes data sent by the opposite-end FPGA chip into the memory of the host on its own side;
the symmetric SM1 algorithm chip performs encryption and decryption operations on the data packets cached by the FPGA chip to which it is connected;
the master-slave configuration circuit indicates the master or slave mode of the FPGA chip on the inner-network side and the outer-network side.
Furthermore, each FPGA chip comprises a DMA controller, a data parsing module, an SM1 algorithm chip control module, an auto-negotiation module, a hash algorithm module, a data receiving module and an interrupt control module;
the DMA controller reads data from the memory of the host connected to it into a FIFO (first in, first out) buffer in the FPGA chip, and writes data processed and transmitted by the opposite-end FPGA chip into the memory of the host on its own side;
the data parsing module parses the data cached in the FIFO and writes it into different lower-level FIFOs according to the data packet format;
the SM1 algorithm chip control module sends the data packets cached in the FIFO, together with the negotiated session key and initial vector generated by the hash algorithm module, to the symmetric SM1 algorithm chip, and returns the data packets encrypted or decrypted by the symmetric SM1 algorithm chip to the FIFO for caching;
the auto-negotiation module negotiates the session key between the two communicating ends;
the hash algorithm module hashes the negotiation factors to generate the negotiated session key and initial vector;
the data receiving module receives data packets transmitted by the opposite-end FPGA chip;
the interrupt control module sends an interrupt to the host on its own side to notify it to read data.
Furthermore, each FPGA chip is provided with a GTP/GTX interface.
Furthermore, the symmetric SM1 algorithm chip is an SSX30-D cryptographic chip.
Furthermore, each FPGA chip is an XC7A75T FPGA chip.
Furthermore, the lower-level FIFOs comprise a plaintext transparent-transmission FIFO and an SM1 algorithm chip cache FIFO; the plaintext transparent-transmission FIFO caches data packets that do not need to be encrypted or decrypted and transmits them to the opposite-end FPGA chip through the high-speed serial interface; the SM1 algorithm chip cache FIFO caches data packets that need to be encrypted or decrypted, writes them into the symmetric SM1 algorithm chip under the control of the SM1 algorithm chip control module, and transmits the encrypted or decrypted data packets to the opposite-end FPGA chip through the high-speed serial interface.
Furthermore, the auto-negotiation module is specifically configured to:
obtain a negotiation factor from a device fingerprint module;
call the hash algorithm module for calculation;
send the calculated negotiated session key and initial vector to the symmetric SM1 algorithm chip via the SM1 algorithm chip control module.
Furthermore, the auto-negotiation module is specifically configured such that:
the auto-negotiation module of the master-end FPGA, which initiates the session key negotiation, reads its own 128-bit device fingerprint data ID(m) as one of the key negotiation factors, simultaneously generates a 128-bit random number r1 to form the 256-bit key negotiation parameter (ID(m) || r1), and sends the parameter to the auto-negotiation module of the slave-end FPGA;
the auto-negotiation module of the slave-end FPGA reads its own 128-bit device fingerprint data ID(s) as one of the key negotiation factors, simultaneously generates a 128-bit random number r2 to form the 256-bit key negotiation parameter (ID(s) || r2), and sends it to the auto-negotiation module of the master-end FPGA;
the auto-negotiation module of the master-end FPGA calls the hash algorithm module on the negotiation factor sent by the slave end;
and the auto-negotiation module of the slave-end FPGA calls the hash algorithm module on the negotiation factor sent by the master end.
Furthermore, the hash algorithm module is specifically configured such that:
the hash algorithm module of the master-end FPGA computes the hash H((ID(m) || r1) ⊕ (ID(s) || r2)) over the negotiation factors, the first 128 bits of the resulting 256-bit hash being the session key K and the last 128 bits the initial vector IV;
the hash algorithm module of the slave-end FPGA computes the hash H((ID(s) || r2) ⊕ (ID(m) || r1)) over the negotiation factors, the first 128 bits of the resulting 256-bit hash being the session key K and the last 128 bits the initial vector IV.
Furthermore, the interrupt control module uses the MSI interrupt mode and dynamically adjusts the number of interrupts according to the number of CPU cores of the host.
The invention achieves the following beneficial effects:
the invention places the symmetric SM1 algorithm chip in the data isolation card and removes the asymmetric SM2 algorithm chip; drawing on the characteristics of the data isolation card's usage scenario, it designs a session key auto-negotiation mechanism in which the two FPGA chips negotiate the session key without occupying host resources, and it has the characteristics of high speed, high integration, low cost and easy porting.
Drawings
FIG. 1 is a block diagram of the data isolation card according to the present invention;
FIG. 2 is a logic block diagram of the FPGA chip in the isolation card based on the auto-negotiation mechanism according to the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
Referring to FIG. 1, in one aspect the present invention provides an isolation card based on an auto-negotiation mechanism, comprising two FPGA chips FPGA_A and FPGA_B with GTP/GTX interfaces, where each FPGA chip is connected to a symmetric SM1 algorithm chip and a master-slave configuration circuit.
The two FPGA chips communicate through a high-speed serial interface realized with the SERDES resources of the FPGA I/O ports. Compared with a traditional parallel interface, the SERDES-based high-speed serial interface inside the FPGA offers high speed and occupies few chip pins. In addition, the parallelism of the FPGA is exploited by processing data packets in a pipelined, trigger-driven manner, which further raises the data processing speed.
The two FPGAs communicate with the inner-network and outer-network hosts respectively through PCIe interfaces; the PCIe interfaces use standard gold fingers, which improves the universality of the product. The FPGA chip and the inner/outer-network host communicate in DMA mode, which does not occupy the host CPU; the FPGA can thus transfer large bursts of data quickly and meets the real-time and high-speed requirements of data transmission.
The symmetric SM1 algorithm chip performs encryption and decryption on the data streams, guaranteeing that data is transmitted as ciphertext between different security domains.
The master-slave configuration circuit indicates the master or slave mode of the FPGA chip on the inner-network and outer-network sides; under normal conditions one side is in master mode and the other in slave mode.
In the embodiment of the invention, the SSX30-D cryptographic chip is selected as the symmetric SM1 algorithm chip; the SSX30-D is a high-performance block cipher chip with a peak throughput of 1.4 Gbps. The FPGA chip is an XC7A75T from Xilinx; the device supports at most one PCIe x4 Lane core, with a line rate of 5 Gbps per Lane. The XC7A75T comes in a BGA484 package with many fan-out signals and requires several level standards such as 1 V, 1.2 V, 1.8 V and 3.3 V. Because the PCIe differential pairs place high demands on the signal integrity of the PCIe traces, the isolation card adopts a six-layer PCB layout scheme, arranged in order from the top layer to the bottom layer: this scheme effectively avoids data errors caused by electromagnetic radiation interference.
The PCIe differential pair signals are length-matched and impedance-matched, and the signal lines of the local bus connected to the symmetric SM1 algorithm chip are length-matched.
As shown in FIG. 2, the Xilinx official software is used to develop the logic program of the FPGA chip on the isolation card, which comprises a DMA controller, a data parsing module, an SM1 algorithm chip control module, an auto-negotiation module, a hash algorithm module, a data receiving module and an interrupt control module.
The modules are specifically as follows:
The DMA controller is responsible for reading host service data into a FIFO (first in, first out) buffer in the FPGA chip and for writing data processed and transmitted by the opposite-end FPGA into the memory of the host on its own side.
The data parsing module parses the data cached in the FIFO and writes the data packets into different lower-level FIFOs according to the format defined by the packet header field.
Data parsing follows a private protocol: a communication protocol is established between the host driver and the isolation card, and the main purpose of parsing is to distinguish the types of data packets. The data packets sent to the isolation card come from host services and are generated by service software; they comprise service data and control data. The driver layer repackages the original data packet according to the control information sent by the host, prepends a private-protocol header to the new data packet, and marks the packet type in it.
The lower-level FIFOs comprise a plaintext transparent-transmission FIFO and an SM1 algorithm chip cache FIFO. Data packets cached in the plaintext transparent-transmission FIFO are transmitted directly to the other FPGA through the high-speed serial interface; for data packets cached in the SM1 algorithm chip cache FIFO, the FPGA logic writes the data to be encrypted or decrypted to the SM1 algorithm chip control module, the symmetric SM1 chip encrypts or decrypts them, and the result is then transmitted to the other FPGA through the high-speed serial interface.
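The page does not give the private-protocol header layout, only that a header field marks the packet type and that the parser splits packets between the plaintext transparent-transmission FIFO and the SM1 cache FIFO. The following Python is an added illustration of that classification step, not the patent's FPGA logic: it assumes a hypothetical header of one type byte and a two-byte big-endian length, two constructed type codes, and two Python deques standing in for the two lower-level FIFOs. The point worth seeing is how the parser handles what the page does not spell out: a packet type it cannot classify is dropped rather than passed through, and a truncated packet is refused rather than forwarded partially.

```python
from collections import deque
from dataclasses import dataclass

# Hypothetical private-protocol header (assumed; the page gives no layout):
#   byte 0      packet type
#   bytes 1..2  payload length, big-endian
HDR_LEN = 3
TYPE_PLAINTEXT = 0x01   # constructed code: route to plaintext transparent-transmission FIFO
TYPE_CIPHER = 0x02      # constructed code: route to SM1 algorithm chip cache FIFO


@dataclass
class Packet:
    ptype: int
    payload: bytes


def build_packet(ptype: int, payload: bytes) -> bytes:
    """Build one packet in the assumed header format (used to construct sample input)."""
    if not 0 <= ptype <= 0xFF or len(payload) > 0xFFFF:
        raise ValueError("type or payload out of range for the assumed header")
    return bytes([ptype]) + len(payload).to_bytes(2, "big") + payload


class DataParser:
    """Software model of the data parsing module feeding the two lower-level FIFOs."""

    def __init__(self) -> None:
        self.plaintext_fifo: deque = deque()   # packets forwarded without encryption
        self.sm1_fifo: deque = deque()         # packets handed to the SM1 chip path
        self.dropped = 0                       # packets of a type the card does not know

    def parse_stream(self, buf: bytes) -> int:
        """Split a DMA buffer into packets, route each by type, return the packet count."""
        off = 0
        count = 0
        while off + HDR_LEN <= len(buf):
            ptype = buf[off]
            length = int.from_bytes(buf[off + 1:off + 3], "big")
            end = off + HDR_LEN + length
            if end > len(buf):
                # A header that promises more bytes than the buffer holds: refuse the
                # whole buffer instead of forwarding a partial packet to either FIFO.
                raise ValueError("truncated packet at offset %d" % off)
            payload = buf[off + HDR_LEN:end]
            if ptype == TYPE_PLAINTEXT:
                self.plaintext_fifo.append(Packet(ptype, payload))
            elif ptype == TYPE_CIPHER:
                self.sm1_fifo.append(Packet(ptype, payload))
            else:
                # Unknown type: an isolation device forwards nothing it cannot classify.
                self.dropped += 1
            off = end
            count += 1
        if off != len(buf):
            raise ValueError("%d trailing bytes after last packet" % (len(buf) - off))
        return count


if __name__ == "__main__":
    # Constructed sample DMA buffer: one plaintext packet, one to be encrypted, one unknown.
    sample = (build_packet(TYPE_PLAINTEXT, b"status ok")
              + build_packet(TYPE_CIPHER, b"measurement record")
              + build_packet(0x7F, b"?"))
    parser = DataParser()
    print("packets:", parser.parse_stream(sample))
    print("plaintext FIFO:", len(parser.plaintext_fifo),
          "SM1 FIFO:", len(parser.sm1_fifo), "dropped:", parser.dropped)
```

Only the driver-assigned type byte decides whether a packet bypasses the cipher chip, so on a real card the set of types admitted to the plaintext path is the policy that deserves review; the model makes that set explicit as the two `elif` branches.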
The auto-negotiation module negotiates the session key between the two communicating ends.
Through the defined negotiation mechanism, the auto-negotiation module obtains negotiation factors from the device fingerprint module and then calls the hash algorithm module for calculation; the result of the calculation is the negotiated session key and initial vector, which are sent through the SM1 algorithm chip control module to the symmetric SM1 chip for data encryption and decryption.
The hash algorithm module calculates the negotiated session key and initial vector.
The data receiving module receives data packets transmitted from the FIFO of the opposite-end FPGA chip; the DMA controller reads the data packets received by the data receiving module and writes them into host memory through the PCIe interface.
The interrupt control module sends an interrupt to the host to notify it to read data.
Interrupt modes mainly comprise the legacy interrupt mode and the MSI interrupt mode: legacy interrupts are level-triggered and MSI interrupts are edge-triggered; one PCIe interface supports at most 4 legacy interrupts, whereas MSI supports up to 32. The embodiment of the invention uses the MSI interrupt mode, can dynamically adjust the number of interrupts according to the number of CPU cores of the host, and binds one MSI interrupt to each CPU core to achieve load balancing.
In another aspect, the present invention provides an auto-negotiation method for the isolation card, comprising the following steps:
1) the data isolation card has the master end initiate the session key negotiation according to the hardware master-slave configuration circuit;
2) the master-end FPGA reads its own 128-bit device fingerprint data ID(m) as one of the key negotiation factors, simultaneously generates a 128-bit random number r1 to form the 256-bit key negotiation parameter (ID(m) || r1), and sends it to the slave-end FPGA;
3) the slave-end FPGA reads its own 128-bit device fingerprint data ID(s) as one of the key negotiation factors, simultaneously generates a 128-bit random number r2 to form the 256-bit key negotiation parameter (ID(s) || r2), and sends it to the master-end FPGA;
4) the master-end FPGA, using the negotiation factor sent by the slave end, calls the hash algorithm module to compute H((ID(m) || r1) ⊕ (ID(s) || r2)) over the negotiation factors; the first 128 bits of the resulting 256-bit hash are the session key K and the last 128 bits the initial vector IV;
5) the slave-end FPGA, using the negotiation factor sent by the master end, calls the hash algorithm module to compute H((ID(s) || r2) ⊕ (ID(m) || r1)) over the negotiation factors; the first 128 bits of the resulting 256-bit hash are the session key K and the last 128 bits the initial vector IV.
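The exchange in steps 1) to 5) above, which is the same procedure the auto-negotiation and hash algorithm modules are described as performing in the Disclosure section, modelled in software as an added example (this is not the patent's FPGA logic). Two assumptions are made explicit: the operator that combines the two 256-bit parameters is garbled in the machine translation and is taken here to be XOR, the only commutative reading under which the master and the slave arrive at the same K and IV; and since the page does not name the 256-bit hash H, SHA-256 is used as a stand-in. Fingerprints and random numbers are constructed sample values.

```python
import hashlib
import secrets
from typing import Callable, Tuple

FP_LEN = 16      # 128-bit device fingerprint ID(m) / ID(s)
NONCE_LEN = 16   # 128-bit random number r1 / r2


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def hash_h(material: bytes) -> bytes:
    """The page's 256-bit hash H. SHA-256 is an assumed stand-in; the page does not name H."""
    return hashlib.sha256(material).digest()


class NegotiationEnd:
    """One FPGA's auto-negotiation module (master or slave)."""

    def __init__(self, fingerprint: bytes,
                 rng: Callable[[int], bytes] = secrets.token_bytes) -> None:
        if len(fingerprint) != FP_LEN:
            raise ValueError("fingerprint must be 128 bits")
        self.fingerprint = fingerprint
        self.nonce = rng(NONCE_LEN)              # r1 on the master, r2 on the slave
        # 256-bit key negotiation parameter (ID || r); this is what crosses the link
        self.param = self.fingerprint + self.nonce

    def derive(self, peer_param: bytes) -> Tuple[bytes, bytes]:
        """Steps 4/5: H(own_param XOR peer_param); first 128 bits K, last 128 bits IV."""
        if len(peer_param) != FP_LEN + NONCE_LEN:
            raise ValueError("peer parameter must be 256 bits")
        # XOR is assumed for the garbled combining operator (see lead-in).
        digest = hash_h(xor_bytes(self.param, peer_param))
        return digest[:16], digest[16:]


def run_negotiation(master_fp: bytes, slave_fp: bytes,
                    rng: Callable[[int], bytes] = secrets.token_bytes):
    """Run steps 1-5 and return ((K_m, IV_m), (K_s, IV_s)) as computed by each end."""
    master = NegotiationEnd(master_fp, rng)      # step 1: master end initiates
    slave = NegotiationEnd(slave_fp, rng)
    to_slave = master.param                      # step 2: (ID(m) || r1) -> slave
    to_master = slave.param                      # step 3: (ID(s) || r2) -> master
    return master.derive(to_master), slave.derive(to_slave)


if __name__ == "__main__":
    # Constructed sample fingerprints, not real device IDs.
    id_m = bytes.fromhex("00112233445566778899aabbccddeeff")
    id_s = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    (k_m, iv_m), (k_s, iv_s) = run_negotiation(id_m, id_s)
    assert (k_m, iv_m) == (k_s, iv_s), "both ends must derive the same K and IV"
    print("K  =", k_m.hex())
    print("IV =", iv_m.hex())
```

What the model makes visible is that K and IV are a deterministic function of two values that travel across the inter-FPGA serial link unencrypted; the fingerprint acts as identity, as the page says, not as a secret, so the confidentiality of the session key rests on that link being physically confined inside the card. It also shows that, with the fingerprints fixed for the life of the hardware, r1 and r2 are the only source of freshness: the 5000 negotiations per second the page cites only yield distinct keys if the random number generator actually produces fresh values each time.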
Depending on the FPGA clock frequency, the invention can reach a key negotiation rate of up to 5000 times per second, which meets the requirement of one-time pad. Under test conditions with a packet length of 1024 bytes, plaintext transmission reaches 1.5 Gbps and ciphertext transmission reaches 1.1 Gbps.
The algorithm chip is placed in the data isolation card and connected to the FPGA chip; in combination with the isolation card's usage scenario, the FPGA fingerprint is used as a key negotiation factor and the traditional asymmetric algorithm chip is removed, while the parallelism of the FPGA is exploited, giving the design high speed, high integration, high security, low cost and easy porting.
The above is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make several modifications and variations without departing from the technical principle of the present invention, and such modifications and variations should also be regarded as within the protection scope of the present invention.

Claims (10)

1. An isolation card based on an auto-negotiation mechanism, characterized by comprising two FPGA chips, wherein each FPGA chip is connected to a symmetric SM1 algorithm chip and a master-slave configuration circuit;
the two FPGA chips communicate with each other through a high-speed serial interface;
the two FPGA chips communicate with the inner-network host and the outer-network host respectively through PCIe interfaces;
each FPGA chip negotiates a session key with the opposite-end FPGA chip, encrypts or decrypts data in the memory of the host connected to it based on the negotiated key and then sends the data to the opposite-end FPGA chip, and writes data sent by the opposite-end FPGA chip into the memory of the host on its own side;
the symmetric SM1 algorithm chip performs encryption and decryption operations on the data packets cached by the FPGA chip to which it is connected;
the master-slave configuration circuit indicates the master or slave mode of the FPGA chip on the inner-network side and the outer-network side.
2. The isolation card based on an auto-negotiation mechanism according to claim 1, wherein each FPGA chip comprises a DMA controller, a data parsing module, an SM1 algorithm chip control module, an auto-negotiation module, a hash algorithm module, a data receiving module and an interrupt control module;
the DMA controller reads data from the memory of the host connected to it into a FIFO (first in, first out) buffer in the FPGA chip, and writes data processed and transmitted by the opposite-end FPGA chip into the memory of the host on its own side;
the data parsing module parses the data cached in the FIFO and writes it into different lower-level FIFOs according to the data packet format;
the SM1 algorithm chip control module sends the data packets cached in the FIFO, together with the negotiated session key and initial vector generated by the hash algorithm module, to the symmetric SM1 algorithm chip, and returns the data packets encrypted or decrypted by the symmetric SM1 algorithm chip to the FIFO for caching;
the auto-negotiation module negotiates the session key between the two communicating ends;
the hash algorithm module hashes the negotiation factors to generate the negotiated session key and initial vector;
the data receiving module receives data packets transmitted by the opposite-end FPGA chip;
the interrupt control module sends an interrupt to the host on its own side to notify it to read data.
3. The card of claim 1, wherein each FPGA chip has a GTP/GTX interface.
4. The card of claim 1, wherein the symmetric SM1 algorithm chip is an SSX30-D cryptographic chip.
5. The card of claim 1, wherein each FPGA chip is an XC7A75T FPGA chip.
6. The card of claim 2, wherein the lower-level FIFOs comprise a plaintext transparent-transmission FIFO and an SM1 algorithm chip cache FIFO; the plaintext transparent-transmission FIFO caches data packets that do not need to be encrypted or decrypted and transmits them to the opposite-end FPGA chip through the high-speed serial interface; the SM1 algorithm chip cache FIFO caches data packets that need to be encrypted or decrypted, writes them into the symmetric SM1 algorithm chip under the control of the SM1 algorithm chip control module, and transmits the encrypted or decrypted data packets to the opposite-end FPGA chip through the high-speed serial interface.
7. The isolation card based on an auto-negotiation mechanism according to claim 2, wherein the auto-negotiation module is specifically configured to:
obtain a negotiation factor from a device fingerprint module;
call the hash algorithm module for calculation;
send the calculated negotiated session key and initial vector to the symmetric SM1 algorithm chip via the SM1 algorithm chip control module.
8. The isolation card based on an auto-negotiation mechanism according to claim 7, wherein the auto-negotiation module is specifically configured such that:
the auto-negotiation module of the master-end FPGA, which initiates the session key negotiation, reads its own 128-bit device fingerprint data ID(m) as one of the key negotiation factors, simultaneously generates a 128-bit random number r1 to form the 256-bit key negotiation parameter (ID(m) || r1), and sends the parameter to the auto-negotiation module of the slave-end FPGA;
the auto-negotiation module of the slave-end FPGA reads its own 128-bit device fingerprint data ID(s) as one of the key negotiation factors, simultaneously generates a 128-bit random number r2 to form the 256-bit key negotiation parameter (ID(s) || r2), and sends it to the auto-negotiation module of the master-end FPGA;
the auto-negotiation module of the master-end FPGA calls the hash algorithm module on the negotiation factor sent by the slave end;
and the auto-negotiation module of the slave-end FPGA calls the hash algorithm module on the negotiation factor sent by the master end.
9. The card of claim 8, wherein the hash algorithm module is specifically configured such that:
the hash algorithm module of the master-end FPGA computes the hash H((ID(m) || r1) ⊕ (ID(s) || r2)) over the negotiation factors, the first 128 bits of the resulting 256-bit hash being the session key K and the last 128 bits the initial vector IV;
the hash algorithm module of the slave-end FPGA computes the hash H((ID(s) || r2) ⊕ (ID(m) || r1)) over the negotiation factors, the first 128 bits of the resulting 256-bit hash being the session key K and the last 128 bits the initial vector IV.
10. The card of claim 1, wherein the interrupt control module uses the MSI interrupt mode and dynamically adjusts the number of interrupts according to the number of CPU cores of the host.

Publications (2)

Publication Number Publication Date
CN111600705A true CN111600705A (en) 2020-08-28
CN111600705B CN111600705B (en) 2022-10-04

Family

ID=72190740

Country Status (1)

Country Link
CN (1) CN111600705B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107832248A (en) * 2017-10-27 2018-03-23 南京南瑞集团公司 A kind of data ferry-boat module and its data processing method with encryption and decryption functions
CN110061989A (en) * 2019-04-19 2019-07-26 航天云网数据研究院(江苏)有限公司 A kind of full partition method of data acquisition gateway
US20200349268A1 (en) * 2017-07-28 2020-11-05 Audi Ag Whole apparatus having an authentication arrangement, and method for authentication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant