CN113014385B - Double-network-port hardware network data encryption system - Google Patents


Info

Publication number
CN113014385B
Authority
CN
China
Prior art keywords
encryption
network
data
subsystem
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110320946.6A
Other languages
Chinese (zh)
Other versions
CN113014385A (en)
Inventor
杨自恒
王水青
刘爽
杨启欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Heilongjiang University
Original Assignee
Heilongjiang University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Heilongjiang University
Priority to CN202110320946.6A
Publication of CN113014385A
Application granted
Publication of CN113014385B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/50 Address allocation
    • H04L 61/5007 Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2101/00 Indexing scheme associated with group H04L61/00
    • H04L 2101/60 Types of network addresses
    • H04L 2101/618 Details of network addresses
    • H04L 2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The application discloses a double-network-port hardware network data encryption system and method. The system comprises an encryption system, a key exchange system and an authentication system, and the three are linked with each other. The application implements the software algorithm as fixed logic in a hardware circuit, in the manner of an embedded system, thereby improving reliability and security; the device is simple to install and convenient to configure, and is well suited to industrial applications.

Description

Double-network-port hardware network data encryption system
Technical Field
The application relates to the secure transmission and protection of network information, and in particular to a double-network-port hardware network data encryption system.
Background
At present, research on implementing encryption algorithms on FPGAs for use in network security systems is still at an early stage. Integrating AI algorithms into such systems, so that accurate intrusion detection is achieved and the security of everyday networks, and in particular of industrial control networks and core data, is greatly improved, is rarely done, and related products are quite lacking. Common network encryption methods fall into three types: link encryption, end-to-end encryption and node encryption. Of these, the network encryption chips and encryption devices used in end-to-end encryption are the most critical to design.
Hardware for encryption/decryption and authentication processing has been developed abroad, and related products are promoted and sold online. For example, the network card product 3CR99O-T-95 from 3COM in the United States contains a 3xP encryption microprocessor; the card runs under Windows 2000, all of its encryption/decryption tasks use common algorithms such as the symmetric ciphers DES and 3DES, and the card is a dedicated-chip design. Intel adopted the same approach, fitting an Intel 82550 fast Ethernet controller and a dedicated IPSec chip on its Intel PRO/100S series network cards so that the security work is completed on the card. The SJY01A cipher card from Beida Jade Bird in China is also a dedicated-chip design. Among patents granted at home and abroad for network encryption devices, encryption is mainly carried out with a dedicated chip. The dedicated-chip approach achieves higher speed, but its fatal weakness is that the algorithm cannot be updated in time: once the algorithm is replaced, the encryption chip must be redesigned, which increases development cost and lengthens the development cycle. In addition, the algorithms in these proprietary chips are foreign general-purpose encryption algorithms, and their security when applied in important national departments is a considerable concern.
In 2018, the National Institute of Standards and Technology studied the performance of a deep-learning-based intrusion detection algorithm on the NSL-KDD dataset, experimentally verified the weaknesses of the neural network used by the intrusion detection system, and discussed the role of individual features in generating adversarial examples.
The Tofino Xenon industrial security appliance provides comprehensive network protection. It is a versatile, very rugged device that can be installed into existing control systems without changes to the network, forming communication conduits between zones. Its features include easy integration into existing networks, an industrial firewall with stateful packet inspection (SPI) and optional deep packet inspection (DPI), transparent layer 2 operation, DIN rail mounting, a fanless design and two 10/100 Mbit/s Ethernet ports. It provides stateful layer 2, 3 and 4 filtering and optional SCADA protocol deep packet inspection (depending on the purchased LSMs).
The Fortinet enterprise firewall solution, combined with the Fortinet security architecture, can defend against malicious software in a timely and intelligent way and respond to emerging threats; when the enterprise firewall detects an event, the firewall and the Fortinet security architecture determine which information can be shared across the whole enterprise. The Fortinet enterprise firewall solution provides end-to-end network security through a platform and a network security operating system, and provides unified policy management through an application.
Disclosure of Invention
The application mainly aims to provide a double-network-port hardware network data encryption system.
According to one aspect of the present application, there is provided a double-network-port hardware network data encryption system comprising an encryption system, a key exchange system and an authentication system;
the encryption system is used to realize encrypted point-to-point data transmission;
the key exchange system is used to exchange the private key of the encryption system automatically according to the hardware identification code;
the authentication system is used to identify whether a network IP message has been tampered with;
the encryption system, the key exchange system and the authentication system are linked with each other.
Further, the key exchange system and the encryption system are arranged in one hardware device to form a network node, and two such devices form an end-to-end dedicated network communication line;
only equipment whose registered ID is in the authentication server's white list can communicate with the data isolation zone, and the communication is protected by the digital signature of the encryption algorithm, so that the communication content is encrypted and cannot be tampered with;
legitimate IP message data that has passed through the firewall and been decrypted is filtered by an artificial intelligence algorithm in an intrusion detection subsystem, and dangerous data is intercepted.
Furthermore, the encryption system and the key exchange system are designed in pairs, with an FPGA chip as the core, and each encryption device has a double-network-port structure: one port of the first encryption device is connected to the industrial equipment and its other port to the industrial control network, while one port of the second encryption device is connected to the industrial control network and its other port to the intrusion detection equipment. The connected devices thus constitute the two nodes of a network hardware dedicated line, one node being connected to the industrial equipment and the other to the intrusion detection system.
Furthermore, the system encryption algorithm and the digital signature algorithm may be combined and programmed into the FPGA as hardware algorithm logic, or each may be implemented in a separate device; however, when the encryption system and the authentication system each occupy their own device, four devices are needed to complete encryption, decryption and authentication.
A double-network-port hardware network data encryption method comprises the following steps:
the encryption system and the key exchange system are designed in pairs, with FPGA chips as their core, and each encryption device has a double-network-port structure: one port of the first encryption device is connected to the industrial equipment and its other port to the industrial control network, while one port of the second encryption device is connected to the industrial control network and its other port to the intrusion detection equipment; the connected devices thus form the two nodes of a network hardware dedicated line, one node connected to the industrial equipment and the other to the intrusion detection system;
the system encryption algorithm and the digital signature algorithm may be combined and programmed into the FPGA as hardware algorithm logic, or each may be implemented in a separate device; however, when the encryption system and the authentication system each occupy their own device, four devices are required to complete encryption, decryption and authentication;
the high-speed hardware circuit is implemented in the FPGA, with two network interfaces and one configuration interface brought out externally; the configuration interface can write configuration information into the control registers, and this configuration information initializes the working mode, working state, MAC controller working mode and asymmetric key of an encryption device externally connected to industrial manufacturing equipment;
data written through the configuration interface uses a frame format custom to the FPGA; the command analysis module determines the meaning of the configuration information and writes it into the relevant register.
Further, the double-network-port hardware network data encryption method comprises the following steps:
the workflow of the system signature authentication subsystem runs under the control of a main state machine;
the encryption system follows the traditional top-down design approach: the whole system is decomposed into a number of modules, the function of each module is implemented in turn, the modules are then integrated, the final complete system is built, and the whole system is tested and evaluated as a whole;
after the whole system has been built, a functional analysis is carried out on each module; the functional modules of the encryption chip specifically comprise a main state machine, a MAC controller, an encryption and decryption module, a command controller, a key management module and a control register module; the subsystem is implemented in an FPGA, with a network interface and a USB interface brought out externally; the USB interface can not only receive network data but also write configuration information into the control registers, and this configuration information initializes the subsystem working mode, working state, MAC controller working mode and symmetric key;
data written through the USB interface uses a frame format custom to the FPGA, and the command analysis module determines whether the data is a network IP message or configuration information; if it is IP message data, it is diverted to the encryption and decryption module, which parses and encrypts the IP message data; the ciphertext is then written into the transmit buffer of the MAC controller and transmitted to the network through an RJ45 network port;
the IP message hardware deception technique is implemented, and a digital signature algorithm is implemented in the FPGA to construct the system signature authentication subsystem in the form of a double-network-port module;
the IP message hardware deception technique is implemented in the FPGA, with two network interfaces and a configuration interface brought out externally; the configuration interface can write configuration information into the control registers, and this configuration information initializes the subsystem working mode, working state, MAC controller working mode and asymmetric key;
after a network port receives data, the IP message is first passed to a protocol analysis module, which extracts the digest information from the IP message data and stores it in an authentication digest cache; the public key decryption module decrypts the digest information with the public key held in its register, judges the integrity of the IP message from the decrypted information, and then controls the data gate to pass the IP packet to the next module for decryption; the decrypted plaintext is written into the transmit buffer of the MAC controller and then transmitted to the trusted network via the RJ45 network port on the right-hand side.
The application has the advantages that:
the application implements the software algorithm as fixed logic in a hardware circuit, in the manner of an embedded system, thereby improving reliability and security; the device is simple to install and convenient to configure, and is well suited to industrial applications.
In addition to the objects, features and advantages described above, the present application has other objects, features and advantages. The present application will be described in further detail with reference to the drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application.
FIG. 1 is a schematic diagram of the structure of the present application;
FIG. 2 is a technical route frame diagram of the present application;
FIG. 3 is a hardware block diagram of the encryption/decryption system of the present application;
FIG. 4 is a hardware block diagram of an extended USB interface of the encryption/decryption system of the present application;
FIG. 5 is a block diagram of the overall system of the present application;
FIG. 6 is a flowchart of the operation of the system signature authentication subsystem of the present application;
FIG. 7 is a logic functional diagram of the present application.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
Referring to FIG. 1 to FIG. 7, a double-network-port hardware network data encryption system comprises an encryption system, a key exchange system and an authentication system;
the encryption system is used to realize encrypted point-to-point data transmission;
the key exchange system is used to exchange the private key of the encryption system automatically according to the hardware identification code;
the authentication system is used to identify whether a network IP message has been tampered with;
the encryption system, the key exchange system and the authentication system are linked with each other.
The key exchange system and the encryption system are arranged in one hardware device as a network node, and two such devices constitute an end-to-end dedicated network communication line;
only equipment whose registered ID is in the authentication server's white list can communicate with the data isolation zone, and the communication is protected by the digital signature of the encryption algorithm, so that the communication content is encrypted and cannot be tampered with;
legitimate IP message data that has passed through the firewall and been decrypted is filtered by an artificial intelligence algorithm in an intrusion detection subsystem, and dangerous data is intercepted.
The application implements the software algorithm as fixed logic in a hardware circuit, in the manner of an embedded system, thereby improving reliability and security; the device is simple to install and convenient to configure, and is well suited to industrial applications.
The encryption system and the key exchange system are designed in pairs, with an FPGA chip as the core of the encryption system, and each encryption device has a double-network-port structure: one port of the first encryption device is connected to the industrial equipment and its other port to the industrial control network, while one port of the second encryption device is connected to the industrial control network and its other port to the intrusion detection equipment. The connected devices thus constitute the two nodes of a network hardware dedicated line, one node being connected to the industrial equipment and the other to the intrusion detection system.
The system encryption algorithm and the digital signature algorithm may be combined and programmed into the FPGA as hardware algorithm logic, or each may be implemented in a separate device; however, when the encryption system and the authentication system each occupy their own device, four devices are needed to complete encryption, decryption and authentication.
A double-network-port hardware network data encryption method comprises the following steps:
the encryption system and the key exchange system are designed in pairs, with FPGA chips as their core, and each encryption device has a double-network-port structure: one port of the first encryption device is connected to the industrial equipment and its other port to the industrial control network, while one port of the second encryption device is connected to the industrial control network and its other port to the intrusion detection equipment; the connected devices thus form the two nodes of a network hardware dedicated line, one node connected to the industrial equipment and the other to the intrusion detection system;
the system encryption algorithm and the digital signature algorithm may be combined and programmed into the FPGA as hardware algorithm logic, or each may be implemented in a separate device; however, when the encryption system and the authentication system each occupy their own device, four devices are required to complete encryption, decryption and authentication;
the high-speed hardware circuit is implemented in the FPGA, with two network interfaces and one configuration interface brought out externally; the configuration interface can write configuration information into the control registers, and this configuration information initializes the working mode, working state, MAC controller working mode and asymmetric key of an encryption device externally connected to industrial manufacturing equipment;
data written through the configuration interface uses a frame format custom to the FPGA; the command analysis module determines the meaning of the configuration information and writes it into the relevant register.
The double-network-port hardware network data encryption method further comprises the following steps:
the workflow of the system signature authentication subsystem runs under the control of a main state machine;
the encryption system follows the traditional top-down design approach: the whole system is decomposed into a number of modules, the function of each module is implemented in turn, the modules are then integrated, the final complete system is built, and the whole system is tested and evaluated as a whole;
after the whole system has been built, a functional analysis is carried out on each module; the functional modules of the encryption chip specifically comprise a main state machine, a MAC controller, an encryption and decryption module, a command controller, a key management module and a control register module; the subsystem is implemented in an FPGA, with a network interface and a USB interface brought out externally; the USB interface can not only receive network data but also write configuration information into the control registers, and this configuration information initializes the subsystem working mode, working state, MAC controller working mode and symmetric key;
data written through the USB interface uses a frame format custom to the FPGA, and the command analysis module determines whether the data is a network IP message or configuration information; if it is IP message data, it is diverted to the encryption and decryption module, which parses and encrypts the IP message data; the ciphertext is then written into the transmit buffer of the MAC controller and transmitted to the network through an RJ45 network port;
the IP message hardware deception technique is implemented, and a digital signature algorithm is implemented in the FPGA to construct the system signature authentication subsystem in the form of a double-network-port module;
the IP message hardware deception technique is implemented in the FPGA, with two network interfaces and a configuration interface brought out externally; the configuration interface can write configuration information into the control registers, and this configuration information initializes the subsystem working mode, working state, MAC controller working mode and asymmetric key;
after a network port receives data, the IP message is first passed to a protocol analysis module, which extracts the digest information from the IP message data and stores it in an authentication digest cache; the public key decryption module decrypts the digest information with the public key held in its register, judges the integrity of the IP message from the decrypted information, and then controls the data gate to pass the IP packet to the next module for decryption; the decrypted plaintext is written into the transmit buffer of the MAC controller and then transmitted to the trusted network via the RJ45 network port on the right-hand side.
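The command analysis module's dispatch on incoming frames and the signature authentication subsystem's receive path (protocol analysis, digest verification, data gate, decryption, write to the MAC transmit buffer), modelled together as an added Python example; this is not code from the patent or its authors. The one-byte frame type, the register map, SHA-256 as the digest, HMAC-SHA256 as a stand-in for the patent's SM2 signature and a hash-counter keystream as a stand-in for SM4 are all assumptions made so the flow runs offline:

```python
import hashlib
import hmac
import struct

# Constructed frame layout (assumption): a one-byte type, then a payload.
FRAME_CONFIG = 0x01   # configuration write arriving on the USB/config interface
FRAME_IP = 0x02       # IP message arriving on the untrusted network port

# Register indices used by the constructed config frame (assumption).
REG_NAMES = {0: "work_mode", 1: "work_state", 2: "mac_mode", 3: "key"}
REGISTERS = {"work_mode": 0, "work_state": 0, "mac_mode": 0, "key": b""}

# Authentication-server white list: device ID -> registered verification key.
# The patent signs with SM2; HMAC-SHA256 stands in for it here (assumption).
WHITELIST = {0x1001: b"constructed-verification-key-1001"}

# Authenticated IP message header (assumption): device_id, digest, signature.
HDR = struct.Struct(">I32s32s")


def digest(data):
    """Message digest over the encrypted IP message body (SHA-256 assumed)."""
    return hashlib.sha256(data).digest()


def sign(key, device_id, dgst):
    """Tag over (ID number || digest), the two items the patent signs."""
    return hmac.new(key, struct.pack(">I", device_id) + dgst, "sha256").digest()


def keystream_xor(key, data):
    """Stand-in for the SM4 data-path cipher: SHA-256 counter keystream.
    Symmetric, so the same call encrypts and decrypts (assumption)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_ip_frame(device_id, sign_key, data_key, plaintext):
    """Sender side: encrypt, digest the ciphertext, sign ID || digest."""
    ct = keystream_xor(data_key, plaintext)
    d = digest(ct)
    return bytes([FRAME_IP]) + HDR.pack(device_id, d, sign(sign_key, device_id, d)) + ct


def build_config_frame(reg, value):
    """Config interface frame: register index byte followed by the value."""
    return bytes([FRAME_CONFIG, reg]) + value


def apply_config(payload):
    """Command analysis module: decode a config write into a control register."""
    if not payload:
        return "dropped:short_frame"
    reg = REG_NAMES.get(payload[0])
    if reg is None:
        return "dropped:unknown_register"
    REGISTERS[reg] = payload[1:] if reg == "key" else int.from_bytes(payload[1:5], "big")
    return "config_written:" + reg


def authenticate_and_decrypt(payload, tx_buffer):
    """Protocol analysis -> verify -> data gate -> decrypt -> MAC tx buffer."""
    if len(payload) < HDR.size:
        return "dropped:short_frame"
    device_id, d, sig = HDR.unpack_from(payload)
    ct = payload[HDR.size:]
    key = WHITELIST.get(device_id)
    if key is None:
        return "dropped:unknown_device"       # ID not registered at the auth server
    if not hmac.compare_digest(sig, sign(key, device_id, d)):
        return "dropped:bad_signature"        # tag does not verify under this ID
    if not hmac.compare_digest(d, digest(ct)):
        return "dropped:digest_mismatch"      # message body altered in transit
    # Data gate opens only here: decrypt with the key set via the config interface.
    tx_buffer.append(keystream_xor(REGISTERS["key"], ct))
    return "forwarded"


def process_frame(frame, tx_buffer):
    """Main state machine entry: dispatch on the frame type byte."""
    if not frame:
        return "dropped:short_frame"
    kind, payload = frame[0], frame[1:]
    if kind == FRAME_CONFIG:
        return apply_config(payload)
    if kind == FRAME_IP:
        return authenticate_and_decrypt(payload, tx_buffer)
    return "dropped:unknown_frame_type"
```

Every drop path returns a distinct reason so a log of the gate's decisions can distinguish an unregistered device from a forged tag or a body altered after signing.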
With reference to FIG. 1 to FIG. 7, the object of the present application is achieved as follows:
A hardware algorithm encryption IP core based on the FPGA is designed, and network data transmission with the hardware encryption algorithm is realized using a ZYNQ chip.
The hardware algorithm encryption IP core comprises a chaotic key sequence module, an encryption module and a control module, and the design uses the new ZYNQ series FPGA, which combines a processor with the programmable logic (PL), to realize a network data transmission hardware device running the hardware encryption algorithm. The encryption algorithm is implemented as an FPGA logic circuit using the Chinese national SM4 block cipher; the key space reaches 2^128, and the encryption object is the IP message with part of the IP header removed. The research process addressed the physical, logical and computer modelling of the mathematical algorithms, and used theoretical analysis to realize more complex encryption operations with smaller circuits. The functions of encrypting and transmitting network data, namely the encryption core, encryption chip, encryption interface and key exchange, are realized; the overall logic of the equipment is made lighter and faster, and the requirements are met.
The network key exchange hardware device adopts and implements a hardware public key algorithm.
The encryption device ensures that the private key is exchanged automatically between two network nodes, which simplifies the practical operation of secure network transmission and makes transparent information transmission easier to achieve. Information encryption is the main technology guaranteeing secure communication in an industrial control network. Hardware devices based on digital signature and encrypted transmission techniques realize a proprietary point-to-point communication channel within the industrial network, so that industrial control equipment data are protected; the data of the industrial control equipment are analysed by an Internet data monitoring subsystem to intercept abnormal data, and the safe data are transmitted to the data switch and server and finally to the enterprise campus network. The final system prevents industrial control network data from being stolen, prevents stolen data from being decrypted, and ensures that data cannot be tampered with and that IP addresses cannot be counterfeited. It achieves real-time operation, high efficiency, light weight and low power consumption, and ultimately the goal of data security.
The network data digital signature hardware device adopts and implements a hardware authentication algorithm.
This function realizes a white list of network equipment and protects against network attacks. Signing of the industrial control equipment's network data is implemented with a hardware algorithm: the specific logical relation of the encryption is expressed mathematically within a limited-precision calculation module, the complexity of signing the network data is expressed mathematically, and the tension between the computational efficiency of signing the network data and its hardware implementation is resolved by theoretical analysis. The ID number of the industrial control equipment and the network data digest of the IP message are signed using the SM2 public key cryptosystem and other encryption algorithms, which protects the integrity of the industrial control equipment's network data, makes the overall logic of the equipment lighter and faster, protects the core network from attack through the digital signature, and meets the requirements.
A hardware virtual private line system prototype is researched and developed to realize data transmission over an Internet network data hardware private line.
The related technologies are integrated, the system schematic diagram and PCB are designed, and the hardware virtual private line system prototype is realized after soldering and debugging. Based on the network communication protocol of standard equipment, encryption, screening and filtering of data are realized, and a virtual private channel is established between two network nodes on the Internet.
An X86 computer driver for the virtual private line system is developed, and the system configuration and application software are written using DMA as the key technology.
When the CPU operates a peripheral, the peripheral's data is read into internal registers and then transferred to memory; since the CPU has only a small number of internal registers, large amounts of code and data are held temporarily in RAM. Modern operating systems basically use an interrupt mode to notify the CPU when data arrives from a peripheral: the operating system responds to the interrupt and then reads the data from the peripheral, which greatly improves the efficiency of network data transmission. By writing a driver, the hardware can serve as a standard device for the PC.
The product technology route is shown in FIG. 2. Development, optimization and testing are carried out on the FPGA-based encryption core; a stream cipher fused with the SMS4 algorithm is adopted as the encryption core, which highlights the innovation of the chaotic stream cipher while remaining compatible with user requirements. The special stream cipher system can be customized to the user's requirements. A hardware virtual private line system prototype is researched and developed to realize data transmission over the Internet network data hardware private line.
As can be seen from fig. 1, this network security hardware device is divided into three subsystems: an encryption subsystem, a key exchange subsystem and an authentication subsystem.
The authentication and encryption subsystems are designed as network nodes within a hardware device, and two such devices form a peer-to-peer dedicated network communication line. Thus only a device whose ID is registered in the whitelist of the authentication server can communicate with the data isolation area, and the communication is protected by the digital signature of the encryption algorithm, so that the communication information is encrypted and cannot be tampered with.
Legitimate IP message data that has passed through the protective wall and been decrypted is filtered by an artificial intelligence algorithm in the intrusion detection subsystem, and dangerous data is intercepted.
The circuit board of the data encryption card is made and its circuits formed by performing the PCB layout with electrical performance in view of the circuit board design requirements, taking into account common-impedance interference of ground wires and its elimination, power supply interference and its suppression, electromagnetic spatial interference and its suppression, and the basic requirements for the mounting method and layout of components. The circuit board is soldered and tested to form a network data encryption card, and the card undergoes basic tests according to the network data encryption card test plan. After passing the tests, the network data encryption card product is formed.
Completion of the entire project will be carried out according to the following technical route:
firstly, finish the project's theoretical algorithm design and simulation work, and obtain initial, intermediate and final verification result data using a mathematical simulation tool;
meanwhile, send personnel to the partner unit to collect industrial equipment and normal IP messages during operation, obtain first-hand big data and store it in a database file;
then, verify and implement the encryption, authentication and other algorithms on a purchased development board, tune the performance indexes of the algorithms, and at the same time design the prototype of the encryption, authentication and detection subsystem principles and the circuit board of the hardware device, with board fabrication, soldering and testing contracted out to a processing plant;
develop a hardware virtual private line system prototype to realize hardware private-line transmission of Internet network data;
download the hardware algorithm into the prototype machine to verify and test whether each subsystem meets the expected functional requirements, integrate the subsystems, assemble them into a complete protection system, and verify the functional integrity of each part.
encryption/decryption and authentication subsystem design
The encryption/decryption and authentication subsystems are designed in pairs, with an FPGA chip as the core. Each encryption device has a double-network-port structure: one end of one encryption device is connected to the industrial equipment and its other end to the industrial control network, and the other end of the other encryption device is connected to the intrusion detection equipment. The connection thus forms the two nodes of a network "hardware line", one node connected to the industrial equipment and the other to the intrusion detection system. The system's encryption algorithm and digital signature algorithm can be combined and programmed into the FPGA as hardware algorithm logic. The encryption system and the authentication system can each be realized independently in one device, but then four devices are needed to complete encryption, decryption and authentication; that arrangement has the advantages of a higher degree of modularization, clearer logic processing levels and easier implementation, and the disadvantages of reduced processing speed and increased cost. Newer mid- to high-end FPGA chips contain two hard-core MAC controllers, so only two PHY chips need to be added outside the FPGA. The overall system structure is shown in fig. 3.
As can be seen from the block diagram, the FPGA has a JTAG debugging function, and the configuration chip in AS mode retains the logic information after power loss. The FPGA is also extended with DDR and flash, providing a high-capacity data caching function. For system security, the display and keyboard allow information to be entered directly on the device, so that private information cannot be intercepted by a third party through network input. Also with system security in mind, security data can be transferred into the system from a portable computer through the serial port (COM).
The system adopts the top-down EDA design concept: the whole system is decomposed into several modules, the function of each module is implemented one by one, and the modules are then integrated to build the final complete system.
In addition, to improve the generality of the system's applications, the double-network-port hardware design can be extended with a USB interface, widening the range of applications of the equipment. The specific structure is shown in fig. 4.
The encryption/decryption and authentication subsystems are designed in pairs, with an FPGA chip as the core. Each encryption device has a double-network-port structure: one end of one encryption device is connected to the industrial equipment and its other end to the industrial control network, and the other end of the other encryption device is connected to the intrusion detection equipment. The connection thus forms the two nodes of a network "hardware line", one node connected to the industrial equipment and the other to the intrusion detection system. The system's encryption algorithm and digital signature algorithm can be combined and programmed into the FPGA as hardware algorithm logic. The encryption system and the authentication system can each be realized independently in one device, but then four devices are needed to complete encryption, decryption and authentication; that arrangement has the advantages of a higher degree of modularization, clearer logic processing levels and easier implementation, and the disadvantages of reduced processing speed and increased cost. Newer mid- to high-end FPGA chips contain two hard-core MAC controllers, so only two PHY chips need to be added outside the FPGA. The overall system structure is shown in fig. 5.
The high-speed hardware circuit is implemented in an FPGA and is extended with two network interfaces and one configuration interface. The configuration interface writes configuration information into the control register; the configuration information sets the subsystem working mode, working state and MAC controller working mode and initializes the asymmetric key.
Data written into the FPGA through the configuration interface is placed in a custom frame format; the command analysis module determines the meaning of the configuration information and writes it into the relevant register.
After the network port on the left of the figure receives data, the IP message is first passed to the protocol analysis module, which extracts the digest information from the IP message data and stores it in the authentication digest cache. The public key decryption module decrypts the digest information with the public key stored in its register, judges the integrity of the IP message from the decrypted information, and then controls the data gate to pass the IP message to the next module for decryption. The decrypted plaintext data is written into the transmit buffer of the MAC controller, and the data is then sent to the trusted network through the RJ45 network port on the right.
The workflow of the system signature authentication subsystem runs under the control of a main state machine, as shown in fig. 6:
The encryption system adopts the traditional top-down design concept: the whole system is decomposed into several modules, the function of each module is implemented one by one, the modules are then integrated to build the final complete system, and the whole system is tested and evaluated comprehensively. After the whole system is built, the function of each module is analysed as a whole; the function modules of the encryption chip specifically comprise a main state machine, a MAC controller, an encryption and decryption module, a command controller, a key management module and a control register module. The subsystem is implemented in an FPGA with an external network interface and a USB interface. The USB interface not only accepts network data but also writes configuration information into the control register; the configuration information sets the subsystem working mode, working state and MAC controller working mode and initializes the symmetric key.
Data written into the FPGA through the USB interface is placed in a custom frame format, and the command analysis module determines whether it is a network IP message or configuration information data. If it is IP message data, it is diverted to the encryption and decryption module, which analyses and encrypts the IP message data; the ciphertext is then written into the transmit buffer of the MAC controller and sent to the network through the RJ45 network interface.
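To make the command analysis step concrete, here is an added example, not the patent's own code or hardware logic, modelling the USB/configuration-interface frame handling in Python. The frame layout (magic byte, type byte, big-endian length, XOR checksum), the register addresses and the permitted mode values are assumptions chosen for illustration; the patent states only that custom-format frames carry either an IP message or configuration information, and that the configuration information sets the working mode, working state and MAC controller mode and initializes the key. The model validates a whole configuration frame before writing any register, so a malformed frame cannot leave the control registers half-updated, and it rejects a frame whose checksum or IPv4 length fields are inconsistent.

```python
"""Model of the command analysis module on the USB/configuration interface.

Added example (not the patent's own code). The frame layout, register
numbers and mode values below are assumptions chosen for illustration.
"""
import struct

MAGIC = 0xA5
FRAME_IP = 0x01       # payload is a network IP message to be encrypted
FRAME_CONFIG = 0x02   # payload is configuration information (register writes)

# Assumed control-register map: address -> (name, value length, allowed values or None)
REGISTERS = {
    0x00: ("WORK_MODE", 1, {0, 1}),      # 0 = encrypt, 1 = decrypt
    0x01: ("WORK_STATE", 1, {0, 1}),     # 0 = stopped, 1 = running
    0x02: ("MAC_MODE", 1, {0, 1, 2}),    # 0 = 10M, 1 = 100M, 2 = 1000M
    0x10: ("KEY_INIT", 16, None),        # 128-bit symmetric key (SMS4-sized)
}


class FrameError(ValueError):
    """Raised for malformed frames; the hardware equivalent is dropping the frame."""


def checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def build_frame(ftype: int, payload: bytes) -> bytes:
    """Host-side helper: wrap a payload in the assumed frame format."""
    body = bytes([ftype]) + struct.pack(">H", len(payload)) + payload
    return bytes([MAGIC]) + body + bytes([checksum(body)])


class CommandAnalyzer:
    def __init__(self):
        self.registers = {addr: None for addr in REGISTERS}

    def process(self, frame: bytes):
        """Return ("config", [names written]) or ("ip", packet); raise on bad frames."""
        if len(frame) < 5 or frame[0] != MAGIC:
            raise FrameError("bad magic or truncated frame")
        ftype = frame[1]
        (length,) = struct.unpack(">H", frame[2:4])
        if len(frame) != 4 + length + 1:
            raise FrameError("length field does not match frame size")
        if checksum(frame[1:-1]) != frame[-1]:
            raise FrameError("checksum mismatch")
        payload = frame[4:-1]
        if ftype == FRAME_CONFIG:
            return ("config", self._apply_config(payload))
        if ftype == FRAME_IP:
            return ("ip", self._check_ip(payload))
        raise FrameError(f"unknown frame type {ftype:#x}")

    def _apply_config(self, payload: bytes):
        # Parse every (addr, len, value) record first; write registers only if
        # all of them are valid, so a bad frame cannot half-update the device.
        writes = []
        i = 0
        while i < len(payload):
            if i + 2 > len(payload):
                raise FrameError("truncated register record")
            addr, vlen = payload[i], payload[i + 1]
            value = payload[i + 2:i + 2 + vlen]
            if len(value) != vlen:
                raise FrameError("truncated register value")
            if addr not in REGISTERS:
                raise FrameError(f"unknown register {addr:#x}")
            name, want_len, allowed = REGISTERS[addr]
            if vlen != want_len:
                raise FrameError(f"{name}: expected {want_len} bytes")
            if allowed is not None and value[0] not in allowed:
                raise FrameError(f"{name}: value {value[0]} not allowed")
            writes.append((addr, value))
            i += 2 + vlen
        for addr, value in writes:
            self.registers[addr] = value
        return [REGISTERS[a][0] for a, _ in writes]

    @staticmethod
    def _check_ip(packet: bytes) -> bytes:
        # Minimal IPv4 sanity check before the packet goes to the encryption module.
        if len(packet) < 20 or packet[0] >> 4 != 4:
            raise FrameError("not an IPv4 packet")
        ihl = (packet[0] & 0x0F) * 4
        (total_len,) = struct.unpack(">H", packet[2:4])
        if ihl < 20 or total_len != len(packet) or total_len < ihl:
            raise FrameError("IPv4 length fields inconsistent")
        return packet


def demo():
    """Constructed frames: one config frame, one IP frame, one rejected config frame."""
    ca = CommandAnalyzer()
    cfg = bytes([0x00, 1, 0]) + bytes([0x02, 1, 2]) + bytes([0x10, 16]) + bytes(range(16))
    _, written = ca.process(build_frame(FRAME_CONFIG, cfg))
    # Constructed 20-byte IPv4 header plus 4-byte payload, total length 24.
    ip = bytes([0x45, 0x00]) + struct.pack(">H", 24) + bytes(16) + b"DATA"
    kind, pkt = ca.process(build_frame(FRAME_IP, ip))
    try:
        ca.process(build_frame(FRAME_CONFIG, bytes([0x00, 1, 7])))  # WORK_MODE 7 is invalid
        rejected = False
    except FrameError:
        rejected = True
    return written, kind, len(pkt), rejected, ca.registers[0x02]
```

process() returns the register names written for a configuration frame or the validated packet for an IP frame; in hardware a FrameError corresponds to the main state machine discarding the frame and leaving the control registers unchanged.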
The FPGA core control chip used in the whole circuit system is a chip produced by Xilinx. The power supply is the most basic guarantee that the whole system operates normally. Here the system is designed with five kinds of 5V external power supply interfaces, using USB power supply and a common direct plug-in power socket respectively. Both approaches provide 5V, giving the user two options.
The clock circuit and the reset circuit are indispensable parts of system operation. To generate integer baud rates and ensure reliable data transmission, the design selects an off-chip high-precision crystal oscillator. Manual reset is chosen; pressing the reset key restores the system to its initial state.
IP message hardware deception technology. The system signature authentication subsystem implements a digital signature algorithm in the FPGA and is designed in the form of a double-network-port module; its logic function is shown in fig. 7.
The IP message hardware deception technology is implemented in the FPGA and is extended with two network interfaces and a configuration interface. The configuration interface writes configuration information into the control register; the configuration information sets the subsystem working mode, working state and MAC controller working mode and initializes the asymmetric key.
Data written into the FPGA through the configuration interface is placed in a custom frame format; the command analysis module determines the meaning of the configuration information and writes it into the relevant register.
After the network port on the left of fig. 7 receives data, the IP message is first passed to the protocol analysis module, which extracts the digest information from the IP message data and stores it in the authentication digest cache. The public key decryption module decrypts the digest information with the public key stored in its register, judges the integrity of the IP message from the decrypted information, and then controls the data gate to pass the IP message to the next module for decryption. The decrypted plaintext data is written into the transmit buffer of the MAC controller, and the data is then sent to the trusted network through the RJ45 network port on the right.
The workflow of the system signature authentication subsystem runs under the control of a main state machine.
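The authenticate-then-decrypt path described above (protocol analysis, digest cache, public-key check, data gate, decryption, MAC transmit buffer), together with the whitelist of registered device IDs and the signature over the device ID number and the packet digest, as an added example in Python that is not the patent's own code. The Python standard library has no SM2 or SMS4, so HMAC-SHA256 over (device ID || packet digest) stands in for the SM2 signature and a SHA-256 counter-mode keystream stands in for the SMS4-fused sequence cipher; the frame trailer layout, keys, device IDs and the sample packet are constructed for this example. What the model shows is the ordering the patent relies on: nothing reaches the trusted-side transmit buffer until the device ID is whitelisted and the signature over the ciphertext digest verifies, so a tampered frame or an unregistered device is dropped before any decryption takes place.

```python
"""Sender (encryption device) and receiver (authentication device) data path.

Added example, not the patent's own code. HMAC-SHA256 stands in for the SM2
signature and a SHA-256 counter-mode keystream for the SMS4-fused sequence
cipher (the standard library has neither); the frame trailer layout, keys,
device IDs and the sample packet are constructed for this example.
"""
import hashlib
import hmac

NONCE_LEN = 8
DEVICE_ID_LEN = 4
TAG_LEN = 32


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in sequence cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    blocks = (len(data) + 31) // 32
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


def sign(sign_key: bytes, device_id: bytes, packet_digest: bytes) -> bytes:
    """Stand-in for the SM2 signature over the device ID number and the packet digest."""
    return hmac.new(sign_key, device_id + packet_digest, hashlib.sha256).digest()


class EncryptionDevice:
    """Node on the industrial-equipment side: encrypts, then signs ID + digest."""

    def __init__(self, device_id: bytes, enc_key: bytes, sign_key: bytes):
        self.device_id, self.enc_key, self.sign_key = device_id, enc_key, sign_key
        self.counter = 0  # fresh nonce per packet so the keystream is never reused

    def protect(self, ip_packet: bytes) -> bytes:
        nonce = self.counter.to_bytes(NONCE_LEN, "big")
        self.counter += 1
        ciphertext = keystream_xor(self.enc_key, nonce, ip_packet)
        digest = hashlib.sha256(nonce + ciphertext).digest()
        tag = sign(self.sign_key, self.device_id, digest)
        return nonce + ciphertext + self.device_id + tag


class AuthenticationDevice:
    """Node on the intrusion-detection side: whitelist, verify, gate, decrypt."""

    def __init__(self, whitelist, enc_key: bytes, sign_key: bytes):
        self.whitelist = set(whitelist)   # device IDs registered at the authentication server
        self.enc_key, self.sign_key = enc_key, sign_key
        self.digest_cache = None          # the "authentication digest cache"
        self.mac_tx_buffer = []           # plaintext handed to the MAC controller
        self.dropped = 0

    def protocol_parse(self, frame: bytes):
        """Split the frame and store (device ID, digest, tag) in the digest cache."""
        trailer = DEVICE_ID_LEN + TAG_LEN
        if len(frame) < NONCE_LEN + trailer:
            return None
        nonce, body = frame[:NONCE_LEN], frame[NONCE_LEN:-trailer]
        device_id, tag = frame[-trailer:-TAG_LEN], frame[-TAG_LEN:]
        self.digest_cache = (device_id, hashlib.sha256(nonce + body).digest(), tag)
        return nonce, body

    def gate_open(self) -> bool:
        """The data gate opens only for a whitelisted ID with a valid signature."""
        device_id, digest, tag = self.digest_cache
        if device_id not in self.whitelist:
            return False
        return hmac.compare_digest(sign(self.sign_key, device_id, digest), tag)

    def receive(self, frame: bytes):
        parsed = self.protocol_parse(frame)
        if parsed is None or not self.gate_open():
            self.dropped += 1          # rejected before any decryption happens
            return None
        nonce, body = parsed
        plaintext = keystream_xor(self.enc_key, nonce, body)
        self.mac_tx_buffer.append(plaintext)
        return plaintext


def demo():
    """Constructed keys, IDs and packet: one good frame, one tampered, one unregistered sender."""
    enc_key, sign_key = b"K" * 16, b"S" * 32
    sender = EncryptionDevice(b"\x00\x00\x00\x07", enc_key, sign_key)
    rogue = EncryptionDevice(b"\x00\x00\x00\x09", enc_key, sign_key)  # ID not whitelisted
    receiver = AuthenticationDevice([b"\x00\x00\x00\x07"], enc_key, sign_key)
    packet = b"\x45\x00\x00\x18" + bytes(16) + b"DATA"  # constructed 24-byte IPv4 packet
    delivered = receiver.receive(sender.protect(packet)) == packet
    tampered = bytearray(sender.protect(packet))
    tampered[NONCE_LEN + 1] ^= 0x01                      # flip one ciphertext bit
    tamper_blocked = receiver.receive(bytes(tampered)) is None
    rogue_blocked = receiver.receive(rogue.protect(packet)) is None
    return delivered, tamper_blocked, rogue_blocked, len(receiver.mac_tx_buffer), receiver.dropped
```

The rogue sender deliberately holds the same keys as the legitimate one so that the whitelist check, not key possession, is what stops it; in the patent's arrangement the authentication server's registered-ID list and the signature check are two separate conditions and both must pass before the data gate opens.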
The application takes into account the CCD bandwidth utilization, CCD field-of-view utilization, real-time measurement, system stability, system complexity and operational flexibility, so that the overall performance of the system is improved; the structure is simple, the cost is low, and no special optical elements such as polarizing elements or reflection gratings are needed;
by introducing a microscope objective, the method can be applied to microscopic measurements.
The application aims at researching and developing high-tech electronic information products, focusing mainly on security network products, including network security software, middleware components, security network terminal products and the like.
Aiming at the requirement for secure information transmission in the commercial Internet of things, the application solves the problem of secure information transmission between network nodes; an IP core with independent intellectual property rights, data encryption, key exchange and related products are researched and developed, achieving the purpose of establishing a dedicated secure channel between devices on the Internet.
At present, related products in China are few and single-function, out of proportion to the growing demands of information security users; the application aims to develop and produce security network products and to provide support and service for information security in China, especially network security products.
The foregoing description of the preferred embodiments of the application is not intended to limit the application to the precise form disclosed, and any modifications, equivalents and alternatives falling within the spirit and scope of the application are intended to be included within the scope of the application.

Claims (1)

1. A double-network-port hardware network data encryption system, characterized by comprising an encryption subsystem, a key exchange subsystem and an authentication subsystem, wherein the encryption subsystem is used to realize point-to-point encrypted data transmission; the key exchange subsystem is used to automatically exchange the private keys required by the encryption subsystem according to the hardware identification code; and the authentication subsystem is used to identify whether a network IP message has been tampered with;
the encryption subsystem, the key exchange subsystem and the authentication subsystem are arranged in a hardware encryption device whose core is an FPGA chip; each encryption device has a double-network-port structure, one end of one encryption device is connected to the industrial equipment and its other end to the industrial control network, and the other end of the other encryption device is connected to the intrusion detection equipment; the two encryption devices form the two nodes of a network hardware dedicated line, one node being connected to the industrial equipment and the other node to the intrusion detection system;
the network interfaces and the configuration interface are extended outside the FPGA chip; the configuration interface writes configuration information into the control register, and the configuration information sets the subsystem working mode, working state and MAC controller working mode and initializes the asymmetric key;
the encryption algorithm required by the encryption subsystem and the digital signature algorithm required by the authentication subsystem are combined and programmed into the FPGA chip as hardware algorithm logic;
the encryption subsystem is implemented in the FPGA, with an external network interface and a USB interface; the encryption subsystem comprises a main state machine, a MAC controller, an encryption module, a command analysis module and a control register module; the USB interface can not only receive network data but also write configuration information into the control register, and the configuration information sets the working mode, working state and MAC controller working mode of the encryption subsystem and initializes the asymmetric key;
data written into the FPGA through the USB interface is placed in a custom frame format, and the command analysis module judges whether it is a network IP message or configuration information data; if it is IP message data, it is forwarded to the encryption module, which analyses and encrypts the IP message data, writes the ciphertext data into the transmit buffer of the MAC controller, and transmits the ciphertext data to the network through the RJ45 network interface;
the authentication subsystem is implemented in the FPGA, with an external network interface and a configuration interface; the authentication subsystem comprises a main state machine, a MAC controller, a protocol analysis module, an authentication digest cache, a public key decryption module, a register, a data gate and a private key decryption module; the configuration interface writes configuration information into the control register, and the configuration information sets the working mode, working state and MAC controller working mode of the authentication subsystem and initializes the asymmetric key;
after the network interface receives the IP message data, the IP message is first passed to the protocol analysis module, which extracts the digest information from the IP message data and stores it in the authentication digest cache; the public key decryption module decrypts the digest information with the public key stored in its register, judges the integrity of the IP message from the decrypted information, and then controls the data gate to pass the IP message to the private key decryption module for decryption; the decrypted plaintext data is written into the transmit buffer of the MAC controller and then transmitted to the trusted network through the RJ45 network interface.
CN202110320946.6A 2021-03-25 2021-03-25 Double-network-port hardware network data encryption system Active CN113014385B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110320946.6A CN113014385B (en) 2021-03-25 2021-03-25 Double-network-port hardware network data encryption system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110320946.6A CN113014385B (en) 2021-03-25 2021-03-25 Double-network-port hardware network data encryption system

Publications (2)

Publication Number Publication Date
CN113014385A CN113014385A (en) 2021-06-22
CN113014385B true CN113014385B (en) 2023-09-01

Family

ID=76407212

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110320946.6A Active CN113014385B (en) 2021-03-25 2021-03-25 Double-network-port hardware network data encryption system

Country Status (1)

Country Link
CN (1) CN113014385B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117592026A (en) * 2023-07-18 2024-02-23 湖南工程学院 Computer information security system
CN117714031B (en) * 2024-01-11 2024-06-04 无锡路通视信网络股份有限公司 High-speed data encryption communication method

Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007098362A2 (en) * 2006-02-16 2007-08-30 Joyce James B Methods and apparatus for heuristic/deterministic finite automata
CN102333306A (en) * 2010-06-30 2012-01-25 丛林网络公司 The many service VPN networking clients that are used for mobile device
CN103106169A (en) * 2013-01-28 2013-05-15 无锡众志和达存储技术股份有限公司 High speed bus interface expansion structure based on aurora protocol
CN103490900A (en) * 2013-09-29 2014-01-01 福建星网锐捷网络有限公司 Encryption and authentication method and equipment
CN103986582A (en) * 2014-05-28 2014-08-13 中国广核集团有限公司 Data encryption transmission method, device and system based on dynamic encryption technology
CN104023000A (en) * 2013-09-05 2014-09-03 田玥 Network intrusion detection method
CN105592107A (en) * 2016-03-01 2016-05-18 南京富岛信息工程有限公司 Device and method for safely collecting industrial process data on basis of FPGA
CN106161330A (en) * 2015-03-16 2016-11-23 机械工业仪器仪表综合技术经济研究所 A kind of security isolation system being applied to PROFINET EPA
CN107563213A (en) * 2017-09-29 2018-01-09 北京计算机技术及应用研究所 A kind of safe and secret control device of anti-storage device data extraction
CN107911370A (en) * 2017-11-22 2018-04-13 深圳市智物联网络有限公司 A kind of data ciphering method and device, data decryption method and device
CN108183901A (en) * 2017-12-28 2018-06-19 湖南大唐先科技有限公司 Host security defense physical card and its data processing method based on FPGA
CN109561091A (en) * 2018-11-30 2019-04-02 冶金自动化研究设计院 A kind of network security protection system for civil air defense constructions and installations
CN109842585A (en) * 2017-11-27 2019-06-04 中国科学院沈阳自动化研究所 Network information security protective unit and means of defence towards industrial embedded system
CN110493257A (en) * 2019-09-06 2019-11-22 江苏省水文水资源勘测局 Session key management method in a kind of water conservancy industrial control system encryption equipment
CN110869997A (en) * 2017-07-10 2020-03-06 本质Id有限责任公司 Secure key generation by biased physical unclonable functions
CN211018845U (en) * 2020-01-15 2020-07-14 深圳市艾迪科泰电子有限公司 Encryption chip based on hardware random encryption authentication and electronic cigarette comprising same
CN111541663A (en) * 2020-04-14 2020-08-14 北京数盾信息科技有限公司 Link exchange encryption system based on national password standard

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7383577B2 (en) * 2002-05-20 2008-06-03 Airdefense, Inc. Method and system for encrypted network management and intrusion detection
US10642672B2 (en) * 2015-08-11 2020-05-05 Dell Products L.P. Systems and methods for dynamic thermal excursion timeout determination and predictive failure notification based on airflow escape detection
JP6696352B2 (en) * 2016-08-18 2020-05-20 富士通株式会社 Programmable logic device, information processing device, processing method, and processing program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and FPGA implementation of a mobile hard disk encryption system based on a MEMS strong link; Tang Jian et al.; 《计算机应用》 (Computer Applications); 2008-12-15; full text *

Also Published As

Publication number Publication date
CN113014385A (en) 2021-06-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant