CN114050920A - Transparent network encryption system implementation method based on FPGA - Google Patents


Info

Publication number
CN114050920A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111304832.9A
Other languages
Chinese (zh)
Inventor
张中方
臧云利
许广建
赵长松
曹敏
刘守昌
张德瑞
李振
朱彤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Duofang Semiconductor Co ltd
Original Assignee
Shandong Duofang Semiconductor Co ltd
Application filed by Shandong Duofang Semiconductor Co ltd
Publication of CN114050920A
Current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation

Abstract

The invention discloses a method for implementing a transparent network encryption system based on an FPGA (field programmable gate array), comprising the following steps: receiving an original data packet from the plaintext network port, parsing the network message and caching its MAC header and IP header information; aligning the IP header and the data area and adding a first custom field and a second custom field; encrypting the data carrying the first and second custom fields with a preset algorithm; adding a third custom field and a fourth custom field to the encrypted data to form a ciphertext data packet; and sending the ciphertext data packet to the ciphertext network port over UDP (User Datagram Protocol). The method is implemented in FPGA hardware, performs transparent encryption and decryption of network data, and removes the dependence of conventional network encryption and decryption on CPU performance. Because encryption is done in FPGA hardware, the design is secure, resists penetration, and offers high performance.

Description

Transparent network encryption system implementation method based on FPGA
Technical Field
The invention belongs to the technical field of secure communication and relates to a method for implementing a transparent network encryption system based on an FPGA (field programmable gate array) that achieves NAT (Network Address Translation) traversal without an IP or MAC (media access control) address of its own, and in particular to a method for implementing an FPGA-based transparent network encryption system.
Background
With the continuous development of the Internet of Things, we have entered a world in which everything is interconnected. Networking means sharing and intercommunication, and encrypting network data is essential to securing data communication. However, in many network systems already deployed, a considerable share of the data is still transmitted over the network in clear text, and these systems carry a serious security risk.
At present, mainstream network data encryption is mostly implemented as a VPN (Virtual Private Network) built on a protocol such as SSL (Secure Sockets Layer) or IPsec (Internet Protocol Security). Such devices are feature-rich and complex to operate, generally depend on an operating system or protocol stack, are implemented in software, and cannot prevent penetration of the network equipment. In addition, configuring and deploying the encryption equipment is usually complicated, it changes the topology of the original network, and it may introduce new security problems.
Disclosure of Invention
The main purpose of the invention is to provide a method for implementing a transparent network encryption system based on an FPGA that solves the security problem of network communication data in the Internet of Things, encrypts all networked data in hardware, and protects the data and the internal network against penetration; it also solves the problem of transparent transmission after network data is encrypted, so that the original network equipment and network topology are neither aware of nor affected by the encryption.
To achieve this purpose, the invention adopts the following technical scheme:
In a first aspect, for encryption, an embodiment of the invention provides a method for implementing a transparent network encryption system based on an FPGA, including:
receiving an original data packet from the plaintext network port, parsing the network message and caching its MAC header and IP header information;
performing data alignment on the IP header and the data area, and adding a first custom field and a second custom field;
encrypting the data carrying the first and second custom fields with a preset algorithm;
adding a third custom field and a fourth custom field to the encrypted data to form a ciphertext data packet;
and sending the ciphertext data packet to the ciphertext network port over UDP (User Datagram Protocol).
Further, performing data alignment on the IP header and the data area and adding the first and second custom fields includes:
performing 128-bit data alignment on the IP header and the data area, with the first custom field serving as the padding data added during alignment;
adding a second custom field, which includes the length of the original data packet and related data parameters.
Further, encrypting the data carrying the first and second custom fields with a preset algorithm includes:
encrypting and integrity-protecting the data carrying the first and second custom fields with the hash algorithm SM3 and the block cipher algorithm SM4;
or
encrypting and integrity-protecting the data carrying the first and second custom fields with the SM4-GCM algorithm.
Further, adding the third and fourth custom fields to the encrypted data to form a ciphertext data packet includes:
adding a third custom field to the encrypted data, the third custom field being the HMAC value computed with SM3 or the GMAC value generated by SM4-GCM;
adding a fourth custom field to form the ciphertext data packet, the fourth custom field including vendor information, the device ID, and some of the parameters required for key update.
Further, sending the ciphertext data packet to the ciphertext network port over UDP includes:
determining whether the total length of the ciphertext data packet is greater than the MTU value;
when it is not greater than the MTU value, combining the cached MAC header, the IP header and a custom port number with the ciphertext data packet to form a UDP encrypted data packet, and sending it to the ciphertext network port;
and when the total length is greater than the MTU value, splitting the ciphertext into at least two ciphertext data packets each shorter than the MTU value, combining each with the cached MAC header, IP header and custom port number to form UDP encrypted data packets, and sending them to the ciphertext network port.
In a second aspect, for decryption, an embodiment of the invention further provides a method for implementing a transparent network encryption system based on an FPGA, including:
receiving a network data packet from the ciphertext network port, parsing the network message and caching its MAC header, IP header and UDP header information;
caching the UDP port number and the third and fourth custom fields;
decrypting the whole payload with a preset decryption algorithm to obtain the first custom field, the second custom field and the plaintext data;
parsing the length in the plaintext data, checking the first custom field against the second custom field, and judging whether the length is correct;
and when it is correct, generating the MAC header of the decrypted message from the cached MAC header, replacing the IP address in the original IP header with that of the cached IP header to perform the NAT conversion, generating a plaintext data packet and sending it to the plaintext network port.
Further, caching the UDP port number and the third and fourth custom fields includes:
caching the UDP port number and the third and fourth custom fields, judging whether the UDP port is correct and whether the fourth custom field contains the expected vendor information, device ID and key-update parameters; and discarding the packet when the UDP port or the fourth custom field is incorrect.
Further, when the UDP port and the fourth custom field are correct:
decrypting the whole payload with a preset decryption algorithm to obtain the first custom field, the second custom field and the plaintext data includes:
verifying the encrypted data with the hash algorithm SM3, i.e. checking whether the third custom field equals the HMAC value computed with SM3;
when the third custom field is correct, decrypting the data with SM4 to obtain the first custom field, the second custom field and the plaintext data;
or
computing the GMAC value of the ciphertext with the SM4-GCM algorithm and checking whether the third custom field is correct;
and when the third custom field is correct, decrypting the data with SM4-GCM to obtain the first custom field, the second custom field and the plaintext data.
Further, parsing the length in the plaintext data, checking the first custom field against the second custom field, and judging whether the length is correct includes:
parsing the length in the plaintext data and determining whether the first custom field is the padding data added during 128-bit data alignment;
and determining whether the second custom field contains the length of the original data packet and the related data parameters.
Compared with the prior art, the invention has the following advantages:
The method for implementing an FPGA-based transparent network encryption system provided by the embodiments of the invention uses FPGA hardware to perform transparent encryption and decryption of network data, removing the dependence of conventional network encryption and decryption on CPU performance. Because encryption is done in FPGA hardware, the design is secure, resists penetration, and offers high performance.
The design borrows the packet header information of the original data, so the communication carries no MAC address, IP address or similar information of the device itself; the original network topology and network equipment are therefore unaffected, and the encryption is transparent to and unnoticed by the equipment. Configuration is simple: once registered, the device is plug-and-play, which suits the many application scenarios of the Internet of Things.
The method supports encryption of both TCP and UDP traffic, establishes the encrypted channel under hardware protection, and ensures that the communication link resists penetration.
Drawings
Fig. 1 is a flowchart of the method for implementing an FPGA-based transparent network encryption system according to embodiment 1;
Fig. 2 is a schematic diagram of the method for implementing an FPGA-based transparent network encryption system according to embodiment 1;
Fig. 3 is a flowchart of the method for implementing an FPGA-based transparent network encryption system according to embodiment 2;
Fig. 4 is a schematic diagram of the method for implementing an FPGA-based transparent network encryption system according to embodiment 2.
Detailed Description
To make the technical means, features, objectives and effects of the invention easy to understand, the invention is further described below with reference to specific embodiments.
In the description of the invention, it should be noted that terms such as "upper", "lower", "inner", "outer", "front", "rear", "both ends", "one end" and "the other end" indicate orientations or positional relationships as shown in the drawings, are used only for convenience and simplicity of description, and do not indicate or imply that the referenced device or element must have a specific orientation or be constructed and operated in a specific orientation; they should therefore not be construed as limiting the invention. Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the invention, it should also be noted that, unless otherwise explicitly specified or limited, terms such as "mounted", "arranged" and "connected" are to be construed broadly: "connected", for example, may mean fixedly, detachably or integrally connected; mechanically or electrically connected; connected directly or indirectly through an intermediate medium; or an internal connection between two elements. The specific meaning of these terms in the invention can be understood by those skilled in the art according to the specific case.
The invention covers the encryption process and the decryption process of an FPGA-based transparent network encryption system. The main scheme consists of a plaintext data parsing and encryption process and a ciphertext data decryption and NAT process. The technical solution of the invention is described in detail below with reference to two examples.
Example 1:
The invention provides a method for implementing a transparent network encryption system based on an FPGA (field programmable gate array), which, with reference to FIG. 1, comprises the following steps:
S10, receiving an original data packet from the plaintext network port, parsing the network message and caching its MAC header and IP header information;
S20, performing data alignment on the IP header and the data area, and adding a first custom field and a second custom field;
S30, encrypting the data carrying the first and second custom fields with a preset algorithm;
S40, adding a third custom field and a fourth custom field to the encrypted data to form a ciphertext data packet;
and S50, sending the ciphertext data packet to the ciphertext network port over UDP.
In this embodiment, the plaintext data parsing and encryption process is responsible for receiving plaintext data at the network port, parsing and processing the plaintext information, adding the custom message fields, controlling the algorithm, encrypting the data and packaging the encrypted data; when a data packet is too long, the unpacking (fragmentation) function is started; finally the ciphertext data packet is sent to the ciphertext network port.
Step S20 includes:
S201, performing 128-bit data alignment on the IP header and the data area, with the first custom field serving as the padding data added during alignment. For example, the padding may initially be an all-zero data field and later an incrementing sequence (1, 2, 3, …), so that the padding itself can be checked for validity and the data length further verified.
S202, adding a second custom field, which includes the length of the original data packet and related data parameters. The related data parameters carry a data validity flag and an anti-replay processing flag used to detect replay attacks (as simulated in network testing).
In step S30, various encryption methods may be used, with the corresponding decryption method used for decryption. The first method: the data carrying the first and second custom fields is encrypted and integrity-protected with the hash algorithm SM3 and the block cipher algorithm SM4. The second method: the data carrying the first and second custom fields is encrypted and integrity-protected with the SM4-GCM algorithm.
When the first method is used, step S40 includes:
S401, adding a third custom field to the encrypted data, the third custom field being the HMAC value computed with SM3;
S402, adding a fourth custom field to form the ciphertext data packet, the fourth custom field including vendor information, the device ID and some of the parameters required for key update, mainly the key validity flag and the selection between the new and old keys.
When the second method is used, step S40 includes:
S400, adding a third custom field to the encrypted data, the third custom field being the GMAC value generated by SM4-GCM;
S402, adding a fourth custom field to form the ciphertext data packet, the fourth custom field including vendor information, the device ID and some of the parameters required for key update, mainly the key validity flag and the selection between the new and old keys.
Step S50 includes:
S501, determining whether the total length of the ciphertext data packet is greater than the MTU value;
S502, when it is not greater than the MTU value, combining the cached MAC header, the IP header and a custom port number with the ciphertext data packet to form a UDP encrypted data packet, and sending it to the ciphertext network port;
S503, when the total length of the ciphertext data packet is greater than the MTU value, splitting it into at least two ciphertext data packets each shorter than the MTU value, combining each with the cached MAC header, IP header and custom port number to form UDP encrypted data packets, and sending them to the ciphertext network port.
Referring to fig. 2 and taking the hash algorithm SM3 and the block cipher algorithm SM4 as an example, the encryption process is implemented as follows:
The FPGA parses the received Ethernet data packet and caches the MAC header and IP header, because the encrypted data must borrow the header information of the original packet in order to be sent onto the network. The IP header and data area are encrypted as a whole. Because the encryption module requires it, the data is first aligned to 128 bits before encryption, and the padding added during alignment forms the first custom field, whose length therefore differs from packet to packet. At the same time a second custom field is added, containing the real length of the original data and other data parameters; during decryption it serves as the basis for checking the validity of the data. In this embodiment the encryption module initially uses the hash algorithm SM3 and the block cipher algorithm SM4; the algorithm module is relatively independent and can be replaced by other algorithms, in which case the corresponding decryption algorithm is used during decryption.
A third custom field is appended to the encrypted data, containing the HMAC value computed with SM3, and a fourth custom field is added to store vendor information, the device ID, some of the parameters required during key update, and similar information. The fourth field makes it easy to parse and identify encrypted network-port data and serves as a basis for judging data validity and for verification during key update.
The total length is computed by adding each custom field to the ciphertext data. If it exceeds the MTU (maximum transmission unit), the unpacking module is started: the data packet is fragmented according to the unpacking rule and the fragments are then encrypted in turn, so that no ciphertext packet exceeds the MTU of the current network; the data is thus transmitted as several packets. During packaging, a new MAC header and IP header are generated from the cached MAC address and IP address, a UDP header is generated with the custom port number, and the encrypted data is sent onto the network over UDP. Because the MAC and IP of the original message are borrowed, the ciphertext data is sent transparently.
Example 2:
An embodiment of the invention further provides a method for implementing a transparent network encryption system based on an FPGA, shown in fig. 3, which includes:
S100, receiving a network data packet from the ciphertext network port, parsing the network message and caching its MAC header, IP header and UDP header information; that is, receiving the output of the encryption method of embodiment 1 above.
S200, caching the UDP port number and the third and fourth custom fields;
S300, decrypting the whole payload with a preset decryption algorithm to obtain the first custom field, the second custom field and the plaintext data;
S400, parsing the length in the plaintext data, checking the first custom field against the second custom field, and judging whether the length is correct;
and S500, if it is correct, generating the MAC header of the decrypted message from the cached MAC header, replacing the IP address in the original IP header with that of the cached IP header to perform the NAT conversion, generating a plaintext data packet and sending it to the plaintext network port.
In this embodiment, the ciphertext data decryption and NAT process is responsible for receiving network data packets from the ciphertext network port, filtering out the UDP packets, parsing the header information of each layer, judging the validity of each custom field, decrypting the ciphertext data, verifying the validity and correctness of the data to obtain the plaintext, assembling the plaintext packets while performing the NAT conversion, and sending the data to the plaintext network port.
In step S200, the UDP port number and the third and fourth custom fields are cached, and it is judged whether the UDP port is correct and whether the fourth custom field contains the expected vendor information, device ID and key-update parameters; when the UDP port or the fourth custom field is incorrect, the packet is discarded.
When the UDP port and the fourth custom field are correct:
Taking the first encryption method of embodiment 1 as an example, step S300 of decryption includes:
S3001, verifying the encrypted data with the hash algorithm SM3, i.e. checking whether the third custom field equals the HMAC value computed with SM3;
and S3002, when the third custom field is correct, decrypting the data with SM4 to obtain the first custom field, the second custom field and the plaintext data.
Taking the second encryption method of embodiment 1 as an example, step S300 of decryption includes:
1) computing the GMAC value of the ciphertext with the SM4-GCM algorithm and checking whether the third custom field is correct;
2) and when the third custom field is correct, decrypting the data with SM4-GCM to obtain the first custom field, the second custom field and the plaintext data.
Step S400 includes:
S4001, parsing the length in the plaintext data and determining whether the first custom field is the padding data added during 128-bit data alignment;
S4002, determining whether the second custom field contains the length of the original data packet and the related data parameters.
Referring to fig. 4 and taking the hash algorithm SM3 and the block cipher algorithm SM4 as an example, the decryption process is implemented as follows:
The FPGA parses the received Ethernet data packet and caches the MAC header, IP header and UDP header, because the decrypted data must borrow the header information of the original packet for the NAT conversion before being sent to the plaintext network or equipment;
the third and fourth custom fields are cached; for ciphertext data that has passed the initial filter on the fourth field, the hash algorithm SM3 is computed and matched against the HMAC in the third custom field to verify the correctness of the data; at the same time the whole payload is decrypted with the block cipher algorithm SM4 to obtain the first and second custom fields, and the validity of the data in each field is checked;
the data that has passed the validity and correctness checks is assembled into plaintext packets. During assembly, the MAC header of the decrypted message is generated from the cached MAC address, and the IP address in the IP header of the original message is replaced with the cached IP address, which completes the NAT conversion and forwards the plaintext data transparently.
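The following Python is added here as an illustration and is not part of the patent (whose implementation is FPGA logic); it models the framing of Examples 1 and 2 end to end: caching the MAC and IP headers, 128-bit alignment with the first custom field as checkable padding, the second field carrying the real length and an anti-replay counter, the third field as a MAC over the ciphertext, the fourth field with vendor and device ID, the borrowed-header UDP encapsulation, and on the receiving side the port and fourth-field filter, MAC verification before decryption, the length and padding check, the replay check and the NAT address rewrite. Because the Python standard library has neither SM3 nor SM4, HMAC-SHA256 stands in for HMAC-SM3 and a counter-mode keystream built from HMAC-SHA256 stands in for SM4. The field sizes and layout, the custom port 40000, the vendor tag, the device ID, the 1, 2, 3, … padding pattern and the sample frame are constructed assumptions, and the over-MTU fragmentation path of S503 is not modelled.

```python
import hashlib, hmac, struct

BLOCK, ETH_HDR, UDP_PORT = 16, 14, 40000  # 128-bit alignment; untagged Ethernet; assumed custom port
VENDOR, DEVICE_ID = b"DFSC", 0x0101       # constructed values carried in the fourth custom field
FOURTH_LEN, SECOND_LEN, TAG_LEN = 16, 8, 32  # field sizes; HMAC-SHA256 (32 B) stands in for HMAC-SM3

def _ip_checksum(hdr: bytes) -> int:
    """Standard IPv4 header checksum (the checksum bytes themselves are treated as zero)."""
    total = sum(struct.unpack(">%dH" % (len(hdr) // 2), hdr[:10] + b"\0\0" + hdr[12:]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a counter-mode keystream from HMAC-SHA256 as PRF; stands in for SM4 (not in stdlib)."""
    ks = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, ks))

def parse_frame(frame: bytes):
    """Return the cached MAC header, the IP header and the length-bounded IPv4 packet."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("drop: not an IPv4 Ethernet frame")
    ihl, total = (frame[ETH_HDR] & 0x0F) * 4, struct.unpack(">H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]
    if ihl < 20 or total < ihl or total > len(frame) - ETH_HDR:
        raise ValueError("drop: bad IPv4 length fields")
    return frame[:ETH_HDR], frame[ETH_HDR:ETH_HDR + ihl], frame[ETH_HDR:ETH_HDR + total]

def encapsulate(frame: bytes, enc_key: bytes, mac_key: bytes, seq: int, mtu: int = 1500) -> bytes:
    """Plaintext-port frame -> ciphertext-port frame (steps S10-S50, single-packet path)."""
    mac_hdr, ip_hdr, ip_pkt = parse_frame(frame)
    # Second custom field (8 B): original length(2) | validity flag(1) | anti-replay seq(4) | reserved(1).
    second = struct.pack(">HBIx", len(ip_pkt), 1, seq)
    # First custom field: 128-bit alignment padding with the pattern 1,2,3,... so it can be checked.
    pad_len = (-(len(ip_pkt) + SECOND_LEN)) % BLOCK
    plaintext = ip_pkt + bytes(range(1, pad_len + 1)) + second
    # Fourth custom field (16 B, in clear): vendor(4) | device ID(2) | key id(1) | key flag(1) | nonce(8).
    nonce = struct.pack(">Q", seq)
    fourth = VENDOR + struct.pack(">HBB", DEVICE_ID, 1, 0) + nonce
    ciphertext = _crypt(enc_key, nonce, plaintext)
    # Third custom field: MAC over the fourth field and the ciphertext (encrypt-then-MAC).
    payload = fourth + ciphertext + hmac.new(mac_key, fourth + ciphertext, hashlib.sha256).digest()
    # Outer headers borrow the cached MAC/IP headers; the protocol becomes UDP on the custom port.
    udp = struct.pack(">HHHH", UDP_PORT, UDP_PORT, 8 + len(payload), 0)
    outer_ip = bytearray(ip_hdr[:20])
    outer_ip[0], outer_ip[9] = 0x45, 17
    outer_ip[2:4] = struct.pack(">H", 28 + len(payload))
    outer_ip[10:12] = struct.pack(">H", _ip_checksum(bytes(outer_ip)))
    out = mac_hdr + bytes(outer_ip) + udp + payload
    if len(out) - ETH_HDR > mtu:
        raise ValueError("exceeds MTU: the S503 fragmentation path would be needed")
    return out

def decapsulate(frame: bytes, enc_key: bytes, mac_key: bytes, last_seq: int):
    """Ciphertext-port frame -> (plaintext-port frame, seq); raises ValueError where the receiver drops."""
    mac_hdr, ip_hdr, ip_pkt = parse_frame(frame)
    if ip_hdr[9] != 17 or len(ip_pkt) < len(ip_hdr) + 8:
        raise ValueError("drop: not a UDP packet")
    _, dport, ulen, _ = struct.unpack(">HHHH", ip_pkt[len(ip_hdr):len(ip_hdr) + 8])
    payload = ip_pkt[len(ip_hdr) + 8:]
    if dport != UDP_PORT or ulen != 8 + len(payload):
        raise ValueError("drop: wrong UDP port or UDP length")
    if len(payload) < FOURTH_LEN + BLOCK + TAG_LEN or (len(payload) - FOURTH_LEN - TAG_LEN) % BLOCK:
        raise ValueError("drop: malformed ciphertext packet")
    fourth, ciphertext, tag = payload[:FOURTH_LEN], payload[FOURTH_LEN:-TAG_LEN], payload[-TAG_LEN:]
    if fourth[:4] != VENDOR or struct.unpack(">H", fourth[4:6])[0] != DEVICE_ID:
        raise ValueError("drop: fourth custom field does not match this device")
    # Verify the third field before decrypting (S3001 before S3002), in constant time.
    if not hmac.compare_digest(hmac.new(mac_key, fourth + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("drop: HMAC mismatch")
    plaintext = _crypt(enc_key, fourth[8:16], ciphertext)
    orig_len, flag, seq = struct.unpack(">HBIx", plaintext[-SECOND_LEN:])
    pad = plaintext[orig_len:-SECOND_LEN]
    # Length check (S4001/S4002): the first field must be exactly the expected alignment padding.
    if (flag != 1 or orig_len < 20 or orig_len + SECOND_LEN > len(plaintext)
            or len(pad) >= BLOCK or pad != bytes(range(1, len(pad) + 1))):
        raise ValueError("drop: length or padding check failed")
    if seq <= last_seq:
        raise ValueError("drop: replayed or out-of-order packet")
    inner = bytearray(plaintext[:orig_len])
    # NAT step: addresses from the cached outer IP header replace those in the original header.
    inner[12:20] = ip_hdr[12:20]
    inner[10:12] = struct.pack(">H", _ip_checksum(bytes(inner[:(inner[0] & 0x0F) * 4])))
    return mac_hdr + bytes(inner), seq

def drops(frame: bytes, enc_key: bytes, mac_key: bytes, last_seq: int) -> bool:
    """True when the receiver would discard the frame (the patent's packet loss processing)."""
    try:
        decapsulate(frame, enc_key, mac_key, last_seq)
        return False
    except ValueError:
        return True

def build_sample_frame(payload: bytes) -> bytes:
    """Constructed plaintext-port frame: Ethernet + IPv4 (protocol 6, 10.0.0.1 -> 10.0.0.2) + payload."""
    mac_hdr = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = bytearray(struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                               64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    ip[10:12] = struct.pack(">H", _ip_checksum(bytes(ip)))
    return mac_hdr + bytes(ip) + payload
```

A round trip is `decapsulate(encapsulate(frame, k1, k2, seq), k1, k2, last_seq)`, and `drops()` shows which malformed, tampered, mis-addressed or replayed frames the receiver discards.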
The method for implementing an FPGA-based transparent network encryption system provided by the embodiments of the invention covers both the encryption and decryption processes. FPGA hardware performs transparent encryption and decryption of network data, removing the dependence of conventional network encryption and decryption on CPU performance; because encryption is done in FPGA hardware, the design is secure, resists penetration, and offers high performance.
The foregoing shows and describes the general principles and features of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (9)

1. A method for implementing a transparent network encryption system based on an FPGA, characterized by comprising the following steps:
receiving an original data packet from the plaintext network port, parsing the network message and caching its MAC header and IP header information;
performing data alignment on the IP header and the data area, and adding a first custom field and a second custom field;
encrypting the data carrying the first and second custom fields with a preset algorithm;
adding a third custom field and a fourth custom field to the encrypted data to form a ciphertext data packet;
and sending the ciphertext data packet to the ciphertext network port over UDP (User Datagram Protocol).
2. The method for implementing an FPGA-based transparent network encryption system according to claim 1, wherein performing data alignment on the IP header and the data area and adding the first and second custom fields comprises:
performing 128-bit data alignment on the IP header and the data area, with the first custom field serving as the padding data added during alignment;
adding a second custom field, which includes the length of the original data packet and related data parameters.
3. The method for implementing an FPGA-based transparent network encryption system according to claim 2, wherein encrypting the data carrying the first and second custom fields with a preset algorithm comprises:
encrypting and integrity-protecting the data carrying the first and second custom fields with the hash algorithm SM3 and the block cipher algorithm SM4;
or
encrypting and integrity-protecting the data carrying the first and second custom fields with the SM4-GCM algorithm.
4. The method for implementing an FPGA-based transparent network encryption system according to claim 3, wherein adding a third custom field and a fourth custom field to the encrypted data to form a ciphertext data packet comprises:
adding a third custom field to the encrypted data, the third custom field being the HMAC value computed with SM3 or the GMAC value generated by SM4-GCM;
adding a fourth custom field to form the ciphertext data packet, the fourth custom field including vendor information, the device ID, and some of the parameters required for key update.
5. The implementation method of the FPGA-based transparent network encryption system according to claim 4, wherein the sending the ciphertext data packet to the ciphertext gateway using a UDP protocol comprises:
determining whether the total length of the ciphertext data packet is greater than an MTU value;
if the number of the encrypted data packets is not larger than the preset value, adopting a cache MAC header, an IP header and a self-defined port number, combining the encrypted data packets with the ciphertext data packet to form an encrypted data packet of a UDP protocol, and sending the encrypted data packet to a ciphertext network port;
and when the total length of the encrypted data packets is larger than the MTU value, the encrypted data packets are divided into at least two encrypted data packets with the total length smaller than the MTU value, the encrypted data packets of the UDP protocol are formed by combining the cached MAC headers, the IP headers and the self-defined port numbers, and the encrypted data packets are sent to the encrypted network port.
6. A method for realizing a transparent network encryption system based on FPGA is characterized by comprising the following steps:
receiving a network data packet at a ciphertext network port, parsing the network message and caching the MAC header, IP header and UDP header information;
caching the UDP port number and the third and fourth custom fields;
carrying out whole-packet decryption by adopting a preset decryption algorithm to obtain a first custom field, a second custom field and plaintext data;
parsing the length in the plaintext data, checking the first custom field and the second custom field, and judging whether the length is correct;
and when the length is correct, generating the MAC header of the decrypted message from the cached MAC header, replacing the IP address in the original IP header using the cached IP header to realize NAT conversion, generating a plaintext data packet and sending it to a plaintext network port.
7. The implementation method of the FPGA-based transparent network encryption system according to claim 6, wherein caching the UDP port number and the third and fourth custom fields comprises:
caching the UDP port number and the third and fourth custom fields, judging whether the UDP port is correct, and judging whether the fourth custom field includes the manufacturer information, the device ID and the parameters required for key update; and when the UDP port or the fourth custom field is incorrect, discarding the packet.
8. The implementation method of the FPGA-based transparent network encryption system of claim 7, wherein, when the UDP port and the fourth custom field are correct,
the whole-packet decryption by adopting a preset decryption algorithm to obtain the first custom field, the second custom field and the plaintext data comprises:
verifying the encrypted data by adopting the hash algorithm SM3, and comparing whether the third custom field equals the HMAC value calculated with SM3;
when the third custom field is correct, decrypting the data by adopting SM4 to obtain the first custom field, the second custom field and the plaintext data;
or
calculating the GMAC value of the ciphertext by adopting the SM4-GCM algorithm, and comparing whether the third custom field is correct;
and when the third custom field is correct, decrypting the data by adopting the SM4-GCM algorithm to obtain the first custom field, the second custom field and the plaintext data.
9. The method for implementing the FPGA-based transparent network encryption system according to claim 8, wherein parsing the length in the plaintext data and checking the first custom field and the second custom field to judge whether the length is correct comprises:
parsing the length in the plaintext data, and determining whether the first custom field is the data supplemented during the 128-bit data alignment processing;
and determining whether the second custom field includes the length data of the original data packet and the related data parameters.
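The framing described by claims 1-5 (encrypt side) and claims 6-9 (decrypt side), as an added worked example that is not part of the patent and not the assignee's FPGA implementation. The claims name four custom fields but give no byte widths, so the layouts below are constructed: the first custom field is zero padding to a 128-bit boundary, the second is a 16-byte length block (original length, padding length, reserved), the third is the 16-byte GCM tag, and the fourth is a trailer of vendor, device ID and a per-packet nonce standing in for the "parameters required for key update". AES-GCM from Go's standard library stands in for the patent's SM4-GCM (same GCM mode, different block cipher), and the `Fragment` helper assumes 42 bytes of MAC/IP/UDP headers in front of each piece. Passing the trailer as GCM additional data, so that a tampered fourth field fails tag verification, is a choice made here and is not stated by the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed field widths (the patent names the fields but not their sizes).
const (
	blockBytes = 16               // 128-bit alignment unit (claim 2)
	lenField   = 16               // second custom field: origLen(2) padLen(2) reserved(12)
	tagLen     = 16               // third custom field: GCM tag (GMAC)
	nonceLen   = 12               // standard GCM nonce
	trailerLen = 2 + 4 + nonceLen // fourth custom field: vendor(2) deviceID(4) nonce(12)
)

var (
	ErrBadTrailer = errors.New("fourth custom field mismatch: drop packet") // claim 7
	ErrBadLength  = errors.New("length check failed: drop packet")          // claim 9
)

// Trailer is the constructed layout of the fourth custom field.
type Trailer struct {
	Vendor   uint16
	DeviceID uint32
	Nonce    [nonceLen]byte // per-packet nonce; stands in for the key-update parameters
}

func (t Trailer) Bytes() []byte {
	b := make([]byte, trailerLen)
	binary.BigEndian.PutUint16(b[0:], t.Vendor)
	binary.BigEndian.PutUint32(b[2:], t.DeviceID)
	copy(b[6:], t.Nonce[:])
	return b
}

// Encapsulate follows claims 1-4: align inner (IP header + data area, < 64 KiB) with zero
// padding (first field), append the length block (second field), encrypt, then append the
// tag (third field) and the trailer (fourth field).
func Encapsulate(aead cipher.AEAD, inner []byte, tr Trailer) []byte {
	padLen := (blockBytes - len(inner)%blockBytes) % blockBytes
	plain := append([]byte{}, inner...)
	plain = append(plain, make([]byte, padLen)...) // first custom field
	second := make([]byte, lenField)               // second custom field
	binary.BigEndian.PutUint16(second[0:], uint16(len(inner)))
	binary.BigEndian.PutUint16(second[2:], uint16(padLen))
	plain = append(plain, second...)
	trailer := tr.Bytes()
	// Seal appends the 16-byte GCM tag to the ciphertext, which is the third custom field.
	// The trailer is bound as additional data (added choice, not stated by the patent).
	out := aead.Seal(nil, tr.Nonce[:], plain, trailer)
	return append(out, trailer...) // fourth custom field
}

// Decapsulate follows claims 6-9: check the fourth field, verify the tag, decrypt,
// then check that the first and second fields agree with the recovered length.
func Decapsulate(aead cipher.AEAD, pkt []byte, wantVendor uint16, wantDevice uint32) ([]byte, error) {
	if len(pkt) < trailerLen+tagLen+lenField {
		return nil, ErrBadLength
	}
	trailer := pkt[len(pkt)-trailerLen:]
	var tr Trailer
	tr.Vendor = binary.BigEndian.Uint16(trailer[0:])
	tr.DeviceID = binary.BigEndian.Uint32(trailer[2:])
	copy(tr.Nonce[:], trailer[6:])
	if tr.Vendor != wantVendor || tr.DeviceID != wantDevice {
		return nil, ErrBadTrailer
	}
	plain, err := aead.Open(nil, tr.Nonce[:], pkt[:len(pkt)-trailerLen], trailer)
	if err != nil {
		return nil, fmt.Errorf("third custom field (tag) incorrect: %w", err) // claim 8
	}
	second := plain[len(plain)-lenField:]
	origLen := int(binary.BigEndian.Uint16(second[0:]))
	padLen := int(binary.BigEndian.Uint16(second[2:]))
	// Length equality is checked first so the pad slice below is always in bounds.
	if origLen+padLen+lenField != len(plain) || padLen >= blockBytes ||
		!bytes.Equal(plain[origLen:origLen+padLen], make([]byte, padLen)) {
		return nil, ErrBadLength
	}
	return plain[:origLen], nil
}

// Fragment follows the MTU branch of claim 5: a packet that fits is sent as is,
// otherwise it is split so that each piece plus 42 bytes of headers stays within the MTU.
// The page does not describe fragment markers; reassembly here is in-order concatenation.
func Fragment(pkt []byte, mtu int) [][]byte {
	const hdr = 14 + 20 + 8 // Ethernet + IPv4 + UDP, assumed
	limit := mtu - hdr
	if len(pkt) <= limit {
		return [][]byte{pkt}
	}
	var frags [][]byte
	for len(pkt) > 0 {
		n := limit
		if n > len(pkt) {
			n = len(pkt)
		}
		frags = append(frags, pkt[:n])
		pkt = pkt[n:]
	}
	return frags
}

func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

func main() {
	aead := newAEAD(bytes.Repeat([]byte{0x11}, 16)) // constructed demo key
	tr := Trailer{Vendor: 0x1234, DeviceID: 42}
	copy(tr.Nonce[:], []byte("demo-nonce-1")) // constructed; must never repeat under one key
	inner := []byte("constructed IP header + data area")
	pkt := Encapsulate(aead, inner, tr)
	got, err := Decapsulate(aead, pkt, 0x1234, 42)
	fmt.Println(bytes.Equal(got, inner), err, len(Fragment(pkt, 1500)))
}
```

The receive side rejects in the order the claims give: trailer mismatch before any cryptography (claim 7), tag failure before looking at the plaintext (claim 8), and the padding/length consistency check last (claim 9). A real deployment also needs a nonce that never repeats under the same key, which the patent leaves to its key-update parameters.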
CN202111304832.9A 2021-10-29 2021-11-05 Transparent network encryption system implementation method based on FPGA Pending CN114050920A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2021112712721 2021-10-29
CN202111271272 2021-10-29

Publications (1)

Publication Number Publication Date
CN114050920A true CN114050920A (en) 2022-02-15

Family

ID=80207333

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111304832.9A Pending CN114050920A (en) 2021-10-29 2021-11-05 Transparent network encryption system implementation method based on FPGA

Country Status (1)

Country Link
CN (1) CN114050920A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037563A (en) * 2022-08-11 2022-09-09 中国电子科技集团公司第三十研究所 Pre-fragmentation processing method of IP datagram under IPSec encryption transmission mode
CN115174520A (en) * 2022-06-09 2022-10-11 郑州信大捷安信息技术股份有限公司 Network address information hiding method and system
CN115225331A (en) * 2022-06-22 2022-10-21 中国科学院信息工程研究所 Data encryption communication method

Citations (4)


Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104954222A (en) * 2015-05-22 2015-09-30 东南大学 Tunnel-mode ESP (electronic stability program) hardware encapsulating device on basis of IPSEC (internet protocol security) protocols
CN105591752A (en) * 2015-12-31 2016-05-18 盛科网络(苏州)有限公司 Method and apparatus for reducing DTLS decryption time delay
US10652220B1 (en) * 2018-05-09 2020-05-12 Architecture Technology Corporation Systems and methods for secure data transport
CN111294211A (en) * 2020-02-13 2020-06-16 山东方寸微电子科技有限公司 USB network card data encryption and decryption method based on RNDIS

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
蔡思飞;彭新光;: "基于VPN的安全网关研究", 太原理工大学学报, no. 2, 15 May 2006 (2006-05-15) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174520A (en) * 2022-06-09 2022-10-11 郑州信大捷安信息技术股份有限公司 Network address information hiding method and system
CN115174520B (en) * 2022-06-09 2023-06-23 郑州信大捷安信息技术股份有限公司 Network address information hiding method and system
CN115225331A (en) * 2022-06-22 2022-10-21 中国科学院信息工程研究所 Data encryption communication method
CN115037563A (en) * 2022-08-11 2022-09-09 中国电子科技集团公司第三十研究所 Pre-fragmentation processing method of IP datagram under IPSec encryption transmission mode
CN115037563B (en) * 2022-08-11 2022-12-09 中国电子科技集团公司第三十研究所 Pre-fragmentation processing method of IP datagram under IPSec encryption transmission mode

Similar Documents

Publication Publication Date Title
CN114050920A (en) Transparent network encryption system implementation method based on FPGA
KR101055861B1 (en) Communication system, communication device, communication method and communication program for realizing it
US8533473B2 (en) Method and apparatus for reducing bandwidth usage in secure transactions
CN102347870B (en) A kind of flow rate security detection method, equipment and system
US8392716B2 (en) Communication apparatus, digital signature issuance method and apparatus, and digital signature transmission method
US20030023845A1 (en) Method and apparatus for providing secure streaming data transmission facilites using unreliable protocols
US8650397B2 (en) Key distribution to a set of routers
JP2004295891A (en) Method for authenticating packet payload
CN114050921B (en) UDP-based high-speed encryption data transmission system realized by FPGA
CN113904809B (en) Communication method, device, electronic equipment and storage medium
KR100948604B1 (en) Security method of mobile internet protocol based server
CN113572766A (en) Power data transmission method and system
KR100415554B1 (en) Method for transmitting and receiving of security provision IP packet in IP Layer
CN107276996A (en) The transmission method and system of a kind of journal file
Gbur et al. A quic (k) way through your firewall?
CN115834026A (en) Safety encryption method based on industrial protocol
KR100449809B1 (en) Improved method for securing packets providing multi-security services in ip layer
Song et al. Anonymous-address-resolution model
Hohendorf et al. Secure end-to-end transport over sctp
KR102580639B1 (en) Data system and encryption method based on key exchange cryptographic protocol using enhanced security function in network layer
CN115333859B (en) IPsec protocol message encryption and decryption method based on chip scheme
CN117544424B (en) Multi-protocol intelligent park management and control platform based on ubiquitous connection
CN114465755B (en) IPSec transmission abnormality-based detection method, device and storage medium
Arora et al. Comparison of VPN protocols–IPSec, PPTP, and L2TP
KR20070121323A (en) A method for ipsec supporting mechanism for nat-pt between ipv6 and ipv4 networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination