CN116418544A - High-speed encryption and decryption engine and encryption and decryption implementation method - Google Patents

High-speed encryption and decryption engine and encryption and decryption implementation method

Info

Publication number
CN116418544A
CN116418544A
Authority
CN
China
Prior art keywords
service
password
encryption
cryptographic
key
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111682867.6A
Other languages
Chinese (zh)
Inventor
周杰
郝立燕
厉彦忠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Institute Of Quantum Science And Technology Co ltd
Quantumctek Co Ltd
Original Assignee
Shandong Institute Of Quantum Science And Technology Co ltd
Quantumctek Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Institute Of Quantum Science And Technology Co ltd and Quantumctek Co Ltd
Priority to CN202111682867.6A
Publication of CN116418544A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a high-speed encryption and decryption engine and an encryption and decryption implementation method. A plurality of physical channels provide cryptographic services to a plurality of service processing modules, which solves the problem that a cryptographic card can only offer a single service channel. The second-level key (the key encryption key) is imported into the FPGA chip and cached there, and the session keys are lifecycle-managed by the FPGA chip, which reduces the time spent on key updates during cryptographic operations and significantly lowers the processing latency of cryptographic services. The FPGA chip serves as the core processing unit for cryptographic operations, realizing multi-stage parallel pipeline processing and effectively improving processing performance.

Description

High-speed encryption and decryption engine and encryption and decryption implementation method
Technical Field
The invention relates to the field of cryptography, in particular to a high-speed encryption and decryption engine based on a new hardware architecture and to an encryption and decryption implementation method.
Background
Cryptographic products are widely used in modern communication systems; common products include server cryptographic machines (HSMs), cryptographic cards and CA systems. A cryptographic product has two main functions: cryptographic operation and key management. To improve product reliability and ease maintenance, cryptographic operation and key management are usually implemented in separate modules, and the cryptographic card is one such product. In existing product designs, the cryptographic operation and key management functions are generally realized by integrating a cryptographic card; the card is equipped with a single PCI-E high-speed interface, so it can provide cryptographic service to only one service processing module. Two main hardware architectures exist for the cryptographic card: one is a DSP+FPGA architecture, the other a DSP+cryptographic algorithm chip architecture.
In the first architecture, the DSP mainly realizes the key management function and the FPGA mainly realizes the cryptographic operation function; the corresponding hardware architecture is shown in fig. 1. The cryptographic card generally adopts a three-level key structure consisting of a master key, a key encryption key and a session key, all managed by the DSP. The cryptographic card receives a service call instruction from the service processing module, extracts the corresponding key from the DSP and transmits it to the FPGA; the FPGA invokes the algorithm chip to perform the cryptographic operation and returns the result to the service processing module.
In the second architecture, the DSP mainly realizes the key management function and the cryptographic algorithm chip performs the cryptographic operation; the corresponding hardware architecture is shown in fig. 2.
At present, cryptographic equipment generally realizes cryptographic operation, key management and related functions by integrating a general-purpose PCI-E cryptographic card. Investigation shows that the prior art has at least the following technical disadvantages:
(1) The general-purpose cryptographic card provides only one PCI-E interface and cannot provide cryptographic service to multiple service processing modules at the same time;
(2) The second-level and third-level keys are stored in the security chip, so frequently switching keys during cryptographic operation is costly in time and the service processing latency is high;
(3) The cryptographic card provides its service without parallel, multi-stage pipeline processing, so its processing performance is low.
Disclosure of Invention
In view of the defects in the prior art, the invention provides cryptographic service to a plurality of service processing modules through a plurality of physical channels, solving the problem that a cryptographic card can only provide a single service channel; the second-level key (the key encryption key) is imported into the FPGA and cached there, and the session keys are lifecycle-managed by the FPGA, so that the time spent updating keys during cryptographic operation is reduced and the processing latency of cryptographic services is significantly lowered; and the FPGA is used as the core processing unit for cryptographic operations, realizing multi-stage parallel pipeline processing and effectively improving processing performance.
The first aspect of the invention relates to a high-speed encryption and decryption engine comprising an FPGA chip, a security chip and a plurality of cryptographic operation modules, wherein:
the FPGA chip is configured to receive call instructions from a plurality of service processing modules through a plurality of service interfaces and to parse the call instructions to obtain instruction information;
the FPGA chip is further configured to perform cryptographic operation processing in parallel, classified according to the cryptographic service type in the instruction information, and to send the cryptographic operation processing results to the cryptographic operation module corresponding to the cryptographic algorithm type in the instruction information;
the cryptographic operation module is configured to perform the cryptographic operation of that algorithm type on the service data in the instruction information and to output a cryptographic operation result; and
the high-speed encryption and decryption engine is provided with keys comprising a master key, a key encryption key and a session key;
the security chip is configured to implement lifecycle management of the master key and the key encryption key;
the FPGA chip is further configured to implement lifecycle management of the session key;
the key encryption key is synchronously cached in the FPGA chip before the cryptographic operation is performed.
Further, the call instruction is encapsulated in the form of an application interface function; and/or the cryptographic service types include a symmetric encryption/decryption service, a hash operation service, a MAC operation service, an asymmetric algorithm operation service, a random number generation service, a signature service and a signature verification service; and/or the instruction information includes the cryptographic service type, the cryptographic algorithm type, the service data and service interface number information; and/or the cryptographic algorithm types include the SM2, SM3 and SM4 algorithms.
Further, the FPGA chip is provided with an interface polling scheduling module and a call instruction parsing/encapsulation module;
the interface polling scheduling module is configured to query the state of the service interfaces by polling and to read the call instructions;
the call instruction parsing/encapsulation module is configured to parse the call instruction to obtain the instruction information.
Furthermore, the FPGA chip is also provided with a cryptographic service classification scheduling module and a plurality of cryptographic operation processing modules;
the cryptographic service classification scheduling module is configured to classify by cryptographic service type and to send the instruction information to the cryptographic operation processing module selected by the classification result;
the cryptographic operation processing module is configured to obtain the cryptographic operation intermediate value, the key and the service data from the instruction information and to generate a protocol frame based on them.
Still further, the FPGA chip is provided with an arbitration module configured to poll the cryptographic operation processing modules and to transmit the protocol frames in turn to the cryptographic operation module corresponding to the cryptographic algorithm type.
Still further, the arbitration module is further configured to return the cryptographic operation result to the cryptographic operation processing module that issued the protocol frame;
the cryptographic operation processing module is further configured to generate a data frame from the cryptographic operation result and send it to the cryptographic service classification scheduling module;
the cryptographic service classification scheduling module is further configured to merge the data of the one or more data frames belonging to the same call instruction into one path and send it to the call instruction parsing/encapsulation module;
the call instruction parsing/encapsulation module is further configured to encapsulate the data returned by the cryptographic service classification scheduling module and pass the encapsulated data to the interface polling scheduling module;
the interface polling scheduling module is further configured to return the encapsulated data, via the service interface, to the service processing module that issued the call instruction.
Further, the high-speed encryption and decryption engine of the invention further comprises a non-volatile memory configured to cache at least one of the keys, the intermediate values of the cryptographic operations, the service data and the random numbers; and/or a random number generation module that generates true random numbers for key generation.
The second aspect of the invention relates to a high-speed encryption and decryption implementation method comprising the following steps:
receiving a plurality of call instructions in parallel through a plurality of service interfaces;
reading the call instructions by polling and parsing them to obtain instruction information;
classifying by cryptographic service type and performing cryptographic operation processing on the instruction information, per class and in parallel, to generate protocol frames;
classifying by cryptographic algorithm type and performing the cryptographic operations on the protocol frames, per class and in parallel, to generate cryptographic operation results.
Further, the high-speed encryption and decryption implementation method of the invention may further comprise the following steps:
classifying by cryptographic service type and generating data frames from the cryptographic operation results, per class and in parallel;
encapsulating the data frames according to the call instruction;
and returning the encapsulated data via the service interface.
Preferably, the high-speed encryption and decryption implementation method of the invention is executed in the high-speed encryption and decryption engine described above.
Drawings
The embodiments of the invention are described in further detail below with reference to the drawings.
In order to illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required for the embodiments or for the description of the prior art are briefly described below. The drawings in the following description are only some embodiments of the invention, and other drawings may be derived from them by a person skilled in the art without inventive effort.
FIG. 1 illustrates one architecture of a prior art cryptographic card;
FIG. 2 illustrates another architecture of a prior art cryptographic card;
FIG. 3 illustrates the hardware architecture of a high-speed encryption and decryption engine according to the invention;
FIG. 4 illustrates the key caching scheme of the three-level key hierarchy in the high-speed encryption and decryption engine and implementation method according to the invention;
FIG. 5 shows the cryptographic service processing flow in the high-speed encryption and decryption engine and implementation method according to the invention;
FIG. 6 shows the multi-stage pipeline scheduling process in the high-speed encryption and decryption engine and implementation method according to the invention.
Detailed Description
Exemplary embodiments of the invention are described in detail below with reference to the accompanying drawings. The following examples are provided by way of illustration so as to fully convey the spirit of the invention to those skilled in the art; the invention is not limited to the embodiments disclosed herein.
Fig. 3 shows the hardware architecture of a high-speed encryption and decryption engine according to the invention.
As shown in the figure, the high-speed encryption and decryption engine of the invention can process at high speed the cryptographic services required by a plurality of service processing modules. These services may include, but are not limited to, a symmetric encryption/decryption service, a hash operation service, a MAC operation service, an asymmetric algorithm operation service, a random number generation service, and signature and signature verification services.
A service processing module sends a call instruction to the FPGA chip via a service interface to communicate the cryptographic service it requires. As shown in the figure, the encryption and decryption engine of the invention allows a plurality of service processing modules to exchange data with the FPGA chip in parallel through a plurality of service interfaces, and therefore has the capacity to process a plurality of cryptographic services simultaneously.
The call instruction may be encapsulated in the form of an application interface function. The application interface function may be defined according to the specific type of service interface.
In the invention, the call instruction may carry instruction information such as the cryptographic service type, service data, control information, cryptographic algorithm type and flow control information. The service data is the data on which the service processing module asks the encryption and decryption engine to perform the corresponding cryptographic algorithm operation. The cryptographic service types may include a key management class, an asymmetric cryptographic operation class, a symmetric cryptographic operation class, a hash operation class and the like. The cryptographic algorithms may include, for example, the SM2/SM3/SM4 algorithms.
In addition, to distinguish the different service processing modules conveniently, the call instruction may further carry service interface number information.
In a preferred embodiment, the service interface may be a high-speed serial interface such as a SerDes interface.
When the FPGA chip receives a call instruction from a service processing module through a service interface, it parses the call instruction to obtain the corresponding instruction information, invokes the corresponding key and cryptographic algorithm according to that information to perform the cryptographic operation, and returns the operation result to the service processing module that issued the call.
In the invention, in order to process various cryptographic services at the same time, a plurality of cryptographic operation modules may be provided in the high-speed encryption and decryption engine; they may be implemented, for example, by algorithm chips such as an SM4 algorithm chip or an SM2/3 algorithm chip, as shown in fig. 3.
Therefore, once the FPGA chip has obtained the instruction information by parsing the call instruction, it can fetch the corresponding key and the service data according to the cryptographic algorithm type in the instruction information and send them together to the corresponding cryptographic operation module, where the cryptographic operation on the service data is performed with that key under the corresponding algorithm. For example, when service processing module 1 sends a call instruction through service interface 1 requesting SM4 encryption or decryption of its service data, the FPGA chip, based on its parsing of the call instruction, forwards the corresponding key and the service data to the SM4 algorithm chip, which performs the SM4 encryption or decryption of the service data with that key.
The invention adopts a three-level key system: the high-speed encryption and decryption engine is provided with three levels of keys, namely a master key, a key encryption key and a session key.
In order to generate keys, the high-speed encryption and decryption engine of the invention may further be provided with a random number generation module that generates true random numbers for key generation. As an example, the random number generation module may include a true random number chip.
In order to establish the three-level key system securely, a security chip is arranged in the high-speed encryption and decryption engine to implement lifecycle management of the master key and the key encryption key, while lifecycle management of the session keys is performed by the FPGA chip. The lifecycle of a key here refers to the whole process from key generation to final destruction; lifecycle management of a key may include, for example, key generation, key installation, key storage, key use and key destruction. In addition, the security chip may also be used to implement functions such as user identity authentication.
In order to improve the performance of cryptographic operation processing and allow multiple cryptographic services to be processed simultaneously at high speed, in the encryption and decryption engine of the invention the key encryption key held in the security chip is synchronously stored in a cache in the FPGA chip before cryptographic operations are performed, for example when a legitimate user logs in, as shown in fig. 4. Thus, when a cryptographic operation has to be executed, both the second-level key (the key encryption key) and the third-level keys (the session keys) are already cached in the FPGA chip, which reduces the time spent on key replacement during cryptographic operation, effectively lowers the latency of cryptographic services, greatly raises the operating speed of the engine, and is highly favourable to synchronous parallel multi-task processing.
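The three-level hierarchy and the caching scheme of fig. 4 can be modelled in a few dozen lines. The following is an added example, not the patent's design or the assignees' code: the `SecurityChip` and `FpgaKeyCache` classes, the `wrap_key`/`unwrap_key` helpers and the round-trip counter are assumptions introduced for illustration. HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for the SM4-based key wrapping a real cryptographic card would use; `os.urandom` stands in for the true random number chip. What the model shows is the property the text claims: after a single KEK export at login, every session-key generation, use and destruction stays inside the FPGA with no further round trip to the security chip, and a session key whose wrapped form has been tampered with is rejected rather than used.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 tag


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; a stand-in for SM4, not a production construction.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(wrapping_key, key_to_wrap):
    """Encrypt-then-MAC wrapping of one key under the key one level above it."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(wrapping_key, nonce, len(key_to_wrap))
    body = bytes(a ^ b for a, b in zip(key_to_wrap, stream))
    tag = hmac.new(wrapping_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unwrap_key(wrapping_key, blob):
    """Verify the tag first; only an intact wrapped key is ever unwrapped."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(wrapping_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(body, _keystream(wrapping_key, nonce, len(body))))


class SecurityChip:
    """Lifecycle owner of the master key and the key encryption key (KEK).
    Every method call here models a slow round trip off the FPGA (assumed model)."""

    def __init__(self):
        self.round_trips = 0
        self._master_key = os.urandom(16)  # stand-in for true-RNG output
        self._wrapped_kek = wrap_key(self._master_key, os.urandom(16))

    def export_kek(self, user_authenticated):
        self.round_trips += 1
        if not user_authenticated:
            raise PermissionError("KEK export requires an authenticated user")
        return unwrap_key(self._master_key, self._wrapped_kek)


class FpgaKeyCache:
    """Session-key lifecycle (generate, install, use, destroy) inside the FPGA.
    The KEK is fetched once at login; afterwards all session-key work stays on-chip."""

    def __init__(self, chip):
        self.chip = chip
        self.kek = None
        self.sessions = {}  # key address -> session key wrapped under the cached KEK

    def login(self):
        self.kek = self.chip.export_kek(user_authenticated=True)

    def generate_session_key(self, addr):
        if self.kek is None:
            raise RuntimeError("KEK not cached; log in first")
        self.sessions[addr] = wrap_key(self.kek, os.urandom(16))

    def mac(self, addr, data):
        """One cryptographic operation with the session key at `addr` (MAC service as the sample)."""
        if self.kek is None:
            raise RuntimeError("KEK not cached; log in first")
        session_key = unwrap_key(self.kek, self.sessions[addr])
        return hmac.new(session_key, data, hashlib.sha256).digest()

    def destroy_session_key(self, addr):
        self.sessions.pop(addr, None)

    def logout(self):
        # Destroying the cache on logout is what keeps the KEK copy short-lived.
        self.sessions.clear()
        self.kek = None
```

In use, `chip.round_trips` stays at 1 however many session keys are generated and used after `login()`, which is the latency argument of the text in measurable form; before `login()` the cache refuses to work, and `logout()` wipes both the KEK copy and the session keys so nothing survives the user's session on the FPGA side.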
The workflow of the FPGA chip in the high-speed encryption/decryption engine of the invention is described in detail below with reference to figs. 5 and 6.
As shown in fig. 5, faced with call instructions sent by a plurality of service processing modules, the FPGA chip queries the state of each service interface by polling, reads the next call instruction to be processed, and parses that call instruction (application interface function) to obtain the corresponding instruction information.
In one embodiment, as shown in fig. 6, an interface polling scheduling module and a call instruction parsing/encapsulation module may be provided in the FPGA chip. The interface polling scheduling module queries the state of all service interfaces by polling and reads the call instructions. The call instruction parsing/encapsulation module parses each call instruction (application interface function) to obtain the corresponding instruction information, such as the cryptographic service type, service data, control information, cryptographic algorithm type, flow control information and service interface number information.
With continued reference to fig. 6, a cryptographic service classification scheduling module may also be provided in the FPGA chip; it classifies the cryptographic service according to instruction information such as the cryptographic service type and forwards the corresponding instruction information to the matching cryptographic operation processing module according to the classification result. For example, one call instruction may involve several cryptographic service types; the cryptographic service classification scheduling module then splits the cryptographic services of that call instruction by type and sends the corresponding instruction information to different cryptographic operation processing modules (also called cryptographic operation units), so that the operations for each service type are completed in different modules and all the cryptographic services required by the call instruction are finally fulfilled.
This completes the first level of scheduling in cryptographic service processing.
In the cryptographic operation processing module, the corresponding cryptographic operation intermediate values, keys, service data, control information, cryptographic algorithm, flow control information and other data are obtained from the instruction information. For example, as shown in fig. 5, the key may be fetched from the corresponding key cache using the key address information. The cryptographic operation intermediate value may be, for example, data produced when the application interface function was invoked, such as the hash value computed during digital signing.
With continued reference to fig. 6, after obtaining the data described above, the cryptographic operation processing module generates a protocol frame based on (but not limited to) the key, the cryptographic operation intermediate value and the service data, and sends the protocol frame to the arbitration module according to the cryptographic algorithm type.
The arbitration module polls each cryptographic operation processing module and forwards the protocol frames they output, in turn, to the corresponding cryptographic operation module (e.g. algorithm chip). This completes the second level of scheduling in cryptographic service processing.
In the cryptographic operation module, the cryptographic operation on the service data is performed with the key under the preset cryptographic algorithm, and the operation result is output to the arbitration module.
The arbitration module returns the operation result output by the cryptographic operation module to the corresponding cryptographic operation processing module.
In the cryptographic operation processing module, a data frame is generated from the returned operation result and sent to the cryptographic service classification scheduling module.
In the cryptographic service classification scheduling module, the data in the data frames that belong to the same call instruction, possibly coming from one or more cryptographic operation processing modules, are merged into one path and sent to the call instruction parsing/encapsulation module.
This completes the first level of scheduling in the output of cryptographic service processing results.
In the call instruction parsing/encapsulation module, the data returned by the cryptographic service classification scheduling module is encapsulated, for example into an application interface function, and the encapsulated application interface function is passed to the interface polling scheduling module.
In the interface polling scheduling module, the returned application interface function is delivered to the corresponding service processing module through the corresponding service interface.
This completes the second level of scheduling in the output of cryptographic service processing results.
In the invention, data such as keys, intermediate values of cryptographic operations, service data and random numbers may be stored in the cache of the FPGA chip.
In a preferred embodiment, an additional memory may be provided in the encryption and decryption engine to cache keys, intermediate values of cryptographic operations, service data, random numbers and the like, to meet the requirement of large data volumes. The source text describes this memory as non-volatile and gives DDR memory as the example; DDR SDRAM is in fact volatile, so the two statements cannot both hold. Either way, keys cached outside the FPGA fabric should be kept wrapped under the key encryption key rather than held in the clear.
The working principle of the invention is further explained by describing the high-speed encryption and decryption implementation method according to the invention. For brevity, content already described above is not repeated.
In the high-speed encryption and decryption implementation method of the invention, a plurality of service processing modules can send call instructions to the FPGA chip in parallel through a plurality of service interfaces (for example, SerDes interfaces on the FPGA chip).
In the FPGA chip, the call instructions at each service interface are read according to a preset rule (for example, by polling), e.g. by the interface polling scheduling module, and each call instruction is parsed to obtain instruction information, e.g. by the call instruction parsing/encapsulation module.
Then, in the FPGA chip, the instruction information is classified by cryptographic service, for example by the cryptographic service classification scheduling module, and cryptographic operation processing is performed on the corresponding instruction information in different cryptographic operation processing modules according to the cryptographic service type. Because there are several cryptographic operation processing modules, several cryptographic operation processes run in parallel, so different cryptographic services from one or more call instructions are processed at the same time and operating efficiency is greatly improved. As an example, during cryptographic operation processing a protocol frame may be generated based on (but not limited to) the key, the cryptographic operation intermediate value and the service data.
Subsequently, in the FPGA chip, the different cryptographic operation processing results (e.g. protocol frames) are executed in parallel under the corresponding cryptographic algorithm, according to the cryptographic algorithm type, to obtain the operation results. For example, a plurality of cryptographic operation modules (algorithm chips) executing the same or different cryptographic algorithms may be provided so that a plurality of cryptographic operation processing results are processed simultaneously.
When the cryptographic operation is completed, the operation results for the different cryptographic operation processing results are returned, for example, to the corresponding cryptographic operation processing modules. The one or more operation results belonging to the same call instruction are then encapsulated together (for example, an application interface function is generated), and the encapsulated operation results are returned to the corresponding service processing module.
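The two-level scheduling pipeline of figs. 5 and 6, and the method steps just listed, can be exercised end to end in software. The following is an added example, not the patent's RTL or the assignees' code: the call-instruction and reply frame layouts, the service bitmask, the `KEY_CACHE` contents and the module names are assumptions introduced for illustration, and SHA-256 and HMAC-SHA256 stand in for an SM3 hash module and a MAC module because no SM2/SM3/SM4 implementation is assumed to be available (the algorithm-type field is carried in the frame but the stand-in modules are selected by service type). The model covers each stage the text describes: round-robin interface polling, parsing of the call instruction, splitting one call by service type into protocol frames (first-level scheduling), round-robin arbitration of those frames onto the algorithm modules (second-level scheduling), and merging the results of one call instruction into a single reply for the interface that issued it. It also rejects a truncated frame, an unknown service type and a key address missing from the cache instead of operating on them.

```python
import hashlib
import hmac
import struct
from collections import defaultdict, deque

# Cryptographic service types as a bitmask in the call instruction (assumed encoding).
SVC_HASH = 0x01
SVC_MAC = 0x02
SUPPORTED = SVC_HASH | SVC_MAC

# Call-instruction header: interface no., call id, service mask, algorithm type,
# key address, service-data length (assumed layout; network byte order).
CALL_HDR = struct.Struct("!BHBBHH")
REPLY_HDR = struct.Struct("!HB")  # call id, number of result fields


def encapsulate_call(iface, call_id, services, alg, key_addr, data):
    """Service-processing-module side: pack one call instruction frame."""
    return CALL_HDR.pack(iface, call_id, services, alg, key_addr, len(data)) + data


def parse_call(frame):
    """Call-instruction parsing module: frame bytes -> instruction information."""
    if len(frame) < CALL_HDR.size:
        raise ValueError("frame shorter than header")
    iface, call_id, services, alg, key_addr, n = CALL_HDR.unpack_from(frame)
    if services & ~SUPPORTED:
        raise ValueError("unsupported cryptographic service type 0x%02x" % services)
    data = frame[CALL_HDR.size:CALL_HDR.size + n]
    if len(data) != n:
        raise ValueError("service data truncated")
    return {"iface": iface, "call_id": call_id, "services": services,
            "alg": alg, "key_addr": key_addr, "data": data}


def encapsulate_reply(call_id, results):
    body = b"".join(struct.pack("!BB", svc, len(r)) + r for svc, r in sorted(results.items()))
    return REPLY_HDR.pack(call_id, len(results)) + body


def parse_reply(frame):
    call_id, count = REPLY_HDR.unpack_from(frame)
    offset, results = REPLY_HDR.size, {}
    for _ in range(count):
        svc, n = struct.unpack_from("!BB", frame, offset)
        results[svc] = frame[offset + 2:offset + 2 + n]
        offset += 2 + n
    return call_id, results


# Session-key cache in the FPGA (addresses and key bytes are constructed).
KEY_CACHE = {0x0010: b"\x11" * 16, 0x0011: b"\x22" * 16}

# Cryptographic operation modules (the algorithm chips), one per service type.
# SHA-256 stands in for SM3 and HMAC-SHA256 for the MAC service.
ALG_MODULES = {
    SVC_HASH: lambda key, data: hashlib.sha256(data).digest(),
    SVC_MAC: lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
}


def run_engine(interfaces):
    """interfaces: one list of raw call frames per service interface.
    Returns {iface: [reply frames]} in the order the replies were produced."""
    interfaces = [deque(q) for q in interfaces]
    replies = defaultdict(list)
    proc_queues = {svc: deque() for svc in ALG_MODULES}  # one per service type
    pending = {}  # call id -> which services were asked for and which have returned
    while any(interfaces):
        # Interface polling: one call instruction from each non-empty interface per round.
        for q in interfaces:
            if not q:
                continue
            info = parse_call(q.popleft())
            pending[info["call_id"]] = {"iface": info["iface"], "want": info["services"], "got": {}}
            # First-level scheduling: split the call by service type into protocol frames.
            for svc in ALG_MODULES:
                if info["services"] & svc:
                    key = KEY_CACHE.get(info["key_addr"]) if svc == SVC_MAC else None
                    if svc == SVC_MAC and key is None:
                        raise LookupError("no session key at address 0x%04x" % info["key_addr"])
                    proc_queues[svc].append((info["call_id"], key, info["data"]))
        # Second-level scheduling: the arbiter polls each processing queue and hands
        # one protocol frame per round to the matching algorithm module.
        while any(proc_queues.values()):
            for svc, q in proc_queues.items():
                if not q:
                    continue
                call_id, key, data = q.popleft()
                entry = pending[call_id]
                entry["got"][svc] = ALG_MODULES[svc](key, data)
                # Merge: reply only once every service requested by this call has returned.
                if all(not (entry["want"] & s) or s in entry["got"] for s in ALG_MODULES):
                    replies[entry["iface"]].append(encapsulate_reply(call_id, entry["got"]))
                    del pending[call_id]
    return dict(replies)
```

Feeding two interfaces, where one call asks for both a hash and a MAC of the same service data, shows the merge step: that call produces a single reply carrying both results, delivered on the interface it came from, while calls on the other interface are served in the same polling rounds.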
The implementation of the invention employs a three-level key hierarchy in which the master key and the key encryption key may be stored, for example, in a security chip and the session keys in the FPGA chip; the key encryption key is cached in the FPGA chip in advance of performing cryptographic operations.
Therefore, by combining an FPGA chip with a security chip, the invention effectively improves cryptographic operation processing performance and reduces processing latency through multi-channel cryptographic service calls and the parallel operation of multiple cryptographic operation modules.
In the high-speed encryption and decryption engine and implementation method, a plurality of physical channels let the same FPGA chip provide cryptographic services to different service processing modules, which greatly improves the utilization of hardware resources; the key cache and the cryptographic operation control are realized in the same chip, which greatly reduces the time spent on key update/switching and effectively reduces cryptographic service processing latency; and the execution of cryptographic operations exploits the parallel processing capability of the FPGA chip through a multi-stage parallel pipelined operating mechanism, which effectively improves processing performance.
While the invention has been described in connection with the specific embodiments illustrated in the drawings, those skilled in the art will readily appreciate that the above embodiments merely illustrate the principles of the invention and are not intended to limit its scope; various combinations, modifications and equivalents of the above embodiments may be made by those skilled in the art without departing from the spirit and scope of the invention.

Claims (10)

1. A high-speed encryption and decryption engine, comprising an FPGA chip, a security chip and a plurality of cryptographic operation modules, wherein:
the FPGA chip is configured to receive call instructions from a plurality of service processing modules through a plurality of service interfaces and to parse the call instructions to obtain instruction information;
the FPGA chip is further configured to perform cryptographic operation processing on the instruction information, classified by the cryptographic service type carried in the instruction information and executed in parallel, and to send each cryptographic operation processing result to the cryptographic operation module corresponding to the cryptographic algorithm type carried in the instruction information;
each cryptographic operation module is configured to perform the cryptographic operation of its cryptographic algorithm type on the service data in the instruction information and to output a cryptographic operation result;
the high-speed encryption and decryption engine holds keys comprising a master key, a key encryption key and a session key;
the security chip is configured to manage the lifecycle of the master key and the key encryption key;
the FPGA chip is further configured to manage the lifecycle of the session key; and
the key encryption key is synchronously cached in the FPGA chip before the cryptographic operation is performed.
2. The high-speed encryption and decryption engine of claim 1, wherein:
the call instruction is encapsulated in the form of an application interface function;
and/or the cryptographic service type comprises a symmetric encryption/decryption service, a hash operation service, a MAC operation service, an asymmetric algorithm operation service, a random number generation service, a signature service and a signature verification service;
and/or the instruction information comprises the cryptographic service type, the cryptographic algorithm type, the service data and a service interface number;
and/or the cryptographic algorithm types comprise the SM2, SM3 and SM4 algorithms.
3. The high-speed encryption and decryption engine of claim 1, wherein the FPGA chip is provided with an interface polling scheduling module and a call instruction parsing/encapsulation module;
the interface polling scheduling module is configured to query the state of the service interfaces by polling and to read the call instructions;
the call instruction parsing/encapsulation module is configured to parse the call instructions to obtain the instruction information.
4. The high-speed encryption and decryption engine of claim 3, wherein:
the FPGA chip is further provided with a cryptographic service classification scheduling module and a plurality of cryptographic operation processing modules;
the cryptographic service classification scheduling module is configured to classify the instruction information by cryptographic service type and to send it to the cryptographic operation processing module selected by the classification result;
each cryptographic operation processing module is configured to obtain a cryptographic operation intermediate value, a key and the service data from the instruction information and to generate a protocol frame from them.
5. The high-speed encryption and decryption engine of claim 4, wherein the FPGA chip is further provided with an arbitration module configured to poll the cryptographic operation processing modules and sequentially transmit the protocol frames to the cryptographic operation modules corresponding to the type of cryptographic algorithm.
6. The high-speed encryption and decryption engine of claim 5, wherein:
the arbitration module is further configured to return each cryptographic operation result to the cryptographic operation processing module that produced the corresponding protocol frame;
the cryptographic operation processing module is further configured to generate a data frame from the cryptographic operation result and to send the data frame to the cryptographic service classification scheduling module;
the cryptographic service classification scheduling module is further configured to merge the data of the one or more data frames corresponding to a call instruction into one path and to send it to the call instruction parsing/encapsulation module;
the call instruction parsing/encapsulation module is further configured to encapsulate the data returned by the cryptographic service classification scheduling module and to return the encapsulated data to the interface polling scheduling module;
the interface polling scheduling module is further configured to return the encapsulated data, via the service interface, to the service processing module that issued the call instruction.
7. The high-speed encryption and decryption engine of claim 1, further comprising a non-volatile memory configured to cache at least one of the key, a cryptographic operation intermediate value, the service data and a random number;
and/or further comprising a random number generation module for generating true random numbers for the generation of the key.
8. A high-speed encryption and decryption implementation method, comprising the steps of:
receiving a plurality of call instructions in parallel through a plurality of service interfaces;
reading the call instructions by polling, and parsing the call instructions to obtain instruction information;
classifying by cryptographic service type, and performing cryptographic operation processing on the instruction information per class and in parallel to generate protocol frames;
classifying by cryptographic algorithm type, and performing cryptographic operations on the protocol frames per class and in parallel to generate cryptographic operation results.
9. The high-speed encryption and decryption implementation method of claim 8, further comprising the steps of:
classifying by cryptographic service type, and generating data frames from the cryptographic operation results per class and in parallel;
encapsulating the data frames according to the call instruction;
and returning the encapsulated data via the service interface.
10. The high-speed encryption and decryption implementation method of claim 9, executed in the high-speed encryption and decryption engine of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111682867.6A CN116418544A (en) 2021-12-30 2021-12-30 High-speed encryption and decryption engine and encryption and decryption implementation method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111682867.6A CN116418544A (en) 2021-12-30 2021-12-30 High-speed encryption and decryption engine and encryption and decryption implementation method

Publications (1)

Publication Number Publication Date
CN116418544A (en) 2023-07-11

Family

ID=87056981

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111682867.6A Pending CN116418544A (en) 2021-12-30 2021-12-30 High-speed encryption and decryption engine and encryption and decryption implementation method

Country Status (1)

Country Link
CN (1) CN116418544A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116633544A (en) * 2023-07-21 2023-08-22 杭州海康威视数字技术股份有限公司 Multi-core key hierarchical storage and synchronization method and device in hardware password module
CN116633544B (en) * 2023-07-21 2023-10-10 杭州海康威视数字技术股份有限公司 Multi-core key hierarchical storage and synchronization method and device in hardware password module


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination