CN117118636A - IPv6 national security network card - Google Patents

Info

Publication number
CN117118636A
Authority
CN
China
Prior art keywords
ipv6
network card
security
national security
chip
Prior art date
Legal status
Granted
Application number
CN202311367983.8A
Other languages
Chinese (zh)
Other versions
CN117118636B (en)
Inventor
冯国柱
石理智
黄名超
李京泽
周炳佳
Current Assignee
Hunan Cryptographic Engineering Research Center Co ltd
Original Assignee
Hunan Cryptographic Engineering Research Center Co ltd
Priority date
Filing date
Publication date

Classifications

    • H04L9/3234: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected (e.g. by encrypting or encapsulating the payload) and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L9/0897: Key distribution or management (generation, sharing or updating of cryptographic keys or passwords); escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage, involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L9/40: Network security protocols
    • H04L2101/659: Indexing scheme associated with group H04L61/00; types of network addresses; details of network addresses; Internet protocol version 6 [IPv6] addresses

Abstract

The application discloses an IPv6 national security network card. The application relates to the technical field of communication and addresses the problem that existing schemes cannot effectively provide secure and reliable data transmission between terminal devices in environments with higher security-level requirements. The IPv6 national security network card of the application comprises a main control chip MCU, a network control chip, an encryption chip and an FPGA chip. In terms of security, encryption protection is applied from the data source, avoiding the risk of disclosure during data transmission. In terms of performance, the transmission speed is increased, latency is reduced and throughput is greatly improved. In terms of access control, the interconnection authority of the host device carrying the network card is established dynamically by means of an IPv6-native security policy management mechanism. In practical terms, the card is plug-and-play, saving the cost of cryptographic retrofit.

Description

IPv6 national security network card
Technical Field
The application relates to the technical field of communication, in particular to an IPv6 national security network card.
Background
With the spread of information system construction, large-scale data leakage incidents occur frequently, and cryptographic technology, as the core and foundation of network security, has become a focus of attention for all parties. With the spread of the IPv6 protocol and the continued deepening of cryptographic assessment and cryptographic retrofit, greatly reducing the cost of adapting cryptographic products to business systems during assessment, and reducing the difficulty of applying cryptography for users, has become an important link in the assessment and retrofit process. Current cryptographic retrofit schemes tend to be large and all-encompassing: the cryptographic capability a user ultimately purchases can far exceed actual needs, and in use this produces two extremes, excess cryptographic capability that goes unused and cryptographic support services that are eventually abandoned. These factors are very unfavourable to the popularisation of commercial cryptography.
The prior art generally employs either a scheme that deploys VPN devices or a scheme that invokes cryptographic hardware or platform services. In the VPN scheme, the VPN device is deployed at the network boundary and secures transmission between boundaries only, so a transmission security risk remains for the data on either side of the boundary. At the same time, the transmission performance bottleneck of the VPN device can only be relieved by stacking VPN products in a cluster, which greatly increases cost and greatly reduces communication efficiency and concurrent service capacity; to avoid affecting existing services, the user is forced to purchase higher-performance VPN server-side equipment.
In the scheme that invokes cryptographic hardware or a platform, part of the work, such as data encryption, identity authentication, signing and protection of sensitive information, is performed by embedded cryptographic hardware or by external encryption hardware. When external encryption hardware is invoked for data encryption, the encryption is not performed at the data source, so a transmission security risk remains; when embedded cryptographic hardware is invoked for data encryption protection, the throughput of data transmission is severely constrained and transmission latency is high, which greatly affects services with strict real-time requirements. In environments with higher security-level requirements, existing schemes cannot effectively solve the problem of secure and reliable data transmission between terminal devices.
Disclosure of Invention
In view of the defects of the prior art, the application aims to provide an IPv6 national security network card that solves the problem that existing schemes cannot effectively provide secure and reliable data transmission between terminal devices in environments with higher security-level requirements.
The application provides an IPv6 national security network card comprising a main control chip MCU, a network control chip, an encryption chip and an FPGA chip. The network control chip, the encryption chip and the FPGA chip are each communicatively connected to the main control chip MCU; the main control chip MCU communicates with external applications through a serial port, the FPGA chip communicates with external applications through a parallel port, and the network control chip connects to the IPv6 network through an RJ45 interface;
the main control chip MCU performs IP-layer data unpacking and packing, link concurrency management, security policy configuration and activation of applications;
the network control chip offloads the IPv6 protocol and accelerates the network;
the encryption chip provides the related cryptographic operation services and key storage;
the FPGA chip communicates with the PCI bus of the host computer and is responsible for accelerating the SM9 algorithm.
Further, the IPv6 national security network card also includes a FLASH chip and a memory chip, each communicatively connected to the MCU;
the FLASH chip stores a microsystem, which is built on BusyBox and whose default security policy closes all external service ports;
the memory chip allows the microsystem to run from memory.
Further, the microsystem is built as follows: a rootfs is built with BusyBox, the Linux kernel is trimmed and optimized and compiled in ramdisk mode, and the built rootfs is imported to produce the microsystem.
Further, the network driver protocol is modified so that when network data arrives at the security network card, the modified NIC driver copies the NIC data directly to user space instead of handing it to the kernel protocol stack; the kernel protocol stack is offloaded to user space, where the unpacking, decryption and decompression of IPSec6 packets are completed. Application-layer data is handed directly to the IPv6 national security network card through a transparent IPv6 protocol for security encapsulation.
Further, the IPv6 national security network card loads the secure element in hardware, modifies the IPSec6 protocol, replaces the cipher suite of the standard AH and ESP authentication protocols with the national security SM2, SM3 and SM4 cipher suite, encrypts and decrypts the data in the transmission tunnel with the SM4 algorithm, and completes the national-security-algorithm security encapsulation and decapsulation of IPv6 packets.
Further, the IPv6 national security network card accelerates TCP network data transmission by modifying the underlying protocol stack, optimizing the TCP congestion control algorithm and TCP transmission window size, and adding a compression algorithm for network packets.
Further, authorizing the connection authority of each IPv6 national security network card in the management domain through the security policy management system comprises: centralized management of the factory initialization of each IPv6 national security network card and of its binding to the security policy management system; centralized management of secure key distribution and of the choice of authentication and encryption algorithms for the cards; and centralized management of the connection authority of each card in the management domain of the security policy management system, where the connection authority consists of permissions for secure interconnection with a specific device or a specific network segment.
Further, factory initialization of the IPv6 national security network card comprises factory-stage initialization and start-up-stage initialization;
the factory-stage initialization includes:
injecting a customized COS into the encryption chip through the management serial port, the COS core comprising the policy-configuration verification public key, an encryption/decryption public-private key pair and a standard cryptographic algorithm interface; and issuing a fuse-blow instruction to the encryption chip, after which the chip can no longer be reprogrammed;
the start-up-stage initialization includes:
generating identity information and a key for the IPv6 national security network card from its pre-allocated IPv6 address; executing the policy update procedure; and starting the IPv6 national security network card.
Further, the policy update procedure includes:
the security policy management system generates a new configuration information file according to the requirements of the working environment, the file comprising a peer authentication database, a security association database and a security policy database;
the security policy management system produces the configuration file encrypted for the receiving card and issues a configuration-file update permit;
the security policy management system pushes the policy configuration update through the network card's serial port;
the IPv6 national security network card verifies the digital signature on the issued permit and terminates the update if verification fails; it then decrypts the configuration information file and terminates the update if decryption fails;
the IPv6 national security network card suspends network operation and writes the new policy configuration into the FLASH chip, using a seamless update mode to guard against the risk of power loss during the update.
Further, the form of the IPv6 national security network card is a hardware network card, comprising a PCI-e standard or Mini wired Ethernet card and a portable USB interface RJ45 network card.
The application has the following beneficial effects: the IPv6 national security network card provided by the application completes IPv6 protocol offloading based on the national security algorithms, implements network access control through security policies injected online or offline by the upper-layer application, ensures reliable interconnection and privacy protection for IPv6-based network application data, and solves the key distribution problem with the national security identity-based cipher SM9. In terms of security, encryption protection is applied from the data source, avoiding the risk of disclosure during transmission. In terms of performance, transmission speed is increased, latency is reduced and throughput is greatly improved. In terms of access control, the interconnection authority of the host device carrying the network card is established dynamically by means of an IPv6-native security policy management mechanism. In practical terms, the card is plug-and-play, saving the cost of cryptographic retrofit.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a diagram of an IPv6 national security network card according to the present application;
FIG. 2 is a flowchart for initializing an IPv6 national security network card;
FIG. 3 is a flowchart of the security policy update of an IPv6 national security network card according to the present application.
Detailed Description
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other. The application will be described in detail below with reference to the drawings in connection with embodiments. It should be noted that the following detailed description is illustrative and is intended to provide further explanation of the application. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
Referring to fig. 1, an embodiment of the present application provides an IPv6 national security network card, including: the device comprises a main control chip MCU1, a network control chip 3, an encryption chip 4, an FPGA chip 5, a FLASH chip 6 and a memory chip 2. The network control chip 3, the encryption chip 4, the FPGA chip 5, the FLASH chip 6 and the memory chip 2 are respectively in communication connection with the main control chip MCU1, the main control chip MCU1 is in communication connection with external applications through serial ports, the FPGA chip 5 is in communication connection with the external applications through parallel ports, and the network control chip 3 is in communication connection with the IPv6 network through an RJ45 interface.
The main control chip MCU1 serves as the main processor for IP-layer data unpacking and packing, link concurrency management, security policy configuration and activation of applications. The network control chip 3 offloads the IPv6 protocol and accelerates the network. The encryption chip 4 provides the related cryptographic operation services and key storage. The FPGA chip 5 communicates with the PCI bus of the host computer and is responsible for accelerating the SM9 algorithm. The FLASH chip 6 stores a microsystem built on BusyBox, whose default security policy closes all external services. The memory chip 2 runs the microsystem from memory.
Specifically, the microsystem is built as follows: a rootfs is built with BusyBox, the Linux kernel is trimmed and optimized and compiled in ramdisk mode, and the built rootfs is imported to produce the microsystem. The default security policy of the microsystem closes all external services, ensuring the system security of the network card's operating environment.
Specifically, the network driver protocol is modified so that when network data arrives at the security network card, the modified NIC driver copies the NIC data directly to user space instead of handing it to the kernel protocol stack. The kernel protocol stack is offloaded to user space, which completes the unpacking, decryption, decompression and similar operations on IPSec6 packets; this removes the repeated copying of data, and user space makes full use of multiple cores and threads to process packets concurrently, improving processing efficiency. Application-layer data is handed directly to the IPv6 national security network card through a transparent IPv6 protocol for security encapsulation.
Specifically, the IPv6 national security network card loads the secure element in hardware, modifies the IPSec6 protocol, replaces the cipher suite of the standard AH and ESP authentication protocols with the national security SM2, SM3 and SM4 cipher suites, encrypts and decrypts the data in the transmission tunnel with the SM4 algorithm, and completes the national-security-algorithm security encapsulation and decapsulation of IPv6 packets.
Specifically, the IPv6 private network card modifies the underlying protocol stack, adjusts the TCP congestion control algorithm and the TCP transmission window size, and adds a compression algorithm for network packets, thereby accelerating TCP network data transmission. The standard TCP protocol sends an ACK acknowledgement each time a data frame is received, and the sender needs that acknowledgement before transmitting the next data segment. In the present application, TCP buffers are established on the network cards at both ends, the congestion algorithm is adjusted in combination with the TCP sliding window, and a single ACK is sent after several frames have been received, saving transmission time for large data. Relatively large packets are compressed and re-encoded by a compression algorithm, reducing the number of bytes transmitted.
Specifically, the method by which the security policy management system authorizes the connection authority of each IPv6 national security network card in the management domain comprises the following steps: centralized management of the factory initialization of each IPv6 national security network card and of its binding to the security policy management system; centralized management of secure key distribution and of the choice of authentication and encryption algorithms for the cards; and centralized management of the connection authority of each card in the management domain of the security policy management system, where the connection authority consists of permissions for secure interconnection with a specific device or a specific network segment. In addition, to keep the security policy management system compliant with national regulations, both the cryptographic algorithms and the choice of cryptographic devices must meet the relevant regulations.
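The access-control passage above (and its counterpart in the Disclosure section) describes the connection authority as a set of permissions for secure interconnection with specific devices or network segments, and the policy update flow names the three IPsec databases that carry it (peer authentication, security association, security policy). The following is an added Python example, not code from the patent or its assignee, of how such a policy is consulted with a default-deny rule: the longest matching prefix decides, a PROTECT entry with no security association fails closed, and an inbound protected packet is accepted only if its SPI maps to an SA whose peer is the claimed source. Class and field names are assumptions, and every address uses the 2001:db8::/32 documentation prefix; "national security" in the patent's translation refers to the Chinese SM cipher suite, which is why the SA defaults to SM4/SM3.

```python
"""SPD/SAD lookup with default deny for an IPv6 peer (added illustration)."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    DISCARD = "discard"   # peer is not authorised in this management domain
    BYPASS = "bypass"     # pass in the clear (e.g. link-local neighbour traffic)
    PROTECT = "protect"   # must be carried inside an IPSec6 tunnel


@dataclass(frozen=True)
class SpdEntry:
    remote: ipaddress.IPv6Network          # one device (/128) or a whole segment
    action: Action
    sa_name: Optional[str] = None          # SA to use when action is PROTECT


@dataclass(frozen=True)
class SecurityAssociation:
    name: str
    spi: int
    peer: ipaddress.IPv6Address
    cipher: str = "SM4"                    # patent swaps the standard suite for SM4/SM3
    integrity: str = "HMAC-SM3"


DEFAULT_DENY = SpdEntry(ipaddress.IPv6Network("::/0"), Action.DISCARD)


class PolicyEngine:
    def __init__(self, spd, sad):
        # most specific prefix wins, so order entries by prefix length once
        self.spd = sorted(spd, key=lambda e: e.remote.prefixlen, reverse=True)
        self.by_name = {sa.name: sa for sa in sad}
        self.by_spi = {sa.spi: sa for sa in sad}

    def lookup(self, remote_ip: str) -> SpdEntry:
        addr = ipaddress.IPv6Address(remote_ip)
        return next((e for e in self.spd if addr in e.remote), DEFAULT_DENY)

    def outbound(self, remote_ip: str):
        """Decide how a packet destined for remote_ip is handled."""
        entry = self.lookup(remote_ip)
        if entry.action is not Action.PROTECT:
            return entry.action, None
        sa = self.by_name.get(entry.sa_name)
        if sa is None:   # policy demands protection but no SA was distributed: fail closed
            return Action.DISCARD, None
        return Action.PROTECT, sa

    def inbound(self, src_ip: str, spi: Optional[int]) -> Action:
        """Accept an arriving packet only if its SPI maps to an SA whose peer is the
        claimed source and the SPD marks that source as PROTECT; clear-text packets
        are accepted only from BYPASS sources."""
        entry = self.lookup(src_ip)
        if spi is None:
            return Action.BYPASS if entry.action is Action.BYPASS else Action.DISCARD
        sa = self.by_spi.get(spi)
        if sa is None or sa.peer != ipaddress.IPv6Address(src_ip):
            return Action.DISCARD
        return Action.PROTECT if entry.action is Action.PROTECT else Action.DISCARD


def build_demo_engine() -> PolicyEngine:
    """Constructed sample policy: one authorised segment, one revoked host inside
    it, one host whose SA has not been distributed yet, and link-local bypass."""
    spd = [
        SpdEntry(ipaddress.IPv6Network("2001:db8:1::/64"), Action.PROTECT, "seg1"),
        SpdEntry(ipaddress.IPv6Network("2001:db8:1::99/128"), Action.DISCARD),
        SpdEntry(ipaddress.IPv6Network("2001:db8:2::5/128"), Action.PROTECT, "dev2"),
        SpdEntry(ipaddress.IPv6Network("fe80::/10"), Action.BYPASS),
    ]
    sad = [SecurityAssociation("seg1", 0x1001, ipaddress.IPv6Address("2001:db8:1::10"))]
    return PolicyEngine(spd, sad)


if __name__ == "__main__":
    engine = build_demo_engine()
    for ip in ("2001:db8:1::10", "2001:db8:1::99", "2001:db8:2::5", "2001:db8:9::1"):
        print(ip, engine.outbound(ip)[0].value)
```

The revoked /128 inside an authorised /64 shows why the lookup must be longest-prefix rather than first-match, and the `inbound` check shows that possessing a valid SPI is not enough: the source address must be the SA's peer, which is what binds the tunnel to the identity the management system authorised.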
Referring to FIG. 2, factory initialization of the IPv6 national security network card comprises factory-stage initialization and start-up-stage initialization. The factory-stage initialization includes:
injecting a customized COS into the encryption chip through the management serial port, the COS core comprising the policy-configuration verification public key, an encryption/decryption public-private key pair and a standard cryptographic algorithm interface; and issuing a fuse-blow instruction to the encryption chip, after which the chip can no longer be reprogrammed. The start-up-stage initialization includes: generating identity information and a key for the IPv6 national security network card from its pre-allocated IPv6 address; executing the policy update procedure; and starting the IPv6 national security network card.
Referring to FIG. 3, the policy update procedure includes: the security policy management system generates a new configuration information file according to the requirements of the working environment, the file comprising a peer authentication database, a security association database and a security policy database; the security policy management system produces the configuration file encrypted for the receiving card and issues a configuration-file update permit; the security policy management system pushes the policy configuration update through the network card's serial port; the IPv6 national security network card verifies the digital signature on the issued permit and terminates the update if verification fails; it then decrypts the configuration information file and terminates the update if decryption fails; the IPv6 national security network card suspends network operation and writes the new policy configuration into the FLASH chip, using a seamless update mode to guard against the risk of power loss during the update.
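The policy update procedure (listed in the Disclosure section and again here for FIG. 3) is a fail-closed sequence: verify the permit signature, decrypt the configuration, and only then write the new policy, in a way that survives a power loss mid-write. The following is an added Python example of that sequence, not code from the patent or its assignee. HMAC-SHA256 stands in for the SM2 signature the COS would verify, SHA-256 for SM3, and an HMAC-derived counter-mode keystream for SM4; the two-slot flash layout, the `card_id`/`config_digest` permit fields and all key material are constructed for the example. The permit is bound to the digest of the ciphertext so that a valid permit cannot be replayed with a different configuration file, and the active-slot pointer flips only after the written slot has been read back and checked.

```python
"""Fail-closed policy update with power-loss-safe two-slot commit (added illustration)."""
import hashlib
import hmac
import json
import struct

# All key material below is constructed for this example.
SIG_KEY = b"constructed-policy-verification-key"   # stand-in for the COS policy-verification public key
ENC_KEY = b"constructed-config-decryption-key"     # stand-in for the card's decryption private key
CARD_ID = "2001:db8:1::10"                          # identity derived from the pre-allocated IPv6 address


class UpdateRejected(Exception):
    """Raised whenever a step fails; the running policy is left untouched."""


def sign(msg: bytes) -> bytes:                      # stand-in for an SM2 signature
    return hmac.new(SIG_KEY, msg, hashlib.sha256).digest()


def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)


def digest(data: bytes) -> bytes:                   # stand-in for SM3
    return hashlib.sha256(data).digest()


def xor_stream(nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC; the same call encrypts and decrypts."""
    ks = bytearray()
    for ctr in range((len(data) + 31) // 32):
        ks += hmac.new(ENC_KEY, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))


def issue_update(cfg: dict, nonce: bytes, card_id: str = CARD_ID):
    """Management-system side: encrypt the config, then sign a permit bound to it."""
    ciphertext = xor_stream(nonce, json.dumps(cfg).encode())
    permit = json.dumps({"card_id": card_id, "config_digest": digest(ciphertext).hex()}).encode()
    return permit, sign(permit), ciphertext


class Card:
    """Two policy slots plus an active-slot pointer: a power loss while writing the
    inactive slot leaves the active one intact, and the pointer flips last."""

    def __init__(self):
        self.slots = [b"", b""]
        self.active = -1          # -1: no policy committed yet
        self.network_up = False

    def load_policy(self) -> dict:
        if self.active < 0:
            raise UpdateRejected("no policy committed")
        rec = self.slots[self.active]
        if rec[:32] != digest(rec[32:]):
            raise UpdateRejected("active slot is corrupt")
        return json.loads(rec[32:])

    def commit(self, policy: bytes) -> None:
        slot = 1 - self.active if self.active >= 0 else 0
        self.slots[slot] = digest(policy) + policy          # digest header + payload
        written = self.slots[slot]
        if written[:32] != digest(written[32:]):            # read back before switching
            raise UpdateRejected("flash read-back mismatch")
        self.active = slot                                  # single pointer flip

    def apply_update(self, permit: bytes, permit_sig: bytes, nonce: bytes, ciphertext: bytes) -> dict:
        # Step 1: signature on the issued permit; stop on failure
        if not verify(permit, permit_sig):
            raise UpdateRejected("permit signature check failed")
        p = json.loads(permit)
        if p.get("card_id") != CARD_ID or p.get("config_digest") != digest(ciphertext).hex():
            raise UpdateRejected("permit does not cover this card and config file")
        # Step 2: decrypt the configuration file; stop if it does not parse
        try:
            cfg = json.loads(xor_stream(nonce, ciphertext))
        except ValueError:
            raise UpdateRejected("config decryption failed") from None
        if not all(k in cfg for k in ("pad", "sad", "spd")):
            raise UpdateRejected("config missing a required database")
        # Step 3: suspend network work, commit to flash, resume
        self.network_up = False
        try:
            self.commit(json.dumps(cfg, sort_keys=True).encode())
        finally:
            self.network_up = True
        return cfg


if __name__ == "__main__":
    card = Card()
    sample = {"pad": [{"peer": "2001:db8:1::1"}], "sad": [], "spd": [{"remote": "2001:db8:1::/64", "action": "protect"}]}
    permit, sig, ct = issue_update(sample, b"constructed-nonce-1")
    print(card.apply_update(permit, sig, b"constructed-nonce-1", ct) == sample, card.active)
```

Two points worth noting: verification happens before any decryption, so a forged or foreign permit never causes key material to be exercised on attacker-chosen bytes, and the `finally` clause restores network operation even when the commit fails, so a rejected update cannot leave the card silent.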
The IPv6 national security network card uses the SM9 identity-based cipher to solve the problem of secure authenticated access between the security network card and the security policy management system and between security network cards, and thereby completes the secure distribution of identity authentication keys. The identity authentication keys are stored in the security chip of the security network card and in the security policy management system respectively. Security network cards in the same security domain establish point-to-point security tunnels over the IPSec6 protocol, eliminating the security risk of transmitting data in plaintext.
When network data arrives at the security network card, the modified NIC driver copies the NIC data directly to user space; the kernel-space protocol stack is offloaded to user space, which completes the unpacking, decryption, decompression and similar operations on IPSec6 packets, removing the repeated copying of data, and user space makes full use of multiple cores and threads to process packets concurrently, improving processing efficiency. The processed data is forwarded transparently to the upper-layer application. After receiving the actual data content, the application completes its service processing and submits its reply data to the user-space protocol stack; if the protocol is TCP, the user-space stack applies the optimized congestion algorithm, transmission window size, packet compression algorithm and so on to achieve bilateral TCP acceleration. The data processed by the protocol stack is encrypted and encapsulated and then submitted to the security network card's NIC, and the security network card driver accelerates the secure transmission of the packets to the peer over the IPSec6 tunnel.
As can be seen from the above embodiments, the embodiments of the present application provide a hardware architecture for a national security network card in an IPv6 network environment that combines network data processing and encryption protection in a single network card: data is encrypted at its source and only then forwarded through the network, which fundamentally avoids the risk of disclosure of data in transit. The design framework of the application controls access by the IPv6 national security network cards: only authenticated and authorized national security network cards are allowed onto the network, the security access policy is deployed centrally by the security policy management system, and it is distributed to the national security network cards under encryption protection. The design of the application offloads the IPv6 protocol stack into the national security network card, reducing network latency and improving network throughput. The hardware of the application has strong cryptographic service capability and can expose a general cryptographic computation interface to clients through an SDK when needed. The form of the application is a hardware network card, including but not limited to a PCI-e standard or Mini wired Ethernet card and a portable USB RJ45 network card. The security policy update of the application supports offline update through a dedicated physical interface as well as fast online update, according to the security requirements.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the present application. As used herein, the singular is also intended to include the plural unless the context clearly indicates otherwise, and furthermore, it is to be understood that the terms "comprises" and/or "comprising" when used in this specification are taken to specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the application described herein may be capable of being practiced otherwise than as specifically illustrated and described.
The above description is only of the preferred embodiments of the present application and is not intended to limit the present application, but various modifications and variations can be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (10)

1. An IPv6 national security network card, comprising: a main control chip MCU (1), a network control chip (3), an encryption chip (4) and an FPGA chip (5); the network control chip (3), the encryption chip (4) and the FPGA chip (5) are each communicatively connected to the main control chip MCU (1); the main control chip MCU (1) is communicatively connected to external applications through a serial port, the FPGA chip (5) is communicatively connected to external applications through a parallel port, and the network control chip (3) is communicatively connected to the IPv6 network through an RJ45 interface;
the main control chip MCU (1) is used for IP-layer data unpacking and packing, link concurrency management, security policy configuration and activation application;
the network control chip (3) is used for offloading and loading the IPv6 protocol and for network acceleration;
the encryption chip (4) is used for providing the related cryptographic operation services and key storage;
the FPGA chip (5) is used for communicating with the PCI bus of the host computer and for accelerating the SM9 algorithm.
2. The IPv6 national security network card of claim 1, further comprising: a FLASH chip (6) and a memory chip (2), each communicatively connected to the main control chip MCU (1);
the FLASH chip (6) is used for storing a microsystem; the microsystem is built on BusyBox, and its default security policy closes external service ports;
the memory chip (2) is used for running the microsystem in memory.
3. The IPv6 national security network card of claim 2, wherein the microsystem is configured as follows: a rootfs is constructed with BusyBox, the Linux kernel is trimmed and optimized and compiled in ramdisk mode, and the constructed rootfs is introduced to derive the microsystem.
4. The IPv6 national security network card of claim 3, wherein, when network data arrives at the security network card, the network driver protocol is modified so that, through the improved network card driver, the security network card copies the NIC data directly to user space without submitting it to the kernel protocol stack, and the kernel protocol stack is offloaded to user space to complete the unpacking, decryption and decompression of the IPSec6 data packet; application layer data is submitted directly to the IPv6 national security network card through a transparent IPv6 protocol for security encapsulation modification.
5. The IPv6 national security network card of claim 4, wherein the IPv6 national security network card loads security elements by means of hardware, modifies the IPSec6 protocol, replaces the cipher suites of the standard AH and ESP authentication protocols with cipher suites based on the national ciphers SM2, SM3 and SM4, encrypts and decrypts data with the SM4 algorithm in the tunnel used for data transmission, and completes the national-cipher security encapsulation and decapsulation of IPv6 data packets.
6. The IPv6 national security network card of claim 5, wherein the IPv6 national security network card accelerates TCP network data transmission by modifying the underlying protocol stack, optimizing the TCP congestion control algorithm and the TCP transmission window size, and adding a compression algorithm for network data packets.
7. The IPv6 national security network card of claim 6, wherein a security policy management system is configured to authorize the connection authority of each IPv6 national security network card within its administrative domain, comprising: centralized management of the factory initialization of IPv6 national security network cards and of their binding to the security policy management system; centralized management of the secure key distribution, authentication and encryption algorithm selection of IPv6 national security network cards; and centralized management of the connection authority of each IPv6 national security network card in the administrative domain of the security policy management system, the connection authority comprising permissions for secure interconnection with a given device or network segment.
8. The IPv6 national security network card of claim 7, wherein the factory initialization of the IPv6 national security network card comprises factory-phase initialization and enabling-phase initialization;
the factory-phase initialization comprises:
injecting a customized COS into the encryption chip through the management serial port, the COS core comprising a policy configuration verification public key, an encryption and decryption public-private key pair and a standard cryptographic algorithm interface; and issuing an encryption chip fusing instruction, after which the chip can no longer be burned;
the enabling-phase initialization comprises:
generating identity information and a key for the IPv6 national security network card according to its pre-allocated IPv6 address; executing the policy update flow; and starting the IPv6 national security network card.
9. The IPv6 national security network card of claim 8, wherein the policy update flow comprises:
the security policy management system generates a new configuration information file according to the requirements of the working environment, the configuration information file comprising a peer authentication database, a security association database and a security policy database;
the security policy management system encrypts the configuration file for the receiving party and issues a configuration file update permission;
the security policy management system upgrades and updates the policy configuration information through the network card serial port;
the IPv6 national security network card verifies the digital signature of the issued permission and terminates the update if verification fails; it then decrypts the configuration information file and terminates the update if decryption fails;
the IPv6 national security network card stops network operation and writes the new policy configuration into the FLASH chip, using a seamless update mode that guards against the risk of power failure during the update.
10. The IPv6 national security network card of claim 9, wherein the IPv6 national security network card is in the form of a hardware network card, including a PCI-e standard or Mini wired Ethernet card, and a portable RJ45 network card with a USB interface.
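The fail-closed ordering of the policy update flow in claim 9 (verify the permission signature first, decrypt second, touch the FLASH only after both succeed, and update in a way that survives a power cut) and the per-segment connection authority of claim 7 are easiest to see in code. The block below is an added example written for this page; it is not code from the patent or from the applicant. It models the security policy database only (the peer authentication and security association databases are omitted), uses ECDSA P-256 as a stand-in for SM2 and AES-256-GCM as a stand-in for SM4 because neither SM algorithm is in Go's standard library, and simulates the FLASH chip as two policy slots. The type and function names (`PolicyFile`, `flash`, `sealPolicy`, `signPermission`, `applyUpdate`, `Lookup`) are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"net/netip"
)

// PolicyFile is a constructed stand-in for the configuration file of claim 9; only the
// security policy database (IPv6 segment -> action, the permissions of claim 7) is modelled.
type PolicyFile struct{ Rules []Rule }

type Rule struct{ Prefix, Action string } // Action: "protect", "bypass" or "discard"

// flash simulates the FLASH chip with two policy slots: the active index flips only after
// the new slot is fully written, so a power cut mid-update leaves the old policy usable.
type flash struct {
	slots  [2][]byte
	active int
}

func (f *flash) commit(data []byte) {
	next := 1 - f.active
	f.slots[next] = append([]byte(nil), data...)
	f.active = next
}

// newSigner generates the policy-signing key pair; ECDSA P-256 stands in for SM2.
func newSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newGCM builds the AEAD for the file key; AES-256-GCM stands in for SM4.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPolicy is the management-system side: encrypt the configuration file for the card.
func sealPolicy(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// signPermission issues the update permission: a signature over the ciphertext.
func signPermission(priv *ecdsa.PrivateKey, ct []byte) ([]byte, error) {
	h := sha256.Sum256(ct)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// applyUpdate is the card side: verify the permission before decrypting, and return on
// any failure before the flash is touched.
func applyUpdate(f *flash, pub *ecdsa.PublicKey, key, ct, perm []byte) (*PolicyFile, error) {
	h := sha256.Sum256(ct)
	if !ecdsa.VerifyASN1(pub, h[:], perm) {
		return nil, errors.New("permission signature invalid: update terminated")
	}
	gcm, err := newGCM(key)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, errors.New("bad file key or truncated ciphertext")
	}
	plain, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return nil, errors.New("configuration decryption failed: update terminated")
	}
	var p PolicyFile
	if err := json.Unmarshal(plain, &p); err != nil {
		return nil, err
	}
	f.commit(plain) // reached only after both checks passed
	return &p, nil
}

// Lookup returns the action for a destination; an address outside every segment is discarded.
func (p *PolicyFile) Lookup(dst string) string {
	addr, err := netip.ParseAddr(dst)
	for _, r := range p.Rules {
		if pfx, perr := netip.ParsePrefix(r.Prefix); err == nil && perr == nil && pfx.Contains(addr) {
			return r.Action
		}
	}
	return "discard"
}
```

A tampered ciphertext, a permission signed by a key other than the one provisioned at factory initialization (claim 8), and a wrong file key each return an error before `commit` runs, so the previously active slot stays in force. `Lookup` uses first-match semantics, so more specific prefixes must be listed before broader ones, and anything unmatched falls through to discard.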
CN202311367983.8A 2023-10-23 2023-10-23 IPv6 national security network card Active CN117118636B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311367983.8A CN117118636B (en) 2023-10-23 2023-10-23 IPv6 national security network card

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311367983.8A CN117118636B (en) 2023-10-23 2023-10-23 IPv6 national security network card

Publications (2)

Publication Number Publication Date
CN117118636A true CN117118636A (en) 2023-11-24
CN117118636B CN117118636B (en) 2023-12-29

Family

ID=88811298

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311367983.8A Active CN117118636B (en) 2023-10-23 2023-10-23 IPv6 national security network card

Country Status (1)

Country Link
CN (1) CN117118636B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105871873A (en) * 2016-04-29 2016-08-17 国家电网公司 Security encryption authentication module for power distribution terminal communication and method thereof
WO2017045484A1 (en) * 2015-09-15 2017-03-23 中兴通讯股份有限公司 Xts-sm4-based storage encryption and decryption method and apparatus
CN109842585A (en) * 2017-11-27 2019-06-04 中国科学院沈阳自动化研究所 Network information security protective unit and means of defence towards industrial embedded system
CN110138553A (en) * 2019-05-10 2019-08-16 郑州信大捷安信息技术股份有限公司 A kind of IPSec vpn gateway data packet processing and method
CN111092860A (en) * 2019-11-27 2020-05-01 北京晤智物联科技有限公司 Medical data safety interaction transmission module
CN114095251A (en) * 2021-11-19 2022-02-25 南瑞集团有限公司 SSLVPN realization method based on DPDK and VPP
WO2022170857A1 (en) * 2021-02-09 2022-08-18 深圳市汇顶科技股份有限公司 Secure transmission method and apparatus for signaling, and server and se chip

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
张朕荣: "A method for adding national cryptographic algorithms to Openswan", Modern Computer (Professional Edition), no. 06 *
李兆斌; 刘丹丹; 黄鑫; 曹浩: "Design and implementation of a secure access device based on national cryptographic algorithms", Netinfo Security, no. 11 *
胡逸: "Design and implementation of an IPv6 encryption interface module", China Master's Theses Full-text Database, Information Science and Technology, no. 5, p. 11 *

Also Published As

Publication number Publication date
CN117118636B (en) 2023-12-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant