CN117955683A - IPSec VPN software system based on hardware encryption and decryption - Google Patents


Info

Publication number
CN117955683A
Authority
CN
China
Prior art keywords
hardware
ipsec
encryption
decryption
module
Prior art date
Legal status
Pending
Application number
CN202311598039.3A
Other languages
Chinese (zh)
Inventor
唐刚
张建恒
Current Assignee
Shenzhen JWIPC Technology Co Ltd
Original Assignee
Shenzhen JWIPC Technology Co Ltd
Priority date
Filing date
Publication date


Abstract

The application belongs to the technical field of computers and provides an IPSec VPN software system based on hardware encryption and decryption. The system is ingenious in design: an IPsec negotiation module interacts with a session parameter database, which stores the SPI and SA parameters of all current sessions; a hardware acceleration capability database stores the acceleration capability data of the current hardware and manages and provisions the security protocol operations offloaded to the hardware-based device; a hardware capability acquisition module obtains the acceleration capability of the current hardware from the hardware acceleration capability database; a data encryption and decryption module then encrypts and decrypts messages using that hardware acceleration capability. Performing encryption and decryption in hardware improves IPSec VPN performance; the software platform in the application controls a variety of hardware and can be adapted to various operating systems; with hardware encryption and decryption, more than 250 concurrent tunnel channels are achieved; and the software system supports several hardware schemes, such as MARVEL, NXP, INTEL, BCM and REALTEK, giving it strong compatibility.

Description

IPSec VPN software system based on hardware encryption and decryption
Technical Field
The invention belongs to the field of data communication, and particularly relates to an IPSec VPN software system based on hardware encryption and decryption.
Background
IPSec is an abbreviation for IP Security; its purpose is to provide strong security functionality for IP. IPSec is the protocol most commonly used to implement VPN functionality. IPSec is not a single protocol but a complete architecture for network data security applied at the IP layer. The architecture includes the Authentication Header protocol (AH), the Encapsulating Security Payload protocol (ESP), the key management protocol Internet Key Exchange (IKE), and a set of algorithms for network authentication and encryption, among others. IPSec specifies how peers choose security protocols, determine security algorithms and exchange keys, providing network security services such as access control, data source authentication and data encryption.
IPSec is a framework consisting of two types of protocols:
AH (Authentication Header): provides data integrity validation, data source authentication and anti-replay protection. AH accomplishes this with a public digest algorithm (one-way hash function) such as MD5 or SHA-1.
ESP (Encapsulating Security Payload): provides data integrity validation, data encryption and anti-replay protection. ESP generally encrypts data with DES, 3DES, AES or similar encryption algorithms, and achieves data integrity with MD5 or SHA-1. (In current deployments DES and MD5 are no longer acceptable for IPsec and 3DES and SHA-1 are being phased out; AES with SHA-2, or an AEAD mode such as AES-GCM, is the usual choice.)
VPN is a technology for establishing a private network over a public network and communicating over it with encryption; as a mature technology it is widely used to interconnect an organization's headquarters with its branch offices.
IPsec VPN is a VPN technology that uses the IPSec protocol to provide remote access. Existing IPSec VPNs are typically implemented purely in software, which brings certain limitations:
1. The encryption and decryption algorithms consume a large share of CPU capacity, so processing throughput is low: on a gigabit port carrying 75-byte packets, bidirectional packet loss begins at roughly 100 Mbps of aggregate traffic, so the tunnel channels cannot meet high-concurrency requirements.
2. The number of tunnel channels is limited, and a requirement of more than 100 channels cannot be met.
Disclosure of Invention
To address these defects in the prior art, the invention provides an IPSec VPN software system based on hardware encryption and decryption.
The technical scheme adopted to solve the technical problem is as follows: an IPSec VPN software system based on hardware encryption and decryption, comprising:
an IPSec negotiation module, used to negotiate IPSec communication parameters with other devices on the network in order to establish a session;
a session parameter database, used to store the SPI and SA parameters of all current sessions; the session parameter database supports more than 250 channels;
a hardware acceleration capability database, used to store the acceleration capability data of the current hardware and to manage and provision the security protocol operations offloaded to the hardware-based device;
a hardware capability acquisition module, used to acquire the acceleration capability of the current hardware;
a message encapsulation and decapsulation module, used to encapsulate or decapsulate messages according to the session parameters;
a data encryption and decryption module, used to encrypt and decrypt messages using the hardware acceleration capability;
and a software platform, used to manage the start-up of, and the communication among, the IPSec negotiation module, the session parameter database, the hardware acceleration capability database, the hardware capability acquisition module, the message encapsulation and decapsulation module and the data encryption and decryption module.
Further, the IPSec negotiation module exchanges and transfers data bidirectionally with the session parameter database through SA interaction.
The application has the following beneficial effects. The IPSec VPN software system based on hardware encryption and decryption is ingenious in design: it interacts with a session parameter database through an IPsec negotiation module, the session parameter database storing the SPI and SA parameters of all current sessions; the hardware acceleration capability database stores the acceleration capability data of the current hardware and manages and provisions the security protocol operations offloaded to the hardware-based device; the hardware capability acquisition module obtains the acceleration capability of the current hardware from the hardware acceleration capability database; the data encryption and decryption module then encrypts and decrypts messages using that hardware acceleration capability. Performing encryption and decryption in hardware improves IPSec VPN performance; the software platform in the application controls a variety of hardware and can be adapted to various operating systems; with hardware encryption and decryption, more than 250 concurrent tunnel channels are achieved; and the software system supports several hardware schemes, such as MARVEL, NXP, INTEL, BCM and REALTEK, giving it strong compatibility.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the present invention will be further described with reference to the accompanying drawings and embodiments, in which the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained by those skilled in the art without inventive effort:
FIG. 1 is a schematic diagram of the overall framework of an IPSec VPN software system based on hardware encryption and decryption according to the preferred embodiment of the invention;
FIG. 2 is a schematic diagram of management information interaction of an IPSec VPN software system based on hardware encryption and decryption according to a preferred embodiment of the present invention.
Detailed Description
The terms "comprising" and "having" and any variations thereof in the description and claims of the invention and in the drawings are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the invention. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
"Plurality" means two or more. "and/or", describes an association relationship of an association object, and indicates that there may be three relationships, for example, a and/or B, and may indicate: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship.
Moreover, the terms "upper, lower, front, rear, left, right, upper end, lower end, longitudinal" and the like that represent orientations are referred to with reference to the attitude position of the apparatus or device described in this scheme when in normal use.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the following description will be made in detail with reference to the technical solutions in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by a person skilled in the art without any inventive effort, are intended to be within the scope of the present invention, based on the embodiments of the present invention.
IP Security (IPsec) is a suite of network protocols used to protect Internet Protocol (IP) communications. IPsec provides security mechanisms for data encryption, data integrity verification, and authentication, etc., to ensure secure transmission of data over IP networks.
IPsec works by establishing a secure communication tunnel between two endpoints for data transmission. The tunnel encrypts the data with an encryption algorithm, protecting its confidentiality in transit. In addition, IPsec uses message integrity check codes to ensure that data is not altered in transit, and its identity verification mechanism authenticates the two endpoints of the communication to ensure the security of the communication.
IPsec can be applied in a variety of network communication scenarios including Virtual Private Networks (VPN), remote access, communication between Local Area Networks (LAN) and Wide Area Networks (WAN), etc. It is a widely used network security technology for protecting the security of transmission and communication of sensitive data.
Referring to FIGS. 1 and 2, which show respectively the overall framework of an IPSec VPN software system based on hardware encryption and decryption in a preferred embodiment of the present invention and the management information interaction of that system, the system includes:
an IPSec negotiation module 11, configured to negotiate IPSec communication parameters with other devices on a network to establish a session;
a session parameter database 12, configured to store the SPI and SA parameters of all current sessions;
a hardware acceleration capability database 13, used to store the acceleration capability data of the current hardware and to manage and provision the security protocol operations offloaded to the hardware-based device;
a hardware capability acquisition module 14, configured to acquire the acceleration capability of the current hardware;
a message encapsulation and decapsulation module 15, used to encapsulate or decapsulate messages according to the session parameters;
a data encryption and decryption module 16, configured to encrypt and decrypt messages using the hardware acceleration capability;
and a software platform 17, used to manage the start-up of, and communication among, the IPSec negotiation module 11, the session parameter database 12, the hardware acceleration capability database 13, the hardware capability acquisition module 14, the message encapsulation and decapsulation module 15 and the data encryption and decryption module 16. The software platform 17 manages the start-up of the above modules, the overall function flow, memory buffer allocation, communication between the modules, system alarm logs and the like.
The IPSec VPN software system based on hardware encryption and decryption is ingenious in design: it interacts with a session parameter database through an IPsec negotiation module, the session parameter database storing the SPI and SA parameters of all current sessions; the hardware acceleration capability database stores the acceleration capability data of the current hardware and manages and provisions the security protocol operations offloaded to the hardware-based device; the hardware capability acquisition module obtains the acceleration capability of the current hardware from the hardware acceleration capability database; the data encryption and decryption module then encrypts and decrypts messages using that hardware acceleration capability. Performing encryption and decryption in hardware improves IPSec VPN performance; the software platform in the application controls a variety of hardware and can be adapted to various operating systems; with hardware encryption and decryption, more than 250 concurrent tunnel channels are achieved; and the software system supports several hardware schemes, such as MARVEL, NXP, INTEL, BCM and REALTEK, giving it strong compatibility.
The IPSec negotiation module 11 communicates bidirectionally and transfers data with the session parameter database 12 through SA interaction, that is, the process of communication and data transfer between the two. In this process the IPSec negotiation module 11 may send a request to the session parameter database 12 to obtain the session parameter information it needs, and transmit the relevant negotiation and decision results to the session parameter database 12 to be updated and saved. Meanwhile, the session parameter database 12 may provide data, such as the current session parameter values and status, to the IPSec negotiation module 11. The SA interaction is implemented through an interface between the IPSec negotiation module 11 and the session parameter database 12, and the data transfer may take place through an API, database queries or the like.
The hardware capability acquiring module 14 reads the corresponding register bit of the hardware through the software interface to acquire the chip CPU model, and matches whether the hardware scheme is supported.
The IPSec negotiation module 11 negotiates over an IKE channel; after the negotiation succeeds, the device under test (DUT) performs ESP negotiation with the peer device according to the ESP encryption and decryption modes supported by the hardware.
After negotiating a set of supported hardware acceleration schemes, the IPSec negotiation module 11 applies SPI, SA to the software platform 17, and establishes a pair of IPSec security associations for data security transmission.
The software platform 17 initializes the hardware encryption and decryption engine according to the session parameters, initializes the statistics counter, creates channels, and initializes the encryption and decryption queues.
The hardware acceleration capability database 13 holds the set of encryption algorithms and security modes that are supported once the software platform 17 has detected the hardware model, and the session parameter database 12 stores, per channel, the encryption algorithm and security mode set negotiated by the IPSec negotiation module 11.
The session parameter database 12 supports more than 250 channels; with small packets of 75 bytes a gigabit port sustains more than 500 Mbps of bidirectional aggregate traffic, and with large packets of 170 bytes it sustains more than 1000 Mbps bidirectionally.
The data encryption and decryption module 16 obtains the current session parameter information and the hardware encryption and decryption capability through the encryption and decryption interface and encrypts and decrypts the received data packet.
The software platform technology is implemented by the following parts.
The first part is hardware capability acquisition. This module adapts itself to various hardware schemes: the corresponding register bits of the hardware are read through a unified software interface, the CPU model of the chip is obtained and matched against the supported hardware schemes, and if a scheme matches, hardware API initialization is carried out according to the current hardware acceleration capability database module. The hardware acceleration capability database provides a framework for managing and provisioning security protocol operations offloaded to hardware-based devices. The library defines generic APIs to create and release secure sessions that can support complete protocol offload and inline encryption operations using encryption devices. The framework currently supports only the IPsec and SSL protocols and their related operations; other protocols will be added in the future. Finally, the session parameter database and the IPSec negotiation module establish a bidirectional communication mechanism and inform the application layer of the acceleration capability supported by the hardware.
The second part is the IPSec negotiation module. It performs the first-stage IKE channel negotiation and, after the negotiation succeeds, performs ESP negotiation with the peer device according to the ESP encryption and decryption modes supported by the hardware; after a set of supported hardware acceleration schemes has been negotiated, it applies to the software platform for an SPI and SA, and establishes a pair of IPSec security associations for secure data transmission. The associated IKE SA, authentication and secure channel information is stored in the software platform's session parameter database. The software platform initializes the hardware encryption and decryption engine according to the session parameters, initializes the statistics counter, creates the session and initializes the encryption and decryption queues. It also defines the various algorithms and functions supported by the device, such as a specific symmetric cipher, authentication operations, or authenticated encryption with associated data (AEAD) operations.
The third part is the database module, which mainly comprises the hardware acceleration capability database and the session parameter database. The hardware acceleration capability database holds the set of encryption algorithms and security modes supported once the software platform has detected the hardware model; the session parameter database stores, per channel, the encryption algorithm and security mode set negotiated by the IPSec negotiation module, and supports more than 250 such channels.
The fourth part is the universal encryption and decryption interface, which can be applied to different hardware schemes. Through this interface the current session parameter information and the hardware encryption and decryption capability are obtained and the received data packets are encrypted and decrypted; the data encryption and decryption interface performs encryption and decryption for the protocol message encapsulation and decapsulation module 15 through the hardware encryption and decryption interface.
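To make the four-part flow above concrete, here is an added C example that is not the patent's code: a constructed hardware acceleration capability database keyed by a chip-id register value, ESP negotiation that only selects a mode the engine can offload, an SPI-keyed session parameter table sized for 256 channels, and inbound ESP header handling (the real 8-byte ESP header of SPI plus sequence number) with a sliding anti-replay window before the packet is handed to the engine. All chip ids, algorithm names and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* ESP modes an engine may offload; the names are constructed for this example. */
enum esp_alg { ALG_NONE = 0, ALG_AES128_CBC_SHA256, ALG_AES256_GCM, ALG_3DES_CBC_SHA1 };

/* Hardware acceleration capability database (constructed): one row per scheme,
 * keyed by the chip id read from the model register, modes in preference order. */
#define MAX_ALGS 4
struct hw_capability { uint32_t chip_id; enum esp_alg algs[MAX_ALGS]; int n_algs; };
static const struct hw_capability HW_CAP_DB[] = {
    { 0x0101, { ALG_AES256_GCM, ALG_AES128_CBC_SHA256 }, 2 },
    { 0x0202, { ALG_AES128_CBC_SHA256, ALG_3DES_CBC_SHA1 }, 2 },
};

/* Hardware capability acquisition: match the register value against the
 * database; NULL means the scheme is unsupported and nothing is offloaded. */
const struct hw_capability *hw_capability_acquire(uint32_t chip_id_reg) {
    for (size_t i = 0; i < sizeof HW_CAP_DB / sizeof HW_CAP_DB[0]; i++)
        if (HW_CAP_DB[i].chip_id == chip_id_reg) return &HW_CAP_DB[i];
    return NULL;
}

/* ESP negotiation: choose the first engine-preferred mode the peer also
 * proposes, so every SA that gets created can actually run in hardware. */
enum esp_alg negotiate_esp(const struct hw_capability *cap,
                           const enum esp_alg *peer, int n_peer) {
    if (!cap) return ALG_NONE;
    for (int i = 0; i < cap->n_algs; i++)
        for (int j = 0; j < n_peer; j++)
            if (cap->algs[i] == peer[j]) return cap->algs[i];
    return ALG_NONE;
}

/* Session parameter database: SA parameters keyed by SPI, sized for more
 * than 250 concurrent channels, each with a 64-packet anti-replay window. */
#define MAX_SESSIONS 256
#define REPLAY_WINDOW 64
struct sa_entry { int in_use; uint32_t spi; enum esp_alg alg; uint32_t last_seq; uint64_t window; };
static struct sa_entry SA_DB[MAX_SESSIONS];
struct sa_entry *sa_lookup(uint32_t spi) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (SA_DB[i].in_use && SA_DB[i].spi == spi) return &SA_DB[i];
    return NULL;
}

/* Returns the slot index, or -1 for a non-offloadable mode, duplicate SPI or full table. */
int sa_install(uint32_t spi, enum esp_alg alg) {
    if (alg == ALG_NONE || sa_lookup(spi)) return -1;
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (!SA_DB[i].in_use) {
            SA_DB[i] = (struct sa_entry){ 1, spi, alg, 0, 0 };
            return i;
        }
    return -1;
}

/* Sliding-window replay check in the style of RFC 4303: 1 = accept and record, 0 = drop. */
int sa_check_replay(struct sa_entry *sa, uint32_t seq) {
    if (seq == 0) return 0;                      /* ESP sequence numbers start at 1 */
    if (seq > sa->last_seq) {                    /* newer than anything seen: slide the window */
        uint32_t shift = seq - sa->last_seq;
        sa->window = shift < REPLAY_WINDOW ? (sa->window << shift) | 1 : 1;
        sa->last_seq = seq;
        return 1;
    }
    uint32_t diff = sa->last_seq - seq;
    if (diff >= REPLAY_WINDOW) return 0;         /* older than the window */
    if (sa->window & (1ULL << diff)) return 0;   /* already accepted once */
    sa->window |= 1ULL << diff;
    return 1;
}

/* Inbound decapsulation: parse the 8-byte ESP header (big-endian SPI and
 * sequence number), find the SA, run the replay check, and return the ESP
 * mode the engine must use; -1 truncated, -2 unknown SPI, -3 replay/window. */
int esp_inbound(const uint8_t *pkt, size_t len) {
    if (len < 8) return -1;
    uint32_t spi = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) | ((uint32_t)pkt[2] << 8) | pkt[3];
    uint32_t seq = ((uint32_t)pkt[4] << 24) | ((uint32_t)pkt[5] << 16) | ((uint32_t)pkt[6] << 8) | pkt[7];
    struct sa_entry *sa = sa_lookup(spi);
    if (!sa) return -2;
    if (!sa_check_replay(sa, seq)) return -3;
    return (int)sa->alg;
}
```

Authentication and decryption of the payload are left to the engine selected by the returned mode; the point here is that no packet reaches it without a matching SA and a fresh sequence number.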
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.

Claims (9)

1. An IPSec VPN software system based on hardware encryption and decryption, comprising:
The IPSec negotiation module is used for negotiating IPSec communication parameters with other devices on the network to establish a session;
the session parameter database is used for storing SPI and SA parameters of all the current sessions;
A hardware acceleration capability database for storing acceleration capability data of the current hardware and managing and provisioning security protocol operations offloaded to the hardware-based device;
the hardware capacity acquisition module is used for acquiring the acceleration capacity of the current hardware;
the message encapsulation and decapsulation module is used for encapsulating or decapsulating the message according to the session parameters;
the data encryption and decryption module is used for encrypting and decrypting the message by using the hardware acceleration capability;
and a software platform, used to manage the start-up of, and the communication among, the IPSec negotiation module, the session parameter database, the hardware acceleration capability database, the hardware capability acquisition module, the message encapsulation and decapsulation module and the data encryption and decryption module.
2. The IPSec VPN software system according to claim 1, wherein the IPSec negotiation module interacts with the session parameters database to exchange and transfer data bi-directionally via an SA.
3. The IPSec VPN software system according to claim 2, wherein the hardware capability obtaining module reads a corresponding register bit of hardware through a software interface to obtain a chip CPU model, and matches whether the hardware scheme is supported.
4. The IPSec VPN software system according to claim 3, wherein the IPSec negotiation module performs negotiation over an IKE channel, and after the negotiation succeeds, the device under test (DUT) performs ESP negotiation with the peer device according to the ESP encryption/decryption modes supported by the hardware.
5. The IPSec VPN software system according to claim 4, wherein the IPSec negotiation module negotiates a set of supported hardware acceleration schemes, applies SPI, SA to the software platform, and establishes a pair of IPSec security associations for secure data transmission.
6. The IPSec VPN software system according to claim 5, wherein the software platform initializes a hardware encryption and decryption engine, initializes a statistics counter, creates a channel, and initializes an encryption and decryption queue according to session parameters.
7. The IPSec VPN software system according to claim 6, wherein the hardware acceleration capability database holds the set of encryption algorithms and security modes supported once the software platform has detected the hardware model, and the session parameter database stores the set of encryption algorithms and security modes negotiated at the IPSec negotiation module according to the number of channels.
8. The IPSec VPN software system according to any of claims 1-7, characterized in that said session parameter database supports more than 250 channels.
9. The IPSec VPN software system according to claim 8, wherein the data encryption/decryption module obtains current session parameter information and hardware encryption/decryption capability through an encryption/decryption interface and encrypts and decrypts a received data packet.
Application CN202311598039.3A, filed 2023-11-27, priority date 2023-11-27: IPSec VPN software system based on hardware encryption and decryption (pending).

Publications (1)

CN117955683A (en), published 2024-04-30

Family ID: 90796929

Country Status (1)

CN: CN117955683A (en)


Legal Events

PB01 Publication