CN211630188U - Secure encryption switch - Google Patents
Secure encryption switch
- Publication number
- CN211630188U
- Application number
- CN202020282201.6U
- Authority
- CN
- China
- Prior art keywords
- switch
- encryption
- data
- module
- loongson
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Small-Scale Networks (AREA)
Abstract
The utility model discloses a secure encryption switch, comprising: a switch body, a Loongson CPU, a MAC chip, an encryption FPGA, a network port module, a DDR memory, a storage and a power supply module for supplying power. The Loongson CPU and the MAC chip are arranged in the switch body and connected to each other to control data transmission; the MAC chip is connected with the network port module through the encryption FPGA, which encrypts the message data; the Loongson CPU is connected with the encryption FPGA to send it a random key; and the DDR memory and the storage are each connected with the Loongson CPU. On the actual transmission line the data messages are thus protected against interception and cracking: the data transmitted on the network cable is encrypted, scrambled data that cannot be cracked through network interception, so the purpose of protecting data security is achieved.
Description
Technical Field
The utility model relates to the field of secure encryption switches, and specifically to a secure encryption switch.
Background
The network security and network isolation methods currently on the market include physical isolation, the network gate (gatekeeper), the firewall, multiple security gateways, the data switching network and so on, but all of these methods have certain limitations.
Physical isolation disconnects the target network from the Internet; this directly limits the range of network applications and is only suitable for small office scenarios. When such a data exchange system has to exchange data with the outside, a transfer machine is needed, a security administrator must be assigned, and the operation is manual. The network gate separates the sending and receiving ends, which are connected only through the network gate device, so transmit and receive traffic can never share the physical link at the same time. This method is suitable for regular exchange of batch data, but is poor in user experience, timeliness and multi-application penetrability. The firewall is a network-layer protection that can resist certain network attacks, and is only suitable for isolating networks of the same security level. Multiple security gateways protect data from the network layer down to the data layer; they are suitable for data exchange within the same network, but not for exchange between classified and non-classified network data.
At present the market lacks an encryption switch that is low in cost, protects data at the physical layer and offers good security. Most existing switches use imported CPU chips, which may contain backdoors, so switches built on imported chips cannot guarantee the security of communication data in confidential departments: party and government administration, national defense departments, scientific research institutions, the financial industry, group enterprises and other confidential office environments related to national defense security and social stability, as well as important office environments that hold sensitive economic data and can influence the operation of the economic system.
Summary of the Utility Model
The utility model aims to solve at least one of the technical problems existing in the prior art. Therefore, the utility model provides a secure encryption switch that protects data at the physical layer by encrypting network data, offers good security, and adopts a domestic CPU chip, avoiding the risk of disclosure through a backdoor.
According to the utility model, a secure encryption switch comprises: a switch body, a Loongson CPU, a MAC chip, an encryption FPGA, a network port module, a DDR memory, a storage and a power module for supplying power, wherein the Loongson CPU and the MAC chip are arranged in the switch body and connected to each other to control data transmission, the MAC chip is connected with the network port module through the encryption FPGA, which encrypts the message data, the Loongson CPU is connected with the encryption FPGA to send it a random key, and the DDR memory and the storage are each connected with the Loongson CPU.
The secure encryption switch according to the utility model has at least the following technical effect: the encryption FPGA destroys and recombines normal Ethernet frame data according to a specific rule, and the result is transmitted through the MAC chip. After the data arrives at the opposite end, it is restored according to the same rule. Therefore the data messages cannot be intercepted and cracked on the actual transmission line; the data on the network line is encrypted, scrambled data, and the encrypted content cannot be stolen by network interception, so the aim of protecting data security is fulfilled.
Meanwhile, a domestic Loongson CPU is adopted in the switch, which effectively prevents leaks through a backdoor in the CPU chip, and meets the application requirements of confidential office environments related to national defense security and social stability (party and government administration, national defense departments, scientific research institutions, the financial industry, group enterprises and the like) and of important office environments that hold sensitive economic data and can influence the operation of the economic system.
According to some embodiments of the utility model, the encryption FPGA comprises an SGMII control module, an SM4-IP core and an SM4 control module; the SGMII control module is connected with the MAC chip to control the read/write timing of the MAC chip, and is connected with the network port module to send the encrypted data; the SM4-IP core is connected with the SGMII control module through the SM4 control module to provide the SM4 symmetric algorithm; and the SM4 control module controls the SM4-IP core.
According to some embodiments of the utility model, the network port module comprises a PHY chip and an Ethernet port, and the encryption FPGA is connected to the Ethernet port through the PHY chip.
According to some embodiments of the utility model, the switch further comprises a self-destruction device and an anti-theft detection unit installed in the switch body; the anti-theft detection unit is connected with the Loongson CPU and sends feedback information after the switch is physically damaged or stolen, and the Loongson CPU is connected with the self-destruction device and triggers self-destruction after the switch is physically damaged or stolen, to prevent data leakage.
According to some embodiments of the utility model, the anti-theft detection unit comprises a self-destruction button, a cover-opening detection sensor, an electric quantity detection module and a position detection sensor; the self-destruction button is installed at the button position of the switch body, the cover-opening detection sensor is installed at the cover plate of the switch body, the electric quantity detection module is connected with the power module, the position detection sensor is installed inside the switch body, and the self-destruction button, the cover-opening detection sensor, the electric quantity detection module and the position detection sensor are each connected with the Loongson CPU.
According to some embodiments of the utility model, the switch further comprises a parameter configuration port, which is connected to the Loongson CPU through a Console-PHY chip or a serial port chip.
According to some embodiments of the utility model, the model of the Loongson CPU is Loongson 2H.
According to some embodiments of the utility model, the model of the MAC chip is CTC 5160.
According to some embodiments of the utility model, the model of the encryption FPGA is PGT 220H.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
Fig. 1 is a schematic block diagram of a secure encryption switch according to an embodiment of the present invention;
Fig. 2 is an internal block diagram of the encryption FPGA in the embodiment of the present invention;
Fig. 3 is a block diagram of the encrypted data flow of the encryption switch according to the embodiment of the present invention;
Fig. 4 is a flowchart of random key interaction in the embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary only for the purpose of explaining the present invention, and should not be construed as limiting the present invention.
In the description of the present invention, unless there is an explicit limitation, the words such as setting, installation, connection, etc. should be understood in a broad sense, and those skilled in the art can reasonably determine the specific meanings of the above words in combination with the specific contents of the technical solution.
Referring to Fig. 1, a secure encryption switch comprises: a switch body, a Loongson CPU 100, a MAC chip 200, an encryption FPGA 300, a network port module, a DDR memory 400, a storage 500 and a power supply module for supplying power. The Loongson CPU 100 is connected with the MAC chip 200 to control data transmission. The MAC chip 200 is connected with the network port module through the encryption FPGA 300: the encryption FPGA 300 first encrypts the message data to be transmitted, performs scrambling (out-of-order) processing and the like, converts it into special network communication protocol data, and then outputs it through the network port module. The Loongson CPU 100 is connected with the encryption FPGA 300 to send it a random key, and the FPGA 300 uses that random key to scramble and encrypt the messages. The DDR memory 400 and the storage 500 are each connected with the Loongson CPU. To avoid the possibility of disclosure through a backdoor in an imported chip, the main CPU in this embodiment is a Loongson CPU 100 of type Loongson 2H. To raise the degree of domestic chip integration and effectively prevent chip backdoors, the MAC chip 200 in this embodiment is a domestic CTC5160 and the encryption FPGA 300 is a Ziguang PGT220H; since all the main core components of the switch are domestic chips, the risk of disclosure is further reduced.
The network port module comprises a PHY chip 610 and an Ethernet port 620, and the encryption FPGA 300 is connected to the Ethernet port 620 through the PHY chip 610. In this embodiment two 12-port PHY chips 610 are configured, providing 24 1000BASE-T network ports.
Referring to Fig. 2, the encryption function of the encryption FPGA 300 is implemented by a built-in SGMII control module 310, an SM4-IP core 320 and an SM4 control module 330. The SGMII control module 310 is connected to the MAC chip 200, from which it receives the plaintext data to be encrypted, and to the network port module, to which it sends the encrypted data. The SM4-IP core 320 is connected to the SGMII control module 310 through the SM4 control module 330 and provides the SM4 symmetric algorithm, i.e. the SM4 symmetric block cipher; the SM4 control module 330 controls the SM4-IP core.
The encryption process for network message data is as follows: the MAC chip 200 passes plaintext data to the encryption FPGA and the encryption operation starts; the SGMII control module 310 invokes the SM4-IP core 320 to encrypt the plaintext; the resulting ciphertext is returned to the SGMII control module 310 and sent through it to the PHY chip 610. Decryption is the reverse of this process.
Referring to Fig. 3, for network data transmission between computer users A and B, both users must be fitted with a special encryption/decryption network card. This card also carries an encryption FPGA, with the same function as the encryption FPGA of this embodiment, which encrypts and decrypts the data:
1) the standard Ethernet packet sent by user A is processed by the special encryption/decryption network card, converted into a special protocol packet and transmitted onto the network;
2) the encryption switch receives the special protocol packet; the encryption FPGA 300 processes it and converts it back into a standard Ethernet packet, which enters the MAC chip 200;
3) the MAC chip 200 forwards the data from user A's network port to the port corresponding to user B;
4) the standard Ethernet packet leaving user B's port is processed by the encryption FPGA 300, converted into a special protocol packet and transmitted onto the network;
5) after receiving the special protocol packet, user B's special encryption/decryption network card processes it and converts it into a standard Ethernet packet, recovering the real data sent by user A.
A special network communication protocol is built into the encryption FPGA. It destroys and recombines normal Ethernet frame data according to a specific rule before transmission, and after the data arrives at the opposite end it is restored according to the same rule. Therefore the data messages cannot be intercepted and cracked on the actual transmission line, and the purpose of protecting data security is achieved.
When an ordinary terminal device or an unauthorized device is connected to the switching platform, the connection is cut off at the link layer, and no data exchange or data analysis can take place.
Referring to Fig. 4, the distribution process of the random key is as follows.
A reliable random key generation module is configured in the Loongson CPU 100, and the key it generates is sent to the encryption FPGA 300 for data encryption. When a user connects to the special secure communication network, security authentication is performed first; after authentication passes, the random key generation module computes the key used for encrypting and decrypting the special communication protocol and distributes it to the user under the previous key. Once the authorized user has updated the local special encryption/decryption network card with it, the two parties can communicate normally.
In terms of key usage, when a user shuts down or disconnects from the network, the key automatically expires. The user cannot see the key data directly while using or applying for the key. The encryption switch may periodically update the keys according to a security policy.
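The following is an added example, not the patent's own logic and not the vendor's FPGA code: it models the frame flow of steps 1) to 5) above together with the per-port random keys of Fig. 4 in Python. SM4 is implemented as specified in GB/T 32907-2016 and checked against the standard test vector. Everything else is an assumption made for the illustration, since the patent names neither the mode of operation nor the packet format: the "special protocol" packet is taken to be an 8-byte fresh nonce followed by the standard frame encrypted with SM4 in CTR mode, the `EncryptionSwitch` class stands in for the CPU key generator, the per-port encryption FPGA and the MAC chip, and the port numbers, MAC addresses and payload are constructed sample data.

```python
import os
import struct

# SM4 block cipher (GB/T 32907-2016): S-box, system parameter FK and round
# constants CK, the latter generated from ck_ij = (4i + j) * 7 mod 256.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = [int.from_bytes(bytes(((4 * i + j) * 7) & 0xFF for j in range(4)), "big")
      for i in range(32)]

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
def _tau(x):  # byte-wise S-box substitution on a 32-bit word
    return int.from_bytes(bytes(SBOX[b] for b in x.to_bytes(4, "big")), "big")
def _t_enc(x):  # T = L . tau, the round transformation
    b = _tau(x)
    return b ^ _rotl(b, 2) ^ _rotl(b, 10) ^ _rotl(b, 18) ^ _rotl(b, 24)
def _t_key(x):  # T' = L' . tau, used only by the key schedule
    b = _tau(x)
    return b ^ _rotl(b, 13) ^ _rotl(b, 23)

def sm4_round_keys(key):
    k = [w ^ f for w, f in zip(struct.unpack(">4I", key), FK)]
    for i in range(32):
        k.append(k[i] ^ _t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]

def sm4_encrypt_block(rk, block):
    x = list(struct.unpack(">4I", block))
    for i in range(32):
        x.append(x[i] ^ _t_enc(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i]))
    return struct.pack(">4I", x[35], x[34], x[33], x[32])

def sm4_self_test():
    # Standard test vector from GB/T 32907-2016 (plaintext equals the key).
    key = bytes.fromhex("0123456789abcdeffedcba9876543210")
    return sm4_encrypt_block(sm4_round_keys(key), key).hex()

def sm4_ctr(key, nonce, data):
    # Counter mode (assumed; the patent names no mode): keystream block i =
    # E_k(nonce || i). Encrypts and decrypts alike, no padding, no integrity.
    rk = sm4_round_keys(key)
    out = bytearray()
    for off in range(0, len(data), 16):
        ks = sm4_encrypt_block(rk, nonce + struct.pack(">Q", off // 16))
        out += bytes(a ^ b for a, b in zip(data[off:off + 16], ks))
    return bytes(out)

# Assumed "special protocol" packet: 8-byte fresh nonce || SM4-CTR(frame).
def wrap(key, frame):
    nonce = os.urandom(8)
    return nonce + sm4_ctr(key, nonce, frame)
def unwrap(key, packet):
    return sm4_ctr(key, packet[:8], packet[8:])

class EncryptionSwitch:
    # Model of CPU key generation, per-port FPGA crypto and MAC forwarding.
    def __init__(self):
        self.port_keys = {}  # port -> 16-byte key; no entry = unauthorized
        self.mac_table = {}  # learned source MAC -> port
    def authorize(self, port):
        # After authentication passes the CPU issues a random key for the port.
        self.port_keys[port] = os.urandom(16)
        return self.port_keys[port]
    def disconnect(self, port):
        self.port_keys.pop(port, None)  # key expires when the link drops
    def forward(self, in_port, packet):
        key = self.port_keys.get(in_port)
        if key is None:
            return None  # unauthorized device: cut off at the link layer
        frame = unwrap(key, packet)  # special protocol -> standard frame
        self.mac_table[frame[6:12]] = in_port  # learn source MAC
        out_port = self.mac_table.get(frame[:6])
        if out_port is None or out_port not in self.port_keys:
            return None  # unknown or unauthorized destination: drop
        return out_port, wrap(self.port_keys[out_port], frame)

def simulate_a_to_b():
    # Constructed sample frame: dst MAC (B), src MAC (A), EtherType, payload.
    mac_a, mac_b = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
    frame_a = mac_b + mac_a + b"\x08\x00" + b"constructed payload from A"
    sw = EncryptionSwitch()
    key_a, key_b = sw.authorize(1), sw.authorize(2)
    sw.mac_table[mac_b] = 2                    # B was learned on port 2
    wire_a = wrap(key_a, frame_a)              # step 1: A's NIC encrypts
    out_port, wire_b = sw.forward(1, wire_a)   # steps 2-4 inside the switch
    frame_b = unwrap(key_b, wire_b)            # step 5: B's NIC decrypts
    sw.disconnect(2)                           # B leaves: its key is revoked
    return {"frame_a": frame_a, "wire_a": wire_a, "wire_b": wire_b,
            "out_port": out_port, "frame_b": frame_b,
            "unauthorized_dropped": sw.forward(3, wire_a) is None,
            "after_disconnect_dropped": sw.forward(1, wire_a) is None}
```

Running `simulate_a_to_b()` shows the two properties the description claims: the bytes on A's cable and on B's cable are different ciphertexts of the same frame (each port has its own random key, so the switch decrypts and re-encrypts), and a packet arriving on a port that was never authorized, or a frame bound for a port whose key has expired, is dropped without being forwarded. Because CTR mode gives confidentiality only, a deployed design would also carry an integrity tag so that a modified packet is detected rather than decrypted into garbage.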
To further improve the security of data protection, a self-destruction device and an anti-theft detection unit are also arranged in the switch body. The anti-theft detection unit is connected with the Loongson CPU and sends feedback information after the switch is physically damaged or stolen; the Loongson CPU is connected with the self-destruction device and triggers self-destruction after the switch is physically damaged or stolen, to prevent data leakage. The self-destruction device can be a conventional electric shock device, a physical firing-pin self-destruction device, a blasting charge self-destruction device or the like.
The anti-theft detection unit comprises a self-destruction key 710, a cover-opening detection sensor 720, an electric quantity detection module 730 and a position detection sensor 740, each of which is connected with the Loongson CPU 100.
The self-destruction key 710 is arranged at the button position of the switch body; a user who discovers danger can actively press it to send a feedback signal to the Loongson CPU 100. The cover-opening detection sensor 720 is arranged at the cover plate of the switch body and sends a feedback signal to the Loongson CPU 100 when the housing of the switch body is violently damaged. The electric quantity detection module 730 is connected with the power supply module and feeds back a signal to the Loongson CPU 100 when the lithium battery level is low. The position detection sensor 740 is installed in the switch body and feeds back a signal to the Loongson CPU 100 when the switch body is stolen and moved elsewhere.
A parameter configuration port 800 is also included. In this embodiment the parameter configuration port 800 comprises an MGMT port and a Console port; the Console port is connected to the Loongson CPU 100 through a Console-PHY chip, and the MGMT port is connected to the Loongson CPU through a serial port chip.
In order to enhance heat dissipation, a fan 900 is also disposed in the switch body, and the fan 900 is controlled by the Loongson CPU 100.
To sum up, in the embodiment of the utility model the encryption FPGA 300 destroys and recombines normal Ethernet frame data according to a specific rule, and the result is transmitted through the MAC chip 200. After the data arrives at the opposite end it is restored according to the same rule. Therefore the data messages cannot be intercepted and cracked on the actual transmission line; the data on the network line is encrypted, scrambled data, and the encrypted content cannot be stolen by network interception, so the aim of protecting data security is fulfilled. Network data exchange is encrypted by a domestic FPGA chip, the encryption algorithm and encryption key can be updated dynamically, and attacks at the network layer and application layer can be discarded directly while the real-time performance of network communication is preserved.
Meanwhile, the domestic Loongson CPU 100 is adopted in the switch, which effectively prevents leaks through a backdoor in the CPU chip, and meets the application requirements of confidential office environments related to national defense security and social stability (party and government administration, national defense departments, scientific research institutions, the financial industry, group enterprises and the like) and of important office environments that hold sensitive economic data and can influence the operation of the economic system.
The embodiments of the present invention have been described in detail with reference to the accompanying drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.
Claims (9)
1. A secure encryption switch, comprising: a switch body, a Loongson CPU (100), a MAC chip (200), an encryption FPGA (300), a network port module, a DDR memory (400), a storage (500) and a power module for supplying power, wherein the Loongson CPU (100) and the MAC chip (200) are connected to each other to control data transmission, the MAC chip (200) is connected with the network port module through the encryption FPGA (300), which encrypts the message data before it is transmitted, the Loongson CPU (100) is connected with the encryption FPGA (300) to send it a random key, and the DDR memory (400) and the storage (500) are each connected with the Loongson CPU.
2. The secure encryption switch of claim 1, wherein: the encryption FPGA (300) comprises an SGMII control module (310), an SM4-IP core (320) and an SM4 control module (330); the SGMII control module (310) is connected with the MAC chip (200) to encrypt plaintext data, and with the network port module to send the encrypted data; the SM4-IP core (320) is connected with the SGMII control module (310) through the SM4 control module (330) to provide the SM4 symmetric algorithm; and the SM4 control module (330) controls the SM4-IP core.
3. The secure encryption switch of claim 1, wherein: the network port module comprises a PHY chip (610) and an Ethernet port (620), and the encryption FPGA (300) is connected with the Ethernet port (620) through the PHY chip (610).
4. The secure encryption switch of claim 1, further comprising a self-destruction device and an anti-theft detection unit installed in the switch body, wherein: the anti-theft detection unit is connected with the Loongson CPU and sends feedback information after the switch is physically damaged or stolen, and the Loongson CPU is connected with the self-destruction device and triggers self-destruction after the switch is physically damaged or stolen, to prevent data leakage.
5. The secure encryption switch of claim 4, wherein: the anti-theft detection unit comprises a self-destruction key (710), a cover-opening detection sensor (720), an electric quantity detection module (730) and a position detection sensor (740); the self-destruction key (710) is arranged at the button position of the switch body, the cover-opening detection sensor (720) is arranged at the cover plate of the switch body, the electric quantity detection module (730) is connected with the power supply module, the position detection sensor (740) is arranged in the switch body, and the self-destruction key (710), the cover-opening detection sensor (720), the electric quantity detection module (730) and the position detection sensor (740) are each connected with the Loongson CPU (100).
6. The secure encryption switch of claim 1, further comprising a parameter configuration port (800), wherein the parameter configuration port (800) is connected with the Loongson CPU (100) through a Console-PHY chip or a serial port chip.
7. The secure encryption switch of claim 1, wherein: the model of the Loongson CPU (100) is Loongson 2H.
8. The secure encryption switch of claim 1, wherein: the model of the MAC chip (200) is CTC 5160.
9. The secure encryption switch of claim 1, wherein: the model of the encryption FPGA (300) is PGT 220H.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202020282201.6U CN211630188U (en) | 2020-03-09 | 2020-03-09 | Secure encryption switch |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202020282201.6U CN211630188U (en) | 2020-03-09 | 2020-03-09 | Secure encryption switch |
Publications (1)
Publication Number | Publication Date |
---|---|
CN211630188U true CN211630188U (en) | 2020-10-02 |
Family
ID=72621192
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202020282201.6U Active CN211630188U (en) | 2020-03-09 | 2020-03-09 | Secure encryption switch |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN211630188U (en) |
- 2020-03-09 CN CN202020282201.6U patent/CN211630188U/en active Active
Legal Events
Date | Code | Title | Description |
---|---|---|---|
GR01 | Patent grant | ||