WO2021080050A1 - Electronic security system in unmanned aerial vehicle, for high-speed encryption/decryption processing - Google Patents


Publication number
WO2021080050A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
data
decryption
queue
stored
Application number
PCT/KR2019/014139
Other languages
French (fr)
Korean (ko)
Inventor
김강산
박병관
Original Assignee
단암시스템즈 주식회사
Application filed by 단암시스템즈 주식회사
Priority to PCT/KR2019/014139
Publication of WO2021080050A1

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B64: AIRCRAFT; AVIATION; COSMONAUTICS
    • B64U: UNMANNED AERIAL VEHICLES [UAV]; EQUIPMENT THEREFOR
    • B64U10/00: Type of UAV
    • B64U10/10: Rotorcrafts
    • B64U10/13: Flying platforms
    • B64U20/00: Constructional aspects of UAVs
    • B64U20/80: Arrangement of on-board electronics, e.g. avionics systems or wiring
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators

Definitions

  • The present invention relates to an electronic security system for high-speed encryption/decryption processing of transmission/reception data in a data-link communication system of an unmanned aerial vehicle (hereinafter referred to as “UAV”).
  • UAVs were developed for military purposes, but thanks to recent technological advances, the market is rapidly expanding into industrial and private sectors such as broadcasting shooting, communication relay, agriculture, traffic surveillance, disaster response, reconnaissance, delivery, and leisure.
  • UAV uses wireless communication technology to perform a mission through remote control or automatic control, and in order to properly perform a given mission, the high reliability of a wireless communication system that continuously connects the UAV and the ground control system is very important.
  • The UAV's wireless communication channel uses a wireless network that is always open, so it is highly susceptible to wireless security attacks. Through UAV-related security threat techniques such as communication hacking, controller hacking, and sensor hacking, the UAV is in an environment where it is very likely to be physically damaged, or stolen and exploited for other purposes.
  • data link spoofing can be said to be a more serious security problem since it can completely take control of the UAV.
  • Conventional UAV data link security technology encrypts data using encryption algorithms such as DES (Digital Encryption Standard), AES (Advanced Encryption Standard), ARIA (Academy, Research Institute, Agency), and SEED, and then transmits and receives the data through the modulation and demodulation of a modem. The transmitter encrypts the transmitted data, modulates it through a modem, and transmits it wirelessly, and the receiver demodulates and decrypts the received data to restore the data.
  • data encryption is implemented by being built-in together with a data processing unit, which is a modem unit that performs modulation/demodulation in a data link, or is interfaced with an external encryption device to encrypt/decrypt transmission/reception data.
  • The encryption key is transmitted from the control device that controls the data link or from an external storage medium and is stored internally. Data link transmission/reception data encryption keys are commonly managed and operated as a fixed symmetric encryption key, in which the UAV and the control station or radio station use the same key.
  • UAV data link transmission/reception data is UAV tele-command (TC), telemetry (TM) or observation image information from the ground control system.
  • Because TC/TM data follow the system standard and repeat in a certain pattern, the possibility of guessing or estimating the original data when a third party collects or observes data repeatedly transmitted and received over the radio is relatively higher than for general communication.
  • Given these characteristics of the transmission/reception data, the encryption application method, and the key management structure, it is difficult to satisfy or maintain a high level of security in terms of confidentiality, integrity, and availability. In addition to the possibility of observation of the radio channel by a third party, if the UAV is stolen, the security system is exposed and the operation of the existing UAV must be stopped or the structure must be changed.
  • Patent Document 1 Korean Patent Publication No. 10-2015-0001206 (Publication)
  • the present invention has been devised in accordance with the above-described necessity, and the present invention provides a high-speed encryption/decryption system for transmission/reception data in an unmanned aerial vehicle data link communication system.
  • the present invention provides an electronic security system for providing a unique identification that cannot be physically replicated in an unmanned aerial vehicle data link, and for securing encryption key management and security of an encryption device.
  • the present invention provides an electronic security system in an unmanned aerial vehicle capable of high-speed encryption/decryption processing by parallel processing of data in an input/output (Full-Duplex) direction.
  • An electronic security system in an unmanned aerial vehicle for high-speed encryption/decryption processing may include:
  • a main processor configured to input/output at least one of plaintext data to be transmitted to the ground control station of the unmanned aerial vehicle and ciphertext data received from the ground control station;
  • a buffer unit temporarily storing the at least one data in a plurality of queues;
  • an extended memory interface control unit for generating a write completion signal when storing of the at least one data is completed, and reading the plaintext data or the ciphertext data stored in some of the plurality of queues when a read command is received;
  • an encryption/decryption control unit that, when the write completion signal is generated, generates an encryption command or a decryption command for the data stored in those queues and, when an encryption completion signal or a decryption completion signal for the data is received, generates a read command for the read; and
  • an encryption/decryption unit that, upon receiving the encryption command, encrypts the plaintext data through an encryption/decryption engine unit using a decrypted security key, temporarily stores the encrypted data, and generates an encryption completion signal, and, upon receiving the decryption command, decrypts the ciphertext data through the encryption/decryption engine unit using the decrypted security key, temporarily stores the decrypted plaintext data, and generates a decryption completion signal.
  • A link-layer security technology against eavesdropping, observation, and hijacking of transmission/reception data by unauthorized third parties in an unmanned aerial vehicle data link wireless communication system is proposed, providing an electronic security system that can improve the security of the unmanned aerial vehicle data link communication system.
  • The electronic security system of the UAV can be implemented with hardware separate from the data processing unit, thereby increasing the degree of security for a unique security key and improving the encryption/decryption processing speed of data.
  • The electronic security system of the UAV has the effect of reducing problems that occur in the unmanned aerial vehicle system due to the delay caused by the encryption/decryption process.
  • the electronic security system of the UAV according to the above-described embodiment of the present invention has an effect of providing the advantage of low-latency processing by shortening the time required for data processing due to encryption/decryption.
  • FIG. 1 is a block diagram of an electronic security system in an unmanned aerial vehicle according to an embodiment of the present invention.
  • FIG. 2 is a diagram illustrating a process of encrypting plain text data to be transmitted to a ground control station according to an embodiment of the present invention.
  • FIG. 3 is a diagram illustrating a process of decrypting ciphertext data transmitted from a ground control station according to an embodiment of the present invention.
  • FIG. 4 is a diagram for explaining a process in which a security key management unit transmits an encrypted security key to the encryption/decryption processor 160 according to an embodiment of the present invention.
  • FIG. 5 is a diagram illustrating a process of processing plain text data to be transmitted to a ground control station according to an embodiment of the present invention.
  • FIG. 6 is a diagram illustrating a process of processing encrypted text data transmitted from a ground control station according to an embodiment of the present invention.
  • FIG. 7 is a diagram illustrating a simultaneous processing process of plain text data and encrypted text data for high-speed encryption/decryption processing according to an embodiment of the present invention.
  • FIG. 8 is a diagram illustrating a configuration example of an electronic security system according to an embodiment of the present invention.
  • FIG. 9 is a diagram illustrating a configuration example of an electronic security system according to another embodiment of the present invention.
  • block diagrams herein are to be understood as representing a conceptual perspective of exemplary circuits embodying the principles of the invention.
  • All flowcharts, state transition diagrams, pseudocode, etc. should be understood to represent various processes that can be substantially represented in a computer-readable medium and performed by a computer or processor, whether or not the computer or processor is clearly depicted.
  • the functions of the various elements shown in the drawings may be provided by the use of dedicated hardware as well as hardware having the ability to execute software in association with appropriate software.
  • the function may be provided by a single dedicated processor, a single shared processor, or a plurality of individual processors, some of which may be shared.
  • DSP digital signal processor
  • ROM read-only memory
  • RAM random access memory
  • non-volatile memory Other commonly used hardware may also be included.
  • Components expressed as means for performing the functions described in the detailed description are intended to include all methods of performing those functions, including, for example, combinations of circuit elements that perform the functions or all types of software, including firmware/microcode, combined with suitable circuitry for executing the software. Since the invention defined by these claims combines the functions provided by the various enumerated means in the manner required by the claims, any means capable of providing those functions should be understood as equivalent to those conceived from this specification.
  • the present invention relates to a hardware-based encryption/decryption apparatus and method for encrypting/decrypting transmission/reception data in an unmanned aerial vehicle (UAV) data-link communication system.
  • data link transmission/reception data is high-speed encrypted/decrypted using a queue, which is a multi-data buffer implemented on hardware, and multi-encryption/decryption algorithm engine to minimize transmission delay due to encryption/decryption operation.
  • it is characterized by improving the security of encryption/decryption function and security key management in unmanned aerial vehicles by using a unique identifier generated through a physically unclonable function (PUF) circuit that cannot be physically duplicated.
  • FIG. 1 is a block diagram of an electronic security system in an unmanned aerial vehicle according to an embodiment of the present invention.
  • FIG. 1 shows an electronic security system 130 for hardware-based encryption/decryption in order to enhance security with a ground control station performing wireless communication with an unmanned aerial vehicle or a ground control station including a radio station.
  • the flight controller 110 controls the flight of the UAV according to the command received from the ground control station, and serves to collect various types of information.
  • the data processing unit 120 demodulates the encrypted data received from the ground control station and transmits it to the flight control unit 110, modulates the encrypted data generated by the flight control unit 110 and transmits it to the ground control station.
  • the electronic security system 130 performs interfacing of data transmitted between the flight control unit 110 and the data processing unit 120, and performs encryption/decryption of the interfacing data.
  • the first serial interface control unit 140a, the main processor 140b, and the second serial interface control unit 140c are included in the main processor unit 140.
  • The first serial interface control unit 140a converts between parallel data processed by the main processor 140b and serial data processed by the flight control unit 110, and controls the first serial interface so that the main processor 140b and the flight control unit 110 communicate bidirectional high-speed serial data in a full-duplex manner.
  • the second serial interface controller 140c controls a second serial interface for communicating bidirectional high-speed serial data between the main processor 140b and the data processing unit 120 in a full-duplex manner.
  • The first serial interface control unit 140a and the second serial interface control unit 140c include serial communication controllers such as Ethernet MAC, UART Controller, SPI, I2C, CAN Controller, and USB Controller, and input and output transmission/reception data through serial communication such as Ethernet, RS232, RS422, CAN, and USB.
  • The main processor 140b may be implemented as a single core or a multi-core, and controls the encryption/decryption processor 160 to perform encryption/decryption of the data transmitted and received at high speed through the first serial interface 140a and the second serial interface 140c.
  • The encryption/decryption processor 160 may be implemented in a hardware form such as a Field Programmable Gate Array (FPGA), and includes an extended memory interface control unit 162, a buffer unit 164 including a plurality of queues, an encryption/decryption control unit 170, an encryption/decryption unit 172, a security key decryption unit 174, and an encryption/decryption engine unit 176 including a plurality of encryption engines.
  • The extended memory interface control unit 162 allows the main processor 140b to access, through memory addresses, the queues 164a, 164b, 164c, 164d included in the buffer unit 164 and the encryption/decryption control unit 170.
  • The extended memory interface control unit 162 manages the addresses at which data input through the main processor 140b is stored in the queues 164a, 164b, 164c, 164d of the buffer unit 164, and transmits a queue status signal for the queues 164a, 164b, 164c, 164d to the encryption/decryption control unit 170.
  • The queue status signal includes the storage space of the queues 164a, 164b, 164c, 164d or a read/write signal for the queues 164a, 164b, 164c, 164d.
  • the extended memory interface control unit 162 outputs information on the operation state of the encryption/decryption control unit 170 to the main processor 140b.
  • The information on the operation state of the encryption/decryption control unit 170 includes information on the operation state of the encryption/decryption engines included in the encryption/decryption engine unit 176: a Busy signal when an engine's encryption/decryption operation is in progress, a Ready signal when it is preparing, and a Complete signal when encryption/decryption is completed.
  • The extended memory interface control unit 162 performs data reading and data writing operations for the queues 164a, 164b, 164c, and 164d included in the buffer unit 164.
  • The extended memory interface control unit 162 generates a write completion signal including the size and memory address in which the data is stored.
  • The extended memory interface control unit 162 stores data input through the main processor 140b in the queues 164a, 164b, 164c, 164d, or reads data stored in the queues 164a, 164b, 164c, 164d and outputs it to the main processor 140b.
  • The buffer unit 164 includes a plurality of queues 164a, 164b, 164c, 164d. The queues 164a, 164b, 164c, 164d are memories having a first in first out (FIFO) structure that store plaintext data and ciphertext data input from the main processor 140b, and data encrypted or decrypted by the encryption/decryption unit 172.
  • The main processor 140b outputs plaintext data transmitted from the flight control unit 110 through the first serial interface control unit 140a to the buffer unit 164 through the extended memory interface control unit 162, receives the ciphertext data, which is the encrypted form of the plaintext data, through the extended memory interface control unit 162, and transmits the received data to the data processing unit 120 through the second serial interface control unit 140c.
  • The first queue 164a stores plaintext data input from the main processor 140b, and the second queue 164b stores encrypted data for the plaintext data stored in the first queue 164a.
  • The fourth queue 164d stores the encrypted text data input from the main processor 140b, and the third queue 164c stores the decrypted plaintext data of the encrypted data stored in the fourth queue 164d.
  • By buffering the timing conflicts and data overhead between the period in which plaintext data is stored in the queue and the period in which the stored plaintext data is encrypted, the data processing flow can be smoothed, and thus the high-speed encryption/decryption operation can be sustained.
  • the encryption/decryption control unit 170 stores the memory address of the queue in which plaintext data to be encrypted is stored, the size of the stored data or the memory address of the queue in which the ciphertext data to be decrypted is stored, and the stored data size information.
  • an encryption command or a decryption command is transmitted to the encryption/decryption unit 172.
  • the encryption command or decryption command includes the size of the data to be encrypted/decrypted and the stored memory address.
  • The encryption/decryption unit 172 controls the encryption/decryption engines included in the encryption/decryption engine unit 176 and monitors the operation state of each engine. In addition, it receives the decrypted security key from the security key management unit 150 and controls the encryption/decryption engines to encrypt/decrypt the data stored in the buffer unit 164 using the security key.
  • The main processor 140b can be blocked from directly accessing the encryption/decryption engine unit 176 and monitoring its state, so confidentiality from the outside can be maintained.
  • According to the encryption command or decryption command, the encryption/decryption unit 172 performs encryption/decryption on the stored data using the plurality of encryption/decryption algorithm engines included in the encryption/decryption engine unit 176. When encryption/decryption is completed, it stores the encrypted or decrypted data in the buffer unit 164, then generates an encryption completion or decryption completion signal and transmits it to the encryption/decryption control unit 170.
  • The encryption/decryption engine unit 176 includes encryption/decryption engines using a plurality of encryption/decryption algorithms or multiple cryptographic hash functions, and is responsible for the encryption/decryption operation on data.
  • The encryption/decryption engine unit 176 may be implemented as hardware logic for high-speed encryption operation processing, and the encryption/decryption algorithm is AES (Advanced Encryption Standard) 128/256, DES (Digital Encryption Standard), SEED, ARIA (Academy, Research Institute, Agency).
  • LEA Lightweight Encryption Algorithm
  • The security key decryption unit 174 decrypts the security key encrypted by the security key management unit 150 and transmits the decrypted security key to the encryption/decryption unit 172.
  • the encryption/decryption unit 172 may perform encryption/decryption through the encryption/decryption engine unit 176 using the security key decrypted by the security key decryption unit 174.
  • The security key decryption unit 174 stores in advance the security key encryption key, which is the key the security key management unit 150 uses to encrypt the security key.
  • the security key management unit 150 includes a Physically Unclonable Function (PUF) circuit 150a, a non-volatile memory 150b, and a security key encryption unit 150c.
  • the PUF circuit 150a generates a unique key, which is an unpredictable digital value, using a process variation in a semiconductor manufacturing process, and stores it in the nonvolatile memory 150b. At this time, the generated unique key is used as a secure key used in the present invention.
  • the security key encryption unit 150c encrypts the security key, which is a unique key stored in the nonvolatile memory 150b, with an encryption key, and outputs the encrypted key to the security key decryption unit 174.
  • the encryption key is a nonce (Number used ONCE), which is a random number used once, and a hash value generated through a hash function for the nonce.
  • Since the security key decryption unit 174 knows the security key encryption key (Secure Key Encryption Key) in advance, it can obtain the security key by decrypting the encrypted security key transmitted from the security key management unit 150 with the security key encryption key.
  • The encryption/decryption processor 160 implemented as an FPGA performs encryption/decryption of data through the internal encryption/decryption engine unit 176, and the security key management unit 150 encrypts the unique security key, generated by the PUF circuit 150a and stored in the nonvolatile memory 150b, with an encryption key and transmits it to the encryption/decryption processor 160. This prevents physical exposure of the security key and thereby improves confidentiality.
  • FIG. 2 is a diagram illustrating a process of encrypting plain text data to be transmitted to a ground control station according to an embodiment of the present invention.
  • The electronic security system 130 encrypts the plaintext data 210 input from the flight control unit 110 and outputs the resulting encrypted text data 220 to the data processing unit 120.
  • the data processing unit 120 receiving the ciphertext data 220 modulates the ciphertext data 220 and transmits the modulated ciphertext data 220 to a control station on the ground.
  • As shown by reference numeral 250, when the plaintext data 210 is received through the first serial interface controller 140a, the main processor 140b outputs it to the extended memory interface controller 162 of the encryption/decryption processor 160, and the extended memory interface control unit 162 stores the plaintext data in the first queue 164a of the buffer unit 164.
  • reference numeral 230 denotes the plain text data stored in the first queue 164a.
  • The extended memory interface control unit 162 outputs to the encryption/decryption control unit 170 a write completion signal including the size of the plaintext data 230 stored in the first queue 164a and the memory address at which it is stored in the first queue 164a.
  • The encryption/decryption control unit 170 outputs to the encryption/decryption unit 172 an encryption command instructing it to perform encryption of the plaintext data 230 stored in the first queue 164a.
  • the encryption command may include the size and memory address of the plaintext data 230 stored in the first queue 164a.
  • When the encryption/decryption unit 172 receives the encryption command, the plaintext data 230 stored in the first queue 164a is encrypted through the encryption/decryption engine unit 176.
  • the encryption/decryption engine unit 176 encrypts the plaintext data 230 through the security key decrypted by the security key decryption unit 174.
  • The encryption/decryption engine unit 176 may be composed of N encryption/decryption engines, and may perform encryption using only one of the N encryption/decryption engines, or may perform parallel encryption processing on the plaintext data using a plurality of encryption/decryption engines.
  • When encryption of the plaintext data 230 by the encryption/decryption engine unit 176 is completed, the encryption/decryption unit 172 stores the encrypted text data in the second queue 164b (240) and outputs the encryption completion signal to the encryption/decryption control unit 170.
  • the encryption completion signal may include a size of the ciphertext data 240 stored in the second queue 164b and a memory address of the ciphertext data stored in the second queue 164b.
  • the encryption/decryption control unit 170 may determine an encryption/decryption engine to be used by the encryption/decryption unit 172 and determine various parameters of the determined encryption/decryption engine.
  • Upon receiving the encryption completion signal, the encryption/decryption control unit 170 outputs a read command for the encrypted text data 240 stored in the second queue 164b to the extended memory interface control unit 162.
  • After receiving the read command, the extended memory interface control unit 162 reads the encrypted text data 240 stored in the second queue 164b and outputs it to the main processor 140b, and the main processor 140b outputs the encrypted text transmission data packet 220 to the data processing unit 120 through the second serial interface control unit 140c (reference numeral 260).
  • FIG. 3 is a diagram illustrating a decryption process of a ciphertext data 310 transmitted from a ground control station according to an embodiment of the present invention.
  • Reference numerals 350, 360, and 370 show the process in which the electronic security system 130 decrypts the ciphertext data 310 input from the data processing unit 120 and outputs the resulting plaintext data 320 to the flight control unit 110.
  • the data processing unit 120 receiving the encrypted text data 310 demodulates the encrypted text data 310 and outputs it to the electronic security system 130.
  • As shown by reference numeral 350, when the encrypted text data 310 is received through the second serial interface controller 140c, the main processor 140b outputs it to the extended memory interface controller 162 of the encryption/decryption processor 160, and the extended memory interface control unit 162 stores the encrypted text data in the fourth queue 164d of the buffer unit 164.
  • reference numeral 350 denotes the encrypted text data stored in the fourth queue 164d.
  • The extended memory interface control unit 162 outputs to the encryption/decryption control unit 170 a write completion signal including the size of the encrypted text data 350 stored in the fourth queue 164d and the memory address at which it is stored in the fourth queue 164d.
  • Upon receiving the write completion signal from the extended memory interface control unit 162, the encryption/decryption control unit 170 outputs to the encryption/decryption unit 172 a decryption command instructing it to perform decryption of the encrypted text data 350 stored in the fourth queue 164d.
  • the decryption command may include the size and memory address of the encrypted text data 350 stored in the fourth queue 164d.
  • Upon receiving the decryption command, the encryption/decryption unit 172 decrypts the encrypted text data 350 stored in the fourth queue 164d through the encryption/decryption engine unit 176.
  • The encryption/decryption unit 172 transmits the security key decrypted by the security key decryption unit 174 to the encryption/decryption engine unit 176, and the encryption/decryption engine unit 176 decrypts the encrypted text data 350 using the security key.
  • The encryption/decryption engine unit 176 may be composed of N encryption/decryption engines, and decryption may be performed using only one of the N encryption/decryption engines, or a plurality of encryption/decryption engines may be used to perform parallel decryption processing on the encrypted text data.
  • When decryption of the encrypted text data 350 by the encryption/decryption engine unit 176 is completed, the encryption/decryption unit 172 stores the decrypted plaintext data in the third queue 164c (360), and then outputs the decryption completion signal to the encryption/decryption control unit 170.
  • the decryption completion signal may include a size of the plaintext data 340 stored in the third queue 164c and a memory address of the plaintext data stored in the third queue 164c.
  • the encryption/decryption control unit 170 may determine an encryption/decryption engine to be used by the encryption/decryption unit 172 and determine various parameters of the determined encryption/decryption engine.
  • Upon receiving the decryption completion signal, the encryption/decryption control unit 170 outputs a read command for the plain text data 340 stored in the third queue 164c to the extended memory interface control unit 162.
  • the extended memory interface controller 162 receives the plain text data 340 stored in the third queue 164c and outputs it to the main processor 140b, and the main processor 140b outputs the plaintext reception data packet 320 to the flight control unit 110 through the first serial interface control unit 140a (reference number 370).
  • a queue in which plaintext data is stored, a queue in which encrypted data of plaintext data is stored, a queue in which ciphertext data is stored, and a queue in which decrypted data of ciphertext data is stored are respectively specified and described.
  • FIG. 4 is a diagram for explaining a process in which the security key management unit 150 transmits an encrypted security key to the encryption/decryption processor 160 according to an embodiment of the present invention.
  • the security key described in the present invention is an encryption key used for encryption/decryption in wired/wireless communication, and includes a master key, a session key, a derived key, and the like.
  • the security key management unit 150 includes a PUF (Physical Unclonable Function) circuit 150a, a nonvolatile memory 150b, and a security key encryption unit 150c.
  • the PUF (Physical Unclonable Function) circuit 405 is a circuit that generates at least one physically unclonable security key (Secure Key), and the nonvolatile memory 150b stores the security key 410 generated by the PUF circuit.
  • the security key encryption unit 150c encrypts the security key 410 stored in the nonvolatile memory 150b using an encryption key (reference numeral 430). At this time, the security key encryption unit 150c generates the encryption key used to encrypt the security key from a nonce (Number used ONCE), which is a random number used once, and a hash value generated by applying a hash function to the nonce. Then, the security key encryption unit 150c transmits the encrypted security key 430 to the security key decryption unit 174 of the encryption/decryption processor 160.
  • the security key decryption unit 174 decrypts the encrypted security key 430 transmitted from the security key management unit 150 using a previously stored security key encryption key (reference number 450), and the decrypted security key is transmitted to the encryption/decryption engine unit 176 through the encryption/decryption unit 172 (460). In addition, the encryption/decryption engine unit 176 performs encryption/decryption using the received security key (470).
  • the security key is encrypted before it is transmitted from the security key management unit 150 to the encryption/decryption processor 160, so that a third party who monitors or hardware-probes the interface between the security key management unit 150 and the encryption/decryption processor 160 cannot steal or guess the security key.
  • the security key management unit 150 encrypts and outputs the security key, thereby maintaining the confidentiality of the security key.
  • FIG. 5 is a diagram illustrating a process of processing plain text data to be transmitted to a ground control station according to an embodiment of the present invention.
  • FIG. 5 shows the process of handling the plain text data to be transmitted to the ground control station, as part of the operation in which the electronic security system of the unmanned aerial vehicle simultaneously processes full-duplex data input and output from the flight control unit 110 and the data processing unit 120.
  • the plain text data output from the flight control unit 110 is encrypted by the encryption engine unit 176 through a specific queue among the plurality of queues, and then transmitted to the data processing unit 120 and transmitted to the ground control station.
  • the flight control unit 110 transmits plain text data (Plaintext) to the main processor 140b through the first serial interface under the control of the first serial interface control unit 140a.
  • the main processor 140b temporarily stores plain text data in some of the plurality of queues.
  • the plain text data may be stored in the first queue 164a.
  • When the storage of the plain text data is completed, the extended memory interface control unit 162 generates a write completion signal.
  • When a write completion signal is generated from the extended memory interface controller 162, the encryption/decryption control unit 170 generates an encryption command for the plain text data stored in some queues (first queue).
  • When receiving the encryption command, the encryption/decryption unit 172 encrypts the plaintext data through the encryption/decryption engine unit using the decrypted security key.
  • the encryption/decryption unit 172 temporarily stores the encrypted text data in some of the plurality of queues and then generates an encryption completion signal.
  • the encrypted text data obtained by encrypting the plain text data may be stored in the second queue 164b.
  • When the encryption/decryption control unit 170 receives an encryption completion signal for the plain text data, it generates a read command for the readout.
  • the extended memory interface control unit 162 reads out the encrypted text data stored in some queues (second queue) and delivers it to the data processing unit 120 through the main processor 140b and the second serial interface control unit 140c.
  • FIG. 6 is a diagram illustrating a process of processing encrypted text data transmitted from a ground control station according to an embodiment of the present invention.
  • FIG. 6 shows the process of handling the encrypted text data transmitted from the ground control station, as part of the operation in which the electronic security system in the unmanned aerial vehicle simultaneously processes full-duplex data input and output from the flight control unit 110 and the data processing unit 120.
  • Ciphertext data input to the data processing unit 120 is decrypted by the encryption engine unit 176 through a specific queue among a plurality of queues, and then transmitted to the flight control unit 110 and transmitted to the unmanned aerial vehicle.
  • the data processing unit 120 transmits the encrypted text data to the main processor 140b through the second serial interface under the control of the second serial interface controller 140c.
  • the main processor 140b temporarily stores the encrypted text data in some of the plurality of queues.
  • the encrypted text data may be stored in the fourth queue 164d.
  • When the storage of the encrypted text data is completed, the extended memory interface control unit 162 generates a write completion signal.
  • When a write completion signal is generated from the extended memory interface controller 162, the encryption/decryption control unit 170 generates a decryption command for the encrypted text data stored in some queues (fourth queue).
  • Upon receiving the decryption command, the encryption/decryption unit 172 decrypts the encrypted text data through the encryption/decryption engine unit using the decrypted security key. The encryption/decryption unit 172 temporarily stores the decrypted plaintext data in some of the plurality of queues and then generates a decryption completion signal.
  • the plaintext data obtained by decrypting the ciphertext data may be stored in the third queue 164c.
  • When the encryption/decryption control unit 170 receives the decryption completion signal for the encrypted text data, it generates a read command for the readout.
  • the extended memory interface control unit 162 reads out the plain text data stored in some queues (third queue) and delivers it to the flight control unit 110 through the main processor 140b and the first serial interface control unit 140a.
  • FIG. 7 is a diagram illustrating a simultaneous processing process of plain text data and encrypted text data for high-speed encryption/decryption processing according to an embodiment of the present invention.
  • FIG. 7 shows a simultaneous processing process of simultaneously processing full-duplex data input/output from the flight control unit 110 and the data processing unit 120 in an electronic security system in an unmanned aerial vehicle.
  • the electronic security system can simultaneously process plaintext data and ciphertext data input through both ports 110 and 120, so that encryption/decryption processing can be accelerated.
  • the electronic security system can provide the advantage of low-delay processing by shortening the time required for data processing, and can minimize the effect of delay occurrence through encryption/decryption.
  • the electronic security system processes two operations in parallel, at the same time: the operation of encrypting the plaintext data output from the flight control unit 110 in the encryption engine unit 176 through a specific queue among the plurality of queues and passing it to the data processing unit 120 for transmission to the ground control station, and the operation of decrypting the encrypted text data input to the data processing unit 120 in the encryption engine unit 176 through a specific queue among the plurality of queues and passing it to the flight control unit 110 for delivery to the unmanned aerial vehicle.
  • the electronic security system performs parallel processing of plaintext data and encrypted text data (queue storage, encryption/decryption processing, etc.), so that the data transmitted and received by the unmanned aerial vehicle is encrypted and decrypted at the same time, thereby enabling high-speed processing.
  • the electronic security system must apply the same encryption algorithm to the encryption/decryption engine for simultaneous processing.
  • the main processor 140b of the electronic security system processes data in an orderly manner, and performs parallel processing from the step of storing data in some of the plurality of queues through the extended memory interface controller 162.
  • the main processor 140b of the electronic security system may change the processing order according to the set priority when priorities for plain text data and encrypted text data are set. For example, when ciphertext data having a higher priority than the plaintext data comes in while plaintext data is being processed, the main processor 140b may stop processing the plaintext data and process the ciphertext data so that it is stored in some of the plurality of queues.
  • the main processor unit 140 inputs/outputs at least one of plain text data to be transmitted to the ground control station of the unmanned aerial vehicle and encrypted text data received from the ground control station.
  • the flight control unit 110 transmits plain text data (Plaintext) to the main processor 140b through a first serial interface under the control of the first serial interface control unit 140a, and the data processing unit 120 transmits the encrypted text data to the main processor 140b through the second serial interface under the control of the second serial interface control unit 140c.
  • the main processor unit 140 sequentially transfers one of the plaintext data and the ciphertext data to some of the plurality of queues through the extended memory interface control unit 162 according to the input order to be temporarily stored.
  • the buffer unit 164 includes a plurality of queues 164a, 164b, 164c, 164d, and temporarily stores at least one data such as plain text data and cipher text data.
  • the plain text data may be stored in the first queue 164a.
  • the encrypted text data may be stored in the fourth queue 164d.
  • When the storage of at least one data such as plain text data and encrypted text data is completed, the extended memory interface control unit 162 generates a write completion signal.
  • the write completion signal may include the size of the plaintext data stored in the first queue 164a, the memory address of the first queue 164a in which the plaintext data is stored, the size of the ciphertext data stored in the fourth queue 164d, and the memory address of the fourth queue 164d in which the ciphertext data is stored.
  • the extended memory interface controller 162 manages the storage addresses so that the plaintext data and the ciphertext data are stored in different queues of the buffer unit 164 and can therefore be processed in parallel.
  • the extended memory interface controller 162 may control the plain text data to be temporarily stored in the first queue 164a, and the encrypted text data to be temporarily stored in the fourth queue 164d. That is, the extended memory interface controller 162 stores plain text data and encrypted text data in parallel in each of the first queue 164a and the fourth queue 164d so that they are processed simultaneously.
  • When a write completion signal is generated from the extended memory interface controller 162, the encryption/decryption control unit 170 generates an encryption command or a decryption command for at least one data stored in some queues.
  • When a write completion signal is generated from the extended memory interface controller 162, the encryption/decryption control unit 170 generates an encryption command for the plain text data stored in some queues (first queue) and a decryption command for the encrypted text data stored in some queues (fourth queue).
  • When a write completion signal for each of the plaintext data and the encrypted text data is generated, the encryption/decryption control unit 170 generates an encryption command for the plaintext data stored in the first queue 164a and a decryption command for the ciphertext data stored in the fourth queue 164d.
  • the encryption/decryption control unit 170 may simultaneously generate an encryption command and a decryption command when a write completion signal for each of the plain text data and the encrypted text data is simultaneously generated.
  • When receiving the encryption command, the encryption/decryption unit 172 encrypts the plaintext data using the decrypted security key through the encryption/decryption engine unit, temporarily stores the encrypted data, and generates an encryption completion signal. Upon receiving the decryption command, it decrypts the encrypted text data through the encryption/decryption engine unit using the decrypted security key, temporarily stores the decrypted plaintext data, and generates a decryption completion signal.
  • When receiving the encryption command, the encryption/decryption unit 172 encrypts the plaintext data stored in the first queue using the decrypted security key through the encryption/decryption engine unit, and it decrypts the stored encrypted text data through the encryption/decryption engine unit using the decrypted security key.
  • the encryption/decryption unit 172 preferably encrypts plain text data and decrypts the encrypted text data using different encryption/decryption engine units, but is not limited thereto.
  • a single encryption/decryption engine unit may encrypt plain text data and decrypt the encrypted text data.
  • the encryption/decryption unit 172 may simultaneously process plaintext data and ciphertext data by using different encryption/decryption engine units each using the same encryption/decryption algorithm.
  • each of the different encryption/decryption engine units implements an algorithm such as AES (Advanced Encryption Standard) 128/256, DES (Digital Encryption Standard), SEED, or ARIA (Academy, Research Institute, Agency).
  • LEA Lightweight Encryption Algorithm
  • the encryption/decryption unit 172 temporarily stores the encrypted text data in some of the plurality of queues and then generates an encryption completion signal.
  • the encrypted text data obtained by encrypting the plain text data may be stored in the second queue 164b.
  • the encryption completion signal may include a size of encrypted data stored in the second queue 164b and a memory address of the second queue 164b in which the encrypted data is stored.
  • the encryption/decryption unit 172 temporarily stores the decrypted plaintext data in some of the plurality of queues and generates a decryption completion signal.
  • the plaintext data obtained by decrypting the ciphertext data may be stored in the third queue 164c.
  • the decryption completion signal may include a size of decrypted plaintext data stored in the third queue 164c and a memory address of the third queue 164c in which decrypted plaintext data is stored.
  • When the encryption/decryption control unit 170 receives an encryption completion signal or a decryption completion signal for at least one data such as plain text data or encrypted text data, it generates a read command for the readout.
  • When the encryption/decryption control unit 170 receives the encryption completion signal for the plaintext data, it generates a read command for reading the encrypted text data, and when it receives the decryption completion signal for the ciphertext data, it generates a read command for reading the plaintext data. The read commands for reading encrypted text data and for reading plain text data may occur simultaneously, in parallel.
  • When a read command is received, the extended memory interface controller 162 reads plain text data or encrypted text data stored in some of the plurality of queues. When a read command is received, the extended memory interface control unit 162 simultaneously processes two operations: reading out the encrypted text data stored in some queues (second queue) and transferring it to the data processing unit 120 through the main processor 140b and the second serial interface control unit 140c, and reading out the plaintext data stored in some queues (third queue) and transferring it to the flight control unit 110 through the main processor 140b and the first serial interface control unit 140a.
  • FIG. 8 is a diagram illustrating a configuration example of an electronic security system according to an embodiment of the present invention.
  • the electronic security system 130 is connected between the flight control unit 810 and the data processing unit 820 through serial interfaces, respectively, and performs encryption/decryption of transmitted/received data.
  • FIG. 9 is a diagram illustrating a configuration example of an electronic security system according to another embodiment of the present invention.
  • In FIG. 9, the electronic security system 130 is included as a component of the data processing unit 920 and operates within it.
  • the electronic security system 130 is located at the front end of the modem 940 and communicates with the flight control interface 930 through a serial interface, and the flight control interface 930 interfaces with the flight control unit 910.
  • the modem 940 modulates the ciphertext data output from the electronic security system 130 and outputs it through the RF unit 950, or demodulates the ciphertext data received through the RF unit 950 and outputs it to the electronic security system 130.
  • the operation method according to various embodiments of the present invention described above may be implemented as a program and stored in various non-transitory computer readable media and provided.
  • the non-transitory readable medium refers to a medium that stores data semi-permanently and can be read by a device, rather than a medium that stores data for a short moment, such as a register, a cache, and a memory.
  • the above-described various applications or programs may be provided by being stored in a non-transitory readable medium such as a CD, DVD, hard disk, Blu-ray disk, USB, memory card, ROM, or the like.
  • 140a first serial interface control unit
  • security key management unit 150a PUF circuit
  • buffer unit 164a first queue
  • fourth queue 170 encryption/decryption control unit
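
The FIG. 7 flow described above (write completion signal, encryption or decryption command, completion signal, read command, each carrying a queue address and a size), as an added Python example that is not code from the patent. The class and function names, the in-order address allocation and the SHA-256 keystream cipher standing in for the engines' algorithm are assumptions, and the security key is taken as already decrypted.

```python
import hashlib
import os
import threading
from collections import namedtuple
from concurrent.futures import ThreadPoolExecutor

# Queue roles per reference numbers 164a-164d; every signal names a queue, address, size.
QUEUES = Q1_PLAIN_IN, Q2_CIPHER_OUT, Q3_PLAIN_OUT, Q4_CIPHER_IN = "164a", "164b", "164c", "164d"
Signal = namedtuple("Signal", "kind queue addr size")
NONCE_LEN = 8


class BufferUnit:
    """Buffer unit 164: one region per queue, addresses handed out in order."""

    def __init__(self):
        self._mem = {q: bytearray() for q in QUEUES}
        self._lock = threading.Lock()

    def write(self, queue, data):
        """Store data and return the write completion signal (address and size)."""
        with self._lock:
            addr = len(self._mem[queue])
            self._mem[queue] += data
        return Signal("write_done", queue, addr, len(data))

    def read(self, queue, addr, size):
        with self._lock:
            return bytes(self._mem[queue][addr:addr + size])


class Engine:
    """Stand-in engine: SHA-256 counter keystream XOR. Not AES/SEED/ARIA/LEA, no MAC."""

    def __init__(self, key):
        self._key = key

    def _xor(self, nonce, data):
        ks = b"".join(hashlib.sha256(self._key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
        return bytes(d ^ k for d, k in zip(data, ks))

    def encrypt(self, plaintext):
        nonce = os.urandom(NONCE_LEN)  # fresh per message, so no keystream reuse
        return nonce + self._xor(nonce, plaintext)

    def decrypt(self, ciphertext):
        if len(ciphertext) < NONCE_LEN:
            raise ValueError("ciphertext shorter than its nonce prefix")
        return self._xor(ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:])


class CryptoUnit:
    """Encryption/decryption unit 172 with two engines using the same algorithm."""

    def __init__(self, buf, key):
        self._buf, self._enc, self._dec = buf, Engine(key), Engine(key)

    def execute(self, cmd):
        data = self._buf.read(cmd.queue, cmd.addr, cmd.size)
        if cmd.kind == "encrypt":
            done = self._buf.write(Q2_CIPHER_OUT, self._enc.encrypt(data))
            return done._replace(kind="encrypt_done")
        done = self._buf.write(Q3_PLAIN_OUT, self._dec.decrypt(data))
        return done._replace(kind="decrypt_done")


def command_for(write_done):
    """Control unit 170: the queue that was written decides the command."""
    kind = {Q1_PLAIN_IN: "encrypt", Q4_CIPHER_IN: "decrypt"}[write_done.queue]
    return write_done._replace(kind=kind)


def process_full_duplex(key, tx_plain, rx_cipher):
    """Run the encrypt path (164a -> 164b) and decrypt path (164d -> 164c) together."""
    buf, trace = BufferUnit(), []
    unit = CryptoUnit(buf, key)

    def path(in_queue, data):
        written = buf.write(in_queue, data)    # write completion signal
        command = command_for(written)         # encryption or decryption command
        done = unit.execute(command)           # completion signal
        read_cmd = done._replace(kind="read")  # read command for the output queue
        trace.append([written, command, done, read_cmd])
        return buf.read(read_cmd.queue, read_cmd.addr, read_cmd.size)

    with ThreadPoolExecutor(max_workers=2) as pool:
        to_ground = pool.submit(path, Q1_PLAIN_IN, tx_plain)
        to_flight_ctrl = pool.submit(path, Q4_CIPHER_IN, rx_cipher)
        return to_ground.result(), to_flight_ctrl.result(), trace


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key, taken as already decrypted
    uplink = Engine(key).encrypt(b"TC waypoint 7")  # constructed ground-station frame
    cipher_out, plain_out, trace = process_full_duplex(key, b"TM alt=118 batt=71", uplink)
    print(plain_out, Engine(key).decrypt(cipher_out))
    print([[f"{s.kind}@{s.queue}" for s in steps] for steps in trace])
```

Because the two directions never share a queue, neither path waits on the other's buffer region; the only shared resource is the key, which both engines hold.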

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Remote Sensing (AREA)
  • Aviation & Aerospace Engineering (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Storage Device Security (AREA)

Abstract

An electronic security system in an unmanned aerial vehicle, for high-speed encryption/decryption processing, according to the present invention, can comprise: a main processor unit for performing input/output processing on plaintext data to be transmitted to a ground control station of the unmanned aerial vehicle and/or on ciphertext data received from the ground control station; a buffer unit for temporarily storing the plaintext data and/or the ciphertext data in a plurality of queues; an extended memory interface control unit for generating a write completion signal when the plaintext data and/or the ciphertext data is completely stored, and reading the plaintext data or the ciphertext data stored in some of the plurality of queues when a read command is received; an encryption/decryption control unit for generating an encryption command or a decryption command for the data stored in some of the queues when the write completion signal is generated, and generating a read command for the read when an encryption completion signal or a decryption completion signal for the data is received; and an encryption/decryption unit which encrypts, when the encryption command is received, the plaintext data through an encryption/decryption engine unit by using a decrypted security key, temporarily stores the encryption-completed ciphertext data, and then generates the encryption completion signal, and which decrypts, when the decryption command is received, the ciphertext data through the encryption/decryption engine unit by using the decrypted security key, temporarily stores the decryption-completed plaintext data, and then generates the decryption completion signal.

Description

Electronic security system in unmanned aerial vehicle for high-speed encryption/decryption processing
The present invention relates to an electronic security system for high-speed encryption/decryption processing that encrypts and decrypts the data transmitted and received in the data-link communication system of an unmanned aerial vehicle (hereinafter referred to as "UAV").
UAV development began for military purposes, but thanks to recent technological advances the market is rapidly expanding into industrial and civilian fields such as broadcast filming, communication relay, agriculture, traffic monitoring, disaster response, reconnaissance, delivery, and leisure. A UAV uses wireless communication technology to carry out its mission under remote or automatic control, and to perform a given mission properly, high reliability of the wireless communication system that continuously links the UAV and the ground control system is very important. Because the UAV's wireless communication channel uses a wireless network that is always open, its structure is highly vulnerable to wireless security attacks, and it operates in an environment where it is very likely that UAV-related security threat techniques such as communication hacking, controller hacking, and sensor hacking will be used to physically damage the UAV or to hijack it and misuse it for other purposes. In particular, with regard to the security of wireless communication, data link spoofing can take complete control of the UAV and is therefore an even more serious security problem.
Conventional UAV data link security technology is implemented as a structure in which data is encrypted with an encryption algorithm such as DES (Digital Encryption Standard), AES (Advanced Encryption Standard), ARIA (Academy, Research Institute, Agency), or SEED and then transmitted and received through the modem's modulation and demodulation. In general, the transmitter encrypts the data to be sent, modulates it through a modem, and transmits it wirelessly, and the receiver demodulates the received data and then decrypts it to restore the data. Here, data encryption is either built in together with the data processing unit, which is the modem unit that performs modulation and demodulation in the data link, or provided by a separate external encryption device that is interfaced to encrypt/decrypt the transmitted and received data. In addition, the encryption key is received from the control device that controls the data link or from an external storage medium and is stored internally, and the usual way of managing and operating the encryption key for UAV data link traffic is a fixed key in a symmetric-key scheme in which the UAV and the control station or radio station use the same key.
In general, the data transmitted and received over a UAV data link is UAV tele-command (TC) from the ground control system, telemetry (TM), or observation image information. TC/TM data in particular repeats in a fixed pattern within the system specification, so if a third party collects or observes the data that is repeatedly sent and received over the air, the likelihood of guessing or estimating the original data is relatively higher than in ordinary communication.
As described above, in the conventional general UAV data link security structure, the characteristics of the transmitted and received data, the way encryption is applied, and the key management structure make it difficult to achieve or maintain a high level of security in terms of confidentiality, integrity, and availability. In addition to the possibility that a third party observes the radio channel, if the UAV is captured the security scheme is exposed, so that operation of the existing UAVs must be stopped or their structure must be changed.
Conventional UAV data link security technology encrypts or decrypts data in one direction (half-duplex), so high-speed data processing is difficult or data processing is delayed by the encryption/decryption process.
[Patent Literature]
(Patent Document 1) Korean Patent Publication No. 10-2015-0001206 (Publication)
The present invention has been devised in accordance with the above-described necessity, and provides a high-speed encryption/decryption system for the data transmitted and received in an unmanned aerial vehicle data link communication system. The present invention also provides an electronic security system that gives the unmanned aerial vehicle data link a unique, physically unclonable identity and secures encryption key management and the encryption device. The present invention further provides an electronic security system in an unmanned aerial vehicle that is capable of high-speed encryption/decryption processing by processing input and output data in parallel in both directions (full-duplex).
An electronic security system in an unmanned aerial vehicle for high-speed encryption/decryption processing according to an embodiment of the present invention for achieving the above object may include: a main processor unit that performs input/output processing on at least one of plaintext data to be transmitted to the ground control station of the unmanned aerial vehicle and ciphertext data received from the ground control station; a buffer unit that temporarily stores the at least one data in a plurality of queues; an extended memory interface control unit that generates a write completion signal when storage of the at least one data is completed and, when a read command is received, reads the plaintext data or the ciphertext data stored in some of the plurality of queues; an encryption/decryption control unit that generates an encryption command or a decryption command for the data stored in the some queues when the write completion signal is generated, and generates a read command for the readout when an encryption completion signal or a decryption completion signal for the data is received; and an encryption/decryption unit that, upon receiving the encryption command, encrypts the plaintext data through an encryption/decryption engine unit using a decrypted security key, temporarily stores the encrypted data, and then generates the encryption completion signal, and, upon receiving the decryption command, decrypts the ciphertext data through the encryption/decryption engine unit using the decrypted security key, temporarily stores the decrypted plaintext data, and then generates the decryption completion signal.
According to the embodiment of the present invention described above, a link-layer security technique is proposed against eavesdropping, observation and hijacking of transmitted and received data by unauthorized third parties in an unmanned aerial vehicle data link wireless communication system, and an electronic security system is thereby provided that can improve the security of the unmanned aerial vehicle data link communication system.
According to the embodiment of the present invention described above, the electronic security system of the UAV can be implemented in hardware separate from the data processing unit, which raises the level of protection for the unique security key and improves the speed of data encryption/decryption.
According to the embodiment of the present invention described above, the electronic security system of the UAV has the effect of reducing problems that arise in the unmanned aerial vehicle system because of delay introduced by the encryption/decryption process.
According to the embodiment of the present invention described above, the electronic security system of the UAV shortens the time that encryption/decryption adds to data processing and thus provides the advantage of low-latency processing.
FIG. 1 is a block diagram of an electronic security system in an unmanned aerial vehicle according to an embodiment of the present invention.
FIG. 2 is a diagram illustrating a process of encrypting plaintext data to be transmitted to a ground control station according to an embodiment of the present invention.
FIG. 3 is a diagram illustrating a process of decrypting ciphertext data transmitted from a ground control station according to an embodiment of the present invention.
FIG. 4 is a diagram for explaining a process in which the security key management unit delivers an encrypted security key (Secure Key) to the encryption/decryption processor 160 according to an embodiment of the present invention.
FIG. 5 is a diagram illustrating a process of handling plaintext data to be transmitted to a ground control station according to an embodiment of the present invention.
FIG. 6 is a diagram illustrating a process of handling ciphertext data transmitted from a ground control station according to an embodiment of the present invention.
FIG. 7 is a diagram illustrating simultaneous processing of plaintext data and ciphertext data for high-speed encryption/decryption processing according to an embodiment of the present invention.
FIG. 8 is a diagram illustrating a configuration example of an electronic security system according to an embodiment of the present invention.
FIG. 9 is a diagram illustrating a configuration example of an electronic security system according to another embodiment of the present invention.
The following merely illustrates the principles of the present invention. Those skilled in the art will therefore be able to devise various devices that embody the principles of the present invention and fall within its concept and scope, even if they are not explicitly described or illustrated herein. In addition, all conditional terms and embodiments listed in this specification are, in principle, expressly intended only to aid understanding of the concept of the present invention, and should be understood as not being limited to the specifically listed embodiments and states.
In addition, all detailed descriptions that recite the principles, aspects and embodiments of the present invention, as well as specific embodiments, should be understood as intended to include their structural and functional equivalents. Such equivalents should be understood to include not only currently known equivalents but also equivalents developed in the future, that is, any element invented to perform the same function regardless of structure.
Thus, for example, the block diagrams herein should be understood as representing conceptual views of exemplary circuits that embody the principles of the present invention. Similarly, all flowcharts, state transition diagrams, pseudocode and the like should be understood as representing various processes that can be substantially represented in a computer-readable medium and executed by a computer or processor, whether or not the computer or processor is explicitly shown.
The functions of the various elements shown in the drawings, including functional blocks labeled as a processor or a similar concept, may be provided by dedicated hardware as well as by hardware capable of executing software in association with appropriate software. When provided by a processor, the functions may be provided by a single dedicated processor, a single shared processor, or a plurality of individual processors, some of which may be shared.
In addition, explicit use of the terms processor, control or similar concepts should not be construed as referring exclusively to hardware capable of executing software, and should be understood to implicitly include, without limitation, digital signal processor (DSP) hardware, ROM for storing software, RAM and non-volatile memory. Other well-known and commonly used hardware may also be included.
In the claims of this specification, a component expressed as a means for performing a function described in the detailed description is intended to cover every way of performing that function, including, for example, a combination of circuit elements that performs the function, or software in any form, including firmware and microcode, combined with appropriate circuitry for executing the software to perform the function. Because the invention defined by such claims combines the functions provided by the variously recited means in the manner the claims require, any means capable of providing those functions should be understood as equivalent to those identified from this specification.
The above objects, features and advantages will become clearer from the following detailed description taken in conjunction with the accompanying drawings, so that a person of ordinary skill in the art to which the present invention pertains will be able to practice the technical idea of the present invention easily. In describing the present invention, a detailed description of known technology related to the present invention is omitted where it is judged that it could unnecessarily obscure the gist of the present invention.
The present invention relates to a hardware-based encryption/decryption apparatus and method for encrypting and decrypting data transmitted and received in an unmanned aerial vehicle (UAV) data-link communication system. In particular, data-link transmit and receive data is encrypted and decrypted at high speed using queues, which are multiple data buffers implemented in hardware, together with multiple encryption/decryption algorithm engines, so that the transmission delay caused by encryption/decryption operations is minimized. The invention is further characterized in that a unique identifier generated by a physically unclonable function (PUF) circuit, which cannot be physically duplicated, is used to improve the security of the encryption/decryption function and of security key management in the unmanned aerial vehicle.
Hereinafter, various embodiments of the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 is a block diagram of an electronic security system in an unmanned aerial vehicle according to an embodiment of the present invention.
FIG. 1 shows an electronic security system 130 for hardware-based encryption/decryption, provided to strengthen security with a ground control station, including a ground control station or radio station that communicates wirelessly with the unmanned aerial vehicle.
In FIG. 1, the flight control unit 110 controls the flight of the UAV according to commands received from the ground control station and collects various kinds of information. The data processing unit 120 demodulates encrypted data received from the ground control station and passes it toward the flight control unit 110, and modulates data that was generated by the flight control unit 110 and encrypted, and transmits it to the ground control station.
The electronic security system 130 interfaces the data passed between the flight control unit 110 and the data processing unit 120, and encrypts/decrypts the data being interfaced.
The main processor unit 140 includes a first serial interface control unit 140a, a main processor 140b and a second serial interface control unit 140c.
Specifically, the first serial interface control unit 140a converts between the parallel data processed by the main processor 140b and the serial data processed by the flight control unit 110, and controls a first serial interface so that the main processor 140b and the flight control unit 110 exchange bidirectional high-speed serial data in full duplex. The second serial interface control unit 140c controls a second serial interface over which the main processor 140b and the data processing unit 120 exchange bidirectional high-speed serial data in full duplex.
The first serial interface control unit 140a and the second serial interface control unit 140c include serial communication controllers such as an Ethernet MAC, UART controller, SPI, I2C, CAN controller and USB controller, and perform input/output of transmit and receive data over serial links such as Ethernet, RS232, RS422, CAN and USB.
The main processor 140b may be implemented as a single core or as multiple cores, and controls the encryption/decryption processor 160 in order to encrypt/decrypt the data transmitted and received at high speed through the first serial interface 140a and the second serial interface 140c.
The encryption/decryption processor 160 may be implemented in hardware such as a field programmable gate array (FPGA), and includes an extended memory interface control unit (Extension Memory Interface Controller) 162, a buffer unit 164 containing a plurality of queues, an encryption/decryption control unit 170, an encryption/decryption unit 172, a security key decryption unit 174, and an encryption/decryption engine unit 176 containing a plurality of encryption engines.
The extended memory interface control unit 162 allows the main processor 140b to access, by memory address, the queues 164a, 164b, 164c and 164d in the buffer unit 164 and the encryption/decryption control unit 170. The extended memory interface control unit 162 manages the addresses at which data input through the main processor 140b is stored in the queues 164a, 164b, 164c and 164d of the buffer unit 164, and sends a queue status signal describing the state of the queues 164a, 164b, 164c and 164d to the encryption/decryption control unit 170.
The queue status signal includes the storage space of the queues 164a, 164b, 164c and 164d, read/write signals for the queues 164a, 164b, 164c and 164d, and the like.
In addition, the extended memory interface control unit 162 outputs information such as the operating state of the encryption/decryption control unit 170 to the main processor 140b.
The information on the operating state of the encryption/decryption control unit 170 includes information on the operating state of the encryption/decryption engines in the encryption/decryption engine unit 176: a Busy signal while the engines are carrying out an encryption/decryption operation, a Ready signal while they are ready, and a Complete signal when encryption/decryption has finished.
The extended memory interface control unit 162 also performs data read and data write operations on the queues 164a, 164b, 164c and 164d in the buffer unit 164. When a data write to the queues 164a, 164b, 164c and 164d in the buffer unit 164 is complete, the extended memory interface control unit 162 generates a write completion signal that includes the size of the data stored in the queues 164a, 164b, 164c and 164d and the memory address at which the data is stored.
Accordingly, the extended memory interface control unit 162 stores data input through the main processor 140b in the queues 164a, 164b, 164c and 164d, or reads data stored in the queues 164a, 164b, 164c and 164d and outputs it to the main processor 140b.
The buffer unit 164 includes a plurality of queues 164a, 164b, 164c and 164d. The queues 164a, 164b, 164c and 164d are first-in, first-out (FIFO) memories that store plaintext data and ciphertext data input from the main processor 140b, and data encrypted or decrypted by the encryption/decryption unit 172.
As shown in FIG. 1, the main processor 140b outputs plaintext data delivered from the flight control unit 110 via the first serial interface control unit 140a to the buffer unit 164 through the extended memory interface control unit 162, receives the ciphertext data, that is, the encrypted form of that plaintext data, through the extended memory interface control unit 162, and transmits it to the data processing unit 120 via the second serial interface control unit 140c.
In FIG. 1, the first queue 164a stores plaintext data input from the main processor 140b, and the second queue 164b stores the encrypted form of the plaintext data stored in the first queue 164a. The fourth queue 164d stores ciphertext data input from the main processor 140b, and the third queue 164c stores the decrypted plaintext form of the encrypted data stored in the fourth queue 164d.
In this way, the embodiment of the present invention separates the queues that hold data input and output through the main processor 140b from the queues that hold encrypted/decrypted data. This buffers timing conflicts between the time taken to store plaintext data in a queue and the time taken to encrypt it, as well as data overhead, so that data flows smoothly and high-speed encryption/decryption operations can be sustained.
According to an embodiment of the present invention, when the encryption/decryption control unit 170 receives from the extended memory interface control unit 162 a write completion signal containing the memory address of the queue holding the plaintext data to be encrypted and the size of the stored data, or the memory address of the queue holding the ciphertext data to be decrypted and the size of the stored data, it sends an encryption command or a decryption command to the encryption/decryption unit 172. The encryption command or decryption command includes the size of the data to be encrypted/decrypted and the memory address at which it is stored.
The encryption/decryption unit 172 controls the encryption/decryption engines in the encryption/decryption engine unit 176 and monitors the operating state of each engine. It also receives the decrypted security key originating from the security key management unit 150 and controls the encryption/decryption engines so that they use that security key to encrypt/decrypt the data stored in the buffer unit 164.
Because the embodiment of the present invention implements the extended memory interface control unit 162 and the encryption/decryption unit 172 as separate blocks, the main processor 140b can be prevented from directly accessing the encryption/decryption engine unit 176 or monitoring its state, so that confidentiality against the outside can be maintained.
Specifically, in response to the encryption command or decryption command, the encryption/decryption unit 172 encrypts/decrypts the data stored in the buffer unit 164 using the plurality of encryption/decryption algorithm engines in the encryption/decryption engine unit 176. When encryption/decryption is complete, it stores the encrypted or decrypted data in the buffer unit 164, then generates an encryption completion or decryption completion signal and sends it to the encryption/decryption control unit 170.
In an embodiment of the present invention, the encryption/decryption engine unit 176 includes encryption/decryption engines that use a plurality of encryption/decryption algorithms or multiple cryptographic hash functions, and is responsible for the encryption/decryption operations on data. The encryption/decryption engine unit 176 may be implemented as hardware logic for high-speed cryptographic processing, and the encryption/decryption algorithms may be any of various ciphers such as AES (Advanced Encryption Standard) 128/256, DES (Digital Encryption Standard), SEED, ARIA (Academy, Research Institute, Agency) and LEA (Lightweight Encryption Algorithm). As needed, encryption/decryption may be performed using a single encryption/decryption engine only, or in parallel using a plurality of encryption/decryption engines.
The security key decryption unit 174 decrypts the security key (Secure Key) that was encrypted by the security key management unit 150 and passes it to the encryption/decryption unit 172. The encryption/decryption unit 172 can then perform encryption/decryption through the encryption/decryption engine unit 176 using the security key decrypted by the security key decryption unit 174. The present invention assumes that the security key decryption unit 174 stores in advance the security key encryption key (Secure Key Encryption Key), that is, the key with which the security key management unit 150 encrypted the security key.
The security key management unit 150 includes a PUF (Physically Unclonable Function) circuit 150a, a non-volatile memory 150b and a security key encryption unit 150c.
The PUF circuit 150a uses process variation in semiconductor manufacturing to generate a unique key (Unique Key), an unpredictable digital value, and stores it in the non-volatile memory 150b. The unique key generated in this way serves as the security key (Secure Key) used in the present invention. The security key encryption unit 150c encrypts the security key, that is, the unique key stored in the non-volatile memory 150b, with an encryption key and outputs it to the security key decryption unit 174. Here the encryption key is a nonce (Number used ONCE), which is a random number used once, and a hash value generated by applying a hash function to the nonce. In an embodiment of the present invention, the security key decryption unit 174 knows the security key encryption key (Secure Key Encryption Key) in advance, so it can obtain the security key by decrypting the encrypted security key delivered from the security key management unit 150 with that security key encryption key.
As described above, in the present invention the encryption/decryption processor 160, implemented as an FPGA, encrypts/decrypts data through its internal encryption/decryption engine unit 176, and the security key management unit 150 encrypts the unique security key, generated by the PUF circuit 150a and held in the non-volatile memory 150b, with an encryption key (Encryption Key) before delivering it to the encryption/decryption processor 160. This prevents physical exposure of the security key and thereby increases confidentiality.
FIG. 2 is a diagram illustrating a process of encrypting plaintext data to be transmitted to a ground control station according to an embodiment of the present invention.
FIG. 2 shows the electronic security system 130 outputting to the data processing unit 120 ciphertext data 220 obtained by encrypting plaintext data 210 input from the flight control unit 110. On receiving the ciphertext data 220, the data processing unit 120 modulates it and transmits it to the ground control station.
Referring to FIG. 2, as indicated by reference numeral 250, when the main processor 140b receives the plaintext data 210 through the first serial interface control unit 140a, it passes the data to the extended memory interface control unit 162 of the encryption/decryption processor 160, and the extended memory interface control unit 162 stores the plaintext data in the first queue 164a of the buffer unit 164. In FIG. 2, reference numeral 230 denotes the plaintext data stored in the first queue 164a.
When the extended memory interface control unit 162 has finished storing the plaintext data in the first queue 164a, it outputs to the encryption/decryption control unit 170 a write completion signal that includes the size of the plaintext data 230 stored in the first queue 164a and the memory address at which it is stored in the first queue 164a.
On receiving the write completion signal from the extended memory interface control unit 162, the encryption/decryption control unit 170 outputs to the encryption/decryption unit 172 an encryption command instructing it to encrypt the plaintext data 230 stored in the first queue 164a. The encryption command may include the size and memory address of the plaintext data 230 stored in the first queue 164a.
암호화/해독화부(172)가 상기 암호화 명령을 수신하면, 상기 제1큐(164a)에 저장된 평문 데이터(230)를 암호화/엔진부(176)를 통해 암호화한다. When the encryption/decryption unit 172 receives the encryption command, the plaintext data 230 stored in the first queue 164a is encrypted through the encryption/engine unit 176.
이때, 암호화/해독화 엔진부(176)는 보안 키 해독화부(174)에 의해 해독된 보안 키를 통해 상기 평문 데이터(230)에 대한 암호화를 수행한다. At this time, the encryption/decryption engine unit 176 encrypts the plaintext data 230 through the security key decrypted by the security key decryption unit 174.
암호화/해독화 엔진부(176)는 N개의 암호화/해독화 엔진들로 구성될 수 있으며, N개의 암호화/해독화 엔진들 중 어느 하나의 암호화/해독화 엔진만을 이용하여 암호화를 수행할 수도 있고, 복수 개의 암호화/해독화 엔진들을 이용하여 상기 평문 데이터에 대한 병렬 암호화 처리를 수행할 수도 있다. The encryption/decryption engine unit 176 may be composed of N encryption/decryption engines, and may perform encryption using only one of the N encryption/decryption engines. , Parallel encryption processing on the plain text data may be performed using a plurality of encryption/decryption engines.
암호화/해독화부(172)는 상기 암호화/엔진부(176)에 의해 상기 평문 데이터(230)에 대한 암호화가 완료되면, 상기 암호화된 암호문 데이터를 상기 제2큐(164b)에 저장(240)하고, 암호화 완료 신호를 암호화/해독화 제어부(170)로 출력한다. 이때 상기 암호화 완료 신호에는 상기 제2큐(164b)에 저장된 암호문(Cyphertext) 데이터(240)의 크기 및 상기 제2큐(164b)에 저장된 암호문 데이터의 메모리 주소가 포함될 수 있다. When the encryption/decryption unit 172 completes encryption of the plaintext data 230 by the encryption/engine unit 176, the encrypted encrypted text data is stored in the second queue 164b (240), and , The encryption completion signal is output to the encryption/decryption control unit 170. In this case, the encryption completion signal may include a size of the ciphertext data 240 stored in the second queue 164b and a memory address of the ciphertext data stored in the second queue 164b.
또한, 암호화/해독화 제어부(170)는 암호화/해독화부(172)가 사용할 암호화/해독화 엔진을 결정하고, 결정된 암호화/해독화 엔진의 여러 파라미터들을 결정할 수 있다. In addition, the encryption/decryption control unit 170 may determine an encryption/decryption engine to be used by the encryption/decryption unit 172 and determine various parameters of the determined encryption/decryption engine.
상기 암호화 완료 신호를 수신한, 암호화/해독화 제어부(170)은 확장 메모리 인터페이스 제어부(162)로 상기 제2큐(164b)에 저장된 암호문 데이터(240)에 대한 독출 명령을 출력한다.Upon receiving the encryption completion signal, the encryption/decryption control unit 170 outputs a read command for the encrypted text data 240 stored in the second queue 164b to the extended memory interface control unit 162.
상기 독출 명령을 수신한 확장 메모리 인터페이스 제어부(162)는 상기 제2큐(164b)에 저장된 암호문 데이터(240)를 읽은 후, 메인 프로세서(140b)로 출력하고, 메인 프로세서(140b)는 제2 시리얼 인터페이스 제어부(140c)를 통해 데이터 처리부(120)로 암호문 송신 데이터 패킷(220)을 출력한다(참조번호 260).After receiving the read command, the extended memory interface control unit 162 reads the encrypted text data 240 stored in the second queue 164b and outputs it to the main processor 140b. The encrypted text transmission data packet 220 is output to the data processing unit 120 through the interface control unit 140c (reference numeral 260).
FIG. 3 is a diagram showing the process of decrypting ciphertext data 310 transmitted from the ground control station according to an embodiment of the present invention. In FIG. 3, reference numerals 350, 360 and 370 show the process by which the electronic security system 130 outputs to the flight control unit 110 the plaintext data 320 obtained by decrypting the ciphertext data 310 input from the data processing unit 120.
The data processing unit 120, having received the ciphertext data 310, demodulates it and outputs it to the electronic security system 130.
Referring to FIG. 3, as indicated by reference numeral 350, when ciphertext data 310 is received through the second serial interface control unit 140c, the main processor 140b passes it to the extended memory interface control unit 162 of the encryption/decryption processor 160, and the extended memory interface control unit 162 stores the ciphertext data in the fourth queue 164d of the buffer unit 164. In FIG. 3, reference numeral 350 denotes the ciphertext data stored in the fourth queue 164d.
When it has finished storing the ciphertext data in the fourth queue 164d, the extended memory interface control unit 162 outputs to the encryption/decryption control unit 170 a write completion signal containing the size of the ciphertext data 350 stored in the fourth queue 164d and the memory address at which it is stored in the fourth queue 164d.
On receiving the write completion signal from the extended memory interface control unit 162, the encryption/decryption control unit 170 outputs to the encryption/decryption unit 172 a decryption command instructing it to decrypt the ciphertext data 350 stored in the fourth queue 164d. The decryption command may include the size and memory address of the ciphertext data 350 stored in the fourth queue 164d.
When the encryption/decryption unit 172 receives the decryption command, it decrypts the ciphertext data 350 stored in the fourth queue 164d through the encryption/decryption engine unit 176.
Here, the encryption/decryption unit 172 passes the security key (Secure Key) decrypted by the security key decryption unit 174 to the encryption/decryption engine unit 176, and the encryption/decryption engine unit 176 decrypts the ciphertext data 350 using that security key.
The encryption/decryption engine unit 176 may consist of N encryption/decryption engines. It may perform decryption using only one of the N engines, or it may process the ciphertext data in parallel using several of them.
When the encryption/decryption engine unit 176 has finished decrypting the ciphertext data 350, the encryption/decryption unit 172 stores the resulting plaintext data in the third queue 164c (360) and outputs a decryption completion signal to the encryption/decryption control unit 170. The decryption completion signal may include the size of the plaintext data 340 stored in the third queue 164c and the memory address at which that plaintext data is stored in the third queue 164c.
In addition, the encryption/decryption control unit 170 may determine which encryption/decryption engine the encryption/decryption unit 172 will use, and may determine the various parameters of that engine.
On receiving the decryption completion signal, the encryption/decryption control unit 170 outputs to the extended memory interface control unit 162 a read command for the plaintext data 340 stored in the third queue 164c.
On receiving the read command, the extended memory interface control unit 162 reads the plaintext data 340 stored in the third queue 164c and outputs it to the main processor 140b, and the main processor 140b outputs the plaintext reception data packet 320 to the flight control unit 110 through the first serial interface control unit 140a (reference numeral 370).
In the embodiment described above, specific queues were designated for the plaintext data, for the encrypted form of the plaintext data, for the ciphertext data, and for the decrypted form of the ciphertext data. This is only one embodiment; in an actual implementation a person skilled in the art may of course change the assignment so that the data is stored in other, mutually distinct queues.
FIG. 4 is a diagram explaining how the security key management unit 150 delivers an encrypted security key (Secure Key) to the encryption/decryption processor 160 according to an embodiment of the present invention. The security key described in the present invention is a cryptographic key used for encryption/decryption in wired and wireless communication, and includes master keys, session keys, derived keys and the like.
The security key management unit 150 includes a PUF (Physical Unclonable Function) circuit 150a, a non-volatile memory 150b, and a security key encryption unit 150c.
The PUF (Physical Unclonable Function) circuit 405 is a circuit that generates at least one physically unclonable security key (Secure Key), and the non-volatile memory 150b stores the security key 410 generated by the PUF circuit.
The security key encryption unit 150c encrypts the security key 410 stored in the non-volatile memory 150b with an encryption key (reference numeral 430). The security key encryption unit 150c generates the encryption key used to encrypt the security key from a nonce (Number used ONCE), a random number that is used only once, and a hash value produced by applying a hash function to the nonce. The security key encryption unit 150c then passes the encrypted security key 430 to the security key decryption unit 174 of the encryption/decryption processor 160.
The security key decryption unit 174 decrypts the encrypted security key 430 delivered from the security key management unit 150 using a security key encryption key (Secure Key Encryption Key) that it stores in advance (reference numeral 450), and passes the decrypted security key through the encryption/decryption unit 172 to the encryption/decryption engine unit 176 (460). The encryption/decryption engine unit 176 then performs encryption/decryption using the security key 470 it has received.
As shown in FIG. 4, in the embodiment of the present invention the security key is delivered from the security key management unit 150 to the encryption/decryption processor 160 in encrypted form, so that a third party cannot steal or guess the security key by monitoring the interface between the security key management unit 150 and the encryption/decryption processor 160 or by probing it in hardware. Also, because the security key management unit 150 encrypts the security key before outputting it, the confidentiality of the security key can be maintained.
FIG. 5 is a diagram showing how plaintext data to be transmitted to the ground control station is processed according to an embodiment of the present invention.
FIG. 5 shows how plaintext data to be transmitted to the ground control station is processed when the electronic security system of the unmanned aerial vehicle simultaneously processes full-duplex data input and output from the flight control unit 110 and the data processing unit 120.
Plaintext data output from the flight control unit 110 passes through a specific queue among the plurality of queues, is encrypted by the encryption/decryption engine unit 176, and is then passed to the data processing unit 120 and transmitted to the ground control station.
The flight control unit 110 transmits plaintext data (Plaintext) to the main processor 140b through the first serial interface under the control of the first serial interface control unit 140a.
The main processor 140b temporarily stores the plaintext data in some of the plurality of queues. Here, the plaintext data may be stored in the first queue 164a.
When storage of the plaintext data is complete, the extended memory interface control unit 162 generates a write completion signal.
When the extended memory interface control unit 162 generates the write completion signal, the encryption/decryption control unit 170 generates an encryption command for the plaintext data stored in the queue concerned (the first queue).
When the encryption/decryption unit 172 receives the encryption command, it encrypts the plaintext data through the encryption/decryption engine unit using the decrypted security key. The encryption/decryption unit 172 temporarily stores the resulting ciphertext data in some of the plurality of queues and then generates an encryption completion signal. Here, the ciphertext data obtained by encrypting the plaintext data may be stored in the second queue 164b.
When the encryption/decryption control unit 170 receives the encryption completion signal for the plaintext data, it generates a read command for reading out the result.
When the extended memory interface control unit 162 receives the read command, it reads the ciphertext data stored in the queue concerned (the second queue) and passes it through the main processor 140b and the second serial interface control unit 140c to the data processing unit 120.
FIG. 6 is a diagram showing how ciphertext data transmitted from the ground control station is processed according to an embodiment of the present invention.
FIG. 6 shows how ciphertext data transmitted from the ground control station is processed when the electronic security system of the unmanned aerial vehicle simultaneously processes full-duplex data input and output from the flight control unit 110 and the data processing unit 120.
Ciphertext data input to the data processing unit 120 passes through a specific queue among the plurality of queues, is decrypted by the encryption/decryption engine unit 176, and is then passed to the flight control unit 110 and delivered to the unmanned aerial vehicle.
The data processing unit 120 transmits the ciphertext data to the main processor 140b through the second serial interface under the control of the second serial interface control unit 140c.
The main processor 140b temporarily stores the ciphertext data in some of the plurality of queues. Here, the ciphertext data may be stored in the fourth queue 164d.
When storage of the ciphertext data is complete, the extended memory interface control unit 162 generates a write completion signal.
When the extended memory interface control unit 162 generates the write completion signal, the encryption/decryption control unit 170 generates a decryption command for the ciphertext data stored in the queue concerned (the fourth queue).
When the encryption/decryption unit 172 receives the decryption command, it decrypts the ciphertext data through the encryption/decryption engine unit using the decrypted security key. The encryption/decryption unit 172 temporarily stores the resulting plaintext data in some of the plurality of queues and then generates a decryption completion signal. Here, the plaintext data obtained by decrypting the ciphertext data may be stored in the third queue 164b.
When the encryption/decryption control unit 170 receives the decryption completion signal for the ciphertext data, it generates a read command for reading out the result.
When the extended memory interface control unit 162 receives the read command, it reads the plaintext data stored in the queue concerned (the third queue) and passes it through the main processor 140b and the first serial interface control unit 140a to the flight control unit 110.
FIG. 7 is a diagram showing the simultaneous processing of plaintext data and ciphertext data for high-speed encryption/decryption according to an embodiment of the present invention.
FIG. 7 shows the simultaneous processing of full-duplex data input and output from the flight control unit 110 and the data processing unit 120 in the electronic security system of the unmanned aerial vehicle.
Because the electronic security system according to this embodiment can process the plaintext data and ciphertext data entering through both ports (110, 120) at the same time, encryption/decryption can be sped up. The shorter data-processing time also gives the electronic security system the advantage of low-latency processing and minimizes the effect of the delay introduced by encryption/decryption.
The electronic security system according to this embodiment processes two operations in parallel, and therefore simultaneously: passing plaintext data output from the flight control unit 110 through a specific queue among the plurality of queues, encrypting it in the encryption/decryption engine unit 176, and passing it to the data processing unit 120 for transmission to the ground control station; and passing ciphertext data input to the data processing unit 120 through a specific queue among the plurality of queues, decrypting it in the encryption/decryption engine unit 176, and passing it to the flight control unit 110 for delivery to the unmanned aerial vehicle.
By parallelizing the steps that handle plaintext data and ciphertext data (queue storage, encryption/decryption and so on), the electronic security system processes the encryption and decryption of the unmanned aerial vehicle's transmitted and received data simultaneously, which enables high-speed processing. Here, for simultaneous processing, the encryption/decryption engines of the electronic security system must apply the same encryption algorithm.
Meanwhile, the main processor 140b of the electronic security system processes data sequentially, and parallel processing begins from the step of storing data in some of the plurality of queues through the extended memory interface control unit 162.
When priorities have been set for plaintext data and ciphertext data, the main processor 140b of the electronic security system may change the processing order according to those priorities. For example, if ciphertext data with a higher priority than the plaintext data arrives while the main processor 140b is processing plaintext data, it may stop processing the plaintext data and have the ciphertext data stored in some of the plurality of queues.
The main processor unit 140 handles the input and output of at least one of plaintext data to be transmitted to the ground control station of the unmanned aerial vehicle and ciphertext data received from the ground control station.
The flight control unit 110 transmits plaintext data (Plaintext) to the main processor 140b through the first serial interface under the control of the first serial interface control unit 140a, and the data processing unit 120 transmits ciphertext data to the main processor 140b through the second serial interface under the control of the second serial interface control unit 140c.
The main processor unit 140 passes the plaintext data or the ciphertext data, one item at a time in order of arrival, through the extended memory interface control unit 162 to some of the plurality of queues for temporary storage.
The buffer unit 164 includes a plurality of queues (164a, 164b, 164c, 164d) and temporarily stores at least one item of data such as plaintext data or ciphertext data. Here, the plaintext data may be stored in the first queue 164a and the ciphertext data may be stored in the fourth queue 164d.
When storage of at least one item of data such as plaintext data or ciphertext data is complete, the extended memory interface control unit 162 generates a write completion signal.
Here, the write completion signal may include the size of the plaintext data stored in the first queue 164a and the memory address in the first queue 164a at which the plaintext data is stored, and the size of the ciphertext data stored in the fourth queue 164d and the memory address in the fourth queue 164d at which the ciphertext data is stored.
확장 메모리 인터페이스 제어부(162)는 평문 데이터 및 암호문 데이터가 병렬로 처리되도록 평문 데이터 및 암호문 데이터 각각이 버퍼부(164)에 포함된 서로 다른 큐에 저장되도록 저장되는 주소를 관리한다. The extended memory interface controller 162 manages addresses stored so that the plaintext data and the ciphertext data are stored in different queues included in the buffer unit 164 so that the plaintext data and the ciphertext data are processed in parallel.
확장 메모리 인터페이스 제어부(162)는 평문 데이터의 경우 제1큐(164a)에 임시 저장되도록 하고, 암호문 데이터의 경우 제4큐(164d)에 임시 저장되도록 제어할 수 있다. 즉, 확장 메모리 인터페이스 제어부(162)는 평문 데이터 및 암호문 데이터를 제1큐(164a) 및 제4큐(164d) 각각에 병렬로 저장되도록 하여 동시 처리되도록 한다. The extended memory interface controller 162 may control the plain text data to be temporarily stored in the first queue 164a, and the encrypted text data to be temporarily stored in the fourth queue 164d. That is, the extended memory interface controller 162 stores plain text data and encrypted text data in parallel in each of the first queue 164a and the fourth queue 164d so that they are processed simultaneously.
암호화/해독화 제어부(170)는 확장 메모리 인터페이스 제어부(162)에서 쓰기 완료 신호가 발생되면, 일부 큐에 저장된 적어도 하나의 데이터에 대한 암호화 명령 또는 복호화 명령을 생성한다. When a write completion signal is generated from the extended memory interface controller 162, the encryption/decryption control unit 170 generates an encryption command or a decryption command for at least one data stored in some queues.
암호화/해독화 제어부(170)는 확장 메모리 인터페이스 제어부(162)에서 쓰기 완료 신호가 발생되면, 일부 큐(제1큐)에 저장된 평문 데이터에 대한 암호화 명령을 생성하고, 일부 큐(제4큐)에 저장된 암호문 데이터에 대한 해독화 명령을 생성한다. When a write completion signal is generated from the extended memory interface controller 162, the encryption/decryption control unit 170 generates an encryption command for plain text data stored in some queues (first queue), and partially queues (fourth queue). Generates a decryption instruction for the encrypted text data stored in.
암호화/해독화 제어부(170)는 평문 데이터 및 암호문 데이터 각각에 대한 쓰기 완료 신호가 발생되면, 제1큐(164a)에 저장된 평문 데이터에 대한 암호화 명령을 생성하고, 제4큐(164d)에 저장된 암호문 데이터에 대한 해독화 명령을 생성한다. 암호화/해독화 제어부(170)는 평문 데이터 및 암호문 데이터 각각에 대한 쓰기 완료 신호가 동시에 발생된 경우, 암호화 명령 및 해독화 명령을 동시에 생성할 수 있다. The encryption/decryption control unit 170 generates an encryption command for the plaintext data stored in the first queue 164a when a write completion signal for each of the plaintext data and the encrypted text data is generated, and is stored in the fourth queue 164d. Generates decryption instructions for ciphertext data. The encryption/decryption control unit 170 may simultaneously generate an encryption command and a decryption command when a write completion signal for each of the plain text data and the encrypted text data is simultaneously generated.
암호화/해독화부(172)는 암호화 명령을 수신하면, 평문 데이터를 해독된 보안 키를 이용하여 암호화/해독화 엔진부를 통해 암호화하고, 암호화가 완료된 암호화 데이터를 임시 저장한 후 암호화 완료 신호를 발생하며, 해독화 명령을 수신하면, 상기 암호문 데이터를 해독된 보안 키를 이용하여 암호화/해독화 엔진부를 통해 해독화하고, 해독화가 완료된 평문 데이터를 임시 저장한 후 해독화 완료 신호를 발생한다. When receiving the encryption command, the encryption/decryption unit 172 encrypts the plaintext data using the decrypted security key through the encryption/decryption engine unit, temporarily stores the encrypted data, and generates an encryption completion signal. , Upon receiving the decryption command, the encrypted text data is decrypted through the encryption/decryption engine unit using the decrypted security key, the decrypted plaintext data is temporarily stored, and a decryption completion signal is generated.
암호화/해독화부(172)는 암호화 명령을 수신하면, 제1큐에 저장된 평문 데이터를 해독된 보안 키를 이용하여 암호화/해독화 엔진부를 통해 암호화하며, 해독화 명령을 수신하면, 제4큐에 저장된 암호문 데이터를 해독된 보안 키를 이용하여 암호화/해독화 엔진부를 통해 해독화한다. 여기서, 암호화/해독화부(172)는 서로 다른 암호화/해독화 엔진부 각각을 이용하여 평문 데이터를 암호화하고, 암호문 데이터를 해독화하는 것이 바람직하나 반드시 이에 한정되는 것은 아니다. 예를 들어, 병렬 처리가 가능한 암호화/해독화 엔진부의 경우 하나의 암호화/해독화 엔진부에서 평문 데이터를 암호화하고, 암호문 데이터를 해독화할 수도 있다. When receiving the encryption command, the encryption/decryption unit 172 encrypts the plaintext data stored in the first queue using the decrypted security key through the encryption/decryption engine unit. The stored encrypted text data is decrypted through the encryption/decryption engine unit using the decrypted security key. Here, the encryption/decryption unit 172 preferably encrypts plain text data and decrypts the encrypted text data using different encryption/decryption engine units, but is not limited thereto. For example, in the case of an encryption/decryption engine unit capable of parallel processing, a single encryption/decryption engine unit may encrypt plain text data and decrypt the encrypted text data.
한편, 암호화/해독화부(172)는 동일한 암복호화 알고리즘을 사용하는 서로 다른 암호화/해독화 엔진부 각각을 이용하여 평문 데이터 및 암호문 데이터를 동시에 처리할 수 있다. 예를 들어, 서로 다른 암호화/해독화 엔진부 각각은 AES (Advanced Encryption Standard) 128/256, DES(Digital Encryption Standard), SEED, ARIA(Academy, Research Institute, Agency). LEA(Lightweight Encryption Algorithm) 등 중 하나의 동일한 암호화/해독화 알고리즘을 적용하여 평문 데이터 및 암호문 데이터를 동시에 처리할 수 있다.Meanwhile, the encryption/decryption unit 172 may simultaneously process plaintext data and ciphertext data by using different encryption/decryption engine units each using the same encryption/decryption algorithm. For example, each of the different encryption/decryption engine units is AES (Advanced Encryption Standard) 128/256, DES (Digital Encryption Standard), SEED, ARIA (Academy, Research Institute, Agency). By applying the same encryption/decryption algorithm, such as LEA (Lightweight Encryption Algorithm), both plaintext data and ciphertext data can be processed at the same time.
암호화/해독화부(172)는 암호화가 완료된 암호문 데이터를 복수의 큐 중 일부 큐에 임시 저장한 후 암호화 완료 신호를 발생한다. 여기서, 평문 데이터를 암호화한 암호문 데이터는 제2큐(164b)에 저장될 수 있다. 암호 완료 신호는, 제2큐(164b)에 저장된 암호화 완료된 데이터의 크기와 암호화 완료된 데이터가 저장된 제2큐(164b)의 메모리 주소를 포함할 수 있다. The encryption/decryption unit 172 temporarily stores the encrypted text data in some of the plurality of queues and then generates an encryption completion signal. Here, the encrypted text data by encrypting the plain text data may be stored in the second queue 164b. The encryption completion signal may include a size of encrypted data stored in the second queue 164b and a memory address of the second queue 164b in which the encrypted data is stored.
Meanwhile, at the same time as the encryption processing, the encryption/decryption unit 172 temporarily stores the plaintext data whose decryption is complete in some of the plurality of queues and then generates a decryption completion signal. Here, the plaintext data obtained by decrypting the ciphertext data may be stored in the third queue 164b. The decryption completion signal may include the size of the decrypted plaintext data stored in the third queue 164b and the memory address of the third queue 164b in which the decrypted plaintext data is stored.
When an encryption completion signal or a decryption completion signal is received for at least one item of data, such as plaintext data or ciphertext data, the encryption/decryption control unit 170 generates a read command for the read-out.
When an encryption completion signal for plaintext data is received, the encryption/decryption control unit 170 generates a read command for reading the ciphertext data; when a decryption completion signal for ciphertext data is received, it generates a read command for reading the plaintext data. The read commands for reading the ciphertext data and for reading the plaintext data may be generated simultaneously, in parallel.
When a read command is received, the extended memory interface control unit 162 reads the plaintext data or ciphertext data stored in some of the plurality of queues. On receiving the read command, the extended memory interface control unit 162 simultaneously performs two operations: it reads the ciphertext data stored in one queue (the second queue) and passes it to the data processing unit 120 via the main processor 140b and the second serial interface control unit 140c, and it reads the plaintext data stored in another queue (the third queue) and passes it to the flight control unit 110 via the main processor 140b and the first serial interface control unit 140a.
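The queue and completion-signal handshake described above, as an added C sketch that is not code from the patent or the applicant. The function names, the 64-byte queue size and the sample data are assumptions; the XOR loop is a non-secure placeholder for engine unit 176, the two directions run one after the other rather than in parallel, and `signal_ok` is an added check (not in the patent) that a signalled address and size really fall inside the expected queue.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define QUEUE_BYTES 64
/* Queue roles from the description: Q1 plaintext in, Q2 ciphertext out,
 * Q3 plaintext out, Q4 ciphertext in. */
enum queue_id { Q1, Q2, Q3, Q4, QUEUE_COUNT };

/* Write/encryption/decryption completion signal: data size + queue address. */
struct done_signal { const uint8_t *addr; size_t size; };

static uint8_t buffer_unit[QUEUE_COUNT][QUEUE_BYTES];   /* models buffer unit 164 */

/* Added check (not in the patent): a signal is honoured only if it names the
 * start of the expected queue and a size that fits inside it. */
int signal_ok(const struct done_signal *s, enum queue_id expected)
{
    return s->addr == buffer_unit[expected] && s->size > 0 && s->size <= QUEUE_BYTES;
}

/* Models controller 162 storing data and raising the write completion signal. */
int emif_write(enum queue_id q, const uint8_t *data, size_t n, struct done_signal *sig)
{
    if (n == 0 || n > QUEUE_BYTES) return -1;
    memcpy(buffer_unit[q], data, n);
    sig->addr = buffer_unit[q];
    sig->size = n;
    return 0;
}

/* Models unit 172 executing one command: src queue -> engine -> dst queue.
 * The XOR below is a placeholder for engine unit 176 (AES, ARIA, LEA, ...);
 * it provides no security and only makes the data flow observable. */
int crypt_unit(const struct done_signal *wr, enum queue_id src, enum queue_id dst,
               const uint8_t *key, size_t klen, struct done_signal *done)
{
    if (!signal_ok(wr, src) || klen == 0) return -1;
    for (size_t i = 0; i < wr->size; i++)
        buffer_unit[dst][i] = wr->addr[i] ^ key[i % klen];
    done->addr = buffer_unit[dst];
    done->size = wr->size;
    return 0;
}

/* Models the read command: copy exactly the signalled bytes out of the queue. */
int emif_read(const struct done_signal *done, enum queue_id q, uint8_t *out, size_t cap)
{
    if (!signal_ok(done, q) || done->size > cap) return -1;
    memcpy(out, done->addr, done->size);
    return (int)done->size;
}

/* Uplink: Q1 -> Q2 (encrypt). Downlink: Q4 -> Q3 (decrypt). Returns 0 if the
 * downlink recovers the uplink plaintext and the uplink output differs from it. */
int run_demo(void)
{
    static const uint8_t key[] = "constructed-demo-key";      /* constructed */
    static const uint8_t telemetry[] = "ALT=120;HDG=270";     /* constructed */
    struct done_signal wr, done;
    uint8_t up[QUEUE_BYTES], down[QUEUE_BYTES];
    size_t n = sizeof telemetry, klen = sizeof key - 1;

    if (emif_write(Q1, telemetry, n, &wr) || crypt_unit(&wr, Q1, Q2, key, klen, &done)) return -1;
    if (emif_read(&done, Q2, up, sizeof up) != (int)n) return -1;
    if (emif_write(Q4, up, n, &wr) || crypt_unit(&wr, Q4, Q3, key, klen, &done)) return -1;
    if (emif_read(&done, Q3, down, sizeof down) != (int)n) return -1;
    return (memcmp(up, telemetry, n) != 0 && memcmp(down, telemetry, n) == 0) ? 0 : -1;
}
```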
FIG. 8 is a diagram illustrating a configuration example of an electronic security system according to an embodiment of the present invention.
FIG. 8 shows the electronic security system 130 connected between the flight control unit 810 and the data processing unit 820, to each through a serial interface, and performing encryption/decryption of the data transmitted and received.
FIG. 9 is a diagram illustrating a configuration example of an electronic security system according to another embodiment of the present invention. The electronic security system 130 according to FIG. 9 is shown operating as a component included in the data processing unit 920. In FIG. 9, the electronic security system 130 is located in front of the modulation/demodulation unit 940 and communicates with the flight control unit interface 930 through a serial interface, and the flight control unit interface 930 handles the interface with the flight control unit 910. In addition, in FIG. 9, the modulation/demodulation unit 940 modulates the ciphertext data output from the electronic providing system 1360 and outputs it through the RF unit 950, or demodulates the ciphertext data received through the RF unit 950 and outputs it to the electronic security system 130.
In addition, the operation methods according to the various embodiments of the present invention described above may be implemented as a program and provided stored in various non-transitory computer readable media. A non-transitory readable medium is not a medium that stores data for a short moment, such as a register, cache or memory, but a medium that stores data semi-permanently and can be read by a device. Specifically, the various applications or programs described above may be provided stored in a non-transitory readable medium such as a CD, DVD, hard disk, Blu-ray disc, USB, memory card or ROM.
In addition, although preferred embodiments of the present invention have been illustrated and described above, the present invention is not limited to the specific embodiments described. Various modifications can of course be made by those of ordinary skill in the technical field to which the invention belongs without departing from the gist of the present invention as claimed in the claims, and such modifications should not be understood separately from the technical idea or outlook of the present invention.
[Explanation of reference numerals]
110: flight control unit
120: data processing unit
130: electronic security system
140: main processor unit
140a: first serial interface control unit
140b: main processor
140c: second serial interface control unit
150: security key management unit
150a: PUF circuit
150b: non-volatile memory
150c: security key encryption unit
160: encryption/decryption processor
162: extended memory interface control unit
164: buffer unit
164a: first queue
164b: second queue
164c: third queue
164d: fourth queue
170: encryption/decryption control unit
172: encryption/decryption unit
174: security key decryption unit
176: encryption/decryption engine unit

Claims (11)

  1. An electronic security system in an unmanned aerial vehicle for high-speed encryption/decryption processing, comprising:
    a main processor unit that performs input/output processing of at least one of plaintext data to be transmitted to a ground control station of the unmanned aerial vehicle and ciphertext data received from the ground control station;
    a buffer unit that temporarily stores the at least one data in a plurality of queues;
    an extended memory interface control unit that generates a write completion signal when storage of the at least one data is completed and, when a read command is received, reads the plaintext data or the ciphertext data stored in some of the plurality of queues;
    an encryption/decryption control unit that, when the write completion signal is generated, generates an encryption command or a decryption command for the data stored in the some queues and, when an encryption completion signal or a decryption completion signal for the data is received, generates a read command for the read-out; and
    an encryption/decryption unit that, upon receiving the encryption command, encrypts the plaintext data through an encryption/decryption engine unit using a decrypted security key, temporarily stores the encrypted data whose encryption is complete, and then generates an encryption completion signal, and
    upon receiving the decryption command, decrypts the ciphertext data through the encryption/decryption engine unit using the decrypted security key, temporarily stores the plaintext data whose decryption is complete, and then generates a decryption completion signal.
  2. The electronic security system of claim 1,
    wherein the main processor unit
    sequentially transfers, according to input order, one of the plaintext data and the ciphertext data to the plurality of queues through the extended memory interface control unit so that it is temporarily stored.
  3. The electronic security system of claim 2,
    wherein the extended memory interface control unit
    manages the addresses at which data is stored so that the plaintext data and the ciphertext data are each stored in a different queue included in the buffer unit, so that the plaintext data and the ciphertext data are processed in parallel.
  4. The electronic security system of claim 3,
    wherein the extended memory interface control unit
    controls the plaintext data to be temporarily stored in a first queue and the ciphertext data to be temporarily stored in a fourth queue,
    the plaintext data and the ciphertext data being stored in parallel in the first queue and the fourth queue respectively so that they are processed simultaneously.
  5. The electronic security system of claim 4,
    wherein the encryption/decryption control unit,
    when the write completion signal for each of the plaintext data and the ciphertext data is generated, generates an encryption command for the plaintext data stored in the first queue and a decryption command for the ciphertext data stored in the fourth queue, and, when the write completion signals for the plaintext data and the ciphertext data are generated simultaneously, generates the encryption command and the decryption command simultaneously.
  6. The electronic security system of claim 4,
    wherein the encryption/decryption unit,
    upon receiving the encryption command, encrypts the plaintext data stored in the first queue through the encryption/decryption engine unit using the decrypted security key, and
    upon receiving the decryption command, decrypts the ciphertext data stored in the fourth queue through the encryption/decryption engine unit using the decrypted security key.
  7. The electronic security system of claim 6,
    wherein the encryption/decryption unit
    encrypts the plaintext data and decrypts the ciphertext data using a different encryption/decryption engine unit for each.
  8. The electronic security system of claim 7,
    wherein the encryption/decryption unit
    processes the plaintext data and the ciphertext data simultaneously using the different encryption/decryption engine units, each of which uses the same encryption/decryption algorithm.
  9. The electronic security system of claim 4,
    wherein the encryption/decryption unit,
    when encryption of the plaintext data is completed, stores the encrypted data in a second queue and generates the encryption completion signal, and
    when decryption of the ciphertext data is completed, stores the decrypted plaintext data in a third queue and generates the decryption completion signal.
  10. The electronic security system of claim 1,
    wherein the write completion signal
    includes the size of the plaintext data stored in the first queue and the memory address of the first queue in which the plaintext data is stored, and the size of the ciphertext data stored in the fourth queue and the memory address of the fourth queue in which the ciphertext data is stored.
  11. The electronic security system of claim 1,
    wherein the encryption completion signal includes the size of the encrypted data stored in the second queue and the memory address of the second queue in which the encrypted data is stored, and the decryption completion signal includes the size of the decrypted plaintext data stored in the third queue and the memory address of the third queue in which the decrypted plaintext data is stored.
PCT/KR2019/014139 2019-10-25 2019-10-25 Electronic security system in unmanned aerial vehicle, for high-speed encryption/decryption processing WO2021080050A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/KR2019/014139 WO2021080050A1 (en) 2019-10-25 2019-10-25 Electronic security system in unmanned aerial vehicle, for high-speed encryption/decryption processing


Publications (1)

Publication Number Publication Date
WO2021080050A1 true WO2021080050A1 (en) 2021-04-29

Family

ID=75620710


Country Status (1)

Country Link
WO (1) WO2021080050A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20100054697A (en) * 2008-11-14 2010-05-25 한국전자통신연구원 Encryption method for data and decryption method therefor
KR20110058574A (en) * 2009-11-26 2011-06-01 삼성전자주식회사 Endecryptor enabling parallel processing and en/decryption method thereof
US20170162059A1 (en) * 2014-07-14 2017-06-08 John A. Jarrell Unmanned aerial vehicle communication, monitoring, and traffic management
KR20180077888A (en) * 2016-12-29 2018-07-09 단암시스템즈 주식회사 System for electronically securing in unmanned aerial vehicle
US20180198779A1 (en) * 2015-03-27 2018-07-12 Amazon Technologies, Inc. Unmanned vehicle message exchange

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19950067

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19950067

Country of ref document: EP

Kind code of ref document: A1