CN115567928A - WiFi network cipher machine - Google Patents
- Publication number: CN115567928A (application CN202211201205.7A)
- Authority: CN (China)
- Legal status: Pending
Classifications
- H04W12/033 (Wireless communication networks; security arrangements): protecting confidentiality by encryption of the user plane, e.g. the user's traffic
- H04L47/24 (Traffic control in data switching networks; flow control, congestion control): traffic characterised by specific attributes, e.g. priority or QoS
- H04L63/0209 (Network security; separating internal from external traffic, e.g. firewalls): architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/0428 (Network security; confidential data exchange across data packet networks): the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/101 (Network security; controlling access to devices or network resources): access control lists [ACL]
Abstract
The application provides a WiFi network cipher machine, which comprises a field programmable gate array module and a central processing unit module, wherein the central processing unit module is connected with the field programmable gate array module. The field programmable gate array module comprises a first field programmable gate array, a second field programmable gate array and a third field programmable gate array; the first field programmable gate array is used for carrying out access control on accessed external network data; the second field programmable gate array is used for encrypting and decrypting the interactive data of the outer network and the inner network according to a cryptographic algorithm; the third field programmable gate array is used for controlling the application flow of the external network according to the flow control strategy; the central processor module is used for assisting the field programmable gate array module to carry out data access control, encryption and decryption processing and flow control. Control of the application flow of the external network is thereby realized while the security of WiFi use is effectively ensured.
Description
Technical Field
The application relates to the technical field of cipher machines, in particular to a WiFi network cipher machine.
Background
WiFi is a technology that allows electronic equipment to connect to a wireless local area network. With the development of science and technology, WiFi has become more and more popular and brings great convenience to people's production and daily life. However, the security problems of WiFi use are increasingly prominent: personal sensitive information may be stolen and even direct economic loss caused. The potential hazard is that all data packets sent to the internet may be forwarded through an attacker's equipment, where they can be intercepted and analyzed, and any communication without encryption can be read directly. Secure encryption of WiFi is therefore very important.
Disclosure of Invention
The embodiment of the application mainly aims to provide a WiFi network cipher machine. The control of the application flow of the external network is realized while the safety of WiFi use is effectively guaranteed.
In order to achieve the above object, an embodiment of the present application provides a WiFi network cryptographic engine, including:
the field programmable gate array module comprises a first field programmable gate array, a second field programmable gate array and a third field programmable gate array;
the first field programmable logic gate array is used for carrying out access control on accessed extranet data;
the second field programmable gate array is used for encrypting and decrypting the interactive data of the outer network and the inner network according to a cryptographic algorithm;
the third field programmable gate array is used for controlling the application traffic of the external network according to a traffic control strategy;
and the central processor module is connected with the field programmable gate array module and is used for assisting the field programmable gate array module in carrying out data access control, encryption and decryption processing and flow control.
In some embodiments, the first field programmable gate array and the second field programmable gate array are both connected to the third field programmable gate array;
the second field programmable logic gate array is connected with the third field programmable logic gate array.
In some embodiments, the central processor module comprises a first central processor, a second central processor, and a third central processor;
the first central processing unit is connected with the first field programmable logic gate array;
the second central processing unit is connected with the second field programmable logic gate array;
and the third central processing unit is connected with the third field programmable gate array.
In some embodiments, the first central processor is configured to set an access control policy and write the access control policy to an access control list;
the first field programmable gate array comprises an access control unit, wherein the access control unit is used for extracting quintuple data in access request data and matching the quintuple data according to the access control list so as to perform access control on accessed external network data.
In some embodiments, the second field programmable gate array comprises an encryption and decryption unit, and the encryption and decryption unit is used for encrypting and decrypting interactive data of an external network and an internal network according to a cryptographic algorithm;
and the second central processing unit is used for transmitting the intranet data to the encryption and decryption unit for encryption processing and transmitting the extranet data decrypted by the encryption and decryption unit to the intranet.
In some embodiments, the third central processing unit is configured to identify the external network data stream and obtain the application type used by the external network traffic according to the identification result;
the third field programmable gate array comprises a flow control unit, and the flow control unit is used for controlling the application flow of the external network according to the application type and the flow control strategy used by the external network flow.
In some embodiments, the WiFi network cryptographic machine further comprises a main control module and a fan module, the field programmable gate array module, the central processor module and the fan module are all connected to the main control module, and the main control module is configured to:
controlling the field programmable gate array module to execute access control, encryption and decryption processing and flow control;
controlling the central processor module to assist the field programmable gate array module in carrying out data access control, encryption and decryption processing and flow control;
and acquiring the temperature of the WiFi network cipher machine, and controlling the rotating speed of the fan module according to the temperature of the WiFi network cipher machine.
In some embodiments, the WiFi network cipher machine further comprises a power on/off control module, and the power on/off control module is connected with the main control module;
the power on/off control module is used for acquiring the power state of the WiFi network cipher machine and remotely controlling the starting, shutting down and resetting of the WiFi network cipher machine through the network port.
In some embodiments, the WiFi network cryptographic engine further comprises a virtual media mapping module, the virtual media mapping module is connected with the main control module;
the virtual media mapping module is used for providing mounting of the virtual media device.
In some embodiments, the WiFi network cryptographic machine further comprises a display module, the display module is connected with the main control module;
the display module is used for displaying the running state of the WiFi network cipher machine and displaying a corresponding error code when the WiFi network cipher machine encounters an error during operation.
The WiFi network cipher machine comprises a field programmable gate array module and a central processing unit module, wherein the central processing unit module is connected with the field programmable gate array module. The field programmable logic gate array module comprises a first field programmable logic gate array, a second field programmable logic gate array and a third field programmable logic gate array; the first field programmable gate array is used for carrying out access control on accessed external network data; the second field programmable gate array is used for encrypting and decrypting the interactive data of the outer network and the inner network according to a cryptographic algorithm; the third field programmable gate array is used for managing and controlling the application flow of the external network according to the flow management and control strategy; the central processor module is used for assisting the field programmable gate array module to carry out data access control, encryption and decryption processing and flow control; the control of the application flow of the external network is realized while the safety of WiFi use can be effectively guaranteed.
Drawings
Fig. 1 is a schematic structural diagram of a WiFi network cryptographic engine provided in an embodiment of the present application;
Fig. 2 is another schematic structural diagram of a WiFi network cryptographic engine provided in the embodiment of the present application;
Fig. 3 is another schematic structural diagram of a WiFi network cryptographic engine provided in the embodiment of the present application;
Fig. 4 is a diagram of an exemplary structure of a WiFi network cryptographic engine provided in an embodiment of the present application;
Fig. 5 is a schematic diagram of a logic architecture of an FPGA (A) provided in an embodiment of the present application;
Fig. 6 is a schematic diagram of a logic architecture of an FPGA (B) provided in an embodiment of the present application;
Fig. 7 is a schematic diagram of a logic architecture of an FPGA (C) provided by an embodiment of the present application;
Fig. 8 is a schematic diagram of a logic architecture of a CPU according to an embodiment of the present application;
Fig. 9 is an architecture diagram of a WiFi wireless encryption system provided by an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad application.
It should be noted that although functional blocks are partitioned in a schematic diagram of an apparatus and a logical order is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the partitioning of blocks in the apparatus or the order in the flowchart. The terms first, second and the like in the description and in the claims, and the drawings described above, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the application.
WiFi is a technology that allows an electronic device to connect to a wireless local area network. With the development of technology, WiFi has become more and more popular, and its security problems have become more and more prominent. An information security system in a network environment is the key to ensuring information security. Information security means that an information system (including its hardware, software, data, people, physical environment and infrastructure) is protected from damage, alteration and leakage due to accidental or malicious causes, so that the system runs continuously, reliably and normally, information services are not interrupted, and business continuity is ultimately achieved. However, information security cannot be guaranteed when privacy-sensitive access is involved and the internet is accessed in a public WiFi environment.
Based on this, referring to Fig. 1, Fig. 1 is a schematic structural diagram of a WiFi network cryptographic engine provided in an embodiment of the present application. The embodiment of the present application provides a WiFi network cryptographic machine 100, including:
the field programmable gate array module 110 and the central processor module 120, the central processor module 120 is connected with the field programmable gate array module 110;
the field programmable gate array module 110 includes a first field programmable gate array 111, a second field programmable gate array 112 and a third field programmable gate array 113;
the first field programmable gate array 111 is used for performing access control on accessed extranet data;
the second field programmable gate array 112 is used for encrypting and decrypting the interactive data of the extranet and the intranet according to a cryptographic algorithm;
the third field programmable gate array 113 is configured to manage and control application traffic of the external network according to a traffic management and control policy;
the central processor module 120 is configured to assist the field programmable gate array module in performing data access control, encryption and decryption processing, and flow control.
As shown in Fig. 2, the first field programmable gate array 111 and the second field programmable gate array 112 are both connected to the third field programmable gate array 113; the second field programmable gate array 112 is connected to the third field programmable gate array 113.
As shown in Fig. 2, the central processor module 120 includes a first central processing unit 121, a second central processing unit 122, and a third central processing unit 123; the first central processing unit 121 is connected with the first field programmable gate array 111; the second central processing unit 122 is connected with the second field programmable gate array 112; and the third central processing unit 123 is connected with the third field programmable gate array 113.
In the embodiment of the present application, the first field programmable gate array 111 is connected to the first central processing unit 121 through a PCIe interface, the second field programmable gate array 112 is connected to the second central processing unit 122 through a PCIe interface, and the third field programmable gate array 113 is connected to the third central processing unit 123 through a PCIe interface. The first field programmable gate array 111, the second field programmable gate array 112 and the third field programmable gate array 113 are connected through a 10GBASE-R interface, and the second field programmable gate array 112 and the third field programmable gate array 113 are connected through a 10GBASE-R interface.
In this embodiment of the application, the first central processing unit 121 is configured to set an access control policy, and write the access control policy into an access control list;
the first field programmable gate array 111 includes an access control unit, and the access control unit is configured to extract quintuple data in the access request data, and match the quintuple data according to the access control list, so as to perform access control on accessed external network data.
Specifically, the first central processing unit 121 communicates with the external network, and the first field programmable gate array 111 cooperates with the first central processing unit 121 to perform access control on external network requests, so as to ensure that the network is not accessed illegally. The first central processing unit 121 may set a plurality of access control policies, such as allowing or denying network access requests for certain specific addresses, ports or protocols, and writes the access control policies into an access control list. The access control unit in the first field programmable gate array 111 extracts the five-tuple data (source IP address, source port, destination IP address, destination port and transport layer protocol) from the access request data and matches it against all valid access control statements in the access control list; if the five-tuple matches none of the access control statements, the packet is discarded.
For example, when the source IP address in the five-tuple data extracted by the access control unit in the first field programmable gate array 111 is set to be allowed in the access control list, the external network access corresponding to the current access request data is allowed. If the source IP address in the five-tuple data is set to be denied in the access control list, the external network access corresponding to the current access request data is denied.
In this embodiment, to further enhance security, packet filtering rules may also be set in the first central processing unit 121; when an external network data packet arrives at the WiFi network cipher machine, the first field programmable gate array 111 filters it according to the configured packet filtering rules. Specifically, if the information in the external network packet matches a filtering rule and that rule allows the packet to pass, the packet is forwarded to the internal network; if it matches a filtering rule that denies the packet, the packet is discarded. If no rule matches, the default rule determines whether the packet is passed in or dropped.
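As an added illustration (not code from the patent), the following Python models the behaviour of the access control unit and the packet filtering step described above: it extracts the five-tuple from a raw IPv4 packet carrying TCP or UDP, matches it against an ordered access control list, and applies the default rule (discard) to anything that matches no statement. The ACL statements, addresses and the packet builder are constructed sample data.

```python
import socket
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class FiveTuple:
    """The quintuple the access control unit extracts from an access request."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class AclStatement:
    """One statement the first CPU writes into the access control list. None means 'any'."""
    action: str                      # "allow" or "deny"
    src: Optional[str] = None        # source CIDR
    dst: Optional[str] = None        # destination CIDR
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, t: FiveTuple) -> bool:
        if self.src is not None and ip_address(t.src_ip) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(t.dst_ip) not in ip_network(self.dst):
            return False
        if self.dst_port is not None and t.dst_port != self.dst_port:
            return False
        if self.proto is not None and t.proto != self.proto:
            return False
        return True


_PROTO_NAMES = {6: "tcp", 17: "udp"}


def extract_five_tuple(packet: bytes) -> FiveTuple:
    """Pull the five-tuple out of a raw IPv4 packet carrying TCP or UDP (the hardware unit's job)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes, options included
    proto = _PROTO_NAMES.get(packet[9])
    if proto is None or len(packet) < ihl + 4:
        raise ValueError("unsupported transport protocol or truncated packet")
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return FiveTuple(socket.inet_ntoa(packet[12:16]), src_port,
                     socket.inet_ntoa(packet[16:20]), dst_port, proto)


def evaluate_acl(acl: List[AclStatement], t: FiveTuple, default: str = "deny") -> str:
    """First matching statement wins; a packet matching nothing gets the default rule (discard)."""
    for stmt in acl:
        if stmt.matches(t):
            return stmt.action
    return default


def build_ipv4_packet(src: str, dst: str, proto: str, src_port: int, dst_port: int) -> bytes:
    """Constructed sample packet: minimal IPv4 header plus transport ports, checksum left at zero."""
    proto_num = {"tcp": 6, "udp": 17}[proto]
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto_num, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + struct.pack("!HH", src_port, dst_port) + b"\x00" * 4


# Constructed policy, in the order the first CPU would write it into the ACL.
SAMPLE_ACL = [
    AclStatement("deny", src="10.0.5.0/24"),                          # quarantined subnet
    AclStatement("allow", src="10.0.0.0/8", dst_port=443, proto="tcp"),
    AclStatement("allow", dst_port=53, proto="udp"),
]


def decide(packet: bytes) -> str:
    """Access decision for one external-network packet under SAMPLE_ACL."""
    return evaluate_acl(SAMPLE_ACL, extract_five_tuple(packet))


if __name__ == "__main__":
    for pkt in (build_ipv4_packet("10.0.1.2", "192.0.2.10", "tcp", 40000, 443),
                build_ipv4_packet("10.0.5.7", "192.0.2.10", "tcp", 40001, 443),
                build_ipv4_packet("198.51.100.9", "192.0.2.53", "udp", 5353, 53),
                build_ipv4_packet("198.51.100.9", "192.0.2.10", "tcp", 40002, 22)):
        print(extract_five_tuple(pkt), "->", decide(pkt))
```

The last sample packet (SSH to a host no statement mentions) is dropped purely by the default rule, which is the behaviour the patent relies on for unmatched traffic.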
In this embodiment, the second field programmable gate array 112 includes an encryption and decryption unit, which is configured to encrypt and decrypt the interactive data of the external network and the internal network according to a cryptographic algorithm;
the second central processing unit 122 is configured to transmit the intranet data to the encryption and decryption unit for encryption processing, and transmit the extranet data decrypted by the encryption and decryption unit to the intranet.
In this embodiment, after the first field programmable gate array 111 cooperates with the first central processing unit 121 to authenticate the external network request and, for example, the external network access is allowed, the external network data is encrypted by the WiFi encryption network card and then transmitted to the WiFi network cipher machine; the encryption and decryption unit in the second field programmable gate array 112 decrypts the encrypted external network data according to the cryptographic algorithm and then transmits the decrypted data to the internal network through the second central processing unit 122. When the internal network needs to send data to the external network, the internal network data is transmitted through the second central processing unit 122 to the encryption and decryption unit of the second field programmable gate array 112, which encrypts it and then sends the encrypted internal network data to the external network. The user terminal on the external network decrypts the received encrypted internal network data through the WiFi encryption network card. In this way the security of data transmission during interaction between the internal and external networks can be ensured.
It can be understood that, in the embodiment of the present application, the cryptographic algorithm may be chosen according to specific requirements and implemented in programmable logic. Once the cryptographic algorithm has been written as the corresponding program, it is loaded into the second field programmable gate array 112, so that the encryption and decryption unit can invoke it to perform encryption and decryption processing.
It should be noted that, in the embodiment of the present application, the WiFi network cipher machine needs to interact with the user terminal on the external network through the WiFi encryption network card, so as to implement encryption and decryption of the interactive data.
In this embodiment of the application, the third central processing unit 123 is configured to identify an external network data stream, and obtain an application type used by external network traffic according to an identification result;
the third field programmable gate array 113 includes a traffic control unit, which is configured to control the application traffic of the external network according to the application type used by the external network traffic and the traffic control policy.
Unlike other cipher machines, the WiFi network cipher machine provided in the embodiment of the present application also has a traffic control function. Specifically, the third central processing unit 123 is provided with dedicated software and hardware to monitor the traffic information of the external network. Because different application types differ in the state of their session connections or data flows, the external network data flow can be identified and the application type used by the external network traffic obtained from the identification result. The identification indicators include the packet size, rate, delay, duration, sending frequency, the ratio of uplink to downlink traffic, the connection pattern of IP addresses, and so on. The traffic control unit in the third field programmable gate array 113 then controls the application traffic of the external network according to the identified application type and the traffic control policy. Specifically, the data flow can be subjected to traffic management and resource scheduling by means such as blocking and random packet loss, so as to achieve traffic control.
It can be understood that, in the embodiment of the present application, the traffic control policy may be set according to specific requirements. For example, traffic may be distributed evenly among all user terminals accessing the intranet; or the traffic of key service applications may be released without limit, the traffic of non-key service applications limited, and illegal service applications prohibited.
For example, the traffic control policy may be set as follows: common applications such as websites, mail, DNS, IM, office OA, microblogs, forums and online banking are guaranteed a bandwidth of at least 50% and at most 100%; the traffic of key applications such as internet access, file downloading and mail sending and receiving is preferentially guaranteed; and when no key application is active, applications such as online streaming media may use as much of the line bandwidth as possible, so that bandwidth is not wasted.
In the embodiment of the application, a traffic control unit is arranged in the WiFi network cipher machine, so that network traffic can be detected and analyzed, and traffic control per user and per application type can be provided through identification of the application type: key service applications are guaranteed, non-key service applications are controlled, and irrelevant service applications are blocked. Controlling the traffic reduces the load and guarantees network resources for key services. At the same time, when a user accesses an illegal website, the access can be prevented by blocking the flow, which enhances the security of the network to a certain extent.
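As an added illustration (not code from the patent), the following Python sketches the third CPU's application identification from flow indicators and the traffic control unit's policy described above: illegal destinations blocked, key applications served first, common applications guaranteed 50% and allowed up to 100% of the line, non-critical applications capped, with random packet loss as the enforcement mechanism. The classification thresholds, the policy table, the blocklist and the sample flows are constructed assumptions, not the patent's own values.

```python
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FlowStats:
    """Per-flow indicators the third CPU collects: packet size, rate, duration, up/down ratio, ..."""
    flow_id: str
    dst_ip: str
    dst_port: int
    avg_pkt_size: int      # bytes
    pkt_rate: float        # packets per second
    duration_s: float
    down_up_ratio: float   # downlink bytes / uplink bytes
    demand_bps: float      # throughput the flow is currently trying to use


# Constructed blocklist standing in for the "illegal service application" category.
BLOCKED_DSTS = {"203.0.113.66"}

# Constructed mapping from application type to policy class (one reading of the patent's policy).
POLICY: Dict[str, str] = {
    "web": "critical", "file_download": "critical", "mail": "critical",
    "dns": "common", "im": "common",
    "streaming": "non_critical", "unknown": "non_critical",
    "illegal": "illegal",
}


def classify_application(s: FlowStats) -> str:
    """Heuristic application identification from flow indicators; the thresholds are constructed."""
    if s.dst_ip in BLOCKED_DSTS:
        return "illegal"
    if s.dst_port == 53 and s.avg_pkt_size < 300:
        return "dns"
    if s.avg_pkt_size > 1000 and s.down_up_ratio > 20 and s.duration_s > 60:
        return "streaming"      # long-lived, downlink-dominated, full-size packets
    if s.avg_pkt_size > 1000 and s.down_up_ratio > 5:
        return "file_download"
    if s.avg_pkt_size < 400 and s.pkt_rate < 5:
        return "im"             # small, infrequent packets
    if s.dst_port in (80, 443):
        return "web"
    return "unknown"


def allocate_bandwidth(flows: List[FlowStats], line_bps: float,
                       non_critical_cap_bps: float) -> Dict[str, float]:
    """Share the line: illegal flows blocked, key applications served first, common applications
    guaranteed 50% and allowed up to 100% of the line, non-critical applications limited to a cap.
    Within a class the share is divided in proportion to demand."""
    cls = {f.flow_id: POLICY[classify_application(f)] for f in flows}

    def demand(c: str) -> float:
        return sum(f.demand_bps for f in flows if cls[f.flow_id] == c)

    alloc = {f.flow_id: 0.0 for f in flows}               # illegal flows stay at 0 (blocked)
    common_floor = min(demand("common"), 0.5 * line_bps)   # guaranteed minimum for common apps
    remaining = line_bps - common_floor
    critical_share = min(demand("critical"), remaining)    # key applications take what they need
    remaining -= critical_share
    common_extra = min(demand("common") - common_floor, remaining)  # common apps may grow to 100%
    remaining -= common_extra
    nc_share = min(demand("non_critical"), remaining, non_critical_cap_bps)
    shares = {"critical": critical_share, "common": common_floor + common_extra,
              "non_critical": nc_share}
    for f in flows:
        c = cls[f.flow_id]
        if c in shares and demand(c) > 0:
            alloc[f.flow_id] = shares[c] * f.demand_bps / demand(c)
    return alloc


def drop_probability(demand_bps: float, alloc_bps: float) -> float:
    """Random packet loss rate that holds a flow at its allocation (1.0 means fully blocked)."""
    if demand_bps <= 0 or alloc_bps >= demand_bps:
        return 0.0
    return 1.0 - alloc_bps / demand_bps


def forwarded_fraction(seed: int, packets: int, demand_bps: float, alloc_bps: float) -> float:
    """Simulate per-packet random-loss enforcement and return the fraction of packets forwarded."""
    rng = random.Random(seed)
    p_drop = drop_probability(demand_bps, alloc_bps)
    kept = sum(1 for _ in range(packets) if rng.random() >= p_drop)
    return kept / packets


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    FlowStats("web", "192.0.2.10", 443, 800, 50, 10, 3, 30e6),
    FlowStats("download", "192.0.2.20", 443, 1400, 3000, 30, 8, 40e6),
    FlowStats("dns", "192.0.2.53", 53, 120, 1, 1, 1, 1e6),
    FlowStats("im", "192.0.2.30", 5222, 200, 2, 600, 1, 2e6),
    FlowStats("stream", "192.0.2.40", 443, 1300, 4000, 300, 40, 50e6),
    FlowStats("blocked", "203.0.113.66", 80, 900, 100, 5, 2, 5e6),
]

if __name__ == "__main__":
    alloc = allocate_bandwidth(SAMPLE_FLOWS, line_bps=100e6, non_critical_cap_bps=10e6)
    for f in SAMPLE_FLOWS:
        print(f"{f.flow_id:9s} {classify_application(f):14s} {alloc[f.flow_id] / 1e6:5.1f} Mbit/s"
              f"  drop={drop_probability(f.demand_bps, alloc[f.flow_id]):.2f}")
```

On a 100 Mbit/s line the streaming flow asking for 50 Mbit/s is held to the 10 Mbit/s non-critical cap, so its drop probability comes out at 0.8 while the key and common flows are served in full.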
Referring to Fig. 3, Fig. 3 is a schematic structural diagram of a WiFi network cryptographic engine provided in the embodiment of the present application. In this embodiment, the WiFi network cryptographic machine 100 further includes a main control module 130 and a fan module 140, the field programmable gate array module 110, the central processor module 120 and the fan module 140 are all connected to the main control module 130, and the main control module 130 is configured to perform the following operations:
controlling the field programmable gate array module 110 to execute access control, encryption and decryption processing and flow control;
the control central processing unit module 120 assists the field programmable gate array module to perform data access control, encryption and decryption processing and flow control;
and acquiring the temperature of the WiFi network password machine, and controlling the rotating speed of the fan module 140 according to the temperature of the WiFi network password machine.
In this embodiment, the main control module 130 is connected to the fpga module 110, the cpu module 120, and the fan module 140, so as to control these modules to operate. Specifically, the fpga module 110 may be controlled to perform access control, encryption and decryption processing, and traffic control; the control cpu module 120 assists the fpga module in performing data access control, encryption and decryption processing, and traffic control. Meanwhile, the rotating speed of each fan of the fan module can be dynamically adjusted according to a fan control strategy and by combining the temperature change condition of the WiFi network cipher machine, so that the effects of reducing the power consumption and noise of the whole machine and improving the heat dissipation efficiency are achieved.
Referring to fig. 3, in the embodiment of the present application, the WiFi network cryptographic engine 100 further includes a switch on/off control module 150, where the switch on/off control module 150 is connected to the main control module 130; the switch control module 150 is configured to obtain a switch state of the WiFi network cryptographic machine, and remotely control the operations of starting, shutting down, and resetting the WiFi network cryptographic machine based on the internet access.
Referring to fig. 3, in the embodiment of the present application, the WiFi network cryptographic machine further includes a virtual media mapping module 160, where the virtual media mapping module 160 is connected to the main control module 130; the virtual media mapping module is used for providing mounting of the virtual media device.
Specifically, the mounting of virtual media devices such as a hard disk, a U disk, an optical disk and the like can be realized at the user terminal through software support.
Referring to fig. 3, the wifi network cryptographic engine further includes a display module 170, and the display module 170 is connected to the main control module 130; the display module 170 is used for displaying the operation state of the WiFi network cryptographic machine and displaying a corresponding error code when the WiFi network cryptographic machine has an error in operation.
The display module 170 integrates a VGA display function and meets basic display requirements that do not need 3D capability, without an add-on graphics card. For example, the running state of the WiFi network cipher machine can be displayed, and when the WiFi network cipher machine runs into an error, a corresponding error code can be displayed to tell the user the cause of the fault, so that the WiFi network cipher machine can be repaired more easily.
Referring to fig. 4, fig. 4 is a diagram illustrating the structure of a WiFi network cipher machine provided in an embodiment of the present application. In the embodiment of the application, a specific WiFi network cipher machine product is constructed on the basis of the WiFi network cipher machine shown in fig. 2, and the whole hardware is composed of 3 kinds of parts: 1 carrier plate, 3 CPU board cards and 1 FPGA board card. The carrier plate carries components such as the CPU board cards, the FPGA board card, PCIe expansion cards, the front panel, the hard disk board and the fans inside the case; it is fixed to the case with screws and connected to the board cards through connectors. The carrier plate mainly comprises a CPU (central processing unit) board interface circuit, an FPGA (field programmable gate array) board interface circuit, a control panel card interface circuit, a BMC (baseboard management controller) circuit, an expansion circuit, a control circuit, a front panel interface circuit, a rear panel interface circuit and the like. In the product structure shown in fig. 4, the main components are FPGA (A), FPGA (B) and FPGA (C), where FPGA (A) and FPGA (B) are connected to FPGA (C) through two 10GBASE-R interfaces, and FPGA (A) is connected to FPGA (B) through 10GBASE-R interfaces. FPGA (A) is connected to CPU (A), FPGA (B) to CPU (B), and FPGA (C) to CPU (C). FPGA (B) is connected to the control panel card through an interface circuit. Each FPGA is connected to a DDR memory. Here, FPGAs (A), (B), and (C) correspond to the first field programmable gate array 111, the second field programmable gate array 112, and the third field programmable gate array 113 in fig. 1, respectively.
The CPUs (a), (B), and (C) correspond to the first, second, and third central processing units 121, 122, and 123 in fig. 1, respectively.
The logic architecture of FPGA (A) is shown in fig. 5. PCIe-ETH communicates with the CPU through a PCIe interface. One of its functions is to implement a standard PCIe network device: with the matching driver it can be mounted as two standard network cards in the host Linux system, corresponding to the data routes to the other two nodes. For example, for host CPU (A), the two network cards of FPGA (A) are ETH_A1 and ETH_A2, where data on ETH_A1 is sent to FPGA (B) and data on ETH_A2 is sent to FPGA (C). Its other function is to offload compute-intensive operations from the host, such as data transfer between host memory and the interior of the FPGA network card, host data movement, and data verification, by means of DMA (direct memory access), thereby improving platform performance.
The RX Checksum Verify and TX Checksum Generator modules implement TCP checksum offload: they generate and verify the TCP checksum in place of software, which effectively reduces the CPU workload. The RX Access Control and TX Access Control modules implement the access control function: they apply a policy that filters IP packets on source and destination IP address, source and destination port, and protocol, increasing the monitoring capability of the network and ensuring its security. The CPU can set a plurality of access control policies and write them into an access control list (ACL). After receiving an IP packet, the access control module extracts the five elements of the packet (source and destination address, source and destination port number, and protocol), matches them against all valid access control statements in the ACL, and discards the packet if it matches none of the statements.
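As an added illustration that is not part of the patent, the following Python models the receive path just described: the TCP checksum is verified first, then the five-tuple is matched against the ACL with the same default-deny rule that claim 4 below specifies. The AclEntry field names, the "None means any" convention, and the sample packets are assumptions constructed for this example.

```python
# Added example (not the patent's code): a software model of the FPGA (A) receive path,
# i.e. RX Checksum Verify followed by five-tuple matching against the ACL (claim 4).
# AclEntry field names and "None means any" are assumptions; packets are constructed.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_TCP = 6

@dataclass(frozen=True)
class AclEntry:
    src_net: Optional[str] = None  # CIDR, None = any
    dst_net: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: Optional[int] = None
    valid: bool = True             # only valid statements take part in matching

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus a segment whose checksum field is zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment)

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, proto, checksum_ok) for one IPv4/TCP packet."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = pkt[12:16], pkt[16:20]
    seg = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    sport, dport, stored = struct.unpack("!HH", seg[:4]) + struct.unpack("!H", seg[16:18])
    ok = proto == PROTO_TCP and tcp_checksum(src, dst, seg[:16] + b"\0\0" + seg[18:]) == stored
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), sport, dport, proto, ok

def acl_match(e: AclEntry, src, dst, sport, dport, proto) -> bool:
    """One ACL statement matches when every field it specifies matches the five-tuple."""
    in_net = lambda a, n: n is None or ipaddress.ip_address(a) in ipaddress.ip_network(n)
    return (e.valid and in_net(src, e.src_net) and in_net(dst, e.dst_net)
            and e.sport in (None, sport) and e.dport in (None, dport) and e.proto in (None, proto))

def rx_filter(acl, pkt: bytes) -> str:
    """Bad checksum -> drop; no valid ACL statement matches -> drop (default deny)."""
    src, dst, sport, dport, proto, ok = parse_ipv4_tcp(pkt)
    if not ok:
        return "drop:checksum"
    if not any(acl_match(e, src, dst, sport, dport, proto) for e in acl):
        return "drop:acl"
    return "forward"

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4/TCP SYN with a correct TCP checksum (IP header checksum left zero)."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0, s, d) + tcp
```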
The Descriptor Generator module receives the DMA descriptors sent by the CPU, converts them into a format accepted by the XDMA, and stores them in an internal queue; each descriptor contains information such as the source/destination addresses and the data length. At the same time it monitors the working state of the XDMA and sends descriptors to the XDMA at the appropriate time, and the XDMA then transfers data between host memory and the interior of the FPGA according to the descriptor.
The 10G Ethernet Subsystem comprises the MAC and the PHY and performs reception and transmission of MAC data frames.
In the embodiment of the present application, the logic architecture of FPGA (B) is shown in fig. 6 and is similar to that of FPGA (A), except that the access control module is replaced with an encryption/decryption module in FPGA (B). The logic architecture of FPGA (C) is shown in fig. 7 and is likewise similar to that of FPGA (A), except that the access control module is replaced with the flow control module in FPGA (C). In the embodiment of the present application, the logic architecture of the 3 CPUs is shown in fig. 8.
Referring to fig. 9, in the embodiment of the present application, the constructed WiFi network cipher machine may be applied to a WiFi wireless encrypted communication system, where the system includes a plurality of user terminals, a WiFi device module, and a WiFi network cipher machine, and each user terminal is equipped with a WiFi encryption network card. The WiFi device module includes a plurality of APs and an AC. The user terminal first connects to the WiFi device module, the WiFi device module connects to the WiFi network cipher machine, and the WiFi network cipher machine connects to the intranet. In this way, the external network where the user terminal is located can exchange data with the internal network through the WiFi network cipher machine.
The AP provides basic wireless access and forwarding for the wireless terminal devices;
the AC is responsible for the general configuration management of the APs, handles the forwarding of user terminal authentication and authorization, forwards network data, and the like;
the WiFi network cipher machine ensures the confidentiality and integrity of data and is responsible for data aggregation, security protocol analysis, access authentication, encryption, decryption, forwarding, flow control and the like for each terminal;
the WiFi encryption network card provides the user with WiFi security access authentication, data encryption protection and the like, ensuring data confidentiality and integrity.
In the embodiment of the application, the WiFi network cipher machine and the WiFi encryption network card are used together in the WiFi wireless encrypted communication system, and different data can be processed differently.
For example, when a user terminal wants to access the intranet, the user terminal must first be authenticated. The terminal's authentication data is encrypted by the WiFi encryption network card, uploaded wirelessly to the AP, carried over the wired link layer to the AC device, and then forwarded to the WiFi network cipher machine; the encryption and decryption unit in the WiFi network cipher machine decrypts the authentication data and sends it to the access control unit, which verifies the terminal's identity information against the decrypted authentication data. After the check is passed, data is returned to the terminal, and the terminal can go online.
After the terminal has accessed the intranet, data sent to the intranet is encrypted by the WiFi encryption network card, uploaded wirelessly to the AP, carried over the wired link layer to the AC device, and then forwarded to the WiFi network cipher machine; the encryption and decryption unit of the WiFi network cipher machine decrypts the data and sends the decrypted data to the intranet. When the intranet sends data to the extranet, the intranet data is encrypted by the encryption and decryption unit of the WiFi network cipher machine, the encrypted intranet data is transmitted to the WiFi encryption network card on the extranet, and the WiFi encryption network card decrypts it, so that the user terminal obtains the decrypted intranet data.
After the user terminal has accessed the intranet and is online, the WiFi network cipher machine can identify the application type of the extranet traffic and then control the traffic of the identified application type according to a preset flow control strategy, so that the user's online behaviour can be managed.
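As an added illustration that is not part of the patent, the following Python models the flow control unit of FPGA (C) described here and in claim 6 below: each packet arrives already tagged with its application type (the third CPU's job), and a preset strategy either blocks that type, rate-limits it with a token bucket, or passes it. The strategy table, its "rate_bps", "burst" and "block" keys, and the token-bucket policing are assumptions made for this example.

```python
# Added example (not the patent's code): a software model of the flow control unit of
# FPGA (C) as described above and in claim 6. The application type of each flow is
# taken as already identified by the CPU; the strategy table, its "rate_bps", "burst"
# and "block" keys and the token-bucket policing are assumptions made for this example.
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate_bps: float  # sustained bytes per second granted to one application type
    burst: float     # bucket depth in bytes (largest burst, and largest single packet)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.burst  # start full

    def allow(self, nbytes: int, now: float) -> bool:
        """Refill for the elapsed time, then admit the packet only if tokens cover it."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class FlowControlUnit:
    """Applies a preset strategy per application type: block, rate-limit, or pass."""

    def __init__(self, strategy: dict) -> None:
        self.strategy = strategy
        # One bucket per rate-limited strategy entry, including the "default" entry.
        self.buckets = {name: TokenBucket(p["rate_bps"], p.get("burst", p["rate_bps"]))
                        for name, p in strategy.items() if "rate_bps" in p}

    def decide(self, app_type: str, nbytes: int, now: float) -> str:
        """Return the verdict for one packet of the given application type."""
        name = app_type if app_type in self.strategy else "default"
        policy = self.strategy.get(name, {})
        if policy.get("block"):
            return "drop:blocked"   # e.g. traffic to a prohibited site
        bucket = self.buckets.get(name)
        if bucket is not None and not bucket.allow(nbytes, now):
            return "drop:rate"      # over the rate granted to this application type
        return "forward"            # within its budget, or an unlimited main-service type
```

A packet larger than the bucket depth can never be admitted, so the "burst" value must be at least the MTU of the link being policed.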
The WiFi network cipher machine provided by the embodiment of the application has an access authentication function, so that only terminal users permitted to access can reach the intranet; it has encryption and decryption functions, so that the data exchanged between the external and internal networks can be encrypted and decrypted and is protected from being damaged, altered or leaked by accidental or malicious attacks during transmission; and it has a flow control function, so that when a terminal goes online the corresponding traffic can be regulated by application type, the traffic of the main business applications can be guaranteed, the traffic can be blocked when the terminal opens an illegal website, and the security of the network is further enhanced.
The preferred embodiments of the present application have been described above with reference to the accompanying drawings, and the scope of the claims of the embodiments of the present application is not limited thereby. Any modifications, equivalents and improvements that may occur to those skilled in the art without departing from the scope and spirit of the embodiments of the present application are intended to be within the scope of the claims of the embodiments of the present application.
Claims (10)
1. A WiFi network cipher machine is used for processing data of an outer network and an inner network, and is characterized by comprising the following components:
the field programmable gate array module comprises a first field programmable gate array, a second field programmable gate array and a third field programmable gate array;
the first field programmable gate array is used for carrying out access control on accessed extranet data;
the second field programmable gate array is used for encrypting and decrypting the interactive data of the outer network and the inner network according to a cryptographic algorithm;
the third field programmable gate array is used for controlling the application traffic of the external network according to a traffic control strategy;
and the central processor module is connected with the field programmable gate array module and is used for assisting the field programmable gate array module in carrying out data access control, encryption and decryption processing and flow control.
2. The WiFi network cryptographic engine of claim 1, characterized by:
the first field programmable logic gate array and the second field programmable logic gate array are both connected with the third field programmable logic gate array;
the second field programmable logic gate array is connected with the third field programmable logic gate array.
3. The WiFi network cryptographic machine of claim 2, wherein:
the central processor module comprises a first central processor, a second central processor and a third central processor;
the first central processing unit is connected with the first field programmable gate array;
the second central processing unit is connected with the second field programmable gate array;
and the third central processing unit is connected with the third field programmable gate array.
4. The WiFi network cryptographic engine of claim 3, characterized by:
the first central processing unit is used for setting an access control strategy and writing the access control strategy into an access control list;
the first field programmable gate array comprises an access control unit, wherein the access control unit is used for extracting quintuple data in access request data and matching the quintuple data according to the access control list so as to perform access control on accessed external network data.
5. The WiFi network cryptographic machine of claim 3, wherein:
the second field programmable gate array comprises an encryption and decryption unit, and the encryption and decryption unit is used for encrypting and decrypting interactive data of an outer network and an inner network according to a cryptographic algorithm;
and the second central processing unit is used for transmitting the intranet data to the encryption and decryption unit for encryption processing and transmitting the extranet data decrypted by the encryption and decryption unit to the intranet.
6. The WiFi network cryptographic machine of claim 3, wherein:
the third central processing unit is used for identifying the external network data flow and acquiring the application type used by the external network flow according to the identification result;
the third field programmable gate array comprises a flow control unit, and the flow control unit is used for controlling the application flow of the external network according to the application type used by the external network flow and a flow control strategy.
7. The WiFi network cryptographic machine of claim 1, wherein the WiFi network cryptographic machine further comprises a main control module and a fan module, the field programmable gate array module, the central processor module and the fan module are all connected to the main control module, and the main control module is configured to perform the following operations:
controlling the field programmable gate array module to execute access control, encryption and decryption processing and flow control;
the central processor module is controlled to execute the functions of assisting the field programmable gate array module to carry out data access control, encryption and decryption processing and flow management and control;
and acquiring the temperature of the WiFi network cryptographic machine, and controlling the rotating speed of the fan module according to the temperature of the WiFi network cryptographic machine.
8. The WiFi network cryptographic machine of claim 7, further comprising a switch-on/off control module, the switch-on/off control module being connected to the main control module;
the switch-on/off control module is used for acquiring the on/off state of the WiFi network cryptographic machine and remotely controlling the start-up, shutdown and reset operations of the WiFi network cryptographic machine via the network port.
9. The WiFi network cryptographic machine of claim 7, wherein the WiFi network cryptographic machine further comprises a virtual media mapping module, the virtual media mapping module is connected with the main control module;
the virtual media mapping module is used for providing mounting of the virtual media device.
10. The WiFi network cryptographic machine of claim 7, wherein the WiFi network cryptographic machine further comprises a display module, the display module is connected with the main control module;
the display module is used for displaying the running state of the WiFi network cryptographic machine and displaying a corresponding error code when the WiFi network cryptographic machine encounters an error during operation.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211201205.7A CN115567928A (en) | 2022-09-29 | 2022-09-29 | WiFi network cipher machine |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211201205.7A CN115567928A (en) | 2022-09-29 | 2022-09-29 | WiFi network cipher machine |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115567928A true CN115567928A (en) | 2023-01-03 |
Family
ID=84742201
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211201205.7A Pending CN115567928A (en) | 2022-09-29 | 2022-09-29 | WiFi network cipher machine |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115567928A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |