A method and device for reducing dtls decryption delay

Abstract

The invention discloses a method and an apparatus for reducing DTLS decryption time delay. The method includes: decryption operation of a DTLS encryption ciphertext is performed, and complementary fields of a plaintext after decryption is obtained; authentication operation of the DTLS encryption ciphertext is performed during decryption operation, and a plurality of HMAC values are obtained via calculation; a local HMAC value is selected form the plurality of HMAC values according to the decrypted complementary fields; and the local HMAC value is compared with an HMAC field carried in the message, and if the HMAC value is equal to the HMAC field, the decryption is successful. According to the method and the apparatus, on one hand, the processing time of DTLS decryption is reduced, and the processing bandwidth of the CAPWAP ciphertext by the chip is increased; on the other hand, the chip storage area is reduced, and the chip cost is reduced.

Description

technical field [0001] The invention relates to a DTLS decryption technology, in particular to a method and device for reducing the time delay of DTLS decryption. Background technique [0002] According to the description of the tunnel protocol rfc5415 between the wireless access point (AP) and the wireless controller (AC), in order to prevent the data between the AP and the AC from being eavesdropped, CAPWAP (Control And Provisioning of Wireless AccessPoints, the control of wireless access points and configuration) uses DTLS (Datagram Transport Layer Security, data packet transport layer security protocol) to encrypt and decrypt its data packets to ensure network security communication. rfc5415 also stipulates the encryption and decryption algorithm TLS_RSA_WITH_AES_128_CBC_SHA that DTLS must support when encrypting CAPWAP messages. The meaning of this algorithm is: the RSA asymmetric encryption and decryption algorithm is used in the handshake phase of the DTLS protocol, a...

AI Technical Summary

Problems solved by technology

[0005] The existing decryption and authentication process is a serial operation. It is necessary to wait for the entire ciphertext to be decrypted by the AES algorithm before the field can be filled, thereby updating the DTLS header, and then the SHA algorithm authentication process can be performed. The disadvantages of this operation are: It will generate a large decryption delay, which will affect the processing bandwidth of the chip for DTLS ciphertext; and since the authentication process can only be performed after the decryption is completed, it is necessary to increase the memory in the decryption engine to save the entire message, otherwise the authentication will be performed The data will be lost, which will consume a certain amount of memory, and the longer the CAPWAP message, the larger the memory that needs to be reserved, and the greater the cost of the chip

Or the existing DTLS encryption and decryption process is completely completed by the CPU, which is not supported at the chip level. This method will increase the load on the CPU, and its processing speed will be limited by the processing capacity of the CPU, which cannot meet the 100G line-speed processing capacity of the switch.

Images