An FPGA-based ultra-high-speed network security transmission method and system
By using an FPGA-based network security transmission system, the requirements for high bandwidth, low latency, and high security in ultra-high-speed network environments were addressed. The system achieved transparent access with gatekeeper-style encryption and decryption and out-of-order reordering, ensuring the real-time performance and integrity of data transmission.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING INST OF COMP TECH & APPL
- Filing Date
- 2025-08-21
- Publication Date
- 2026-07-07
AI Technical Summary
Existing technologies cannot meet the requirements of high bandwidth, low latency, and high security in ultra-high-speed network environments. Traditional data security transmission systems suffer from poor computing performance, unstable latency, and disordered message timing.
Design an FPGA-based ultra-high-speed network security transmission system, including a network interface module, a cryptographic processing module, and a configuration management module. Utilizing the flexible programmable circuitry and powerful parallel processing capabilities of the FPGA, it provides transparent access, gatekeeper-style encryption/decryption, and out-of-order reordering services. The network interface module enables ultra-high-speed network packet transmission and reception and protocol parsing. The cryptographic processing module provides parallel processing of multiple algorithm units, and the configuration management module implements runtime parameter configuration and audit log management.
It achieves ultra-high-speed network data transmission with high bandwidth, low latency, and high security, solving the problems of poor performance, low bandwidth, and unstable latency in cryptographic operations in traditional systems, and ensuring the real-time, confidentiality, and integrity of data transmission.
Smart Images

Figure CN121151005B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of network security communication technology, and specifically relates to an ultra-high-speed network security transmission method and system based on FPGA. Background Technology
[0002] In the era of the Internet of Everything, with the rapid popularization of emerging businesses such as cloud computing and data centers, the amount of data is growing explosively. These new business models concentrate computing and processing in high-performance data centers. Data transmission systems with high bandwidth, low latency, high security, and high reliability, represented by data center interconnection, are currently a research hotspot.
[0003] This type of data transmission system needs to be able to transparently access existing network systems and provide gatekeeper-style secure data transmission capabilities. Its implementation requires overcoming technical challenges in two areas:
[0004] First, in the field of high-speed communication, breakthroughs are needed in ultra-high-speed Ethernet access technologies such as 40G and 100G to meet the high bandwidth and low latency requirements of the system. This requires the system to provide ultra-high-speed network interfaces such as 40G and 100G externally, and high-bandwidth data paths and efficient network packet processing capabilities internally. Computing platforms based on general-purpose network cards cannot meet the requirements of ultra-high-speed network environments and have become a bottleneck in network access performance.
[0005] Second, in the field of cryptography, we need to overcome the challenges of ultra-high-speed data security transmission technology to meet the high security and reliability requirements of the system. Traditional data security transmission systems are usually implemented in software, which suffers from poor computing performance, unstable computing latency, and disruption of message timing. Even current high-performance cryptographic chips cannot achieve a data encryption and decryption speed of 100Gbps, which is insufficient to meet the requirements of ultra-high-speed network message encryption and decryption. Summary of the Invention
[0006] (a) Technical problems to be solved
[0007] The technical problem to be solved by this invention is: how to design an ultra-high-speed network security transmission method and system to meet the gatekeeper-style ultra-high-speed network data security transmission requirements between two network domains.
[0008] (II) Technical Solution
[0009] To address the aforementioned technical problems, this invention provides an FPGA-based ultra-high-speed network security transmission system, comprising a network interface module, a cryptographic processing module, and a configuration management module.
[0010] The network interface module provides services for sending and receiving ultra-high-speed network packets, parsing and reassembling protocols, and checking packet compliance. Specifically, it includes a network packet access submodule, a network packet output submodule, a protocol parsing submodule, and a protocol encapsulation submodule. The network packet access and output submodules are the system's external network interfaces, conforming to the IEEE 802.3 standard, and are used to implement PCS, PMA, and MAC functions for network packets at the physical and data link layers. The protocol parsing submodule is used to implement the parsing of data from the network packet access submodule. The input network packets are parsed. The parsing process varies depending on the type of plaintext and ciphertext. For plaintext, the Layer 2 header is parsed and the packet's validity is checked. For ciphertext, the ciphertext header is parsed, fragmented packets exceeding the maximum transmission unit (MTU) are reassembled, and their validity is checked. The protocol encapsulation submodule encapsulates the encrypted ciphertext packets with ciphertext headers and performs fragmentation on packets exceeding the MTU. The encapsulated network packets are then sent to the network packet output submodule to complete the transmission of the network packets.
[0011] The cryptographic processing module provides gatekeeper-style encryption / decryption and reordering services for network packets. Specifically, it includes a data encryption submodule, a data decryption submodule, an algorithm scheduling submodule, and a packet order preservation submodule. The data encryption submodule encapsulates data encryption algorithm units and configures encryption modes. Using the current working key, it provides gatekeeper-style encryption services to the input plaintext packets and can also bundle multiple data encryption algorithm units into an encryption algorithm cluster. Similarly, the data decryption submodule encapsulates data decryption algorithm units and configures decryption modes. Using the current working key, it provides decryption services to the input ciphertext packets and can also bundle multiple data decryption algorithm units into a decryption cluster. The system includes: an encryption algorithm cluster; an algorithm scheduling submodule, which monitors the working status of the data encryption or decryption submodule and allocates appropriate data encryption or decryption algorithm units to the network packets to be processed; and a packet ordering submodule, which adds a digital tag to the network packets to be input to the data encryption or decryption submodule to identify the position of the data fragments in the data stream. It rearranges out-of-order packets output from the data encryption or decryption submodule based on the digital tag to ensure that packet fragments are not out of order due to concurrent processing by multiple data encryption or decryption algorithm units of the data encryption or decryption submodule.
[0012] The configuration management module is used to configure the operating parameters of the network interface module and the password processing module through the management bus, and serves as a unified management interface for audit logs.
[0013] Preferably, the cryptographic processing module further includes a key generation submodule, which is used to generate working keys for data encryption and decryption according to the key negotiation specification, and configure the effective time and validity period. After the working key is generated, the data encryption submodule or the data decryption submodule can start to provide network security transmission services.
[0014] Preferably, the cryptographic processing module further includes an algorithm unit self-test submodule, which, after inputting the test data and encryption / decryption operation type preset by the configuration management module, performs encryption / decryption operations on the test data, returns the output ciphertext / plaintext to the configuration management module, and compares it with known results to verify whether the current encryption mode and working key of the data encryption submodule are correct, and whether the current decryption mode and working key of the data decryption submodule are correct. After verification that both are correct, the data encryption submodule or the data decryption submodule can start providing network security transmission services.
[0015] Preferably, the cryptographic processing module further includes an algorithm status reporting submodule, which is used to: automatically generate alarm information and report it to the configuration management module if the encryption mode or working key of the verification data encryption submodule is incorrect, or the decryption mode or working key of the data decryption submodule is incorrect, or the number of incomplete or invalid messages received within a certain period of time reaches the alarm reporting threshold set by the configuration management module, or the number of network messages that fail to decrypt within a certain period of time reaches the alarm threshold set by the configuration management module.
[0016] Preferably, the configuration management module includes a configuration management submodule and a log management submodule. The configuration management submodule is used to generate operation events, and the log management submodule is used to receive alarm information reported by the algorithm status reporting submodule, record the operation events generated by the configuration management submodule, classify the operation events according to their severity level, and convert them into log information.
[0017] Preferably, the network interface module further includes a Layer 2 network forwarding submodule. For systems with multiple network physical ports, this Layer 2 network forwarding submodule supports self-learning of the MAC information of each network physical port and configures the VLAN division of each network physical port online through the configuration management module, so as to be suitable for application scenarios where multiple network interface devices perform Layer 2 network switching. The network interface module also includes a network interface rate adaptive submodule, which is used to obtain the connection rate of the current communication link by reading the optical module information of the access system, and automatically modify the encoding and transmission mode of the interface data of this system to adapt to the communication requirements of links with different rates.
[0018] Preferably, it is assumed that there are N schedulable data encryption / decryption algorithm units in the data encryption / decryption submodule, and the maximum data packet length that each data encryption / decryption algorithm unit can process at one time is MPU; each data encryption / decryption algorithm unit has a data buffer of length L, which is used to construct a network packet input queue. Each data encryption / decryption algorithm unit can process one network packet at the same time and store the next network packet. The length L of the data buffer is 2*MPU; each data buffer is configured with a "full" signal identifier PROG_FULL. The signal identifier PROG_FULL is set to 1 when the remaining space in the data buffer is less than MPU, and set to 0 when the remaining space is greater than MPU, so as to ensure that when PROG_FULL is 0, the data buffer can receive one network packet to be input; the signal identifiers PROG_FULL of the N data encryption / decryption submodules form a circular shift register CIR_PROG_FULL with a width of N bits. Each bit in the circular shift register CIR_PROG_FULL indicates the idle status of its corresponding data buffer.
[0019] Preferably, the workflow of the algorithm scheduling submodule includes two steps: a retrieval operation and a shift operation. After the system receives a network packet to be encrypted / decrypted, the algorithm scheduling submodule obtains the idle state of each data encryption / decryption algorithm unit in the current data encryption submodule or data decryption submodule, i.e., the value of the circular shift register CIR_PROG_FULL. After determining the scheduling starting point, the algorithm scheduling submodule starts the retrieval operation. Assuming that the scheduling starting point of the algorithm scheduling submodule is data buffer A at this time, if the value of bit 0 is 1, it indicates that data buffer A cannot receive the network packet to be input, and then the process continues to judge the circular shift register CIR_PROG_FULL sequentially from low bits to high bits. The values of each bit in the circular shift register CIR_PROG_FULL are used to sequentially check the idle status of other data buffers until the position where the least significant bit in the circular shift register CIR_PROG_FULL is 0 is found, and the data buffer it points to is identified. Assuming the current scheduling result is data buffer C, the data packet is sent to the data encryption / decryption algorithm unit corresponding to data buffer C for cryptographic processing. The shift operation is performed after the retrieval operation. After the retrieval operation is completed, the circular shift register CIR_PROG_FULL is shifted 1 bit in the low bit direction, meaning the starting point for the next scheduling will be data buffer B.
[0020] This invention also provides an ultra-high-speed network security transmission method based on the system described above. Assuming that encrypted data transmission communication is required between network domain A and network domain B, the method includes the following data encryption process:
[0021] Step 1: Deploy system a at the boundary of network domain A and system b at the boundary of network domain B; connect the communication link between system a and system b.
[0022] Step 2: Using the human-computer interaction device, input the parameters required for system operation into the configuration management modules of System a and System b respectively. The configuration management modules of System a and System b will then send the received system configuration data to the network interface module and password processing module of this system.
[0023] Step 3: After receiving the information that the network interface module and password processing module have been correctly configured, the configuration management modules of system a and system b configure the connection status of the corresponding network interface to be enabled, and the corresponding system enters the working state.
[0024] Step four: The network interface module of system a receives the Ethernet plaintext message and verifies its integrity; it parses the header of the Ethernet plaintext message and verifies its legality; if it is a complete and legal data message, it forwards the message to the cryptographic processing module of system a; if the data message is incomplete or invalid, it is discarded.
[0025] Step 5: The algorithm scheduling submodule of the password processing module of system a receives the Ethernet data packet to be encrypted and temporarily stores it in the data buffer area; the algorithm scheduling submodule polls the status information of each data encryption submodule, calculates and finds the currently idle data encryption submodule, and adds an incrementing order-preserving tag to the Ethernet data packet;
[0026] Step 6: After receiving the Ethernet data packet, the idle data encryption submodule temporarily stores it in the input buffer, calls the cryptographic algorithm supported by this system and the algorithm parameters issued by the configuration management module to encrypt the packet, and temporarily stores the encrypted ciphertext data packet in the output buffer of the data encryption submodule.
[0027] Step 7: The message ordering submodule polls the status information of the output buffer of each data encryption submodule, extracts the ordering tags of the temporarily stored messages in each output buffer from the status information, reads the ciphertext data messages temporarily stored in each output buffer in ascending order, and sends the ciphertext data messages to the network interface module. After encapsulation according to the ciphertext transmission protocol, the ciphertext data messages are sent to system b, completing the data encryption transmission process.
[0028] This invention also provides an ultra-high-speed network security transmission method based on the aforementioned system. Assuming that encrypted data transmission communication is required between network domain A and network domain B, the method includes the following data decryption process:
[0029] Step 1: Deploy system a at the boundary of network domain A and system B at the boundary of network domain B; connect the communication link between system a and system b.
[0030] Step 2: Input the system operation parameters into the configuration management modules of System a and System b respectively through the human-computer interaction device. The configuration management modules of System a and System b will then send the received system configuration data to the network interface module and password processing module of this system.
[0031] Step 3: After receiving the information that the network interface module and password processing module of this system have been correctly configured, the configuration management modules of system a and system b configure the connection status of the corresponding network interface to be enabled, and the corresponding system enters the working state.
[0032] Step four: The network interface module of system b receives the encrypted data packet and verifies its integrity; it parses the encrypted transmission protocol header to verify the packet's legitimacy; if it is a complete and valid data packet, it forwards the packet to the cryptographic processing module of system b; if the data packet is incomplete or invalid, it is discarded.
[0033] Furthermore, if it is determined that the received ciphertext data packet is a fragmented packet, the ciphertext data is reassembled.
[0034] Step 5: The algorithm scheduling submodule of the password processing module of system b receives the ciphertext data packet to be decrypted and temporarily stores it in the data buffer area; the algorithm scheduling submodule polls to receive the status information of each data decryption submodule, calculates and finds the currently idle data decryption submodule, and adds an incrementing order-preserving tag to the ciphertext data packet;
[0035] Step 6: After receiving the ciphertext data packet, the idle data decryption submodule temporarily stores the data packet in the input buffer, calls the cryptographic algorithm supported by this system and the algorithm parameters issued by the configuration management module to decrypt the message, and the decrypted plaintext data packet is temporarily stored in the output buffer of the data decryption submodule.
[0036] Step 7: The message ordering submodule polls the status information of the output buffer of each data decryption submodule, extracts the ordering tags of the temporarily stored messages in each output buffer from the status information, reads the plaintext data messages temporarily stored in each output buffer in ascending order, and sends the plaintext data messages to the network interface module, encapsulates and restores them into the original Ethernet data messages, and then sends them to system a in network domain A to complete the data decryption and transmission process.
[0037] (III) Beneficial Effects
[0038] This invention, based on a hardware parallelizable architecture, provides a gatekeeper-style ultra-high-speed encrypted transmission system for transparent access between different systems. It mainly consists of a network interface module, a cryptographic processing module, and a configuration management module. The network interface module provides ultra-high-speed network packet transmission and reception, protocol parsing and reassembly, and packet compliance checks. The cryptographic processing module fully utilizes the parallel processing capabilities of the system's multiple algorithm units to provide gatekeeper-style encryption / decryption and out-of-order reordering services for network packets. The configuration management module, through a management bus, enables unified management of the configuration of operating parameters and audit logs for the network interface module and cryptographic processing module. This invention solves the problems of poor performance, low bandwidth, unstable cryptographic computation latency, and out-of-order packets inherent in traditional secure transmission equipment, as well as the issues of real-time performance, confidentiality, and integrity in ultra-high-speed data transmission between two network domains. Attached Figure Description
[0039] Figure 1 This invention provides an architecture diagram of an ultra-high-speed secure transmission system;
[0040] Figure 2 A schematic diagram of the data buffer design for the algorithm scheduling submodule provided by this invention;
[0041] Figure 3 The flowchart of the algorithm scheduling submodule provided by this invention;
[0042] Figure 4 This invention provides a schematic diagram of the deployment of an ultra-high-speed secure transmission system;
[0043] Figure 5 This is a flowchart of the data encryption process of the present invention;
[0044] Figure 6 This is a flowchart of the data decryption process of the present invention. Detailed Implementation
[0045] To make the objectives, contents, and advantages of the present invention clearer, the specific embodiments of the present invention will be described in further detail below with reference to the accompanying drawings and examples.
[0046] This invention addresses the problems of poor processing performance, low bandwidth, unstable cryptographic operation latency, and message timing in existing secure transmission systems. It proposes an FPGA-based ultra-high-speed network security transmission system that provides gatekeeper-style (meaning connecting devices in series between terminals) ultra-high-speed network security transmission capability for transparent access between two network domains, solving the problems of real-time performance, confidentiality, and integrity of ultra-high-speed data transmission between two network domains (such as intercity networks, data centers, etc.).
[0047] This invention proposes an FPGA-based ultra-high-speed secure transmission system that meets the requirements of high bandwidth, low latency, high security, and high reliability for data transmission between ultra-high-speed network systems. FPGAs, with their flexible programmable circuits, powerful parallel processing capabilities, low latency, and high reliability, are widely favored in various information fields. Currently, large-scale FPGAs contain a large number of logic units and interconnect resources, allowing developers to implement complex algorithms through hardware circuits, greatly improving algorithm processing efficiency. Simultaneously, FPGAs support multi-channel concurrent multi-stage pipelined processing, further improving data processing performance while achieving extremely low processing latency. Furthermore, algorithms implemented based on FPGA logic circuits are difficult to tamper with or bypass, exhibiting high security and reliability.
[0048] refer to Figure 1 The system includes the following modules: a network interface module, a password processing module, and a configuration management module.
[0049] The network interface module provides services such as sending and receiving ultra-high-speed network packets, protocol parsing and reassembly, and packet compliance checks. Specifically, it includes: a network packet access submodule, a network packet output submodule, a protocol parsing submodule, and a protocol encapsulation submodule. The network packet access submodule and network packet output submodule serve as the system's external network interfaces, conforming to the IEEE 802.3 standard. They are used to implement PCS, PMA, and MAC functions for network packets at the physical and data link layers. The protocol parsing submodule, deployed after the network packet access submodule, parses network packets input from it. The parsing process varies depending on the plaintext or ciphertext type of the network packet. For plaintext, it parses the Layer 2 header and checks the packet's validity; for ciphertext, it parses the ciphertext header, reassembles fragmented packets exceeding the maximum transmission unit (MTU), and checks the packet's validity. The protocol encapsulation submodule, deployed before the network packet output submodule, encapsulates ciphertext headers into encrypted ciphertext packets and fragments packets exceeding the MTU. The encapsulated network packets are then sent to the network packet output submodule to complete the network packet transmission.
[0050] Optionally, the network interface module further includes a Layer 2 network forwarding submodule. For systems with multiple network physical ports, this Layer 2 network forwarding submodule is integrated inside the network interface module. It supports self-learning of MAC information of each network physical port and can also configure VLAN division of each network physical port online through the configuration management module, so as to be suitable for application scenarios where multiple network interface devices perform Layer 2 network switching.
[0051] Optionally, the network interface module further includes a network interface rate adaptive submodule, which is integrated inside the network interface module. By reading the optical module information of the access system, the current connection rate of the communication link is obtained, and the encoding and transmission method of the interface data of this system are automatically modified to adapt to the communication requirements of different link rates. Currently, it supports the adaptation of multiple interface rates such as 25Gbps, 40Gbps, 50Gbps, and 100Gbps.
[0052] The cryptographic processing module fully utilizes the parallel processing capabilities of the system's multiple algorithm units to provide gatekeeper-style encryption / decryption and out-of-order reordering services for network packets. Specifically, it includes a data encryption submodule, a data decryption submodule, an algorithm scheduling submodule, and a packet order preservation submodule. The data encryption submodule encapsulates data encryption algorithm units and configures encryption modes. Using the current working key, it provides gatekeeper-style encryption services for input plaintext packets. Furthermore, if using a large-scale FPGA, the data encryption submodule supports bundling multiple data encryption algorithm units into an encryption algorithm cluster, designing a multi-level pipeline operation mode to improve the overall encryption performance of the system. The data decryption submodule encapsulates data decryption algorithm units and configures decryption modes. Using the current working key, it provides decryption services for input ciphertext packets. Similarly, if using a large-scale FPGA, the data decryption submodule supports bundling multiple data decryption algorithm units into a decryption algorithm cluster, designing a multi-level pipeline operation mode to improve the overall decryption performance of the device. The algorithm scheduling submodule is deployed between the data encryption submodule and the data decryption submodule. The first part monitors the working status of the data encryption submodule or data decryption submodule and allocates appropriate data encryption algorithm units or data decryption algorithm units to the network packets to be processed, so as to make full use of the processing resources of the data encryption submodule or data decryption submodule, realize the load balancing of the processing tasks of multiple algorithm units, and reduce the processing latency of network packets. The second part adds a digital tag to the network packets to be input to the data encryption submodule or data decryption submodule to identify the position of the data fragment in the data stream. The third part rearranges the out-of-order packets output from the data encryption submodule or data decryption submodule according to the digital tag, ensuring that the packet fragments are not out of order due to the concurrent processing of multiple data encryption algorithm units of the data encryption submodule or multiple data decryption algorithm units of the data decryption submodule.
[0053] Optionally, the cryptographic processing module further includes a key generation submodule, which is deployed before the data encryption submodule or the data decryption submodule. This key generation submodule is used to generate working keys for data encryption and decryption according to the key negotiation specification, and configure the effective time and validity period. After the working keys are generated, the data encryption submodule or the data decryption submodule can start providing network security transmission services.
[0054] Optionally, the cryptographic processing module further includes an algorithm unit self-test submodule. This algorithm unit self-test submodule is deployed before the data encryption submodule or the data decryption submodule. It takes the test data and encryption / decryption operation type preset by the configuration management module as input, performs encryption / decryption operations on them, and returns the output ciphertext / plaintext to the configuration management module. It compares the output with known results to verify whether the current encryption mode and working key of the data encryption submodule are correct, and whether the current decryption mode and working key of the data decryption submodule are correct. After verifying that the working status of the algorithm unit is correct (the encryption mode and working key of the data encryption submodule are both correct, and the decryption mode and working key of the data decryption submodule are both correct), the data encryption submodule or the data decryption submodule can start providing network security transmission services.
[0055] Optionally, the cryptographic processing module further includes an algorithm status reporting submodule, which is used to: automatically generate alarm information and report it to the configuration management module if the algorithm unit self-test submodule verifies that the working status of the algorithm unit is incorrect (the encryption mode or working key of the data encryption submodule is incorrect, or the decryption mode or working key of the data decryption submodule is incorrect), or the number of incomplete or invalid messages received within a certain period of time reaches the alarm reporting threshold set by the configuration management module, or the number of network messages that fail to decrypt within a certain period of time reaches the alarm threshold set by the configuration management module.
[0056] The configuration management module configures the operating parameters of the network interface module and the password processing module through the management bus, and serves as a unified management interface for audit logs.
[0057] Optionally, the configuration management module includes a configuration management submodule and a log management submodule. The configuration management submodule is responsible for generating operation events, and the log management submodule can receive alarm information reported by the algorithm status reporting submodule, as well as record the operation events generated by the configuration management submodule, classify them according to their severity level and convert them into log information, so as to provide evidence support for the traceability analysis of security events and the auditing of user information.
[0058] The key technology of this invention is the design of a cryptographic processing module based on a hardware parallel architecture, especially the design of an algorithm scheduling submodule. The difficulty lies in how to find the encryption algorithm unit that the current data encryption submodule can input network packets or the decryption algorithm unit that the data decryption submodule can input network packets with the highest efficiency, optimal timing and minimum hardware overhead.
[0059] refer to Figure 2Assuming the data encryption / decryption submodule has N schedulable data encryption / decryption algorithm units, and each data encryption / decryption algorithm unit can process a maximum data packet length of MPU at a time, due to the latency in data encryption / decryption operations performed by the data encryption / decryption algorithm units on network packets, the system designs a data buffer of length L for each data encryption / decryption algorithm unit, using this data buffer to construct a network packet input queue. To minimize hardware overhead, the length L of the data buffer should be as small as possible. This system adopts a "processing + storage" design, meaning each data encryption / decryption algorithm unit can process one network packet simultaneously and store the next network packet. Therefore, the length L of the data buffer in this system is 2 * MPU. Meanwhile, to minimize hardware overhead, the algorithm unit working status signals provided to the algorithm scheduling submodule should be as concise as possible. This system configures a "full" signal identifier PROG_FULL for each data buffer. The signal identifier PROG_FULL is set to 1 when the remaining space in the data buffer is less than the MPU and set to 0 when the remaining space is greater than the MPU, so as to ensure that when PROG_FULL is 0, the data buffer can receive a network packet to be input.
[0060] To achieve optimal timing, the data encryption / decryption submodule should provide as few signal identifiers as possible to indicate the idle state of the algorithm unit. This invention uses the signal identifiers PROG_FULL from N data encryption / decryption submodules to form a circular shift register CIR_PROG_FULL with a width of N bits. Each bit in the circular shift register CIR_PROG_FULL indicates the idle state of its corresponding data buffer.
[0061] refer to Figure 3To achieve maximum efficiency, the algorithm scheduling submodule should complete the retrieval of idle algorithm units within the fewest possible clock cycles. The workflow of the algorithm scheduling submodule includes two steps: retrieval and shifting. After the system receives a network packet to be encrypted / decrypted, the algorithm scheduling submodule obtains the idle status of each data encryption / decryption algorithm unit in the current data encryption or decryption submodule, i.e., the value of the circular shift register CIR_PROG_FULL. After determining the scheduling starting point, the algorithm scheduling submodule begins the retrieval operation. Assuming that the scheduling starting point of the algorithm scheduling submodule is data buffer A at this time, if the value of bit 0 is 1, it indicates that data buffer A cannot receive the network packet to be input. Then, it continues to check the value of each bit in the circular shift register CIR_PROG_FULL from low bits to high bits, i.e., check the idle status of other data buffers B, C, etc., until the position where the lowest bit of the circular shift register CIR_PROG_FULL is 0 and the data buffer it points to is found. Assuming the current scheduling result is data buffer C, the data packet will be sent to the corresponding data encryption / decryption algorithm unit for cryptographic processing. The shift operation is performed after the retrieval operation. After the retrieval operation is completed, the circular shift register CIR_PROG_FULL is shifted 1 bit towards the lower bit direction, meaning the next scheduling starting point will be data buffer B. The algorithm scheduling submodule can complete both the retrieval and shift operations within one system clock cycle, ensuring the efficient operation of the cryptographic processing module.
[0062] As can be seen, this invention provides a gatekeeper-style ultra-high-speed secure transmission system capable of transparently accessing two network domains, mainly composed of a network interface module, a cryptographic processing module, and a configuration management module. The network interface module provides services such as sending and receiving ultra-high-speed network packets, protocol parsing and reassembly, and packet compliance checks. The cryptographic processing module fully utilizes the parallel processing capabilities of the system's multiple algorithm units to provide gatekeeper-style secure transmission and out-of-order reordering services for network packets, ensuring that the internal data order of packets remains unchanged after parallel processing by multiple computational units. The configuration management module, through a management bus, enables unified management of the configuration of operating parameters and audit logs for the network interface module and cryptographic processing module.
[0063] This invention is based on hardware logic circuits and supports ultra-high-speed network bandwidth for internal communication. It solves the problems of poor performance, low bandwidth, unstable cryptographic operation latency, and chaotic message timing that exist in traditional network security transmission equipment. It can meet the real-time, confidentiality, and integrity requirements of ultra-high-speed data transmission between two network domains (such as intercity networks, data centers, etc.).
[0064] This invention provides an FPGA-based ultra-high-speed secure transmission system that enables gatekeeper-style encrypted data transmission communication between two network domains.
[0065] refer to Figure 1 This is a diagram illustrating an ultra-high-speed network security transmission system architecture provided by an embodiment of the present invention. In this embodiment, reference is made to... Figure 4 Suppose that encrypted data transmission and communication are required between network domain A and network domain B. This system is deployed at the boundary of the two network domains, namely system a and system b.
[0066] If network domain A sends data to network domain B, system a encrypts the Ethernet packet sent by network domain A, and system b decrypts the received encrypted data packet. After decryption and restoration to the original Ethernet packet, it is then sent to the information processing device in network domain B.
[0067] refer to Figure 5 The data encryption process of the ultra-high-speed network security transmission system specifically includes the following steps:
[0068] Step 1: Deploy system a at the boundary of network domain A and system b at the boundary of network domain B; connect the communication link between system a and system b.
[0069] Step 2: Using the human-computer interaction device, input the parameters required for system operation, such as algorithm parameters, into the configuration management modules of System A and System B respectively. The configuration management modules of System A and System B will then send the received system configuration data to the network interface module and password processing module of this system.
[0070] Step 3: After receiving the information that the network interface module and password processing module have been correctly configured, the configuration management modules of system a and system b configure the connection status of the corresponding network interface to be enabled, and the corresponding system enters the working state.
[0071] Step four: The network interface module of system a receives the Ethernet plaintext message and verifies its integrity; it parses the header of the Ethernet plaintext message to verify its validity. If it is a complete and valid data message, it forwards the message to the cryptographic processing module of system a; if the data message is incomplete or invalid, it is discarded.
[0072] Step 5: The algorithm scheduling submodule of the password processing module of system a receives the Ethernet data packet to be encrypted and temporarily stores it in the data buffer area; the algorithm scheduling submodule polls the status information of each data encryption submodule, calculates and finds the currently idle data encryption submodule, and adds an incrementing order-preserving tag to the Ethernet data packet.
[0073] Step six: After receiving the Ethernet data packet, the idle data encryption submodule temporarily stores it in the input buffer, calls the cryptographic algorithm supported by the system and the algorithm parameters issued by the configuration management module to encrypt the packet, and temporarily stores the encrypted ciphertext data packet in the output buffer of the data encryption submodule.
[0074] Step 7: The message ordering submodule polls the status information of the output buffer of each data encryption submodule, extracts the ordering tags (digital tags) of the temporarily stored messages in each output buffer from the status information, reads the ciphertext data messages temporarily stored in each output buffer in ascending order, and sends the ciphertext data messages to the network interface module. After encapsulation according to the ciphertext transmission protocol, the ciphertext data messages are sent to system b, completing the data encryption transmission process.
[0075] In this embodiment, to ensure the integrity of the encrypted data packet transmission, the protocol encapsulation submodule also performs integrity calculation on the encapsulated encrypted data packet and transmits it to the peer system along with the encrypted data for verification during decryption by the peer system, thereby verifying the integrity of the encrypted data packet.
[0076] Furthermore, if the length of the encapsulated data packet exceeds the maximum transmission unit of the link, the encrypted data is fragmented; if its length does not exceed the maximum transmission unit of the link, it is not fragmented.
[0077] refer to Figure 6 The data decryption process of the aforementioned ultra-high-speed secure transmission system specifically includes the following steps:
[0078] Step 1: Deploy system a at the boundary of network domain A and system B at the boundary of network domain B; connect the communication link between system a and system b.
[0079] Step 2: Input the system operation parameters, such as algorithm parameters, into the configuration management modules of System a and System b respectively through the human-computer interaction device, and then send them to the network interface module and the password processing module.
[0080] Step 3: After receiving the information that the network interface module and password processing module have been correctly configured, the configuration management modules of system a and system b configure the connection status of the corresponding network interface to be enabled, and the corresponding system enters the working state.
[0081] Step four: The network interface module of system b receives the encrypted data packet and verifies its integrity; it parses the encrypted transmission protocol header to verify the packet's legitimacy. If the data packet is complete and valid, it is forwarded to the cryptographic processing module of system b; if the data packet is incomplete or invalid, it is discarded.
[0082] Furthermore, if the received ciphertext data packet is determined to be a fragmented packet, the ciphertext data is reassembled.
[0083] Step 5: The algorithm scheduling submodule of the password processing module of system b receives the ciphertext data packet to be decrypted and temporarily stores it in the data buffer area; the algorithm scheduling submodule polls to receive the status information of each data decryption submodule, calculates and finds the currently idle data decryption submodule, and adds an incrementing order-preserving tag to the ciphertext data packet.
[0084] Step six: After receiving the ciphertext data packet, the idle data decryption submodule temporarily stores the data packet in the input buffer, calls the cryptographic algorithm supported by the system and the algorithm parameters issued by the configuration management module to decrypt the message, and the decrypted plaintext data packet is temporarily stored in the output buffer of the data decryption submodule.
[0085] Step 7: The message ordering submodule polls the status information of the output buffer of each data decryption submodule, extracts the ordering tags (digital tags) of the temporarily stored messages in each output buffer from the status information, reads the plaintext data messages temporarily stored in each output buffer in ascending order, and sends the plaintext data messages to the network interface module, encapsulates and restores them into the original Ethernet data messages, and then sends them to the information processing device (system a) in network domain A to complete the data decryption and transmission process.
[0086] The above description is only a preferred embodiment of the present invention. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the technical principles of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.
Claims
1. An FPGA-based ultra-high-speed network security transmission system, characterized in that, It includes a network interface module, a password processing module, and a configuration management module; The network interface module provides services for sending and receiving ultra-high-speed network packets, parsing and reassembling protocols, and checking packet compliance. Specifically, it includes a network packet access submodule, a network packet output submodule, a protocol parsing submodule, and a protocol encapsulation submodule. The network packet access and output submodules are the system's external network interfaces, conforming to the IEEE 802.3 standard, and are used to implement PCS, PMA, and MAC functions for network packets at the physical and data link layers. The protocol parsing submodule is used to implement the parsing of data from the network packet access submodule. The input network packets are parsed. The parsing process varies depending on the type of plaintext and ciphertext. For plaintext, the Layer 2 header is parsed and the packet's validity is checked. For ciphertext, the ciphertext header is parsed, fragmented packets exceeding the maximum transmission unit (MTU) are reassembled, and their validity is checked. The protocol encapsulation submodule encapsulates the encrypted ciphertext packets with ciphertext headers and performs fragmentation on packets exceeding the MTU. The encapsulated network packets are then sent to the network packet output submodule to complete the transmission of the network packets. The cryptographic processing module provides gatekeeper-style encryption / decryption and reordering services for network packets. Specifically, it includes a data encryption submodule, a data decryption submodule, an algorithm scheduling submodule, and a packet order preservation submodule. The data encryption submodule encapsulates data encryption algorithm units and configures encryption modes. Using the current working key, it provides gatekeeper-style encryption services to the input plaintext packets and can also bundle multiple data encryption algorithm units into an encryption algorithm cluster. Similarly, the data decryption submodule encapsulates data decryption algorithm units and configures decryption modes. Using the current working key, it provides decryption services to the input ciphertext packets and can also bundle multiple data decryption algorithm units into a decryption cluster. The system includes: an encryption algorithm cluster; an algorithm scheduling submodule, which monitors the working status of the data encryption or decryption submodule and allocates appropriate data encryption or decryption algorithm units to the network packets to be processed; and a packet ordering submodule, which adds a digital tag to the network packets to be input to the data encryption or decryption submodule to identify the position of the data fragments in the data stream. It rearranges out-of-order packets output from the data encryption or decryption submodule based on the digital tag to ensure that packet fragments are not out of order due to concurrent processing by multiple data encryption or decryption algorithm units of the data encryption or decryption submodule. The configuration management module is used to configure the operating parameters of the network interface module and the password processing module through the management bus, and serves as a unified management interface for audit logs.
2. The system as described in claim 1, characterized in that, The cryptographic processing module also includes a key generation submodule, which generates working keys for data encryption and decryption according to the key negotiation specification, and configures the effective time and validity period. After the working keys are generated, the data encryption submodule or the data decryption submodule can start providing network security transmission services.
3. The system as described in claim 2, characterized in that, The cryptographic processing module further includes an algorithm unit self-test submodule, which, after inputting the test data and encryption / decryption operation type preset by the configuration management module, performs encryption / decryption operations on the test data, returns the output ciphertext / plaintext to the configuration management module, and compares it with known results to verify whether the current encryption mode and working key of the data encryption submodule are correct, and whether the current decryption mode and working key of the data decryption submodule are correct. After both verifications are correct, the data encryption submodule or the data decryption submodule can start providing network security transmission services.
4. The system as described in claim 3, characterized in that, The cryptographic processing module further includes an algorithm status reporting submodule, which is used to: automatically generate alarm information and report it to the configuration management module if the encryption mode or working key of the verification data encryption submodule is incorrect, or the decryption mode or working key of the data decryption submodule is incorrect, or the number of incomplete or invalid messages received within a certain period of time reaches the alarm reporting threshold set by the configuration management module, or the number of network messages that fail to decrypt within a certain period of time reaches the alarm threshold set by the configuration management module.
5. The system as described in claim 4, characterized in that, The configuration management module includes a configuration management submodule and a log management submodule. The configuration management submodule is used to generate operation events, and the log management submodule is used to receive alarm information reported by the algorithm status reporting submodule, record operation events generated by the configuration management submodule, classify the operation events according to their severity level, and convert them into log information.
6. The system as described in claim 5, characterized in that, The network interface module also includes a Layer 2 network forwarding submodule. For systems with multiple network physical ports, this Layer 2 network forwarding submodule supports self-learning of the MAC information of each network physical port and configures the VLAN division of each network physical port online through the configuration management module, so as to be suitable for application scenarios where multiple network interface devices perform Layer 2 network switching. The network interface module also includes a network interface rate adaptive submodule, which is used to obtain the connection rate of the current communication link by reading the optical module information of the access system, and automatically modify the encoding and transmission mode of the interface data of this system to adapt to the communication requirements of different link rates.
7. The system as described in claim 5, characterized in that, Assume there are N schedulable data encryption / decryption algorithm units in the data encryption / decryption submodule, and each data encryption / decryption algorithm unit can process a maximum data packet length of MPU at a time; each data encryption / decryption algorithm unit has a data buffer of length L, which is used to construct a network packet input queue. Each data encryption / decryption algorithm unit can process one network packet simultaneously and store the next network packet. The length L of the data buffer is 2*MPU; each data buffer is configured with a "full" signal identifier PROG_FULL. This signal identifier PROG_FULL is set to 1 when the remaining space in the data buffer is less than MPU, and set to 0 when the remaining space is greater than MPU, to ensure that the data buffer can receive one network packet to be input when PROG_FULL is 0; the signal identifiers PROG_FULL of the N data encryption / decryption submodules form a circular shift register CIR_PROG_FULL with a width of N bits. Each bit in the circular shift register CIR_PROG_FULL indicates the idle status of its corresponding data buffer.
8. The system as described in claim 5, characterized in that, The workflow of the algorithm scheduling submodule includes two steps: retrieval and shifting. After the system receives a network packet to be encrypted / decrypted, the algorithm scheduling submodule obtains the idle status of each data encryption / decryption algorithm unit in the current data encryption or decryption submodule, i.e., the value of the circular shift register CIR_PROG_FULL. After determining the scheduling starting point, the algorithm scheduling submodule begins the retrieval operation. Assuming that the scheduling starting point of the algorithm scheduling submodule is data buffer A, if the value of bit 0 is 1, it means that data buffer A cannot receive the network packet to be input. Then, it continues to check the value of each bit in the circular shift register CIR_PROG_FULL from low bit to high bit, i.e., it checks the idle status of other data buffers, until it finds the position where the lowest bit of the circular shift register CIR_PROG_FULL is 0 and the data buffer it points to. Assuming that the scheduling result is data buffer C, the data packet is sent to the data encryption / decryption algorithm unit corresponding to data buffer C for cryptographic processing. The shift operation is performed after the retrieval operation. After the retrieval operation is completed, the circular shift register CIR_PROG_FULL is shifted 1 bit in the low bit direction, that is, the starting point of the next scheduling will be the data buffer B.
9. A method for ultra-high-speed network security transmission based on the system described in any one of claims 5 to 8, characterized in that, Suppose that network domain A and network domain B need to transmit data in encrypted form. This method includes the following data encryption process: Step 1: Deploy system a at the boundary of network domain A and system b at the boundary of network domain B; connect the communication link between system a and system b. Step 2: Using the human-computer interaction device, input the parameters required for system operation into the configuration management modules of System a and System b respectively. The configuration management modules of System a and System b will then send the received system configuration data to the network interface module and password processing module of this system. Step 3: After receiving the information that the network interface module and password processing module have been correctly configured, the configuration management modules of system a and system b configure the connection status of the corresponding network interface to be enabled, and the corresponding system enters the working state. Step four: The network interface module of system a receives Ethernet plaintext packets and verifies the integrity of the packets; Parse the header of an Ethernet plaintext message to verify its validity; If the data packet is complete and valid, it is forwarded to the cryptographic processing module of system a; if the data packet is incomplete or invalid, it is discarded. Step 5: The algorithm scheduling submodule of the password processing module of system a receives the Ethernet data packet to be encrypted and temporarily stores it in the data buffer area; the algorithm scheduling submodule polls the status information of each data encryption submodule, calculates and finds the currently idle data encryption submodule, and adds an incrementing order-preserving tag to the Ethernet data packet; Step 6: After receiving the Ethernet data packet, the idle data encryption submodule temporarily stores it in the input buffer, calls the cryptographic algorithm supported by this system and the algorithm parameters issued by the configuration management module to encrypt the packet, and temporarily stores the encrypted ciphertext data packet in the output buffer of the data encryption submodule. Step 7: The message ordering submodule polls the status information of the output buffer of each data encryption submodule, extracts the ordering tags of the temporarily stored messages in each output buffer from the status information, reads the ciphertext data messages temporarily stored in each output buffer in ascending order, and sends the ciphertext data messages to the network interface module. After encapsulation according to the ciphertext transmission protocol, the ciphertext data messages are sent to system b, completing the data encryption transmission process.
10. A method for ultra-high-speed network security transmission based on the system described in any one of claims 5 to 8, characterized in that, Suppose that network domain A and network domain B need to transmit data in encrypted form. This method includes the following data decryption process: Step 1: Deploy system a at the boundary of network domain A and system B at the boundary of network domain B; connect the communication link between system a and system b. Step 2: Input the system operation parameters into the configuration management modules of System a and System b respectively through the human-computer interaction device. The configuration management modules of System a and System b will then send the received system configuration data to the network interface module and password processing module of this system. Step 3: After receiving the information that the network interface module and password processing module of this system have been correctly configured, the configuration management modules of system a and system b configure the connection status of the corresponding network interface to be enabled, and the corresponding system enters the working state. Step four: The network interface module of system b receives the encrypted data packet, verifies the packet integrity, and parses the encrypted transmission protocol header to verify the packet's legitimacy. If the data message is complete and valid, it will be forwarded to the password processing module of system b. If the data packet is incomplete or invalid, it is discarded; Furthermore, if it is determined that the received ciphertext data packet is a fragmented packet, the ciphertext data is reassembled. Step 5: The algorithm scheduling submodule of the password processing module of system b receives the ciphertext data packet to be decrypted and temporarily stores it in the data buffer area. The algorithm scheduling submodule receives the status information of each data decryption submodule in a polling manner, calculates and finds the currently idle data decryption submodule, and adds an incrementing order-preserving tag to the ciphertext data packet; Step 6: After receiving the ciphertext data packet, the idle data decryption submodule temporarily stores the data packet in the input buffer, calls the cryptographic algorithm supported by this system and the algorithm parameters issued by the configuration management module to decrypt the message, and the decrypted plaintext data packet is temporarily stored in the output buffer of the data decryption submodule. Step 7: The message ordering submodule polls the status information of the output buffer of each data decryption submodule, extracts the ordering tags of the temporarily stored messages in each output buffer from the status information, reads the plaintext data messages temporarily stored in each output buffer in ascending order, and sends the plaintext data messages to the network interface module, encapsulates and restores them into the original Ethernet data messages, and then sends them to system a in network domain A to complete the data decryption and transmission process.