A network security protection circuit for special industry terminal equipment
By setting up module configuration, encryption, and FPGA security processing circuits in the network security protection circuits of terminal equipment in special industries, data encryption and routing control are achieved, solving the problem of insufficient network communication security of terminal equipment and improving the security and flexibility of data transmission.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- EMDOOR CHINESE ACAD OF SCI CO LTD
- Filing Date
- 2026-04-21
- Publication Date
- 2026-06-05
AI Technical Summary
Existing technologies for special industry terminal equipment lack sufficient network communication security. Traditional encryption methods are easily cracked, hardware security boundaries are vague, and communication links lack deep protection, making them susceptible to theft and tampering.
The network security protection circuit of the terminal device is equipped with a module configuration circuit, an encryption module circuit, an FPGA security processing circuit, and a communication circuit. Data is encrypted through the FPGA security processing circuit, and the communication circuit is connected through the RGMII interface to realize data routing and access control. It independently executes national cryptographic algorithms and has physical tamper detection and key self-destruction functions.
Significantly enhances network security, resists side-channel attacks and memory leaks, ensures the trustworthiness of encrypted operations, adapts to different scenario requirements, meets high confidentiality requirements, and guarantees data transmission security.
Smart Images

Figure CN122160176A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of charging circuit technology, and more specifically to a network security protection circuit for terminal equipment in special industries. Background Technology
[0002] FPGA stands for Field-Programmable Gate Array. It is an integrated chip primarily composed of digital circuits, belonging to the category of programmable logic devices (PLDs). Emerging as a semi-custom circuit within the field of application-specific integrated circuits (ASICs), it addresses the shortcomings of custom circuits while overcoming the limited gate count of traditional programmable devices. Simply put, an FPGA is like a circuit board that can be reprogrammed after installation. Unlike traditional fixed-function chips (such as microprocessors), it is a hardware platform that can be dynamically reconfigured according to needs. Users can program the connections between hardware circuits to achieve the desired circuit functions. The core of an FPGA is its programmable logic circuitry, which includes a large number of reconfigurable logic blocks (CLBs) and memory circuitry. CLBs are the basic logic circuits in an FPGA and can be programmed and connected according to user requirements. Memory circuitry is used to store configuration data and intermediate calculation results.
[0003] The RGMII interface is a standard interface used to connect Ethernet PHY (Physical Layer Device) and MAC (Media Access Controller). RGMII stands for Reduced Gigabit Media Independent Interface, a network interface standard used between Gigabit Ethernet chips and PHY chips. The RGMII interface is designed to reduce the number of I / Os, minimize the network card's PCB footprint, and improve data transmission efficiency.
[0004] Currently, in specialized industries (such as military, government, energy, and finance, which involve classified information), dedicated terminal equipment is involved in core confidentiality matters, and the network communication security of terminal equipment is directly related to the security of state secrets, trade secrets, and critical infrastructure.
[0005] The most commonly used solution in current mainstream designs is perimeter protection technology, represented by firewalls. Firewalls act as gatekeepers for the network, controlling and detecting network access based on preset security policies. However, for network security, firewalls only perform detection and filtering, representing passive defense. This approach primarily targets known network attacks and has a certain lag in dealing with advanced persistent threats (APTs), and the accuracy of detection needs improvement. Furthermore, building a comprehensive security defense system is costly, and security policies need continuous adjustment to adapt to network development, leading to high maintenance difficulty and complex management.
[0006] The following are prominent problems in the existing technology: 1. Traditional encryption methods are simplistic, with most terminal devices relying solely on software-level encryption algorithms (such as SSL / TLS), making them vulnerable to reverse engineering and cracking, and unable to withstand high-intensity network attacks; 2. The hardware security boundaries are blurred. The main control CPU of the terminal device directly processes encryption calculations, which poses risks such as side-channel attacks and memory leaks. Sensitive data is easily stolen during transmission and processing. 3. The communication link lacks security. Ordinary network communication modules are not deeply bound to dedicated encryption hardware, and data is easily intercepted and tampered with before entering the public network. Summary of the Invention
[0007] To address the problems in the prior art, this invention provides a network security protection circuit for special industry terminal equipment. By incorporating a cooperating module configuration circuit, an encryption module circuit, an FPGA security processing circuit, and a communication circuit within the network security protection circuit for special industry terminal equipment, the FPGA security processing circuit can encrypt information transmitted from the terminal equipment's main control CPU to the communication circuit according to the encryption instructions from the encryption module circuit. This significantly improves the network security of special industry terminal equipment and solves the problem of severe security deficiencies in network communication for special industry terminal equipment in the prior art.
[0008] This invention provides a network security protection circuit for terminal equipment in special industries, comprising a module configuration circuit, an encryption module circuit, an FPGA security processing circuit, and a communication circuit. The input terminal of the module configuration circuit is provided with an encryption interface for connecting to external devices. The output terminal of the module configuration circuit is connected to the input terminal of the encryption module circuit, which is also connected to the main control CPU of the terminal equipment. The output terminal of the encryption module circuit is connected to the input terminal of the FPGA security processing circuit, which is also connected to the main control CPU of the terminal equipment. The output terminal of the FPGA security processing circuit is connected to the communication circuit via an RGMII interface. The communication circuit can wirelessly or wiredly connect to external devices. The module configuration circuit is used to configure encryption parameters for the encryption module circuit. The FPGA security processing circuit can encrypt information transmitted from the main control CPU of the terminal equipment to the communication circuit according to the encryption command information of the encryption module circuit.
[0009] The present invention is further improved in that the module configuration circuit includes a module configuration chip U68 and a multi-protocol transceiver chip U25. The module configuration chip U68 has 48 pins, and the multi-protocol transceiver chip U25 has 39 pins. Pins 19 and 20 of the module configuration chip U68 are connected to the input terminal of the encryption module circuit. Pins 13 and 14 of the module configuration chip U68 are connected to the encryption interface. Pins 4, 5, 6, and 7 of the module configuration chip U68 are connected to pins 3, 6, 7, and 2 of the multi-protocol transceiver chip U25, respectively. Pins 27, 28, 30, and 31 of the multi-protocol transceiver chip U25 are connected to the encryption interface.
[0010] The present invention is further improved in that the encryption module circuit is provided with an encryption chip U4, the encryption chip U4 has 48 pins, the 36th and 40th pins of the encryption chip U4 are communicatively connected to the main control CPU of the terminal device, the 2nd, 1st, 48th and 31st pins of the encryption chip U4 are connected to the input terminal of the FPGA security processing circuit, the 16th pin of the encryption chip U4 can trigger a button destruction command, and the 17th pin of the encryption chip U4 can trigger a cover-opening destruction command.
[0011] The present invention is further improved in that the FPGA security processing circuit includes a security processing chip U1, resistors R34, R35, R38, and R43. The security processing chip U1 has 8 pins. The first pin of the security processing chip U1 is connected to the 31st pin of the encryption chip U4 through the resistor R34. The second pin of the security processing chip U1 is connected to the 48th pin of the encryption chip U4 through the resistor R35. The fifth pin of the security processing chip U1 is connected to the first pin of the encryption chip U4 through the resistor R34. The sixth pin of the security processing chip U1 is connected to the second pin of the encryption chip U4 through the resistor R34. The third pin of the security processing chip U1 is connected to the communication circuit through the RGMII interface. The seventh pin of the security processing chip U1 is connected to the main control CPU of the terminal device through the RGMII interface.
[0012] The present invention is further improved in that the communication circuit is provided with a communication chip U80, the communication chip U80 has 48 pins, the 34th pin of the communication circuit is connected to the 3rd pin of the security processing chip U1, and the 2nd, 3rd, 5th, 6th, 7th, 8th, 10th and 11th pins of the communication circuit can be wirelessly or wiredly connected to external devices.
[0013] The present invention is further improved in that the module configuration chip U68 is model CH567 and the multi-protocol transceiver chip U25 is model WS339EER1-L / TR.
[0014] The present invention is further improved in that the encryption chip U4 is model CH567.
[0015] The present invention is further improved in that the security processing chip U1 is model GD25Q128ESIGR.
[0016] The present invention is further improved, and the communication chip U80 is model YT8521SH.
[0017] Compared with existing technologies, the beneficial effects of this invention are: it provides a network security protection circuit for special industry terminal equipment. By incorporating mutually cooperating module configuration circuits, encryption module circuits, FPGA security processing circuits, and communication circuits within the network security protection circuit for special industry terminal equipment, the FPGA security processing circuit can encrypt information transmitted from the terminal equipment's main control CPU to the communication circuit according to the encryption instructions from the encryption module circuit. This significantly improves the network security of the special industry terminal equipment. The FPGA security processing circuit is responsible for data routing and access control, while the encryption module circuit focuses on key management and encryption / decryption operations. The two interact through a dedicated interface, further reducing the exposure surface of sensitive data. It effectively resists side-channel attacks and memory leaks; the encryption module circuit independently executes national cryptographic algorithms, and the key is never exported, ensuring the reliability and immutability of encryption operations, and complying with national cryptographic management standards; the module configuration circuit uniformly manages encryption strategies, facilitating dynamic adjustment of security levels to adapt to different special scenario requirements and improve system flexibility; it adopts an RGMII interface to connect the communication circuit, balancing high-speed transmission and hardware security, avoiding protocol vulnerabilities caused by general network interfaces, and ensuring data transmission efficiency and security; the system has physical tamper detection and key self-destruction functions, which can protect core data security under extreme attacks, meet the high confidentiality requirements of special industries, and solve the problem of serious security deficiencies in network communication of terminal equipment in special industries in existing technologies. Attached Figure Description
[0018] To more clearly illustrate the solutions in this invention or the prior art, the accompanying drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0019] Figure 1 This is a schematic diagram of a network security protection circuit for terminal equipment in special industries according to the present invention. Figure 2 A circuit diagram of the module configuration circuit of the present invention; Figure 3 A circuit diagram of the module configuration circuit of the present invention; Figure 4 This is a circuit diagram of the encryption module circuit of the present invention; Figure 5 This is a circuit diagram of the FPGA security processing circuit of the present invention; Figure 6 This is a circuit diagram of the communication circuit of the present invention. Detailed Implementation
[0020] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs; the terminology used herein in the specification is for the purpose of describing particular embodiments only and is not intended to limit the invention; the terms "comprising" and "having," and any variations thereof, in the specification, claims, and foregoing drawings, are intended to cover non-exclusive inclusion. The terms "first," "second," etc., in the specification, claims, or foregoing drawings are used to distinguish different objects and not to describe a particular order.
[0021] In this document, the term "embodiment" means that a particular feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of the invention. The appearance of this phrase in various places throughout the specification does not necessarily refer to the same embodiment, nor is it a separate or alternative embodiment mutually exclusive with other embodiments. It will be explicitly and implicitly understood by those skilled in the art that the embodiments described herein can be combined with other embodiments.
[0022] To enable those skilled in the art to better understand the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings.
[0023] like Figures 1-6As shown, the present invention provides a network security protection circuit for terminal equipment in special industries, including a module configuration circuit, an encryption module circuit, an FPGA security processing circuit, and a communication circuit. The input terminal of the module configuration circuit is provided with an encryption interface for connecting to external devices. The output terminal of the module configuration circuit is connected to the input terminal of the encryption module circuit. The input terminal of the encryption module circuit is also connected to the main control CPU of the terminal equipment. The output terminal of the encryption module circuit is connected to the input terminal of the FPGA security processing circuit. The input terminal of the FPGA security processing circuit is also connected to the main control CPU of the terminal equipment. The output terminal of the FPGA security processing circuit is connected to the communication circuit through an RGMII interface. The communication circuit can wirelessly or wiredly communicate with external devices. The module configuration circuit is used to configure encryption parameters for the encryption module circuit. In this embodiment, the FPGA security processing circuit can encrypt the information transmitted from the main control CPU of the terminal device to the communication circuit according to the encryption instruction information of the encryption module circuit. This significantly improves the network security of terminal devices in special industries. The FPGA security processing circuit is responsible for data routing and access control, while the encryption module circuit focuses on key management and encryption / decryption operations. The two interact through a dedicated interface, further reducing the exposure surface of sensitive data and effectively resisting side-channel attacks and memory leaks. The encryption module circuit independently executes national cryptographic algorithms, and the key is never exported, ensuring the reliability and immutability of encryption operations, in compliance with national cryptographic management standards. The module configuration circuit uniformly manages encryption strategies, facilitating dynamic adjustment of security levels to adapt to different special scenario requirements and improve system flexibility. The communication circuit is connected using an RGMII interface, balancing high-speed transmission and hardware security, avoiding protocol vulnerabilities caused by general network interfaces, and ensuring data transmission efficiency and security. The system has physical tamper detection and key self-destruction functions, which can protect core data security under extreme attacks and meet the high confidentiality requirements of special industries.
[0024] like Figures 2-3 As shown, the module configuration circuit includes a module configuration chip U68 and a multi-protocol transceiver chip U25. The module configuration chip U68 is a CH567, and the multi-protocol transceiver chip U25 is a WS339EER1-L / TR. The module configuration chip U68 has 48 pins, and the multi-protocol transceiver chip U25 has 39 pins. Pins 19 and 20 of the module configuration chip U68 are connected to the input of the encryption module circuit, and pins 13 and 14 of the module configuration chip U68 are connected to the encryption interface. Pins 4, 5, 6, and 7 of the module configuration chip U68 are connected to pins 3, 6, 7, and 2 of the multi-protocol transceiver chip U25, respectively. Pins 27, 28, 30, and 31 of the multi-protocol transceiver chip U25 are connected to the encryption interface. In this embodiment, the module configuration circuit is connected to the encryption module circuit through a communication interface for unified distribution of security policies and configuration of encryption parameters, achieving centralized management of security policies.
[0025] like Figure 4 As shown, the encryption module circuit includes an encryption chip U4, model CH567, with 48 pins. Pins 36 and 40 of the encryption chip U4 are connected to the main control CPU of the terminal device, while pins 2, 1, 48, and 31 are connected to the input terminals of the FPGA security processing circuit. Pin 16 of the encryption chip U4 can trigger a button destruction command, and pin 17 can trigger a cover-open destruction command. In this embodiment, relevant encryption or authentication information can be injected through the module configuration circuit so that identity authentication and FPGA configuration can be completed upon power-on. All keys are stored only internally within the module and are never exported, greatly ensuring data security.
[0026] like Figure 5 As shown, the FPGA security processing circuit includes a security processing chip U1, resistors R34, R35, R38, and R43. The security processing chip U1 is model GD25Q128ESIGR and has eight pins. Pin 1 of the security processing chip U1 is connected to pin 31 of the encryption chip U4 via resistor R34. Pin 2 of the security processing chip U1 is connected to pin 48 of the encryption chip U4 via resistor R35. Pin 5 of the security processing chip U1 is connected to pin 1 of the encryption chip U4 via resistor R34. Pin 6 of the security processing chip U1 is connected to pin 2 of the encryption chip U4 via resistor R34. Pin 3 of the security processing chip U1 is connected to the communication circuit via the RGMII interface. Pin 7 of the security processing chip U1 is connected to the main control CPU of the terminal device via the RGMII interface. In this embodiment, the FPGA security processing circuit serves as a hardware isolation layer, implementing data routing, protocol conversion, and access control. It performs strict permission verification and auditing on the data flow between the terminal device's main control CPU and the communication circuit, blocking illegal data paths.
[0027] like Figure 6 As shown, the communication circuit includes a communication chip U80, model YT8521SH, with 48 pins. Pin 34 of the communication circuit is connected to pin 3 of the security processing chip U1. Pins 2, 3, 5, 6, 7, 8, 10, and 11 of the communication circuit can be used for wireless or wired communication with external devices. In this embodiment, the communication circuit only receives encrypted data that has undergone dual processing by the encryption module circuit and the FPGA security processing circuit. It communicates with the external network through a dedicated encryption channel to ensure that the data cannot be cracked or tampered with during transmission. Simultaneously, the data received from the external network is transmitted to the FPGA security processing circuit, encrypted, and then transmitted to the terminal device's main control CPU, ensuring network security.
[0028] In this embodiment, after the terminal device is powered on, the user can first add a key to the encryption module circuit through the module configuration circuit. The key includes the user's authentication information and encryption information. CH567 in the encryption module circuit will store the key. When the power button is pressed, the terminal enters the system normally. The terminal device's main control CPU sends a self-test command to the FPGA security processing circuit and the encryption module circuit through the communication interface. The FPGA security processing circuit completes its own logical integrity verification and initializes the RGMII interface and performs a link self-test. The encryption module circuit completes hardware identity verification and key information confirmation through the module configuration circuit, and generates a unique root key for the device. This key is only stored in the internal hardware security element of the encryption module and is never exported. After the terminal device's main control CPU confirms that both the FPGA security processing circuit and the encryption module circuit are legitimate and trusted hardware, it opens the business data path; otherwise, it locks the system and triggers an alarm.
[0029] When a user initiates an internet access request, the terminal device's main control CPU sends the user's identity information (such as biometric data) to the encryption module circuit through the communication interface. The encryption module circuit verifies the user's identity information. If the verification is successful, the encryption module circuit sends an authorization signal to the FPGA security processing circuit to open the data path. If the verification fails, the encryption module circuit refuses authorization and reports an unauthorized access event to the terminal device's main control CPU.
[0030] When transmitting uplink data, the terminal device's main control CPU transmits the plaintext service data to the FPGA security processing circuit via RGMII. The FPGA security processing circuit performs protocol analysis and access control verification on the data, allowing only data packets that conform to the security policy to pass through, and then sends the data to the encryption module circuit. The encryption module circuit encrypts the data using encryption information and then sends it back to the FPGA security processing circuit. The encrypted data from the FPGA security processing circuit is then transmitted to the communication circuit, which sends the encrypted data to the peer device through the selected network communication interface, completing the uplink transmission.
[0031] When receiving downlink data, the communication circuit transmits the data from the peer device to the FPGA security processing circuit via RGMII. The FPGA security processing circuit verifies the integrity of the data and, after confirming that it has not been tampered with, sends it to the encryption module circuit. The encryption module circuit uses a key to decrypt the data, restores it to plaintext data, and sends it back to the FPGA security processing circuit. The FPGA security processing circuit verifies its access permissions. If it is a legitimate service, the FPGA security processing circuit sends it to the terminal device's main control CPU. The terminal device's main control CPU processes the data and completes the downlink data reception.
[0032] As can be seen from the above, the present invention provides a network security protection circuit for special industry terminal equipment. By incorporating a cooperating module configuration circuit, an encryption module circuit, an FPGA security processing circuit, and a communication circuit within the network security protection circuit for special industry terminal equipment, the FPGA security processing circuit can encrypt information transmitted from the terminal equipment's main control CPU to the communication circuit according to the encryption instructions from the encryption module circuit. This significantly improves the network security of the special industry terminal equipment. The FPGA security processing circuit is responsible for data routing and access control, while the encryption module circuit focuses on key management and encryption / decryption operations. The two interact through a dedicated interface, further reducing the exposure surface of sensitive data and effectively resisting side signals. The system is designed to prevent network attacks and memory leaks. The encryption module independently executes national cryptographic algorithms, and the key is never exported, ensuring the reliability and immutability of encryption operations and complying with national cryptographic management standards. The module configuration circuit uniformly manages encryption strategies, facilitating dynamic adjustment of security levels to adapt to different special scenarios and enhance system flexibility. The RGMII interface is used to connect the communication circuit, balancing high-speed transmission with hardware security, avoiding protocol vulnerabilities introduced by general network interfaces, and ensuring data transmission efficiency and security. The system features physical tamper detection and key self-destruction capabilities, protecting core data security under extreme attacks, meeting the high confidentiality requirements of special industries, and solving the problem of severe security deficiencies in network communication for terminal equipment in special industries in existing technologies.
[0033] The specific embodiments described above are preferred embodiments of the present invention and are not intended to limit the specific scope of the present invention. The scope of the present invention includes, but is not limited to, these specific embodiments. All equivalent changes made in accordance with the present invention are within the protection scope of the present invention.
Claims
1. A network security protection circuit for terminal equipment in special industries, characterized in that: The system includes a module configuration circuit, an encryption module circuit, an FPGA security processing circuit, and a communication circuit. The input of the module configuration circuit has an encryption interface for connecting to external devices. The output of the module configuration circuit is connected to the input of the encryption module circuit, which is also connected to the main control CPU of the terminal device. The output of the encryption module circuit is connected to the input of the FPGA security processing circuit, which is also connected to the main control CPU of the terminal device. The output of the FPGA security processing circuit is connected to the communication circuit via an RGMII interface. The communication circuit can wirelessly or wiredly connect to external devices. The module configuration circuit configures encryption parameters for the encryption module circuit. The FPGA security processing circuit encrypts information transmitted from the main control CPU of the terminal device to the communication circuit according to the encryption instructions from the encryption module circuit.
2. The network security protection circuit for special industry terminal equipment according to claim 1, characterized in that: The module configuration circuit includes a module configuration chip U68 and a multi-protocol transceiver chip U25. The module configuration chip U68 has 48 pins, and the multi-protocol transceiver chip U25 has 39 pins. Pins 19 and 20 of the module configuration chip U68 are connected to the input terminal of the encryption module circuit. Pins 13 and 14 of the module configuration chip U68 are connected to the encryption interface. Pins 4, 5, 6, and 7 of the module configuration chip U68 are connected to pins 3, 6, 7, and 2 of the multi-protocol transceiver chip U25, respectively. Pins 27, 28, 30, and 31 of the multi-protocol transceiver chip U25 are connected to the encryption interface.
3. The network security protection circuit for special industry terminal equipment according to claim 2, characterized in that: The encryption module circuit includes an encryption chip U4 with 48 pins. Pins 36 and 40 of the encryption chip U4 are connected to the main control CPU of the terminal device. Pins 2, 1, 48, and 31 of the encryption chip U4 are connected to the input of the FPGA security processing circuit. Pin 16 of the encryption chip U4 can trigger a button destruction command, and pin 17 of the encryption chip U4 can trigger a cover-opening destruction command.
4. The network security protection circuit for special industry terminal equipment according to claim 3, characterized in that: The FPGA security processing circuit includes a security processing chip U1, resistors R34, R35, R38, and R43. The security processing chip U1 has eight pins. Pin 1 of the security processing chip U1 is connected to pin 31 of the encryption chip U4 via resistor R34. Pin 2 of the security processing chip U1 is connected to pin 48 of the encryption chip U4 via resistor R35. Pin 5 of the security processing chip U1 is connected to pin 1 of the encryption chip U4 via resistor R34. Pin 6 of the security processing chip U1 is connected to pin 2 of the encryption chip U4 via resistor R34. Pin 3 of the security processing chip U1 is connected to the communication circuit via an RGMII interface. Pin 7 of the security processing chip U1 is connected to the main control CPU of the terminal device via an RGMII interface.
5. The network security protection circuit for special industry terminal equipment according to claim 4, characterized in that: The communication circuit is equipped with a communication chip U80, which has 48 pins. The 34th pin of the communication circuit is connected to the 3rd pin of the security processing chip U1. The 2nd, 3rd, 5th, 6th, 7th, 8th, 10th, and 11th pins of the communication circuit can be wirelessly or wiredly connected to external devices.
6. The network security protection circuit for special industry terminal equipment according to claim 5, characterized in that: The module configuration chip U68 is model CH567, and the multi-protocol transceiver chip U25 is model WS339EER1-L / TR.
7. The network security protection circuit for special industry terminal equipment according to claim 6, characterized in that: The encryption chip U4 is model CH567.
8. The network security protection circuit for special industry terminal equipment according to claim 5, characterized in that: The security processing chip U1 is model GD25Q128ESIGR.
9. The network security protection circuit for special industry terminal equipment according to claim 6, characterized in that: The communication chip U80 is model number YT8521SH.