Data encryption chip, method, device, medium and program product

By pre-storing encryption keys in the data processing strategy and using dynamic keys to encrypt data content fields, the problem of encryption keys being vulnerable to attack is solved, thus achieving security and reliability in data transmission.

CN122226271APending Publication Date: 2026-06-16BEIJING XINGCHEN WANHE NETWORK TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING XINGCHEN WANHE NETWORK TECHNOLOGY CO LTD
Filing Date
2026-04-20
Publication Date
2026-06-16

AI Technical Summary

Technical Problem

In existing technologies, encryption keys are easily intercepted by man-in-the-middle attacks and spoofing during transmission, leading to data leakage.

Method used

By pre-storing encryption keys in the data processing strategy and generating dynamic keys using feature fields in the network packet header, real-time key negotiation is avoided. The data content fields are then encrypted using the dynamic keys to generate ciphertext data.

Benefits of technology

It effectively prevents key leakage and replay attacks, ensures the security and integrity of data transmission, and ensures that reconstructed data can be parsed normally during cross-network transmission.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122226271A_ABST
    Figure CN122226271A_ABST
Patent Text Reader

Abstract

The application provides a data encryption chip, method, device, medium and program product. The data encryption chip comprises: a data transceiving module, which is used for receiving network data; a packet header analysis module, which is used for analyzing the network data to obtain an IP five-tuple, a feature field and a data content field; the feature field comprises part or all of the packet header data field of the network data; a policy matching module, which is used for obtaining the IP five-tuple from the packet header analysis module and determining a data processing policy of the network data according to the IP five-tuple; a dynamic key combination module, which is used for obtaining a dynamic key according to the feature field and an encryption key in the case that the data processing policy represents data encryption; wherein the encryption key is included in the data processing policy in the case that the data processing policy represents data encryption; and an encryption module, which is used for encrypting the data content field by using the dynamic key to obtain ciphertext data. Thus, data leakage can be reduced.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of data processing technology, and more specifically, to a data encryption chip, method, device, medium, and program product. Background Technology

[0002] In the field of data transmission, data traffic encryption is widely used to ensure data security. Traditional VPN devices, firewalls, gateways, and encryption machines are typical examples. These devices are mostly deployed at the network egress point of the sending end. After a handshake and key negotiation with the receiving end, the successfully negotiated key is used to encrypt and decrypt the data to be transmitted. However, during the handshake and negotiation process, the encryption key data circulates within the network, making it vulnerable to man-in-the-middle attacks and spoofing attacks. This can expose the key, invalidate the encryption, and lead to data leakage. Summary of the Invention

[0003] The purpose of this application is to provide a data encryption chip, method, device, medium, and program product to solve the problem of data leakage caused by the easy exposure of encryption keys in related technologies.

[0004] This application provides a data encryption chip, including: Data transceiver module, the data transceiver module is used to receive network data; The packet header parsing module is used to parse the network data to obtain the IP 5-tuple, feature fields, and data content fields; the feature fields include some or all of the fields in the packet header data field of the network data; The strategy matching module is used to obtain the IP 5-tuple from the packet header parsing module and determine the data processing strategy of the network data based on the IP 5-tuple. A dynamic key combination module is used to obtain a dynamic key based on the feature field and the encryption key when the data processing strategy represents data encryption; wherein, when the data processing strategy represents data encryption, the data processing strategy includes the encryption key; An encryption module is used to encrypt the data content field using the dynamic key to obtain ciphertext data.

[0005] In the above implementation, by pre-storing the encryption key in the data processing strategy, the two communicating parties (sender and receiver) can directly obtain the encryption key required for encryption without real-time key negotiation interaction on the communication link. This fundamentally eliminates the risk of man-in-the-middle attacks or eavesdropping that may exist during the key negotiation stage, ensuring the security of the key distribution process.

[0006] Building upon this foundation, the system further extracts characteristic fields from network packet headers in real time and combines them with the encryption key as dynamic variables to generate a dynamic key specific to the current network data. Since the probability of repeated header data fields in each packet of a network data stream is very small, this allows the dynamic key to change along with the packet data. Thus, even if an attacker cracks the dynamic key at a certain moment, that dynamic key cannot be used to decrypt other packets, effectively curbing the chain reaction caused by key leakage; consequently, it can effectively defend against replay attacks and significantly reduce the risk of data theft or tampering.

[0007] Furthermore, by using the dynamic key to encrypt only the data content field to obtain ciphertext data, rather than encrypting the entire network data, when the ciphertext data is subsequently reconstructed using the packet header data field of the network data to obtain the reconstructed data, the IP field in the reconstructed data remains in plaintext and can be correctly parsed by network devices. Therefore, even in cross-network transmission scenarios, the reconstructed data can be forwarded normally.

[0008] Optionally, the dynamic key combination module is specifically used to: when the bit length of the feature field is less than the first preset bit length, extend the bit length of the feature field to the first preset bit length to obtain an extended feature field; the first preset bit length is the same as the bit length of the encryption key; and perform a bitwise XOR operation between the encryption key and the extended feature field to obtain the dynamic key.

[0009] In the above implementation, when the bit length of the feature field is less than the first preset bit length, the bit length of the feature field is extended to the first preset bit length, so that the bit length of the feature field can be equal to the bit length of the encryption key, thereby ensuring that the encryption key can be XORed with the extended feature field to obtain the dynamic key.

[0010] Optionally, the dynamic key combination module is specifically used to extend the bit length of the feature field to the first preset bit length in the following way to obtain the extended feature field: pad the high bits of the feature field with zeros until the bit length of the feature field is equal to the first preset bit length, thereby obtaining the extended feature field.

[0011] In the above implementation, the feature field is padded with zeros at the high bits until the length of the feature field is equal to the first preset length. Since padding with zeros at the high bits does not increase any combinational logic delay, the feature field can be expanded more quickly.

[0012] Optionally, the dynamic key combination module is specifically used to extend the bit length of the feature field to the first preset bit length in the following manner to obtain the extended feature field: When the first preset bit length is an integer multiple of the bit length of the feature field, the feature field is copied until the sum of the bit length of the copied field and the bit length of the feature field is equal to the first preset bit length. The feature field is concatenated with the copied field to form the extended feature field.

[0013] In the above implementation, an extended feature field is constructed by copying the original feature field and concatenating it with the original feature field. This ensures that during the subsequent generation of the dynamic key, the information from the original feature field is evenly distributed across all positions of the extended feature field. Consequently, the generated dynamic key is influenced by the original feature field at every bit, thus significantly enhancing the obfuscation effect of key generation.

[0014] Optionally, the encryption module is specifically used for: The data content field is grouped according to the second preset bit length to obtain n blocks to be encrypted; By performing n increment operations on the preset initialization vector using a counter, n intermediate dynamic vectors are obtained. Each of the intermediate dynamic vectors is encrypted using the dynamic key to obtain n session keys; Perform an XOR operation between each session key and the corresponding block to be encrypted to obtain the target encrypted data corresponding to each block to be encrypted. Arrange each target encrypted data according to the order of each block to be encrypted in the data content field to obtain the ciphertext data.

[0015] In the above implementation, since the session key for each block to be encrypted is generated by encrypting a counter, and the value of the counter is known and independent before encryption, not dependent on the encryption result of the previous block, the session keys corresponding to all blocks to be encrypted can be computed in parallel and XORed, thus obtaining the ciphertext data more efficiently.

[0016] Optionally, the encryption module is specifically used for: For the last block to be encrypted, if the bit length of the last block to be encrypted is less than the second preset bit length, the bit length of the last block to be encrypted is extended to the second preset bit length to obtain an intermediate block to be encrypted. The session key corresponding to the last block to be encrypted is XORed with the intermediate block to be encrypted to obtain intermediate encrypted data. Based on the bit length of the last block to be encrypted, a byte removal operation is performed on the intermediate encrypted data to obtain the target encrypted data corresponding to the last block to be encrypted.

[0017] In the above implementation, if the bit length of the last block to be encrypted is less than the second preset bit length, the bit length of the last block to be encrypted is extended to the second preset bit length. This ensures that the last block to be encrypted can also be XORed with the corresponding session key. Then, based on the bit length of the last block to be encrypted, a byte removal operation is performed on the intermediate encrypted data to obtain the target encrypted data corresponding to the last block to be encrypted. This ensures that when each target encrypted data is arranged according to the order of each block to be encrypted in the data content field, the bit length of the obtained ciphertext data can be the same as the bit length of the data content field in the network data.

[0018] Optionally, the packet header parsing module is specifically used to: determine whether the protocol type of the network data is the target protocol and whether the network data is an IP packet; if the network data is an IP packet and the protocol type of the network data is the target protocol, parse the network data to obtain the IP 5-tuple, feature field, and data content field.

[0019] In the above implementation, by determining whether the protocol type of the network data is the target protocol and whether the network data is an IP packet, the network data can be quickly filtered, thereby significantly improving the processing efficiency of network data.

[0020] Optionally, the data transceiver module is further configured to: send the network data when the data processing strategy indicates direct forwarding.

[0021] Optionally, the data encryption chip further includes: The data reconstruction module is used to reconstruct the encrypted data with the packet header data field in the network data to obtain reconstructed data; based on the reconstructed data, perform frame check sequence calculation to obtain a new frame check sequence; and combine the reconstructed data and the frame check sequence to obtain a reconstructed data frame. The data transceiver module is also used to send the reassembled data frame.

[0022] In the above implementation, after obtaining the ciphertext data, the ciphertext data is reassembled with the header data field of the network data to obtain the reassembled data. Since the IP field in the reassembled data remains in plaintext, it can be correctly parsed by network devices. Therefore, even in cross-network transmission scenarios, the reassembled data can be forwarded normally.

[0023] Secondly, embodiments of this application provide a data encryption method, including: Acquire network data; The network data is parsed to obtain the IP 5-tuple, feature fields, and data content fields; the feature fields include some or all of the header data fields of the network data. The data processing strategy for the network data is determined based on the IP quintuple; When the data processing strategy characterizes data encryption, a dynamic key is obtained based on the feature field and the encryption key; wherein, when the data processing strategy characterizes data encryption, the data processing strategy includes an encryption key; The data content field is encrypted using the dynamic key to obtain ciphertext data.

[0024] Thirdly, embodiments of this application provide an electronic device, including a processor and a memory, wherein the memory stores computer-executable instructions that can be executed by the processor, and the processor executes the computer-executable instructions to implement the above-described data encryption method.

[0025] Fourthly, embodiments of this application provide a computer storage medium storing computer-executable instructions. When the computer-executable instructions are invoked and executed by a processor, the computer-executable instructions cause the processor to implement the aforementioned data encryption method.

[0026] Fifthly, embodiments of this application provide a computer program product, which includes a computer program that, when executed by a processor, implements the aforementioned data encryption method. Attached Figure Description

[0027] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments of this application will be briefly introduced below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation of the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0028] Figure 1 This is a schematic diagram of the structure of a data encryption chip provided in an embodiment of this application; Figure 2 A flowchart illustrating a data encryption method provided in this application embodiment. Figure 3 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation

[0029] The technical solutions in the embodiments of this application will now be described with reference to the accompanying drawings.

[0030] Example 1: To address the problem of data leakage due to the easy exposure of encryption keys in related technologies, this application provides a data encryption chip. The data encryption chip can be an ASIC chip. See also... Figure 1 As shown, Figure 1 This is a schematic diagram of the structure of the data encryption chip 100 provided in the embodiments of this application. See also... Figure 1 As shown, the data encryption chip 100 may include a data transceiver module 101, a packet header parsing module 102, a policy matching module 103, a dynamic key combination module 104, an encryption module 105, and a data reconstruction module 106.

[0031] The data transceiver module 101 can be used to receive and send network data. The data transceiver module 101 may include at least one of the following interfaces: RGMII (Reduced Gigabit Media Independent Interface) and SGMII (Serial Gigabit Media Independent Interface).

[0032] In this embodiment of the application, when the data transceiver module 101 receives network data, it can send the received network data to the packet header parsing module 102.

[0033] The data transceiver module 101 may include an RGMII module and an SGMII module.

[0034] The RGMII module, as a parallel interface unit, integrates an RGMII transceiver compliant with the IEEE 802.3-2008 standard. To address the inherent data skew problem in parallel transmission, the RGMII module incorporates an 8KB FIFO buffer. This FIFO buffer can not only temporarily store burst data streams but also achieve precise data alignment through an asynchronous clock domain. Furthermore, the RGMII module includes a state machine for real-time monitoring of physical layer control signals to define the start and end of a data packet.

[0035] The SGMII module, as a serial interface unit, integrates a SerDes (Serializer / Deserializer) transceiver conforming to the IEEE 802.3z standard, a 10KB FIFO buffer, and a clock recovery circuit. The FIFO buffer supports high-speed optical transmission. The clock recovery circuit extracts a reference clock from the SGMII signal to solve the critical problem of clock synchronization between the transmitting and receiving ends in high-speed serial communication, providing a stable timing reference for subsequent data deserialization.

[0036] Refer to the register mapping table in Table 1. RGMII_STATUS_REG (address 0x0000) is used to reflect the real-time operating status of the RGMII module. Bit0 of RGMII_STATUS_REG indicates the status of the RGMII module's receive channel. When Bit0 of RGMII_STATUS_REG = 1, it indicates that the RGMII interface's receive channel is in data receiving mode. When Bit0 of RGMII_STATUS_REG = 0, it indicates that the RGMII interface's receive channel is in an idle state.

[0037] Bit1 of RGMII_STATUS_REG is used to indicate the status of the RGMII module's transmit channel. When Bit1=1, it indicates that the RGMII interface's transmit channel is in a data transmission state. When Bit1=0, it indicates that the RGMII interface's transmit channel is in an idle state.

[0038] The SGMII_FIFO_CTRL_REG field (address 0x0004) is used to reflect the real-time operating status of the SGMII module. Bits 0-7 of SGMII_FIFO_CTRL_REG indicate the threshold of the internal FIFO buffer of the SGMII module. Bit 8 of SGMII_FIFO_CTRL_REG indicates whether the internal FIFO buffer of the SGMII module has overflowed. When bit 8 = 1, it indicates that the internal FIFO buffer of the SGMII module has overflowed. When bit 8 = 0, it indicates that the internal FIFO buffer of the SGMII module is working normally, that is, the data is within the buffer capacity and no data is lost.

[0039] Table 1

[0040] The header parsing module 102 can respond to received network data and determine whether the network data is an IP packet.

[0041] For example, the header parsing module 102 includes a data packet buffer, and correspondingly, the header parsing module 102 can store the received network data in the data packet buffer.

[0042] The packet header parsing module 102 can parse network data to obtain the IP 5-tuple, feature fields, and data content fields; the feature fields include some or all of the header data fields of the network data.

[0043] For example, the packet header parsing module 102 can determine whether the network data is an IP packet based on the type field of the network data.

[0044] If the network data is determined to be an IP packet, the header parsing module 102 can extract the IP header data from the network data and determine the protocol type of the network data based on the protocol field of the IP header data.

[0045] If the protocol type of the network data is the target protocol, then the protocol header data, IP 5-tuple, and data content field can be extracted from the network data.

[0046] An IP 5-tuple can include the source IP address, destination IP address, source port, destination port, and protocol.

[0047] The target protocol may include at least one of the following protocols: TCP (Transmission Control Protocol), UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), AH (Authentication Header), and ESP (Encapsulating Security Payload).

[0048] In this embodiment of the application, the header data field of network data may include at least one of IP header data and protocol header data.

[0049] For example, the feature field may consist of a first feature value, a second feature value, and a third feature value. The first feature value may include an identification field in the IP header data, the second feature value may include fields in the IP header data other than the IP header length, and the third feature value may include a sequence number in the protocol header data.

[0050] In one optional implementation of this application, the length of the first feature value can be the same as the identifier field in the IP header data, the length of the second feature value can be the same as the length of the fields in the IP header data other than the IP header length, and the length of the third feature value can be the same as the length of the sequence number in the protocol header data.

[0051] In one optional implementation of this application, the first feature value, the second feature value, and the third feature value can each have their own specific bit length. For example, the first feature value can be 16 bits, the second feature value can be 16 bits, and the third feature value can be 32 bits. Correspondingly, the bit length of the feature field composed of the first feature value, the second feature value, and the third feature value can be 64 bits.

[0052] For example, suppose the same computer continuously sends 1 byte of content via the TCP protocol, with a fixed packet length of 64 bytes. In this extreme case, the characteristic value 2 remains a fixed value and no longer changes.

[0053] Calculation process: By calculation, the network throughput is approximately 1073741824 bps ÷ (64 bytes × 8 bits) ≈ 2072576 packets / second, so the network packet sending rate is approximately 2072576 packets / second.

[0054] With the eigenvalue 2 fixed, the remaining effective number of bits is 48 (i.e., 2). 48 (A combination of these).

[0055] Then it can be calculated by 2 48 ÷2072576≈134217728 seconds≈4.25 years to obtain the repeating cycle required to exhaust all combinations.

[0056] It is evident that even under the extreme assumption of eliminating some feature value changes, the repetition period of the combined feature values ​​is still over 4 years. In practical applications, due to the continuous dynamic changes in fields such as the sequence number, the actual repetition period will far exceed 4 years. Therefore, limiting the bit length of the feature field to 64 bits can effectively prevent key cracking and replay attacks, significantly ensuring the security of encrypted communication.

[0057] The bit length of the identifier field in the IP header data can be less than or equal to the bit length of the first feature value, for example, 16 bits. If the bit length of the identifier field in the IP header data is less than the bit length of the first feature value, the identifier field in the IP header data can be padded with zeros at the high bits to make the length of the zero-padded identifier field consistent with the bit length of the first feature value, thereby ensuring that the bit length of each component of the feature field meets the preset requirements.

[0058] Similarly, the bit length of fields in the IP header data other than the IP header length can be less than or equal to the length of the second characteristic value. If the bit length of a field in the IP header data other than the IP header length is less than the length of the second characteristic value, the field can be padded with zeros at the high-order bits to make the length of the padded field the same as the bit length of the second characteristic value.

[0059] Similarly, the length of the sequence number in the protocol header data can be less than or equal to the length of the third characteristic value. If the length of the sequence number in the protocol header data is less than the length of the third characteristic value, the sequence number can be padded with zeros at the high bits to make the length of the padded sequence number the same as the length of the third characteristic value.

[0060] In this way, regardless of the actual bit length of the source data fields (identification fields in IP header data, fields in IP header data other than IP header length, and sequence numbers in protocol header data), they can be uniformly mapped to preset feature value bit lengths (e.g., 16 bits for the first feature value, 16 bits for the second feature value, and 32 bits for the third feature value), thereby ensuring that the final feature field has a fixed total bit length (e.g., 64 bits).

[0061] In detail, if the network data protocol type is TCP, then... The first feature value can be obtained by extracting the identifier field of bytes 4-5 in the IP header to obtain the identifier field (16 bits) in the IP header data.

[0062] The second feature value can be obtained by reading the total length field of the IP header, subtracting the length of the IP header, and obtaining the IP data length (16 bits), which is the field in the IP header data other than the length of the IP header.

[0063] The third feature value can be obtained by extracting the sequence number from bytes 4 to 7 of the TCP header data to obtain the 32-bit sequence number in the header data.

[0064] If the network data protocol type is ICMP, the third feature value can be obtained in the following way: extract the 6th-7th byte sequence number (16 bits) in the ICMP protocol header data, and pad the extracted sequence number with zeros at the high bits so that the length of the padded sequence number is equal to 32 bits.

[0065] If the network data uses the UDP protocol, its header structure does not include a sequence number field. Therefore, when the protocol type is identified as UDP, there is no valid sequence number to extract, and the extraction result can be 0 or a null value. To maintain the uniformity of the feature field structure (i.e., maintain a total length of 64 bits), the value 0 can be padded to the target bit length (e.g., 32 bits), thereby allocating the corresponding bit space for the third feature value.

[0066] The header parsing module 102 interacts with the controller through the register mapping table Table 2. As shown in Table 2, the register definitions and functions are described below: Table 2

[0067] In this embodiment, the processor can set the target protocol through PARSE_CTRL_REG (0x0010) Bits 1-3. For example, if it is set to 000, the target protocol is TCP. If PARSE_CTRL_REG (0x0010) Bits 1-3 are set to 001, the target protocol is UDP. If PARSE_CTRL_REG (0x0010) Bits 1-3 are set to 010, the target protocol is ICMP.

[0068] The processor can also write a control word to PARSE_CTRL_REG (0x0010) to make Bit 0=1, so that the packet header parsing module 102 can parse the network data, obtain the position of the IP quintuple, feature field and data content field in the network data, and store the IP quintuple and feature field into the corresponding registers respectively.

[0069] For example, bits 0-31 of IP_FIVE_TUPLE_REG (0x0014) are used to store the source IP address. Bits 32-63 of IP_FIVE_TUPLE_REG (0x0014) are used to store the destination IP address. Bits 64-95 of IP_FIVE_TUPLE_REG (0x0014) are used to store the source port. Bits 96-127 of IP_FIVE_TUPLE_REG (0x0014) are used to store the destination port. Bits 128-135 of IP_FIVE_TUPLE_REG (0x0014) are used to store the protocol number.

[0070] Bits 0-15 of FEATURE_REG (0x0018) are used to store the identifier field. Bits 16-31 of FEATURE_REG (0x0018) are used to store the data length. Bits 21-63 of FEATURE_REG (0x0018) are used to store the sequence number.

[0071] The policy matching module 103 is communicatively connected to the packet header parsing module 102. The policy matching module 103 can obtain the IP 5-tuple from the packet header parsing module 102 and determine the data processing policy for network data based on the IP 5-tuple. For example, the policy matching module 103 and the packet header parsing module 102 can be communicatively connected via a 32-bit internal data bus, and correspondingly, the policy matching module 103 can obtain the IP 5-tuple from the packet header parsing module 102 via the 32-bit internal data bus.

[0072] Data processing strategies can be characterized by one of the following: direct forwarding, blocking, and data encryption.

[0073] When the data processing policy indicates direct forwarding, the policy matching module 103 can send the data processing policy to the data transceiver module 101. The data transceiver module 101, in response to the received data processing policy indicating direct forwarding, can directly send network data. Correspondingly, the network data in the data packet buffer will also be cleared.

[0074] When a data processing strategy indicates a blocking event, the strategy matching module 103 can send the data processing strategy to the packet header parsing module 102. In response to the received data processing strategy indicating a blocking event, the packet header parsing module 102 can discard the network data in the packet buffer.

[0075] When the data processing strategy represents data encryption, the strategy matching module 103 can send the data processing strategy to the dynamic key combination module 104. The data processing strategy includes an encryption key.

[0076] In this embodiment, the policy matching module 103 may be configured with a TCAM memory, which is used to store the correspondence between IP quintuples and data processing policies. The TCAM memory can also be used to store encryption keys.

[0077] For example, the TCAM memory can store multiple correspondences between IP quintuples and data processing strategies arranged in sequential order. The storage format of one such correspondence between an IP quintuple and a data processing strategy can be as shown in Table 3.

[0078] Table 3

[0079] As shown in Table 4, Bits 0-31 of POLICY_TCAM_BASE (0x0020) can be used to record the TCAM base address, that is, the starting address in the TCAM memory of the correspondence between the IP quintuple and the data processing strategy.

[0080] The policy matching module can perform matching operations by utilizing the correspondence between IP 5-tuples in network data and data processing policies to obtain matching results.

[0081] For example, if the source IP address, destination IP address, source port, and destination port of the IP 5-tuple to be matched (i.e., the IP 5-tuple of network data) are all in one of the correspondences between IP 5-tuples and data processing policies, and the protocol in the IP 5-tuple to be matched is in the correspondence between that IP 5-tuple and data processing policy, then the match can be determined to be successful.

[0082] Bit0 of MATCH_RESULT_REG (0x0024) records the matching status of the matching module. When Bit0 of MATCH_RESULT_REG (0x0024) is 1, it indicates that the matching module is performing a matching operation. When Bit0 of MATCH_RESULT_REG (0x0020) is 0, it indicates that the matching module is in an idle state.

[0083] Bits 1-2 of MATCH_RESULT_REG (0x0024) can record the data processing strategy. When Bits 1-2 of MATCH_RESULT_REG (0x0024) = 00, the data processing strategy is direct forwarding. When Bits 1-2 of MATCH_RESULT_REG (0x0024) = 01, the data processing strategy is data encryption. When Bits 1-2 of MATCH_RESULT_REG (0x0024) = 10, the data processing strategy is blocking. Bits 3-10 of MATCH_RESULT_REG (0x0024) can be used to store the key index of the encryption key.

[0084] Table 4

[0085] The dynamic key combination module 104 can obtain a dynamic key based on the feature field and the encryption key in response to the received data processing strategy.

[0086] In one optional implementation of this application, the dynamic key combination module 104 can be specifically used to: extend the length of the feature field to the first preset length when the length of the feature field is less than the first preset length to obtain an extended feature field; the first preset length is the same as the length of the encryption key; and perform a bitwise XOR operation between the encryption key and the extended feature field to obtain a dynamic key.

[0087] In this embodiment, when the bit length of the feature field is less than the first preset bit length, the bit length of the feature field can be extended to the first preset bit length to obtain an extended feature field in the following ways: the feature field can be padded with zeros at the high bits until the bit length of the feature field is equal to the first preset bit length to obtain an extended feature field; or, if the first preset bit length is an integer multiple of the bit length of the feature field, the feature field can be copied until the sum of the bit length of the copied field and the bit length of the feature field is equal to the first preset bit length; the feature field and the copied field can then be concatenated to form an extended feature field.

[0088] Of course, regardless of whether the first preset bit length is an integer multiple of the bit length of the feature field, the feature field can be padded with zeros at the high bits until the bit length of the feature field is equal to the first preset bit length, thus obtaining the extended feature field.

[0089] This makes it easier to perform a bitwise XOR operation between the encryption key and the extended feature field to obtain the dynamic key.

[0090] The dynamic key combination module 104 can communicate with the encryption module 105. After obtaining the dynamic key, the dynamic key combination module 104 can send the dynamic key to the encryption module 105. For example, the dynamic key combination module 104 can send the dynamic key to the encryption module 105 through a 32-bit internal data bus.

[0091] Referring to Table 5, in this embodiment of the application, the processor can write a control word to KEY_CTRL_REG (0x0030) to make the bit field Bit 0 of KEY_CTRL_REG (0x0030) equal to 1, thus enabling the dynamic key combination module 104.

[0092] The processor can also set the target protocol through bits 1-3 of the KEY_CTRL_REG (0x0030). For example, if it is set to 000, the target protocol is TCP. If bits 1-3 of the KEY_CTRL_REG (0x0030) are set to 001, the target protocol is UDP. If bits 1-3 of the KEY_CTRL_REG (0x0030) are set to 010, the target protocol is ICMP.

[0093] The dynamic key combination module 104 can respond to Bit 0=1 in the bit field of KEY_CTRL_REG (0x0030) by sending an encryption key retrieval command to the policy matching module 103. Correspondingly, the policy matching module 103 can respond to the encryption key retrieval command by retrieving the key index from the bit fields of MATCH_RESULT_REG (0x0024) Bits 3-10 and feeding it back. Upon receiving the key index, the dynamic key combination module 104 can retrieve the encryption key from the TCAM memory based on the key index. Then, it retrieves the dynamic key based on the feature field and the encryption key, and stores the dynamic key in the bit fields of KEY_CTRL_REG (0x0034) Bits 0-127.

[0094] The dynamic key combination module 104 and the policy matching module 103 can communicate with each other via the APB (Advanced Peripheral Bus).

[0095] Table 5

[0096] The encryption module 105 can communicate with the packet header parsing module 102 to obtain the data content field from the packet header parsing module 102. In addition, the encryption module 105 can encrypt the data content field using the received dynamic key in response to obtain ciphertext data.

[0097] In this embodiment of the application, the encryption module 105 can specifically be used for: The data content field is grouped according to the second preset bit length to obtain n blocks to be encrypted; the preset initialization vector is incremented n times by a counter to obtain n intermediate dynamic vectors; each intermediate dynamic vector is encrypted using a dynamic key to obtain n session keys; each session key is XORed with the corresponding block to be encrypted to obtain the target encrypted data corresponding to each block to be encrypted; each target encrypted data is arranged according to the order of each block to be encrypted in the data content field to obtain ciphertext data.

[0098] Since the length of the data content field can be an integer multiple of the second preset length, or it can be a non-integer multiple of the second preset length, if the length of the data content field is an integer multiple of the second preset length, then the lengths of all n blocks to be encrypted are the same as the second preset length. If the length of the data content field is not an integer multiple of the second preset length, then the lengths of the first n-1 blocks to be encrypted are the same as the second preset length, and the length of the nth block to be encrypted, i.e., the last block to be encrypted, is less than the second preset length.

[0099] If the bit length of the last block to be encrypted is less than the second preset bit length, the encryption module 105 can extend the bit length of the last block to be encrypted to the second preset bit length to obtain an intermediate block to be encrypted; perform an XOR operation between the session key corresponding to the last block to be encrypted and the intermediate block to be encrypted to obtain intermediate encrypted data; and perform a byte removal operation on the intermediate encrypted data based on the bit length of the last block to be encrypted to obtain the target encrypted data corresponding to the last block to be encrypted.

[0100] Thus, after arranging each target encrypted data according to the order of each block to be encrypted in the data content field, the bit length of the obtained ciphertext data can be the same as the bit length of the data content field.

[0101] In addition, in this embodiment, the encryption module 105 can process n blocks to be encrypted in parallel, and simultaneously perform encryption processing on multiple blocks to be encrypted, thereby improving encryption efficiency.

[0102] Referring to Table 6, the encryption module 105 can read the initial counter value from bits 0-127 of ENCRYPT_COUNT0ER_REG (0x0040). It can also read the dynamic key from bits 0-127 of KEY_CTRL_REG (0x0034). Finally, it can obtain the data content field from the packet buffer of the packet header parsing module. The dynamic key is then used to encrypt the data content field to obtain ciphertext data.

[0103] Specifically, Bit0 of ENCRYPT_STATUS_REG (0x0044) is used to record the encryption status of the encryption module 105. When Bit0 of ENCRYPT_STATUS_REG (0x0044) = 1, it indicates that the encryption module 105 is in the process of encryption. When Bit0 of ENCRYPT_STATUS_REG (0x0044) = 0, it indicates that the encryption module 105 is in an idle state.

[0104] Table 6

[0105] The encryption module 105 can also communicate with the data reconstruction module 106, and the encryption module 105 can send encrypted data to the data reconstruction module 106.

[0106] The data reconstruction module 106 can respond to received ciphertext data by reconstructing the ciphertext data with the header data field in the network data to obtain reconstructed data; based on the reconstructed data, it performs frame check sequence calculation to obtain a new frame check sequence; and combines the reconstructed data and the frame check sequence to obtain a reconstructed data frame. Thus, compared to the original network data, the reconstructed data frame only changes the data content field and the frame check sequence, and the total length of the reconstructed data frame is the same as the total length of the original network data.

[0107] Finally, the data reassembly module 106 can communicate with the receiving module. The data reassembly module 106 can send the reassembled data frame to the data transceiver module 101, which can respond to the received reassembled data frame by sending the reassembled data frame back. After the data transceiver module 101 sends the reassembled data frame, the network data currently stored in the packet buffer of the header parsing module will be deleted, and the header parsing module will retrieve the next network data from the data transceiver module.

[0108] Referring to Table 7, in this embodiment, the processor can also write a control word to REASSEMBLY_CTRL_REG (0x0050) to set Bit 0 of REASSEMBLY_CTRL_REG (0x0050) to 1, thereby enabling the data reconstruction module 106 to reconstruct the data, obtain the reconstructed data, and perform frame check sequence calculation based on the reconstructed data to obtain a new frame check sequence.

[0109] Bits 0-127 of HEADER_BUFFER_REG (0x0054) can be used to store the MAC header, IP header, and transport layer header of network data. That is, when the header parsing module 102 parses the network data, the parsed MAC header, IP header, and transport layer header can be stored in bits 0-127 of HEADER_BUFFER_REG (0x0054).

[0110] Bits 0-31 of FCS_REG (0x0058) are used to store the frame check sequence.

[0111] Table 7

[0112] In this embodiment, the data encryption chip may further include a control interface module, which is used to enable communication between the data encryption chip and an external controller via SPI. The control interface module may include an SPI controller, a register mapping table, and a state machine. The SPI controller supports SPI mode 0 (CPOL=0, CPHA=0) with a clock frequency of 1-10MHz. The register mapping table maps all registers in the data encryption chip to the SPI address space (0x0000-0x00FF). The state machine handles read and write requests from the external controller.

[0113] For example, referring to Table 8, in practical applications, if an external controller needs to obtain the current encryption statistics of the data encryption chip, it can initiate a read request to the control interface module via the SPI bus. Correspondingly, Bit0 of SPI_CTRL_REG (0x0060) is set to 1. When the SPI controller detects that Bit0 of SPI_CTRL_REG (0x0060) is 1, it can set Bit1 of SPI_CTRL_REG (0x0060) to 0. The state machine can obtain the number of received packets from Bits 0-31 of STATISTICS_REG (0x0064) and the number of encrypted packets from Bits 32-63 of STATISTICS_REG (0x0064). Subsequently, the state machine can serially shift out the number of received packets and the number of encrypted packets via the MISO pin for the external controller to read.

[0114] Table 8

[0115] Example 2 This embodiment, based on the first embodiment described above, provides a data encryption method applicable to data encryption chips, combined with... Figure 2 The flowchart shown illustrates a data encryption method, which may include the following steps: Step S201: Obtain network data; Step S202: Parse the network data to obtain the IP 5-tuple, feature fields, and data content fields; the feature fields include some or all of the header data fields of the network data.

[0116] In this embodiment of the application, it can be determined whether the protocol type of the network data is the target protocol and whether the network data is an IP data packet; if the network data is an IP data packet and the protocol type of the network data is the target protocol, the network data is parsed to obtain the IP quintuple, feature field and data content field.

[0117] Step S203: Determine the data processing strategy for network data based on the IP 5-tuple; Step S204: When the data processing strategy represents data encryption, obtain the dynamic key based on the feature field and the encryption key; wherein, when the data processing strategy represents data encryption, the data processing strategy includes the encryption key.

[0118] In this embodiment of the application, when the bit length of the feature field is less than the first preset bit length, the bit length of the feature field can be extended to the first preset bit length to obtain an extended feature field; the first preset bit length is the same as the bit length of the encryption key; the encryption key and the extended feature field are XORed bitwise to obtain a dynamic key.

[0119] In one feasible implementation of this application, extending the bit length of the feature field to a first preset bit length to obtain an extended feature field includes: padding the high bits of the feature field with zeros until the bit length of the feature field is equal to the first preset bit length, thereby obtaining the extended feature field.

[0120] In one feasible implementation of this application, extending the bit length of a feature field to a first preset bit length to obtain an extended feature field includes: copying the feature field when the first preset bit length is an integer multiple of the bit length of the feature field, until the sum of the bit length of the copied field and the bit length of the feature field is equal to the first preset bit length; and concatenating the feature field with the copied field to obtain the extended feature field.

[0121] Step S205: Encrypt the data content field using a dynamic key to obtain ciphertext data.

[0122] In this embodiment, the data content field can be grouped according to a second preset bit length to obtain n blocks to be encrypted; the preset initialization vector can be incremented n times by a counter to obtain n intermediate dynamic vectors; each intermediate dynamic vector can be encrypted using a dynamic key to obtain n session keys; each session key can be XORed with the corresponding block to be encrypted to obtain the target encrypted data corresponding to each block to be encrypted; each target encrypted data can be arranged according to the order of each block to be encrypted in the data content field to obtain ciphertext data.

[0123] In one feasible implementation of this application, for the last block to be encrypted, if the bit length of the last block to be encrypted is less than the second preset bit length, the bit length of the last block to be encrypted is extended to the second preset bit length to obtain an intermediate block to be encrypted; the session key corresponding to the last block to be encrypted is XORed with the intermediate block to be encrypted to obtain intermediate encrypted data; based on the bit length of the last block to be encrypted, a byte removal operation is performed on the intermediate encrypted data to obtain the target encrypted data corresponding to the last block to be encrypted.

[0124] In one feasible implementation of this application, for the last block to be encrypted, if the bit length of the last block to be encrypted is less than the second preset bit length, a subsequence with the same bit length as the last block to be encrypted is extracted from the session key corresponding to the last block to be encrypted as the target session key, and the target session key is XORed with the last block to be encrypted to obtain the target encrypted data corresponding to the last block to be encrypted.

[0125] Step S206: Reassemble the ciphertext data with the packet header data field in the network data to obtain reassembled data. Based on the reassembled data, perform frame check sequence calculation to obtain a new frame check sequence.

[0126] Step S207: Combine the reconstructed data and the frame check sequence to obtain a reconstructed data frame, and send the reconstructed data frame.

[0127] In one feasible embodiment of this application, the data encryption method may further include: sending network data when the data policy representation is directly forwarded.

[0128] When the data receiver receives the reconstructed data frame, it can parse the reconstructed data frame to obtain the ciphertext data and feature fields. Then, according to the method steps for obtaining the dynamic key in the aforementioned embodiment two, it can obtain the dynamic key using its own stored encryption key and feature fields. Since the encryption key stored by the receiver is the same as the encryption key in the aforementioned embodiment two, the data receiver can use the dynamic key to decrypt the ciphertext data to obtain the plaintext data, i.e., the data content field.

[0129] It should be understood that, for the sake of brevity, some of the content described in Embodiment 1 will not be repeated in this embodiment.

[0130] Example 3: Based on the same inventive concept, this embodiment provides an electronic device, see [link to relevant documentation]. Figure 3 As shown, it includes a processor 301 and a memory 302. Wherein: The processor 301 is used to execute one or more programs stored in the memory 302 to implement the above-described data encryption method.

[0131] It is understandable that processor 301 can be a processor core or processor chip, or other circuitry capable of program configuration and execution. Memory 302 can be RAM (Random Access Memory), ROM (Read-Only Memory), flash memory, etc., but this is not a limitation.

[0132] It's understandable. Figure 3 The structure shown is for illustrative purposes only; the electronic device may also include components that are more advanced than those shown. Figure 3 The more or fewer components shown, or having the same Figure 3 Different configurations are shown. For example, it may also have an internal communication bus for communication between the processor 301 and the memory 302; or it may have an external communication interface, such as a USB (Universal Serial Bus) interface, a CAN (Controller Area Network) bus interface, etc.; or it may have an information display component such as a display screen, but this is not a limitation.

[0133] Based on the same inventive concept, this embodiment also provides a computer-readable storage medium, such as a floppy disk, optical disk, hard disk, flash memory, USB flash drive, SD (Secure Digital Memory Card), MMC (Multimedia Card), etc., in which one or more programs implementing the above steps are stored. These one or more programs can be executed by one or more processors to implement the above data encryption method. Further details will not be elaborated here.

[0134] Based on the same inventive concept, this embodiment also provides a computer program product, which includes a computer program that, when executed by a processor, implements the above-described data encryption method.

[0135] In the embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. Furthermore, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Additionally, the displayed or discussed mutual couplings, direct couplings, or communication connections may be through some communication interfaces; indirect couplings or communication connections between devices or units may be electrical, mechanical, or other forms.

[0136] Furthermore, the units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0137] Furthermore, the functional modules in the various embodiments of this application can be integrated together to form an independent part, or each module can exist independently, or two or more modules can be integrated to form an independent part.

[0138] In this document, relational terms such as first and second are used only to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any such actual relationship or order between these entities or operations.

[0139] In this article, "multiple" refers to two or more.

[0140] The above description is merely an embodiment of this application and is not intended to limit the scope of protection of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application.

Claims

1. A data encryption chip, characterized in that, include: The data transceiver module is used to receive and / or send network data; The packet header parsing module is used to parse the network data to obtain the IP 5-tuple, feature fields, and data content fields; the feature fields include some or all of the fields in the packet header data field of the network data; The strategy matching module is used to obtain the IP 5-tuple from the packet header parsing module and determine the data processing strategy of the network data based on the IP 5-tuple. A dynamic key combination module is used to obtain a dynamic key based on the feature field and the encryption key when the data processing strategy represents data encryption; wherein, when the data processing strategy represents data encryption, the data processing strategy includes the encryption key; An encryption module is used to encrypt the data content field using the dynamic key to obtain ciphertext data.

2. The data encryption chip according to claim 1, characterized in that, The dynamic key combination module is specifically used to: when the bit length of the feature field is less than the first preset bit length, extend the bit length of the feature field to the first preset bit length to obtain an extended feature field; The first preset bit length is the same as the bit length of the encryption key; the encryption key and the extended feature field are XORed bitwise to obtain the dynamic key.

3. The data encryption chip according to claim 2, characterized in that, The dynamic key combination module is specifically used to extend the bit length of the feature field to the first preset bit length in the following way to obtain the extended feature field: pad the high bits of the feature field with zeros until the bit length of the feature field is equal to the first preset bit length, thereby obtaining the extended feature field.

4. The data encryption chip according to claim 2, characterized in that, The dynamic key combination module is specifically used to extend the bit length of the feature field to the first preset bit length in the following manner to obtain the extended feature field: When the first preset bit length is an integer multiple of the bit length of the feature field, the feature field is copied until the sum of the bit length of the copied field and the bit length of the feature field is equal to the first preset bit length. The feature field is concatenated with the copied field to form the extended feature field.

5. The data encryption chip according to claim 1, characterized in that, The encryption module is specifically used for: The data content field is grouped according to the second preset bit length to obtain n blocks to be encrypted; By performing n increment operations on the preset initialization vector using a counter, n intermediate dynamic vectors are obtained. Each of the intermediate dynamic vectors is encrypted using the dynamic key to obtain n session keys; Perform an XOR operation between each session key and the corresponding block to be encrypted to obtain the target encrypted data corresponding to each block to be encrypted. Arrange each target encrypted data according to the order of each block to be encrypted in the data content field to obtain the ciphertext data.

6. The data encryption chip according to claim 5, characterized in that, The encryption module is specifically used for: For the last block to be encrypted, if the bit length of the last block to be encrypted is less than the second preset bit length, the bit length of the last block to be encrypted is extended to the second preset bit length to obtain an intermediate block to be encrypted. The session key corresponding to the last block to be encrypted is XORed with the intermediate block to be encrypted to obtain intermediate encrypted data. Based on the bit length of the last block to be encrypted, a byte removal operation is performed on the intermediate encrypted data to obtain the target encrypted data corresponding to the last block to be encrypted.

7. The data encryption chip according to any one of claims 1 to 6, characterized in that, The packet header parsing module is specifically used to: determine whether the protocol type of the network data is the target protocol and whether the network data is an IP packet; and, if the network data is an IP packet and the protocol type of the network data is the target protocol, parse the network data to obtain the IP 5-tuple, feature field, and data content field.

8. The data encryption chip according to any one of claims 1 to 6, characterized in that, The data transceiver module is also used to: send the network data when the data processing strategy indicates direct forwarding.

9. The data encryption chip according to any one of claims 1 to 6, characterized in that, The data encryption chip also includes: The data reconstruction module is used to reconstruct the encrypted data with the packet header data field in the network data to obtain reconstructed data; based on the reconstructed data, perform frame check sequence calculation to obtain a new frame check sequence; and combine the reconstructed data and the frame check sequence to obtain a reconstructed data frame. The data transceiver module is also used to send the reassembled data frame.

10. A data encryption method, characterized in that, include: Acquire network data; The network data is parsed to obtain the IP quintuple, feature fields, and data content fields; The feature fields include some or all of the header data fields of the network data; The data processing strategy for the network data is determined based on the IP quintuple; When the data processing strategy characterizes data encryption, a dynamic key is obtained based on the feature field and the encryption key; wherein, when the data processing strategy characterizes data encryption, the data processing strategy includes an encryption key; The data content field is encrypted using the dynamic key to obtain ciphertext data.

11. The method according to claim 10, characterized in that, Obtaining a dynamic key based on the aforementioned feature fields and encryption key includes: If the bit length of the feature field is less than the first preset bit length, the bit length of the feature field is extended to the first preset bit length to obtain an extended feature field; the first preset bit length is the same as the bit length of the encryption key. The dynamic key is obtained by performing a bitwise XOR operation between the encryption key and the extended feature field.

12. The method according to claim 11, characterized in that, Extending the bit length of the feature field to the first preset bit length to obtain the extended feature field includes: The feature field is padded with zeros at the high bits until the bit length of the feature field is equal to the first preset bit length, thus obtaining the extended feature field.

13. The method according to claim 11, characterized in that, Extending the bit length of the feature field to the first preset bit length to obtain the extended feature field includes: When the first preset bit length is an integer multiple of the bit length of the feature field, the feature field is copied until the sum of the bit length of the copied field and the bit length of the feature field is equal to the first preset bit length. The feature field is concatenated with the copied field to form the extended feature field.

14. The method according to claim 10, characterized in that, The data content field is encrypted using the dynamic key to obtain ciphertext data, including: The data content field is grouped according to the second preset bit length to obtain n blocks to be encrypted; By performing n increment operations on the preset initialization vector using a counter, n intermediate dynamic vectors are obtained. Each of the intermediate dynamic vectors is encrypted using the dynamic key to obtain n session keys; Perform an XOR operation between each session key and the corresponding block to be encrypted to obtain the target encrypted data corresponding to each block to be encrypted. Arrange each target encrypted data according to the order of each block to be encrypted in the data content field to obtain the ciphertext data.

15. The method according to claim 14, characterized in that, The encrypted data is obtained by performing an XOR operation between each session key and the corresponding block to be encrypted, including: For the last block to be encrypted, if the bit length of the last block to be encrypted is less than the second preset bit length, the bit length of the last block to be encrypted is extended to the second preset bit length to obtain an intermediate block to be encrypted. The session key corresponding to the last block to be encrypted is XORed with the intermediate block to be encrypted to obtain intermediate encrypted data. Based on the bit length of the last block to be encrypted, a byte removal operation is performed on the intermediate encrypted data to obtain the target encrypted data corresponding to the last block to be encrypted.

16. The method according to any one of claims 10 to 15, characterized in that, The network data is parsed to obtain the IP 5-tuple, feature fields, and data content fields, including: Determine whether the protocol type of the network data is the target protocol and whether the network data is an IP packet; When the network data is an IP packet and the protocol type of the network data is the target protocol, the network data is parsed to obtain the IP 5-tuple, feature field, and data content field.

17. The method according to any one of claims 10 to 15, characterized in that, Also includes: In the case where the data policy characterizes direct forwarding, the network data is sent.

18. The method according to any one of claims 10 to 15, characterized in that, After encrypting the data content field using the dynamic key to obtain ciphertext data, the method further includes: The encrypted data is reconstructed with the packet header data field in the network data to obtain reconstructed data; Based on the recombined data, a frame check sequence is calculated to obtain a new frame check sequence; The reconstructed data and the frame verification sequence are combined to obtain a reconstructed data frame; Send the reassembled data frame.

19. An electronic device, characterized in that, The device includes a processor and a memory, the memory storing computer-executable instructions that can be executed by the processor, the processor executing the computer-executable instructions to implement the data encryption method according to any one of claims 10 to 18.

20. A computer storage medium, characterized in that, The storage medium stores computer-executable instructions, which, when invoked and executed by a processor, cause the processor to implement the data encryption method according to any one of claims 10 to 18.

21. A computer program product, characterized in that, The computer program product includes a computer program that, when executed by a processor, implements the data encryption method according to any one of claims 10 to 18.