CN103269301A - Desktop type IPSecVPN cryptographic machine and networking method - Google Patents
- Publication number
- CN103269301A (application CN2013102072118A)
- Authority
- CN
- China
- Prior art keywords
- ipsecvpn
- chip
- network
- cipher machine
- desktop type
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a desktop type IPSecVPN cryptographic machine and a networking method, and relates to virtual private network technology. They solve the problems that end users cannot be protected when using existing encryption products, and that existing encryption products are large, expensive and difficult to implement. The desktop type IPSecVPN cryptographic machine comprises an intelligent cipher key, a USB interface chip, an encryption and decryption algorithm chip, a secure storage chip, an embedded processor and an Ethernet interface chip. In the networking method, a client computer is connected to the embedded processor through the USB interface chip, which carries the interactive data; the encryption and decryption algorithm chip and the secure storage chip are connected to the embedded processor through buses and provide device key storage and the data encryption and decryption algorithm; the embedded processor converts the data into network packets through the Ethernet interface chip and transmits them to the external Internet. The cryptographic machine is small, low in power consumption, convenient to connect, plug and play, and suitable for portable use. The networking scheme based on the cryptographic machine has a high transmission speed.
Description
Technical field
The present invention relates to virtual private network technology, and in particular to a high-security, low-cost, small-volume cipher machine device that provides secure communication services to end users, together with the most complex networking scheme protected by this cipher machine.
Background technology
At present, VPN (Virtual Private Network) is the most widely used network security technology; it provides a complete solution that balances economy and security. To date, the products that implement encrypted communication over a virtual private network in accordance with the State Cryptography Administration's "IPSecVPN Technical Specification" fall into three main kinds:
One, software encryption based on the terminal operating system. Because this mode is designed on top of the operating system, vulnerabilities are unavoidable. Once an attack succeeds and sensitive information is intercepted, the attacker can bypass the VPN security protocol and send that information directly through ordinary network equipment, causing leakage of sensitive information. To date, the State Cryptography Administration has not approved any software-class cipher machine.
Two, hardware-based security encryption gateway. This kind of encryption device takes the form of a hardware gateway; it suits establishing an intranet between branch sites of a certain scale and focuses on protecting communication between gateways. But because what it protects is the local area network, it cannot protect at the end user, so the meaning of terminal protection is lost. In addition, such equipment is large and expensive and is not suitable for widespread deployment.
Three, hardware-based secure network card that encrypts at the end user. First, this kind of encryption device takes the form of a network interface card, which requires that the basic functions and the state machine all be implemented on a hardware chip in a hardware description language, and that is rather difficult. Second, the encryption device must maintain network communication speed while implementing secure communication and must remain convenient for the user terminal. Investigation shows that products of the same type currently made by a Wuxi manufacturer still have a large gap in indicators such as communication speed and volume.
Summary of the invention
To solve the problems that existing security products cannot protect at the end user, are large, are expensive and are difficult to implement, the present invention provides a desktop type IPSecVPN cipher machine and a networking scheme.
The desktop type IPSecVPN cipher machine comprises an intelligent cipher key, a USB interface chip, an encryption and decryption algorithm chip, a secure storage chip, an embedded processor and an Ethernet interface chip. The cipher machine is provisioned at the factory with an administrator intelligent cipher key and a default PIN; after verification the administrator activates the cipher machine and sets, deletes or changes the device key through the computer management interface. The client computer is connected to the embedded processor through the USB interface chip, which carries the interactive data. The encryption and decryption algorithm chip and the secure storage chip are connected to the embedded processor through buses and provide device key storage and the data encryption and decryption computation. The embedded processor converts the data into network packets and transmits them to the external Internet through the Ethernet interface chip.
The networking method of the desktop type IPSecVPN cipher machine is realized by the following steps:
Step 1: after the user logs in to the cipher machine with the intelligent cipher key and PIN, the cipher machine automatically reads the security policy configured by the administrator and saves it in the Security Policy Database;
Step 2: when an IP packet is sent from the user's computer to the Internet, the outbound processing module first queries the Security Association Database for a corresponding Security Association; if one exists, step 3 is executed; if none exists, the Security Association module initiates IKE negotiation according to the connect command sent by the user, establishes the Security Association, and then step 3 is executed;
Step 3: an outbound message first looks up the corresponding IPSec SA in the Security Association Database by destination IP address; the key specified by that SA is used to encrypt the IP message and to compute the integrity check value, and after ESP encapsulation is complete the packet is sent through the Ethernet interface chip. An inbound message looks up the corresponding IPSec SA in the Security Association Database by SPI and source IP address; the key specified by the SA is used to verify the integrity of the ESP payload, and if the check passes the ESP payload is decrypted, the ESP message is decapsulated, and the result is uploaded to the computer through the USB interface chip.
Beneficial effects of the present invention: the desktop type IPSecVPN cipher machine of the present invention has the following advantages: one, it provides a provable security basis and fully follows the relevant specifications of the State Cryptography Administration; two, it realizes a true end-to-end encryption tunnel at the end user; three, it is small, low in power consumption, convenient to interface, plug and play, and suitable for portable use; four, it uses little hardware and is low in cost. The transmission speed of the networking method based on this cipher machine is high.
Description of drawings
Fig. 1 is the structural representation of cipher machine of the present invention;
Fig. 2 is the internal work state machine schematic diagram of cipher machine of the present invention;
Fig. 3 is the networking structure schematic diagram of embodiment three.
Embodiment
Embodiment one is described with reference to Fig. 1. The desktop type IPSecVPN cipher machine comprises a plug-and-play intelligent cipher key for user identity authentication approved for production by the State Cryptography Administration, a USB interface chip, the SSX30 encryption and decryption algorithm chip approved by the State Cryptography Administration, the SSX43 secure storage chip approved for production by the State Cryptography Administration, an embedded processor, an Ethernet interface chip, a network filter and a network interface. The client computer is connected to the embedded processor through the USB interface chip, which mainly carries the interactive data and whose communication speed must meet normal online demand. The algorithm chip and the secure chip are connected to the embedded processor by bus and are mainly used for device key storage and data encryption and decryption computation. The embedded processor converts the data into network packets through the Ethernet interface chip, which then pass through the network filter and the network interface onto the network cable and are connected to the external Internet.
The device of this embodiment is provisioned at the factory with an administrator intelligent cipher key and a default PIN; after verification the administrator can activate the cipher machine and set, delete or change the device key through the computer management interface. After the device key has been replaced and the users of the cipher machine have been determined, security policies should be set according to the communication objects. Once the above work is complete, the end user can log in with his own intelligent cipher key and PIN and carry out secure encrypted communication.
To provide provable security, the cipher machine of this embodiment requires that a desktop VPN encryption device follow the "IPSecVPN Technical Specification" promulgated by the State Cryptography Administration, and it uses the SM1 cryptographic algorithm and the SSX30-F algorithm chip approved by the State Cryptography Administration. To guarantee the security of the device key, the SZD24-E intelligent cipher key is selected as the storage carrier. To meet the requirements of mobile users, USB is selected as the data interface of the encryption device, and the USB port is also used to power it. To strengthen compatibility, the encryption device adopts the same standard and working mode as a standard network card.
Table 1 compares some performance parameters of the desktop type IPSecVPN cipher machine of this embodiment with those of a product of the same type made by a Wuxi manufacturer. On the comparable indicators the desktop type IPSecVPN cipher machine has clear advantages in algorithm computing speed, volume and plug-and-play interfacing; besides meeting the requirement of high-definition screen transmission in data transfer bandwidth, this cipher machine is also small, low in cost and plug and play.
Table 1
The technical indicators of the cipher machine of this embodiment are listed in Table 2:
Table 2
Embodiment two is described with reference to Fig. 2 and Fig. 3; it is the networking method of the desktop type IPSecVPN cipher machine of embodiment one. After the user logs in to the device with the intelligent cipher key and PIN, the encryption device automatically reads the security policy that the administrator configured for that user and saves it in the Security Policy Database.
When an IP packet is sent from the user's computer to the Internet, the outbound processing module first queries the Security Association Database for a corresponding Security Association; if none exists, the Security Association module can initiate IKE negotiation according to the "connect" command sent by the user. Before IKE negotiation is carried out, the Security Policy Database is queried for a corresponding policy entry; if no rule is found, negotiation is refused. If a corresponding security policy exists, IKE negotiation is initiated in strict accordance with the State Cryptography Administration's "IPSecVPN Technical Specification". Negotiation is divided into two phases: the first phase produces an ISAKMP SA (the working key that protects the negotiation of the next phase), and the second phase produces the IPSec SA (which actually protects the user's IP communication), thereby establishing the Security Association. The same strategy is applied when an IP packet is inbound.
After IKE negotiation finishes and the Security Association has been established, an outbound message first looks up the corresponding IPSec SA in the Security Association Database by destination IP address; the key specified by that SA is used to encrypt the IP message and to compute the integrity check value, and after ESP encapsulation is complete the packet is sent through the Ethernet interface. An inbound message looks up the corresponding IPSec SA in the Security Association Database by SPI and source IP address; the key specified by the SA is used to verify the integrity of the ESP payload, and if the check passes the ESP payload is decrypted, the ESP message is decapsulated, and the result is uploaded to the computer through the USB interface.
The user of this embodiment may connect directly with a fixed legitimate IP address, connect with a dynamic legitimate IP address, or connect by NAT traversal from an internal private IP address; the supported end-user forms include personal computers and large application servers.
The desktop type IPSecVPN cipher machine of this embodiment can adapt to networks of various complexity; one of the most complex client connection modes is as follows:
The user terminals of this complex network comprise: an application server and users A and B, which have fixed legitimate IP addresses and access the external Internet directly through cipher machines; user C, who has a dynamic legitimate IP address and accesses the Internet by ADSL; user D, who has a dynamic legitimate IP address and accesses the Internet by telecom fibre broadband; users E and F, who are located on an internal subnet with private IP addresses and whose traffic is address-translated by a NAT gateway holding a legitimate IP address; and an application server that accesses the Internet through a cipher machine. Clients (two or more) can access the Internet in any of the above forms and communicate securely, and up to 300 simultaneously online clients are supported.
The networking method of the cipher machine of this embodiment comprehensively solves channel security and prevents active attacks. In the encryption device, the execution environment of the VPN security protocol is completely separated from the operating system of the networked computer: the computer is only responsible for supplying or receiving data, and that data can only be sent after it has been processed by the VPN security protocol, so no program can bypass the VPN security protocol when using the network device. The VPN security protocol comprises identity authentication, key management, encryption and decryption, and integrity checking. Therefore the encryption device communicates only with legitimate users; because an illegitimate user cannot present valid identity credentials, the encryption device refuses to communicate with it after identity authentication, which effectively blocks active attacks launched by a malicious attacker against the networked computer. Further, even if an attacker impersonates a legitimate user by means such as IP spoofing and communicates with the encryption device, the attacker does not know the working key and session key negotiated by the communicating parties, so the malicious data injected into the encryption device becomes meaningless garbage after decryption with the wrong key; viruses and trojan programs are thereby effectively screened out, and the security of the computer host is guaranteed.
The networking method of this embodiment proposes a logical subnet partitioning scheme based on policy configuration: the security policy determines which users, in which network, an end user may communicate with securely. Thus, through policy configuration the whole network can be divided into multiple logical subnets, and the structure of the logical subnets changes when the policy changes, achieving logical isolation between users of different security levels.
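The outbound and inbound paths of steps 2 and 3, including the SPD check that refuses negotiation when no policy entry exists and the order "verify the ICV, then decrypt" on the inbound side, as an added simulation; this is not the patent's code. Assumptions: the SM1 computation on the SSX30 chip is replaced by an HMAC-SHA256 keystream (a constructed stand-in, since the control flow is the point), the two-phase IKE exchange is replaced by a local function that just installs a fresh SA pair, and the policy is modelled as a set of permitted peer addresses.

```python
"""Simulation of the cipher machine's ESP processing path (SPD/SAD lookups,
ESP wrap/unwrap with integrity check). Added example, not the patent's code."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field


@dataclass
class SA:                      # one IPSec SA as stored in the SAD
    spi: int
    peer: str                  # remote IP this SA was negotiated with
    enc_key: bytes
    auth_key: bytes


@dataclass
class CipherMachine:
    addr: str
    spd: set = field(default_factory=set)        # policy: permitted peer IPs (assumed model)
    sad_out: dict = field(default_factory=dict)  # dst IP -> SA         (outbound lookup key)
    sad_in: dict = field(default_factory=dict)   # (SPI, src IP) -> SA  (inbound lookup key)


def keystream(key: bytes, spi: int, n: int) -> bytes:
    # Constructed stand-in for the SM1 chip: expand key and SPI into n bytes.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">IQ", spi, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def negotiate(a: CipherMachine, b: CipherMachine) -> bool:
    """Stand-in for IKE: refuse when either SPD lacks an entry for the peer,
    otherwise install one SA per direction in both machines' SADs."""
    if b.addr not in a.spd or a.addr not in b.spd:
        return False
    for src, dst in ((a, b), (b, a)):
        sa = SA(int.from_bytes(os.urandom(4), "big"), dst.addr, os.urandom(16), os.urandom(16))
        src.sad_out[dst.addr] = sa
        dst.sad_in[(sa.spi, src.addr)] = sa
    return True


def outbound(m: CipherMachine, dst: str, payload: bytes):
    """Step 3, outbound: SA by destination IP, encrypt, append ICV, ESP-wrap.
    Returns None when no SA exists (step 2 requires negotiation first)."""
    sa = m.sad_out.get(dst)
    if sa is None:
        return None
    hdr = struct.pack(">I", sa.spi)
    ct = xor(payload, keystream(sa.enc_key, sa.spi, len(payload)))
    icv = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:12]
    return hdr + ct + icv


def inbound(m: CipherMachine, src: str, pkt: bytes):
    """Step 3, inbound: SA by (SPI, source IP); verify the ICV before any
    decryption; a failed check drops the packet and returns None."""
    if len(pkt) < 16:
        return None
    spi = struct.unpack(">I", pkt[:4])[0]
    sa = m.sad_in.get((spi, src))
    if sa is None:
        return None
    body, icv = pkt[:-12], pkt[-12:]
    expect = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, expect):
        return None
    ct = body[4:]
    return xor(ct, keystream(sa.enc_key, sa.spi, len(ct)))


def demo():
    # Constructed addresses: a and b permit each other, c is not in a's policy.
    a = CipherMachine("10.0.0.1", spd={"10.0.0.2"})
    b = CipherMachine("10.0.0.2", spd={"10.0.0.1"})
    c = CipherMachine("10.0.0.3", spd={"10.0.0.1"})
    refused = negotiate(a, c)                  # False: no SPD entry, negotiation refused
    negotiate(a, b)
    pkt = outbound(a, b.addr, b"hello")
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])  # flip one ICV bit
    return refused, inbound(b, a.addr, pkt), inbound(b, a.addr, tampered)
```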
Claims (5)
1. A desktop type IPSecVPN cipher machine comprising an intelligent cipher key, a USB interface chip, an encryption and decryption algorithm chip, a secure storage chip, an embedded processor and an Ethernet interface chip; characterized in that the cipher machine is provisioned at the factory with an administrator intelligent cipher key and a default PIN, and after verification the administrator activates the cipher machine and sets, deletes or changes the device key through the computer management interface; the client computer is connected to the embedded processor through the USB interface chip, which carries the interactive data; the encryption and decryption algorithm chip and the secure storage chip are connected to the embedded processor through buses and provide device key storage and the data encryption and decryption computation; and the embedded processor converts the data into network packets and transmits them to the external Internet through the Ethernet interface chip.
2. The desktop type IPSecVPN cipher machine according to claim 1, characterized in that it further comprises a network filter and a network interface; the network packets pass through the network filter and the network interface onto the network cable and are connected to the external Internet.
3. A networking method based on the desktop type IPSecVPN cipher machine of claim 1, characterized in that the method is realized by the following steps:
Step 1: after the user logs in to the cipher machine with the intelligent cipher key and PIN, the cipher machine automatically reads the security policy configured by the administrator and saves it in the Security Policy Database;
Step 2: when an IP packet is sent from the user's computer to the Internet, the outbound processing module first queries the Security Association Database for a corresponding Security Association; if one exists, step 3 is executed; if none exists, the Security Association module initiates IKE negotiation according to the connect command sent by the user, establishes the Security Association, and then step 3 is executed;
Step 3: an outbound message first looks up the corresponding IPSec SA in the Security Association Database by destination IP address; the key specified by that SA is used to encrypt the IP message and to compute the integrity check value, and after ESP encapsulation is complete the packet is sent through the Ethernet interface chip; an inbound message looks up the corresponding IPSec SA in the Security Association Database by SPI and source IP address; the key specified by the SA is used to verify the integrity of the ESP payload, and if the check passes the ESP payload is decrypted, the ESP message is decapsulated, and the result is uploaded to the computer through the USB interface chip.
4. The networking method of the desktop type IPSecVPN cipher machine according to claim 3, characterized in that step 2 further comprises, before IKE negotiation is carried out, first querying the Security Policy Database for a corresponding policy entry; if no rule is found, negotiation is refused; if a corresponding security policy exists, IKE negotiation is initiated in accordance with the State Cryptography Administration's IPSecVPN Technical Specification, the negotiation being divided into two phases, the first phase producing an ISAKMP SA and the second phase producing the IPSec SA, thereby establishing the Security Association.
5. The networking method of the desktop type IPSecVPN cipher machine according to claim 3, characterized in that the connection between the user and the cipher machine is made directly with a fixed legitimate IP address, with a dynamic legitimate IP address, or by NAT traversal from an internal private IP address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2013102072118A CN103269301A (en) | 2013-05-30 | 2013-05-30 | Desktop type IPSecVPN cryptographic machine and networking method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2013102072118A CN103269301A (en) | 2013-05-30 | 2013-05-30 | Desktop type IPSecVPN cryptographic machine and networking method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103269301A true CN103269301A (en) | 2013-08-28 |
Family
ID=49012910
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2013102072118A Pending CN103269301A (en) | 2013-05-30 | 2013-05-30 | Desktop type IPSecVPN cryptographic machine and networking method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103269301A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6047325A (en) * | 1997-10-24 | 2000-04-04 | Jain; Lalit | Network device for supporting construction of virtual local area networks on arbitrary local and wide area computer networks |
CN102664896A (en) * | 2012-04-28 | 2012-09-12 | 郑州信大捷安信息技术股份有限公司 | Safety network transmission system and method based on hardware encryption |
CN102932229A (en) * | 2012-11-20 | 2013-02-13 | 成都卫士通信息产业股份有限公司 | Method for carrying out encryption and decryption processing on data packet |
Non-Patent Citations (1)
Title |
---|
王振等: "高速VPN 密码机系统设计", 《计算机安全》 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107911212A (en) * | 2017-11-09 | 2018-04-13 | 安徽皖通邮电股份有限公司 | One kind bridge joint transmits encrypted method |
CN111541658A (en) * | 2020-04-14 | 2020-08-14 | 许艺明 | PCIE prevents hot wall |
CN111541658B (en) * | 2020-04-14 | 2024-05-31 | 许艺明 | PCIE firewall |
CN113206775A (en) * | 2021-04-16 | 2021-08-03 | 中科开创(广州)智能科技发展有限公司 | Terminal access equipment with CAN bus function, application method and device |
CN114173312A (en) * | 2021-12-14 | 2022-03-11 | 乾讯信息技术(无锡)有限公司 | Method for realizing wireless network VPN cipher machine without any physical connection |
CN114244762A (en) * | 2021-12-14 | 2022-03-25 | 乾讯信息技术(无锡)有限公司 | Method for realizing network VPN cipher machine based on non-IP address |
CN114912129A (en) * | 2022-03-28 | 2022-08-16 | 中安云科科技发展(山东)有限公司 | Portable VPN equipment with hardware encryption function |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20130828 |