CN111400700B - Encryption method, apparatus, device and computer-readable storage medium for a switch
- Publication number: CN111400700B (also listed as CN202010163970.9A)
- Authority: CN (China)
- Prior art keywords: switch, data, encryption, program, chip
- Legal status: Active
Classifications
- G06F21/46: Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
- G06F21/602: Providing cryptographic facilities or services
- H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
Abstract
The invention discloses an encryption method, apparatus, device and storage medium for a switch. The method comprises the steps of: after the hardware system of the switch is powered on and started, performing key authentication on the startup program that starts the hardware system, so that the operating system of the switch is started after the startup program passes key authentication; and after the operating system has started, receiving data packets through the switching chip in the switch, parsing the data packets with the FPGA chip in the switch, and encrypting the parsed data. After the hardware system is powered on and started, the invention performs key authentication on the startup program in order to start the operating system, receives data packets through the switching chip, parses the data packets with the FPGA chip and encrypts the parsed data. This prevents the switch program from being brute-force cracked and encrypts the switch data, thereby improving the security of the switch.
Description
Technical field
The present invention relates to the technical field of encryption, and in particular to an encryption method, apparatus, device and computer-readable storage medium for a switch.
Background
At present, Ethernet switches use a transparent, unified transmission control protocol. Under this protocol the switch's programs and data are open, with no encryption and no monitoring, which leaves the switch program exposed to brute-force cracking and the switch data exposed to leakage. The security of current Ethernet switches is therefore low.
Summary of the invention
The main purpose of the present invention is to provide an encryption method, apparatus, device and storage medium for a switch, aiming to solve the technical problem that existing Ethernet switches have low security.
To achieve the above object, the present invention provides an encryption method for a switch, the method comprising the steps of:
after the hardware system of the switch is powered on and started, performing key authentication on the startup program that starts the hardware system, so that the operating system of the switch is started after the startup program passes key authentication;
after the operating system has started, receiving a data packet through the switching chip in the switch, parsing the data packet with the field-programmable gate array (FPGA) chip in the switch, and encrypting the parsed data.
Preferably, the step of receiving a data packet through the switching chip in the switch after the operating system has started, parsing the data packet with the FPGA chip in the switch, and encrypting the parsed data comprises:
after the operating system has started, receiving, through the switching chip in the switch, a data packet sent by a first terminal device from the Ethernet data port of the switch;
parsing the data packet with the FPGA chip of the switch to obtain the valid data in the data packet, and encrypting the valid data with a preset encryption algorithm.
Preferably, the step of parsing the data packet with the FPGA chip of the switch to obtain the valid data in the data packet, and encrypting the valid data with a preset encryption algorithm comprises:
unpacking the data packet according to the data packet format in the FPGA chip to obtain unpacked data;
extracting from the unpacked data according to the valid data field preset in the FPGA chip to obtain valid data;
encrypting the valid data with the encryption algorithm preset in the FPGA chip.
Preferably, the step of performing key authentication on the startup program that starts the hardware system after the hardware system of the switch is powered on and started, so that the operating system of the switch is started after the startup program passes key authentication, comprises:
after the hardware system of the switch is powered on and started, reading the startup program that starts the hardware system from the pre-programmed flash of the switch's memory chip, wherein the startup program is a boot program;
loading the boot program into the internal SRAM of the switch and running it there, so as to start the boot program;
after the boot program has started, reading the key file in the external encryption chip on the switch PCB;
performing key authentication on the boot key file in the boot program using the key file, so that the operating system of the switch is started after the startup program passes key authentication.
Preferably, the step of performing key authentication on the boot key file in the boot program using the key file, so that the operating system of the switch is started after the startup program passes key authentication, comprises:
reading the boot key file into the key file of the encryption chip for a key check, obtaining the check result of the key authentication, and verifying whether the check result is a pass;
if the check result is verified as a pass, starting the operating system of the switch.
Preferably, before the step of performing key authentication on the startup program that starts the hardware system after the hardware system of the switch is powered on and started, so that the operating system of the switch is started after the startup program passes key authentication, the method further comprises:
detecting whether the boot program in the switch's memory chip has been updated;
if it is detected that the boot program has been updated, powering on and starting the hardware system of the switch.
Preferably, after the step of receiving a data packet through the switching chip in the switch after the operating system has started, parsing the data packet with the FPGA chip in the switch, and encrypting the parsed data, the method further comprises:
re-encapsulating the encrypted data according to the data packet format in the FPGA chip to obtain an encapsulated data packet;
sending the encapsulated data packet to a second terminal device through the Ethernet data port of the switch, so that the second terminal device, after receiving the encapsulated data packet, unpacks it, extracts the encrypted data, and decrypts the encrypted data to obtain the valid data in the encapsulated data packet.
In addition, to achieve the above object, the present invention also provides an encryption apparatus for a switch, comprising:
an authentication module, configured to perform key authentication on the startup program that starts the hardware system after the hardware system of the switch is powered on and started, so that the operating system of the switch is started after the startup program passes key authentication;
a receiving module, configured to receive data packets through the switching chip in the switch after the operating system has started;
a parsing module, configured to parse the data packets with the FPGA chip in the switch;
an encryption module, configured to encrypt the parsed data.
In addition, to achieve the above object, the present invention also provides an encryption device for a switch. The device comprises a memory, a processor, and a switch encryption program stored in the memory and run on the processor; when executed by the processor, the switch encryption program implements the steps of the switch encryption method described above.
In addition, to achieve the above object, the present invention also provides a computer-readable storage medium on which a switch encryption program is stored; when executed by a processor, the switch encryption program implements the steps of the switch encryption method described above.
After the hardware system is powered on and started, the present invention performs key authentication on the startup program that starts the hardware system in order to start the operating system, receives data packets through the switching chip, parses the data packets with the FPGA chip, and encrypts the parsed data. In the switch encryption process, therefore, key authentication is performed on the startup program after the hardware system is powered on and started, and the operating system is started only after the startup program passes key authentication, which prevents the switch program from being brute-force cracked. After the operating system has started, data packets are received through the switching chip and parsed by the FPGA chip, and the parsed data is encrypted, which prevents leakage of switch data. The switch is thereby protected by two layers of encryption, which improves its security.
Description of the drawings
Fig. 1 is a schematic flowchart of the first embodiment of the switch encryption method of the present invention;
Fig. 2 is a schematic structural diagram of a preferred embodiment of the switch encryption apparatus of the present invention;
Fig. 3 is a schematic structural diagram of the hardware operating environment involved in the embodiments of the present invention.
The realization of the object, the functional characteristics and the advantages of the present invention are further described below in conjunction with the embodiments and with reference to the drawings.
Detailed description
It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
The present invention provides an encryption method for a switch. Referring to Fig. 1, Fig. 1 is a schematic flowchart of the first embodiment of the switch encryption method of the present invention.
The embodiments of the present invention provide an embodiment of the switch encryption method. It should be noted that although a logical order is shown in the flowchart, under certain data conditions the steps shown or described may be carried out in an order different from the one given here.
The switch encryption method comprises:
Step S10: after the hardware system of the switch is powered on and started, perform key authentication on the startup program that starts the hardware system, so that the operating system of the switch is started after the startup program passes key authentication.
After the hardware system of the switch is powered on and started, the switch uses its encryption chip to perform key authentication on the startup program that starts the hardware system. After the startup program passes key authentication, the switch starts its operating system.
The hardware system includes a switching chip, a memory chip, an encryption chip, an FPGA (Field Programmable Gate Array) chip and so on. The switching chip receives data packets; the memory chip stores the boot (startup command) program; the encryption chip performs key authentication on the boot program; the FPGA chip parses data packets and extracts the data in them, encrypts the parsed data, forwards the encrypted data, and so on.
Step S10 further comprises:
Step a: after the hardware system of the switch is powered on and started, read the startup program that starts the hardware system from the pre-programmed flash of the switch's memory chip, wherein the startup program is a boot program;
Step b: load the boot program into the internal SRAM of the switch and run it there, so as to start the boot program;
Step c: after the boot program has started, read the key file in the external encryption chip on the switch PCB;
Step d: perform key authentication on the boot key file in the boot program using the key file, so that the operating system of the switch is started after the startup program passes key authentication.
Specifically, after the hardware system of the switch is powered on and started, the switch reads the startup program, which is a boot program, from the pre-programmed flash (flash memory) of its memory chip, loads the boot program into the switch's internal SRAM (Static Random-Access Memory) and runs it there to start the boot program, and reads the boot key file in the boot program. After the boot program has started, the switch reads, over I2C (a bidirectional two-wire synchronous serial bus), the key file in the external encryption chip on its PCB (Printed Circuit Board), and uses the key file in the encryption chip to perform key authentication on the code information in the boot key file. This key authentication is the boot key authentication. Once the code information in the boot key file has been successfully authenticated against the key file in the encryption chip, that is, once the startup program has passed key authentication, the switch starts its operating system.
The boot program is a startup command of the switch hardware system. The key file is the secret information used for cryptographic applications such as encryption, decryption and integrity verification. The I2C bus is a bidirectional two-wire synchronous serial bus; only two wires are needed to transfer information between the devices connected to the bus. Boot key authentication is the bootloader's low-level key authentication. After the bootloader has initialized the switching chip and the related hardware, it loads the operating system image or the firmware-resident embedded application into memory, then jumps to the address space where the operating system resides and starts the operating system.
It should be noted that when the switch's hardware system starts, the switch presets a key file in the encryption chip. Different switches run different operating systems, and this embodiment does not limit the form of the switch.
In this embodiment, for example, the key file of the encryption chip contains the following rule for authenticating the boot key file: if the boot program has "3onedata", certification passed. The code information contained in the boot key file of the boot program includes "connect to 3onedata" and so on. The switch reads the boot program from the flash of the memory chip, the boot program runs and starts in the internal SRAM, and the switch then performs ciphertext matching between the boot key file in the boot program and the key file in the encryption chip. When the key file in the encryption chip matches the boot key file in the boot program, that is, when the key file of the encryption chip is the same as the boot key file in the boot program, the switch starts its operating system.
Further, step d comprises:
Step e: read the boot key file into the key file of the encryption chip for a key check, obtain the check result of the key authentication, and verify whether the check result is a pass;
Step f: if the check result is verified as a pass, start the operating system of the switch.
Specifically, the switch reads the boot key file into the key file of the encryption chip for a key matching check and obtains a boot key authentication check result. The switch then verifies the check result. If the check result is a pass, the switch starts its operating system; if the check result is a fail, the switch locks its operating system until the check result is verified as a pass.
Methods of key matching verification include information comparison, character comparison and so on. This embodiment does not limit the form of the comparison method.
In this embodiment, for example, the key matching verification uses character comparison. The switch is configured with true as the pass character and false as the fail character. The switch reads the boot key file into the key file of the encryption chip for the key matching check. Because the key file in the encryption chip matches the boot key file, the encryption chip returns the character true to the switch. The switch compares the returned character with its internally configured characters and verifies the result: the returned character corresponds to the configured pass character, so the switch starts the operating system.
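The gate described in steps a to f, modelled in C as an added example (not code from the patent or from any vendor). The boot key record layout, the constructed key and `chip_read_key`, which stands in for the I2C read from the encryption chip, are assumptions; the comparison runs in constant time, and a missing, oversized or truncated record locks the boot.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_MAGIC   "BKEY"  /* constructed 4-byte tag marking the boot key record */
#define KEY_MAX_LEN 32u

typedef enum { BOOT_START_OS, BOOT_LOCKED } boot_decision;

/* Constructed key standing in for the key file held by the encryption chip. */
static const uint8_t CHIP_KEY[] = { 'd','e','m','o','-','k','e','y','-','0','0','0','1' };

/* Step c: stand-in for the I2C read. Returns the key length, 0 on error. */
static size_t chip_read_key(uint8_t *out, size_t cap)
{
    if (cap < sizeof CHIP_KEY) return 0;
    memcpy(out, CHIP_KEY, sizeof CHIP_KEY);
    return sizeof CHIP_KEY;
}

/* Locate the boot key record in the boot program image loaded into SRAM.
 * Assumed layout: "BKEY" | 1-byte length | key bytes, at the start of the image.
 * Returns 0 on success, -1 if the record is missing, oversized or truncated. */
static int boot_key_from_image(const uint8_t *img, size_t img_len,
                               const uint8_t **key, size_t *key_len)
{
    if (img == NULL || img_len < 5) return -1;
    if (memcmp(img, KEY_MAGIC, 4) != 0) return -1;
    size_t n = img[4];
    if (n == 0 || n > KEY_MAX_LEN) return -1;
    if (img_len - 5 < n) return -1;           /* declared length exceeds image */
    *key = img + 5;
    *key_len = n;
    return 0;
}

/* Compare without an early exit, so timing does not reveal the first
 * mismatching byte to someone probing candidate keys. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Steps d to f: match the boot key against the chip key; any failure locks. */
boot_decision boot_authenticate(const uint8_t *img, size_t img_len)
{
    uint8_t chip_key[KEY_MAX_LEN];
    const uint8_t *boot_key;
    size_t boot_len;
    size_t chip_len = chip_read_key(chip_key, sizeof chip_key);

    if (chip_len == 0) return BOOT_LOCKED;
    if (boot_key_from_image(img, img_len, &boot_key, &boot_len) != 0)
        return BOOT_LOCKED;
    if (boot_len != chip_len) return BOOT_LOCKED;
    return ct_equal(boot_key, chip_key, chip_len) ? BOOT_START_OS : BOOT_LOCKED;
}

/* Build a constructed boot image for the demo. Returns its size, 0 on error. */
size_t make_image(const uint8_t *key, size_t key_len, uint8_t *out, size_t cap)
{
    if (key_len > 255 || cap < 5 + key_len) return 0;
    memcpy(out, KEY_MAGIC, 4);
    out[4] = (uint8_t)key_len;
    memcpy(out + 5, key, key_len);
    return 5 + key_len;
}

int main(void)
{
    uint8_t img[64];
    size_t n = make_image(CHIP_KEY, sizeof CHIP_KEY, img, sizeof img);

    printf("matching key: %s\n",
           boot_authenticate(img, n) == BOOT_START_OS ? "start OS" : "locked");
    img[5] ^= 0x01;                           /* alter one byte of the boot key */
    printf("altered key : %s\n",
           boot_authenticate(img, n) == BOOT_START_OS ? "start OS" : "locked");
    return 0;
}
```

As modelled, the gate checks only the key record; bytes of the boot image outside that record are not covered by the comparison.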
Step S20: after the operating system has started, receive a data packet through the switching chip in the switch, parse the data packet with the FPGA chip in the switch, and encrypt the parsed data.
After the switch's operating system has started, the switch receives a data packet through its switching chip. After receiving the data packet, it parses the packet with its FPGA chip and then re-encrypts the parsed data.
Step S20 further comprises:
Step g: after the operating system has started, receive, through the switching chip in the switch, the data packet sent by a first terminal device from the Ethernet data port of the switch;
Step h: parse the data packet with the FPGA chip of the switch to obtain the valid data in the data packet, and encrypt the valid data with a preset encryption algorithm.
Specifically, after the switch's operating system has started, the switch receives, through its switching chip, the data packet sent in by the first terminal device on the switch's Ethernet data port. After obtaining the data packet, the switch parses it with the FPGA chip to obtain the valid data in the packet, and then re-encrypts the valid data with a preset encryption algorithm.
The first terminal device is the terminal device that sends data packets to the switch; it may be a terminal device on an external network or on the internal network. An encryption algorithm is a method of encrypting data. There are many encryption algorithms, including Chinese-English encryption algorithms, binary encryption algorithms and numeric-English encryption algorithms. This embodiment does not limit the form of the encryption algorithm.
Further, step h also comprises:
Step i: unpack the data packet according to the data packet format in the FPGA chip to obtain unpacked data;
Step j: extract from the unpacked data according to the valid data field preset in the FPGA chip to obtain valid data;
Step k: encrypt the valid data with the encryption algorithm preset in the FPGA chip to obtain encrypted data.
Specifically, the switch unpacks the data packet using the unpacking method for the data packet format in the FPGA chip and obtains unpacked data. It then extracts from the unpacked data according to the valid field preset in the FPGA chip and discards the invalid data, which yields the valid data. It then re-encrypts the valid data with the encryption algorithm preset in the FPGA chip, which yields the encrypted data.
Valid data and invalid data are defined according to individual needs. The data packet format is the data format specified by a given protocol. There are many data packet formats, and this embodiment does not limit the form of the data packet format; the most commonly used one is "frame header + data". In this embodiment, for example, the preset valid field is "3onedata", and the data packets received by the switch include "3onedata-Profit in January 2020.doc", "ABC-Profit in February 2020.doc" and so on. After unpacking, the frame headers are "3onedata", "ABC" and so on; the data corresponding to "3onedata" is "Profit in January 2020.doc" and the data corresponding to "ABC" is "Profit in February 2020.doc". According to the preset valid field, the switch extracts the data "Profit in January 2020.doc" and re-encrypts it, and discards the data "Profit in February 2020.doc". In this embodiment, for example, the ciphertext is "20 21 18 14 12 05 06 20", which decrypts to "TURE LERT" under the numeric-English encryption algorithm.
Further, the switch encryption method also comprises:
Step l: detect whether the boot program in the switch's memory chip has been updated;
Step m: if it is detected that the boot program has been updated, power on and start the hardware system of the switch.
Specifically, before the switch's hardware system is powered on and started, the switch uses its internal system to detect whether the boot program in its memory chip has been updated. If it detects that the boot program has not been updated, the switch continues detecting; when it detects that the boot program has been updated, the switch powers on and starts its hardware system.
It should be noted that there are many ways to detect an update, for example by time, name or suffix. This embodiment does not limit the method of detecting updates.
In this embodiment, for example, an original boot program in the switch's memory chip is "3onedata-2020.1". If, after a period of time, the switch detects that the boot program has changed to "3onedata-2020.1.1", the boot program has been updated.
After the hardware system is powered on and started, the present invention performs key authentication on the startup program that starts the hardware system in order to start the operating system, receives data packets through the switching chip, parses the data packets with the FPGA chip, and encrypts the parsed data. In the switch encryption process, therefore, key authentication is performed on the startup program after the hardware system is powered on and started, and the operating system is started only after the startup program passes key authentication, which prevents the switch program from being brute-force cracked. After the operating system has started, data packets are received through the switching chip and parsed by the FPGA chip, and the parsed data is encrypted, which prevents leakage of switch data. The switch is thereby protected by two layers of encryption, which improves its security.
Further, a second embodiment of the encryption method of the switch of the present invention is proposed.
The second embodiment of the encryption method of the switch differs from the first embodiment in that the encryption method of the switch further includes:
Step n: re-encapsulating the encrypted data according to the data packet format in the FPGA chip to obtain an encapsulated data packet;
Step o: sending the encapsulated data packet to a second terminal device through the Ethernet data port of the switch, so that the second terminal device, after receiving the encapsulated data packet, unpacks it, extracts the encrypted data, and decrypts the encrypted data to obtain the valid data in the encapsulated data packet.
Specifically, after the switch finishes encrypting the data, it re-encapsulates the encrypted data according to the data packet format in the FPGA chip to obtain the encapsulated data packet. The encapsulated data packet is then sent through the FPGA chip to the Ethernet data port of the switch, and from that port to the second terminal device. After receiving the encapsulated data packet, the second terminal device unpacks it according to the data packet format to obtain the unpacked encapsulated data, extracts the encrypted data from the encapsulated data, and decrypts the encrypted data to obtain the valid data. The required data is then taken from the valid data according to user needs.
Here, the second terminal device is the device that receives the data packet encapsulated by the switch; it may be an external-network terminal device or an internal-network terminal device. The decryption algorithm is the method used to decrypt the data. There are many decryption algorithms, including Chinese-English encryption algorithms, binary encryption algorithms, digit-English encryption algorithms, and so on. This embodiment does not limit the form of the decryption algorithm.
In this embodiment, after re-encrypting the data, the switch re-encapsulates the encrypted data and sends the encapsulated data to the terminal device in the normal Ethernet packet format, so that the encapsulated data packet can be transmitted over the public network as an ordinary data packet, which improves the versatility of the encapsulated data packet.
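The following Python model of steps n and o is an added illustration, not code from the patent. The frame layout, the experimental EtherType 0x88B5, the length field, the function names, and the HMAC-SHA256 keystream and tag (a stand-in for the unspecified "preset encryption algorithm") are all assumptions; the tag is included because the text describes decryption only, and a receiver that decrypts without authenticating cannot detect modified frames.

```python
import hashlib
import hmac
import os
import struct

# Assumed layout (not from the patent):
# dst MAC(6) | src MAC(6) | EtherType(2) | length(2) | nonce(12) | ciphertext | tag(32)
ETHERTYPE_DEMO = 0x88B5  # IEEE "local experimental" EtherType, chosen for the demo
HDR_LEN, NONCE_LEN, TAG_LEN = 14, 12, 32
BODY_OFF = HDR_LEN + 2 + NONCE_LEN  # offset of the first ciphertext byte


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: stand-in for the unspecified preset cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(dst, src, valid_data, enc_key, mac_key, nonce=None):
    """Switch side (step n): encrypt the valid data and wrap it in a normal frame."""
    nonce = nonce or os.urandom(NONCE_LEN)  # must never repeat under one key
    head = dst + src + struct.pack(">HH", ETHERTYPE_DEMO, len(valid_data)) + nonce
    ciphertext = _xor(valid_data, _keystream(enc_key, nonce, len(valid_data)))
    # The tag covers the cleartext header too, so addresses cannot be swapped.
    tag = hmac.new(mac_key, head + ciphertext, hashlib.sha256).digest()
    return head + ciphertext + tag


def decapsulate(frame, enc_key, mac_key):
    """Second terminal (step o): unpack, authenticate, then decrypt."""
    if len(frame) < BODY_OFF + TAG_LEN:
        raise ValueError("frame too short")
    ethertype, length = struct.unpack(">HH", frame[12:16])
    if ethertype != ETHERTYPE_DEMO:
        raise ValueError("unexpected EtherType")
    end = BODY_OFF + length
    if len(frame) < end + TAG_LEN:  # length field points past the frame
        raise ValueError("truncated frame")
    nonce = frame[HDR_LEN + 2:BODY_OFF]
    ciphertext, tag = frame[BODY_OFF:end], frame[end:end + TAG_LEN]
    expected = hmac.new(mac_key, frame[:end], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return _xor(ciphertext, _keystream(enc_key, nonce, length))


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # constructed demo keys
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    frame = encapsulate(dst, src, b"constructed valid data", enc_key, mac_key)
    print(frame.hex())
    print(decapsulate(frame + b"\x00" * 4, enc_key, mac_key))  # padding tolerated
```

The explicit length field lets the receiver locate the tag even when the link layer pads a short frame. A production design would use a vetted AEAD such as AES-GCM in place of the stand-in keystream.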
In addition, the present invention also provides an encryption apparatus of a switch. Referring to FIG. 2, the encryption apparatus of the switch includes:
an authentication module 10, configured to perform key authentication on the startup program that starts the hardware system after the hardware system of the switch is powered on, so that the operating system of the switch is started after the startup program passes key authentication;
a receiving module 20, configured to receive data packets through the switching chip in the switch after the operating system is started;
a parsing module 30, configured to parse the data packets through the FPGA chip in the switch;
an encryption module 40, configured to encrypt the parsed data.
Further, the encryption module 40 includes:
a receiving unit, configured to receive, after the operating system is started, a data packet sent by a first terminal device from the Ethernet data port of the switch through the switching chip in the switch;
an encryption unit, configured to parse the data packet through the FPGA chip of the switch to obtain the valid data in the data packet, and to encrypt the valid data with a preset encryption algorithm.
Further, the encryption unit includes:
an unpacking subunit, configured to unpack the data packet according to the data packet format in the FPGA chip to obtain unpacked data;
an extraction subunit, configured to extract valid data from the unpacked data according to the valid data field preset in the FPGA chip;
an encryption subunit, configured to encrypt the valid data with the encryption algorithm preset in the FPGA chip to obtain encrypted data.
Further, the authentication module 10 includes:
a reading unit, configured to read, after the hardware system of the switch is powered on, the startup program that starts the hardware system from the pre-programmed flash of the switch's memory chip, wherein the startup program is a boot program;
a loading unit, configured to load the boot program into the internal SRAM of the switch and run it, so as to start the boot program;
the reading unit is further configured to read, after the boot program is started, the key file in the external encryption chip on the switch PCB;
an authentication unit, configured to perform boot key authentication on the boot key file in the boot program by means of the key file, so that the operating system of the switch is started after the startup program passes key authentication.
Further, the authentication unit includes:
a checking subunit, configured to read the boot key file into the key file of the encryption chip for a key check, and to obtain the check result of the key authentication;
a verification subunit, configured to verify whether the check result is a pass;
a starting subunit, configured to start the operating system of the switch if the check result is verified as a pass.
Further, the encryption apparatus of the switch also includes:
a detection unit, configured to detect whether the boot program in the switch's memory chip has been updated;
a starting unit, configured to power on and start the hardware system of the switch if the boot program has been updated.
Further, the encryption apparatus of the switch also includes:
an encapsulation module, configured to re-encapsulate the encrypted data according to the data packet format in the FPGA chip to obtain an encapsulated data packet;
a sending module, configured to send the encapsulated data packet to the second terminal device through the Ethernet data port of the switch, so that the second terminal device, after receiving the encapsulated data packet, unpacks it, extracts the encrypted data, and decrypts the encrypted data to obtain the valid data in the encapsulated data packet.
The specific implementations of the switch-based encryption apparatus of the present invention are basically the same as the embodiments of the switch-based encryption method described above, and are not repeated here.
In addition, the present invention also provides an encryption device of a switch. FIG. 3 is a schematic structural diagram of the hardware operating environment involved in the solution of the embodiment of the present invention.
It should be noted that FIG. 3 may be the schematic structural diagram of the hardware operating environment of the encryption device of the switch.
As shown in the figure, the encryption device of the switch may include a processor 1001 (for example, a CPU), a memory 1005, a user interface 1003, a network interface 1004, and a communication bus 1002. The communication bus 1002 implements connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard; optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM or non-volatile memory, such as disk storage. Optionally, the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
Optionally, the encryption device of the switch may also include an RF (Radio Frequency) circuit, sensors, a WiFi module, and the like.
Those skilled in the art will understand that the structure of the encryption device of the switch shown in FIG. 3 does not limit the encryption device of the switch, which may include more or fewer components than shown, combine certain components, or use a different arrangement of components.
As shown in FIG. 3, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module, and the encryption program of the switch. The operating system is a program that manages and controls the hardware and software resources of the encryption device of the switch, and supports the running of the encryption program of the switch and of other software or programs.
In the encryption device of the switch shown in the figure, the user interface 1003 is mainly used for the user's terminal device, so that the user can select valid data on the terminal device according to individual needs; the network interface 1004 is mainly used for the switch, to perform data communication with the terminal device; and the processor 1001 may be used to call the encryption program of the switch stored in the memory 1005 and carry out the steps of the control method of the encryption device of the switch as described above.
The specific implementations of the encryption device of the switch of the present invention are basically the same as the embodiments of the encryption method of the switch described above, and are not repeated here.
In addition, an embodiment of the present invention also provides a computer-readable storage medium on which an encryption program of a switch is stored; when the encryption program of the switch is executed by a processor, the steps of the encryption method of the switch described above are implemented.
The specific implementations of the computer-readable storage medium of the present invention are basically the same as the embodiments of the encryption method of the switch described above, and are not repeated here.
It should be noted that, in this document, the terms "include", "comprise", or any other variation thereof are intended to cover a non-exclusive inclusion, so that a process, method, article, or apparatus comprising a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent in such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not preclude the presence of additional identical elements in the process, method, article, or apparatus comprising that element.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
From the description of the above implementations, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and includes several instructions that cause an encryption device of a switch to carry out the methods described in the embodiments of the present invention.
Claims (6)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010163970.9A CN111400700B (en) | 2020-03-10 | 2020-03-10 | Encryption method, device, device and computer-readable storage medium of switch |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111400700A (en) | 2020-07-10 |
| CN111400700B (en) | 2023-07-21 |
Family
ID=71436187
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010163970.9A Active CN111400700B (en) | 2020-03-10 | 2020-03-10 | Encryption method, device, device and computer-readable storage medium of switch |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111400700B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113285895B (en) * | 2021-04-28 | 2022-05-31 | 深圳中为思创科技有限公司 | Safe and reliable type high-speed switch |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101123507A (en) * | 2007-10-08 | 2008-02-13 | 杭州华三通信技术有限公司 | Method for protecting data information on storage device and storage device |
| CN105357218A (en) * | 2015-12-03 | 2016-02-24 | 上海斐讯数据通信技术有限公司 | A router with hardware encryption and decryption function and its encryption and decryption method |
| CN105610738A (en) * | 2016-03-08 | 2016-05-25 | 浪潮集团有限公司 | Two-stage encryption protection method for switch |
| CN205407875U (en) * | 2016-03-08 | 2016-07-27 | 浪潮集团有限公司 | Ethernet switch of chip is encrypted in area |
| CN106933752A (en) * | 2017-03-09 | 2017-07-07 | 西安电子科技大学 | The encryption device and method of a kind of SRAM type FPGA |
| CN109284136A (en) * | 2018-09-12 | 2019-01-29 | 盛科网络(苏州)有限公司 | A kind of method and device realizing switch system and quickly restarting |
| CN110417706A (en) * | 2018-04-27 | 2019-11-05 | 奥维飞越通信有限公司 | A kind of safety communicating method based on interchanger |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9779245B2 (en) * | 2013-03-20 | 2017-10-03 | Becrypt Limited | System, method, and device having an encrypted operating system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||