Publication number: CN101843031 A
Publication type: Application
Application number: CN 200880114117
PCT number: PCT/US2008/081078
Publication date: Sep 22, 2010
Filing date: Oct 24, 2008
Priority date: Oct 30, 2007
Also published as: EP2213036A2, EP2213036A4, US8775790, US20090113202, WO2009058675A2, WO2009058675A3
Inventors: F希德尔
Applicant: Honeywell International Inc.
System and method for providing secure network communications
CN 101843031 A
Abstract
A method includes receiving a data message, from a first embedded node (112a-112d), in a first end point device (130a). The first data message is addressed to a second embedded node (122a-122d). The method also includes encrypting the first data message to produce an encrypted data message, where the encryption is transparent to the first embedded node. The method further includes transmitting the encrypted data message to a second end point device (130b). An apparatus includes a plurality of embedded node ports (212a-212d) each configured to communicate with an embedded node. The apparatus also includes an encrypted communications link port (240) configured to communicate with an end point device. The apparatus further includes a controller (250, 270) connected to communicate with the embedded node ports and the encrypted communications link port. In addition, the apparatus includes a storage (260) connected to be read from and written to by the controller.
Claims (10), translated from Chinese
  1. A method comprising: receiving (304), in a first end point device (130a), a data message from a first embedded node (112a-112d), the first data message being addressed to a second embedded node (122a-122d); encrypting (304) the first data message using a layer 2 encryption process to produce an encrypted data message, the encryption being transparent to the first embedded node; and transmitting (306) the encrypted data message to a second end point device (130b).
  2. The method of claim 1, further comprising: receiving (306) the encrypted data message in the second end point device; decrypting (308) the encrypted data message to produce a second data message corresponding to the first data message; and transmitting (310) the second data message to the second embedded node.
  3. The method of claim 2, wherein: the encryption and decryption are transparent to the second embedded node; and the decryption is transparent to the first embedded node.
  4. The method of claim 1, wherein the second data message is identical to the first data message.
  5. An apparatus comprising: a plurality of embedded node ports (212a-212d), each configured to communicate with an embedded node (112a-112d, 122a-122d); an encrypted communications link port (240) configured to communicate with an end point device (130a-130b); a controller (250) connected to communicate with the embedded node ports and the encrypted communications link port, the controller being associated with an encryption controller (270, 420) configured to encrypt packets forming data messages using a layer 2 encryption process; and a storage (260) connected to be read from and written to by the controller.
  6. The apparatus of claim 5, wherein the encryption controller is configured to receive a first data message from an embedded node port, encrypt the first data message to produce an encrypted data message, and transmit the encrypted data message to the encrypted communications link port.
  7. The apparatus of claim 5, wherein the encryption controller is configured to receive an encrypted data message from the encrypted communications link port, decrypt the encrypted data message to produce a decrypted data message, and transmit the decrypted data message to at least one of the embedded node ports.
  8. The apparatus of claim 5, further comprising a memory (422) associated with the encryption controller, the memory storing an encryption key pair and information identifying at least one other end point device.
  9. The apparatus of claim 5, wherein the controller is configured to transparently perform at least one of: a rate limiting function; and filtering of undesired traffic using at least one of IP filtering or media access control (MAC) filtering.
  10. A communication network comprising: a plurality of embedded nodes (112a-112d); and a first end point device (130a) on a first physical network (110), the first end point device having: a plurality of embedded node ports (212a-212d), each configured to communicate with a respective one of the embedded nodes; an encrypted communications link port (240) configured to communicate with a second end point device (130b) on a second physical network (120), thereby forming a single logical network with the first end point device; a controller (250, 270) connected to communicate with the embedded node ports and the encrypted communications link port and configured to perform layer 2 encryption; and a storage (260) connected to be read from and written to by the controller.
Description, translated from Chinese

System and method for providing secure network communications

Technical Field

[0001] The present disclosure relates generally to networked computing systems and, more particularly, to a system and method for providing secure network communications.

Background

[0002] For security it is usually necessary to have encrypted traffic on a network. However, in large-scale embedded deployments, the processing overhead involved in implementing typical network security (for example IPSec or other encrypting network engines), combined with limited processing resources, makes such security impossible to implement in the embedded devices themselves.

Summary of the Invention

[0003] The present disclosure provides a system and method for providing secure network communications.

[0004] In a first embodiment, a method includes receiving, in a first end point device, a data message from a first embedded node. The first data message is addressed to a second embedded node. The method also includes encrypting the first data message using a layer 2 encryption process to produce an encrypted data message. The encryption is transparent to the first embedded node. The method further includes transmitting the encrypted data message to a second end point device. Some embodiments further include receiving the encrypted data message in the second end point device, decrypting the encrypted data message to produce a second data message corresponding to the first data message, and transmitting the second data message to the second embedded node.

[0005] In a second embodiment, an apparatus includes a plurality of embedded node ports, each configured to communicate with an embedded node. The apparatus also includes an encrypted communications link port configured to communicate with an end point device. The apparatus further includes a controller connected to communicate with the embedded node ports and the encrypted communications link port, where the controller is associated with an encryption controller configured to encrypt packets forming data messages using a layer 2 encryption process. In addition, the apparatus includes a storage connected to be read from and written to by the controller. Some embodiments further include a memory associated with the encryption controller, where the memory stores an encryption key pair and information identifying at least one other end point device.

[0006] In a third embodiment, a communication network includes a plurality of embedded nodes and a first end point device. The first end point device has a plurality of embedded node ports, each configured to communicate with an embedded node. The first end point device also includes an encrypted communications link port configured to communicate with a second end point device on a second physical network, thereby forming a single logical network with the first end point device. The first end point device further includes a controller connected to communicate with the embedded node ports and the encrypted communications link port and configured to perform layer 2 encryption. In addition, the first end point device includes a storage connected to be read from and written to by the controller. Some embodiments further include a plurality of second embedded nodes. The second end point device has a plurality of embedded node ports each configured to communicate with a respective one of the plurality of second embedded nodes, an encrypted communications link port configured to communicate with the first end point device, a controller connected to communicate with the embedded node ports and the encrypted communications link port, and a storage connected to be read from and written to by the controller.

[0007] Other technical features may be readily apparent to one skilled in the art from the following figures, descriptions, and claims.

Brief Description of the Drawings

[0008] For a more complete understanding of this disclosure, reference is now made to the following description, taken in conjunction with the accompanying drawings, in which:

[0009] FIG. 1 is a block diagram of an example communication network 100 according to one embodiment of this disclosure;

[0010] FIG. 2 is a block diagram of an end point device according to one embodiment of this disclosure;

[0011] FIG. 3 illustrates an example method for providing secure network communications according to one embodiment of this disclosure; and

[0012] FIG. 4 is a more detailed block diagram of an end point device according to one embodiment of this disclosure.

Detailed Description

[0013] FIG. 1 is a block diagram of an example communication network 100 according to one embodiment of this disclosure. The embodiment of the communication network 100 shown in FIG. 1 is for illustration only. Other embodiments of the communication network 100 may be used without departing from the scope of this disclosure.

[0014] As shown in FIG. 1, various disclosed embodiments include network end point devices, shown as a first end point device 130a and a second end point device 130b, which can encrypt all network traffic between two separate networks. In this figure, a first communication network 110 communicates with a second communication network 120 over an encrypted communications link 140 managed by the end point devices 130a and 130b. This allows secure communication between the two networks, either over a direct connection or by encrypted communication over a connection that crosses a vulnerable public or private network.

[0015] In this figure, the first end point device 130a is connected to communicate with embedded nodes 112a-112d by any known means of communication (for example Ethernet, serial communication, hard-wired or wireless communication, and so on). The first end point device 130a and the embedded nodes 112a-112d together form the first communication network 110. Note that although four embedded nodes are shown in this example, more or fewer nodes may be used depending on the desired implementation.

[0016] Similarly, in this figure, the second end point device 130b is connected to communicate with embedded nodes 122a-122d by any known means of communication (for example Ethernet, serial communication, hard-wired or wireless communication, and so on). The second end point device 130b and the embedded nodes 122a-122d together form the second communication network 120. Note that although four embedded nodes are shown in this example, more or fewer nodes may be used depending on the desired implementation.

[0017] According to various embodiments, each end point device 130a/130b has a plurality of ports to which the embedded nodes 112a-d and 122a-d, respectively, are attached. Each embedded node can be associated with a corresponding embedded device, as is well known to those skilled in the art. The embedded nodes communicate with the nodes connected to the other end point, and vice versa. For example, one or more of the embedded nodes 112a-d can communicate with one or more of the embedded nodes 122a-d.

[0018] The end points relay traffic over the encrypted communications link 140 and can encrypt the traffic using any known technique, including Internet Protocol Security (IPSec), Wireless Encryption Protocol (WEP), Advanced Encryption Standard (AES), and others. The encrypted communications link 140 can be used to carry data traffic including broadcast, multicast, proprietary private or commercial data, and other forms of traffic between the two networks without modifying the IP layer network information. All traffic between the two end points can be encrypted.

[0019] The end point devices 130a/130b can perform all of the network processing needed to encrypt and decrypt packets. The networks 110/120 on either side of the encrypted communications link 140 can be in the same subnet or in different subnets. The nodes 112a-112d and 122a-122d on either side of the encrypted portion can communicate with each other without knowing that the encrypted link exists. The disclosed end point devices can therefore connect two different physical networks into the same logical network in a manner that is transparent to the embedded nodes.

[0020] In various disclosed embodiments, the end point devices 130a/130b can also act as a firewall or rate limiter as the implementation requires. Moreover, MAC layer or other security measures can be employed, including monitoring for unauthorized media access control (MAC) addresses, disabling the ports to which unauthorized nodes are attached, and other methods of securing the network.

[0021] FIG. 2 is a block diagram of an end point device 230 that can be used as the end point devices 130a/130b according to one embodiment of this disclosure. The embodiment of the end point device 230 shown in FIG. 2 is for illustration only. Other embodiments of the end point device 230 may be used without departing from the scope of this disclosure.

[0022] According to one disclosed embodiment, the end point device 230 is implemented as an embedded computer system. The end point device 230 includes a plurality of embedded node ports 212a-212d configured to connect to and communicate with embedded nodes, for example the embedded nodes 112a-112d. Although four embedded node ports are shown in this example, the number of ports can be increased or decreased depending on the desired implementation. The embedded node ports 212a-212d may be implemented using any known communication ports, including in particular conventional Ethernet ports.

[0023] The end point device 230 also includes an encrypted communications link port 240 configured to connect to and communicate over the encrypted communications link 140. Note that in other embodiments the encrypted communications link port may include an RF transceiver and the associated hardware and software, known to those skilled in the art, for implementing a wireless communications link. The encrypted communications link port 240 may be implemented using any known communication port, including in particular a conventional Ethernet port.

[0024] The end point device 230 further includes a controller 250 configured and connected to communicate with the embedded node ports 212a-d and the encrypted communications link port 240. The controller 250 (which may be implemented as, for example, a microprocessor or microcontroller) also communicates with a storage 260 (which may be implemented as any computer-usable medium).

[0025] The controller 250 may be configured to execute an operating system, network drivers, encryption drivers, and filtering software that acts on the relayed traffic. The software, stored in the storage 260, may be configured to attach to two independent network interfaces (for example the embedded node ports 212a-212d and the encrypted communications link port 240) and relay all traffic arriving on one interface to the output of the other, and vice versa. An encryption controller 270, associated with the controller 250, may be configured to encrypt all outbound traffic and decrypt all inbound traffic regardless of the source or destination MAC or IP address of the traffic to be carried over the encrypted communications link port 240. The end point device 230 may also be configured to transparently perform rate limiting and to filter or reject undesired traffic. In various embodiments, the encryption controller is implemented as an FPGA.

[0026] In various embodiments, the controller 250 only wraps the passing traffic in a header, performs firewalling or other activity on inbound traffic after decryption or on outbound traffic before encryption, and performs the other general routing and control functions of the end point device 230. In some embodiments, if the device is made to support a proprietary network, for example a Fault Tolerant Ethernet (FTE) network from HONEYWELL INTERNATIONAL INC, it also acts as the FTE controller. In some embodiments, the controller 250 is independent of the encryption controller 270 and is "unaware" of it, so that the encryption controller 270 performs its function without any control by, or interaction with, the controller 250 other than the passing of data packets.

[0027] When an encrypted packet arrives, the Ethernet physical layer (PHY) converts the received analog signal into a digital packet on the media independent interface (MII) bus, and the packet is received by the encryption controller 270, which decrypts the packet (it was encrypted using a layer 2 scheme). The encryption controller then passes the unencrypted packet to the controller 250, which unwraps the payload, performs filtering on the resulting packet (whether it is UDP, TCP, IP, FTE, multicast or other), and passes it on to the embedded node.

[0028] Similarly, when an unencrypted packet arrives from an embedded node, the controller 250 receives it, performs any filtering or rate limiting, and then wraps it in a header, as described in more detail below. The controller then passes it to the encryption controller 270, which encrypts the entire wrapped packet (MAC addresses and all), encapsulates it in a layer 2 frame, and sends it out to the Ethernet PHY, which converts it into an analog signal on the line.

[0029] FIG. 3 illustrates an example method 300 for providing secure network communications according to one embodiment of this disclosure. The embodiment of the method 300 shown in FIG. 3 is for illustration only. Other embodiments of the method 300 may be used without departing from the scope of this disclosure.

[0030] In step 302, the embedded node 112a transmits a first data message intended for the embedded node 122a. The first data message may, for example, be formatted as a conventional Internet Protocol (IP) message and addressed to the embedded node 122a.

[0031] In step 304, the first end point device 130a receives the first data message and encrypts it to produce an encrypted data message.

[0032] In step 306, the first end point device 130a transmits the encrypted data message to the second end point device 130b over the encrypted communications link 140.

[0033] In step 308, the second end point device 130b receives the encrypted data message and decrypts it to produce a second data message corresponding to the first data message.

[0034] In step 310, the second end point device 130b transmits the second data message to the embedded node 122a. The encryption and transmission between the first and second end point devices are transparent to the embedded nodes 112a and 122a.

[0035] Reply messages and other messages between embedded nodes can be handled using the same or a similar process as described above. In some embodiments, a single embedded node can "multicast" or broadcast a message to a plurality of receiving embedded nodes.

[0036] FIG. 4 is a more detailed block diagram of the end point device 230 according to one embodiment of this disclosure. FIG. 4 also includes an illustration of the packet events that occur during processing.

[0037] The end point device 230 includes embedded node ports 212a and 212b (among others), which may be implemented as, for example, Ethernet interfaces. These embedded node ports may be connected to communicate with each other through a switch 410. Each embedded node port may communicate with a corresponding embedded node (for example the embedded node 122a). These communications may be packet-based and may include unencrypted packet data, shown as packet 402.

[0038] The embedded node ports 212a/b and/or the switch 410 communicate with the controller 250, for example over a media independent interface (MII) bus, which is well known to those skilled in the art. These communications may also be packet-based and may include unencrypted packet data, shown as packet 404.

[0039] The controller 250 may include a MAC filter and an IP filter, which can be used to filter out traffic that does not come from other authorized end points. The controller 250 can implement other known commercial, public, or proprietary functions.

[0040] In some embodiments, the processor 250 also wraps the packet 404 in a wrapper, using any known public or proprietary wrapping technique, with the original packet 404 as its payload. In some embodiments the wrapped packet, shown as packet 406, is passed to the encryption controller 420 over an MII bus.

[0041] The encryption controller 420 may be implemented as a microprocessor, microcontroller, or otherwise, including as a field programmable gate array (FPGA). Alternatively, the functions of the encryption controller 420 may be implemented by the controller 250.

[0042] In some embodiments, the encryption controller 420 is associated with a secure, encrypted flash memory 422. The flash memory 422 can hold the encryption key pair and the MAC address of each authorized end point device. In particular embodiments, the flash memory 422 is programmed by the manufacturer and cannot be accessed by the end user.

[0043] In various embodiments, the encryption controller 420 encrypts the entire packet 406 and prepends a layer 2 header carrying its own MAC address, producing packet 408. In various embodiments, the payload of packet 408 is encrypted data comprising the packet 406 together with all of its headers above layer 2. The encryption controller 420 then passes the packet 408 to the encrypted communications link port 240, which may be implemented as an Ethernet interface. This communication may be over an MII bus.

[0044] In some embodiments, the encryption is performed at layer 2 by commercial, publicly available, or proprietary code in the FPGA, and not by a high-level operating system that may have known vulnerabilities. The advantage of performing encryption at layer 2 is that nothing is left unencrypted other than the source and destination MAC addresses of the two end points, so even the MAC addresses of the embedded nodes are protected, even when the traffic is a MAC broadcast.
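The outbound and inbound paths of paragraphs [0027]-[0028] and the framing of [0043]-[0044], as an added example in Go that is not part of the patent or of any Honeywell product: each end point encrypts the complete inner Ethernet frame received from an embedded node, so only the two end point MAC addresses cross the link in the clear, and the receiving end point applies its authorized-endpoint MAC allow-list before doing any cryptographic work. AES-GCM, the EtherType, the sample MAC addresses and the key are assumptions of this demo; the handshake and rotating-time-table key verification of [0045] are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Outer frame on the encrypted link: dst endpoint MAC (6) | src endpoint MAC (6) | EtherType (2) |
// nonce (12) | AES-GCM ciphertext+tag over the whole inner frame. AES-GCM stands in for the page's
// unspecified FPGA cipher; EtherType 0x88B5 (IEEE local experimental range) is a constructed choice.
const macLen, hdrLen, nonceLen = 6, 2*6 + 2, 12
var etherType = [2]byte{0x88, 0xB5}

// Constructed sample addresses (locally administered) and a 32-byte AES key.
var (
	endpointA = [macLen]byte{0x02, 0, 0, 0, 0x13, 0x0a}
	endpointB = [macLen]byte{0x02, 0, 0, 0, 0x13, 0x0b}
	node112a  = [macLen]byte{0x02, 0, 0, 0, 0x11, 0x2a}
	node122a  = [macLen]byte{0x02, 0, 0, 0, 0x12, 0x2a}
	linkKey   = []byte("0123456789abcdef0123456789abcdef")
)

// Endpoint is one end point device: its MAC, the link key, and the allow-list of authorized peer MACs (the page's flash-held list).
type Endpoint struct {
	MAC   [macLen]byte
	aead  cipher.AEAD
	peers map[[macLen]byte]bool
}

func NewEndpoint(mac [macLen]byte, key []byte, peers ...[macLen]byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	e := &Endpoint{MAC: mac, aead: aead, peers: map[[macLen]byte]bool{}}
	for _, p := range peers {
		e.peers[p] = true
	}
	return e, nil
}

// InnerFrame builds what an embedded node emits: dst MAC | src MAC | EtherType 0x0800 (IPv4) | payload.
func InnerFrame(dst, src [macLen]byte, payload []byte) []byte {
	f := append(append([]byte{}, dst[:]...), src[:]...)
	return append(append(f, 0x08, 0x00), payload...)
}

// Encapsulate (outbound): the whole inner frame, embedded-node MACs included, becomes the encrypted payload of a new layer 2 frame; the clear outer header is bound as AAD.
func (e *Endpoint) Encapsulate(peer [macLen]byte, inner []byte) ([]byte, error) {
	if !e.peers[peer] {
		return nil, errors.New("peer endpoint not authorized")
	}
	hdr := make([]byte, 0, hdrLen+nonceLen)
	hdr = append(append(append(hdr, peer[:]...), e.MAC[:]...), etherType[:]...)
	nonce := make([]byte, nonceLen)
	// Random nonce for the demo; a real link would use a counter so a nonce never repeats under one key.
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return e.aead.Seal(append(hdr, nonce...), nonce, inner, hdr), nil
}

// Decapsulate (inbound): MAC allow-list check before any crypto (the page's MAC filter), then tag verification, then the inner frame comes back unchanged.
func (e *Endpoint) Decapsulate(outer []byte) ([]byte, error) {
	if len(outer) < hdrLen+nonceLen+e.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	var dst, src [macLen]byte
	copy(dst[:], outer)
	copy(src[:], outer[macLen:])
	if dst != e.MAC {
		return nil, errors.New("frame not addressed to this endpoint")
	}
	if !e.peers[src] {
		return nil, errors.New("source endpoint not authorized")
	}
	nonce := outer[hdrLen : hdrLen+nonceLen]
	inner, err := e.aead.Open(nil, nonce, outer[hdrLen+nonceLen:], outer[:hdrLen])
	if err != nil {
		return nil, errors.New("authentication failed, frame dropped")
	}
	return inner, nil
}

func main() {
	a, _ := NewEndpoint(endpointA, linkKey, endpointB)
	b, _ := NewEndpoint(endpointB, linkKey, endpointA)
	inner := InnerFrame(node122a, node112a, []byte("constructed IP datagram"))
	outer, _ := a.Encapsulate(endpointB, inner)
	got, err := b.Decapsulate(outer)
	fmt.Printf("outer frame %d bytes, inner recovered intact: %v\n", len(outer), err == nil && string(got) == string(inner))
}
```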

[0045] 当两个端点设备正在通信时,在一些实施例中,它们交换一连串的握手分组以采用基于旋转时间表(rotating time table)的代码建立可靠性。 [0045] When the two endpoint devices are communicating, in some embodiments, they exchanged a series of handshake packets to use based on the rotation schedule (rotating time table) to establish the reliability of the code. 在各种实施例中,这两个端点设备通过交换和测试(解密和验证)加密消息来验证加密密钥,从而执行询问/响应的交换。 In various embodiments, the two endpoint devices by exchanging and testing (decryption and authentication) to verify that the encryption key encrypted message, thereby executing exchange inquiry / response.

[0046] 在各种实施例中,加密和解密对第二嵌入式节点透明。 [0046] In various embodiments, the encryption and decryption of the second transparent embedded node. 在各种实施例中,解密对第一嵌入式节点透明。 In various embodiments, the decryption of the first transparent embedded node. 在各种实施例中,第二数据消息与第一数据消息相同。 In various embodiments, the second data message with the same first data message.

[0047] 在各种实施例中,加密控制器被配置为从嵌入式节点端口接收第一数据消息,力口密该第一数据消息以产生加密数据消息,并且将该加密数据消息传送到加密通信链路端口。 [0047] In various embodiments, the encryption controller is configured to receive a first data message from a port embedded node, the force of the first data port message encrypted to generate encrypted data message, and transmits the encrypted data to the encrypted message communication link ports. 在各种实施例中,该控制器被配置为从该加密通信链路端口接收加密数据消息,解密该加密数据消息以产生解密数据消息,并且将该解密数据消息传送到至少一个嵌入式节点端口。 In various embodiments, the controller is configured to encrypt the data from the communication link port receives the encrypted message, decrypts the encrypted message data to generate decrypted data message, and transmits the decrypted data message to the at least one embedded node port . 在各种实施例中,该控制器被配置为执行对连接到该嵌入式节点端口的设备透明的加密过程。 In various embodiments, the controller is configured to perform connected to the device transparent encryption process that embedded node ports. 在各种实施例中,该控制器被配置为透明地执行速率限制功能。 In various embodiments, the controller is configured to transparently perform rate limiting. 在各种实施例中, 该控制器被配置为使用IP过滤或媒体访问控制(MAC)过滤中的至少一个来透明地执行对不期望的业务的过滤。 In various embodiments, the controller is configured to use IP filtering or MAC (MAC) filtering at least one transparent execution of the undesirable traffic filtering. 在一些实施例中,该控制器被配置为执行操作系统、网络驱动器、力口密驱动器和过滤软件。 In some embodiments, the controller is configured to perform an operating system, a network drive, the drive force is densely populated and filtering software.

[0048] The term "Layer 2" refers to the data link layer of the protocol stack, as is well known to those skilled in the art and as defined by the Open Systems Interconnection (OSI) model for data communications, which is incorporated herein by reference. Layer 2 establishes the physical connection between local telecommunication equipment and a remote destination and defines the data frames transmitted over the physical medium between nodes.

[0049] Layer 2 is mainly used for high-speed, high-throughput point-to-point applications between telecommunication equipment or facilities. To achieve these speeds, hardware encryption is predominantly used. Encryption at this layer encapsulates any Layer 2 protocol traversing the link, unlike Layer 3 encryption, where only IP packets are encrypted. Layer 2 encryption is therefore more flexible for point-to-point applications, where routing is not a consideration. Layer 2 encryption also provides platform independence, because client systems need no special software or hardware to manage routing decisions.
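The following is an added worked example, not code from the patent or from the applicant: it models the challenge/response key confirmation of paragraph [0045], the transparent encrypt/filter/rate-limit path of the end point device in paragraph [0047], and the whole-frame (not IP-only) encapsulation of paragraph [0049] in one runnable Python module. Everything below the paragraph numbers is an assumption: the "rotating time table" is modelled as a per-slot key derived with HMAC-SHA256 from a shared master key and a slot index, the hardware cipher is replaced by an encrypt-then-MAC construction built from HMAC-SHA256 (a real device would use an AEAD such as AES-GCM), the frame layout, the MAC filter and the fixed frame budget standing in for the rate limiter are all illustrative, and the sample MAC addresses and payloads are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# ---- Key material ------------------------------------------------------------
# Assumption: the patent's "code based on a rotating time table" is modelled as a
# per-slot key that both end point devices derive from a shared master key and a
# slot index taken from their clocks. HMAC-SHA256 is a stand-in derivation.
def slot_key(master: bytes, slot: int) -> bytes:
    return hmac.new(master, b"slot" + struct.pack(">Q", slot), hashlib.sha256).digest()

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys so the two uses never share a key.
    return hmac.new(key, label, hashlib.sha256).digest()

# ---- Stand-in for the hardware cipher ----------------------------------------
# Encrypt-then-MAC: counter-mode keystream from HMAC-SHA256, tag over nonce||ct.
_NONCE_LEN, _TAG_LEN = 12, 32

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(_NONCE_LEN)            # fresh per message
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < _NONCE_LEN + _TAG_LEN:
        raise ValueError("truncated")
    nonce, ct, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")      # wrong key or tampered frame
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# ---- [0045] challenge/response key confirmation ------------------------------
def handshake(key_a: bytes, key_b: bytes) -> bool:
    """End point A challenges B; succeeds only if both hold the same slot key."""
    nonce = secrets.token_bytes(16)
    chal = seal(key_a, b"CHAL" + nonce)                # A -> B
    try:
        msg = unseal(key_b, chal)                      # B decrypts and checks
        if not msg.startswith(b"CHAL"):
            return False
        resp = seal(key_b, b"RESP" + msg[4:])          # B -> A
        return unseal(key_a, resp) == b"RESP" + nonce  # A verifies B's answer
    except ValueError:
        return False

# ---- [0047]/[0049] transparent Layer 2 encryptor -----------------------------
# Assumed frame model: (dst_mac, src_mac, ethertype, payload). The whole frame is
# sealed, so non-IP protocols (e.g. ARP, ethertype 0x0806) are covered as well.
def encode_frame(frame) -> bytes:
    dst, src, ethertype, payload = frame
    return dst + src + struct.pack(">H", ethertype) + payload

def decode_frame(raw: bytes):
    return raw[:6], raw[6:12], struct.unpack(">H", raw[12:14])[0], raw[14:]

class EndPointDevice:
    """Bump-in-the-wire encryptor between embedded node ports and the link port."""

    def __init__(self, key: bytes, allowed_src_macs, frame_budget: int):
        self.key = key
        self.allowed_src_macs = set(allowed_src_macs)  # MAC filter ([0047])
        self.frame_budget = frame_budget               # simplified rate limit

    def from_embedded_node(self, frame):
        """Plaintext frame in from a node port; sealed frame to the link, or None if dropped."""
        dst, src, ethertype, payload = frame
        if src not in self.allowed_src_macs:
            return None                                # undesired traffic filtered
        if self.frame_budget <= 0:
            return None                                # rate limited
        self.frame_budget -= 1
        return seal(self.key, encode_frame(frame))

    def from_link(self, blob: bytes):
        """Sealed frame in from the link; the identical plaintext frame out to the node port."""
        return decode_frame(unseal(self.key, blob))
```

The embedded nodes see only `from_embedded_node` input and `from_link` output, which are the same frame, so the encryption is transparent to them as paragraphs [0046] and [0047] describe; a frame whose source MAC is not on the allow list, or that exceeds the budget, is dropped before it is ever sealed, and a frame that fails authentication on the receiving side raises rather than being forwarded.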

[0050] "Virtual private network" (VPN) is a term commonly used to describe the ability to separate private traffic over a public, shared network infrastructure, and is typically a Layer 3 solution. Most of the VPN market is concentrated on Layer 3 tunneling and encryption and therefore incurs the configuration overhead associated with routing decisions, together with the vulnerabilities discussed above.

[0051] In some embodiments, the various functions described above are implemented and supported by a computer program formed from computer readable program code and embodied in a computer usable medium. The phrase "computer readable program code" includes any type of computer code, including source code, object code, and executable code. The phrase "computer usable medium" includes any type of medium capable of being accessed by a computer, such as read only memory (ROM), random access memory (RAM), a hard disk drive, a compact disc (CD), a digital video disc (DVD), or any other type of memory.

[0052] It may be advantageous to set forth definitions of certain words and phrases used throughout this patent document. The term "couple" and its derivatives refer to any direct or indirect communication between two or more elements, whether or not those elements are in physical contact with one another. The term "application" refers to one or more computer programs, sets of instructions, procedures, functions, objects, classes, instances, or related data adapted for implementation in a suitable computer language. The terms "include" and "comprise," as well as derivatives thereof, mean inclusion without limitation. The term "or" is inclusive, meaning and/or. The phrases "associated with" and "associated therewith," as well as derivatives thereof, may mean to include, be included within, interconnect with, contain, be contained within, connect to or with, couple to or with, be communicable with, cooperate with, interleave, juxtapose, be proximate to, be bound to or with, have, have a property of, or the like. The term "controller" means any device, system, or part thereof that controls at least one operation. A controller may be implemented in hardware, firmware, software, or some combination of at least two of the same. The functionality associated with any particular controller may be centralized or distributed, whether locally or remotely.
[0053] While this disclosure has described certain embodiments and generally associated methods, alterations and permutations of these embodiments and methods will be apparent to those skilled in the art. Accordingly, the above description of example embodiments does not define or constrain this disclosure. Other changes, substitutions, and alterations are also possible without departing from the spirit and scope of this disclosure, as defined by the following claims.

Referenced by
Citing patent | Filing date | Publication date | Applicant | Title
CN105162789A * | Sep 21, 2015 | Dec 16, 2015 | 北京鼎普信息技术有限公司 | Data encryption and decryption method and device

Classifications
International Classification: H04L9/00, H04L29/10
Cooperative Classification: H04L63/162, H04L63/1408, H04L63/0428
European Classification: H04L63/04B, H04L63/14A

Legal Events
Date | Code | Event description
Sep 22, 2010 | C06 | Publication
Dec 15, 2010 | C10 | Request of examination as to substance
Dec 4, 2013 | C02 | Deemed withdrawal of patent application after publication (patent law 2001)