
CN117997538B - Stream media encryption and decryption system and method based on PUF technology - Google Patents


Info

Publication number: CN117997538B
Authority: CN (China)
Prior art keywords: module, counter, fpga, streaming media, algorithm
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202410401170.4A
Other languages: Chinese (zh)
Other versions: CN117997538A (en)
Inventors: 马加林, 万泳震
Current assignee: Jiangsu Yuanxin Wangan Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Jiangsu Yuanxin Wangan Technology Co ltd
Events: application filed by Jiangsu Yuanxin Wangan Technology Co ltd; priority to CN202410401170.4A; publication of CN117997538A; application granted; publication of CN117997538B; legal status Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/60 Network streaming of media packets
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Multimedia (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a streaming media encryption and decryption system and an encryption and decryption method based on PUF technology. The PUF technology-based streaming media encryption and decryption method ensures data security by updating the key at regular intervals. The PUF technology-based streaming media encryption and decryption system comprises: a configuration management device, a first FPGA, a second FPGA, a first service CPU and a second service CPU; the first FPGA includes a first counter module; the second FPGA includes a second counter module; the configuration management device is used for generating a final key and issuing the final key to the first FPGA and the second FPGA. The PUF-based key is fetched as needed rather than stored, and a mechanism for updating the key at regular intervals is provided, thereby ensuring the security of streaming media data in network transmission.

Description

Stream media encryption and decryption system and method based on PUF technology
Technical Field
The invention relates to the field of encryption cards and data encryption, in particular to a stream media encryption and decryption system and an encryption and decryption method based on a PUF technology.
Background
The PCIE encryption card design method addresses the security of streaming media during network transmission and is a network security data protection technology. At present, in the design of a PCIE encryption card, a management CPU is usually relied on to manage the key table in the encryption card, and the generated key table resides in the PCIE encryption card.
Referring to FIG. 1 and FIG. 2, the traffic flow of a conventional PCIE encryption card is shown. In FIG. 1, the configuration management CPU first configures keys for the key tables in FPGA1 and FPGA2 respectively, and initializes the key tables stored in the FPGAs. After the key configuration and initialization is completed, in FIG. 2, the service CPU1 issues the collected streaming media data through the PCIE bus; FPGA1 encrypts the payload data in the issued TLP (Transaction Layer Packet), then sequentially classifies, packetizes and encapsulates the encrypted data into UDP (User Datagram Protocol) packets, and sends the UDP packets out of the 10G network port. At the receiving end, FPGA2 decrypts the payload of each network packet after receiving it, sequentially classifies, packetizes and encapsulates the decrypted data into TLP packets, and then uploads the TLP packets over the PCIE bus to CPU2. Throughout the business process, the key table resides permanently in FPGA1 and FPGA2, so there is a risk that network transmission data is deciphered once the key is stolen, causing serious damage to network security.
Therefore, network streaming media messages processed by the traditional PCIE encryption card design carry the risks of key theft, data decoding, damage to network security and the like.
Disclosure of Invention
The invention provides a stream media encryption and decryption system and an encryption and decryption method based on PUF technology.
In order to achieve the purpose of the present invention, a PUF technology-based streaming media encryption and decryption method is provided, when a first service CPU and a first FPGA are used as a transmitting end of streaming media data and a second service CPU and a second FPGA are used as a receiving end of streaming media data, the encryption and decryption method includes the following steps:
S1: the CPU management module confirms that the first computing core module and the second computing core module are ready to receive initialization operation; the CPU management module calls a PUF software module, and the PUF software module extracts the unique physical identifier of the CPU management module from the SRAM memory and generates an intermediate key based on the extracted unique physical identifier of the CPU management module; the third algorithm module hashes the intermediate key and generates a final key;
S2: the third algorithm module sends the final key to the first computing core module and the second computing core module through a third network interface module respectively;
the first computing core module receives the final key through a first network interface module and performs initialization operation; after the initialization operation of the first computing core module is finished, generating a response packet which is successfully initialized by the first computing core module, and returning the response packet to the CPU management module through the first network interface module;
The second computing core module receives the final key through a second network interface module and performs initialization operation; after the initialization operation of the second computing core module is finished, generating a response packet which is successfully initialized by the second computing core module, and returning the response packet to the CPU management module through the second network interface module;
the CPU management module receives a response packet of successful initialization of the first computing core module and a response packet of successful initialization of the second computing core module through a third network interface module respectively; the PUF software module deletes the unique physical identification of the CPU management module and the final key;
S3: the CPU management module sends a query command to the first counter module through the third network interface module to query whether the value of the counter in the first counter module is 0:
If the value of the counter in the first counter module is not equal to 0, entering step S4;
if the value of the counter in the first counter module is equal to 0, step S5 is entered;
S4: the first counter module sends a query result indicating that the value of the counter in the first counter module is not equal to 0 to the CPU management module;
The CPU management module generates a counter resetting command and sends the counter resetting command to the first counter module and the second counter module through the third network interface module respectively; the first counter module receives a command for resetting the counter through the first network interface module, and resets the value of the counter in the first counter module; meanwhile, the second counter module receives a command for resetting the counter through the second network interface module, and resets the value of the counter in the second counter module; then, the process proceeds to step S6;
S5: the CPU management module sends a starting service signal to the first network interface module through the third network interface module; after the first network interface module receives the starting service signal, a first interrupt signal generating module is called; the first interrupt signal generation module generates an interrupt signal and sends the interrupt signal to the first service CPU through a first interface interaction module; the first service CPU receives the interrupt signal and sends the collected streaming media data to the first FPGA;
S6: the first FPGA receives the collected streaming media data through the first interface interaction module; the first DDR control module calls a first DDR module, and the first DDR module caches the collected streaming media data; the first algorithm control module calls the first algorithm module; the first algorithm module calls the first counter module, and the first counter module judges whether the value of the counter in the first counter module is at that moment greater than or equal to a preset threshold value; if the value of the counter in the first counter module is greater than or equal to the preset threshold value, the first counter module uploads the alarm information to the CPU management module through the first network interface module and returns to step S1 to regenerate the final key, while the first FPGA continues to receive the collected streaming media data and stores it in the first DDR module frame by frame; if the value of the counter in the first counter module is smaller than the preset threshold value, step S7 is entered;
S7: the first algorithm control module calls the first algorithm module, and the first algorithm module encrypts the collected streaming media data stored in the first DDR module based on the final key and obtains encrypted streaming media data; the first algorithm module calls the first counter module, and the value of the counter in the first counter module executes the operation of adding 1; the first packaging module packages the encrypted streaming media data into UDP messages and sends the UDP messages to the second FPGA through a network port;
S8: the second FPGA receives the UDP message through a network port; the second unpacking module unpacks the UDP message and obtains stream media data to be decrypted; the second DDR control module calls a second DDR module, and the second DDR module performs cache operation on the streaming media data to be decrypted; the second algorithm control module calls a second algorithm module, and the second algorithm module decrypts the streaming media data to be decrypted stored in the second DDR module based on the final key and obtains decrypted streaming media data; the second algorithm module calls the second counter module, and the value of the counter in the second counter module executes the operation of adding 1; the second algorithm module calls the second counter module, the second counter module judges whether the value of the counter in the second counter module is larger than or equal to the preset threshold value at the moment, if the value of the counter in the second counter module is larger than or equal to the preset threshold value, the second counter module uploads the alarm information to the CPU management module through the second network interface module, the step S1 is returned to regenerate a final key, and meanwhile, the decrypted streaming media data enters the step S9; if the value of the counter in the first counter module is smaller than the preset threshold value, directly entering step S9;
S9: the second algorithm module sends the decrypted streaming media data to the second service CPU through a second interface interaction module.
The invention also provides a streaming media encryption and decryption system based on the PUF technology, which adopts the streaming media encryption and decryption method based on the PUF technology and comprises: the configuration management device, the first FPGA, the second FPGA, the first service CPU and the second service CPU;
the first FPGA includes: the first counter module; the second FPGA includes: the second counter module;
the configuration management device: used for generating the final key and issuing the final key to the first FPGA and the second FPGA;
the first service CPU sends the collected streaming media data to the first FPGA; the first FPGA receives the streaming media data, encrypts the streaming media data based on the final key, and then sends the encrypted streaming media data to the second FPGA; the second FPGA receives the encrypted streaming media data, and decrypts the encrypted streaming media data based on the final key to obtain decrypted streaming media data; the second FPGA sends the decrypted streaming media data to the second service CPU;
the first counter module: used for counting the number of encrypted or decrypted data frames in the first FPGA; and further used for uploading the alarm information to the configuration management device to restart the process of generating the final key;
the second counter module: used for counting the number of encrypted or decrypted data frames in the second FPGA; and further used for uploading the alarm information to the configuration management device to restart the process of generating the final key.
Further, the first service CPU and the first FPGA transfer data through a PCIE bus;
and the second service CPU and the second FPGA transfer data through a PCIE bus.
Further, the configuration management device includes: the CPU management module, the PUF software module, the third algorithm module and the third network interface module; the CPU management module comprises: the SRAM memory;
the CPU management module: used for calling each module in the configuration management device to perform the operations of generating, issuing and deleting the final key;
the PUF software module: used for extracting the unique physical identifier of the CPU management module from the SRAM memory, and generating the intermediate key based on the unique physical identifier of the CPU management module;
the third algorithm module: used for hashing the intermediate key and generating the final key;
the third network interface module: used for issuing the final key to the first FPGA and the second FPGA respectively.
Further, the first FPGA further includes: the first algorithm module, the first algorithm control module, the first DDR control module, the first packet module, the first unpacking module, the first network interface module, the first interface interaction module and the first interrupt signal generation module;
the second FPGA further includes: the second algorithm module, the second algorithm control module, the second DDR control module, the second packet module, the second unpacking module, the second network interface module, the second interface interaction module and the second interrupt signal generation module;
the first algorithm module and the second algorithm module: both used for encrypting or decrypting the collected streaming media data;
the first algorithm control module and the second algorithm control module: used for calling the first algorithm module and the second algorithm module respectively to carry out the encryption or decryption operation;
the first DDR module and the second DDR module: both used for caching streaming media data during the encryption or decryption process;
the first DDR control module and the second DDR control module: used for calling the streaming media data cached in the first DDR module and the second DDR module respectively during the encryption or decryption process;
the first packet module and the second packet module: both used for packaging the streaming media data during the encryption process;
the first unpacking module and the second unpacking module: both used for unpacking the streaming media data during the decryption process;
the first network interface module and the second network interface module: used for exchanging data packets with the configuration management device respectively;
the first interface interaction module and the second interface interaction module: used for exchanging data packets with the first service CPU and the second service CPU respectively;
the first interrupt signal generation module and the second interrupt signal generation module: used for generating the interrupt signal and sending it to the first service CPU and the second service CPU respectively.
Further, the first algorithm module includes: the first computing core module;
the second algorithm module includes: the second computing core module;
the first computing core module and the second computing core module: both used for managing the final key issued by the configuration management device.
Compared with the prior art, the invention has the following beneficial technical effects:
In the invention, the PUF-based key is fetched as needed and is not stored, and a mechanism for updating the key at regular intervals is provided, so that the security of streaming media data in network transmission is ensured.
Drawings
FIG. 1 is a flow chart of a PCIE streaming media encryption card in the prior art;
FIG. 2 is a block diagram of a prior art management CPU configuring a key table;
FIG. 3 is a flow diagram of a PUF technology-based streaming media encryption and decryption method according to one embodiment;
FIG. 4 is a block diagram of a PUF technology-based streaming media encryption and decryption system of one embodiment;
FIG. 5 is a schematic flow diagram of a PUF technology-based streaming media encryption and decryption system according to one embodiment;
FIG. 6 is a flow diagram of the reboot key-update process of one embodiment;
FIG. 7 is a schematic diagram of the key switching process between the FPGA end and the configuration management device end in one embodiment;
FIG. 8 is a schematic diagram of the sender service processing flow in one embodiment;
FIG. 9 is a schematic diagram of the receiver service processing flow according to one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
Referring to FIG. 3, which is a flow chart of a PUF technology-based streaming media encryption and decryption method according to one embodiment: when a first service CPU and a first FPGA are used as the transmitting end of streaming media data and a second service CPU and a second FPGA are used as the receiving end of the streaming media data, the streaming media encryption and decryption method based on the PUF technology comprises the following steps:
S1: the CPU management module confirms that the first computing core module and the second computing core module are ready to receive initialization operation; the CPU management module calls a PUF software module, and the PUF software module extracts the unique physical identifier of the CPU management module from the SRAM memory and generates an intermediate key based on the extracted unique physical identifier of the CPU management module; the third algorithm module hashes the intermediate key and generates a final key;
S2: the third algorithm module sends the final key to the first computing core module and the second computing core module through a third network interface module respectively;
the first computing core module receives the final key through a first network interface module and performs initialization operation; after the initialization operation of the first computing core module is finished, generating a response packet which is successfully initialized by the first computing core module, and returning the response packet to the CPU management module through the first network interface module;
The second computing core module receives the final key through a second network interface module and performs initialization operation; after the initialization operation of the second computing core module is finished, generating a response packet which is successfully initialized by the second computing core module, and returning the response packet to the CPU management module through the second network interface module;
the CPU management module receives a response packet of successful initialization of the first computing core module and a response packet of successful initialization of the second computing core module through a third network interface module respectively; the PUF software module deletes the unique physical identification of the CPU management module and the final key;
S3: the CPU management module sends a query command to the first counter module through the third network interface module to query whether the value of the counter in the first counter module is 0:
If the value of the counter in the first counter module is not equal to 0, entering step S4;
if the value of the counter in the first counter module is equal to 0, step S5 is entered;
S4: the first counter module sends a query result indicating that the value of the counter in the first counter module is not equal to 0 to the CPU management module;
The CPU management module generates a counter resetting command and sends the counter resetting command to the first counter module and the second counter module through the third network interface module respectively; the first counter module receives a command for resetting the counter through the first network interface module, and resets the value of the counter in the first counter module; meanwhile, the second counter module receives a command for resetting the counter through the second network interface module, and resets the value of the counter in the second counter module; then, the process proceeds to step S6;
S5: the CPU management module sends a starting service signal to the first network interface module through the third network interface module; after the first network interface module receives the starting service signal, a first interrupt signal generating module is called; the first interrupt signal generation module generates an interrupt signal and sends the interrupt signal to the first service CPU through a first interface interaction module; the first service CPU receives the interrupt signal and sends the collected streaming media data to the first FPGA;
S6: the first FPGA receives the collected streaming media data through the first interface interaction module; the first DDR control module calls a first DDR module, and the first DDR module caches the collected streaming media data; the first algorithm control module calls the first algorithm module; the first algorithm module calls the first counter module, and the first counter module judges whether the value of the counter in the first counter module is at that moment greater than or equal to a preset threshold value; if the value of the counter in the first counter module is greater than or equal to the preset threshold value, the first counter module uploads the alarm information to the CPU management module through the first network interface module and returns to step S1 to regenerate the final key, while the first FPGA continues to receive the collected streaming media data and stores it in the first DDR module frame by frame; if the value of the counter in the first counter module is smaller than the preset threshold value, step S7 is entered;
S7: the first algorithm control module calls the first algorithm module, and the first algorithm module encrypts the collected streaming media data stored in the first DDR module based on the final key and obtains encrypted streaming media data; the first algorithm module calls the first counter module, and the value of the counter in the first counter module executes the operation of adding 1; the first packaging module packages the encrypted streaming media data into UDP messages and sends the UDP messages to the second FPGA through a network port;
S8: the second FPGA receives the UDP message through a network port; the second unpacking module unpacks the UDP message and obtains stream media data to be decrypted; the second DDR control module calls a second DDR module, and the second DDR module performs cache operation on the streaming media data to be decrypted; the second algorithm control module calls a second algorithm module, and the second algorithm module decrypts the streaming media data to be decrypted stored in the second DDR module based on the final key and obtains decrypted streaming media data; the second algorithm module calls the second counter module, and the value of the counter in the second counter module executes the operation of adding 1; the second algorithm module calls the second counter module, the second counter module judges whether the value of the counter in the second counter module is larger than or equal to the preset threshold value at the moment, if the value of the counter in the second counter module is larger than or equal to the preset threshold value, the second counter module uploads the alarm information to the CPU management module through the second network interface module, the step S1 is returned to regenerate a final key, and meanwhile, the decrypted streaming media data enters the step S9; if the value of the counter in the first counter module is smaller than the preset threshold value, directly entering step S9;
S9: the second algorithm module sends the decrypted streaming media data to the second service CPU through a second interface interaction module.
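The following Python simulation is an added illustration, not code from the patent, of the key lifecycle in steps S1 to S9 as laid out in the Disclosure of Invention and again in the Detailed Description: the configuration management device derives the final key from a constructed SRAM PUF response, issues it to both FPGAs and then deletes its own copies, the start-up path queries and resets the counters (S3 to S5), and the counter modules raise the alarm that forces a fresh key once the preset threshold is reached. The keystream cipher, the use of the counter value as the per-frame nonce, and the fresh salt mixed into the intermediate key are my assumptions; the patent does not specify any of them.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the SRAM power-up pattern a real SRAM PUF would read.
SRAM_PUF_RESPONSE = bytes.fromhex("a3f19c0274e8b15d6c3e0f9a1b7d4e22" * 2)


def keystream_cipher(key, frame_no, data):
    """Stand-in for the unspecified algorithm module (assumption): XOR with an
    HMAC-SHA256 keystream bound to the key and the counter value of the frame."""
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        info = frame_no.to_bytes(8, "big") + blk.to_bytes(4, "big")
        ks = hmac.new(key, info, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[blk * 32:(blk + 1) * 32], ks))
    return bytes(out)


class Fpga:
    """One FPGA: the computing core holding the final key plus its counter module."""
    def __init__(self, threshold):
        self.threshold = threshold                     # preset threshold of the counter module
        self.counter, self.key, self.ddr = 0, None, []  # ddr: frames cached during a rekey

    def initialize(self, final_key):    # S2: core takes the key, returns init-success response
        self.key = final_key
        return "init_ok"

    def reset_counter(self):            # S4: counter reset command via the network interface
        self.counter = 0

    def encrypt(self, frame):
        """S6/S7: returns (ciphertext, alarm); on alarm the frame stays cached in DDR."""
        if self.counter >= self.threshold:
            self.ddr.append(frame)
            return None, True
        ct = keystream_cipher(self.key, self.counter, frame)
        self.counter += 1
        return ct, False

    def decrypt(self, ct):
        """S8: decrypt, count, then check the threshold; data still flows on alarm."""
        pt = keystream_cipher(self.key, self.counter, ct)
        self.counter += 1
        return pt, self.counter >= self.threshold


class ConfigManager:
    """CPU management module, PUF software module and third algorithm module."""
    def __init__(self, sram_response):
        self.sram_response = sram_response
        self.identifier = self.final_key = None
        self.rekeys = 0

    def generate_final_key(self):       # S1: PUF identifier -> intermediate key -> final key
        self.identifier = hashlib.sha256(self.sram_response).digest()
        # Assumption: a fresh salt is mixed in so each regeneration yields a new key.
        intermediate = hmac.new(self.identifier, os.urandom(16), hashlib.sha256).digest()
        self.final_key = hashlib.sha256(b"final-key|" + intermediate).digest()
        return self.final_key

    def issue_key(self, fpga1, fpga2):  # S2: issue, collect responses, delete local copies
        acks = [fpga1.initialize(self.final_key), fpga2.initialize(self.final_key)]
        if acks != ["init_ok", "init_ok"]:
            raise RuntimeError("computing core failed to initialize")
        self.identifier = self.final_key = None        # PUF software module deletes both
        return acks

    def start_service(self, fpga1, fpga2):  # S3: query first counter; S4 reset or S5 start
        if fpga1.counter != 0:
            fpga1.reset_counter()
            fpga2.reset_counter()
            return "S4"
        return "S5"

    def rekey(self, fpga1, fpga2):      # alarm path: back to S1, then S3/S4, resume at S6
        self.rekeys += 1
        self.generate_final_key()
        self.issue_key(fpga1, fpga2)
        return self.start_service(fpga1, fpga2)


def run_stream(frames, threshold=3):
    """Drive frames from FPGA1 to FPGA2; returns (delivered frames, rekeys, step paths)."""
    cm = ConfigManager(SRAM_PUF_RESPONSE)
    tx, rx = Fpga(threshold), Fpga(threshold)
    cm.generate_final_key()
    cm.issue_key(tx, rx)
    paths = [cm.start_service(tx, rx)]
    delivered = []
    for frame in frames:
        ct, alarm = tx.encrypt(frame)
        if alarm:                                      # sender-side alarm from S6
            paths.append(cm.rekey(tx, rx))
            ct, _ = tx.encrypt(tx.ddr.pop(0))          # resume with the cached frame
        pt, alarm = rx.decrypt(ct)
        delivered.append(pt)                           # S9: handed to the second service CPU
        if alarm:                                      # receiver-side alarm from S8
            paths.append(cm.rekey(tx, rx))
    return delivered, cm.rekeys, paths
```

With a threshold of 3 and seven frames, `run_stream` delivers every frame unchanged, rekeys twice, and records the start-up path S5 followed by the S4 reset path on each rekey.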
Fig. 4 is a schematic block diagram of a PUF technology-based streaming media encryption and decryption system according to one embodiment. The stream media encryption and decryption system based on the PUF technology adopts the stream media encryption and decryption method based on the PUF technology, and comprises the following steps: the configuration management device, the first FPGA, the second FPGA, the first service CPU and the second service CPU;
the first FPGA includes: the first counter module; the second FPGA includes: the second counter module;
the configuration management device: the final key is used for generating and transmitting the final key to the first FPGA and the second FPGA;
The first service CPU sends the collected streaming media data to the first FPGA; the first FPGA receives the streaming media data, encrypts the streaming media data based on the final key, and then sends the encrypted streaming media data to the second FPGA; the second FPGA receives the encrypted streaming media data, and decrypts the encrypted streaming media data based on the final key to obtain decrypted streaming media data; the second FPGA sends the decrypted streaming media data to the second service CPU;
The first counter module: the method comprises the steps of counting the number of encrypted or decrypted data frames in the first FPGA; and further for uploading the alert information to the configuration management device to restart the process of generating the final key;
The second counter module: the method comprises the steps of counting the number of encrypted or decrypted data frames in the second FPGA; and is further configured to upload the alert information to the configuration management device to restart the process of generating the final key.
In one embodiment, the first service CPU and the first FPGA transfer data through a PCIE bus;
and the second service CPU and the second FPGA transmit data through a PCIE bus.
In one embodiment, the configuration management device includes: the CPU management module, the PUF software module, the third algorithm module and the third network interface module; the CPU management module comprises: the SRAM memory;
the CPU management module: used for calling each module in the configuration management device to perform the operations of generating, issuing and deleting the final key;
The PUF software module: used for extracting the unique physical identifier of the CPU management module from the SRAM memory, and for generating the intermediate key based on that unique physical identifier;
The third algorithm module: used for hashing the intermediate key and generating the final key;
The third network interface module: used for issuing the final key to the first FPGA and the second FPGA respectively.
In one embodiment, the first FPGA further comprises: the first algorithm module, the first algorithm control module, the first DDR control module, the first packet module, the first unpacking module, the first network interface module, the first interface interaction module and the first interrupt signal generation module;
the second FPGA further includes: the second algorithm module, the second algorithm control module, the second DDR control module, the second packet module, the second unpacking module, the second network interface module, the second interface interaction module, and the second interrupt signal generation module;
the first algorithm module and the second algorithm module: all are used for encrypting or decrypting the collected streaming media data;
the first algorithm control module and the second algorithm control module: the method comprises the steps of respectively calling the first algorithm module and the second algorithm module to carry out encryption or decryption operation;
The first DDR module and the second DDR module: all are used for caching streaming media data in the encryption or decryption process;
The first DDR control module and the second DDR control module: the method comprises the steps of respectively calling streaming media data in the encryption or decryption process of the first DDR module and the second DDR module;
the first and second packet modules: all are used for carrying out the package operation on the stream media data in the encryption process;
the first unpacking module and the second unpacking module: the method is used for unpacking the streaming media data in the decryption process;
the first network interface module and the second network interface module: both used for exchanging data packets with the configuration management device;
the first interface interaction module and the second interface interaction module: used for exchanging data packets with the first service CPU and the second service CPU respectively;
the first interrupt signal generation module and the second interrupt signal generation module: used for generating the interrupt signal and sending it to the first service CPU and the second service CPU respectively.
In one embodiment, the first algorithm module includes: the first computing core module;
the second algorithm module includes: the second computing core module;
the first computing core module and the second computing core module: are used for managing the final key issued by the configuration management device.
In one embodiment, when step S1 has just started, the CPU management module sends the first computing core module and the second computing core module request packets asking whether each of them is ready for the next initialization operation; the first computing core module and the second computing core module receive the request packets, and once a module is ready for initialization it returns a response packet to the CPU management module; after receiving both response packets, the CPU management module starts the following encryption and decryption service flow.
In one embodiment, the PUF software module of the configuration management device extracts the unique device physical identifier of the CPU management module from the SRAM memory of the CPU management module, and generates a final key through a series of algorithmic operations.
The CPU management module directly transmits the final key to the respective computing cores of the first FPGA and the second FPGA through SGMII gigabit network ports for algorithm initialization, that is, so that the computing cores are able to start operating.
After the configuration management device receives, through the SGMII (Serial Gigabit Media Independent Interface) gigabit network ports, the packets returned by the first FPGA and the second FPGA confirming that final key initialization is complete, the PUF software module immediately deletes the physical identifier and every trace of the final key from the CPU management module, and the final key is regenerated whenever it is needed again.
During encryption and decryption of the streaming media data stream on the service plane, periodic key updates are supported. In general, only the first counter module of the first FPGA, which acts as the service sending end, needs to report the key update request: because data frames flow from the first FPGA to the second FPGA, the timer in the first counter module is necessarily ahead of the timer in the second counter module, so the first FPGA is necessarily the first to report the key update request. The second FPGA's ability to report a key update request is reserved for the case in which the CPU management module, after the first FPGA's key update request, finds that the counters in the first FPGA and the second FPGA are inconsistent: the second FPGA then also reports a key update request and the configuration management module updates the key again. At that point the timer in the first FPGA is fixed and necessarily equals the timer in the second FPGA, so the system either waits for the CPU management module to update the key, or clears the counters directly, and the service flow continues.
In one embodiment, as shown in fig. 5 and 6, when the whole system is started, the configuration management device first applies for a section of SRAM memory space, i.e., the SRAM memory; the PUF software module extracts the unique physical identifier of the device from the SRAM memory and invokes the PUF algorithm to generate an intermediate key, which is a fixed string of 128 or 256 bits; the third algorithm module then hashes the intermediate key to generate the final key. The CPU management module queries the interface state of the first computing core and the second computing core through the SGMII gigabit network ports, and, once the interfaces of both computing cores are ready, directly issues the final key to the first computing core and the second computing core for algorithm initialization.
The CPU management module receives, through the SGMII gigabit network port, the response packets sent after the initialization of the first computing core and the second computing core has finished; the PUF software module then deletes the unique physical identifier of the device and the key traces generated earlier, until the next time the key generation process is restarted.
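The key generation cycle described above (SRAM identifier, PUF algorithm, intermediate key, hash, deletion of traces), as an added Python example that is not part of the patent. The patent does not name the PUF algorithm or the hash; this example assumes a repetition-code secure sketch (helper data produced once at enrollment) to turn a noisy SRAM power-up pattern into a stable 128-bit intermediate key, and SHA-256 as the hash; the SRAM contents and the noise pattern are constructed.

```python
import hashlib

# Constructed parameters (not from the patent): the page says the intermediate
# key is 128 or 256 bits; this example uses 128 bits and a 7-fold repetition
# code, so 7 * 128 = 896 SRAM power-up bits are read per derivation.
KEY_BITS = 128
REPEAT = 7
N_BITS = KEY_BITS * REPEAT


def sram_powerup_bits(chip_seed: bytes, flip_every: int = 0) -> list:
    """Stand-in for reading the SRAM power-up state of one chip.

    The stable pattern is expanded from chip_seed (a constructed stand-in for
    the silicon's manufacturing variation). flip_every > 0 flips every
    flip_every-th bit to model the read-to-read noise of a real SRAM PUF.
    """
    bits = []
    block = 0
    while len(bits) < N_BITS:
        digest = hashlib.sha256(chip_seed + block.to_bytes(4, "big")).digest()
        for byte in digest:
            bits.extend((byte >> k) & 1 for k in range(8))
        block += 1
    bits = bits[:N_BITS]
    if flip_every:
        for i in range(0, N_BITS, flip_every):
            bits[i] ^= 1
    return bits


def enroll(response: list) -> bytes:
    """One-time enrollment (repetition-code secure sketch): for each group of
    REPEAT response bits store r[j] XOR r[0], j = 1..REPEAT-1, one byte per bit.
    The helper data reveals only intra-group parities, never the anchor r[0]."""
    helper = []
    for g in range(KEY_BITS):
        grp = response[g * REPEAT:(g + 1) * REPEAT]
        helper.extend(grp[j] ^ grp[0] for j in range(1, REPEAT))
    return bytes(helper)


def reproduce(response: list, helper: bytes) -> bytes:
    """Recover the 128 anchor bits from a (noisy) response by majority vote in
    each group and pack them into the 16-byte intermediate key. Up to three
    flipped bits per group of seven are corrected."""
    key_bits = []
    h = 0
    for g in range(KEY_BITS):
        grp = response[g * REPEAT:(g + 1) * REPEAT]
        votes = [grp[0]]
        for j in range(1, REPEAT):
            votes.append(grp[j] ^ helper[h])   # equals r[0] XOR noise on bit j
            h += 1
        key_bits.append(1 if 2 * sum(votes) > REPEAT else 0)
    packed = bytearray(KEY_BITS // 8)
    for i, bit in enumerate(key_bits):
        packed[i // 8] |= bit << (i % 8)
    return bytes(packed)


def derive_final_key(intermediate: bytes) -> bytes:
    """The third algorithm module's hash step. SHA-256 is this example's
    choice; the patent does not name the hash function."""
    return hashlib.sha256(intermediate).digest()


def zeroize(buf: bytearray) -> None:
    """Overwrite a working buffer in place, as the PUF software module does with
    the identifier and key traces once both computing cores have acknowledged."""
    for i in range(len(buf)):
        buf[i] = 0


def key_generation_cycle(chip_seed: bytes, helper: bytes, flip_every: int = 0):
    """One generation cycle: read SRAM, reproduce the intermediate key, hash it
    to the final key, then wipe the local traces. Returns (final_key, wiped)."""
    response = bytearray(sram_powerup_bits(chip_seed, flip_every))
    intermediate = bytearray(reproduce(list(response), helper))
    final_key = derive_final_key(bytes(intermediate))
    zeroize(intermediate)   # after issue, the final key lives only in the cores
    zeroize(response)
    wiped = not any(intermediate) and not any(response)
    return final_key, wiped
```

Every cycle reproduces the same final key from the same chip despite read noise, while the helper data alone, or another chip's SRAM, does not yield it.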
In the operation process of the streaming media encryption and decryption system based on the PUF technology, at the transmitting end:
the first service CPU issues the collected streaming media data over the PCIe (Peripheral Component Interconnect Express, a PCI-family computer bus) DMA (Direct Memory Access) bus, and the streaming media data is first cached in DDR inside the first FPGA; the first FPGA reads the DDR (double data rate synchronous dynamic random access memory) cached data and encrypts it; the first FPGA encapsulates the encrypted data into UDP messages; the first FPGA sends the packaged messages out through a 10G network port;
at the receiving end:
the second FPGA receives data through a 10G network port; the second FPGA unpacks the received network message and then performs DDR buffering on the encrypted message; the second FPGA reads the DDR cache and calls the second algorithm module to decrypt the encrypted message; the second FPGA uploads the decrypted data packet to the second service CPU (CPU2) through the PCIe DMA bus.
In one embodiment, when the second service CPU and the second FPGA are used as the transmitting end and the first service CPU and the first FPGA are used as the receiving end, the service operation flows are the same.
In one embodiment, as shown in fig. 7, in the key switching process flow of the first FPGA, the second FPGA and the configuration management device, when the system configures the final key in the first round, after confirming that each algorithm module in the first FPGA and the second FPGA is idle and operable, the final key is sent to the first FPGA and the second FPGA respectively for initialization. The CPU management module then checks whether the value of the counter in the first FPGA (the transmitting end) is 0; since the system has only just started operating, that counter value is 0, so the CPU management module sends a service start signal to the first FPGA, and the first FPGA raises an interrupt to notify the first service CPU to start transmitting video stream data, which starts the service flow.
The counter of the first counter module in the first FPGA counts the encrypted frame entries, and when the frame count threshold set in advance is reached, the first FPGA uploads an alarm signal to the CPU management module, notifying it to generate a new key. Video stream data is transmitted frame by frame, so the counters in the first FPGA and the second FPGA count data frames: the first counter module is responsible for counting the number of encrypted data frames, and the second counter module is responsible for counting the number of decrypted data frames.
After the configuration management device generates a new final key by the process above and completes the final key initialization of the first computing core module and the second computing core module, it again checks whether the value of the counter is 0; since the counter value is not 0, the CPU management module notifies the first counter module and the second counter module to set their counter values to 0, and the encryption and decryption service flow of the streaming media data then continues. During this period, the data packets at the first FPGA and the second FPGA are buffered in their respective DDR modules.
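The key switching flow just described, together with steps S1 to S9 of the method (which the claims restate), as an added Python simulation that is not part of the patent: a sender FPGA, a receiver FPGA and the CPU management module, with the per-frame counters, the threshold alarm, the counter-zero query and the reset. The cipher, the key source, the threshold, the pipeline depth and the draining of in-flight frames under the old key during a rekey are this example's assumptions, and the frames are constructed.

```python
import hashlib
import secrets

# Constructed parameters (not from the patent).
THRESHOLD = 4    # frames per key before a counter module raises its alarm
PIPELINE = 2     # frames in flight between the FPGAs before the receiver decrypts


def frame_cipher(key: bytes, seq: int, data: bytes) -> bytes:
    """Stand-in for the algorithm modules' cipher (the patent names none): XOR
    with a SHA-256 keystream bound to the key and the frame sequence number.
    The same call encrypts and decrypts."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + seq.to_bytes(8, "big") + bytes([block])).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Fpga:
    """An FPGA's computing core (key), DDR buffer and counter module."""
    def __init__(self):
        self.key, self.counter, self.alarms, self.ddr = None, 0, 0, []

    def over_threshold(self) -> bool:
        """Counter-module check; an alarm goes up to the CPU management module."""
        if self.counter >= THRESHOLD:
            self.alarms += 1
            return True
        return False

    def process(self, seq: int, data: bytes) -> bytes:
        """Encrypt or decrypt one frame with the current key and count it (+1)."""
        self.counter += 1
        return frame_cipher(self.key, seq, data)


class ConfigManager:
    """CPU management module: generates the final key and manages counters."""
    def __init__(self):
        self.generation, self.log = 0, []

    def generate_final_key(self) -> bytes:
        # Stand-in for PUF extraction plus hashing: a fresh random key per round.
        self.generation += 1
        return hashlib.sha256(secrets.token_bytes(16)).digest()

    def provision(self, tx: Fpga, rx: Fpga) -> None:
        """S1-S5: issue the key to both cores, then query the sender's counter;
        a non-zero value means this is a rekey, so both counters are reset (S4)."""
        tx.key = rx.key = self.generate_final_key()
        if tx.counter != 0:
            tx.counter = rx.counter = 0
            self.log.append(f"gen{self.generation}: counters reset")
        else:
            self.log.append(f"gen{self.generation}: service start")   # S5


class Link:
    """Sender FPGA -> UDP -> receiver FPGA, with the management plane above."""
    def __init__(self):
        self.mgr, self.tx, self.rx = ConfigManager(), Fpga(), Fpga()
        self.wire, self.received, self.rekeys = [], [], 0
        self.mgr.provision(self.tx, self.rx)       # first-round key

    def rx_one(self) -> None:
        """S8: take one UDP message, DDR-cache, decrypt, count, post-check."""
        seq, ct = self.wire.pop(0)
        self.rx.ddr.append(ct)
        self.received.append(self.rx.process(seq, self.rx.ddr.pop(0)))
        self.rx.over_threshold()   # reserved alarm path; answered in provision()

    def rekey(self) -> None:
        # Assumption: frames still in flight are decrypted under the old key
        # before the new one is installed; the patent does not say how such
        # frames are handled. Draining also lets the receiver's counter catch up.
        while self.wire:
            self.rx_one()
        self.mgr.provision(self.tx, self.rx)
        self.rekeys += 1

    def send(self, seq: int, frame: bytes) -> None:
        """S6-S7: DDR-cache the frame, check the counter, encrypt, packetize."""
        self.tx.ddr.append(frame)
        if self.tx.over_threshold():               # -> back to S1
            self.rekey()
        self.wire.append((seq, self.tx.process(seq, self.tx.ddr.pop(0))))
        while len(self.wire) > PIPELINE:
            self.rx_one()

    def finish(self) -> None:
        while self.wire:
            self.rx_one()


def run(frames: list) -> dict:
    """Push a frame sequence through the link and report what happened."""
    link = Link()
    for seq, frame in enumerate(frames, start=1):
        link.send(seq, frame)
    link.finish()
    return {"received": link.received, "rekeys": link.rekeys,
            "generation": link.mgr.generation, "tx_alarms": link.tx.alarms,
            "rx_alarms": link.rx.alarms, "log": link.mgr.log}
```

With ten frames and a threshold of four, the sender's counter triggers two rekeys; the receiver's counter reaches the threshold only while its buffered frames are drained, which is the inconsistent-counter case the management module resolves by clearing both counters.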
In one embodiment, as shown in fig. 8, when the first FPGA is used as the transmitting end, after the first service CPU receives the interrupt request sent by the first FPGA, starting PCIE DMA transmission, and sending streaming media data to the first FPGA;
the first FPGA firstly carries out DDR buffering on streaming media data issued by PCIE through a first DDR control module; reading DDR cached data frames through a first algorithm control module in the first FPGA; the first algorithm control module completes interaction with the first algorithm module, the first algorithm control module detects the states of all the algorithm modules, and if the first algorithm module is in an idle state, the first algorithm control module can fetch data from a cache of the first DDR module and send the data to the first algorithm module, so that full-load operation of the algorithm is ensured; a first FPGA internal counter calculates the number of the entries of the encrypted data frame; the first FPGA packages the encrypted data frame into a network UDP message through a first packaging module; and sending the generated network UDP message out through a 10G optical port in the first FPGA.
In one embodiment, as shown in fig. 9, when the second FPGA is used as the receiving end, the second FPGA receives the data arriving on the 10G port; the second FPGA parses the received network message and stores the data frame payload in the second DDR module; the second DDR control module in the second FPGA reads the data frames from the DDR cache whenever, through interaction with the second algorithm module, it detects that the internal algorithm is idle; the second algorithm control module calls the second algorithm module so that the algorithm runs at full load; the counter inside the second FPGA counts the number of decrypted data frame entries; and the decrypted streaming media data is sent to the second service CPU through a 10G optical port by the second interface interaction module in the second FPGA. Thus the secure transmission of the streaming media data over the network is completed.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
It should be noted that, the term "first\second\third" related to the embodiment of the present application is merely to distinguish similar objects, and does not represent a specific order for the objects, it is to be understood that "first\second\third" may interchange a specific order or sequence where allowed. It is to be understood that the "first\second\third" distinguishing aspects may be interchanged where appropriate to enable embodiments of the application described herein to be implemented in sequences other than those illustrated or described.
The terms "comprising" and "having" and any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, apparatus, article, or device that comprises a list of steps or modules is not limited to the particular steps or modules listed and may optionally include additional steps or modules not listed or inherent to such process, method, article, or device.
The above examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims (3)

1. The stream media encryption and decryption method based on PUF technology is characterized in that,
When the first service CPU and the first FPGA are used as a sending end of the streaming media data and the second service CPU and the second FPGA are used as a receiving end of the streaming media data, the encryption and decryption method comprises the following steps:
S1: the CPU management module confirms that the first computing core module and the second computing core module are ready to receive initialization operation; the CPU management module calls a PUF software module, and the PUF software module extracts the unique physical identifier of the CPU management module from the SRAM memory and generates an intermediate key based on the extracted unique physical identifier of the CPU management module; the third algorithm module hashes the intermediate key and generates a final key;
S2: the third algorithm module sends the final key to the first computing core module and the second computing core module through a third network interface module respectively;
the first computing core module receives the final key through a first network interface module and performs initialization operation; after the initialization operation of the first computing core module is finished, generating a response packet which is successfully initialized by the first computing core module, and returning the response packet to the CPU management module through the first network interface module;
The second computing core module receives the final key through a second network interface module and performs initialization operation; after the initialization operation of the second computing core module is finished, generating a response packet which is successfully initialized by the second computing core module, and returning the response packet to the CPU management module through the second network interface module;
the CPU management module receives a response packet of successful initialization of the first computing core module and a response packet of successful initialization of the second computing core module through a third network interface module respectively; the PUF software module deletes the unique physical identification of the CPU management module and the final key;
S3: the CPU management module sends a query command to the first counter module through the third network interface module to query whether the value of the counter in the first counter module is 0,
If the value of the counter in the first counter module is not equal to 0, entering step S4;
if the value of the counter in the first counter module is equal to 0, step S5 is entered;
S4: the first counter module sends a query result of which the value of a counter in the first counter module is not equal to 0 to the CPU management module;
The CPU management module generates a counter resetting command and sends the counter resetting command to the first counter module and the second counter module through the third network interface module respectively; the first counter module receives a command for resetting the counter through the first network interface module, and resets the value of the counter in the first counter module; meanwhile, the second counter module receives a command for resetting the counter through the second network interface module, and resets the value of the counter in the second counter module; then, the process proceeds to step S6;
S5: the CPU management module sends a starting service signal to the first network interface module through the third network interface module; after the first network interface module receives the starting service signal, a first interrupt signal generating module is called; the first interrupt signal generation module generates an interrupt signal and sends the interrupt signal to the first service CPU through a first interface interaction module; the first service CPU receives the interrupt signal and sends the collected streaming media data to the first FPGA;
S6: the first FPGA receives the collected streaming media data through the first interface interaction module; the first DDR control module calls a first DDR module, and the first DDR module performs cache operation on the collected streaming media data; the first algorithm control module calls the first algorithm module; the first algorithm module calls the first counter module, the first counter module judges whether the value of a counter in the first counter module is larger than or equal to a preset threshold value at the moment, if the value of the counter in the first counter module is larger than or equal to the preset threshold value, the first counter module uploads alarm information to the CPU management module through the first network interface module, returns to the step S1 to regenerate the final secret key, and meanwhile, the first FPGA continuously receives the collected streaming media data and stores the streaming media data in the first DDR module one by one; if the value of the counter in the first counter module is smaller than the preset threshold value, entering step S7;
S7: the first algorithm control module calls the first algorithm module, and the first algorithm module encrypts the collected streaming media data stored in the first DDR module based on the final key and obtains encrypted streaming media data; the first algorithm module calls the first counter module, and the value of the counter in the first counter module executes the operation of adding 1; the first packaging module packages the encrypted streaming media data into UDP messages and sends the UDP messages to the second FPGA through a network port;
S8: the second FPGA receives the UDP message through a network port; the second unpacking module unpacks the UDP message and obtains stream media data to be decrypted; the second DDR control module calls a second DDR module, and the second DDR module performs cache operation on the streaming media data to be decrypted; the second algorithm control module calls a second algorithm module, and the second algorithm module decrypts the streaming media data to be decrypted stored in the second DDR module based on the final key and obtains decrypted streaming media data; the second algorithm module calls the second counter module, and the value of the counter in the second counter module executes the operation of adding 1; the second algorithm module calls the second counter module, the second counter module judges whether the value of the counter in the second counter module is larger than or equal to the preset threshold value at the moment, if the value of the counter in the second counter module is larger than or equal to the preset threshold value, the second counter module uploads the alarm information to the CPU management module through the second network interface module, the step S1 is returned to regenerate a final key, and meanwhile, the decrypted streaming media data enters the step S9; if the value of the counter in the first counter module is smaller than the preset threshold value, directly entering step S9;
S9: and the second algorithm module sends the decrypted streaming media data to the second service CPU through a second interface interaction module.
2. The stream media encryption and decryption system based on the PUF technology adopts the stream media encryption and decryption method based on the PUF technology as set forth in claim 1, and is characterized in that the system comprises: the configuration management device, the first FPGA, the second FPGA, the first service CPU and the second service CPU;
the first FPGA includes: the first counter module; the second FPGA includes: the second counter module;
the configuration management device: used for generating the final key and transmitting it to the first FPGA and the second FPGA;
The first service CPU sends the collected streaming media data to the first FPGA; the first FPGA receives the streaming media data, encrypts the streaming media data based on the final key, and then sends the encrypted streaming media data to the second FPGA; the second FPGA receives the encrypted streaming media data, and decrypts the encrypted streaming media data based on the final key to obtain decrypted streaming media data; the second FPGA sends the decrypted streaming media data to the second service CPU;
The first counter module: used for counting the number of encrypted or decrypted data frames in the first FPGA; and further for uploading the alarm information to the configuration management device to restart the process of generating the final key;
the second counter module: used for counting the number of encrypted or decrypted data frames in the second FPGA; and further for uploading the alarm information to the configuration management device to restart the process of generating the final key;
the configuration management device includes: the CPU management module, the PUF software module, the third algorithm module and the third network interface module; the CPU management module comprises: the SRAM memory;
the CPU management module: used for calling each module in the configuration management device to perform the operations of generating, issuing and deleting the final key;
The PUF software module: used for extracting a unique physical identifier of the CPU management module from the SRAM memory, and for generating the intermediate key based on that unique physical identifier;
The third algorithm module: used for hashing the intermediate key and generating the final key;
The third network interface module: used for issuing the final key to the first FPGA and the second FPGA respectively;
The first FPGA further includes: the first algorithm module, the first algorithm control module, the first DDR control module, the first packet unpacking module, the first network interface module, the first interface interaction module and the first interrupt signal generation module;
the second FPGA further includes: the second algorithm module, the second algorithm control module, the second DDR control module, a second packet module, the second packet unpacking module, the second network interface module, the second interface interaction module, and a second interrupt signal generating module;
the first algorithm module and the second algorithm module: all are used for encrypting or decrypting the collected streaming media data;
the first algorithm control module and the second algorithm control module: the method comprises the steps of respectively calling the first algorithm module and the second algorithm module to carry out encryption or decryption operation;
The first DDR module and the second DDR module: all are used for caching streaming media data in the encryption or decryption process;
The first DDR control module and the second DDR control module: the method comprises the steps of respectively calling streaming media data in the encryption or decryption process of the first DDR module and the second DDR module;
the first and second packet modules: all are used for carrying out the package operation on the stream media data in the encryption process;
the first unpacking module and the second unpacking module: the method is used for unpacking the streaming media data in the decryption process;
the first network interface module and the second network interface module: both used for exchanging data packets with the configuration management device;
the first interface interaction module and the second interface interaction module: used for exchanging data packets with the first service CPU and the second service CPU respectively;
The first interrupt signal generation module and the second interrupt signal generation module: used for generating the interrupt signal and sending it to the first service CPU and the second service CPU respectively;
the first algorithm module includes: the first computing core module;
the second algorithm module includes: the second computing core module;
the first computing core module and the second computing core module: are used for managing the final key issued by the configuration management device.
3. The PUF technology-based streaming media encryption and decryption system according to claim 2, wherein,
The first service CPU and the first FPGA transmit data through a PCIE bus;
and the second service CPU and the second FPGA transmit data through a PCIE bus.
CN202410401170.4A 2024-04-03 2024-04-03 Stream media encryption and decryption system and method based on PUF technology Active CN117997538B (en)
