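Design and Implementation of a Network Encryption and Isolation Card Based on Multi-DSP
【Author】 李红良;
【Supervisor】 蔡皖东;
【Author Information】 Northwestern Polytechnical University, Computer Application Technology, 2006, Master's
【Summary】 With the rapid development of computer network technology, how to ensure the security of information on networks has gradually become a focus of attention, and the security needs of individuals, ordinary companies and enterprises are increasingly urgent. The Secure Sockets Layer (SSL) protocol can effectively improve the security of network communication. However, SSL handshake and record processing involve a large number of encryption and decryption operations, which consume a great deal of CPU time and become a system bottleneck. Network isolation is an important network security measure; its purpose is to prohibit resource sharing between networks and to prevent information on one network from leaking to another. Many schemes have been proposed to isolate multiple networks effectively, and this is also a hot topic in current network security research. This thesis describes in detail the design and implementation of a network encryption and isolation card based on multi-DSP (Network Encryption and Isolation Card Based on Multi-DSP, MDSP NEIC card for short). The complex operations related to encryption and decryption in SSL are handed to the multi-DSP computing units on a PCI hardware card, which frees the host from heavy encryption and decryption work and avoids the risk of the encryption algorithm being tampered with or analyzed, thereby strongly improving the computer system's secure connection capability and communication speed. At the same time, using multi-DSP and dual TCP/IP stack technology, isolation of two networks is effectively achieved on the basis of encryption. The main research contents of this thesis are as follows: (1) The technologies related to network encryption, network isolation and SSL were studied. (2) Based on a study of PCI, DSP and related development technologies, the hardware design of the MDSP NEIC card and the design and implementation of the DSP programs were completed. (3) Based on a study of the principles of multi-port memory, multi-port memory was used to implement the connection and scheduling of multiple DSPs. (4) Using the characteristics of the dual TCP/IP stacks and the multi-DSP structure, isolation of two network segments was effectively achieved on the basis of encryption. (5) WDM driver development technology on the Windows platform was studied in depth, and the MDSP NEIC card driver for Windows was developed. (6) The development technology of the Windows CryptoAPI/CSP was analyzed and studied, and the encryption API of the MDSP NEIC card was developed and implemented.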
【Abstract】 Along with the rapid progress of computer networks, network information security has become a major concern in modern technology communities, and the security requirements of individuals and enterprises have never been more pressing. The Secure Sockets Layer (SSL) protocol can effectively enhance the security of network communication. However, the handshake and record processing in SSL require a large number of encryption and decryption operations, which take a great amount of CPU time and lead to a system bottleneck. Network isolation is an important security measure; it aims to restrict network resource sharing and to prevent information from leaking between different networks. Various technologies have been proposed to implement efficient network isolation, and the related research is a hot topic in the field of security. This thesis presents a detailed description of the design and implementation of the network encryption and isolation card based on multi-DSP (MDSP NEIC card for short). Encryption and decryption operations in SSL are processed by the PCI hardware card, which largely reduces the burden on host computers and lowers the risk of encryption algorithms being altered or analyzed. Moreover, by combining double TCP/IP stacks with multi-DSP technology, it achieves 2-network isolation on the basis of encryption. The research work described in the thesis is mainly as follows: (1) Research on network encryption, network isolation and SSL. (2) Building on research into PCI and DSP technology, the MDSP NEIC card was designed, and the DSP programs were designed and implemented. (3) Building on research into multi-port memory principles, multi-DSP connection and dispatch were implemented. (4) On the basis of encryption, 2-network isolation was effectively achieved using the characteristics of the double TCP/IP stack and the multi-DSP architecture. (5) Following in-depth research into the Windows Driver Model, the MDSP NEIC card hardware driver was implemented on the Windows platform. (6) Following analysis and study of CryptoAPI/CSP development technology, the MDSP NEIC card API for encryption was implemented.
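- 【Online Publication Contributor】 Northwestern Polytechnical University 【Online Publication Year/Issue】 2006, Issue 07
- 【Classification Code】 TP309.7
- 【Citation Count】 2
- 【Download Count】 168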