CN-121619180-B - Method, device and equipment for rapidly processing encrypted traffic of distributed cross-domain PLC
Abstract
The invention discloses a method, a device and equipment for rapidly processing the encrypted traffic of a distributed cross-domain PLC (programmable logic controller), in the technical field of PLC controllers. An encrypted data frame in a received data packet is extracted by a first filter at the physical network card driver layer and redirected to a user mode processing program; a first probing mechanism in kernel mode observes the key negotiation process of the WireGuard protocol stack to obtain the key parameters, which are sent to the user mode processing program by an asynchronous transmission mechanism; the user mode processing program decrypts and checks the encrypted data frame with the key parameters, and the original IP message is then dispatched according to the check result.
Inventors
- CHU BING
- YUE XIANG
- FAN ZHAOHONG
- YIN JUNJIE
- WANG JIANMIN
Assignees
- 宁波和利时信息安全研究院有限公司
Dates
- Publication Date: 2026-05-12
- Application Date: 2026-02-03
Claims (9)
- 1. A method for rapidly processing encrypted traffic of a distributed cross-domain PLC, characterized by comprising the following steps: acquiring a data packet by using a physical network card; filtering the data packet by using a first filter at the physical network card driver layer, and identifying and extracting an encrypted data frame of the WireGuard protocol; redirecting the encrypted data frame to a user mode processing program; probing the key negotiation process of the WireGuard protocol stack by using a first probing mechanism in kernel mode to obtain a key parameter; decrypting the encrypted data frame by using the user mode processing program and the key parameter to obtain a decrypted original IP message; checking the destination IP address of the decrypted original IP message to obtain a check result; if the destination IP address of the original IP message is the local virtual IP address and the message conforms to a whitelisted protocol, performing local control protocol processing through the user mode processing program; if the destination IP address of the original IP message is not the local virtual IP address or the message does not conform to a whitelisted protocol, returning the original IP message to the kernel protocol stack through a return interface and forwarding it, encrypted, through the WireGuard virtual network card; the method further comprises the steps of: generating an original IP message to be sent by using a socket interface established by the user mode processing program; receiving the original IP message with the first filter and checking it, and, when the check passes, mounting the original IP message on the sending queue of the WireGuard virtual network card; encrypting and protocol-encapsulating the original IP message through the WireGuard protocol stack to obtain an encrypted message; and determining the corresponding physical network card according to the routing information in the original IP message, and sending the encrypted message through that physical network card.
- 2. The method for rapidly processing encrypted traffic of a distributed cross-domain PLC according to claim 1, wherein the first filter is an XDP program, the user mode processing program is a DPDK program, and the return interface is a DPDK KNI network card.
- 3. The method for rapidly processing encrypted traffic of a distributed cross-domain PLC according to claim 2, wherein the first probing mechanism is a Kprobe mechanism, the key parameters include a session key and an initialization vector, and probing the key negotiation process of the WireGuard protocol stack by using the first probing mechanism in kernel mode to obtain the key parameters and sending the key parameters to the user mode processing program by using an asynchronous transmission mechanism comprises: hooking, based on the Kprobe mechanism, the function used for key negotiation in the WireGuard protocol stack; triggering the hook function to capture the session key and the initialization vector in response to completion of a key agreement; storing the session key and the initialization vector in an extended Berkeley Packet Filter (eBPF) map structure; and asynchronously transmitting the session key and the initialization vector to the DPDK program based on an asynchronous input-output mechanism.
- 4. The method for rapidly processing encrypted traffic of a distributed cross-domain PLC according to claim 2, wherein checking the destination IP address of the decrypted original IP message to obtain the check result comprises: acquiring a predetermined filtering policy by using an extended Berkeley Packet Filter (eBPF) map structure; and, based on the filtering policy, performing destination IP address matching verification on the decrypted original IP message with the DPDK program, and judging that the decrypted original IP message conforms to a whitelisted protocol when its destination IP address is the local virtual IP address and it passes the IP address whitelist.
- 5. The method for rapidly processing encrypted traffic of a distributed cross-domain PLC according to claim 2, wherein decrypting the encrypted data frame using the user mode processing program and the key parameter to obtain the decrypted original IP message comprises: running the DPDK program through the rte_eth_af_xdp driver, wherein rte_eth_af_xdp monitors the state of the receive queue to which the XDP program forwards messages: when the receive queue is detected to be empty, it switches to a dormant state; when the receive queue is detected to be non-empty, a PMD thread is triggered through an interrupt mechanism; and when the encrypted data frames have been decrypted and the receive queue is empty again, the interrupt is re-enabled and it switches back to the dormant state.
- 6. The method for rapidly processing encrypted traffic of a distributed cross-domain PLC according to claim 1, wherein redirecting the encrypted data frame to a user mode processing program comprises: using the PMD driver in the DPDK program to create an independent AF_XDP socket for each of the multiple receive queues of the physical network card; and assigning a corresponding message processing thread to each AF_XDP socket, so as to process the received queue messages in parallel across multiple queues.
- 7. The method for rapidly processing encrypted traffic of a distributed cross-domain PLC according to claim 4, wherein the filtering policy includes one or more of an IP address whitelist, WireGuard protocol port numbers, WireGuard protocol packet type identification, and negotiation frequency.
- 8. A device for rapidly processing encrypted traffic of a distributed cross-domain PLC, characterized by comprising: an acquisition module for acquiring a data packet by using a physical network card; a filtering module for filtering the data packet by using a first filter at the physical network card driver layer, and identifying and extracting an encrypted data frame of the WireGuard protocol; a redirection module for redirecting the encrypted data frame to a user mode processing program; a key negotiation module for probing the key negotiation process of the WireGuard protocol stack by using a first probing mechanism in kernel mode to obtain a key parameter; a decryption module for decrypting the encrypted data frame by using the user mode processing program and the key parameter to obtain a decrypted original IP message; a check module for checking the destination IP address of the decrypted original IP message to obtain a check result; and a dispatch module for processing the original IP message according to the check result as follows: if the destination IP address of the original IP message is the local virtual IP address and the message conforms to a whitelisted protocol, local control protocol processing is performed through the user mode processing program; the device further comprises a message generating module, a mounting module, an encryption encapsulation module and a message sending module, wherein the message generating module is used for generating an original IP message to be sent by using a socket interface established by the user mode processing program, the mounting module is used for receiving the original IP message with the first filter and checking it and, when the check passes, mounting the original IP message on the sending queue of the WireGuard virtual network card, the encryption encapsulation module is used for encrypting and encapsulating the original IP message through the WireGuard protocol stack to obtain an encrypted message, and the message sending module is used for determining the corresponding physical network card according to the routing information in the original IP message and sending the encrypted message through that physical network card.
- 9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
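The "first filter" of claims 1, 6 and 7 runs at the NIC driver layer before any decryption, so its whole job is to decide, from the outer headers, which frames are WireGuard data frames for the user mode handler, which stay with the kernel, and which violate policy. The following is an added example written for this page, not the patent's or any project's code: a plain C function that performs that classification over a raw frame, using the policy elements claim 7 lists (WireGuard port, message type, peer IP whitelist, negotiation frequency). It reads the claims as sending only transport-data frames to user mode while handshakes remain with the kernel stack; the port, whitelist, rate limit and the test frame are assumptions constructed for the example.

```c
/* Added example, not the patent's code: the classification that a "first
 * filter" at the NIC driver layer applies before anything is decrypted.
 * Parses Ethernet/IPv4/UDP, checks the policy elements of claim 7 (port,
 * message type, peer IP whitelist, negotiation frequency) and returns a
 * verdict. Policy values and the test frame are constructed assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

enum verdict { VERDICT_PASS = 0, VERDICT_REDIRECT = 1, VERDICT_DROP = 2 };

/* WireGuard message types (first byte of the 4-byte little-endian type field) */
#define WG_HANDSHAKE_INIT     1
#define WG_HANDSHAKE_RESPONSE 2
#define WG_COOKIE_REPLY       3
#define WG_TRANSPORT_DATA     4
#define WG_UDP_PORT           51820 /* WireGuard's default listen port */
#define MAX_HANDSHAKES_PER_WINDOW 5 /* assumed negotiation-frequency limit */

struct filter_policy {
    uint16_t wg_port;
    uint32_t peer_whitelist[4]; /* allowed peer IPv4 addresses, host order */
    size_t   peer_count;
    uint32_t handshake_count;   /* handshakes seen in the current window;
                                   a timer outside this function resets it */
};

static int peer_allowed(const struct filter_policy *p, uint32_t saddr)
{
    for (size_t i = 0; i < p->peer_count; i++)
        if (p->peer_whitelist[i] == saddr) return 1;
    return 0;
}

/* REDIRECT: encrypted WireGuard data frame, hand to the user-mode handler.
 * PASS: leave to the kernel stack (non-WireGuard traffic and handshakes,
 * which the kernel's WireGuard completes while a kprobe captures the keys).
 * DROP: policy violation. */
enum verdict classify_frame(struct filter_policy *pol, const uint8_t *frame, size_t len)
{
    if (len < 14 + 20 || frame[12] != 0x08 || frame[13] != 0x00)
        return VERDICT_PASS;                        /* not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 8 || ip[9] != 17)
        return VERDICT_PASS;                        /* malformed or not UDP */

    uint32_t saddr;
    memcpy(&saddr, ip + 12, 4);
    saddr = ntohl(saddr);
    const uint8_t *udp = ip + ihl;
    uint16_t dport = (uint16_t)((udp[2] << 8) | udp[3]);
    if (dport != pol->wg_port) return VERDICT_PASS; /* UDP, but not WireGuard */

    const uint8_t *wg = udp + 8;
    if (len - (14 + ihl + 8) < 4) return VERDICT_DROP;  /* too short for a type field */
    if (!peer_allowed(pol, saddr)) return VERDICT_DROP; /* unknown peer */

    switch (wg[0]) {
    case WG_HANDSHAKE_INIT:
    case WG_HANDSHAKE_RESPONSE:
        /* Cap negotiation rate so a handshake flood cannot starve the data path */
        if (++pol->handshake_count > MAX_HANDSHAKES_PER_WINDOW) return VERDICT_DROP;
        return VERDICT_PASS;
    case WG_COOKIE_REPLY:
        return VERDICT_PASS;
    case WG_TRANSPORT_DATA:
        return VERDICT_REDIRECT;
    default:
        return VERDICT_DROP;                        /* unknown message type */
    }
}

/* Constructed test input: minimal Ethernet/IPv4/UDP frame with a 32-byte
 * WireGuard-shaped payload whose first byte is wg_type. Returns its length. */
size_t build_test_frame(uint8_t *buf, uint32_t saddr, uint16_t dport, uint8_t wg_type)
{
    memset(buf, 0, 74);
    buf[12] = 0x08; buf[13] = 0x00;                /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                                   /* IPv4, IHL 5 */
    uint16_t tot = htons(60); memcpy(ip + 2, &tot, 2);
    ip[8] = 64; ip[9] = 17;                         /* TTL, protocol UDP */
    uint32_t s = htonl(saddr); memcpy(ip + 12, &s, 4);
    uint32_t d = htonl(0x0A000001u); memcpy(ip + 16, &d, 4); /* 10.0.0.1 */
    uint8_t *udp = ip + 20;
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    uint16_t ul = htons(40); memcpy(udp + 4, &ul, 2);
    udp[8] = wg_type;                               /* rest of payload stays zero */
    return 74;
}

int main(void)
{
    uint8_t buf[128];
    struct filter_policy pol = { WG_UDP_PORT, { 0x0A000002u }, 1, 0 }; /* peer 10.0.0.2 */
    size_t n = build_test_frame(buf, 0x0A000002u, WG_UDP_PORT, WG_TRANSPORT_DATA);
    printf("transport data from whitelisted peer -> verdict %d\n", classify_frame(&pol, buf, n));
    return 0;
}
```

In a real XDP program the same decisions map onto XDP_PASS, XDP_REDIRECT (to the AF_XDP socket of claim 6) and XDP_DROP, and the policy struct would live in the eBPF map that claim 4 describes rather than in a C struct; the handshake counter is kept per window and would need to be reset by a timer or a per-window key.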
Description
Method, device and equipment for rapidly processing encrypted traffic of distributed cross-domain PLC
Technical Field
The invention belongs to the technical field of PLC controllers, and particularly relates to a method, a device and equipment for rapidly processing encrypted traffic of a distributed cross-domain PLC.
Background
The control protocol transmissions of a traditional PLC controller are not encrypted, which makes it particularly easy to attack in large-scale cross-domain distributed PLC deployment scenarios such as oil pipeline transport, coordinated multi-workshop production, and cloud deployment and integration. Encrypting the information transmitted between controllers improves security, but necessarily increases processing overhead; encryption operations, and in particular steps such as key negotiation, are complex to process and noticeably affect computing power, storage and timeliness, so improving encryption processing efficiency as far as possible is a major problem faced by controllers in distributed deployments.
Conventional TLS encryption has complex flows, supports many algorithms, is highly compatible but comparatively low in performance, carries a high risk of security vulnerabilities, requires complex configuration, depends on certificate management, is hard to deploy in an offline environment, is not fully applicable to controller-class equipment, and makes it hard to guarantee PLC (programmable logic controller) metrics such as control latency and system load; it is mainly used for northbound communication (that is, communication with an upper-layer system), for communication with the programming platform, or for interworking with other IT systems. Proprietary encryption protocols, on the other hand, have not undergone formal security proofs or professional algorithm review, and so suffer from problems such as algorithm weaknesses, insufficient encryption strength, key leakage, replay attacks, DoS attacks and lack of forward secrecy.
Disclosure of Invention
To solve these problems, the invention provides a method, a device and equipment for rapidly processing encrypted traffic of a distributed cross-domain PLC, which improve encryption processing efficiency, reduce system resource overhead and improve system stability.
In a first aspect, the present invention provides a method for rapidly processing encrypted traffic of a distributed cross-domain PLC, including: acquiring a data packet by using a physical network card; filtering the data packet by using a first filter at the physical network card driver layer, and identifying and extracting an encrypted data frame of the WireGuard protocol; redirecting the encrypted data frame to a user mode processing program; probing the key negotiation process of the WireGuard protocol stack by using a first probing mechanism in kernel mode to obtain a key parameter; decrypting the encrypted data frame by using the user mode processing program and the key parameter to obtain a decrypted original IP message; checking the destination IP address of the decrypted original IP message to obtain a check result; and processing the original IP message according to the check result, wherein if the destination IP address of the original IP message is the local virtual IP address and the message conforms to a whitelisted protocol, local control protocol processing is performed through the user mode processing program, and if the destination IP address of the original IP message is not the local virtual IP address or the message does not conform to a whitelisted protocol, the original IP message is returned to the kernel protocol stack through a return interface and forwarded, encrypted, through the WireGuard virtual network card.
In an alternative embodiment, the first filter is an XDP program, the user mode processing program is a DPDK program, and the return interface is a DPDK KNI network card.
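After decryption the user mode program holds a plaintext IP message and must choose between the two branches above: local control protocol processing when the destination is the local virtual IP and the protocol is whitelisted, or handing the message back to the kernel through the return interface for onward encrypted forwarding. The following is an added example written for this page, not the patent's or DPDK's code: a C function that applies that dispatch to a decrypted IPv4 packet. It also rejects plaintext that does not parse as a valid IPv4 header, since a failed decryption or a corrupted frame must never be forwarded. The local virtual IP, the protocol whitelist (here TCP/502 and ICMP) and the test packets are assumptions constructed for the example.

```c
/* Added example, not the patent's code: dispatch of an already-decrypted
 * IPv4 packet in the user mode handler, following the two branches of the
 * method and the whitelist check of claim 4. Local VIP, whitelist entries
 * and test packets are constructed assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

enum dispatch {
    DISPATCH_RETURN_TO_KERNEL = 0, /* hand back via the return interface (KNI) */
    DISPATCH_LOCAL = 1,            /* process the control protocol here */
    DISPATCH_INVALID = 2           /* not a valid IPv4 packet: drop, never forward */
};

/* One whitelist entry: IP protocol number plus destination port (0 = any). */
struct proto_rule { uint8_t ip_proto; uint16_t dst_port; };

struct dispatch_policy {
    uint32_t local_vip;           /* this node's WireGuard virtual IP, host order */
    struct proto_rule allow[4];   /* whitelisted control protocols */
    size_t allow_count;
};

/* Minimal IPv4 header sanity check; returns 1 and the header length on success. */
static int ipv4_header(const uint8_t *pkt, size_t len, size_t *ihl_out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    uint16_t tot = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || tot < ihl || tot > len) return 0;
    *ihl_out = ihl;
    return 1;
}

enum dispatch dispatch_decrypted(const struct dispatch_policy *pol,
                                 const uint8_t *pkt, size_t len)
{
    size_t ihl;
    if (!ipv4_header(pkt, len, &ihl)) return DISPATCH_INVALID;

    uint32_t daddr;
    memcpy(&daddr, pkt + 16, 4);
    daddr = ntohl(daddr);
    if (daddr != pol->local_vip)            /* transit traffic for another peer */
        return DISPATCH_RETURN_TO_KERNEL;

    uint8_t proto = pkt[9];
    uint16_t dport = 0;
    if ((proto == 6 || proto == 17) && len >= ihl + 4)   /* TCP or UDP */
        dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);

    for (size_t i = 0; i < pol->allow_count; i++) {
        const struct proto_rule *r = &pol->allow[i];
        if (r->ip_proto == proto && (r->dst_port == 0 || r->dst_port == dport))
            return DISPATCH_LOCAL;
    }
    /* Addressed to us but not a whitelisted control protocol: the method
     * returns it to the kernel stack, where normal host policy applies. */
    return DISPATCH_RETURN_TO_KERNEL;
}

/* Constructed test input: 20-byte IPv4 header plus 8 bytes of transport
 * header with the given destination port. Returns the packet length. */
size_t build_test_packet(uint8_t *buf, uint32_t daddr, uint8_t proto, uint16_t dport)
{
    memset(buf, 0, 28);
    buf[0] = 0x45;                                  /* IPv4, IHL 5 */
    uint16_t tot = htons(28); memcpy(buf + 2, &tot, 2);
    buf[8] = 64; buf[9] = proto;                    /* TTL, protocol */
    uint32_t s = htonl(0x0A00000Au); memcpy(buf + 12, &s, 4);  /* src 10.0.0.10 */
    uint32_t d = htonl(daddr); memcpy(buf + 16, &d, 4);
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    return 28;
}

int main(void)
{
    uint8_t buf[64];
    struct dispatch_policy pol = { 0x0A000001u, { { 6, 502 }, { 1, 0 } }, 2 }; /* VIP 10.0.0.1 */
    size_t n = build_test_packet(buf, 0x0A000001u, 6, 502);
    printf("TCP/502 to local VIP -> dispatch %d\n", dispatch_decrypted(&pol, buf, n));
    return 0;
}
```

In the deployment the claims describe, the policy struct would be read from the eBPF map the XDP program and DPDK program share, DISPATCH_LOCAL feeds the control-protocol handler, and DISPATCH_RETURN_TO_KERNEL writes the packet to the KNI interface so the kernel routes it out through the WireGuard virtual network card; DISPATCH_INVALID is the extra check a practitioner wants so that garbage from a decryption failure never reaches either path.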
In an optional embodiment, the first probing mechanism is a Kprobe mechanism, the key parameters include a session key and an initialization vector, and probing the key negotiation process of the WireGuard protocol stack by using the first probing mechanism in kernel mode to obtain the key parameters and sending the key parameters to the user mode processing program by using an asynchronous transmission mechanism comprises: hooking, based on the Kprobe mechanism, the function used for key negotiation in the WireGuard protocol stack; triggering the hook function to capture the session key and the initialization vector in response to completion of a key agreement; storing the session key and the initialization vector in an extended Berkeley Packet Filter (eBPF) map structure; and asynchronously transmitting the session key and the initialization vector to the DPDK program based on an asynchronous input-output mechanism.
In an alternative embodiment, checking the destination IP address of the decrypted original IP message to obtain a check result i