Network Security Processor Research Articles

Partitioned security processor architecture on FPGA platform

Internet protocol security (IPSec), secure sockets layer (SSL)/transport layer security (TLS) and other security protocols necessitate high throughput hardware implementation of cryptographic functions. In recent literature, cryptographic functions implemented in software, application specific integrated circuit (ASIC) and field programmable gate array (FPGA). They are not necessarily optimized for throughput. Due to the various side-channel based attacks on cache and memory, and various malware based exfiltration of security keys and other sensitive information, cryptographic enclave processors are implemented which isolates the cryptographically sensitive information like keys. We propose a partitioned enclave architecture targeting IPSec, TLS and SSL where the partitioned area ensures that the processor data-path is completely isolated from the secret-key memory. The security processor consists of a Trivium random number generator, Rivest–Shamir–Adleman (RSA), advanced encryption standard (AES) and KECCAK cryptos. We implement three different optimized KECCAK architectures. The processing element (PE) handles all communication interfaces, data paths, and control hazards of network security processor. The memory of KECCAK and AES communication is done via a direct memory access controller to reduce the PE overhead. The whole system is demonstrated by FPGA implementation using Vivado 2015.2 on Artix-7 (XC7A100T, CSG324). The performances of the implemented KECCAKs are better in terms of security, throughput and resource than the existing literature.

Hardware variant NSP with security‐aware automated preferential algorithm

Efficient and cost-effective hardware design of network security processor (NSP) is of vital importance in the present era due to the increasing need of security infrastructure in a wide range of computing applications. Here, the authors propose an NSP in field programmable gate array (FPGA) platform where according to a strict power, throughput, resource, and security priorities, a proposed preferential algorithm chooses a cipher suite to program the hardware. The choice is based on a rank list of available cipher suites depending on efficient system index evaluated in terms of power, throughput, resource, and security data and their given weights by the user. Encryption, hash, and key exchange algorithm along with their architectural variants serve excellent hardware flexibility whose bit files are stored in secure digital memory. The proposed design used an isolated key memory where secret keys are stored in encrypted form along with the hash value. The design is implemented using ISE14.4 suite with ZYNQ7z020-clg484 FPGA platform. The performances of the variants architecture of the crypto algorithms are considerably better in terms of power, throughput, and resource than the existing works reported in the literature.

Multi core SSL/TLS security processor architecture and its FPGA prototype design with automated preferential algorithm

In this paper a pipelined architecture of a high speed network security processor (NSP) for SSL/TLS protocol is implemented on a system on chip (SoC) where hardware information of all encryption, hashing and key exchange algorithms are stored in Secure Digital (SD) card in terms of bit files, in contrary to recent ones where all are actually implemented in hardware. The SoC works as NSP for the system (PC), which is running the application. Through the SoC the security algorithms are implemented and it also provides the Ethernet communication interface. The NSP finds applications in e-commerce, virtual private network (VPN) and in other fields that require data confidentiality.The motivation of the present work is to dynamically execute applications in embedded systems having strict resource and power budgets maintaining a stipulated throughput. An appropriate cipher suite is chosen following a proposed preferential algorithm based on Efficient System Index (ESI) budget comprising of throughput, power and resource given by the user. The bit files of the chosen security algorithms are downloaded from the SD card to the partial region of Field Programmable Gate Array (FPGA). The proposed SoC controls data communication between an application running in a system through a PCI and an Ethernet interface of a network. The proposed design uses partial reconfiguration feature of ISE14.4 suite with ZYNQ 7z020-clg484 FPGA platform. The performances of the implemented crypto algorithms are considerably better in terms of power throughput and resource than the existing works reported in literatures.

A 10 Gbps in-line network security processor based on configurable hetero-multi-cores

This paper deals with an in-line network security processor (NSP) design that implements the Internet Protocol Security (IPSec) protocol processing for the 10 Gbps Ethernet. The 10 Gbps high speed data transfer, the IPSec processing including the crypto-operation, the database query, and IPSec header processing are integrated in the design. The in-line NSP is implemented using 65 nm CMOS technology and the layout area is 2.5 mm×3 mm with 360 million gates. A configurable crossbar data transfer skeleton implementing an iSLIP scheduling algorithm is proposed, which enables simultaneous data transfer between the heterogeneous multiple cores. There are, in addition, a high speed input/output data buffering mechanism and design of high performance hardware structures for modules, wherein the transfer efficiency and the resource utilization are maximized and the IPSec protocol processing achieves 10 Gbps line speed. A high speed and low power hardware look-up method is proposed, which effectively reduces the area and power dissipation. The post simulation results demonstrate that the design gives a peak throughput for the Authentication Header (AH) transport mode of 10.06 Gbps with the average test packet length of 512 bytes under the clock rate of 250 MHz, and power dissipation less than 1 W is obtained. An FPGA prototype is constructed to verify the function of the design. A test bench is being set up for performance and function verification.

An IPSec Accelerator Design for a 10Gbps In-Line Security Network Processor

The IP security protocol (IPSec) is an important and widely used security protocol in the IP layer. But the implementation of the IPSec is a computing intensive work which greatly limits the performance of the high speed network. In this paper, a high performance IPSec accelerator used in a 10Gbps in-line network security processor (NSP) is presented. The design integrates the protocol processing and the cryptographic processing; the transport/tunnel mode of the AH, ESP security protocols and the AES, HMAC-SHA-1 cryptographic algorithms are realized by hardware. An efficient partial crossbar data transfer skeleton with iSLIP scheduling algorithm is adopted to realize the maximum utilization of the computation resources in the accelerator. The number of AH, ESP, AES, HMAC-SHA-1 cores in the design can be configured to meet the different applications. By simulation, with 8 protocol IP-cores and 24 crypto IP-cores connected to the crossbar in the IPSec accelerator, the design gives a peak throughput for the AH protocol transport mode of 11.28Gbps at the average of 512 bytes packet length under a clock rate of 300MHz. The hardware verification is implemented on a Virtex-5 XC5VSX95T based FPGA board. Low power design methods are also used in the design to reduce the power dissipation.

SOC Test Architecture and Method for 3-D ICs

3-D integration provides another way to put more devices in a smaller footprint. However, it also introduces new challenges in testing. Flexible test architecture named test access control system for 3-D integrated circuits (TACS-3D) is proposed for 3-D integrated circuits (IC) testing. Integration of heterogeneous design-for-testability methods for logic, memory, and through-silicon via (TSV) testing further reduces the usage of test pins and TSVs. To highly reuse pre-bond test circuits in post-bond test, an innovative linking mechanism shares TSVs and test pins of the 3-D IC. No matter how many layers are there in the 3-D IC, a large portion of TSVs and test pins is reserved for data application. Therefore, smaller post-bond test time is expected. A test chip composed of a network security processor platform is taken as an example. Less than 0.4% test overhead increases in area and time between 2-D and 3-D cases. Compared with the instinctively direct access, TACS-3D reveals up to 54% test time improvement under the same TSV usage.

Design and implementation of a high performance network security processor

The last few years have seen many significant progresses in the field of application-specific processors. One example is network security processors (NSPs) that perform various cryptographic operations specified by network security protocols and help to offload the computation intensive burdens from network processors (NPs). This article presents a high performance NSP system architecture implementation intended for both internet protocol security (IPSec) and secure socket layer (SSL) protocol acceleration, which are widely employed in virtual private network (VPN) and e-commerce applications. The efficient dual one-way pipelined data transfer skeleton and optimised integration scheme of the heterogenous parallel crypto engine arrays lead to a Gbps rate NSP, which is programmable with domain specific descriptor-based instructions. The descriptor-based control flow fragments large data packets and distributes them to the crypto engine arrays, which fully utilises the parallel computation resources and improves the overall system data throughput. A prototyping platform for this NSP design is implemented with a Xilinx XC3S5000 based FPGA chip set. Results show that the design gives a peak throughput for the IPSec ESP tunnel mode of 2.85 Gbps with over 2100 full SSL handshakes per second at a clock rate of 95 MHz.

A Gbps IPSec SSL Security Processor Design and Implementation in an FPGA Prototyping Platform

This paper presents a high performance Network Security Processor (NSP) system architecture implementation intended for both Internet Protocol Security (IPSec) and Secure Socket Layer (SSL) protocol acceleration, which are widely employed in Virtual Private Network (VPN) and e-commerce applications. The efficient data transfer skeleton and optimized integration scheme of the parallel crypto engine arrays lead to a Gbps rate NSP, which is programmable with domain specific descriptor-based instructions for Gbps throughput IPSec and SSL applications. The descriptor-based control flow fragments large data packets and distributes them to the parallel crypto engine arrays, which fully utilizes the computation resources and improves the overall system data throughput. A prototyping platform for this NSP design is implemented with Xilinx XC3S5000 based FPGA chip set. Results show that the design gives a peak throughput for the IPSec ESP tunnel mode of 1.851 Gbps with over 1600 full SSL handshakes per second at a clock rate of 150 MHz.

WLAN security processor

A novel wireless local area network (WLAN) security processor is described in this paper. It is designed to offload security encapsulation processing from the host microprocessor in an IEEE 802.11i compliant medium access control layer to a programmable hardware accelerator. The unique design, which comprises dedicated cryptographic instructions and hardware coprocessors, is capable of performing wired equivalent privacy, temporal key integrity protocol, counter mode with cipher block chaining message authentication code protocol, and wireless robust authentication protocol. Existing solutions to wireless security have been implemented on hardware devices and target specific WLAN protocols whereas the programmable security processor proposed in this paper provides support for all WLAN protocols and thus, can offer backwards compatibility as well as future upgrade ability as standards evolve. It provides this additional functionality while still achieving equivalent throughput rates to existing architectures.

Transaction Security System

Components of previous security systems were designed independently from one another and were often difficult to integrate. Described is the recently available IBM Transaction Security System. It implements the Common Cryptographic Architecture and offers a comprehensive set of security products that allow users to implement end-to-end secure systems with IBM components. The system includes a mainframe host-attached Network Security Processor, high-performance encryption adapters for the IBM Personal Computer and Personal System/2® Micro Channel®, an RS-232 attached Security Interface Unit, and a credit-card size state-of-the-art Personal Security™ card containing a high-performance microprocessor. The application programming interface provides common programming in the host and the workstation and supports all of the Systems Application Architecture™ languages except REXX and RPG. Applications may be written to run on Multiple Virtual Storage (MVS) and PC DOS operating systems.