Security chip architecture and implementations for cryptography acceleration

US 6,971,006 B2
Filed: 08/23/2002
Issued: 11/29/2005
Est. Priority Date: 07/08/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method for cryptography processing of data packets, the method comprising:

identifying a first fixed-sized cell at a cryptography accelerator, the first fixed-sized cell comprising one of a plurality of fixed-sized cells derived from a first packet;

maintaining first context information corresponding to the first fixed-sized cell, the first context information identifying a first key and a first algorithm for cryptographically processing the first fixed-sized cell;

identifying a second fixed-sized cell at a cryptography accelerator, the second fixed-sized cell comprising one of a plurality of fixed-sized cells derived from a second packet; and

maintaining second context information associated with the second fixed-sized cell, the second context information identifying a second key and a second algorithm for cryptographically processing the second fixed-sized cell.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An architecture and a method for a cryptography acceleration is disclosed that allows significant performance improvements without the use of external memory. Specifically, the chip architecture enables “cell-based” processing of random-length IP packets. The IP packets, which may be of variable and unknown size, are split into fixed-size “cells.” The fixed-sized cells are then processed and reassembled into packets. The cell-based packet processing architecture of the present invention allows the implementation of a processing pipeline that has known processing throughput and timing characteristics, thus making it possible to fetch and process the cells in a predictable time frame. The architecture is scalable and is also independent of the type of cryptography performed. The cells may be fetched ahead of time (pre-fetched) and the pipeline may be staged in such a manner that attached (local) memory is not required to store packet data or control parameters.

Citations

30 Claims

1. A method for cryptography processing of data packets, the method comprising:
- identifying a first fixed-sized cell at a cryptography accelerator, the first fixed-sized cell comprising one of a plurality of fixed-sized cells derived from a first packet;
  
  maintaining first context information corresponding to the first fixed-sized cell, the first context information identifying a first key and a first algorithm for cryptographically processing the first fixed-sized cell;
  
  identifying a second fixed-sized cell at a cryptography accelerator, the second fixed-sized cell comprising one of a plurality of fixed-sized cells derived from a second packet; and
  
  maintaining second context information associated with the second fixed-sized cell, the second context information identifying a second key and a second algorithm for cryptographically processing the second fixed-sized cell.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising cryptographically processing the first and second fixed-sized cells using the first and second context information.
  - 3. The method of claim 1, wherein the first and second packets are back-to-back packets.
  - 4. The method of claim 1, further comprising recombining the first and second fixed-sized cell into first and second processed data packets.

5. A method for accelerating cryptography processing of data packets, the method comprising:
- splitting an unfixed-sized incoming packet into a plurality of fixed-sized cells;
  
  maintaining context information for the fixed-sized cells, wherein context information comprises key and algorithm information for cryptographically processing the fixed-sized cells;
  
  processing the fixed-sized cells using context information; and
  
  recombining the fixed-sized cells associated with the incoming packet into a processed data packet.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. The method of claim 5, further comprising reading an incoming packet from a system memory before splitting the packet into fixed-sized cells.
  - 7. The method of claim 6, further comprising writing the processed data packet out to the system memory.
  - 8. The method of claim 7, further comprising storing the fixed-sized cells in a buffer.
  - 9. The method of claim 8, further comprising pre-fetching context information associated with the incoming packet and storing the context information in an on-chip context buffer.
  - 10. The method of claim 9, wherein processing comprises performing at least one cryptographic operation on the fixed-sized cells.
  - 11. The method of claim 10, wherein the processing comprises performing 3DES-CBC encryption/decryption and MD authentication/digital signature processing on the fixed-sized cells.
  - 12. The method of claim 11, wherein for in-bound packets, the cells are first authenticated and then decrypted in parallel fashion and for out-bound packets, the cells are first encrypted then authenticated, in pipelined fashion.
  - 13. The method of claim 12, wherein the cryptographic processing operations are performed in parallel.
  - 14. The method of claim 10, wherein the processing comprises Diffie-Hellman/RSA/DSA public key processing.
  - 15. The method of claim 5, further comprising pre-fetching the context information.

16. A method for accelerating IPSec cryptography processing of IF packets, the method comprising:
- splitting an unfixed-sized incoming IP packet into a plurality of fixed-sized cells;
  
  placing the fixed-sized cells in a buffer;
  
  processing the fixed-sized cells with a 3DES-CBC encryption/decryption unit and an MD5/SHA1 authentication signature unit; and
  
  recombining the fixed-sized cells into a processed IP packet.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The method of claim 16, further comprising reading an incoming IP packet from a system memory before splitting the packet into fixed-sized cells.
  - 18. The method of claim 16, further comprising writing the processed IP packet out to the system memory.
  - 19. The method of claim 18, wherein the buffer size is less than 512 kilobytes.
  - 20. The method of claim 19, further comprising pre-fetching context information associated with the incoming packet and storing the context information in a context buffer.
  - 21. The method of claim 20, wherein for in-bound packets, the cells are first authenticated and then decrypted in parallel fashion and for out-bound packets, the cells are first encrypted then authenticated, in pipelined fashion.
  - 22. The method of claim 21, wherein the cryptographic processing operations are performed in parallel.
  - 23. The method of claim 22, wherein multiple packets are combined into a single record and are sent for processing by a system controller with a single bus write command.

24. A method for sequencing fixed-sized cells in a cryptography acceleration chip, wherein incoming data packets are split into fixed-sized cells, the method comprising:
- pre-fetching a next cell for processing;
  
  waiting until a previous cell has finished processing;
  
  loading the next cell into a cryptography processing unit such that the next cell comprises a current cell for cryptography processing;
  
  waiting until less than a predetermined number of system bus writes are pending before starting the cryptography processing on the current cell and queuing up a write for the previous cell.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The method of claim 24, wherein the cryptography processing comprises performing both encryption/decryption and authentication in parallel.
  - 26. The method of claim 25, further comprising writing an outer HMAC code, if the current cell is the last cell to be authenticated in a current packet.
  - 27. The method of claim 26, further comprising writing an inner HMAC code, if the current cell is the first cell in a new packet.
  - 28. The method of claim 27, further comprising pre-fetching a next cell, if the next cell is from a same packet as a current cell, otherwise, determining if a new packet is part of a same Master Command Record (MCR) as the current packet.
  - 29. The method of claim 28, further comprising pre-fetching a new context and a new cell, if the new packet is part of the same MCR as the current packet, otherwise, draining the cryptography processing blocks, writing an output, updating status MCR status information, and then pre-fetching a new context and a new cell.
  - 30. The method of claim 29, wherein the encryption/decryption is performed by a 3DES-CBC unit and the authentication is performed by a MD5/SHA1 unit in order to implement IPSec processing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Owen, Christopher, Krishna, Suresh
Primary Examiner(s)
Song, Hosuk

Application Number

US10/227,491
Publication Number

US 20020199101A1
Time in Patent Office

1,194 Days
Field of Search

713160-162, 713/181, 713189-190, 713/194, 713200-201, 380/212, 380/217, 380/277, 380/282, 380/285, 709/235, 709238-240, 370/394, 370/395.1
US Class Current

713/161
CPC Class Codes

G06F 21/72   in cryptographic circuits

G06F 2207/7219   Countermeasures against sid...

G06F 9/3879   for non-native instruction ...

H04L 63/0485   Networking architectures fo...

H04L 63/123   received data contents, e.g...

H04L 63/164   at the network layer

H04L 69/12   Protocol engines

Security chip architecture and implementations for cryptography acceleration

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Security chip architecture and implementations for cryptography acceleration

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links