Security chip architecture and implementations for cryptography acceleration
Abstract
An architecture and a method for a cryptography acceleration is disclosed that allows significant performance improvements without the use of external memory. Specifically, the chip architecture enables “cell-based” processing of random-length IP packets. The IP packets, which may be of variable and unknown size, are split into fixed-size “cells.” The fixed-sized cells are then processed and reassembled into packets. The cell-based packet processing architecture of the present invention allows the implementation of a processing pipeline that has known processing throughput and timing characteristics, thus making it possible to fetch and process the cells in a predictable time frame. The architecture is scalable and is also independent of the type of cryptography performed. The cells may be fetched ahead of time (pre-fetched) and the pipeline may be staged in such a manner that attached (local) memory is not required to store packet data or control parameters.
30 Claims

1. A method for cryptography processing of data packets, the method comprising:
- identifying a first fixed-sized cell at a cryptography accelerator, the first fixed-sized cell comprising one of a plurality of fixed-sized cells derived from a first packet;
- maintaining first context information corresponding to the first fixed-sized cell, the first context information identifying a first key and a first algorithm for cryptographically processing the first fixed-sized cell;
- identifying a second fixed-sized cell at a cryptography accelerator, the second fixed-sized cell comprising one of a plurality of fixed-sized cells derived from a second packet; and
- maintaining second context information associated with the second fixed-sized cell, the second context information identifying a second key and a second algorithm for cryptographically processing the second fixed-sized cell.

Dependent claims: 2, 3, 4

5. A method for accelerating cryptography processing of data packets, the method comprising:
- splitting an unfixed-sized incoming packet into a plurality of fixed-sized cells;
- maintaining context information for the fixed-sized cells, wherein context information comprises key and algorithm information for cryptographically processing the fixed-sized cells;
- processing the fixed-sized cells using context information; and
- recombining the fixed-sized cells associated with the incoming packet into a processed data packet.

Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14, 15

16. A method for accelerating IPSec cryptography processing of IP packets, the method comprising:
- splitting an unfixed-sized incoming IP packet into a plurality of fixed-sized cells;
- placing the fixed-sized cells in a buffer;
- processing the fixed-sized cells with a 3DES-CBC encryption/decryption unit and an MD5/SHA1 authentication signature unit; and
- recombining the fixed-sized cells into a processed IP packet.

Dependent claims: 17, 18, 19, 20, 21, 22, 23

24. A method for sequencing fixed-sized cells in a cryptography acceleration chip, wherein incoming data packets are split into fixed-sized cells, the method comprising:
- pre-fetching a next cell for processing;
- waiting until a previous cell has finished processing;
- loading the next cell into a cryptography processing unit such that the next cell comprises a current cell for cryptography processing;
- waiting until less than a predetermined number of system bus writes are pending before starting the cryptography processing on the current cell and queuing up a write for the previous cell.

Dependent claims: 25, 26, 27, 28, 29, 30
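
The cell flow described in the abstract and in claims 1 and 5, as an added Python example that is not code from the patent: two packets are split into fixed-size cells, interleaved through one engine, and each cell selects its own context (key, algorithm, running state) before the packets are recombined. The 64-byte cell size, the `Cell` and `Accelerator` names, and the choice of HMAC-MD5 and HMAC-SHA1 as the two per-context algorithms are assumptions for illustration; the encryption stage is omitted.

```python
import hmac
from dataclasses import dataclass
from itertools import zip_longest

CELL_SIZE = 64  # assumed cell size in bytes; the page does not state one

@dataclass
class Cell:
    packet_id: int  # selects the context this cell is processed under
    seq: int        # position of the cell within its packet
    valid: int      # payload bytes before zero padding
    data: bytes     # always exactly CELL_SIZE bytes

def split(packet_id, packet):
    """Split a variable-length packet into zero-padded fixed-size cells."""
    cells = []
    for seq, off in enumerate(range(0, len(packet), CELL_SIZE)):
        chunk = packet[off:off + CELL_SIZE]
        cells.append(Cell(packet_id, seq, len(chunk),
                          chunk.ljust(CELL_SIZE, b"\0")))
    return cells

class Accelerator:
    """Holds one context (key, algorithm, running MAC state) per packet."""
    def __init__(self):
        self.ctx, self.out = {}, {}

    def open(self, packet_id, key, algorithm):
        self.ctx[packet_id] = hmac.new(key, digestmod=algorithm)
        self.out[packet_id] = []

    def process(self, cell):
        payload = cell.data[:cell.valid]           # strip padding
        self.ctx[cell.packet_id].update(payload)   # never another packet's state
        self.out[cell.packet_id].append((cell.seq, payload))

    def close(self, packet_id):
        """Recombine the cells in order; return (packet, authentication tag)."""
        body = b"".join(p for _, p in sorted(self.out.pop(packet_id)))
        return body, self.ctx.pop(packet_id).digest()

def run_interleaved(p1, k1, p2, k2):
    """Feed cells of two packets alternately through one accelerator."""
    acc = Accelerator()
    acc.open(1, k1, "md5")    # first key, first algorithm
    acc.open(2, k2, "sha1")   # second key, second algorithm
    for pair in zip_longest(split(1, p1), split(2, p2)):
        for cell in pair:
            if cell is not None:   # the shorter packet runs out of cells first
                acc.process(cell)
    return acc.close(1), acc.close(2)
```

The running MAC state depends on cells of the same packet arriving in order; interleaving across packets is safe only because each cell is bound to its own context.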
Specification