Secure data transfer over a network

US 8,468,337 B2
Filed: 03/02/2004
Issued: 06/18/2013
Est. Priority Date: 03/02/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A system, comprising:

a memory;

a memory controller that transfers data received from a network to the memory;

a network interface coupled to the memory controller, the network interface comprising;

a first data moving unit (DMU) that exchanges secure data with a first portion of the network;

a second DMU that exchanges non-secure data with a second portion of the network; and

an embedded processor complex coupled to the memory controller, the embedded processor complex comprising;

a first protocol processor in communication with a first crypto coprocessor and a shared memory; and

a second protocol processor in communication with a second crypto coprocessor and the shared memory;

wherein the first and the second crypto coprocessors each comprise a sequential cascaded plurality of processors, and each of the sequential cascaded plurality of processors comprise;

an input interface in communication with the shared memory and with inputs of first, second and third cascaded processors;

an output interface in communication with the shared memory and with outputs of the first, second and third cascaded processors; and

an output of the first cascaded processor coupled to an input of the second cascaded processor and to an input of the third cascaded processor, and an output of the second cascaded processor coupled to an input of the third cascaded processor; and

wherein the first and second protocol processors in parallel identify information flow of the data in the memory, identify a priority of the identified information flow, retrieve a portion of the data from the memory using the memory controller based on the identified priority, perform security operations on the retrieved portion of the data, store the operated-on portion of the data in the memory using the memory controller, queue data for transfer based on the identified priority and discard portions of data associated with a particular information flow based on the identified priority;

wherein the first cascaded processor in response to an input of uncompressed, non-secure data from the input interface, outputs compressed data to the second cascaded processor and to the third cascaded processor, the second cascaded processor encrypts the compressed data received from the first cascaded processor and outputs the encrypted compressed data to the shared memory via the output interface, and the third processor hashes the compressed data received from the first cascaded processor and outputs a fixed length digest of the compressed data to the shared memory via the output interface; and

wherein the second cascaded processor, in response to an input of secure data from the input interface, decrypts the secure data received from the input interface and outputs the decrypted data to the shared memory via the output interface, and the third processor hashes the secure data input from the input interface and outputs a fixed length digest of the secure data to the shared memory via the output interface; and

wherein the memory controller is further configured to transfer the operated-on portion of the data from the memory to the network, wherein portions of the data having higher priority information flow are retrieved before portions of the data having lower priority information flow based on the identified priority, wherein the priority of information flow is independent of an order in which the data is stored in the memory and any contentions for memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are described for secure data transfer over a network. According to an exemplary embodiment a system for secure data transfer over a network includes memory and a memory controller configured to transfer data received from the network to the memory. The system includes a processor, having logic configured to retrieve a portion of the data from the memory using the memory controller. The processor also includes logic configured to perform security operations on the retrieved portion of the data, and logic configured to store the operated-on portion of the data in the memory using the memory controller. The memory controller is further configured to transfer the operated-on portion of the data from the memory to the network.

Citations

21 Claims

1. A system, comprising:
- a memory;
  
  a memory controller that transfers data received from a network to the memory;
  
  a network interface coupled to the memory controller, the network interface comprising;
  
  a first data moving unit (DMU) that exchanges secure data with a first portion of the network;
  
  a second DMU that exchanges non-secure data with a second portion of the network; and
  
  an embedded processor complex coupled to the memory controller, the embedded processor complex comprising;
  
  a first protocol processor in communication with a first crypto coprocessor and a shared memory; and
  
  a second protocol processor in communication with a second crypto coprocessor and the shared memory;
  
  wherein the first and the second crypto coprocessors each comprise a sequential cascaded plurality of processors, and each of the sequential cascaded plurality of processors comprise;
  
  an input interface in communication with the shared memory and with inputs of first, second and third cascaded processors;
  
  an output interface in communication with the shared memory and with outputs of the first, second and third cascaded processors; and
  
  an output of the first cascaded processor coupled to an input of the second cascaded processor and to an input of the third cascaded processor, and an output of the second cascaded processor coupled to an input of the third cascaded processor; and
  
  wherein the first and second protocol processors in parallel identify information flow of the data in the memory, identify a priority of the identified information flow, retrieve a portion of the data from the memory using the memory controller based on the identified priority, perform security operations on the retrieved portion of the data, store the operated-on portion of the data in the memory using the memory controller, queue data for transfer based on the identified priority and discard portions of data associated with a particular information flow based on the identified priority;
  
  wherein the first cascaded processor in response to an input of uncompressed, non-secure data from the input interface, outputs compressed data to the second cascaded processor and to the third cascaded processor, the second cascaded processor encrypts the compressed data received from the first cascaded processor and outputs the encrypted compressed data to the shared memory via the output interface, and the third processor hashes the compressed data received from the first cascaded processor and outputs a fixed length digest of the compressed data to the shared memory via the output interface; and
  
  wherein the second cascaded processor, in response to an input of secure data from the input interface, decrypts the secure data received from the input interface and outputs the decrypted data to the shared memory via the output interface, and the third processor hashes the secure data input from the input interface and outputs a fixed length digest of the secure data to the shared memory via the output interface; and
  
  wherein the memory controller is further configured to transfer the operated-on portion of the data from the memory to the network, wherein portions of the data having higher priority information flow are retrieved before portions of the data having lower priority information flow based on the identified priority, wherein the priority of information flow is independent of an order in which the data is stored in the memory and any contentions for memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the first and second DMUs directly communicate with the first and seconds portions of the network.
  - 3. The system of claim 2, wherein the network interface comprises:
    - a first serializer/deserializer (SERDES) circuit coupled between the first DMU and the first network portion and a second SERDES coupled between the second DMU and the second network portion, each SERDES configured to convert serial data received from the respective network portions to a parallel format and to convert parallel data received from the respective DMUs to a serial format.
  - 4. The system of claim 1, wherein the embedded processor complex further performs quality-of-service (QoS) operations on the data in coordination with performing the security operations.
  - 5. The system of claim 4, wherein the embedded processor complex performs the QoS operations by:
    - identifying an information flow associated with the portion of the data;
      
      determining a priority of the information flow; and
      
      scheduling at least one of the retrieving the portion of the data and the transferring of the operated-on portion of the data from memory based on the priority of the information flow associated with the portion of the data.
  - 6. The system of claim 1, wherein the memory includes a memory block having a plurality of memory banks;
    - andthe memory controller references the plurality of memory banks in a sequence that minimizes a memory access time.
  - 7. The system of claim 1, wherein the memory controller further:
    - includes a request to reference the memory into one of a group of read requests and a group of write requests; and
      
      executes all requests included in one of the groups of read requests and write requests before executing a request included in the other group.
  - 8. The system of claim 7, wherein the embedded processor complex:
    - includes error correction code with the data transferred to or stored in the memory; and
      
      detects and corrects errors in the data retrieved or transferred from the memory based on the error correction code included with the data.

9. A method for secure data transfer over a network, the method comprising:
- transferring data from the network to memory using a memory controller;
  
  identifying information flow of the data in the memory;
  
  identifying a priority of the identified information flow;
  
  retrieving a portion of the data from the memory based on the identified priority into an embedded processor complex using the memory controller, wherein portions of the data having higher priority information flow are retrieved before portions of the data having lower priority information flow, wherein the priority of information flow is independent of an order in which the data is stored in the memory and any memory contentions;
  
  the embedded processor complex performing security operations on the retrieved portion of the data via a sequential cascaded plurality of processors, wherein an input interface is in communication with a shared memory and with inputs of a first, a second and a third cascaded processor;
  
  an output interface is in communication with the shared memory and with outputs of the first, second and third cascaded processors; and
  
  an output of the first cascaded processor is coupled to an input of the second cascaded processor and to an input of the third cascaded processor, and an output of the second cascaded processor is coupled to an input of the third cascaded processor, by;
  
  in response to an input of uncompressed, non-secure data, the first cascaded processor outputting compressed data to the second cascaded processor and to the third cascaded processor, the second cascaded processor encrypting the compressed data received from the first cascaded processor and outputting the encrypted compressed data to the shared memory via the output interface, and the third processor hashing the compressed data received from the first cascaded processor and outputting a fixed length digest of the compressed data to the shared memory via the output interface; and
  
  in response to an input of secure data, the second cascaded processor decrypting the secure data and outputting the decrypted data to the shared memory via the output interface, and the third processor hashing the secure data input and outputting a fixed length digest of the secure data to the shared memory via the output interface;
  
  storing the operated-on portion of the data in the memory using the memory controller;
  
  discarding portions of data associated with particular information flow based on the identified memory;
  
  queuing the operated-on portion of the data for transfer based on the identified priority; and
  
  transferring the operated-on portion of the data from the memory to the network using the memory controller.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, comprising:
    - performing quality-of-service (QoS) operations on the data in coordination with performing the security operations.
  - 11. The method of claim 10, wherein the QoS operations comprise:
    - identifying an information flow associated with the portion of the data;
      
      determining a priority of the information flow; and
      
      scheduling at least one of the retrieving the portion of the data and the transferring the operated-on portion of the data from memory based on the priority of the information flow associated with the portion of the data.
  - 12. The method of claim 11, comprising:
    - deciphering the portion of the data prior to the identifying of the information flow when the retrieved portion is secure data; and
      
      obscuring the portion of the data after the identifying of the information flow when the retrieved portion is non-secure data.
  - 13. The method of claim 9, comprising:
    - compressing the portion of the data prior to performing the security operations when the retrieved portion is non-secure data; and
      
      decompressing the portion of the data after performing the security operations when the retrieved portion is secure data.
  - 14. The method of claim 9, comprising:
    - including a request to reference the memory into one of a group of read requests and a group of write requests; and
      
      executing all requests included in one of the groups of read requests and write requests before executing a request included in the other group.
  - 15. The method of claim 14, wherein the executing all requests included in one of the groups of read requests and write requests occurs when a sum of the requests included in one of the groups corresponds to a predetermined amount of the memory.
  - 16. The method of claim 9, comprising:
    - including error correction code with the data transferred to or stored in the memory; and
      
      at least one of detecting and correcting errors in the data retrieved or transferred from the memory based on the error correction code included with the data.
  - 17. The method of claim 9, comprising:
    - referencing portions of the memory in a sequence that minimizes a memory access time.

18. A computer readable storage medium, wherein the medium is not a signal, containing a computer program for secure data transfer over a network, wherein the computer program comprises executable instructions for:
- transferring data from the network to memory using a memory controller;
  
  identifying information flow of the data in the memory;
  
  identifying a priority of the identified information flow;
  
  retrieving a portion of the data from the memory into an embedded processor complex using the memory controller based on the identified priority;
  
  performing security operations on the retrieved portion of the data using the processor;
  
  via a sequential cascaded plurality of processors, wherein an input interface is in communication with a shared memory and with inputs of a first, a second and a third cascaded processor;
  
  an output interface is in communication with the shared memory and with outputs of the first, second and third cascaded processors; and
  
  an output of the first cascaded processor is coupled to an input of the second cascaded processor and to an input of the third cascaded processor, and an output of the second cascaded processor is coupled to an input of the third cascaded processor, by;
  
  in response to an input of uncompressed, non-secure data, the first cascaded processor outputting compressed data to the second cascaded processor and to the third cascaded processor, the second cascaded processor encrypting the compressed data received from the first cascaded processor and outputting the encrypted compressed data to the shared memory via the output interface, and the third processor hashing the compressed data received from the first cascaded processor and outputting a fixed length digest of the compressed data to the shared memory via the output interface; and
  
  in response to an input of secure data, the second cascaded processor decrypting the secure data and outputting the decrypted data to the shared memory via the output interface, and the third processor hashing the secure data input and outputting a fixed length digest of the secure data to the shared memory via the output interface;
  
  storing the operated-on portion of the data in the memory using the memory controller;
  
  discarding portions of data associated with particular information flow based on the identified memory;
  
  queuing the operated-on portion of the data for transfer based on the identified priority; and
  
  transferring the operated-on portion of the data from the memory to the network using the memory controller, wherein operated-on portions of the data having higher priority information flow are transferred before portions of the data having lower priority information flow, wherein the priority does not depend on a location of the operated-on data in the memory and any memory contention.
- View Dependent Claims (19, 20, 21)
- - 19. The computer readable storage medium of claim 18, wherein the computer program comprises executable instructions for:
    - performing quality-of-service (QoS) operations on the data in coordination with performing the security operations.
  - 20. The computer readable storage medium of claim 19, wherein the computer program comprises executable instructions for:
    - identifying an information flow associated with the portion of the data;
      
      determining a priority of the information flow; and
      
      scheduling at least one of the retrieving the portion of the data and the transferring the operated-on portion of the data from memory based on the priority of the information flow associated with the portion of the data.
  - 21. The computer readable storage medium of claim 18, wherein the computer program comprises executable instructions for:
    - compressing the portion of the data prior to performing the security operations when the retrieved portion is non-secure data; and
      
      decompressing the portion of the data after performing the security operations when the retrieved portion is secure data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Gaur, Santosh P., Hall, William Eric
Primary Examiner(s)
ZECHER, CORDELIA P K

Application Number

US10/790,966
Publication Number

US 20050198492A1
Time in Patent Office

3,395 Days
Field of Search

713/153
US Class Current

713/153
CPC Class Codes

H04L 49/9036   Common buffer combined with...

H04L 63/164   at the network layer

H04L 9/0844   with user authentication or...

Secure data transfer over a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure data transfer over a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links