As part of INSIDE Secure’s award-winning silicon Intellectual Property (IP) product portfolio, the SafeXcel-IP-94 is Silicon-proven Intellectual Property (IP) for accelerating IPSec, SSL/TLS/DTLS, SRTP and MACsec. This engine supports an AHB or a PLB interface.
Delivery includes the SafeXcel-IP-150 Public Key Processor, which is an integrated module combining the Public Key Acceleration module.
Designed for fast integration, maximum performance and full transforms, the SafeXcel IP Packet Engine provides a reliable and cost-effective Embedded IP solution that is easy to integrate into SoC designs.
The approximate gate count of the EIP-94 Security Packet Engine is 380K gates (90nm, AHB) excluding memories.
The Packet Engine uses 36 Kbit in 6 dual-port memory instantiations; the PKP uses up to 36 Kbit of program memory (RAM or ROM) and between 16 Kbit and 64 Kbit of operand/data RAM (depending on the vector size to be supported).
The PLB interface has a 4 Kbit input buffer and a 4 Kbit output buffer; the AHB interface requires no buffers.
The maximum clock frequencies are ~300MHz in 65nm CMOS technology, ~250MHz in 90nm and ~200 MHz in 130nm. At 300MHz, typical IPsec performance is 578k pps (packets per second) for 64 Byte packets using ESP AES-SHA1 and 126K pps for large packets.
Using IPsec with AES-GCM increases performance to 923K pps for 64 Byte packets and 218K pps for large packets.
At 300MHz, the Public Key Processor performs an RSA-1024 operation in 13ms (19.5ms @ 200MHz), an ECC-Add-384 operation in 0.34ms (0.51ms @ 200MHz) and an ECC-MUL-384 operation in 20ms (30ms @ 200MHz).
- Protocol performance (at 350 MHz)
- Performance for large packet sizes is > 1 Gbps for any supported protocol. IPsec performance for small packet sizes is > 350 Mbps.
- Gate count (without memories or interfaces):
- EIP-94is: 287k gates + 41k for PKA/TRNG
- EIP-94ies: 329k gates + 41k for PKA/TRNG
- IPsec (IPv4 and IPv6)
- Full IPsec packet ESP transforms according to latest RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4301, 4303, 4308, 4309 and 4868). ESP tunnel and transport mode.
- Full header processing:
- Insert ESP header for outbound packets,
- Strip and verify ESP header for inbound packets,
- Anti-replay check,
- Calculate and insert ICV for outbound packets, strip and verify for inbound packets.
- Trailer processing:
- Outbound: Insert up to 255 bytes of padding,
- Inbound: Strip and verify up to 255 bytes of padding
- SSLv3.0 / TLSv1.0 / TLSv1.1 / TLSv1.2 / DTLS
- Full single pass packet transforms according to latest RFCs (2246, 3546, 4346, 4347, 4366, 5246).
- Full header processing:
- Insert header for outbound packets,
- Strip and verify header for inbound packets,
- Anti-replay check.
- Trailer processing:
- Outbound: Insert up to 255 bytes of padding, calculate and insert MAC,
- Inbound: Strip and verify up to 255 bytes of padding, strip and verify MAC.
- SA Manager
- Optimized Security Association format,
- Supports unlimited number of Security Associations.
- SRTP (transforms according to RFC 3711)
- Calculate TAG for outbound packets,
- Strip TAG for inbound packets.
- MACsec (transforms according to IEEE 802.1AE)
- Header insertion and removal,
- Integrity only or integrity and confidentiality.
- CRYPTO ENGINE
- The engine supports the following cryptographic algorithms:
- DES (CFB1-8-64, OFB1-8-64, ECB, CBC),
- 3DES (CFB1-8-64, OFB1-8-64, ECB, CBC),
- AES in ECB, CBC, OFB128, CFB1-8-128, ICM, CTR mode with 128, 196, 256-bit keys,
- ARC4 in stateful, stateless mode, up to 128-bit key,
- Automatic padding up to 255 bytes.
- HASH ENGINE
- The Hash engine supports the following algorithms:
- MD5, SHA-1, SHA-224, SHA-256, SHA-384 (EIP-94ies), SHA-512 (EIP-94ies),
- AES-CCM, AES-XCBC-MAC, AES-CBC-MAC-PRF,
- HMAC transforms for SHA-1, MD5 and SHA-2,
- SSL MAC transforms for SHA-1,
- GHASH, GCM, AES-GCM and AES-GMAC.
- DMA CONTROLLER
- The integrated DMA controller supports:
- Scatter/Gather capability,
- Source Address and Destination address of 32 bit size,
- Up to 2048 bytes per DMA transfer over the bus,
- Automatic arbitration and bus flow control,
- Big and little endian host systems.
- PUBLIC KEY PROCESSOR
- Stand-alone Public Key Processor EIP-150 provides acceleration for public key operations and random number generation.
- Public Key operations up to 4096-bit modulus support,
- ECC, RSA, DSA, CRT, D-H sign/verify operations,
- D-H negotiate 180-bit exp., 1024-bit mod.: 3 ms,
- RSA 1024-bit sign: 16 ms,
- RSA 1024-bit sign (CRT): 5 ms,
- RSA 1024-bit verify (17 bits exp., no CRT): 0.4 ms,
- DSA 160 bit sign 1024-bit mod.: 2.7 ms,
- DSA 160 bit verify: 5.3 ms,
- ECDSA 192-bit sign: 6 ms; ECDSA verify: 12 ms,
- True Random Number Generator (TRNG) for the non-deterministic generation of keys, IVs, cookies and nonces,
- Post processing to ANSI X9.31 Annex A.
- Packet Engine, master and slave AHB, PLB, or AXI,
- Public Key Processor slave AHB, PLB, or AXI.
- Input and output buffers, both 2048 bytes, decouple the Packet Engine from the system bus interface.
- EIP-94-AHB / EIP-94-PLB
- 250 MHz
- 338 k gates / 353 k gates
- Complete HW/SW system.
- High-speed Crypto Packet Engine
- Silicon-proven implementation
- Fast and easy to integrate into SoCs.
- Flexible layered design.
- Complete range of configurations.
- World-class technical support.
- SafeXcel-IP-94 Hardware Specification
- SafeXcel-IP-94 Integration Manual
- SafeXcel-IP-94 Operation Manual
- SafeXcel-IP-94 Programmer Manual
- SafeXcel-IP-94 Verification Specification
- Synthesizable Verilog RTL source code
- Self-checking RTL test bench, including test vectors and expected result vectors
- Simulation scripts
- Synthesis scripts
- Driver Development Kit
- The SafeXcel EIP-94 is a Security Packet Engine designed to off-load the host processor to improve the speed of IPsec ESP, IPsec AH, SRTP, SSL, (D)TLS and MACsec protocol operations and reduce power in cost-sensitive networking products, such as:
- Multi-function printers,
- DSL & SOHO routers,
- VoIP Servers,
- E-commerce Servers,
- General Purpose Communications Processors,
- Cable Modems and VPN Appliances.