CLP-600: Security Protocol Accelerator- with Virtualization and QoS Capabilities
The Security Protocol Accelerator (SPAcc) offers designers unprecedented configurability to address the complex security requirements that are commonplace in today’s multi-function, high-performance SoC designs.
Secure environments like ARM TrustZone® are a solid foundation for security solutions in Embedded Systems. Elliptic provides versatile embedded hardware and software security solutions, designed for ARM TrustZone users, which range from hardware protocol accelerators and co-processors to platform security, DRM and content protection. The CLP-600 SPAcc is an ideal fit for the ARM TrustZone architecture as it provides a reliable protection mechanism for sensitive data and transactions, and it can be shared simultaneously with secure and application processors.
Increasingly, these designs include security at the MAC layer (e.g. WiMAX, Wi-Fi, MACsec or 3GPP/LTE), VPN security with IPsec and/or SSL, applications layer security such as SRTP and content protection such as DTCP. Compounding the challenge is the need to support high throughput requirements with mixed packet size traffic characteristics along with low latency requirements to preserve Quality of Service in voice and video applications in single- and multi-core processor architectures.
Most security protocols require computationally intensive confidentiality and authentication algorithms to be applied to the data. The CLP-600 SPAcc provides a framework including a programmable sequencer, Secure DMA engine, and cryptographic/hashing resources that can handle a high variety of protocols , such as MACsec, IPsec, SSL/TLS/DTLS, SRTP, WiMAX, Wi-Fi, content protection, and 3GPP/LTE/LTE-A.
NIST has recently released a new draft specification, FIPS 180-4 Secure Hash Standard, intended to supersede FIPS 180-3. Two additional algorithms, SHA-512/224 and SHA-512/256, have been introduced to allow for more efficient implementation alternatives on platforms optimized for 64-bit operations. Elliptic's family of hardware and software solutions, including the CLP-600 SPAcc, fully support these new algorithms.
The CLP-600 SPAcc reduces the bus traffic and offers increased throughput by supporting efficient data sequencing as well as parallel processing of cryptographic operations (authentication and encryption/decryption).
The security engine supports all ciphers and MAC algorithms used major protocols. Certain ciphers such as AES, DES, KASUMI, SNOW 3G and ZUC also have performance options that must be determined at build-time. It is also possible to run the crypto and hash cores in a different clock domain than the interface logic.
- Highly configurable security accelerator
- Support for all ciphers, hashes and MAC algorithms used in major protocols such as IPsec, WiMAX, Wi-Fi, 3GPP LTE/LTE-A, SRTP, SSL/TLS/DTLS, MACsec
- Cipher algorithms: AES, DES/3DES, ARC4 [RC4], MULTI2, KASUMI, SNOW 3G, ZUC
- Cipher modes: ECB, CBC, CTR, OFB, CFB, f8, XTS, UEA1, UEA2, 128-EEA1, 128-EEA2, 128-EEA3
- Authenticated Encryption with Associated Data (AEAD) modes: CCM, GCM
- Hash/MAC algorithms: MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, AES-XCBC-MAC, AES-CMAC, KASUMI-f9, KASUMI-UIA1, SNOW-3G-UIA2, SNOW-3G-128-EIA1, AES-128-EIA2, ZUC-128-EIA3, CRC-32-IEEE802.3
- Hash modes: raw hash, SSLMAC, HMAC
- Other modes: GSM A5/3, ECSD A5/3 and GEA3 keystream generation
- Built-in scatter/gather DMA capability offloads system CPU
- Optimal bus utilization
- Increased throughput through parallel hashing and encryption
- IV import feature – permits DMA of IV with associated payload
- Secure key port to access secrets stored in NVM
- Secure bus option for systems which differentiate between secure and normal processing modes
- ARM TrustZone support
- Command and status FIFO depth selection offers interrupt coalescence
- Dual-clock domain capability to run interface and crypto content in different clock domains
- Support for big- or little-endian
Configurable 32- or 64-bit bus interfaces
- AMBA AXI4
- AMBA AHB
- Lower level of interfacing available
- Virtualization – allows sharing between multiple CPUs
- QoS capability allows multiple command priority queues for enhanced traffic management capabilities
- Silicon proven
- Highly integrated
- SoC/ASIC developers and embedded system OEMs benefit from
- Reduced time to market
- Reduced risk
- Highly tuned solutions for performance, power and size
- IP developed by industry experts through a structured and rigorous development and verification program
- MACsec (802.1 AE)
- VoIP/SIP gateways
- WiFi (802.11)
- WiMAX (802.16)
- 3GPP, LTE, LTE-A
- Base stations
- DRM & Content protection
A highly programmable and unique Security Protocol Accelerator specifically designed to efficiently process data for high capacity wireless and network applications. The engine is perfectly suited for applications that deal with multiple active connections and significant traffic load on different contexts, such as 4G LTE-Advanced wireless cellular base stations and femtocells.