CLP-600: Security Protocol Accelerator- with Virtualization and QoS Capabilities

The Security Protocol Accelerator (SPAcc) offers designers unprecedented configurability to address the complex security requirements that are commonplace in today’s multi-function, high-performance SoC designs.

Secure environments like ARM TrustZone® are a solid foundation for security solutions in Embedded Systems. Elliptic provides versatile embedded hardware and software security solutions, designed for ARM TrustZone users, which range from hardware protocol accelerators and co-processors to platform security, DRM and content protection. The CLP-600 SPAcc is an ideal fit for the ARM TrustZone architecture as it provides a reliable protection mechanism for sensitive data and transactions, and it can be shared simultaneously with secure and application processors.

Increasingly, these designs include security at the MAC layer (e.g. WiMAX, Wi-Fi, MACsec or 3GPP/LTE), VPN security with IPsec and/or SSL, applications layer security such as SRTP and content protection such as DTCP. Compounding the challenge is the need to support high throughput requirements with mixed packet size traffic characteristics along with low latency requirements to preserve Quality of Service in voice and video applications in single- and multi-core processor architectures.

Most security protocols require computationally intensive confidentiality and authentication algorithms to be applied to the data. The CLP-600 SPAcc provides a framework including a programmable sequencer, Secure DMA engine, and cryptographic/hashing resources that can handle a high variety of protocols , such as MACsec, IPsec, SSL/TLS/DTLS, SRTP, WiMAX, Wi-Fi, content protection, and 3GPP/LTE/LTE-A.

NIST has recently released a new draft specification, FIPS 180-4 Secure Hash Standard, intended to supersede FIPS 180-3. Two additional algorithms, SHA-512/224 and SHA-512/256, have been introduced to allow for more efficient implementation alternatives on platforms optimized for 64-bit operations. Elliptic's family of hardware and software solutions, including the CLP-600 SPAcc, fully support these new algorithms.

The CLP-600 SPAcc reduces the bus traffic and offers increased throughput by supporting efficient data sequencing as well as parallel processing of cryptographic operations (authentication and encryption/decryption).

The security engine supports all ciphers and MAC algorithms used major protocols. Certain ciphers such as AES, DES, KASUMI, SNOW 3G and ZUC also have performance options that must be determined at build-time. It is also possible to run the crypto and hash cores in a different clock domain than the interface logic.

Features

test
Highly configurable security accelerator
Support for all ciphers, hashes and MAC algorithms used in major protocols such as IPsec, WiMAX, Wi-Fi, 3GPP LTE/LTE-A, SRTP, SSL/TLS/DTLS, MACsec
- Cipher algorithms: AES, DES/3DES, ARC4 [RC4], MULTI2, KASUMI, SNOW 3G, ZUC
- Cipher modes: ECB, CBC, CTR, OFB, CFB, f8, XTS, UEA1, UEA2, 128-EEA1, 128-EEA2, 128-EEA3
- Authenticated Encryption with Associated Data (AEAD) modes: CCM, GCM
- Hash/MAC algorithms: MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, AES-XCBC-MAC, AES-CMAC, KASUMI-f9, KASUMI-UIA1, SNOW-3G-UIA2, SNOW-3G-128-EIA1, AES-128-EIA2, ZUC-128-EIA3, CRC-32-IEEE802.3
- Hash modes: raw hash, SSLMAC, HMAC
- Other modes: GSM A5/3, ECSD A5/3 and GEA3 keystream generation
Built-in scatter/gather DMA capability offloads system CPU
Optimal bus utilization
Increased throughput through parallel hashing and encryption
IV import feature – permits DMA of IV with associated payload
Secure key port to access secrets stored in NVM
Secure bus option for systems which differentiate between secure and normal processing modes
- ARM TrustZone support
Command and status FIFO depth selection offers interrupt coalescence
Dual-clock domain capability to run interface and crypto content in different clock domains
Support for big- or little-endian

Configurable 32- or 64-bit bus interfaces

AMBA AXI4
- Low-Power
AMBA AHB
Lower level of interfacing available

Optional Enhancements

Virtualization – allows sharing between multiple CPUs
QoS capability allows multiple command priority queues for enhanced traffic management capabilities

Benefits

Silicon proven
Highly integrated
SoC/ASIC developers and embedded system OEMs benefit from
- Reduced time to market
- Reduced risk
- Highly tuned solutions for performance, power and size
IP developed by industry experts through a structured and rigorous development and verification program

Applications

Networking/VPN
- MACsec (802.1 AE)
- IPsec
- VoIP/SIP gateways
- SSL/TLS/DTLS
- SRTP
Wireless
- WiFi (802.11)
- WiMAX (802.16)
- 3GPP, LTE, LTE-A
- Femtocells
- Base stations
DRM & Content protection
- DTCP
- HDCP
- DRM
- WMDRM
- OMA
Storage
Printers

Downloads

Product Brief: CLP-600: Security Protocol Accelerator- with Virtualization and QoS Capabilities

Featured Products

ETS-020: tVault HDCP 2.2

A proven HDCP-based content protection solution that provides robust security inside Trusted Execution Environments (TEEs) and enforces the protection of sensitive information to ensure that it is stored, processed and accessed only by authorized applications.The solution integrates seamlessly within frameworks such as ARM TrustZone™, where the critical security components are embedded in a trusted and secure OS environment. The non-critical components are executed by the rich OS, such as Android.

CLP-630: Multi-Packet Manager Security Engine
A highly programmable and unique Security Protocol Accelerator specifically designed to efficiently process data for high capacity wireless and network applications. The engine is perfectly suited for applications that deal with multiple active connections and significant traffic load on different contexts, such as 4G LTE-Advanced wireless cellular base stations and femtocells.