PacketEngine-IP-96 / EIP-96 Security Transform pipeline, 5Gbps

The PacketEngine-IP-96 (EIP-96) is IP for accelerating IPsec, SSL/TLS, SRTP and MACsec transforms up to 5Gbps, offering a large selection of cipher algorithms. Designed for fast integration, low gate count and full transforms, the PacketEngine-IP-96 transform engine provides a reliable and cost-effective embedded IP solution that is easy to integrate into high-speed processing pipelines.

IPsec/TLS/MACsec/DTLS transform pipeline

5..10Gbps, programmable, supports new and legacy crypto algorithms, AMBA interface

Supported by SA and token builder SW kit

How the PacketEngine-IP-96 works

The PacketEngine-IP-96 (EIP-96) packet transform engine is the transform engine embedded in all PacketEngine-IP-97/98/197 protocol-aware security engines. It is the processing pipeline that takes full packets in and processes them into encrypted or decrypted packets based on instructions that it receives through tokens. The PacketEngine-IP-96 is fully flexible through these tokens, which are generated either by the supplied software token builder or by the hardware classifiers found in the PacketEngine-IP-98 or PacketEngine-IP-197.

The PacketEngine-IP-96 is designed to be the cryptographic pipeline in high-end security designs. Main targets are high-end servers of network CPUs, tile based designs and multi-homogeneous core designs.

Sustained performance for large packet sizes is 5000 Mbps for any supported protocol (2500 Mbps for small packets) @500MHz (and 1Gbps @1GHz). Gate count is between 250 and 500k gates depending on the configuration. Multiple PacketEngine-IP-96 cores can be cascaded.


Key benefits:

  • Silicon-proven implementation
  • Fast and easy to integrate into SoCs
  • Flexible layered design
  • Complete range of configurations
  • World-class technical support
  • SA and token builder SW kit
 

IPsec (IPv4 and IPv6):

  • Full IPsec packet ESP/AH transforms according to latest RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4106, 4301, 4303, 4308, 4309, 4543, 4868, 4869, 6054, 6071 and 6379)
  • IPsec ESP and AH tunnel & transport mode
  • Insert ESP/AH header for outbound packets, strip and verify ESP/AH header for inbound packets
  • Full sequence number processing, including ESN and full anti-replay check with various mask sizes
  • Calculate and insert integrity check value for outbound packets, strip and verify for inbound packets
  • Append (outbound) / strip and verify (inbound) padding up to 255 bytes
 

MACsec

  • MACsec frame transforms according to IEEE 802.1AE-2006 and Draft 802.1AEbn/D1.0
  • SecTAG insertion and removal
  • PN insertion, removal and verification
  • ICV generation, insertion, removal and verification
 

SSL3.0 / TLS1.0 / TLS1.1 / TLS1.2 / DTLS1.0 / DTLS 1.2:

  • Full single pass packet transforms according to latest RFCs (2246, 4346, 5246, 6101 and 6347).
  • Full header processing
    • Insert header for outbound packets
    • Strip and verify header for inbound packets
    • Anti-replay check
    • Trailer processing:
      • Insert padding up to 255 bytes for outbound packets
      • Strip and verify padding up to 255 bytes for inbound packets
      • Calculate and insert message authentication code for outbound packets, strip and verify for inbound packets
 

SRTP packet transforms according to RFC3711:

  • ROC insertion and removal
  • MKI insertion and removal
  • TAG generation and insertion
 

Wireless algorithms and SAR mode of operation

  • Kasumi f8 and f9,
  • SNOW 3G,
  • ZUC.

Storage algorithms

  • AES-XTS (including CTS mode)
 

The cryptographic engine supports the following cryptographic algorithms:

  • (3)DES in ECB and CBC with (3x) 56-bit key,
  • AES in ECB, CBC, ICM, CTR mode with 128/192/256 bit keys, GCM, GMAC and CCM modes,
  • ARC4 in Stateful and Stateless mode, up to 128-bit key, (EIP-97is, EIP-97ies),
  • Kasumi in basic and f8 mode (UEA1),
  • SNOW3G in basic and 128-EEA1 mode (UEA2),
  • ZUC in basic and 128-EEA3 mode (UEA3)
  • AES in XTS mode.
 

The hash engine supports the following algorithms:

  • SHA-1, SHA-2-224, SHA-2-256, SHA-2-384, SHA-2-512, MD5,
  • HMAC transforms for SHA-1, SHA-2, MD5,
  • SSL-MAC transforms for SHA-1, MD5,
  • AES-CCM, AES-XCBC-MAC, AES-CBC-MAC-PRF,
  • GHASH, GCM, AES-GCM and AES-GMAC,
  • CRC32.
  • Kasumi in f9 mode (UIA1)
  • SNOW3G in basic and 128-EIA1 mode (UIA2),
  • ZUC in basic and 128-EIA3 mode (UIA3).
 

The Pseudo Random Number Generator supports:

  • ANSI X9.31 compliant; based on the AES cipher
  • Automatic IV generation
 

Interface option 1 (default):

  • Data busses have a master DMA and target TCM interface to allow optimal packet data requests by the EIP-96
  • SA (context) bus has a master DMA and target TCM interface to allow optimal context data requests by the EIP-96
  • Streaming token input and output interfaces
  • Target TCM interface for SW debug and configuration
 

Interface option 2:

  • Streaming data input and output interfaces
  • Selection of context interface:
    • SA (context) bus can have a master DMA and target TCM interface to allow optimal context data requests by the EIP-96
    • Optionally this interface is configured as two independent streaming context input and output interfaces (EIP-96-cf)
  • Streaming token input and output interfaces
  • Target TCM interface for SW debug and configuration


The CryptoManager Root of Trust

Built around a custom RISC-V CPU, the Rambus CryptoManager Root of Trust (CMRT) is at the forefront of a new category of programmable hardware-based security cores. Siloed from the primary processor, it is designed to securely run sensitive code, processes and algorithms. More specifically, the CMRT provides the primary processor with a full suite of security services, such as secure boot and runtime integrity, remote attestation and broad crypto acceleration for symmetric and asymmetric algorithms.
