Security IP icon

Security

Protocol-IP-93 Multi-Protocol Engine, Look-Aside, 1 Gbps

The Protocol-IP-93 Multi-Protocol Engine is a protocol-aware packet engine for accelerating IPSec, SSL/TLS, and SRTP up to 1 Gbps in SoCs. Designed for fast integration, low gate count and full packet transforms, it provides a reliable and cost-effective embedded IP solution that is easy to integrate into SoC designs. It is ideal for securing cloud connection with TLS and acceleration of other application that require cryptographic operations, such as secure boot.

Protocol-aware IPsec/TLS packet engine with Look-Aside interface for IoT.

Up to 1 Gbps, lowest gate count in the industry, just 100K gates
(ex AMBA interface).

Supported by Driver Development Kit, QuickSec IPsec toolkit,
Secure Boot Toolkit.

How the Protocol-IP-93 Multi-Protocol Engine works

The Multi-Protocol Engine is a protocol-aware packet engine IP with a Look-Aside bus interface and a packet transform engine. The Multi-Protocol engine is used as a bus master in the data plane of the system and processes packets with very little CPU intervention. This engine supports an AMBA (AXI, AHB, TCM) or a PLB SoC bus interface and can be delivered in different configurations to support IPsec as well as SSL and TLS up to the latest 1.3 release. It is the world’s only 100K gate IPsec/TLS accelerator (excluding interface).
Diagram: PacketEngine-IP-93 Security Packet Engine, Look-Aside, 300Mbps
Protocol-IP-93 Multi-Protocol Engine Block Diagram

The Multi-Protocol Engine is designed to off-load the host processor to improve the speed of protocol operations and reduce power in cost-sensitive networking products, such as: high-end IoT devices; IoT gateways; femtocells; DSL routers; SOHO routers; cable modems; VPN appliances; and surveillance cameras.

Performance for large packet sizes is > 1 Gbps for any supported protocol. IPsec performance for small packet sizes is > 500 Mbps, at a system clock speed of 500 MHz.

Features and Benefits

Key benefits:

  • Silicon-proven implementation
  • Fast and easy to integrate into SoCs
  • Flexible layered design
  • Complete range of configurations
  • World-class technical support
  • Driver Development Kit
  • Descriptor ring infrastructure, with master DMA controller
  • SA manager
 

IPsec (IPv4 and IPv6):

  • Full IPsec packet ESP transforms, for tunnel & transport mode, according to RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4301, 4303, 4308, 4309, 4835 and 4868)
  • Complete IPsec (IPv4 and IPv6) header processing:
  • Insert ESP header for outbound packets
  • Strip and verify ESP header for inbound packets
  • Anti-replay check
  • IPsec trailer processing:
  • Insert padding up to 255 bytes for outbound packets
  • Strip and verify padding up to 255 bytes for inbound packets
  • Calculate and insert integrity check value for outbound packets, strip and verify for inbound packets
 

SSL3.0 / TLS1.0 / TSL1.1 / TLS1.2 / TLS1.3 / DTLS:

  • Full single pass packet transforms according to RFCs (2246, 3268, 3546, 4346, 4347, 4366, 5246 and 8446).
  • Full Header processing:
  • Insert header for outbound packets,
  • Strip and verify header for inbound packets,
  • Anti-replay check.
  • Trailer processing:
      • Insert padding up to 255 bytes for outbound packets
      • Strip and verify padding up to 255 bytes for inbound packets
      • Calculate and insert Message Authentication Code for outbound packets, strip and verify for inbound packets
 

The cryptographic engine supports the following cryptographic algorithms:

  • (Triple-)DES in ECB and CBC with 56-bit key
  • AES in ECB, CBC, ICM, CTR mode with 128-bit 192-bit and 256-bit key
  • Special HDCP cipher mode combination with AES-CTR
  • Optional ARC4 in stateful, stateless mode, up to 128-bit key
  • Automatic padding up to 255 bytes
 

The hash engine supports the following algorithms:

  • SHA-1, SHA-2-224/256, MD5
  • HMAC transforms for SHA-1, SHA-2, MD5
  • SSL-MAC transforms for SHA-1, MD5
 

Combined AECD Cipher algorithms

  • AES-CCM, AES-(X)CBC-MAC, AES-CMAC
  • Optional: AES-GCM, AES-GMAC 
CryptoManager Root of Trust Cover

The CryptoManager Root of Trust

Built around a custom RISC-V CPU, the Rambus CryptoManager Root of Trust (CMRT) is at the forefront of a new category of programmable hardware-based security cores. Siloed from the primary processor, it is designed to securely run sensitive code, processes and algorithms. More specifically, the CMRT provides the primary processor with a full suite of security services, such as secure boot and runtime integrity, remote attestation and broad crypto acceleration for symmetric and asymmetric algorithms.

Upcoming Webinar: AI Requires Tailored DRAM Solutions