SafeXcel-3141 - SafeNet

SafeXcel-3141 

Reliance Series High-Performance Security System on a Chip 

for IPsec & SSL/TLS Acceleration 

Benefits 

IPsec Performance 

• 4.6 Gbps ESP (AES-128/SHA-1 - 

1500 bytes) 

• 1.8 Gbps ESP (AES-128/SHA-1 

- 64 bytes) 

• 2.7 Gbps ESP (3-DES/SHA-1 - 

1500 bytes) 

• 1.5 Gbps ESP (3-DES/SHA-1 - 

64 bytes) 

Crypto Core (Per Engine x6) 

• 1.6 Gbps DES 

• 530 Mbps 3-DES 

• 1.28 Gbps AES 128-bit key 

• 914 Mbps AES 256-bit key 

• Cipher Modes: ECB, CBC, CTR 

• Multi-mode Padding support 

Hash Block (Per Engine x6) 

• 800 Mbps MD5 

• 1.28 Gbps SHA-1/2 

• Intelligent mutable bit handler 

for AH 

ARM9 processor 

• Two redundant processor cores 

and logic 

• 85 MIPS sustained performance, 

100 MIPS peak 

• Single-cycle instruction execution 

Public Key Accelerator 

• Supports up to 3072-bit modulus 

size 

• Diffie-Hellman negotiate: 

500us (1024-bit modulus, 180 

exponent) 

• RSA Sign (1024 bit modulus, 

1024 bit exponent) 2.3 msec 

w/o CRT, 750 msec w/CRT 

• RSA 1024-bit verify: 75us 

• DSA Sign: 750us 

• DSA Verify: 1.8ms 

The SafeNet SafeXcelTM-3141 is a highly 

integrated, high speed network security system 

on a chip. With the 3141 installed via a PCI-X 

or SPI-3 interface, host processors can off-load 

not only packet processing but also the crypto 

computations, thereby optimizing overall system 

performance. 

The SafeXcel-3141 incorporates a complete 

suite of security features in hardware, including: 

• IPsec v2 ESP and AH transforms 

• Full suite of IKE macro operations 

• Suite B Compliant Algorithms 

• SafeNet CGX 4.0 Cryptographic Library 

Intelligent Protocol Handling 

Key features implemented in hardware: 

• ESP header insertion/validation, including 

SPI and replay counter processing 

• Full AH ‘mutable bit’ processing, including 

IPv4 options fields and IPV6 extension 

headers 

• HMAC ICV validation on inbound packets 

• Automatic IV generation and insertion 

• Optional ‘Black Key’ handling. Keys in SA 

database are stored encrypted and are 

decrypted on the fly by the 3141prior to 

use 

Full Suite of Algorithms 

The SafeNet SafeXcel-3141 incorporates all 

of the necessary algorithms for VPN and SSL 

applications: 

• AES, DES, and 3-DES encryption 

• MD-5, SHA-1, and SHA-2 Hashing with 

HMAC 

• Public Key computations – Diffie-Hellman, 

RSA, DSA, and Elliptic Curve 

• True Hardware Based Random Number 

Generation 

Gigabit Throughput 

The SafeXcel-3141 achieves very high 

throughput not only with fast core 

processing engines, but also with an integration 

strategy that has been carefully designed 

to remove performance bottlenecks. For 

network packet processing, data packets are 

transferred on dedicated red and black SPI-3 

interfaces. This data is clocked directly into 

each of the cryptographic cores. An on-chip 

Resource Manager then intelligently allocates 

the crypto core requests amongst the multiple 

cryptographic engines to keep an optimal flow 

of data through the ASIC. Each crypto core 

contains dedicated core crypto engines and 

hashing engines, allowing them to function 

independently. Each cryptographic core contains 

its own 2K-byte input buffer and 2K-byte 

output buffer that allows the packet engines 

to run in parallel. Security Associations are 

managed across the external memory interface. 

A Command Descriptor Ring is used for IKE 

processing across the PCI interface. This allows 

asynchronous processing between the Host and 

the SafeXcel-3141. 

Hardware-Based Security 

The SafeNet SafeXcel-3141 has been designed 

from the ground-up with security in mind. It 

provides uncompromised protection for its 

algorithms, key material, and key generation 

processes. Unencrypted (red) key material is 

never permitted to leave the SafeXcel-3141 

chip. A sophisticated Key Management system 

is contained within the CGX library on the 

SafeXcel-3141. The Key Management is carefully 

architected to enforce hacker resistant security 

while at the same time providing a very 

flexible set of key handling options. Additional 

user selectable features such as SA integrity 

checks, error checking, and dual AES engines 

provide enhanced security. The SafeXcel-3141 

even protects against poor application 

programming techniques that could otherwise 

compromise system security. For example, the 

Application Programming Interface (API) to the 

SafeXcel-3141 is designed to disallow requests 

that violate good security practice.

FIPS Compatibility 

The SafeXcel-3141 is designed to facilitate FIPS 

140-2 Level 2 and Level 3 certification. 

Powerful Embedded Crypto Library 

The SafeNet SafeXcel-3141 is unique in its 

class by providing an entire cryptographic 

library right on the IC. This library, designated 

CryptoGraphic eXtensions (CGX), includes 

functions such as: 

• Secret Public Key Generation 

• ECC, RSA, DSA, and D-H public key 

operations 

• Data hashing and encryption 

• Sophisticated key management 

infrastructure 

• DSS Signature Verification 

The CGX library contains a full suite of macro 

commands designed to optimize IKE processing, 

SSL/TLS handshaking, and SA database 

management. 

www.safenet-inc.com 

® 

Device Boot 

The SafeXcel-3141 is initialized via the host 

processor though an easy to use Universal 

Driver Module (UDM) API. This enables the 

3141 to quickly load a high performance IPsec 

packet driver to bring the 3141 device online. 

Development Support 

SafeNet, Inc. offers a full suite of source code 

Software Developer’s Kits to assist OEMs with 

the system integration process. These toolkits 

range from including basic drivers to full IPsec 

stack implementations that allow an OEM 

to build a highly interoperable and scalable 

IPsec product. All major OS and platform 

configurations are available. 

Applications: 

• High-end Routers, Switches, etc. 

• Telecom Class Gateways (UMA, IMS, etc) 

• Link Encryption 

• VPN Gateway Appliances 

• iSCSI / FC-SP / FCoEthernet Storage 

Security 

• Hardware Security Modules (HSM’s) 

Corporate Headquarters: 

4690 Millennium Drive, Belcamp, Maryland 21017 USA 

Tel.: +1 410 931 7500 or 800 533 3958, Fax: +1 410 931 7524, 

Email: info@safenet-inc.com 

EMEA Headquarters: 

Tel.: +44 (0) 1276 608 000, Email: info.emea@safenet-inc.com 

APAC Headquarters: 

Tel: +852 3157 7111, Email: info.apac@safenet-inc.com 

For all office locations and contact information, please visit 

www.safenet-inc.com/company/contact.asp 

Random Number Generator 

(TRNG) 

• Non-deterministic Hardware 

based True Random Number 

Generator 

• Can internally generate sessionkeys, 

IV’s, nonce’s, cookies, public 

and private keys, etc. 

• Up to 1 Mbit of random data 

per second 

PCI-X/PCI Interface 

• 64-bit 3.3V bus interface, 5V 

tolerant 

• 100 MHz max bus speed 

• 6.4 Gbps max. burst speed 

• PCI v2.2 Compliant 

• Bus Master and Target capability 

SPI-3 Interface 

• Separate Red and Black Interfaces 

• 125MHz Max bus Speed 

• 32-bit bus interface for both Red 

and Black Interfaces 

External Memory Interface 

• 32/64-bit (selectable) 3.3V bus 

interface 

• Up to 268 Mbyte RAM addressable 

Async SRAM, Sync dual-port 

SRAM, and PC-100/133 SDRAM 

supported 

• Support for mixed SRAM and 

SDRAM 

• Programmable SRAM wait states 

Electrical 

• Core Power: 1.8V ±10% 

• I/O Power: 3.3V ±10% 

• PCI Voltages: 3.3V or 5V ±10% 

• Core Clock Speed: 100 MHz 

(internal PLL, input frequency of 

25 MHz or 40 MHz) 

• Power Consumption: 5.4W peak 

Packages 

• 788-pin EPBGA-T 

• JTAG and Boundary Scan Support 

Real Time Clock 

• 32 kHz 

Temperature 

• 0°C to +70°C 

©2008 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. 

All other product names are trademarks of their respective owners.

SafeXcel-3141 - SafeNet

Create successful ePaper yourself

Delete template?

Save as template?