SafeXcel-3141 - SafeNet
<strong>SafeXcel</strong>-<strong>3141</strong><br />
Reliance Series High-Performance Security System on a Chip<br />
for IPsec & SSL/TLS Acceleration<br />
Benefits<br />
IPsec Performance<br />
• 4.6 Gbps ESP (AES-128/SHA-1 -<br />
1500 bytes)<br />
• 1.8 Gbps ESP (AES-128/SHA-1<br />
- 64 bytes)<br />
• 2.7 Gbps ESP (3-DES/SHA-1 -<br />
1500 bytes)<br />
• 1.5 Gbps ESP (3-DES/SHA-1 -<br />
64 bytes)<br />
Crypto Core (Per Engine x6)<br />
• 1.6 Gbps DES<br />
• 530 Mbps 3-DES<br />
• 1.28 Gbps AES 128-bit key<br />
• 914 Mbps AES 256-bit key<br />
• Cipher Modes: ECB, CBC, CTR<br />
• Multi-mode Padding support<br />
Hash Block (Per Engine x6)<br />
• 800 Mbps MD5<br />
• 1.28 Gbps SHA-1/2<br />
• Intelligent mutable bit handler<br />
for AH<br />
ARM9 processor<br />
• Two redundant processor cores<br />
and logic<br />
• 85 MIPS sustained performance,<br />
100 MIPS peak<br />
• Single-cycle instruction execution<br />
Public Key Accelerator<br />
• Supports up to 3072-bit modulus<br />
size<br />
• Diffie-Hellman negotiate:<br />
500us (1024-bit modulus, 180<br />
exponent)<br />
• RSA Sign (1024 bit modulus,<br />
1024 bit exponent) 2.3 msec<br />
w/o CRT, 750 msec w/CRT<br />
• RSA 1024-bit verify: 75us<br />
• DSA Sign: 750us<br />
• DSA Verify: 1.8ms<br />
The <strong>SafeNet</strong> <strong>SafeXcel</strong>™-<strong>3141</strong> is a highly<br />
integrated, high speed network security system<br />
on a chip. With the <strong>3141</strong> installed via a PCI-X<br />
or SPI-3 interface, host processors can off-load<br />
not only packet processing but also the crypto<br />
computations, thereby optimizing overall system<br />
performance.<br />
The <strong>SafeXcel</strong>-<strong>3141</strong> incorporates a complete<br />
suite of security features in hardware, including:<br />
• IPsec v2 ESP and AH transforms<br />
• Full suite of IKE macro operations<br />
• Suite B Compliant Algorithms<br />
• <strong>SafeNet</strong> CGX 4.0 Cryptographic Library<br />
Intelligent Protocol Handling<br />
Key features implemented in hardware:<br />
• ESP header insertion/validation, including<br />
SPI and replay counter processing<br />
• Full AH ‘mutable bit’ processing, including<br />
IPv4 options fields and IPv6 extension<br />
headers<br />
• HMAC ICV validation on inbound packets<br />
• Automatic IV generation and insertion<br />
• Optional ‘Black Key’ handling. Keys in SA<br />
database are stored encrypted and are<br />
decrypted on the fly by the <strong>3141</strong> prior to<br />
use<br />
Full Suite of Algorithms<br />
The <strong>SafeNet</strong> <strong>SafeXcel</strong>-<strong>3141</strong> incorporates all<br />
of the necessary algorithms for VPN and SSL<br />
applications:<br />
• AES, DES, and 3-DES encryption<br />
• MD-5, SHA-1, and SHA-2 Hashing with<br />
HMAC<br />
• Public Key computations – Diffie-Hellman,<br />
RSA, DSA, and Elliptic Curve<br />
• True Hardware Based Random Number<br />
Generation<br />
Gigabit Throughput<br />
The <strong>SafeXcel</strong>-<strong>3141</strong> achieves very high<br />
throughput not only with fast core<br />
processing engines, but also with an integration<br />
strategy that has been carefully designed<br />
to remove performance bottlenecks. For<br />
network packet processing, data packets are<br />
transferred on dedicated red and black SPI-3<br />
interfaces. This data is clocked directly into<br />
each of the cryptographic cores. An on-chip<br />
Resource Manager then intelligently allocates<br />
the crypto core requests amongst the multiple<br />
cryptographic engines to keep an optimal flow<br />
of data through the ASIC. Each crypto core<br />
contains dedicated core crypto engines and<br />
hashing engines, allowing them to function<br />
independently. Each cryptographic core contains<br />
its own 2K-byte input buffer and 2K-byte<br />
output buffer that allows the packet engines<br />
to run in parallel. Security Associations are<br />
managed across the external memory interface.<br />
A Command Descriptor Ring is used for IKE<br />
processing across the PCI interface. This allows<br />
asynchronous processing between the Host and<br />
the <strong>SafeXcel</strong>-<strong>3141</strong>.<br />
Hardware-Based Security<br />
The <strong>SafeNet</strong> <strong>SafeXcel</strong>-<strong>3141</strong> has been designed<br />
from the ground up with security in mind. It<br />
provides uncompromised protection for its<br />
algorithms, key material, and key generation<br />
processes. Unencrypted (red) key material is<br />
never permitted to leave the <strong>SafeXcel</strong>-<strong>3141</strong><br />
chip. A sophisticated Key Management system<br />
is contained within the CGX library on the<br />
<strong>SafeXcel</strong>-<strong>3141</strong>. The Key Management is carefully<br />
architected to enforce hacker-resistant security<br />
while at the same time providing a very<br />
flexible set of key handling options. Additional<br />
user selectable features such as SA integrity<br />
checks, error checking, and dual AES engines<br />
provide enhanced security. The <strong>SafeXcel</strong>-<strong>3141</strong><br />
even protects against poor application<br />
programming techniques that could otherwise<br />
compromise system security. For example, the<br />
Application Programming Interface (API) to the<br />
<strong>SafeXcel</strong>-<strong>3141</strong> is designed to disallow requests<br />
that violate good security practice.<br />
FIPS Compatibility<br />
The <strong>SafeXcel</strong>-<strong>3141</strong> is designed to facilitate FIPS<br />
140-2 Level 2 and Level 3 certification.<br />
Powerful Embedded Crypto Library<br />
The <strong>SafeNet</strong> <strong>SafeXcel</strong>-<strong>3141</strong> is unique in its<br />
class by providing an entire cryptographic<br />
library right on the IC. This library, designated<br />
CryptoGraphic eXtensions (CGX), includes<br />
functions such as:<br />
• Secret Public Key Generation<br />
• ECC, RSA, DSA, and D-H public key<br />
operations<br />
• Data hashing and encryption<br />
• Sophisticated key management<br />
infrastructure<br />
• DSS Signature Verification<br />
The CGX library contains a full suite of macro<br />
commands designed to optimize IKE processing,<br />
SSL/TLS handshaking, and SA database<br />
management.<br />
www.safenet-inc.com<br />
Device Boot<br />
The <strong>SafeXcel</strong>-<strong>3141</strong> is initialized via the host<br />
processor through an easy-to-use Universal<br />
Driver Module (UDM) API. This enables the<br />
<strong>3141</strong> to quickly load a high performance IPsec<br />
packet driver to bring the <strong>3141</strong> device online.<br />
Development Support<br />
<strong>SafeNet</strong>, Inc. offers a full suite of source code<br />
Software Developer’s Kits to assist OEMs with<br />
the system integration process. These toolkits<br />
range from including basic drivers to full IPsec<br />
stack implementations that allow an OEM<br />
to build a highly interoperable and scalable<br />
IPsec product. All major OS and platform<br />
configurations are available.<br />
Applications:<br />
• High-end Routers, Switches, etc.<br />
• Telecom Class Gateways (UMA, IMS, etc.)<br />
• Link Encryption<br />
• VPN Gateway Appliances<br />
• iSCSI / FC-SP / FCoEthernet Storage<br />
Security<br />
• Hardware Security Modules (HSMs)<br />
Corporate Headquarters:<br />
4690 Millennium Drive, Belcamp, Maryland 21017 USA<br />
Tel.: +1 410 931 7500 or 800 533 3958, Fax: +1 410 931 7524,<br />
Email: info@safenet-inc.com<br />
EMEA Headquarters:<br />
Tel.: +44 (0) 1276 608 000, Email: info.emea@safenet-inc.com<br />
APAC Headquarters:<br />
Tel: +852 3157 7111, Email: info.apac@safenet-inc.com<br />
For all office locations and contact information, please visit<br />
www.safenet-inc.com/company/contact.asp<br />
Random Number Generator<br />
(TRNG)<br />
• Non-deterministic Hardware<br />
based True Random Number<br />
Generator<br />
• Can internally generate session<br />
keys, IVs, nonces, cookies, public<br />
and private keys, etc.<br />
• Up to 1 Mbit of random data<br />
per second<br />
PCI-X/PCI Interface<br />
• 64-bit 3.3V bus interface, 5V<br />
tolerant<br />
• 100 MHz max bus speed<br />
• 6.4 Gbps max. burst speed<br />
• PCI v2.2 Compliant<br />
• Bus Master and Target capability<br />
SPI-3 Interface<br />
• Separate Red and Black Interfaces<br />
• 125MHz Max bus Speed<br />
• 32-bit bus interface for both Red<br />
and Black Interfaces<br />
External Memory Interface<br />
• 32/64-bit (selectable) 3.3V bus<br />
interface<br />
• Up to 268 Mbyte RAM addressable<br />
• Async SRAM, Sync dual-port<br />
SRAM, and PC-100/133 SDRAM<br />
supported<br />
• Support for mixed SRAM and<br />
SDRAM<br />
• Programmable SRAM wait states<br />
Electrical<br />
• Core Power: 1.8V ±10%<br />
• I/O Power: 3.3V ±10%<br />
• PCI Voltages: 3.3V or 5V ±10%<br />
• Core Clock Speed: 100 MHz<br />
(internal PLL, input frequency of<br />
25 MHz or 40 MHz)<br />
• Power Consumption: 5.4W peak<br />
Packages<br />
• 788-pin EPBGA-T<br />
• JTAG and Boundary Scan Support<br />
Real Time Clock<br />
• 32 kHz<br />
Temperature<br />
• 0°C to +70°C<br />
©2008 <strong>SafeNet</strong>, Inc. All rights reserved. <strong>SafeNet</strong> and <strong>SafeNet</strong> logo are registered trademarks of <strong>SafeNet</strong>.<br />
All other product names are trademarks of their respective owners.