EE Times-Asia

Security in silicon: A guide to secure, high-speed SoC devices (Part 2)

Posted: 18 Oct 2007

Keywords: security in silicon, high-speed SoC, secure devices


Support for cryptographic security has become a basic requirement for many networking and mobile silicon devices. The complex nature of cryptographic security processing often creates a challenge for semiconductor designers to achieve the levels of protection and throughput required by today's systems and applications. Implementing security functionality on dedicated hardware enables designers to achieve higher throughput performance, lower power consumption and a higher degree of security over software-based implementations running on a general-purpose processor.

The small-packet challenge
While IPsec security processing of large IP packets (1,500 bytes) has been accelerated to multigigabit performance in many systems, achieving the same performance levels for small packets (64 bytes) has proven to be quite a challenge.

Since the percentage of overhead data, and associated packet processing, is much higher for a given data stream of small packets than it is for big packets, the performance of small packet security processing has been a problem for security system designers for a long time.

The architectural bottleneck to higher packet performance comes from the fact that each IP packet still needs to be processed to some extent by a general-purpose CPU before and after it gets offloaded for security processing to the embedded security accelerator. For small packets, this CPU processing burden is relatively higher compared to large packets.

This situation is becoming more critical with the rise of small packets in today's data traffic, mostly driven by real-time applications such as VoIP.
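
To put numbers on the small-packet overhead described above, the following added example (not from the original article) computes ESP tunnel-mode expansion and the packet rate for 64-byte and 1,500-byte IP packets. It assumes an IPv4 outer header, AES-CBC with HMAC-SHA1-96, and 1 Gbit/s of inner traffic; none of these parameters come from the article.

```python
"""ESP tunnel-mode overhead and packet rate for small vs. large IP packets.

Assumed parameters (not from the article): IPv4 outer header, AES-CBC
encryption, HMAC-SHA1-96 integrity, 1 Gbit/s of inner (plaintext) traffic.
"""

OUTER_IPV4_HDR = 20   # new outer IP header added in tunnel mode
ESP_HDR = 8           # SPI (4 bytes) + sequence number (4 bytes)
CBC_IV = 16           # AES-CBC initialisation vector
CBC_BLOCK = 16        # AES block size; encrypted part must be a multiple of it
ESP_TRAILER = 2       # pad-length byte + next-header byte
ICV = 12              # HMAC-SHA1-96 integrity check value


def esp_padding(inner_len: int) -> int:
    """Padding bytes so that inner packet + padding + trailer fills whole blocks."""
    return -(inner_len + ESP_TRAILER) % CBC_BLOCK


def esp_tunnel_size(inner_len: int) -> int:
    """IP-layer size of one inner IP packet after ESP tunnel encapsulation."""
    encrypted = inner_len + esp_padding(inner_len) + ESP_TRAILER
    return OUTER_IPV4_HDR + ESP_HDR + CBC_IV + encrypted + ICV


def overhead_ratio(inner_len: int) -> float:
    """Added bytes as a fraction of the original packet size."""
    return (esp_tunnel_size(inner_len) - inner_len) / inner_len


def packets_per_second(bit_rate: float, inner_len: int) -> float:
    """Packets per second needed to carry bit_rate of inner traffic."""
    return bit_rate / (inner_len * 8)


if __name__ == "__main__":
    rate = 1e9  # assumed line rate of inner traffic, bits per second
    for size in (64, 1500):
        print(f"{size:>5} B inner -> {esp_tunnel_size(size):>5} B protected, "
              f"overhead {overhead_ratio(size):6.1%}, "
              f"{packets_per_second(rate, size):>12,.0f} packets/s")
```

Under these assumptions the per-packet work that a look-aside design leaves on the CPU has to be done roughly 23 times more often for 64-byte packets than for 1,500-byte packets at the same data rate.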

Traditional look-aside security architectures
In traditional SoC architectures, hardware assist is usually limited to dedicated modules that perform cryptographic security processing under full control of an embedded general-purpose processor. In these architectures, the general-purpose processor still needs to process each IP packet to some extent.

Especially at high data rates and for small packet sizes, this approach creates a significant burden on the processor, resulting in an overall throughput bottleneck.

[Figure 1 diagram; block labels: Network I/F, PKA, TRNG, Packet Processing, Network I/F, CPU, Memory I/F, Internal SoC bus, SafeXcel IP Packet Engine, QuickSec, Driver, Control Plane, DMA/Other Peripherals, Data Plane]

Figure 1: Example of a look-aside security architecture.

Inline security processing
The latest achievement in security processing (and an excellent solution for the small packet challenge) was delivered in 2005 when SafeNet introduced a unique solution for completely autonomous packet processing (fastpath inline security processing).

In contrast to previous "look-aside" security architectures (Figure 1), the new concept of inline security processing eliminates any interaction with the general-purpose CPU core for data-plane processing (e.g. packet classification, filtering and flow processing) and completely offloads all these security functions to the dedicated inline security system.

The result is superior data rates across all packet sizes and a significant reduction of general-purpose processor utilization for security functions.

SafeNet's Inline Security Engine design
The Inline Security Engine IP is based on a proven board-level hardware/software security system. In this hardware/software system, the hardware chip was mainly responsible for high-speed cryptographic processing, while the security software (running on a general-purpose processor) performed any other processing required for each data packet. More specifically, the security software implemented both Control Plane and Data Plane functionality (packet classification, data flow lookup, flow administration, firewalling, etc.).
