Abstract
This paper presents a high-performance Network Security Processor (NSP) system architecture implementation intended for both Internet Protocol Security (IPSec) and Secure Socket Layer (SSL) protocol acceleration, which are widely employed in Virtual Private Network (VPN) and e-commerce applications. The efficient data transfer skeleton and the optimized integration scheme of the parallel crypto engine arrays lead to a Gbps-rate NSP, which is programmable with domain-specific descriptor-based instructions for Gbps-throughput IPSec and SSL applications. The descriptor-based control flow fragments large data packets and distributes them to the parallel crypto engine arrays, which fully utilizes the computation resources and improves the overall system data throughput. A prototyping platform for this NSP design is implemented with a Xilinx XC3S5000-based FPGA chip set. Results show that the design gives a peak throughput of 1.851 Gbps for the IPSec ESP tunnel mode, with over 1600 full SSL handshakes per second, at a clock rate of 150 MHz.









Additional information
This work was supported by the National Natural Science Foundation of China under Grant 60273004, Grant 60576027, and Grant 60544008, and by the Hi-Tech Research and Development Program of China under Grant 2006AA01Z415.
Cite this article
Wang, H., Bai, G. & Chen, H. A Gbps IPSec SSL Security Processor Design and Implementation in an FPGA Prototyping Platform. J Sign Process Syst Sign Image Video Technol 58, 311–324 (2010). https://doi.org/10.1007/s11265-009-0371-2
DOI: https://doi.org/10.1007/s11265-009-0371-2