Laboratory for Reliable Computing Department of Electrical Engineering National Tsing Hua University Hsinchu, Taiwan Security Processor: A Review Chih-Pin Su and Cheng-Wen Wu
Chih-Pin Su 2 Outline Introduction to Security System Security service, mechanism and algorithm Security System Architecture Conclusion
Chih-Pin Su 3 Reference “Cryptography and Network Security”, William Stallings “Network Processors: Architectures, Protocols and, Platforms”, Panos C. Lekkas “SSL: Foundation for Web Security”, William Stallings, IPJ, Vol.1, No.1 “Security: Adding Protection to the Network via the Network Processor”, Intel Technology journal, Vol.6, Issue 3, P40-49
Chih-Pin Su 4 Security Requirement Access Control – unauthorized users are kept out Authentication – Assurance of identity of person or originator of data Confidentiality – Protection from disclosure to unauthorized person Integrity – Maintain data consistency, protection against unauthorized data alternation Non-repudiation – Originator of communications can not deny it later Availability – Legitimate users have access when they need it
Chih-Pin Su 5 Security Threat Information disclosure Integrity violation Masquerading Denial of service Illegitimate use Generic threat: backdoors, Trojan horses, insider attacks
Chih-Pin Su 6 Security Service From Open System Interconnection (OSI) definition Access Control Authentication Confidentiality Integrity Non-repudiation ITU-TT, X.800: Security Service of OSI
Chih-Pin Su 7 Security Mechanisms Three basic building blocks are used Encryption is used to provide confidentiality, can provide authentication and integrity protection Digital signatures are used to provide authentication, integrity protection, and non- repudiation Checksums/hash algorithms are used to provide integrity, can provide authentication Multiple security mechanisms are combined to provide a security service
Chih-Pin Su 8 Service, Mechanism, Algorithm Services are built from Mechanisms Mechanisms are implemented using algorithms SSL SignaturesEncryptionHashing RSADSAAESSHA1MD5DES Service (in security Protocol) Mechanism Algorithm
Chih-Pin Su 9 Conventional Encryption Using a shared key Problem of transferring a large message in secret reduced to transferring a small key in secret Also called Private- or Symmetric-Key Encryption Block cipher and stream cipher Cryptographic mode – ECB, CBC, CFB, OFB mode
Chih-Pin Su 10 Public-Key Encryption Uses matched public/private key pairs Asymmetric-key encryption Anyone can encrypt with the public key, only one person can decrypt with the private key
Chih-Pin Su 11 Key Agreement Allow two parties to agree on a shared key Provides part of the required secured channel for exchanging a conventional encryption key
Chih-Pin Su 12 Hash Function Create a unique “fingerprint” for a message Anyone can alter the message and create a new hash value
Chih-Pin Su 13 MAC Message Authentication Code, adds a password/key to a hash Only password/key holder can generate the MAC HMAC-SHA, HMAC-MD5
Chih-Pin Su 14 Digital Signatures Combines a hash with a digital signature algorithm
Chih-Pin Su 15 Message/Data Encryption Combines symmetric- and asymmetric-key encryption
Chih-Pin Su 16 Security Protocol Layers
Chih-Pin Su 17 SSL Secure Socket Layer – TCP/IP socket encryption Usually authenticates server using digital signature Can authenticate client but never used Confidentiality protection via encryption Integrity protection via MAC’s Provides end-to-end protection of communication sessions
Chih-Pin Su 18 SSL Handshake Negotiate the cipher suite Established a shared session key Authenticate the server (opt.) Authenticate the client (opt.) Authenticate previously exchange data
Chih-Pin Su 19 SSL Data Transfer
Chih-Pin Su 20 Popular Security Algorithm Hash algorithm: HMAC-MD5, HMAC-SHA1, RIPEMD-128/160 Encryption algorithm: DES/3DES, AES, ARC4 Public Key algorithm: RSA, DSA sign and verify, ECC
Chih-Pin Su 21 Key Management Key management is the hardest part of cryptography Two classes of keys Short-term session keys Generated automatically and invisibly Used for one message or session and discarded Long-term keys Generated explicitly by the user Long-term keys are used for two purposes Authentication (including access control, integrity, and non- repudiation) Confidentiality (encryption) Establish session keys Protect stored data
Chih-Pin Su 22 Key Management Problem Key certification Key distribution Obtaining someone else’s public key Distributing your own public key Establishing a shared key with another party Confidentiality: Is it really known only to the other party? Authentication: is it really shared with the intended party? Key storage Secure storage of keys Revocation Revoking published key Determining whether the published key is still valid
Chih-Pin Su 23 Key Distribution A Certification Authority (CA) solve the problem Intercept!
Chih-Pin Su 24 Functional Block of Network Processing Host Processing Switch Fabric chip PHY layer chip Queuing Compression Encryption Modification Lookup/classification Parsing/Framing Slow Path Processing Transmission medium
Chih-Pin Su 25 Security System Architecture (1) Look-aside architecture Switch Fabric Network Processor PHY/MAC Security Coprocessor Host CPU subsystem SDRAM Session State memory Incoming trafficOutgoing traffic
Chih-Pin Su 26 Security System Architecture (2) Flow-through architecture Switch Fabric Network Processor PHY/MAC Security Coprocessor Host CPU subsystem SDRAM Session State memory Incoming trafficOutgoing traffic
Chih-Pin Su 27 SafeNet 1741 IPSec accelerator
Chih-Pin Su 28 Motorola MPC8272 PowerQUICC with integrated security engine
Chih-Pin Su 29 Intel IXP2850
Chih-Pin Su 30 Crypto-Engine in IXP2850
Chih-Pin Su 31 Conclusion Basic concept of a security system is introduced System architecture of security processor Look-aside architecture Flow-through architecture Integrated architecture