
Security processors do SHA-2, AES-GCM, AES-f8, and run Linux

Oct 18, 2005 — by LinuxDevices Staff — from the LinuxDevices Archive

Cavium Networks will sample a chip at the top of its Nitrox II security processor line in Q1, 2006. The CN28xx will support emerging cryptography algorithms, while retaining backward compatibility with the Nitrox II API, the company says. Linux drivers and sample applications will be included.

Cavium's Nitrox processors are based on a proprietary RISC architecture, and feature multiple cores that can be programmed in microcode to support various security algorithms. The CN28xx offers software compatibility with currently available Nitrox II processors, while adding support for a number of algorithms needed to build next-generation security equipment, Cavium says.

Emergent cryptographic requirements

Cavium says popular hashing algorithm SHA-1 was broken in early 2005, and that SHA-2 will be widely adopted by 2008. The CN28xx will support “all variations of SHA-2,” including SHA-224, SHA-256, SHA-384, and SHA-512, the company says. The company expects the chip to be the only available security processor to support SHA-384 and SHA-512.

Cavium also says that IPsec ESP (IP security — encapsulated security payload) requirements are driving the security industry to adopt AES-GCM (advanced encryption standard — Galois Counter Mode), which the company says provides an efficient implementation for confidentiality and data origin authentication. The CN28xx will support data speeds greater than 10Gbps when using AES-GCM, the company claims.

Additionally, the CN28xx will support AES-f8, an algorithm used for SRTP (secure real-time transport protocol).

Other features of the CN2800

The CN28xx supports up to eight gigabit Ethernet MIIs, or up to two SPI-4.2 (serial packet interfaces), for total throughputs from 2-10Gbps. The processor also features a PCI-X interface.


Nitrox II CN28xx diagram

Additional features include:

  • Supports inline and look-aside system architectures
  • Security protocol processors that can concurrently support IPsec, SSL, WLAN security, and multi-protocol
  • General purpose CPU can process security control plane protocols such as IKEv1/v2
  • Supports a variety of symmetric, asymmetric, and hashing protocols
  • IP packet fragmentation and re-assembly support
  • NAT traversal over UDP
  • IPv4 and IPv6

Planned CN28xx models include:

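| Model | Max RSA 1024-bit Exponent | Max DH 180-bit Exponent with 1024-bit Mod | Inline full IPsec processing | Full SSL record throughput (w/AES+MD5) |
|-------|---------------------------|-------------------------------------------|------------------------------|----------------------------------------|
| CN2830 | 4K | 5K | 2.5 Gbps | 2.5 Gbps |
| CN2840 | 8K | 10K | 5 Gbps | 5 Gbps |
| CN2850 | 12K | 15K | 7.5 Gbps | 7.5 Gbps |
| CN2860 | 16K | 20K | 10 Gbps | 10 Gbps |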


Director of Product Marketing Rajneesh Gaur said, “Cavium Networks' NITROX family has become the most widely deployed security processor family for IPsec and SSL applications in networking equipment worldwide. The NITROX II CN2800 [will meet] critical customer requirements.”

Cavium is a privately held, fabless chip design house with offices in Massachusetts and India. It employs many engineers from DEC's former Alpha chip design team, it says. It claims its Nitrox security processors are used in devices made by nine of the top 10 vendors of multi-gigabit VPN/firewall equipment, L4+ switches, wireless LAN switches, and storage security appliances.

Availability

Cavium expects to sample the CN28xx in Q1, 2006, along with a development kit that includes Linux drivers and sample applications. When it reaches production, the CN28xx chips are expected to sell for $250 to $725, in quantities greater than 5K.


 
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc.


