Laboratory for Reliable Laboratory for Reliable ComputingComputingDepartment of Electrical Department of Electrical EngineeringEngineeringNational Tsing Hua UniversityNational Tsing Hua UniversityHsinchu, TaiwanHsinchu, Taiwan

Security Processor: A ReviewSecurity Processor: A Review

Chih-Pin Su and Cheng-Wen Wu

Chih-Pin Su 2

OutlineOutline Introduction to Security System

Security service, mechanism and algorithm

Security System Architecture

Conclusion

Chih-Pin Su 3

ReferenceReference “Cryptography and Network Security”, William Stalli

ngs “Network Processors: Architectures, Protocols and, Pl

atforms”, Panos C. Lekkas “SSL: Foundation for Web Security” , William Stalling

s, IPJ, Vol.1, No.1 “Security: Adding Protection to the Network via the Ne

twork Processor”, Intel Technology journal, Vol.6, Issue 3, P40-49

Chih-Pin Su 4

Security RequirementSecurity Requirement Access Control – unauthorized users are kept

out

Authentication – Assurance of identity of person or originator of data

Confidentiality – Protection from disclosure to unauthorized person

Integrity – Maintain data consistency, protection against unauthorized data alternation

Non-repudiation – Originator of communications can not deny it later

Availability – Legitimate users have access when they need it

Chih-Pin Su 5

Security ThreatSecurity Threat Information disclosure

Integrity violation

Masquerading

Denial of service

Illegitimate use

Generic threat: backdoors, Trojan horses, insider attacks

Chih-Pin Su 6

Security ServiceSecurity Service From Open System Interconnection (OSI)

definition Access Control Authentication Confidentiality Integrity Non-repudiation

ITU-TT, X.800: Security Service of OSI

Chih-Pin Su 7

Security MechanismsSecurity Mechanisms Three basic building blocks are used

Encryption is used to provide confidentiality, can provide authentication and integrity protection

Digital signatures are used to provide authentication, integrity protection, and non-repudiation

Checksums/hash algorithms are used to provide integrity, can provide authentication

Multiple security mechanisms are combined to provide a security service

Chih-Pin Su 8

Service, Mechanism, AlgorithmService, Mechanism, Algorithm Services are built from Mechanisms

Mechanisms are implemented using algorithms

SSL

Signatures Encryption Hashing

RSA DSA AES SHA1MD5DES

Service (in security

Protocol)

Mechanism

Algorithm

Chih-Pin Su 9

Conventional EncryptionConventional Encryption Using a shared key

Problem of transferring a large message in secret reduced to transferring a small key in secret

Also called Private- or Symmetric-Key Encryption Block cipher and stream cipher Cryptographic mode – ECB, CBC, CFB, OFB mode

Chih-Pin Su 10

Public-Key EncryptionPublic-Key Encryption Uses matched public/private key pairs

Asymmetric-key encryption

Anyone can encrypt with the public key, only one person can decrypt with the private key

Chih-Pin Su 11

Key AgreementKey Agreement Allow two parties to agree on a shared key

Provides part of the required secured channel for exchanging a conventional encryption key

Chih-Pin Su 12

Hash FunctionHash Function Create a unique “fingerprint” for a message

Anyone can alter the message and create a new hash value

Chih-Pin Su 13

MACMAC Message Authentication Code, adds a

password/key to a hash Only password/key holder can generate the MAC HMAC-SHA, HMAC-MD5

Chih-Pin Su 14

Digital SignaturesDigital Signatures Combines a hash with a digital signature

algorithm

Chih-Pin Su 15

Message/Data EncryptionMessage/Data Encryption Combines symmetric- and asymmetric-key

encryption

Chih-Pin Su 16

Security Protocol LayersSecurity Protocol Layers

Chih-Pin Su 17

SSLSSL Secure Socket Layer – TCP/IP socket encryption

Usually authenticates server using digital signature

Can authenticate client but never used

Confidentiality protection via encryption

Integrity protection via MAC’s

Provides end-to-end protection of communication sessions

Chih-Pin Su 18

SSL HandshakeSSL Handshake Negotiate the cipher suite

Established a shared session key

Authenticate the server (opt.)

Authenticate the client (opt.)

Authenticate previously exchange data

Chih-Pin Su 19

SSL Data TransferSSL Data Transfer

Chih-Pin Su 20

Popular Security AlgorithmPopular Security Algorithm Hash algorithm: HMAC-MD5, HMAC-SHA1,

RIPEMD-128/160

Encryption algorithm: DES/3DES, AES, ARC4

Public Key algorithm: RSA, DSA sign and verify, ECC

Chih-Pin Su 21

Key ManagementKey Management Key management is the hardest part of

cryptography

Two classes of keys Short-term session keys

Generated automatically and invisibly Used for one message or session and discarded

Long-term keys Generated explicitly by the user

Long-term keys are used for two purposes Authentication (including access control, integrity, and non-

repudiation) Confidentiality (encryption)

Establish session keys Protect stored data

Chih-Pin Su 22

Key Management ProblemKey Management Problem Key certification

Key distribution Obtaining someone else’s public key Distributing your own public key

Establishing a shared key with another party Confidentiality: Is it really known only to the other party? Authentication: is it really shared with the intended party?

Key storage Secure storage of keys

Revocation Revoking published key Determining whether the published key is still valid

Chih-Pin Su 23

Key DistributionKey Distribution A Certification Authority (CA) solve the problem

Intercept!

Chih-Pin Su 24

Functional Block of Network ProcessingFunctional Block of Network Processing

Host

Processing

Switch Fabric chip

PHY layer chip

Queuing

CompressionEncryption

Modification

Lookup/classification

Parsing/Framing

Slow

Path

Processing

Transmission medium

Chih-Pin Su 25

Security System Architecture (1)Security System Architecture (1) Look-aside architecture

Switch Fabric

Network

Processor

PHY/MAC

Security

Coprocessor

Host CPU

subsystem

SDRAMSession

Statememory

Incoming trafficOutgoing traffic

Chih-Pin Su 26

Security System Architecture (2)Security System Architecture (2) Flow-through architecture

Switch Fabric

Network

Processor

PHY/MAC

Security

Coprocessor

Host CPU

subsystem

SDRAMSession

Statememory

Incoming trafficOutgoing traffic

Chih-Pin Su 27

SafeNet 1741SafeNet 1741 IPSec accelerator

Chih-Pin Su 28

Motorola MPC8272Motorola MPC8272 PowerQUICC with integrated security engine

Chih-Pin Su 29

Intel IXP2850Intel IXP2850

Chih-Pin Su 30

Crypto-Engine in IXP2850Crypto-Engine in IXP2850

Chih-Pin Su 31

ConclusionConclusion Basic concept of a security system is introduced

System architecture of security processor Look-aside architecture Flow-through architecture Integrated architecture