Since its inception in around 1970's, application of networking has experienced a humungous boom in every aspect of our day-to-day life. World of networking offering us with numerous benefits and positives, its security issues should be handled with utmost priority. Networks have always been prone to viruses, hacks and many different types of attacks. To counter this eavesdropping, we have witnessed a very mature and dominant approach in fields of Cryptography and Network protection [TB].
Many protocols such as IPSEC, Secure Socket Layer (SSL) have been devised for secure communication across the web. This project concentrates on IPSEC protocol which enables in securing one of the most important protocols in the internet stack - Internet Protocol (IP). IPSEC, which is implemented at a lower layer, can be used to provide security to all applications, thus it has an upper hand over other security protocols such as TLS which are performed at a higher layer. Execution of higher layer security protocols such as TLS (SSL) demands modifications in the application by itself to incorporate the security features. [Wikipedia]
Protocols mentioned above are of paramount importance while designing a Virtual Private Network (VPN) which involves establishing a confidential connection between two network entities over an open internet network. VPN's enables a business to expand its network utilities to distant users, branch offices and its associates. It simulates public internet so that it acts as a private WAN [VPN intro]. VPN enables its security strategy by using a process called ‘tunneling'. Tunneling establishes a protective channel through which guaranteed secure communication can be carried out between two network entities.
Our work revolves around the in-depth study of IPSEC literature. Implementation of IPSEC in hardware needed an intricate analysis of Encryption algorithms like AES, DES, 3DES and also authentication algorithms like SHA-1, MD5, and HMAC. After examinations of these algorithms, AES was found to be the most secure encryption algorithm around since DES is already cracked and 3DES needs far more computation resources. SHA-1 was chosen over other authentication algorithms because it is stronger and more secure than others [single chip IPSEC].
Security databases are one of the most important factions of IPSEC, which are responsible for distribution of secret keys, required by the security algorithms mentioned above. Designing these databases is of extreme importance since they procure random and secure keys from the key database, making our system more secure.
Technology Trends and Market Review:
Network Security Processors from dealers like Broadcom, Freescale, Intel and Cavium have replaced previously rampant low-end IPSEC accelerators with their improved designs. These chips have a high throughput rate of around 100Mbps and can establish a secure channel. Rather than a CPU processor incorporating security function within, network security chips are preferred, which integrate well with the core and associated memories. This speeds up the process of delivering safe transmission across the network by offloading the algorithms computational overhead on the primary CPU, which can be entirely utilized to performing its foremost duties.
Following an escalation of 19% in 2005 to $66 million, Network Security accelerator market reported a growth of 15% in 2006 to reach a mark of $76 million. Two-third of the sales in the year 2006 came out from IPSEC and other VPN applications [Linley Group].
Recent implementations of IPSEC have clearly given importance towards improving the throughput of the system and reducing the area of chip. Several AES implementations concentrate on improving the SubByte transformation, which is most critical step of the algorithm.
Jing Lu and John Lockwood [inbound outbound] have proposed as IPSEC implementation on XILINX FPGA in which they move the key databases part in the software and they invoke it only when required since use of software bottlenecks their systems performance. Their work compares AES performance on 128,192 and 256 bits of data blocks over XILINX FPGA. The performance comparisons of Authentication algorithms MD5 and SHA-1 are also made.
Hung-Ching Chang, Chun-Chin Chen and Chih-Feng Lin have proposed Advanced RISC machine architecture which is equipped with three security coprocessors, each of them been used for DES, AES and Hashing calculations. They also propose to provide software assistance to integrate their hardware cores with IPSEC clients. They also conclude that implementations of the security algorithms in hardware is far more faster and efficient than in software.[Xscale Hardware acceleration]
Alberto Ferrante and Vincenzo Piuri have carved a high-level architecture of IPSEC System on Chip. In this work they also suggest that there is fine line of separation between actions which can be performed in hardware and in software. Even though most of the operations, when carried out in hardware turn out be faster, software provides flexibility to the system and newer additions can be integrated with the existing design with ease.