Graduate student: Liang, Wen-Tsung (梁文宗)
Thesis title: Applying Electronic System Level Methodology in an IP Security (IPsec) Hardware Accelerator Design
Advisor: Chen, Chung-Ho (陳中和)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering
Year of publication: 2008
Academic year of graduation: 96
Language: Chinese
Number of pages: 72
Keywords: IPsec, Electronic System Level, Flow-through, Security offload
  • To find the performance bottleneck of IPsec, we first analyze a software implementation of the protocol. The analysis shows that non-cryptographic operations are also critical to overall system performance, so accelerating only the cryptographic algorithms in hardware cannot meet high-throughput requirements. We therefore implement the IPsec hardware accelerator with a flow-through architecture: the complete IPsec protocol suite is offloaded onto a host bus adapter, and the accelerator is placed on the main data path of packet processing.
    Because the flow-through architecture requires the complete IPsec protocol suite to be implemented and the resulting system is very large, we use an electronic system level (ESL) design methodology, which lets us build the processing units of the system more quickly. The system provides the AH and ESP protocols, each operable in either transport mode or tunnel mode, and supports the HMAC-MD5, HMAC-SHA1, DES and AES cryptographic algorithms. By varying the system configuration, we measure system performance under different security services and investigate how each processing unit affects performance. Based on the different interconnection schemes between processing units, we propose three architectures for the IPsec hardware accelerator and evaluate the performance of each.
    According to the simulation results, the Queue-based architecture is the most appropriate of the three for implementing the accelerator. Its throughput is 1.05 Gbps at an operating frequency of 125 MHz, measured with 1,400-byte IP packets using the ESP protocol with the AES-128-CBC cipher.

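    CHAPTER 1 Introduction
    1.1 Research Motivation and Direction
    1.2 Research Contributions
    1.3 Organization
    CHAPTER 2 Background
    2.1 Network Attacks and Security Services
    2.2 Introduction to Cryptography
    2.2.1 Symmetric Cryptosystems
    2.2.2 Asymmetric Cryptosystems
    2.2.3 Hash Functions
    2.2.4 Key Management
    2.3 IPsec
    2.3.1 Security Association
    2.3.2 AH and ESP Protocol
    2.3.3 Transport Mode and Tunnel Mode
    2.3.4 Outbound Processing Flow
    2.3.5 Inbound Processing Flow
    2.4 Related Work
    CHAPTER 3 IPsec System Analysis
    3.1 IPsec Protocol Performance Analysis
    3.1.1 Security Protocol Processing
    3.1.2 Database Query Processing
    3.2 System Development Platform
    3.2.1 Electronic System Level Design
    3.2.2 The SystemC Language and the CoWare Platform Architect Platform
    3.2.3 QEMU Virtual Machine
    CHAPTER 4 Design and Implementation
    4.1 System Overview
    4.2 Packet Management Unit
    4.2.1 Buffer Memory Management Data Structure
    4.3 Database Query Unit
    4.3.1 SPD Query Module
    4.3.2 SAD Query Module
    4.4 Control Unit
    4.5 Security Protocol Processing Unit
    4.6 Cryptographic Algorithm Processing Unit
    4.7 Output Processing Unit
    CHAPTER 5 Simulation and Verification
    5.1 Experimental Environment
    5.2 Simulation Results
    5.2.1 Functional Verification
    5.2.2 System Performance
    5.2.3 Performance Improvement
    CHAPTER 6 Conclusion and Future Work
    6.1 Conclusion
    6.2 Future Work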

    Full-text release: on campus, public from 2010-08-25; off campus, public from 2010-08-25