1Hardware Implementation ofIP Security cryptographictransformationsPawel Chodowiec, [email protected] Radzikowski, [email protected] Andoni, [email protected] Goals of the projectz IPSec overviewz Hardware implementations of symmetric key ciphersz Integration of hardware with FreeS/WAN IPSec implementationz Conclusions2Goals And objectivesz Hardware Implementation of DES,3DES, and AES.z Investigate Hardwareimplementation of Diffie-Hellmanalgorithmz Investigate possible integrationwith public IPSec implementationIP Security objectivesz IPSec provides high quality,cryptographically-based securityservices at the IP layer:z Access Controlz Connectionless Integrityz Data origin authenticationz Protection against replaysz Confidentialityz Traffic flow confidentiality3IP Security ComponentszSecurityPolicyzFilterszSecurityTransformszSAzTransport VsTunnel ModeProtocols:•ESP•AH•IKEPre-Shared key creationz Materials used to create the keys are:z A pair of “NONCES" (random numbers),one from the source, one from thedestinationz The Diffie-Hellman public keysz A pair of "cookies" (a 64-bit hash of apseudorandom number, the source anddestination addresses, the source anddestination ports and the system time)4Key Exchange Main ModeINITIATORRESPONDERInitiator's cookie and the list of proposed TransformsExtract proposedTransforms and decidebased on its ISAKMPpolicywhich Transform toacceptResponder's cookie and the accepted TransformAt this point the Initiatorand Responder share aTransform for creatingthe ISAKMP SecurityAssociationInitiator's DH public info, nonce, and authentication infoGenerate Diffie-Hellmancomponents andNONCE and send themto the responderGenerate his Diffie-Hellmankey pairs and NONCE.ComputeDH=(I-Public)^R-Privatemod pThis can be done inHardware using MongomryModular MultiplicationThen compute the Pre-shared keyskeyid = hash (Ni | Nr , DH )Responder's DH public info, nonce, and authentication infoComputeDH=(R-Public)^I-Private mod pThen compute thePre-shared keyskeyid = hash (Ni | Nr , DH )Symmetric key ciphers consideredfor IPSec• Required– DES in CBC• Recommended– DES and 3DES in CBC, CFB and OFB modes• Very likely to be included– AES in CBC and counter modes• Other ciphers can be implemented as well5DES and 3DES considerations• Originally planned to take code developed by two students Po Khuon and Tanvir Joy as a senior design project– the code did not pass tests– very hard to debug• Developed own description from scratchDES/3DES round architectureFInput L32 3232 32Input ROutput L Output R6DES key schedule architecture<<<1 <<<2>>>1 >>>2compressioncompressionedTwo banksof key memoryKey inputRound keyDES/3DES modes of operationDES/3DEScoreData inputData inputData outputIV vector/counter• CBC and counter modes implementedIV vector/counter7Implementation of DES/3DES• Tools• Described in VHDL, simulated in Active-HDL• Synthesized in Foundation Series 3.1i• Device• Xilinx FPGA: Virtex 1000• Tested on SLAAC1V cardDES/3DES area requirements• DES/3DES alone596 CLB Slices: 4% of the area• DES/3DES together with PCI interface2948 CLB Slices: 23% of the area8DES/3DES performance• Performance reported by timing analyzerMax. clock frequency: 69.7 MHzDES performance: 265.9 Mbps3DES performance: 88.9 Mbps•Performance measured on the SLAAC1V cardMax. clock frequency: 86 MHzDES performance: 328 Mbps3DES performance: 109.3 MbpsTesting procedure (1)Known Answer Test• KAT taken from NIST Special Publication 800-20• Passed for data• Did not pass for key schedule• Reason: keys could not be written to any of the memory banks• Need to look into implementation details to resolve this problem9Testing procedure (2)Modified Monte Carlo test• Single test procedure• encrypt 256 randomly chosen data blocks• result feed back to next iteration as plaintext• perform 1024 iterations => 2MB of data encrypted per one set of parameters• compare results with software implementation taken from Crypto++ 4.1 library• When single test passes increase clock frequency and test again until failure detectedAES implementation procedure• Take ready implementation of Rijndael in basic architecture capable of processing 128-bit data blocks1037 CLB Slices + 16 BlockRAMsmax. clock frequency: 31.2 MHzthroughput: 380 Mbps• Develop key schedule capable of processing 128-, 192-, 256-bit key sizes• Develop CBC and counter modes10AES key schedule architecturerotSubInput 64 bitsRcon3232ki-2ki-1ki-4ki-3ki-6ki-5ki-8ki-7kiki+1ki-Nkki-Nk+1ki+1 = ki-Nk+1 + ki-Nk + ki-1 ki = ki-Nk + ki-1 Output 64 bitsAES key schedule characteristics• Key schedule circuit size259 CLB Slices + 2 BlockRAMs• Maximum clock frequency51.5 MHz• Performance reported by implementation tools, not measured on SLAAC1V11AES implementation status• Need to integrate cipher body with key schedule circuit• Add CBC and counter modes of operation• basically the same circuit as for DES/3DES, just need to change size of data busesFreeS/WANOverviewzOpen Source software implementation of IPSecprotocol for LinuxzCan run on almost any hardware capable to runLinuxzSupports AH, ESP and IKE protocolszSupports 3DES-CBC, HMAC-SHA1, HMAC-MD5zSingle DES considered as insecure and notimplementedzDivided into kernel- and user-space partszTransport encryption performed by KLIPS –kernel modulezConnection setup performed by Pluto - user-space daemon12FreeS/WANGoals and resultszThe goal:–Examine the software–Try to integrate hardware implementation of encryptionalgorithm with kernel module–Examine possibility to add Rijndael encryptionzThe result:–Because of efficiency requirements the code is quiteobscure and difficult to analyze–It is impossible to use user-space SLAAC API library withkernel module–Whole API would have to be rewritten to make it possible tointegrate hardware encryption performed by SLAAC boardwith kernel moduleFreeS/WANExperiment setupAnnaDorotaeth0eth0:0eth0:1eth0:0eth0eth0:1192.168.1.0/24192.168.2.0/24129.174.40.0/22Externalnetworktcpblast: 10000 blocks of 20000 bytesping: 10000 packets 56 bytes eachTest tool:3DES-CBC, HMAC-MD5IPSec setup:2.4.2Kernel:Ethernet 100Mbps, 3C905C-TXNetwork card:256 MBMemory:Pentium III 865 MHzProcessor:13FreeS/WANPerformance1.2 sConnectionsetup time0.196 ms39 Mbps,86% CPU44 Mbps,96% CPUIPSec,uniformdata0.082 msAvg. pingtime27 Mbps,65% CPU93 Mbps,27% CPUTCP28 Mbps,65% CPUIPSec,randomdata95