1Hot Chips 20031(C) Broadcom Corporation. All rights reserved.Multi-Gigabit SSL & TLS Record Layer Protocol ProcessorandMulti-Gigabit IPsec ProcessorDavid Chin ([email protected])Terry Tham ([email protected])2Hot Chips 20032(C) Broadcom Corporation. All rights reserved.OutlineOutline• SSL/TLS Protocol Overview • BCM5850 SSL/TLS Record Layer Protocol Processor– Key Features– Implementation Challenges– Technology and Performance• BCM5841 Multi-Gigabit Security Processor– Key Features– Description– Performance• Summary3Hot Chips 20033(C) Broadcom Corporation. All rights reserved.Where Security is ImplementedWhere Security is ImplementedInternetVPN Tunnel- Large payload traffic- Few connections- Long life per connectionSecure SSL Sessions- Small payload traffic- Many connections- Short life per connectionHeadquartersBranch OfficeSOHO/Remote UsersCentral OfficeServiceProviderSecure Server or Load Balancer- Must manage sessions fast- Exchange keys quicklySecure Router, Switch, Appliance- Must do Security at Gigabit ratesSecure Gigabit, Terabit Routers- Must do Security at Multi-Gigabit ratesWebBrowsersLoad BalancerWeb SwitchServerFarmServiceProviderCentral OfficeBuySellBuyBuyBuySell4Hot Chips 20034(C) Broadcom Corporation. All rights reserved.Introduction to SSL/TLSIntroduction to SSL/TLSApplicationSSL/TLSTCPIP••http, telnet, ftp, etc. (e.g., http, telnet, ftp, etc. (e.g., web server): User Data web server): User Data Input to SSL/TLSInput to SSL/TLS••Sits right below application Sits right below application in the network stackin the network stack••Sits directly above TCPSits directly above TCP••Usually requires application Usually requires application to be modifiedto be modified5Hot Chips 20035(C) Broadcom Corporation. All rights reserved.SSL/TLS RecordSSL/TLS Recordtypeversionlengthdata_fragment••1 byte1 byte••2 bytes (major, minor)2 bytes (major, minor)••2 bytes2 bytes••221414bytes max. (MAC bytes max. (MAC security consideration)security consideration)MACpadEncrypted••16 (MD5) or 20 (SHA16 (MD5) or 20 (SHA--1)1)••00--8 bytes, count in last 8 bytes, count in last byte, only for block cipherbyte, only for block cipher6Hot Chips 20036(C) Broadcom Corporation. All rights reserved.SSL/TLS Fragments User Data into RecordsSSL/TLS Fragments User Data into RecordsUser DataData FragmentMACData FragmentMACEncrypted DataEncrypted DataRecordHeaderRecordHeaderPadPad• SSL records are independent of user buffers– One user buffer may be fragmented across multiple records– Multiple user buffers may be aggregated into one record– However, one-to-one is quite common7Hot Chips 20037(C) Broadcom Corporation. All rights reserved.TCP Segments Recordsinto Frames (Packets)TCP Segments Recordsinto Frames (Packets)SSL Record SSL RecordSegmentTCPIPn+MSSn+MSS+1n+2xMSSRest of record (less than MSS)nSegmentTCPIPSegmentTCPIPRetain until acknowledged Re-transmit if timeout8Hot Chips 20038(C) Broadcom Corporation. All rights reserved.BCM5850 Block DiagramBCM5850 Block DiagramPCI/PCI-XLDTDMAOUTInputParser(IPU)InputParser(IPU)InputParser(IPU)InputParser(IPU)Connection State Management (CMU)KeyDerivation(KDU)CryptographicProcessing(CPU)CryptographicProcessing(CPU)CryptographicProcessing(CPU)CryptographicProcessing(CPU)DMA Channel Distribution (CDU)INMem Controller (MCU)SerialControlInputParser(IPU)DMA Channel Collection (CCU)LDT8 Bit400 MHzDDRRAM64 Bit133 MHzUp to 512MBPCI32/64 Bit33/66 MHzPCI-X64 Bit133 MHzClockResetJTAGSCANSerial EEPROM9Hot Chips 20039(C) Broadcom Corporation. All rights reserved.BCM5850 Key FeaturesBCM5850 Key Features• SSL/TLS Record Layer Processing– 3DES, ARCFOUR, AES, SHA-1, MD5– Single Pass Authentication / Encryption for SSLv3/TLSv1– Key derivations for SSLv2, SSLv3, and TLSv1– Finished message Processing/client certificate verification– Support for SSL v2 record processing: • Single-pass authentication/encryption for inbound records– Streaming record buffer processing w/ TCP segmentation– TCP partial checksum computation– Maintains > 500K complete connections• 32-bit and 64-bit Addressing Mode Support– All 16 combinations of the Bus/Processor endians supported10Hot Chips 200310(C) Broadcom Corporation. All rights reserved.DMA Data FlowDMA Data FlowINPUT RING(IRING)OUTPUT RING(ORING)D3D2D1ControlApplicationDescriptorsControlApplicationData1ApplicationDatanDxControlApplicationDescriptorsControlApplicationData1ApplicationDatanBCM5850Pkt Status11Hot Chips 200311(C) Broadcom Corporation. All rights reserved.SSLv3/TLSv1 Record Stream Cipher (Decrypt)SSLv3/TLSv1 Record Stream Cipher (Decrypt)Record InBuffer OutDATA(8 Bytes)Message Authentication Code(20 Bytes)ALEN = 33 0x00 0x00ALEN = 33ContentTypeVersion(Major)Version(Minor)Len[15:8]Len[7:0]AUTH = 13DEC = 28ContentType0x00ALEN = 8 Application ContextDATA(8 Bytes)Application Context12Hot Chips 200312(C) Broadcom Corporation. All rights reserved.SSLv3/TLSv1 Record Block Cipher (Encrypt)SSLv3/TLSv1 Record Block Cipher (Encrypt)Record OutBuffer InContentType0x00ALEN = 8 DATA(8 Bytes)DATA(8 Bytes)Message Authentication Code(20 Bytes)ALEN = 37ContentType0x00ALEN = 37ContentTypeVersion(Major)Version(Minor)Len[15:8]Len[7:0]0x03 0x03 0x030x03AUTH = 13ENC = 32PADApplication Context Application Context13Hot Chips 200313(C) Broadcom Corporation. All rights reserved.SSLv2 Record Block Cipher(Decrypt)SSLv2 Record Block Cipher(Decrypt)Record InBuffer OutDATA(12 Bytes)Message Authentication Code(16 Bytes)ALEN = 35 0x00 0x00ALEN = 350xXX0xXX 0xXX0xXXAUTH = 16DEC = 320x00 0x00ALEN = 12DATA(12 Bytes)Pad Count0x04FLAGS / LENGTHPADApplication ContextApplication Context14Hot Chips 200314(C) Broadcom Corporation. All rights reserved.SSLv2 Record Stream Cipher(Encrypt)SSLv2 Record Stream Cipher(Encrypt)0x00 0x00ALEN = 12 DATA(12 Bytes)DATA(12 Bytes)Key Stream(16 Bytes)ALEN = 30 0x00 0x00ALEN = 30AUTH = 12ENC = 28FLAGS / LENGTHApplication Context Application ContextBuffer InMessage Authentication Code(16 Bytes)HASH VALUE FIELDRecord Out15Hot Chips 200315(C) Broadcom Corporation. All rights reserved.Finished Message ProcessingFinished Message ProcessingClient HelloPROTO 0x00HLENServer Hello512 bits512 bits512 bits512 bits512 bitsn-1 blockClient Finished MessageMD5 HASH (16 bytes)20 LEN = 36SHA1 HASH (20 bytes)MD5 HASH (16 bytes)20LEN = 36SHA1 HASH (20 bytes)Handshake ContextBCM5850Server Finished Message16Hot Chips 200316(C) Broadcom Corporation. All rights reserved.TCP