SafeNet, The Foundation of Information Security
 
 
 
sample image
   SafeXcel 3140 Reliance Series
Customized solutions from world-renowned designers.

SafeXcel-3140
Reliance Series

High-Performance Security System on a Chip (IPSec)

The SafeNet SafeXcel™-3140 is a highly integrated, high speed network security system on a chip. With the 3140 installed, host processors can off-load not only packet processing but also the crypto computations, thereby optimizing overall system performance.

The SafeXcel-3140 incorporates a complete suite of security features in hardware, including:

  • IPSec ESP and AH transforms
  • Full suite of IKE macro operations
  • SafeNet CGX 4.0 Cryptographic Library

Not only are the core algorithms supplied in the SafeXcel-3140, but the surrounding protocol handling, including header insertion and stripping is included as well. Key features implemented in hardware that are unavailable with other competitive chip solutions include:

  • ESP header insertion/validation, including SPI and replay counter processing
  • Full AH 'mutable bit' processing, including IPv4 options fields and IPV6 extension headers
  • HMAC ICV validation on inbound packets
  • Automatic IV generation and insertion
  • 'Black Key' handling. Keys in SA database are stored encrypted and are decrypted on the fly by the 3140 prior to use

Full Suite of Algorithms

The SafeNet SafeXcel-3140 incorporates all of the necessary algorithms for VPN and SSL applications:

  • AES, DES, and Triple-DES encryption
  • MD-5 and SHA-1 Hashing with HMAC
  • Public Key computations:
    • Diffie-Hellman Key Negotiation
    • RSA Encryption & Signatures
    • DSA Signatures
  • U.S. Government Random Number Generation

Gigabit Throughput

The SafeXcel-3140 achieves very high throughput not only with fast core processing engines, but also with an integration strategy that has been carefully designed to remove performance bottlenecks. For network packet processing, data packets are transferred on dedicated red and black SPI-3 interfaces. This data is clocked directly into each of the cryptogrpahic cores. An on-chip Resource Manager then intelligently allocates the crypto core requests amongst the multiple cryptographic engines to keep an optimal flow of data through the ASIC. Each crypto core contains dedicated core crypto engines and hashing engines, allowing them to function independently. Each cryptographic core contains its own 2K-byte input buffer and 2K-byte output buffer that allows the packet engines to run in parallel.

Security Associations are managed across the external memory interface. A Command Descriptor Ring is used for IKE processing across the PCI interface. This allows asynchronous processing between the Host and the SafeXcel-3140.

Hardware-Based Security

The SafeNet SafeXcel-3140 has been designed from the ground-up with security in mind. It provides uncompromised protection for its algorithms, key material, and key generation processes. Unencrypted (red) key material is never permitted to leave the SafeXcel-3140 chip.

A sophisticated Key Management system is contained within the CGX library on the SafeXcel-3140. The Key Management is carefully architected to enforce hacker-resistant security while at the same time providing a very flexible set of key handling options.

Additional user selectable features such as SA integrity checks, error checking, and dual AES engines provide enhanced security.

The SafeXcel-3140 even protects against poor application programming techniques that could otherwise compromise system security. For example, the Application Programming Interface (API) to the SafeXcel-3140 is designed to disallow requests that violate good security practice.

SafeXcel-3140 Functional Block Diagram



The SafeXcel-3140 is designed for FIPS 140-2 security. The 3140 and the earlier generation SafeXcel-2142 are the only single-chip FIPS 140-1 solutions that provide full IPSec support.

Powerful CGX Library

The SafeNet SafeXcel-3140 is unique in its class by providing an entire cryptographic library right on the IC. This library, designated CryptoGraphic eXtensions (CGX), includes functions such as:

  • Secret and Public Key Generation
  • RSA, DSA, and D-H public key operations
  • Data hashing and Encryption
  • Sophisticated key management infrastructure
  • DSS Signature Verification

Thus, the programmer is spared the significant work required to write a proprietary library, or link-in a costly purchased one.

In addition to the full suite of basic CGX library functions, the SafeXcel-3140 with version 4.0 of the CGX Library includes new macro commands to optimize IKE processing, SSL, and TLS handshaking, and SA database management. These new commands compress many primitive crypto functions into a single call.

CGX also now incorporates powerful endian handling controls which allow interfacing in either big or little endian environments.

Direct Boot

The SafeXcel-3140 hits the ground running with its Direct Boot feature. This turnkey option allows the 3140 to auto-load a high-performance IPSec packet driver. This means that the OEM developer doesn't have to write any code to run on the 3140 in order to achieve full throughput.

Development Support

SafeNet, Inc. offers a full suite of Software Developer's Kits to assist OEMs with the system integration process. These toolkits range from including basic drivers to full IPSec implementations that allow an OEM to build a highly interoperable and scalable IPSec product based on the IETF standards. Each Developer's Kit is available for several hardware platforms and operating systems. Contact SafeNet for further details.

Applications:

  • Crypto Engine for High-end Internetworking Devices (Routers, Switches, etc.)
  • Firewall accelerator
  • Server VPN
  • Workstation Security Module
  • VPN Appliances
  • iSCSI Storage Security

Technical Specifications

IPSec Performance

  • 2.7 Gbps sustained ESP(3-DES, SHA-1, 1500 byte packets)
  • 1.5 Gbps sustained ESP (3-DES, SHA-1, 64 byte packets)
  • 4.6 Gbps sustained ESP (AES-128 bit, SHA-1 1500 byte packets)
  • 3.2 Gbps sustained ESP (AES-256 bit, SHA-1 1500 byte packets)
  • 1.8 Gbps sustained ESP (AES-128 bit, SHA-1 64 byte packets)

Crypto Core

  • 1.6 Gbps Single-DES
  • .53 Gbps Triple-DES
  • 1.28 Gbps AES 128-bit key,
  • .914 Gbps AES 256-bit key
  • Supports all modes: ECB, CBC, for DES, 3-DES,and AES
  • Supports CTR mode for AES
  • Multi-mode Padding support
  • Implements IPSec ESP transforms

Hash Block (One per core)

  • 0.8 Gbps MD-5
  • 1.28 Gbps SHA-1
  • Implements IPSec AH and HMAC Intelligent mutable bit handler for AH

ARM9 processor

  • Two redundant processor cores and logic
  • 85 MIPS sustained performance, 100 MIPS peak
  • Single-cycle instruction execution
  • Redundant Memories
    - 32 Kbytes on-chip boot ROM
    - 128 Kbytes on-chip Program RAM
    - 16 Kbytes on-chip Data RAM
  • 8 Kbytes on-chip Data RAM
  • 512 bytes Tamper Protected Battery Backed RAM
  • 512 bytes Zeroize Protected Battery Backed RAM

Public Key Accelerator

  • Accelerator for math-intensive public key operations
  • Supports up to 3072-bit modulus size
  • Diffie-Hellman negotiate: 500us (1024-bit modulus, 180 exponent)
  • RSA Sign (1024 bit modulus, 1024 bit exponent) 2.3 msec w/o CRT, 750 msec w/CRT
  • RSA 1024-bit verify: 75us
  • DSA Sign: 750us
  • DSA Verify: 1.8ms

Random Number Generator (RNG)

  • Non-deterministic USG Random Number Generator
  • Can internally generate session keys, IV's, nonce's, cookies, public and private keys, etc.
  • Up to 1 Mbit of random data per second

PCI-X/PCI Interface

  • 64-bit 3.3V bus interface, 5V tolerant
  • 100 MHz max bus speed
  • 6.4 Gbps max. burst speed
  • PCI v2.2 Compliant
  • Bus Master and Target capability

SPI-3 Interface

  • Separate Red and Black Interfaces
  • 125MHz Max bus Speed
  • 32-bit bus interface for both Red and Black Interfaces

External Memory Interface

  • 32/64-bit (selectable) 3.3V bus interface
  • Up to 268 Mbyte RAM addressable Async SRAM, Sync dual-port SRAM, and PC-100/133 SDRAM supported
  • Support for mixed SRAM and SDRAM
  • Programmable SRAM wait states

DMA Block

  • Multi-Channel, 64-bit DMA Controller
  • Can DMA between PCI, Local Memory bus, External Memory Interface and Packet Engine
  • Complete bus flow control and automatic arbitration

Key Management Block

  • Support for storage of both public and symmetric keys
  • Trust-model rules enforcement
  • Only encrypted keys allowed off chip
  • Random Generated local unique key in local BRAM.

Electrical

  • Core Power: 1.8V ±10%
  • I/O Power: 3.3V ±10%
  • PCI Voltages: 3.3V or 5V ±10%
  • Core Clock Speed: 100 MHz (internal PLL, input frequency of 25 MHz or 40 MHz)
  • Power Consumption: 5.4W peak

Packages

  • 788-pin EPBGA-T
  • JTAG Support

Real Time Clock

  • 32 kHz

Temperature

  • 0°C to +70°C
Related Documents
     Company | Site Map | Privacy Statement | Contact Us | Send Feedback | Terms & Conditions of Sale
     © 2009 SafeNet Inc. All rights reserved. | Use of this website signifies your agreement to the Terms of Use.