IPSEC与SSL的安全性研究

IPSEC与SSL在为互联网提供安全的通信方面均起到了重要的作用,同样这两种技术也是各有长处.本文对这两种技术进行了比较,分析了这两种协议的安全性能.     

A high-performance CMOS 32-bit parallel CRC engine

Design highlights for a 32-bit parallel cyclic redundancy check (CRC) generator engine are presented. In a 0.8-μm three-layer-metal CMOS process, the engine could handle about 5 Gbps data throughput. A compact layout is achieved by predecoding eight groups of four bits followed by performing a binary tree reduction on nets that are sorted by fanout. There are six gate delays plus a single-phase clock edge-triggered register     

Real-Time FFT Computation Using GPGPU for OFDM-Based Systems

In optical and wireless communications systems, the goal is to reach 10 Gbps or above data rates. In order to support such extremely high data rates, the physical layer generally uses orthogonal frequency division multiplexing (OFDM) modulation. Unlike serial transmission of symbols, the OFDM modulation transmits data with many parallel sub-carriers, which help to provide high bandwidth. Field programmable gate arrays (FPGAs) and digital signal processors (DSPs) are usually employed to process OFDM blocks in real time. However, FPGAs and DSPs are not cost effective, and they are difficult to adapt to new standards. One of the most computationally intensive functions in OFDM systems is the fast Fourier transform (FFT) computation process. This paper aims to accelerate the FFT process to achieve high communication throughput in real time. Two parallel approaches are implemented for two different NVIDIA graphics processing unit (GPU) architectures. To obtain the best performance values, several optimizations are implemented. Our general purpose graphics processing unit (GPGPU)-based FFT computation achieves up to 24 Gbps throughput in real time.     

Design and Performance Analysis of a Unified, Reconfigurable HMAC-Hash Unit

Hash functions are important security primitives used for authentication and data integrity. Among the most popular hash functions are MD5, SHA-1, and RIPEMD-160, which are all based on the function MD4. This similarity can be exploited for designing a unified engine to perform all three hash functions. Hash message authentication code (HMAC) is a shared-key security algorithm that uses these hash functions alternatively for IPSec authentication. Since some other security applications, such as digital signature, also use these three hash functions, it is prudent to design a unified, reconfigurable engine that can perform any one of them alone or with HMAC. In this work, we design an HMAC-hash unit that can be reconfigured to perform one of six standard security algorithms; namely, MD5, SHA-1, RIPEMD-160, HMAC-MD5, HMAC-SHA-1, and HMAC-RIPEMD-160. This paper applied pipelining and parallelism to the design of the HMAC-hash unit to improve throughput, especially for large message sizes. We achieved higher throughput than engines that integrated three hash functions or more and comparable throughput to those integrated only two hash functions.     

一种高性能硬件加密引擎阵列架构

该文提出一种高性能硬件加密引擎阵列架构,为大数据应用提供了先进的安全解决方案。该模块架构包括一个高速接口、一个中央管理和监视模块(CMMM)、一组多通道驱动加密引擎阵列,其中CMMM将任务分配给加密引擎,经由专用算法处理后再将数据传回主机。由于接口吞吐量和加密引擎阵列规模会限制模块性能,针对PCIe高速接口,采用MMC/eMMC总线连接构建阵列,发现更多加密引擎集成到系统后,模块性能将会得到提升。为验证该架构,使用55 nm制程工艺完成了一个PCIe Gen2×4接口的ASIC加密卡,测试结果显示其平均吞吐量高达419.23 MB。     

基于Tomcat的SSL VPN网关服务器的设计与实现

随着企业信息化程度的加深,安全套接层虚拟专网(SSLVPN)技术逐渐成为企业用户远程安全接入的重要方式.SSL VPN 网关服务器承担着代理远程客户端访问内部服务器的重要任务,主要实现Web转发功能.着重介绍基于Tomcat的Web转发功能模块的设计与实现.     

基于Tomcat的SSLVPN网关服务器的设计与实现

随着企业信息化程度的加深,安全套接层虚拟专网（SSLVPN）技术逐渐成为企业用户远程安全接入的重要方式。SSLVPN网关服务器承担着代理远程客户端访问内部服务器的重要任务。主要实现Web转发功能。着重介绍基于Tomcat的Web转发功能模块的设计与实现。     

Configuration and Extension of Embedded Processors to Optimize IPSec Protocol Execution

Security protocols, such as IPSec and SSL, are being increasingly deployed in the context of networked embedded systems. The resource-constrained nature of embedded systems and, in particular, the modest capabilities of embedded processors make it challenging to achieve satisfactory performance while executing security protocols. A promising approach for improving performance in embedded systems is to use application-specific instruction set processors that are designed based on configurable and extensible processors. In this paper, we perform a comprehensive performance analysis of the IPSec protocol on a state-of-the-art configurable and extensible embedded processor (Xtensa from Tensilica Inc.). We present performance profiles of a lightweight embedded IPSec implementation running on the Xtensa processor, and examine in detail the various factors that contribute to the processing latencies, including cryptographic and protocol processing. In order to improve the efficiency of IPSec processing on embedded devices, we then study the impact of customizing an embedded processor by synergistically 1) configuring architectural parameters, such as instruction and data cache sizes, processor-memory interface width, write buffers, etc., and 2) extending the base instruction set of the processor using custom instructions for both cryptographic and protocol processing. Our experimental results demonstrate that upto 3.2times speedup in IPSec processing is possible over a popular embedded IPSec software implementation     

星地高速数传系统低复杂度可重构LDPC编码器设计

为满足近地轨道(LEO)卫星星地高速数传系统对高通量、低复杂度、高可靠性信道编码的应用需求,该文提出一种基于国际空间数据系统咨询委员会(CCSDS)近地卫星通信标准低密度奇偶校验(LDPC)码的低复杂度可重构编码器设计实现方案。通过对输入信息比特插0处理和拆分循环矩阵,并分析不同并行度编码的结构特点,实现了可重构编码方案,提高了编码器的灵活性和编码数据吞吐率;采用优化的移位寄存器累加单元,降低了编码器的整体硬件资源规模。在Xilinx FPGA上对提出的编码器进行了实现,结果表明,在125 MHz系统工作时钟下,编码数据吞吐率最高可达1 Gbps,归一化编码数据吞吐率与其它文献并行度相近的编码器相比提高了17.1%,其寄存器资源和查找表资源与相同平台已有方案相比分别降低了13.7%和14.8%。     

一种可重构体系结构用于高速实现DES、3DES和AES

可重构密码芯片提高了密码芯片的安全性和灵活性,具有良好的应用前景.然而目前的可重构密码芯片吞吐率均大大低于专用芯片,因此,如何提高处理速度是可重构密码芯片设计的关键问题.本文分析了常用对称密码算法DES、3DES和AES的可重构性,利用流水线、并行处理和可重构技术,提出了一种可重构体系结构.基于该体系结构实现的DES、3DES和AES吞吐率在110MHz工作频率下分别可达到7Gbps、2.3Gbps和1.4Gbps.与其他同类设计相比,本文设计在处理速度上有较大优势,可以很好地应用到可重构密码芯片设计中.     

Large Antenna Array with Hybrid Beamforming System for 5G Outdoor Mobile Broadband Communication Deployments

Millimeter wave (mmWave) communication requires large antenna arrays to increase the capability of cellular networks of the fifth generation with good beam-forming gains and a substantial reduction in path losses for both transmitting and receiving terminals. As large antenna arrays require one radio frequency chain per antenna element, the fully digital beamforming technique results in high cost and high-power consumption, and it is therefore not feasible. However, in analog solutions, adaptive gain control cannot be used as it reduces the likelihood of advanced processing and contributes to poor efficiency. Hybrid schemes are possible exciting solutions that overcome the deficiencies of pure digital or analog beam forming. The following are the three key contributions of the proposed work: a typical link budget specification for target data rate 3.10 Gbps in downlink and 0.6 Gbps in uplink is provided, micro strip patch antenna with a single element is designed to operate at 28 GHz and then converted into a standard linear array and a Kalman-based hybrid analog/digital precoding is used with a downlink rate of 4.64 Gbps/cell and an uplink rate of 1.84 Gbps/cell in multi-user environments. And the influence of both base station (BS) and 5G User equipment (UEs) beam steering capability is also explored. From the simulation result, it is evident that the proposed work offers a substantial increase in spectral efficiency approximately 9.28 bps/Hz at 20 dB with 10 channel paths.

     

Improved Sliced Message Passing Architecture for High Throughput Decoding of LDPC Codes

This paper presents an architecture for high-throughput decoding of high-rate Low-Density Parity-Check (LDPC) codes. The proposed architecture is a modification of the sliced message passing (SMP) decoding architecture which overlaps the check-node and variable-node update stages, achieving a good tradeoff between area and throughput, and also, high hardware utilization efficiency (HUE). The proposed modification does not affect the performance of the SMP algorithm and yields an area reduction of 33%. As an example, SMP architecture and the proposed modification was synthesized in a 90 nm CMOS process for the 2048-bit LDPC code of the IEEE802.3an standard with 16 iterations achieving a throughput of 5.9 Gbps with 15.3 mm² and 6.2 Gbps with 10.2 mm², respectively.     

基于SafeXcel芯片的IPV6安全模块的设计

讨论将高速密码芯片应用到IPV6安全模块研制中的一种应用方案。方案以SafeXcel系列安全芯片作为加／解密算法模块的内核。给出这种用于增强IPV6路由器安全性的安全模块的结构设计方案和实现方法,该安全模块可以实现对IPV6数据包的实时IPSec保护,大大改进高性能网络中对数据流进行实时加／解密的性能。     

WEB服务安全防护技术发展综述

叙述了采用WEB服务方式实现SOA时的标准和模型，重点描述了WEB服务安全所采用的两大技术体制，给出了几种适用的用户身份鉴别机制，并分析了在传输层采用传统的SSL／TLS、IPSec等安全保密机制的不足之处，提出了在消息层实施加密保护的需求和思路。同时文中列举了国外关于WEB服务安全的相关产品的功能和典型配置情况。最后归纳了WEB服务安全技术发展趋势和几个显著特点。     

mDFA: A Memory Efficient DFA-Based Pattern Matching Engine on FPGA

Security applications such as network intrusion detection system (NIDS) and virus scanning engine utilize pattern matching as an essential mechanism for detecting harmful activities or malicious codes. The increase of pattern set in size and complexity as well as the high demand of scanning data volume make pattern matching task on general purpose processor more challenging. One solution for this issue is employing reconfigurable device, field programmable gate array (FPGA), to offload this time-consuming task. In this paper, we introduce a memory efficient FPGA-based pattern matching architecture. We utilized Deterministic Finite Automata (DFA) as main pattern matching algorithm and propose modifications (mDFA) to reduce redundant logic. The proposed design, with better memory utilization, is capable of dynamic update and compatible to stateful NIDSs and virus scanners. The analysis of memory efficiency and the hardware implementation of proposed architecture are also presented in this paper. We experiment our approach on contemporary NIDS pattern sets and virus signature database and build a prototype using NetFPGA 1G platform to test on real network environment. The results show that our design could save up to 90 % hardware resources as compared to traditional DFA approach and gain a throughput of 1.9 Gbps. The prototype could achieve 2.7–4.5 \(\times \) speed up to software-based matching engine.     

A signal-swing suppressing strategy for power and layout areasavings using time-multiplexed differential data-transfer scheme

This paper presents a signal-swing suppression strategy which uses a time-multiplexed differential data-transfer (TMD) scheme combined with a data-transition detector (DTD) circuit, featuring shared complementary wires, which are originally allocated to adjacent signal bits, respectively. TMD can be exploited to reduce the signal voltage-swing and to realize a charge-recycling bus (CRB) architecture. This enables a dramatic power reduction without the throughput-loss due to time-multiplexing, while maintaining the same number of signal wires compared to a single signal line (SSL) scheme. This is because the differential transfer scheme inherently has a more capability in terms of throughput and noise tolerance compared to SSL. To demonstrate the effectiveness of TMD with DTD and TMD with CRB (TM-CRB), power consumption comparisons were made between SSL, the parallel architecture, TMD with DTD, and TM-CRB. For all measurements, the same throughput conditions were used based on the simulated and measured data of the 0.5 μm CMOS devices. This paper presents why TM-CRB can reduce the power dissipation on heavily loaded bus lines to less than 1/31 and 1/8, with bus activity of 100% and 25%, respectively, while maintaining the same number of signal wires, compared to SSL     

使用SNMPv2配合IPSec或SNMPv3实现安全网络管理

主要讨论的是如何在主干网上为SNMP提供安全性。通过比较SNMPv3内建的安全特性和SNMPv2配合IPSec这两种不同的实现方法,得出:在大型网络上,SNMPv2配合IPSec比SNMPv3在功能和性能上具有更多的优点。最后,提出将这两种实现方案配合使用的方法将更加适合大型主干网上对SNMP设备的管理。     

IEEE802.1AE中GCM的高速硬件实现

该文设计了一种适用于IEEE802.1AE协议的GCM高速硬件结构。GCM的核心模块包括AES和Ghash两部分。该文中Ghash模块采用了一种新型的并行乘加器,可以同时处理多组数据,而不需要预先确定等待处理的分组数据总数;为了支持密钥每个时钟周期不断变化,AES中密钥扩展模块采用了循环展开结构。该文采用二度并行的Ghash模块实现了GCM高速加密电路,使用Fujitsu 0.13 m 1.2 V 1P8M CMOS工艺进行逻辑综合,得到吞吐率为97.9 Gbps,面积为547 k门,时钟频率达到764.5 MHz。     

A Gigabit Link CMOS Analog Interface for High Performance Signaling

In this brief, design of a gigabit link CMOS analog interface composed of a transmitter, a receiver, and clocking circuits is addressed with focus on high-performance signaling in terms of interference and jitter. The low-cost, low-power interface is targeted at parallel link applications. The transmitter adopts one-tap preemphasis to mitigate the intersymbol interference (ISI) problem. The receiver samples two adjacent bits and stores the difference of them to a capacitor, so it is more immune to timing uncertainties caused by nonideal sampling clocks and it is dependent only on the direction or difference of two consecutive bits, not on the absolute values of them. With these circuits, robust clocking circuits to multiplex and demultiplex the data on the transmit and receive side, respectively, are designed. Pseudo-differential-type delay elements are used in the oscillator and delay line to enable high power supply rejection ratio and low jitter. The delay locked loop (DLL) is designed to prevent harmonic locking. The transceiver performance is tested at 1 Gbps and 2 Gbps for double and quadruple interleaving, respectively. The maximum operating speed is about 1.7 Gbps for double interleaving and about 3 Gbps for the quadruple-interleaving receiver under a 3.3 V, 0.35 μm CMOS process. Sungkyung Park Large Scale SoC Research Department, Electronics and Telecommunications Research Institute(ETRI), 161 Gajeong-dong, Yuseong-gu, Daejeon 305–350, Korea (fitzgerald1971@yahoo.com) Sungkyung Park received B.S. (with highest honors) and M.S. degrees from Seoul National University, Korea, in 1995 and 1997, respectively. He received a Ph.D. degree in CMOS IC design from Seoul National University, Korea, in 2002. During the military service, from 2002 to Sep. 2004, he was with the Telecommunication Network, Samsung Electronics, Inc., Korea, as a Senior Engineer, where he was engaged in developing cdma 2000 system-level simulators. From Oct. 2004 until now, he has been with the Large Scale SoC Research Department, Electronics and Telecommunications Research Institute (ETRI), Korea, as a Senior Researcher. His research interests cover high-speed analog and mixed-mode CMOS IC design including RF CMOS IC design, data converter design, and issues in wireless/wireline communication SoC/NoC.