Based On High-speed Cryptographic Chip Ipv6 Router Security Module Design And Realization

With the degree of depending on network being more serious, the security of network information becomes more important. It makes people to find many ways to protect network information. At present, we commonly use the IPSec protocol to protect network information. IPSec is realized by software mostly in today. However, because the large resource of CPU is tied up by authentication and encryption arithmetic computing, the implementation way of IPSec by software will make system performance descend and the bandwidth of network decrease. Few security products perform the IPSec function by hardware, but the processing speed is only several hundred millions bits per second. This is because there is no high performance specialized cipher chip to support the large amount of authentication and encryption arithmetic computing.In 2004, National Digital Switching System Engineering & Technological Center (NDSC) and Beijing Duosi Science and Technology Park Co. Ltd together developed two types of chips(one type is SSXII-B-01 (support the SHA-1, MD5 and 3DES arithmetic), and another type is SSXII-B-03 (support the RIJNDAEL arithmetic))and have done tests for them. The tests results show that the SSXII series chips can meet the design requirement and are very suitable to encrypt the data stream in high performance network.In order to put the types of cipher chips into facility as soon as possible, this paper discusses an applicable resolution of the SSXII series cipher chips. To be specific, we design a security module for the IPV6 router developed by NDSC. This module takes the high speed specialized cipher chip as encrypt/decrypt arithmetic module and process data with the IPSec protocol under FPGA control.The main research contents of this thesis are: The general configuration design of the security module in IPV6 router based on the SSXII series high speed cipher chip. The design and implementation scheme of FPGA in the security module. The hardware design of security policy database (SPD) and security association database (SAD) which are suitable for fast lookup.