Design And Implementation Of IPSec Security Chip

Internet Protocol Security (IPSec) is widely used to prevent the networks from attacks and intrusions.Software-based implementation of the IPSec Protocol can be very sophisticated, because it will take a great lot of time to perform complicated cryptological algorithms. These result in the performance issue. At present, some hardware-based implementation of IPSec can not satisfy the demands of maximum operation frequency, high speed (throughput), chip area and power dissipation.In this dissertation, a chip-based method of designing and implementing IPSec protocol is researched which is applied to network interface card.Firstly, the security architecture of IPSec is analyzed, emphasized on Authentication Header, Encapsulation Security Payload and processing for incoming or outgoing packets. Furthermore, the improvements of work modes and seurity protocols are studried. The new IPSec architecture has enough agility to adapt to user different requirements. A scheme of implementing IPSec security chip which is FPGA based is presented including its whole architecture. And then a scheme to testing and validating all designs is designed.Secondly, to fulfill functions which include data and identity integrity, SHA-2 algorithm that is improved from four aspects has higher security and operation speed. Implemation of SHA-384 and SHA-512 on single-chip using EP20K200EFC484-2x chip is presented in detail. And then synthesis, timing simulation and validation with testing scheme mentioned above are made. Experiment result and samples are given to support designs' validity and rationality. The maximal managing speed can attain 469.69Mbps and can achieved goals expected. HMAC-SHA-2 is implemented and present synthesis, timing simulation. The minimum speed can attain 252.48Mbps and the managing speed can attain 503.98Mbps when IP package is in maximal length.Thirdly, based on existing optimized techniques, taking into account various performance targets, research new four techniques of reduced word length, combined unrolled-pipelined, output module optimized and parallel counters.