Filter
Top Products
Intel
®
IXP400 Software
Access-Layer Components: Security (IxCryptoAcc) API
Programmer’s Guide IXP400 Software Version 2.0 April 2005
Document Number: 252539, Revision: 007 103
4. The NPE will read the descriptor on the Crypto Ready Queue and performs the encryption/
decryption/authentication operations, as defined in the CCD for the submitted crypto context.
The NPE inserts the Integrity Checksum Value (ICV) for a forward-authentication operation
and verifies the ICV for a reverse-authentication operation.
5. The NPE writes the resulting data to the destination IX_OSAL_MBUF in SDRAM. This may
be the same IX_OSAL_MBUF in which the original source data was located, if the crypto
context defined in-place operations. The NPE will then enqueue a descriptor onto the Crypto
Complete Queue to alert the IxCryptoAcc component that the perform operation is complete.
6. IxCryptoAcc will call the registered Perform Complete callback function.
7.4.5 Special API Use Cases
7.4.5.1 HMAC with Key Size Greater Than 64 Bytes
As specified in the RFC 2104, the authentication key used in HMAC operation must be at least of
L bytes length, where L = 20 bytes for SHA1 or L = 16 bytes for MD5. Authentication key with a
key length greater than or equal to ‘L’ and less than or equal to 64 bytes can be used directly in
HMAC authentication operation. No further hashing of authentication key is needed. Thus the
authentication key can be used directly in crypto context registration.
However, authentication key with key length greater than 64 bytes must be hashed to become
L bytes of key size before it can be used in HMAC authentication operation. The authentication
key must be hashed before calling crypto context registration API as shown in steps below:
a. Call ixCryptoAccHashKeyGenerate() function and pass in the original authentication key
using an IX_MBUF. Also, you will need to register a callback function for when this opera-
tion is complete.
b. Wait for callback from IxCryptoAcc.
c. Copy generated authentication key from IX_MBUF into a cryptographic context structure
(IxCryptoAccCtx) and call ixCryptoAccCtxRegister() to register the crypto context for this
HMAC operation.
7.4.5.2 Performing CCM (AES CTR-Mode Encryption and AES
CBC-MAC Authentication) for IPSec
A generic CCM cipher is not supported in the IXP400 software. However, it is possible to perform
AES-CCM operations in an IPSec-application style. Single-pass AES-CCM is supported for WEP
Services only, as documented in “Counter-Mode Encryption with CBC-MAC Authentication
(CCM) for CCMP in 802.11i” on page 112.
The overall strategy to accomplish the AES-CCM request involves two operations. The first
operation does the AES-CBC operation to get the CBC-MAC. The second operation is to perform
a AES-CTR encryption operation to encrypt the payload and create the CBC-MAC to get the MIC.
Two crypto contexts are registered and two crypto perform service requests are invoked in order to
complete the encryption and authentication for a packet.
Figure 37 on page 104 and Figure 38 on page 104 show the steps needed to encrypt and
authenticate a packet in general by using CCM mode. Those steps are:
1. Use AES CBC-MAC to compute a MIC on plaintext header, and payload.
The last cipher block from this operation will become MIC.