Intel® IXP400 Software
Access-Layer Components: Security (IxCryptoAcc) API
April 2005 IXP400 Software Version 2.0 Programmer’s Guide
110 Document Number: 252539, Revision: 007
4. The NPE reads the descriptor from the Crypto Request Queue and performs the encryption/
decryption/authentication operations defined in the CCD for the submitted crypto context.
For WEP contexts the NPE also inserts or verifies the WEP ICV (integrity check value).
5. The NPE writes the resulting data to the destination IX_MBUF in SDRAM. This may be the
same IX_MBUF in which the original source data was located, if the crypto context defined
in-place operations. The NPE will then enqueue a descriptor onto the WEP Complete Queue to
alert the IxCryptoAcc component that the perform operation is complete.
6. If ixCryptoAccNpeWepPerform() was called in Step 2, IxCryptoAcc calls the registered
Perform Complete callback function. Otherwise the client must initiate any callback-type
actions itself.
7.6 SSL and TLS Protocol Usage Models
SSL version 3 and TLS version 1 protocol clients can use several of the features provided by the
IPSec and WEP services described earlier in this chapter. SSL and TLS are similar in many
ways. The primary difference relevant to the IxCryptoAcc API is that TLS uses HMAC (RFC
2104) for record protocol authentication, whereas SSLv3 uses a keyed hashing mechanism for
MAC generation that is similar to, but not identical to, the HMAC specification.
Authentication
SSL does not use the HMAC method of MAC generation that the IxCryptoAcc
ixCryptoAccAuthCryptPerform() function provides. An SSL client can instead use
ixCryptoAccHashPerform() for basic SHA-1 or MD-5 hashing as part of its MAC
calculation. Refer to “ixCryptoAccHashKeyGenerate()” on page 95.
TLS clients may use the ixCryptoAccAuthCryptPerform() function for authentication calculation
or verification crypto contexts.
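The two MAC constructions contrasted above, as an added example that is not code from the IXP400 release or from Intel: the SSLv3 keyed hash built from two plain digests (the role ixCryptoAccHashPerform() plays on this page) beside the TLS 1.0 HMAC. hash_perform() is a local stand-in for that raw-digest service, the pad sizes and header layout follow RFC 6101 section 5.2.3.1 and RFC 2246 section 6.2.3.1, and the secrets and record contents used with it are constructed data.

```python
"""SSLv3 record MAC versus TLS 1.0 record MAC, built from plain hash calls.

Added example, not IXP400 / IxCryptoAcc code: it shows why an SSLv3 client
only needs raw MD5 / SHA-1 digests while a TLS client can use a real HMAC
(RFC 2104). Pads and field layouts follow RFC 6101 s5.2.3.1 and RFC 2246
s6.2.3.1. hash_perform() is a stand-in for the raw-digest service; all keys
and record contents are constructed data.
"""
import hashlib
import hmac
import struct

# SSLv3 pads 0x36 / 0x5c, repeated 48 times for MD5 and 40 times for SHA-1.
SSL3_PAD_LEN = {"md5": 48, "sha1": 40}


def hash_perform(hash_name: str, data: bytes) -> bytes:
    """Plain (unkeyed) digest: the only primitive SSLv3 MAC generation needs."""
    return hashlib.new(hash_name, data).digest()


def ssl3_mac(secret: bytes, seq_num: int, content_type: int,
             fragment: bytes, hash_name: str = "sha1") -> bytes:
    """SSLv3: hash(secret + pad_2 + hash(secret + pad_1 + seq + type + len + data)).

    The secret is concatenated with the pad rather than XORed into a full
    hash block as HMAC does, which is what makes this 'similar to but not
    identical to' HMAC.
    """
    if hash_name not in SSL3_PAD_LEN:
        raise ValueError("SSLv3 defines MACs only for md5 and sha1")
    n = SSL3_PAD_LEN[hash_name]
    pad_1, pad_2 = b"\x36" * n, b"\x5c" * n
    # 64-bit sequence number, 1-byte content type, 2-byte fragment length.
    header = struct.pack(">QBH", seq_num, content_type, len(fragment))
    inner = hash_perform(hash_name, secret + pad_1 + header + fragment)
    return hash_perform(hash_name, secret + pad_2 + inner)


def tls10_mac(secret: bytes, seq_num: int, content_type: int,
              fragment: bytes, hash_name: str = "sha1") -> bytes:
    """TLS 1.0: HMAC_hash(secret, seq + type + version + len + data), version (3, 1)."""
    header = struct.pack(">QBBBH", seq_num, content_type, 3, 1, len(fragment))
    return hmac.new(secret, header + fragment, hash_name).digest()


def mac_matches(expected: bytes, received: bytes) -> bool:
    """Receiver-side check; the constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(expected, received)
```

The SSLv3 form cannot be produced by an HMAC-mode context because the secret is concatenated with the pad instead of being XORed into a full hash block; that is the reason the page sends SSL clients to the plain hash service. Both MAC functions bind the record sequence number, which is what stops replay and reordering of records within a connection.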
Encryption/Decryption
Both protocols can take advantage of DES-CBC and 3DES-CBC encryption. The CipherSpec
value of DES_EDE_CBC in the SSL and TLS protocols refers to the 3DES-CBC operation mode.
Both types of clients may use the ixCryptoAccAuthCryptPerform() function for encrypt-only or
decrypt-only contexts.
ARC4 Stream Cipher
SSL and TLS clients may use the ARC4 cipher capabilities of the ixCryptoAccNpeWepPerform()
and ixCryptoAccXscaleWepPerform() functions. Note that only 128-bit key strength is supported
for contexts that do not use WEP-CRC calculation.
Combined Mode Operations
One fundamental difference between the SSL/TLS protocols and IPSec lies in the order of the
authentication and encryption/decryption operations. SSL and TLS generate the MAC over the
plaintext before encryption (and verify the MAC after decrypting the record). The IPSec ESP
protocol generates its HMAC-based Integrity Check Value (ICV) over the encrypted IP packet
payload (and verifies the ICV before decrypting the packet payload).
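An added example, not IXP400 or IxCryptoAcc code, covering the WEP ICV insert/verify of Step 4 above, the ARC4 usage of this section, and the ordering difference just described: one ARC4 implementation is used to build a WEP-style record (CRC ICV, then encrypt), an SSL/TLS-style record (MAC, then encrypt; decrypt before verify) and an ESP-style record (encrypt, then ICV; verify before decrypt). The framings are simplified (no IVs, sequence numbers or headers; ARC4 stands in for the ESP block cipher only so all three cases share one primitive; full-length HMAC-SHA-1 rather than the 96-bit truncation ESP uses), and the ICV byte order, the keys and the data are constructed assumptions of this example.

```python
"""Where the integrity check sits relative to the cipher in WEP, SSL/TLS and
IPsec ESP, shown on one ARC4 keystream.

Added example, not IXP400 / IxCryptoAcc code. Framings are deliberately
simplified: no IVs, key mixing, sequence numbers or headers; a full 20-byte
HMAC-SHA-1 instead of ESP's 96-bit truncation; ARC4 stands in for ESP's block
cipher only so the three cases share one primitive. ICV byte order and all
keys/data are constructed for this example.
"""
import hmac
import zlib
from typing import Optional

MAC_LEN = 20  # HMAC-SHA-1 output length


def arc4(key: bytes, data: bytes) -> bytes:
    """ARC4: key scheduling, then XOR the data with the generated keystream.
    Decryption is the same call (stream cipher)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("ARC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                         # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                            # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc_icv(data: bytes) -> bytes:
    """WEP ICV: plain CRC-32, no key. Little-endian is an assumption of this example."""
    return zlib.crc32(data).to_bytes(4, "little")


# WEP: ICV appended to the plaintext, then plaintext + ICV is ARC4-encrypted.
def wep_seal(key: bytes, plaintext: bytes) -> bytes:
    return arc4(key, plaintext + crc_icv(plaintext))


def wep_open(key: bytes, record: bytes) -> Optional[bytes]:
    clear = arc4(key, record)
    body, icv = clear[:-4], clear[-4:]
    return body if crc_icv(body) == icv else None


def wep_forge(record: bytes, delta: bytes) -> bytes:
    """Why a CRC ICV gives no integrity: CRC-32 is affine over GF(2), so
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), and the ARC4 XOR lets an
    attacker apply both corrections to the ciphertext without the key."""
    body_len = len(record) - 4
    if len(delta) > body_len:
        raise ValueError("delta longer than the record body")
    delta = delta.ljust(body_len, b"\x00")
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(body_len))
    patch = delta + icv_delta.to_bytes(4, "little")
    return bytes(r ^ p for r, p in zip(record, patch))


# SSL/TLS: MAC over the plaintext is appended, then plaintext + MAC is
# encrypted (MAC-then-encrypt). The receiver must decrypt before it can verify.
def tls_style_seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    mac = hmac.new(mac_key, plaintext, "sha1").digest()
    return arc4(enc_key, plaintext + mac)


def tls_style_open(enc_key: bytes, mac_key: bytes, record: bytes) -> Optional[bytes]:
    clear = arc4(enc_key, record)                # decrypt first ...
    body, mac = clear[:-MAC_LEN], clear[-MAC_LEN:]
    expected = hmac.new(mac_key, body, "sha1").digest()
    return body if hmac.compare_digest(expected, mac) else None   # ... verify second


# IPsec ESP: payload is encrypted first, then the ICV (HMAC) is computed over
# the ciphertext (encrypt-then-MAC). The receiver verifies before decrypting.
def esp_style_seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    ct = arc4(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, "sha1").digest()


def esp_style_open(enc_key: bytes, mac_key: bytes, record: bytes) -> Optional[bytes]:
    ct, icv = record[:-MAC_LEN], record[-MAC_LEN:]
    expected = hmac.new(mac_key, ct, "sha1").digest()
    if not hmac.compare_digest(expected, icv):
        return None                              # rejected before the cipher ever runs
    return arc4(enc_key, ct)
```

wep_forge() is the practical reason the WEP ICV must not be mistaken for a MAC: because CRC-32 is affine and ARC4 is a plain XOR, an attacker who flips bits in the ciphertext can fix up the encrypted ICV without the key, while the same byte flip on either HMAC-protected framing is rejected. The ESP order additionally lets a receiver discard a forged packet before running the cipher at all, which is why IPSec verifies first.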