Media Speed Encryption Using Network Processors
Original Publication Date: 2001-May-01
Included in the Prior Art Database: 2003-Jun-20
Invention: Disclosed is a technique for providing media speed encryption/decryption above 100 Mbps utilizing Network Processor technology. This is accomplished by using the Network Processor's inherent high-speed processing (typically >1 Gbps), coupled in some cases with a specialized embedded coprocessor. Where a specialized embedded coprocessor is required, an encryption/decryption hardware assist engine is added to each protocol processor in the Network Processor to enable the encryption and decryption of network traffic at high data rates, with maximum speeds in excess of 1 Gbps. Using this approach, a Network Processor could encrypt or decrypt a single packet via multiple, parallel operations. Likewise, the Network Processor could encrypt or decrypt multiple packets simultaneously.
Description of Invention: This technique teaches a method to perform encryption/decryption on a Network Processor at high speeds instead of on a separate processor(s) or hardware. The Network Processor consists of a plurality of programmable protocol processors, with each protocol processor having direct access to one or more of the internal hardware assist coprocessors. For this purpose, the Network Processor is equipped with encryption assists, including special-purpose embedded hardware "coprocessor" support along with assembler-level software support that enables the programmable protocol processors within the Network Processor to encrypt or decrypt portions of a data packet in parallel.
A packet to be encrypted is first passed to the Network Processor, which in turn segments the packet into multiple fixed-length segments (e.g., 32 bytes). Each segment is passed to a protocol processor with encryption capability, resulting in the execution of multiple encryption operations in parallel (e.g., one operation for each 32-byte segment). The encrypted segments of the packet are reassembled within the Network Processor memory to form the complete packet for transmission.
A packet to be decrypted is first passed to the Network Processor, which in turn segments the packet into multiple fixed-length segments (e.g., 32 bytes) so that the reverse process can be executed. Again, each segment is passed to a protocol processor with decryption capability, with the decryption process being executed in parallel on multiple segments simultaneously. The decrypted segments are reassembled within the Network Processor memory to form the complete packet.
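
The segment, process-in-parallel and reassemble flow described above for both encryption and decryption, as an added Python example that is not part of the original disclosure. The disclosure names no cipher or mode, so the HMAC-SHA256 counter keystream standing in for the hardware assist engine, the thread pool standing in for the protocol processors, and all function names are assumptions.

```python
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

SEGMENT_LEN = 32  # fixed segment length given as the example in the disclosure


def segment(packet: bytes) -> list:
    """Split a packet into fixed-length segments; the last one may be short."""
    return [packet[i:i + SEGMENT_LEN] for i in range(0, len(packet), SEGMENT_LEN)]


def keystream(key: bytes, nonce: bytes, index: int) -> bytes:
    """Assumed stand-in for the coprocessor: 32 keystream bytes per segment index."""
    return hmac.new(key, nonce + index.to_bytes(8, "big"), hashlib.sha256).digest()


def process_segment(key: bytes, nonce: bytes, index: int, data: bytes):
    """Work done by one protocol processor. XOR makes encrypt and decrypt identical."""
    ks = keystream(key, nonce, index)
    return index, bytes(a ^ b for a, b in zip(data, ks))


def process_packet(key: bytes, nonce: bytes, packet: bytes, workers: int = 4) -> bytes:
    """Segment the packet, process segments in parallel, reassemble by index."""
    segments = segment(packet)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(process_segment, key, nonce, i, s)
                   for i, s in enumerate(segments)]
        results = dict(f.result() for f in futures)
    # Reassembly uses the segment index, not completion order.
    return b"".join(results[i] for i in range(len(segments)))


if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed sample value
    nonce = b"packet-0001"               # constructed; must be unique per packet
    packet = bytes(range(100))           # constructed 100-byte payload: 32+32+32+4
    ciphertext = process_packet(key, nonce, packet)
    print(len(segment(packet)), "segments,", len(ciphertext), "bytes out")
    print("round trip ok:", process_packet(key, nonce, ciphertext) == packet)
```

Because each segment's keystream depends only on the key, nonce and segment index, segments can complete in any order and identical plaintext segments do not yield identical ciphertext. The nonce must never repeat under one key, and this sketch provides no integrity protection.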