Intel® IXP400 Software

Access-Layer Components: Security (IxCryptoAcc) API

4.The NPE will read the descriptor on the Crypto Ready Queue and performs the encryption/ decryption/authentication operations, as defined in the CCD for the submitted crypto context. The NPE inserts the Integrity Checksum Value (ICV) for a forward-authentication operation and verifies the ICV for a reverse-authentication operation.

5.The NPE writes the resulting data to the destination IX_OSAL_MBUF in SDRAM. This may be the same IX_OSAL_MBUF in which the original source data was located, if the crypto context defined in-place operations. The NPE will then enqueue a descriptor onto the Crypto Complete Queue to alert the IxCryptoAcc component that the perform operation is complete.

6.IxCryptoAcc will call the registered Perform Complete callback function.

7.4.5Special API Use Cases

7.4.5.1HMAC with Key Size Greater Than 64 Bytes

As specified in the RFC 2104, the authentication key used in HMAC operation must be at least of L bytes length, where L = 20 bytes for SHA1 or L = 16 bytes for MD5. Authentication key with a key length greater than or equal to ‘L’ and less than or equal to 64 bytes can be used directly in HMAC authentication operation. No further hashing of authentication key is needed. Thus the authentication key can be used directly in crypto context registration.

However, authentication key with key length greater than 64 bytes must be hashed to become L bytes of key size before it can be used in HMAC authentication operation. The authentication key must be hashed before calling crypto context registration API as shown in steps below:

a.Call ixCryptoAccHashKeyGenerate() function and pass in the original authentication key using an IX_MBUF. Also, you will need to register a callback function for when this opera- tion is complete.

b.Wait for callback from IxCryptoAcc.

c.Copy generated authentication key from IX_MBUF into a cryptographic context structure (IxCryptoAccCtx) and call ixCryptoAccCtxRegister() to register the crypto context for this HMAC operation.

7.4.5.2Performing CCM (AES CTR-Mode Encryption and AES CBC-MAC Authentication) for IPSec

A generic CCM cipher is not supported in the IXP400 software. However, it is possible to perform AES-CCM operations in an IPSec-application style. Single-pass AES-CCM is supported for WEP Services only, as documented in “Counter-Mode Encryption with CBC-MAC Authentication (CCM) for CCMP in 802.11i” on page 112.

The overall strategy to accomplish the AES-CCM request involves two operations. The first operation does the AES-CBC operation to get the CBC-MAC. The second operation is to perform

aAES-CTR encryption operation to encrypt the payload and create the CBC-MAC to get the MIC. Two crypto contexts are registered and two crypto perform service requests are invoked in order to complete the encryption and authentication for a packet.

Figure 37 on page 104 and Figure 38 on page 104 show the steps needed to encrypt and authenticate a packet in general by using CCM mode. Those steps are:

1.Use AES CBC-MAC to compute a MIC on plaintext header, and payload. The last cipher block from this operation will become MIC.

Programmer’s Guide

IXP400 Software Version 2.0

April 2005

 

Document Number: 252539, Revision: 007

103

Page 103
Image 103
Intel IXP400 manual Special API Use Cases, Hmac with Key Size Greater Than 64 Bytes