Intel® IXP400 Software

Access-Layer Components: Security (IxCryptoAcc) API

4. The NPE will read the descriptor on the Crypto Request Queue and perform the encryption/decryption/authentication operations, as defined in the CCD for the submitted crypto context. The NPE will also insert or verify the WEP ICV integrity check value.

5. The NPE writes the resulting data to the destination IX_MBUF in SDRAM. This may be the same IX_MBUF in which the original source data was located, if the crypto context defined in-place operations. The NPE will then enqueue a descriptor onto the WEP Complete Queue to alert the IxCryptoAcc component that the perform operation is complete.

6. If the ixCryptoAccNpeWepPerform() function was executed in Step 2, IxCryptoAcc will call the registered Perform Complete callback function. Otherwise the client will need to initiate any callback-type actions itself.

7.6 SSL and TLS Protocol Usage Models

SSL version 3 and TLS version 1 protocol clients can use several features provided by the IPSec and WEP services, described in earlier sections of this chapter. SSL and TLS are similar in many ways. The primary difference related to the IxCryptoAcc API is that TLS uses the HMAC (RFC 2104) hashing method for record protocol authentication. SSLv3 uses a keyed hashing mechanism for MAC generation that is similar, but not identical, to the HMAC specification.

Authentication

SSL does not use the HMAC method of MAC generation that is provided with the IxCryptoAcc ixCryptoAccAuthCryptPerform() function. An SSL client can instead use ixCryptoAccHashPerform() for basic SHA-1 or MD-5 hashing capabilities, as part of its MAC calculation activities. Refer to “ixCryptoAccHashKeyGenerate()” on page 95.

TLS clients may use the ixCryptoAccAuthCryptPerform() function for authentication calculation or verification crypto contexts.
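The difference described above, as an added example that is not from the Intel guide or the IXP400 software: the SSLv3 record MAC (RFC 6101) and the TLS 1.0 record MAC (RFC 2246), each written out as two plain hash passes of the kind an SSL client would build on a hash-only service. It uses Python's hashlib in place of the NPE hash engine; the function names and sample values are illustrative assumptions.

```python
import hashlib
import hmac
import struct

# Pad lengths from the SSLv3 specification (RFC 6101): 48 bytes for MD5, 40 for SHA-1.
SSL3_PAD_LEN = {"md5": 48, "sha1": 40}


def ssl3_mac(hash_name, secret, seq_num, rec_type, fragment):
    """SSLv3 record MAC built from two plain hash passes (no HMAC)."""
    n = SSL3_PAD_LEN[hash_name]
    pad1, pad2 = b"\x36" * n, b"\x5c" * n
    # SSLv3 covers seq_num, type and length; the protocol version is not included.
    header = struct.pack(">QBH", seq_num, rec_type, len(fragment))
    inner = hashlib.new(hash_name, secret + pad1 + header + fragment).digest()
    return hashlib.new(hash_name, secret + pad2 + inner).digest()


def hmac_from_hash(hash_name, key, msg):
    """RFC 2104 HMAC written out with the same two hash passes, for comparison."""
    block = hashlib.new(hash_name).block_size  # 64 bytes for MD5 and SHA-1
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)  # key is XORed into the pad, not concatenated
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def tls1_mac(hash_name, secret, seq_num, rec_type, version, fragment):
    """TLS 1.0 record MAC (RFC 2246): HMAC over seq_num, type, version, length, data."""
    header = struct.pack(">QB2sH", seq_num, rec_type, version, len(fragment))
    return hmac_from_hash(hash_name, secret, header + fragment)


def verify(expected, received):
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real session.
    secret = bytes(range(20))
    frag = b"constructed application data"
    s = ssl3_mac("sha1", secret, 1, 23, frag)
    t = tls1_mac("sha1", secret, 1, 23, b"\x03\x01", frag)
    print("SSLv3:", s.hex(), "TLS1:", t.hex(), "equal:", verify(s, t))
```

The two MACs differ for the same secret and record, which is why an HMAC-only service cannot produce the SSLv3 value and the client has to assemble it from hash calls.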

Encryption/Decryption

Both protocols can take advantage of DES-CBC and 3DES-CBC encryption. The CipherSpec value of DES_EDE_CBC in the SSL and TLS protocols refers to the 3DES-CBC operation mode. Both types of clients may use the ixCryptoAccAuthCryptPerform() function for encrypt-only or decrypt-only contexts.

ARC4 Stream Cipher

SSL and TLS clients may use the ARC4 cipher capabilities of the ixCryptoAccNpeWepPerform() and ixCryptoAccXscaleWepPerform() functions. Note that only 128-bit key strength is supported for contexts that do not use WEP-CRC calculation.

Combined Mode Operations

One fundamental difference between the SSL/TLS protocols and IPSec operations lies in the order of the authentication and encryption/decryption operations. SSL and TLS protocols generate the MAC prior to encryption (and verify the authentication code after decrypting the message). The IPSec ESP protocol generates its HMAC-based Integrity Check Value (ICV) on the encrypted IP packet payload (and verifies the ICV before decrypting the packet payload).

April 2005

IXP400 Software Version 2.0

Programmer’s Guide

110

Document Number: 252539, Revision: 007
