MOTOROLA MPC180TS

Advance Information
MPC180TS/D
Rev. 0.1, 2/2003
MPC180 Security Processor
Technical Summary
This document provides an overview of the MPC180 security processor, including a brief
development history, target applications, key features, typical system architecture, as well as
an MPC180 architectural overview.
1 Development History
The MPC180 is the first in the Smart Networks platform’s S1 family of security processors
developed for the commercial networking market. It is derived from security technologies
Motorola has developed over the past 30 years, primarily for government applications. The
third-generation execution units (EUs) in the MPC180 have been previously used in products
for wireless base stations and secure wire-line communication.
2 Typical Applications
The MPC180 is suited for applications such as the following:
•
•
•
•
•
•
•
•
SOHO and low-end routers
xDSL access equipment
ISDN access equipment
Wireless base stations
Broadband access
WAP gateways
DSLAMS
Customer premise equipment (CPE)
3 Features
The MPC180 is a flexible and powerful addition to any networking system currently using
Motorola’s MPC8xx or MPC826x family of PowerQUICC™ communication processors. The
MPC180 is designed to off-load computationally intensive security functions such as key
generation and exchange, authentication, and bulk data encryption.
The MPC180 is optimized to process all of the algorithms associated with IPSec, IKE,
WTLS/WAP and SSL/TLS. In addition, the MPC180 is the only security processor on the
market capable of executing the elliptic curve cryptography that is especially important for secure wireless
communications.
MPC180 features include the following:
•
•
•
•
•
•
•
•
•
•
•
•
Public key execution unit (PKEU), which supports the following:
— RSA and Diffie-Hellman
– Programmable field size 80- to 2048-bits
– 1024-bit signature time of 32ms
– 10 IKE handshakes/second
— Elliptic Curve operations in either F 2 m or F p
– Programmable field size from 55- to 511-bits
– 155-bit signature time of 11ms
– 30 IKE handshakes/second
Data encryption standard execution units (DEUs)
— DES and 3DES algorithm acceleration
– Two key (K1, K2, K1) or Three key (K1, K2, K3)
— ECB and CBC modes for both DES and 3DES
— 15 Mbps 3DES-HMAC-SHA-1 (memory to memory)
Message authentication unit (MAU)
— SHA-1 with 160-bit message digest
— MD5 with 128-bit message digest
— HMAC with either algorithm
ARC four execution unit (AFEU)
— Implements a stream cipher compatible with the RC4 algorithm
— 40- to 128-bit programmable key
— 20 Mbps ARC Four performance (memory to memory)
Random Number Generator (RNG)
— Supplies up to 160 bit strings at up to 5 Mbps data rate
Input Buffer (4kbits)
Output Buffer (4kbits)
Glueless interface to MPC8xx system or MPC826x local bus (50MHz and 66MHz operation)
DMA hardware handshaking signals for use with the MPC826x
1.8v Vdd, 3.3v I/O
100pin LQFP package
HIP4 0.25µm process
4 Typical System Architecture
The MPC180 works well in most load/store, memory-mapped systems. An external processor may execute
application code from its ROM and RAM, using RAM and optional non-volatile memory (such as
EEPROM) for data storage. Figure 4-1 shows an example of the MPC180 in an MPC8xx system, and
Figure 4-2 shows the MPC180 connected to the local bus of the MPC826x. In these examples, the MPC180
2
MPC180 Security Processor Technical Summary
MOTOROLA
resides in the memory map of the processor; therefore, when an application requires cryptographic
functions, it reads and writes to the appropriate memory location in the security processor.
EEPROM
MPC180
MPC860
System Bus
SDRAM
I/O or Network
Interface
Figure 4-1. MPC8xx System Example
MPC180
EEPROM
60x Bus
MPC8260
Local Bus
SDRAM
DIMMs
SDRAM
SDRAM
I/O or Network
Interface
Figure 4-2. MPC826x System Example
5 Architectural Overview
The MPC180 has a slave interface to the MPC8xx system bus and MPC8260 local bus and maps into the
host processor’s memory space. Each encryption algorithm is mapped to a unique address space. To perform
encryption operations, the host reads and writes to the MPC180 to setup the execution unit and, then,
transfers data to the execution unit directly or through the external bus interface.
In FIFO mode, the MPC180 accepts data into the 4-Kbit input buffer and returns burst data through the
output buffer. In this way, the host can automatically transfer bulk data through a given EU. This minimizes
host management overhead and increases overall system throughput. Once the host configures the external
bus interface (EBI), it receives an interrupt only after all data has been transferred or processed by the
MPC180.
MOTOROLA
MPC180 Security Processor Technical Summary
3
Public Key Execution Unit (PKEU)
DMA Request
8xx/6xx
I/F
(Slave)
DMA Request
INPUT
4K bit
FIFO
DMA
Logic
RSA
ECC
SHA-1
MD 5
DES/
3DES
ARC4
RNG
Controller
OUTPUT
4K bit
FIFO
DMA
Logic
Figure 5-1. MPC180 Block Diagram
The interrupt controller organizes hardware interrupts coming from individual EUs into a single maskable
interrupt, IRQ_B, for the host processor. Multiple internal interrupt sources are logically ORed to create a
single, non-prioritized interrupt for the host processor. The controller lets the host read the unmasked
interrupt source status as well as the request status of masked interrupt sources, thereby indicating whether
a given unmasked interrupt source will generate an interrupt request to the host processor.
6 Execution Units (EU)
The execution units (EU) are the actual processing engines that implement the most common industry
algorithms for cryptographic processing. The MPC180 has five execution units, each described below.
6.1 Public Key Execution Unit (PKEU)
The PKEU is capable of performing many advanced mathematical functions to support RSA and
Diffie-Hellman as well as ECC in both F 2 m (polynomial-basis) and F p. The accelerator supports all levels
of functions to assist the host microprocessor in performing its desired cryptographic function. For example,
at the highest level, the accelerator performs modular exponentiations to support RSA and point multiplies
to support ECC. At lower levels, the PKEU can perform simple operations such as modular multiplies.
6.2 Data Encryption Standard Execution Unit (DEU)
The DEU is used for bulk data encryption. It can also execute the Triple-DES algorithm, which is based on
DES. The host processor supplies data to the DEU as input, and this data is encrypted and made available
for reading. The session key is input to the DEU prior to encryption. The DEU computes the data encryption
standard algorithm (ANSI X3.92) for bulk data encryption and decryption.
DES is a block cipher that uses a 56-bit key to encrypt 64-bit blocks of data, one block at a time. DES is a
symmetric algorithm; therefore, each of the two communicating parties share the same 56-bit key. DES
processing begins after this shared session key is agreed upon. The message to be encrypted (typically plain
text) is partitioned into n sets of 64-bit blocks. Each block is processed, in turn, by the DES engine,
4
MPC180 Security Processor Technical Summary
MOTOROLA
Public Key Execution Unit (PKEU)
producing n sets of encrypted (ciphertext) blocks. Decryption is handled in the reverse manner. The
ciphertext blocks are processed one at a time by a DES module in the recipient’s system. The same key is
used, and the DEU manages the key processing internally so that the plaintext blocks are recovered.
The DES/3DES execution unit supports the following modes:
•
•
ECB (electronic code book)
CBC (cipher block chaining)
In addition to these modes, the DEU can compute Triple-DES. Triple-DES is an extension to the DES
algorithm in which every 64-bit input block is processed three times. There are several ways that Triple-DES
can be computed. The DES accelerator on the MPC180 supports two key (K1, K2, K1) or three key (K1,
K2, K3) Triple-DES.
THe MPC180 supports two of the modes of operation defined for Triple-DES (see draft ANSI Standard
X9.52-1998):
•
•
TECB (Triple DES analogue of ECB)
TCBC (Triple DES analogue of CBC)
6.3 ARC Four Execution Unit (AFEU)
The AFEU processes an algorithm that is compatible with the RC4 stream cipher from RSA Security, Inc.
The RC4 algorithm is byte-oriented; therefore, a byte of plaintext is encrypted with a key to produce a byte
of ciphertext. The key is variable length, and the AFEU supports 40-bit to 128-bit key lengths, providing a
wide range of security levels. RC4 is a symmetric algorithm, so each of the two communicating parties share
the same key.
AFEU processing begins after this shared session key is agreed upon. The plaintext message to be encrypted
is logically partitioned into n sets of 8-bit blocks. In practice, the host processor groups 4 bytes at a time into
32-bit blocks and write that data to the AFEU. The AFEU internally processes each word one byte at a time.
The AFEU engine processes each block in turn, byte by byte, producing n sets of encrypted (ciphertext)
blocks. Decryption is handled in the reverse manner. The ciphertext blocks are processed one at a time by
an AFEU in the recipient’s system. The same key is used, and the AFEU manages the key processing
internally so that the plaintext blocks are recovered.
The AFEU accepts data in 32-bit words per write cycle and produces 4 bytes of ciphertext for every 4 bytes
of plaintext. Before any processing occurs, the key data is written to the AFEU, after which an initial
permutation on the key happens internally. After the initial permutation is finished, processing on 32-bit
words can begin.
6.4 Message Authentication Unit (MAU)
The MAU can perform SHA-1, MD5 and MD4, three of the most popular public message digest algorithms.
At its simplest, the MAU receives 16 32-bit registers containing a message, and produces a hashed message
of 128 bits for MD4/MD5 and 160 bits for SHA-1. The MAU also includes circuitry to automate the process
of generating an HMAC (hashed message authentication code) as specified by RFC 2104. The HMAC can
be built upon any of the hash functions supported by MAU.
MOTOROLA
MPC180 Security Processor Technical Summary
5
Public Key Execution Unit (PKEU)
6.5 Random Number Generator (RNG)
Because many cryptographic algorithms use random numbers as a source for generating a secret value, it is
desirable to have a private RNG for use by the MPC180. The anonymity of each random number must be
maintained, as well as the unpredictability of the next random number. The private RNG allows the system
to develop random challenges or random secret keys. The secret key can thus remain hidden from even the
high-level application code, providing an added measure of physical security. The RNG is also useful for
digital signature generation.
The RNG is a digital integrated circuit capable of generating 32-bit random numbers. It is designed to
comply with FIPS-140 standards for randomness and non-determinism. The RNG creates an unpredictable
sequence of bits and assembles a string of those bits into a register. The random number in that register is
accessible to the host through the host interface of the RNG.
7
Software and Hardware Support
Customers will have access to device drivers integrated with the WindRiver VxWorks OS. Sample drivers
will also be provided to customers wishing to integrate MPC180 support into other operating systems.
Third-party support for the MPC180 includes a development system for both the MPC860 and the
MPC8260. The WindRiver/EST SBC8260C development system and Zephyr Engineering ZPC860C, both
of which include a board support package, are available to accelerate customer design cycles.
8
Revision History
Table 8-1 summarizes the revision history of this document.
Table 8-1. Revision History
Revision No.
0
0.1
6
Substantive Change(s)
Initial release.
Added revision history and updated with new template.
MPC180 Security Processor Technical Summary
MOTOROLA
THIS PAGE INTENTIONALLY LEFT BLANK
HOW TO REACH US:
USA/EUROPE/LOCATIONS NOT LISTED:
Motorola Literature Distribution
P.O. Box 5405, Denver, Colorado 80217
1-303-675-2140
(800) 441-2447
JAPAN:
Motorola Japan Ltd.
SPS, Technical Information Center
3-20-1, Minami-Azabu Minato-ku
Tokyo 106-8573 Japan
81-3-3440-3569
Information in this document is provided solely to enable system and software implementers to use
Motorola products. There are no express or implied copyright licenses granted hereunder to design
ASIA/PACIFIC:
or fabricate any integrated circuits or integrated circuits based on the information in this document.
Motorola Semiconductors H.K. Ltd.
Silicon Harbour Centre, 2 Dai King Street
Tai Po Industrial Estate, Tai Po, N.T., Hong Kong
852-26668334
Motorola reserves the right to make changes without further notice to any products herein.
Motorola makes no warranty, representation or guarantee regarding the suitability of its products
for any particular purpose, nor does Motorola assume any liability arising out of the application or
use of any product or circuit, and specifically disclaims any and all liability, including without
TECHNICAL INFORMATION CENTER:
limitation consequential or incidental damages. “Typical” parameters which may be provided in
(800) 521-6274
Motorola data sheets and/or specifications can and do vary in different applications and actual
HOME PAGE:
performance may vary over time. All operating parameters, including “Typicals” must be validated
for each customer application by customer’s technical experts. Motorola does not convey any
www.motorola.com/semiconductors
license under its patent rights nor the rights of others. Motorola products are not designed,
intended, or authorized for use as components in systems intended for surgical implant into the
body, or other applications intended to support or sustain life, or for any other application in which
the failure of the Motorola product could create a situation where personal injury or death may
occur. Should Buyer purchase or use Motorola products for any such unintended or unauthorized
application, Buyer shall indemnify and hold Motorola and its officers, employees, subsidiaries,
affiliates, and distributors harmless against all claims, costs, damages, and expenses, and
reasonable attorney fees arising out of, directly or indirectly, any claim of personal injury or death
associated with such unintended or unauthorized use, even if such claim alleges that Motorola was
negligent regarding the design or manufacture of the part.
Motorola and the Stylized M Logo are registered in the U.S. Patent and Trademark Office.
digital dna is a trademark of Motorola, Inc. All other product or service names are the property of
their respective owners. Motorola, Inc. is an Equal Opportunity/Affirmative Action Employer.
© Motorola, Inc. 2003
MPC180TS/D