Abstract: Systems and methods for protocol processing using a systolic array (e.g., programmed in an FPGA). For example, protocol processing is performed for incoming data (e.g., received for storage) prior to encryption and/or sending to a remote storage device (e.g., cloud storage or server).

Abstract: Systems, methods, and apparatus for a MILS HPC, data storage system (DSS) system architecture that incorporates a multi-crypto module (MCM) to provide end-to-end multi-independent level security (MILS) protection. Configuration of each MCM enables a high performance computing (HPC) resource to compute different security domains with the associated security level keys from a key/node manager. The HPC resource can be dynamically re-allocated to different security level domain(s) by the key/node manager. In one embodiment, the DSS stores encrypted data regardless of the domains.

Abstract: A system includes a security device, configured for cryptographic processing, coupled to receive incoming data from a plurality of data sources (e.g., data from different customers), wherein the incoming data includes first data from a first data source; a controller (e.g., an external key manager) configured to select a first set of keys from a plurality of key sets, each of the key sets corresponding to one of the plurality of data sources, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device.

Abstract: Systems and methods to securely send or write data to a cloud storage or server. In one embodiment, a method includes: establishing a connection to a client using a client-side transport protocol; receiving, over the connection, data from the first client; decrypting, using a client session key, the received data to provide first decrypted data; encrypting the first decrypted data using a stored payload key (that is associated with the client) to provide first encrypted data; encrypting, using a cloud session key, the first encrypted data using a remote-side transport protocol to provide second encrypted data; and sending the second encrypted data to the cloud storage or server.

Abstract: A system includes programmable systolic cryptographic modules for security processing of packets from a data source. A first programmable input/output interface routes each incoming packet to one of the systolic cryptographic modules for encryption processing. A second programmable input/output interface routes the encrypted packets from the one systolic cryptographic module to a common data storage. In one embodiment, the first programmable input/output interface is coupled to an interchangeable physical interface that receives the incoming packets from the data source. In another embodiment, each cryptographic module includes a programmable systolic packet input engine, a programmable cryptographic engine, and a programmable systolic packet output engine, each configured as a systolic array (e.g., using FPGAs) for data processing.

Abstract: In one embodiment, a method includes: receiving, by a first computing device on a first port of a plurality of ports, a data packet, wherein each of the ports corresponds to one of a plurality of security classes, and the first computing device comprises a plurality of cryptographic modules, each module configured to encrypt data for a respective one of the security classes; tagging the data packet, wherein tagging data identifies one of the security classes and the first port; routing, based on at least one header, the data packet to a first cryptographic module of the plurality of cryptographic modules; encrypting the data packet using the first cryptographic module; and storing the encrypted data packet in a first data storage device.

Abstract: Systems and methods to securely store data in a remote storage (e.g., cloud storage or server). In one approach, a method includes: receiving, from a local device, data blocks to be stored; generating a hash from a hash of each data block; storing each respective hash (e.g., in a local or remote memory for later use); and writing the data blocks to remote storage. Data integrity is verified when each data block is read from the remote storage by generating a hash of the respective read data block, and comparing the generated hash to the respective stored hash.

Abstract: Systems and methods for protocol processing using a systolic array (e.g., programmed in an FPGA). For example, protocol processing is performed for incoming data (e.g., received for storage) prior to encryption and/or sending to a remote storage device (e.g., cloud storage or server).

Abstract: Systems and methods to securely send or write data to a cloud storage or server. In one embodiment, a method includes: establishing a connection to a client using a client-side transport protocol; receiving, over the connection, data from the first client; decrypting, using a client session key, the received data to provide first decrypted data; encrypting the first decrypted data using a stored payload key (that is associated with the client) to provide first encrypted data; encrypting, using a cloud session key, the first encrypted data using a remote-side transport protocol to provide second encrypted data; and sending the second encrypted data to the cloud storage or server.

Abstract: A system includes a security device, configured for cryptographic processing, coupled to receive incoming data from a plurality of data sources (e.g., data from different customers), wherein the incoming data includes first data from a first data source; a controller (e.g., an external key manager) configured to select a first set of keys from a plurality of key sets, each of the key sets corresponding to one of the plurality of data sources, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device.

Abstract: Systems and methods for a random number generator including a systolic array to provide a random number output. In one approach, the systolic array can be arranged in two or greater dimensions, and each cell of the array comprises a ring oscillator. Data is read from a random access memory to provide the inputs to the systolic array. A linear feedback shift register receives the random number output as a feedback signal used to address the memory to read data to provide as the inputs to the systolic array.

Abstract: Systems, methods, and apparatus related to transferring encrypted data over a wireless network. In one approach, an encryptor includes a host interface configured to transmit data and commands with a local computing device, a wireless communication interface configured to transmit data and commands over a radio access network, a storage interface configured to interface a local storage medium to store data, and at least one processing device configured to perform operations comprising: encrypting first data from the local computing device to be written into the local storage medium upon receiving a first command from the local computing device; decrypting the encrypted first data from the local storage medium to be read by the local computing device upon receiving a second command from the local computing device; and transmitting the encrypted first data through the wireless communication interface to the radio access network upon receiving a third command.

Abstract: Systems and methods to securely store data in a remote storage (e.g., cloud storage or server). In one approach, a method includes: receiving, from a local device, data blocks to be stored; generating a hash from a hash of each data block; storing each respective hash (e.g., in a local or remote memory for later use); and writing the data blocks to remote storage. Data integrity is verified when each data block is read from the remote storage by generating a hash of the respective read data block, and comparing the generated hash to the respective stored hash.

Abstract: In one embodiment, a method includes: receiving, by a first computing device on a first port of a plurality of ports, a data packet, wherein each of the ports corresponds to one of a plurality of security classes, and the first computing device comprises a plurality of cryptographic modules, each module configured to encrypt data for a respective one of the security classes; tagging the data packet, wherein tagging data identifies one of the security classes and the first port; routing, based on at least one header, the data packet to a first cryptographic module of the plurality of cryptographic modules; encrypting the data packet using the first cryptographic module; and storing the encrypted data packet in a first data storage device.

Abstract: A computing device (e.g., an FPGA or integrated circuit) processes an incoming packet comprising data to compute a Galois hash. The computing device includes a plurality of circuits, each circuit providing a respective result used to determine the Galois hash, and each circuit including: a first multiplier configured to receive a portion of the data; a first exclusive-OR gate configured to receive an output of the first multiplier as a first input, and to provide the respective result; and a second multiplier configured to receive an output of the first exclusive-OR gate, wherein the first exclusive-OR gate is further configured to receive an output of the second multiplier as a second input. In one embodiment, the computing device further comprises a second exclusive-OR gate configured to output the Galois hash, wherein each respective result is provided as an input to the second exclusive-OR gate.

Abstract: Systems, methods, and apparatus related to transferring encrypted data over a wireless network. In one approach, an encryptor includes a host interface configured to transmit data and commands with a local computing device, a wireless communication interface configured to transmit data and commands over a radio access network, a storage interface configured to interface a local storage medium to store data, and at least one processing device configured to perform operations comprising: encrypting first data from the local computing device to be written into the local storage medium upon receiving a first command from the local computing device; decrypting the encrypted first data from the local storage medium to be read by the local computing device upon receiving a second command from the local computing device; and transmitting the encrypted first data through the wireless communication interface to the radio access network upon receiving a third command.

Abstract: Systems and methods for a random number generator including a systolic array to provide a random number output. In one approach, the systolic array can be arranged in two or greater dimensions, and each cell of the array comprises a ring oscillator. Data is read from a random access memory to provide the inputs to the systolic array. A linear feedback shift register receives the random number output as a feedback signal used to address the memory to read data to provide as the inputs to the systolic array.

Abstract: A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level; a key manager configured to select and tag-identified first set of keys from a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device for storage.

Abstract: Systems, methods, and apparatus related to transferring encrypted data over a wireless network. In one approach, an encryptor includes a host interface configured to transmit data and commands with a local computing device, a wireless communication interface configured to transmit data and commands over a radio access network, a storage interface configured to interface a local storage medium to store data, and at least one processing device configured to perform operations comprising: encrypting first data from the local computing device to be written into the local storage medium upon receiving a first command from the local computing device; decrypting the encrypted first data from the local storage medium to be read by the local computing device upon receiving a second command from the local computing device; and transmitting the encrypted first data through the wireless communication interface to the radio access network upon receiving a third command.

Abstract: A computing device (e.g., an FPGA or integrated circuit) processes an incoming packet comprising data to compute a Galois hash. The computing device includes a plurality of circuits, each circuit providing a respective result used to determine the Galois hash, and each circuit including: a first multiplier configured to receive a portion of the data; a first exclusive-OR gate configured to receive an output of the first multiplier as a first input, and to provide the respective result; and a second multiplier configured to receive an output of the first exclusive-OR gate, wherein the first exclusive-OR gate is further configured to receive an output of the second multiplier as a second input. In one embodiment, the computing device further comprises a second exclusive-OR gate configured to output the Galois hash, wherein each respective result is provided as an input to the second exclusive-OR gate.