Abstract: Systems and methods for in-line TCP processing using a systolic array. For example, data received for storage is processed in-line prior to encryption and/or sending to a remote storage device (e.g., cloud storage or server).

Abstract: Apparatus and methods related to securely transmitting data between a portable storage or other medium and a data storage system. In one approach, a portable storage medium drive reads data from a portable storage medium, and a password key decryption unit automatically decrypts the data using a password key in response to having obtained the password key. A storage key encryption unit automatically encrypts the first password key decrypted data using a storage key in response to an availability of the password key decrypted data. A storage interface automatically transmits the storage key encrypted data to the data storage system in response to an availability of the storage key encrypted data.

Abstract: Systems and methods for protocol processing using a systolic array (e.g., programmed in an FPGA). For example, protocol processing is performed for incoming data (e.g., received for storage) prior to encryption and/or sending to a remote storage device (e.g., cloud storage or server).

Abstract: Systems and methods for a random number generator including a systolic array to provide a random number output. In one approach, the systolic array can be arranged in two or greater dimensions, and each cell of the array comprises a ring oscillator. Data is read from a random access memory to provide the inputs to the systolic array. A linear feedback shift register receives the random number output as a feedback signal used to address the memory to read data to provide as the inputs to the systolic array.

Abstract: A computing device (e.g., an FPGA or integrated circuit) processes an incoming packet comprising data to compute a Galois hash. The computing device includes a plurality of circuits, each circuit providing a respective result used to determine the Galois hash, and each circuit including: a first multiplier configured to receive a portion of the data; a first exclusive-OR gate configured to receive an output of the first multiplier as a first input, and to provide the respective result; and a second multiplier configured to receive an output of the first exclusive-OR gate, wherein the first exclusive-OR gate is further configured to receive an output of the second multiplier as a second input. In one embodiment, the computing device further comprises a second exclusive-OR gate configured to output the Galois hash, wherein each respective result is provided as an input to the second exclusive-OR gate.

Abstract: Systems, methods, and apparatus related to transferring encrypted data over a wireless network. In one approach, an encryptor includes a host interface configured to transmit data and commands with a local computing device, a wireless communication interface configured to transmit data and commands over a radio access network, a storage interface configured to interface a local storage medium to store data, and at least one processing device configured to perform operations comprising: encrypting first data from the local computing device to be written into the local storage medium upon receiving a first command from the local computing device; decrypting the encrypted first data from the local storage medium to be read by the local computing device upon receiving a second command from the local computing device; and transmitting the encrypted first data through the wireless communication interface to the radio access network upon receiving a third command.

Abstract: Systems, methods, and apparatus for a MILS HPC, data storage system (DSS) system architecture that incorporates a multi-crypto module (MCM) to provide end-to-end multi-independent level security (MILS) protection. Configuration of each MCM enables a high performance computing (HPC) resource to compute different security domains with the associated security level keys from a key/node manager. The HPC resource can be dynamically re-allocated to different security level domain(s) by the key/node manager. In one embodiment, the DSS stores encrypted data regardless of the domains.

Abstract: A secure end-to-end communication system is implemented via one or more security processing devices. In one embodiment, a method includes: loading, by a key manager, a first set of keys into a security device; encrypting first data with the first set of keys using the security device; and sending, over a network, the encrypted first data to an external site or a mobile device. The method may further include: requesting the encrypted data from the external site or mobile device; receiving, over the network, the encrypted first data; and decrypting the received encrypted first data with the first set of keys using the security device.

Abstract: In one embodiment, a method includes: receiving, by a first computing device on a first port of a plurality of ports, a data packet, wherein each of the ports corresponds to one of a plurality of security classes, and the first computing device comprises a plurality of cryptographic modules, each module configured to encrypt data for a respective one of the security classes; tagging the data packet, wherein tagging data identifies one of the security classes and the first port; routing, based on at least one header, the data packet to a first cryptographic module of the plurality of cryptographic modules; encrypting the data packet using the first cryptographic module; and storing the encrypted data packet in a first data storage device.

Abstract: A computing device (e.g., an FPGA or integrated circuit) processes an incoming packet comprising data to compute a Galois hash. The computing device includes a plurality of circuits, each circuit providing a respective result used to determine the Galois hash, and each circuit including: a first multiplier configured to receive a portion of the data; a first exclusive-OR gate configured to receive an output of the first multiplier as a first input, and to provide the respective result; and a second multiplier configured to receive an output of the first exclusive-OR gate, wherein the first exclusive-OR gate is further configured to receive an output of the second multiplier as a second input. In one embodiment, the computing device further comprises a second exclusive-OR gate configured to output the Galois hash, wherein each respective result is provided as an input to the second exclusive-OR gate.

Abstract: A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level; a key manager configured to select and tag-identified first set of keys from a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device for storage.

Abstract: A computing device (e.g., an FPGA or integrated circuit) processes an incoming packet comprising data to compute a Galois hash. The computing device includes a plurality of circuits, each circuit providing a respective result used to determine the Galois hash, and each circuit including: a first multiplier configured to receive a portion of the data; a first exclusive-OR gate configured to receive an output of the first multiplier as a first input, and to provide the respective result; and a second multiplier configured to receive an output of the first exclusive-OR gate, wherein the first exclusive-OR gate is further configured to receive an output of the second multiplier as a second input. In one embodiment, the computing device further comprises a second exclusive-OR gate configured to output the Galois hash, wherein each respective result is provided as an input to the second exclusive-OR gate.

Abstract: A system includes programmable systolic cryptographic modules for security processing of packets from a data source. A first programmable input/output interface routes each incoming packet to one of the systolic cryptographic modules for encryption processing. A second programmable input/output interface routes the encrypted packets from the one systolic cryptographic module to a common data storage. In one embodiment, the first programmable input/output interface is coupled to an interchangeable physical interface that receives the incoming packets from the data source. In another embodiment, each cryptographic module includes a programmable systolic packet input engine, a programmable cryptographic engine, and a programmable systolic packet output engine, each configured as a systolic array (e.g., using FPGAs) for data processing.