Patents by Inventor Lee P. Noehring

Lee P. Noehring has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9432180
    Abstract: Methods and systems are provided for a programmable parallel computation and data manipulation accelerator that may be used, for example, in cryptographic calculations. They allow acceleration of a broad variety of cryptographic algorithms and/or portions of algorithms, and are not algorithm specific. This system comprises a butterfly and inverse butterfly multiplexing permuter network and a lookup table. This system may allow replication of input registers, “expansion,” so that an individual bit may be used in multiple calculations in parallel, accelerating completion of the cryptographic algorithm. The system may allow “diffusion” of the expanded bits through the system's butterfly and inverse butterfly network, and may provide for “confusion” of the resulting bits through the system's lookup table. In some implementations, the system may allow completion of a computation within an algorithm within one clock cycle.
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: August 30, 2016
    Assignee: Harris Corporation
    Inventors: Michael Dean Collins, Lee P. Noehring, Bryan Doi
  • Patent number: 8433691
    Abstract: An apparatus and method for updating security association database entries in a system having multiple security channels by selectively granting access to the entries by a plurality of the multiple security channels that may need to update the same entry using a first-come, first-served scheme. The apparatus includes a controller circuit that functions to carry out the method which, for each of the multiple security channels, includes determining whether another of the security channels has a higher priority to access a particular security association database entry. If no other channel has a higher priority, then the channel requesting access to the entry retrieves it from its address location, modifies it, and writes the modified entry back to its address location. The controller prevents other channels from simultaneously, or substantially simultaneously, retrieving and modifying the same entry.
    Type: Grant
    Filed: January 11, 2011
    Date of Patent: April 30, 2013
    Assignee: Exelis, Inc.
    Inventors: Lee P. Noehring, Chad W. Mercer, Steve J. Brown
  • Publication number: 20120311349
    Abstract: Methods and systems are provided for a programmable parallel computation and data manipulation accelerator that may be used, for example, in cryptographic calculations. They allow acceleration of a broad variety of cryptographic algorithms and/or portions of algorithms, and are not algorithm specific. This system comprises a butterfly and inverse butterfly multiplexing permuter network and a lookup table. This system may allow replication of input registers, “expansion,” so that an individual bit may be used in multiple calculations in parallel, accelerating completion of the cryptographic algorithm. The system may allow “diffusion” of the expanded bits through the system's butterfly and inverse butterfly network, and may provide for “confusion” of the resulting bits through the system's lookup table. In some implementations, the system may allow completion of a computation within an algorithm within one clock cycle.
    Type: Application
    Filed: June 4, 2012
    Publication date: December 6, 2012
    Inventors: Michael Dean Collins, Lee P. Noehring, Bryan Doi
  • Patent number: 7958098
    Abstract: An apparatus and method for updating security association database entries in a system having multiple security channels by selectively granting access to the entries by a plurality of the multiple security channels that may need to update the same entry using a first-come, first-served scheme. The apparatus includes a controller circuit that functions to carry out the method which, for each of the multiple security channels, includes determining whether another of the security channels has a higher priority to access a particular security association database entry. If no other channel has a higher priority, then the channel requesting access to the entry retrieves it from its address location, modifies it, and writes the modified entry back to its address location. The controller prevents other channels from simultaneously, or substantially simultaneously, retrieving and modifying the same entry.
    Type: Grant
    Filed: September 11, 2009
    Date of Patent: June 7, 2011
    Assignee: ITT Manufacturing Enterprises, Inc.
    Inventors: Lee P. Noehring, Chad W. Mercer, Steve J. Brown
  • Publication number: 20110119305
    Abstract: An apparatus and method for updating security association database entries in a system having multiple security channels by selectively granting access to the entries by a plurality of the multiple security channels that may need to update the same entry using a first-come, first-served scheme. The apparatus includes a controller circuit that functions to carry out the method which, for each of the multiple security channels, includes determining whether another of the security channels has a higher priority to access a particular security association database entry. If no other channel has a higher priority, then the channel requesting access to the entry retrieves it from its address location, modifies it, and writes the modified entry back to its address location. The controller prevents other channels from simultaneously, or substantially simultaneously, retrieving and modifying the same entry.
    Type: Application
    Filed: January 11, 2011
    Publication date: May 19, 2011
    Inventors: Lee P. Noehring, Chad W. Mercer, Steve J. Brown
  • Publication number: 20100088288
    Abstract: An apparatus and method for updating security association database entries in a system having multiple security channels by selectively granting access to the entries by a plurality of the multiple security channels that may need to update the same entry using a first-come, first-served scheme. The apparatus includes a controller circuit that functions to carry out the method which, for each of the multiple security channels, includes determining whether another of the security channels has a higher priority to access a particular security association database entry. If no other channel has a higher priority, then the channel requesting access to the entry retrieves it from its address location, modifies it, and writes the modified entry back to its address location. The controller prevents other channels from simultaneously, or substantially simultaneously, retrieving and modifying the same entry.
    Type: Application
    Filed: September 11, 2009
    Publication date: April 8, 2010
    Inventors: Lee P. Noehring, Chad W. Mercer, Steve J. Brown
  • Patent number: 7613699
    Abstract: An apparatus and method for updating security association database entries in a system having multiple security channels by selectively granting access to the entries by a plurality of the multiple security channels that may need to update the same entry using a first-come, first-served scheme. The apparatus includes a controller circuit that functions to carry out the method which, for each of the multiple security channels, includes determining whether another of the security channels has a higher priority to access a particular security association database entry. If no other channel has a higher priority, then the channel requesting access to the entry retrieves it from its address location, modifies it, and writes the modified entry back to its address location. The controller prevents other channels from simultaneously, or substantially simultaneously, retrieving and modifying the same entry.
    Type: Grant
    Filed: August 3, 2001
    Date of Patent: November 3, 2009
    Assignee: ITT Manufacturing Enterprises, Inc.
    Inventors: Lee P. Noehring, Chad W. Mercer, Steve J. Brown
  • Patent number: 7496748
    Abstract: A method for establishing a secure communication channel for information flow between two or more computers communicating via an interconnected computer network, and a system for implementing the method, in response to receiving a security association data structure from one of the computers. The received security association data structure is stored in a memory region having a specific memory address value, and the specific memory address value is assigned as the security parameter index value associated with the received inbound security association data structure. Additionally, a method of processing information received over a previously established secure communication channel, and a system for implementing the method, in response to receiving a data packet that includes an encrypted data portion, and a header portion that includes a security parameter index value. A memory region is located using the security parameter index value as an address pointer.
    Type: Grant
    Filed: July 23, 2001
    Date of Patent: February 24, 2009
    Assignee: ITT Manufacturing Enterprises
    Inventors: Chad W. Mercer, Lee P. Noehring
  • Patent number: 7237262
    Abstract: A system for processing a data packet to determine if a replay condition exists for the data packet, wherein the data packet comprises a sequence number for comparison to a highest sequence number. The processing system includes a mask register to store a mask value, wherein the mask value provides an indication of prior receipt by the system of a plurality of data packets, and a shifter comprising an input coupled to receive the mask value from the mask register, wherein the shifter is operable to shift a binary value by a number of bit positions, the number determined by a difference between the sequence number and the highest sequence number.
    Type: Grant
    Filed: July 9, 2002
    Date of Patent: June 26, 2007
    Assignee: ITT Manufacturing Enterprises, Inc.
    Inventors: Gregg D. Lahti, Lee P. Noehring
  • Patent number: 7194766
    Abstract: A packet processing system embodied on an ASIC is optimized for processing IPSec security protocol packets in a hardware configuration. Embedded RISC processors operate with hardware support modules providing for IPSec packet processing at OC24 data rates and greater. IPSec packets are received through a streaming interface and buffered in an external memory. When the entire packet is in external memory, portions are buffered in a local memory for crypto-processing. As portions of the packets complete processing, the portions are buffered to an output portion of the external memory associated with the channel. When an entire packet completes processing, portions are buffered to a local memory for streaming. The hardware accordingly reduces the involvement of the RISC processors and significantly increases channel throughput providing for high-speed IPSec packet processing.
    Type: Grant
    Filed: June 13, 2001
    Date of Patent: March 20, 2007
    Assignee: Corrent Corporation
    Inventors: Lee P. Noehring, Chad W. Mercer, David Cassetti, Michael Privett, Satish Anand
  • Publication number: 20040008711
    Abstract: A system for processing a data packet to determine if a replay condition exists for the data packet, wherein the data packet comprises a sequence number for comparison to a highest sequence number. The processing system includes a mask register to store a mask value, wherein the mask value provides an indication of prior receipt by the system of a plurality of data packets, and a shifter comprising an input coupled to receive the mask value from the mask register, wherein the shifter is operable to shift a binary value by a number of bit positions, the number determined by a difference between the sequence number and the highest sequence number.
    Type: Application
    Filed: July 9, 2002
    Publication date: January 15, 2004
    Inventors: Gregg D. Lahti, Lee P. Noehring
  • Publication number: 20030028804
    Abstract: An apparatus and method for updating security association database entries in a system having multiple security channels by selectively granting access to the entries by a plurality of the multiple security channels that may need to update the same entry using a first-come, first-served scheme. The apparatus includes a controller circuit that functions to carry out the method which, for each of the multiple security channels, includes determining whether another of the security channels has a higher priority to access a particular security association database entry. If no other channel has a higher priority, then the channel requesting access to the entry retrieves it from its address location, modifies it, and writes the modified entry back to its address location. The controller prevents other channels from simultaneously, or substantially simultaneously, retrieving and modifying the same entry.
    Type: Application
    Filed: August 3, 2001
    Publication date: February 6, 2003
    Inventors: Lee P. Noehring, Chad W. Mercer, Steve J. Brown
  • Publication number: 20030018908
    Abstract: A method for establishing a secure communication channel for information flow between two or more computers communicating via an interconnected computer network, and a system for implementing the method, in response to receiving a security association data structure from one of the computers. The received security association data structure is stored in a memory region having a specific memory address value, and the specific memory address value is assigned as the security parameter index value associated with the received inbound security association data structure. Additionally, a method of processing information received over a previously established secure communication channel, and a system for implementing the method, in response to receiving a data packet that includes an encrypted data portion, and a header portion that includes a security parameter index value. A memory region is located using the security parameter index value as an address pointer.
    Type: Application
    Filed: July 23, 2001
    Publication date: January 23, 2003
    Inventors: Chad W. Mercer, Lee P. Noehring
  • Publication number: 20020188839
    Abstract: A packet processing system embodied on an ASIC is optimized for processing IPSec security protocol packets in a hardware configuration. Embedded RISC processors operate with hardware support modules providing for IPSec packet processing at OC24 data rates and greater. IPSec packets are received through a streaming interface and buffered in an external memory. When the entire packet is in external memory, portions are buffered in a local memory for crypto-processing. As portions of the packets complete processing, the portions are buffered to an output portion of the external memory associated with the channel. When an entire packet completes processing, portions are buffered to a local memory for streaming. The hardware accordingly reduces the involvement of the RISC processors and significantly increases channel throughput providing for high-speed IPSec packet processing.
    Type: Application
    Filed: June 13, 2001
    Publication date: December 12, 2002
    Inventors: Lee P. Noehring, Chad W. Mercer, David Cassetti, Michael Privett, Satish Anand
  • Publication number: 20020188871
    Abstract: An IPSec packet processing system includes an IPSec manager to interface with an IPSec engine, to manage memory and to handle exceptions associated with IPSec packet processing. The IPSec manager may be a software module operating as part of a software stack on a host processor while the IPSec engine may perform IPSec packet processing. The IPSec manager may also initiate the negotiation of new keys, send ICMP messages for PMTU violations and log entries for exceptions.
    Type: Application
    Filed: May 30, 2002
    Publication date: December 12, 2002
    Applicant: Corrent Corporation
    Inventors: Lee P. Noehring, Chad W. Mercer
  • Patent number: 6249739
    Abstract: A processor-based system in a vehicle may be quickly suspended to a lower power consumption state after detecting a signal indicative of engine cranking. Advantageously, the system may be caused to enter the lower power consumption state prior to the time that power is reduced as a result of engine cranking. If the operating system is active when the signal is detected, a routine may be called which causes device contexts to be saved before returning the system to a reduced power consumption state. Otherwise, if the operating system is inactive, an interrupt handler may be called which immediately returns the system to a reduced power consumption state. In this way, the system may be reliably restored to a lower power consumption state before being exposed to the power reduction inherent in engine cranking.
    Type: Grant
    Filed: August 31, 1999
    Date of Patent: June 19, 2001
    Assignee: Intel Corporation
    Inventors: Lee P. Noehring, Bruce L. Fleming