| version 1.87, 2001/06/27 11:51:21 |
version 1.88, 2001/06/28 18:04:25 |
|
|
| version 1 and had many added features, |
version 1 and had many added features, |
| <ul> |
<ul> |
| <li> |
<li> |
| all components of a restrictive nature (ie. patents, see |
all components of a restrictive nature (i.e., patents, see |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ssl>ssl</a>)) |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ssl>ssl</a>)) |
| had been directly removed from the source code; any licensed or |
had been directly removed from the source code; any licensed or |
| patented components used external libraries. |
patented components used external libraries. |
|
|
| performance even for the software case. |
performance even for the software case. |
| <p> |
<p> |
| <li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hifn&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hifn&sektion=4"> |
| HiFn 7751</a></b><br> |
Hifn 7751</a></b><br> |
| Cards using the <a href="http://www.hifn.com/products/7751.html">HiFn 7751</a> |
Cards using the Hifn 7751 can be used as a symmetric cryptographic |
| can be used as a symmetric cryptographic accelerator (ie. |
accelerator (i.e., <a href="http://www.powercrypt.com">PowerCrypt</a>). |
| <a href="http://www.powercrypt.com">PowerCrypt</a>). |
|
| Current performance using a single Hifn 7751 on each end of a tunnel |
Current performance using a single Hifn 7751 on each end of a tunnel |
| is 63Mbit/sec for 3DES/SHA1 ESP, nearly a 600% improvement over |
is 64Mbit/sec for 3DES/SHA1 ESP, nearly a 600% improvement over |
| using a P3/550 cpu. Further improvements are under way to resolve a |
using a P3/550 CPU. Further improvements are under way to resolve a |
| few more issues, but as of April 13, 2000 the code is considered |
few more issues, but as of April 13, 2000 the code is considered |
| stable. We wrote our own driver for supporting this chip, rather |
stable. We wrote our own driver for supporting this chip, rather |
| than using the (USA-written) |
than using the (USA-written) |
| <a href="http://www.powercrypt.com">powercrypt</a> driver, as well |
<a href="http://www.powercrypt.com">PowerCrypt</a> driver, as well |
| our driver links in properly to the IPsec stack. |
our driver links in properly to the IPsec stack. |
| The 7751 is now considered slow by industry standards and many vendors |
The 7751 is now considered slow by industry standards and many vendors |
| have faster chips (even HiFn now has a faster but more expensive |
have faster chips (even Hifn now has a faster but more expensive |
| chip). Peak performance with 3DES SHA1 ESP is around 63MBit/sec. |
chip). Peak performance with 3DES SHA1 ESP is around 64MBit/sec. |
| <p> |
<p> |
| (As an aside, HiFn was a difficult company to deal with; they even |
(As an aside, Hifn was a difficult company to deal with; they even |
| threatened to sue us over our non-USA reverse engineering of their |
threatened to sue us over our non-USA reverse engineering of their |
| crypto unlock algorithm). |
crypto unlock algorithm). |
| <p> |
<p> |
|
|
| Bluesteelnet was bought by Broadcom and started making real parts. |
Bluesteelnet was bought by Broadcom and started making real parts. |
| Their new BCM5805 is similar, except that they also add an asymmetric |
Their new BCM5805 is similar, except that they also add an asymmetric |
| engine for running DSA, RSA, and other such algorithms. With approximate |
engine for running DSA, RSA, and other such algorithms. With approximate |
| performance starting at more than four times as fast as the HiFn, |
performance starting at more than four times as fast as the Hifn, |
| hopefully this chip will become more common soon. |
hopefully this chip will become more common soon. |
| <p> |
<p> |
| The Broadcom/Bluesteelnet people have been great to deal with. They gave |
The Broadcom/Bluesteelnet people have been great to deal with. They gave |
|
|
| <p> |
<p> |
| |
|
| <li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ises&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ises&sektion=4"> |
| Pijnenburg PCC-ISES</a></b><br> |
Securealink PCC-ISES</a></b><br> |
| The <a href="http://www.pcc.pijnenburg.nl/pcc-ises.htm">PCC-ISES</a> is a |
The <a href="http://www.securealink.com/pcc-ises.html">PCC-ISES</a> is |
| new chipset from the Netherlands. We have received sample hardware and |
a new chipset from the Netherlands. We have received sample hardware |
| documentation, and work on a driver is in progress. At the moment, the |
and documentation, and work on a driver is in progress. At the moment, |
| driver is capable of feeding random numbers into the kernel entropy pool. |
the driver is capable of feeding random numbers into the kernel entropy |
| |
pool. |
| <p> |
<p> |
| |
|
| <li><b>SafeNet 2141</b><br> |
<li><b>SafeNet SafeXcel 2141</b><br> |
| We have received documentation and sample hardware for the |
We have received documentation and sample hardware for the |
| <a href="http://www.safenet-inc.com/OEM/OEMTechnologyDefault.htm">SafeNet</a> |
<a href="http://www.safenet-inc.com/technology/chips/Chip2141.asp">SafeNet</a> |
| crypto cards. Work to support at least the symmetric cryptography of |
crypto cards. Work to support at least the symmetric cryptography of |
| these devices has started. |
these devices has started. |
| <p> |
<p> |
|
|
| 3com gave us a driver to support the ethernet component of this chipset, |
3com gave us a driver to support the ethernet component of this chipset, |
| and based on that, we have written our own ethernet driver. This driver |
and based on that, we have written our own ethernet driver. This driver |
| has now been integrated once we were able to get a free license on the |
has now been integrated once we were able to get a free license on the |
| microcode. We have also received (all?) the information needed for |
microcode. We have also received the information needed for supporting |
| supporting the cryptographic functions, which will require a little bit of |
the cryptographic functions, which will require a little bit of IPsec |
| IPsec subsystem rearranging. Check back later.. |
subsystem rearranging. Check back later.. |
| <p> |
<p> |
| |
|
| <li><b>Intel IPsec card</b><br> |
<li><b>Intel IPsec card</b><br> |
|
|
| <li><b>OpenSSL</b><br> |
<li><b>OpenSSL</b><br> |
| We have grand schemes for supporting crypto cards that can do RSA or DSA, |
We have grand schemes for supporting crypto cards that can do RSA or DSA, |
| and exporting the functions of all crypto cards to OpenSSL so that |
and exporting the functions of all crypto cards to OpenSSL so that |
| userland programs (ie. <a href="http://www.openssh.com">ssh</a>, |
userland programs (i.e., <a href="http://www.openssh.com">ssh</a>, |
| <a href="http://www.modssl.org/">apache https</a>, etc) |
<a href="http://www.modssl.org/">apache https</a>, etc) |
| can benefit. |
can benefit. |
| </ul> |
</ul> |
![[BACK]](/icons/back.gif){kind=icon}
Return to crypto.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www