version 1.87, 2001/06/27 11:51:21 |
version 1.88, 2001/06/28 18:04:25 |
|
|
version 1 and had many added features, |
version 1 and had many added features, |
<ul> |
<ul> |
<li> |
<li> |
all components of a restrictive nature (ie. patents, see |
all components of a restrictive nature (i.e., patents, see |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ssl>ssl</a>)) |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ssl>ssl</a>)) |
had been directly removed from the source code; any licensed or |
had been directly removed from the source code; any licensed or |
patented components used external libraries. |
patented components used external libraries. |
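Review bot: The link line directly below the edited "(i.e., patents, see" line still ends in "))", although only one parenthesis is open at that point, so the sentence is left with an unbalanced closing parenthesis. Since this pass is a copy-edit of the same parenthetical, drop the extra ")" here, and quote the href value the way the other links in this file are quoted.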
|
|
performance even for the software case. |
performance even for the software case. |
<p> |
<p> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hifn&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hifn&sektion=4"> |
HiFn 7751</a></b><br> |
Hifn 7751</a></b><br> |
Cards using the <a href="http://www.hifn.com/products/7751.html">HiFn 7751</a> |
Cards using the Hifn 7751 can be used as a symmetric cryptographic |
can be used as a symmetric cryptographic accelerator (ie. |
accelerator (i.e., <a href="http://www.powercrypt.com">PowerCrypt</a>). |
<a href="http://www.powercrypt.com">PowerCrypt</a>). |
|
Current performance using a single Hifn 7751 on each end of a tunnel |
Current performance using a single Hifn 7751 on each end of a tunnel |
is 63Mbit/sec for 3DES/SHA1 ESP, nearly a 600% improvement over |
is 64Mbit/sec for 3DES/SHA1 ESP, nearly a 600% improvement over |
using a P3/550 cpu. Further improvements are under way to resolve a |
using a P3/550 CPU. Further improvements are under way to resolve a |
few more issues, but as of April 13, 2000 the code is considered |
few more issues, but as of April 13, 2000 the code is considered |
stable. We wrote our own driver for supporting this chip, rather |
stable. We wrote our own driver for supporting this chip, rather |
than using the (USA-written) |
than using the (USA-written) |
<a href="http://www.powercrypt.com">powercrypt</a> driver, as well |
<a href="http://www.powercrypt.com">PowerCrypt</a> driver, as well |
our driver links in properly to the IPsec stack. |
our driver links in properly to the IPsec stack. |
The 7751 is now considered slow by industry standards and many vendors |
The 7751 is now considered slow by industry standards and many vendors |
have faster chips (even HiFn now has a faster but more expensive |
have faster chips (even Hifn now has a faster but more expensive |
chip). Peak performance with 3DES SHA1 ESP is around 63MBit/sec. |
chip). Peak performance with 3DES SHA1 ESP is around 64MBit/sec. |
<p> |
<p> |
(As an aside, HiFn was a difficult company to deal with; they even |
(As an aside, Hifn was a difficult company to deal with; they even |
threatened to sue us over our non-USA reverse engineering of their |
threatened to sue us over our non-USA reverse engineering of their |
crypto unlock algorithm). |
crypto unlock algorithm). |
<p> |
<p> |
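Review bot: The throughput figure is raised from 63 to 64 in two places, but the unit is still spelled two ways ("64Mbit/sec" in the tunnel sentence, "64MBit/sec" in the peak-performance sentence); pick one spelling while both lines are being touched. The "nearly a 600% improvement" claim next to the new figure is unchanged, so it is worth confirming it still matches the measurement. Two smaller points in the same hunk: "(i.e., PowerCrypt)" names one example card, so "e.g." fits better, and "as well our driver links in properly" is missing a word ("as well as because our driver ...").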
|
|
Bluesteelnet was bought by Broadcom and started making real parts. |
Bluesteelnet was bought by Broadcom and started making real parts. |
Their new BCM5805 is similar, except that they also add an asymmetric |
Their new BCM5805 is similar, except that they also add an asymmetric |
engine for running DSA, RSA, and other such algorithms. With approximate |
engine for running DSA, RSA, and other such algorithms. With approximate |
performance starting at more than four times as fast as the HiFn, |
performance starting at more than four times as fast as the Hifn, |
hopefully this chip will become more common soon. |
hopefully this chip will become more common soon. |
<p> |
<p> |
The Broadcom/Bluesteelnet people have been great to deal with. They gave |
The Broadcom/Bluesteelnet people have been great to deal with. They gave |
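Review bot: "more than four times as fast as the Hifn" is ambiguous after the rename, because the Hifn entry above now mentions both the 7751 and a newer, faster Hifn chip. Naming the part ("as fast as the Hifn 7751") would keep the comparison unambiguous.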
|
|
<p> |
<p> |
|
|
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ises&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ises&sektion=4"> |
Pijnenburg PCC-ISES</a></b><br> |
Securealink PCC-ISES</a></b><br> |
The <a href="http://www.pcc.pijnenburg.nl/pcc-ises.htm">PCC-ISES</a> is a |
The <a href="http://www.securealink.com/pcc-ises.html">PCC-ISES</a> is |
new chipset from the Netherlands. We have received sample hardware and |
a new chipset from the Netherlands. We have received sample hardware |
documentation, and work on a driver is in progress. At the moment, the |
and documentation, and work on a driver is in progress. At the moment, |
driver is capable of feeding random numbers into the kernel entropy pool. |
the driver is capable of feeding random numbers into the kernel entropy |
|
pool. |
<p> |
<p> |
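Review bot: The heading changes the vendor from Pijnenburg to Securealink and the link moves to a new host, but nothing in the entry tells a reader that this is the same PCC-ISES part they may know under the old name. A short "(formerly Pijnenburg)" in the heading or first sentence would cover that. The paragraph was also re-wrapped in the same change, which hides the two real edits (vendor name and URL) among line-break noise; keeping reflow separate from content changes makes the diff easier to check.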
|
|
<li><b>SafeNet 2141</b><br> |
<li><b>SafeNet SafeXcel 2141</b><br> |
We have received documentation and sample hardware for the |
We have received documentation and sample hardware for the |
<a href="http://www.safenet-inc.com/OEM/OEMTechnologyDefault.htm">SafeNet</a> |
<a href="http://www.safenet-inc.com/technology/chips/Chip2141.asp">SafeNet</a> |
crypto cards. Work to support at least the symmetric cryptography of |
crypto cards. Work to support at least the symmetric cryptography of |
these devices has started. |
these devices has started. |
<p> |
<p> |
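Review bot: The heading now names the SafeXcel 2141 and the href points at a chip-specific page, but the link text is still just "SafeNet" and the body still says "SafeNet crypto cards". Making the link text name the 2141 would match the new target and the new heading.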
|
|
3com gave us a driver to support the ethernet component of this chipset, |
3com gave us a driver to support the ethernet component of this chipset, |
and based on that, we have written our own ethernet driver. This driver |
and based on that, we have written our own ethernet driver. This driver |
has now been integrated once we were able to get a free license on the |
has now been integrated once we were able to get a free license on the |
microcode. We have also received (all?) the information needed for |
microcode. We have also received the information needed for supporting |
supporting the cryptographic functions, which will require a little bit of |
the cryptographic functions, which will require a little bit of IPsec |
IPsec subsystem rearranging. Check back later.. |
subsystem rearranging. Check back later.. |
<p> |
<p> |
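Review bot: Removing "(all?)" from "We have also received (all?) the information needed" turns a hedged statement into a definite one. If the documentation is now known to be complete, that is fine; if not, keep a qualifier such as "most of". The trailing "Check back later.." still ends with a double period and could be fixed in the same pass.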
|
|
<li><b>Intel IPsec card</b><br> |
<li><b>Intel IPsec card</b><br> |
|
|
<li><b>OpenSSL</b><br> |
<li><b>OpenSSL</b><br> |
We have grand schemes for supporting crypto cards that can do RSA or DSA, |
We have grand schemes for supporting crypto cards that can do RSA or DSA, |
and exporting the functions of all crypto cards to OpenSSL so that |
and exporting the functions of all crypto cards to OpenSSL so that |
userland programs (ie. <a href="http://www.openssh.com">ssh</a>, |
userland programs (i.e., <a href="http://www.openssh.com">ssh</a>, |
<a href="http://www.modssl.org/">apache https</a>, etc) |
<a href="http://www.modssl.org/">apache https</a>, etc) |
can benefit. |
can benefit. |
</ul> |
</ul> |
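Review bot: In "userland programs (i.e., ssh, apache https, etc)" the list is a set of examples and ends in "etc", so "i.e." (that is) contradicts the open-ended list; "e.g." is the abbreviation wanted here, and with "e.g." the trailing "etc" becomes redundant and can be dropped.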