WO2005034410A2 - Method and apparatus of integrating link layer security into a physical layer transceiver - Google Patents
- Publication number
- WO2005034410A2 (PCT/US2004/032555)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- phy
- data
- encrypted data
- transmitting
- receiving
- Prior art date
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04K—SECRET COMMUNICATION; JAMMING OF COMMUNICATION
      - H04K1/00—Secret communication
Definitions
- the disclosure relates generally to link layer data communications.
- PHY Physical Layer Transceivers
- MAC Media Access Controller
- FIG. 1 is a functional block diagram of a typical prior art PHY 100.
- the PHY 100 is typically configured to interface between the MAC 110 of the host device and the medium 120.
- the PHY 100 typically includes analog circuitry 130 configured for receiving data from the medium 120 and decoding the data into a form appropriate for the host device using techniques known in the art.
- the PHY 100 further includes digital circuitry 140 configured for receiving data from the MAC 110 and converting the data into a form appropriate for the medium 120.
- the PHY 100 further includes memory and control circuitry 150 configured to control the operation of the PHY, and in particular the digital circuitry 140.
- the memory and control circuitry 150 will typically include circuitry to interface with the MAC 110 through a bus interface 160.
- Nonlimiting examples include the Medium Independent Interface (“MII”), Gigabit Medium Independent Interface (“GMII”), Ten Gigabit Medium Independent Interface (“XGMII” or “XAUI”), Reduced Gigabit Media Independent Interface (RGMII), and Serial Gigabit Media Independent Interface (SGMII).
- MII Medium Independent Interface
- GMII Gigabit Medium Independent Interface
- XGMII Ten Gigabit Medium Independent Interface
- RGMII Reduced Gigabit Media Independent Interface
- SGMII Serial Gigabit Media Independent Interface
- This disclosure may relate to data communications. Various disclosed aspects may be embodied in various computer and machine readable data structures. Furthermore, it is contemplated that data structures embodying the teachings of the disclosure may be transmitted across computer and machine readable media, and through communications systems by use of standard protocols such as those used to enable the Internet and other computer networking standards.
- the disclosure may relate to machine readable media on which are stored various aspects of the disclosure. It is contemplated that any media suitable for retrieving instructions is within the scope of the present disclosure. By way of example, such media may take the form of magnetic, optical, or semiconductor media, and may be configured to be accessible by a machine as is known in the art.
- Various aspects of the disclosure may be described through the use of flowcharts.
- the link layer may be defined in accordance with the OSI reference standard.
- the I.E.E.E. 802.3 standard defines the link layer as devices residing between the MAC and medium, and is so defined herein.
- FIG. 2 is a diagram of a link layer data transmission system 205 configured in accordance with the teachings of this disclosure.
- the system 205 includes a transmitting device 200 coupled to a receiving device 260 through a medium 240.
- the transmitting device 200 includes an ASIC configured to function as a MAC using techniques known in the art, and a PHY 230, such as that described in FIG. 1.
- the crypto device 220 is preferably configured to encrypt/authenticate the data packet 250 using DES, 3DES, MD5, SHA1, RC4, or AES, or other similar protocols.
- the data packet is received by the crypto device 220 from the MAC 210, and encrypted/authenticated prior to being provided to the PHY 230 and transmitted onto medium 240.
- the system 205 also includes a receiving device 260 that is configured similar to the transmitting device 200, including a MAC 270, a crypto device 280, and a PHY 290.
- FIG. 3 is a conceptual block diagram of a further embodiment of a PHY configured in accordance with the teachings of this disclosure.
- the embodiment of FIG. 3 provides that the crypto device is deployed on the same chip as the PHY, providing a single-chip link layer security solution.
- the device 300 includes a MAC 310 and a PHY 305.
- the PHY 305 includes analog circuitry 330 configured in a receive mode for receiving data from the medium 350 and decoding the data into a form appropriate for the host device using techniques known in the art.
- the analog circuitry is configured to receive data from the MAC 310, and convert it into a form appropriate for the medium 350.
- the PHY 305 further includes digital circuitry 320 configured for receiving data from the MAC 310 and converting the data into a form appropriate for the medium 350 in a transmit mode, and for receiving data from the analog circuitry 330 and converting it into a format appropriate for the MAC 310 in a receive mode.
- the PHY 305 further includes memory and control circuitry 325 configured to control the operation of the PHY, and in particular the digital circuitry 320.
- the memory and control circuitry 325 will typically include circuitry to interface with the MAC 310 through a bus interface 360, such as an MII, GMII, XGMII, XAUI, SGMII, or RGMII.
- the PHY 305 also includes a crypto module 340 coupled to the digital circuitry 320.
- the crypto module may include control and memory circuitry 345 for operation of the cryptographic functions.
- the crypto module 340 is preferably configured to encrypt/authenticate data received from the MAC 310 prior to presentation to the analog circuitry 330, and decrypt/authenticate data received from the analog circuitry 330 prior to presentation to the MAC 310.
- the crypto module may employ the cryptographic techniques disclosed above.
- the crypto device 340 may be deployed using existing hardware already present in the PHY. It will be appreciated that by reusing existing hardware already present on the PHY to enable crypto features, significant real estate savings in the device may result. It is contemplated that a wide array of PHY components may be reused when implementing the disclosed cryptographic features.
- the crypto device may reuse the PHY's pin or interface layout, memory map, various elements of the state machine, logic gates, or even one or more of the above.
- devices exist that contain multiple PHYs, such as an Octal PHY that contain 8 PHY interfaces. In these devices the reuse of pins and other elements that already exist in the PHY can reduce die and package size, thus making the devices less expensive to manufacture.
- some chips incorporate the MAC as a portion of the PHY chip. In this case it may be possible to take advantage of elements from both the MAC and the PHY.
- the additional functionality provided by the crypto device may be utilized for other functions or features.
- the crypto device may be configured to perform data compression.
- the crypto device 3 may comprise a router in which the MAC 310 comprises an ASIC configured to also function as a switching fabric.
- the crypto device may be employed to improve the overall performance and reliability of a data transmission system. As is appreciated by those of ordinary skill in the art, many such devices operate using a half duplex mode, where a common performance issue is the collision of data packets. It is contemplated that the additional functionality provided by the encryption device may improve collision management.
- the encryption memory 345 may be employed to temporarily store the data and associated security information as the packet is transmitted.
- the stored information may be immediately reused and resent, without the need for the processor or MAC to resend the data, or to send new security information such as a security association.
- this benefit may save processor cycle time, and may also improve performance by offloading some processing time from the ASIC to the PHY. It is contemplated that the crypto device may take advantage of certain areas of memory on the PHY.
- if the PHY complies with certain industry standards, such as I.E.E.E. 802.3, it is provided with certain registers of memory that are reserved for specific purposes, known as the MII Management Interface.
- registers 11-14 are reserved, and registers 16-31 are vendor-specific areas.
- SAD security association database
- the crypto device may need data, such as a key or security association, to perform a crypto function. This data could be accessed through register 12. This takes advantage of memory management techniques and structure already present. Of course, other registers may be used.
- FIG. 4 is a flowchart of a method of encrypting/authenticating data at the link layer of a data transmission system.
- the PHYs wishing to communicate may auto-negotiate a link using techniques known in the art. It is to be understood that the encryption/authentication techniques disclosed herein may also be applied prior to auto-negotiation of a link.
- the MAC of the transmitting PHY (“TX PHY”) provides the data to be transmitted to the crypto engine.
- the data is ciphered by the crypto engine and placed on the medium linking the PHYs by the TX PHY.
- the receiving PHY (“RCV PHY”) receives the cipher data from the link and presents the data to the RCV PHY's crypto engine, where the data is decrypted, authenticated, or both.
- FIG. 5 is a flowchart of a method for managing packet collisions using a crypto engine.
- the MAC of the TX PHY provides the data to be transmitted to the crypto engine.
- the data is encrypted, authenticated or both by the crypto engine and placed on the medium linking the PHYs by the TX PHY.
- the PHYs wishing to communicate may auto-negotiate a link using techniques known in the art, but the data may also be encrypted prior to auto-negotiation of a link.
- the encrypted/authenticated data is stored by the encryption engine.
- the PHY determines whether a packet collision has occurred.
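The FIG. 4/FIG. 5 flow described above, as an added Python model that is not code from the patent: the MAC hands a frame to the PHY's crypto engine once, the engine selects its security association through MII register 12 (the register the text suggests, inside the reserved 11-14 range), appends an HMAC-SHA1 tag (authentication-only is one of the modes the text allows, and SHA1 is on its list), keeps the result in its own memory, and on each collision resends the stored copy without involving the MAC. The class and function names, the register layout and the sample key are assumptions.

```python
import hmac
import hashlib

# Constructed MII management register layout (16-bit registers 0..31).
# The text states registers 11-14 are reserved and 16-31 vendor-specific,
# and suggests register 12 for key / security-association access.
RESERVED_REGS = range(11, 15)
VENDOR_REGS = range(16, 32)
SA_SELECT_REG = 12
TAG_LEN = hashlib.sha1().digest_size  # 20-byte HMAC-SHA1 tag


class PhyCryptoEngine:
    """Hypothetical model of the crypto module (340/345) inside a PHY."""

    def __init__(self, sad):
        self.regs = [0] * 32      # MII management registers
        self.sad = sad            # security association database: index -> key
        self.tx_store = None      # encryption memory 345: last authenticated frame
        self.mac_handoffs = 0     # how often the MAC had to supply the data

    def select_sa(self, sa_index):
        if SA_SELECT_REG not in RESERVED_REGS and SA_SELECT_REG not in VENDOR_REGS:
            raise ValueError("SA selector must live in a reserved/vendor register")
        self.regs[SA_SELECT_REG] = sa_index

    def _key(self):
        return self.sad[self.regs[SA_SELECT_REG]]

    def from_mac(self, frame):
        """TX path: MAC hands over a frame; engine appends the tag and keeps a copy."""
        self.mac_handoffs += 1
        tag = hmac.new(self._key(), frame, hashlib.sha1).digest()
        self.tx_store = frame + tag
        return self.tx_store

    def resend(self):
        """Collision path (FIG. 5): reuse the stored frame, no MAC involvement."""
        if self.tx_store is None:
            raise RuntimeError("nothing buffered for retransmission")
        return self.tx_store

    def to_mac(self, wire):
        """RX path: verify the tag in constant time; None means drop the frame."""
        if len(wire) < TAG_LEN:
            return None
        frame, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self._key(), frame, hashlib.sha1).digest()
        return frame if hmac.compare_digest(tag, expected) else None


def transmit(tx, frame, collisions):
    """Model the medium: the first `collisions` attempts collide and the PHY
    resends from the engine's buffer. Returns (bytes on the wire, attempts)."""
    wire = tx.from_mac(frame)            # single handoff from the MAC
    attempts = 1
    while attempts <= collisions:        # PHY detects a collision
        wire = tx.resend()
        attempts += 1
    return wire, attempts


if __name__ == "__main__":
    sad = {1: b"constructed-sa-key-1"}   # constructed sample SAD entry
    tx, rx = PhyCryptoEngine(sad), PhyCryptoEngine(sad)
    tx.select_sa(1); rx.select_sa(1)
    wire, attempts = transmit(tx, b"\x08\x00payload", 2)
    print(attempts, tx.mac_handoffs, rx.to_mac(wire))
```

SHA1 is used here only because it is on the text's list; DES, MD5 and RC4 from that same list are deprecated today and a current design would use an AEAD such as AES-GCM for the encrypt-and-authenticate mode.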
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP04789506.5A EP1668807B1 (en) | 2003-09-30 | 2004-09-30 | Method and apparatus of integrating link layer security into a physical layer transceiver |
CA2536532A CA2536532C (en) | 2003-09-30 | 2004-09-30 | Method and apparatus of integrating link layer security into a physical layer transceiver |
CN2004800263285A CN1856951B (en) | 2003-09-30 | 2004-09-30 | Method and apparatus of integrating link layer security into a physical layer transceiver |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/676,390 US7313686B2 (en) | 2003-09-30 | 2003-09-30 | Method and apparatus of integrating link layer security into a physical layer transceiver |
US10/676,390 | 2003-09-30 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2005034410A2 true WO2005034410A2 (en) | 2005-04-14 |
WO2005034410A3 WO2005034410A3 (en) | 2006-03-30 |
Family
ID=34377381
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2004/032555 WO2005034410A2 (en) | 2003-09-30 | 2004-09-30 | Method and apparatus of integrating link layer security into a physical layer transceiver |
Country Status (5)
Country | Link |
---|---|
US (1) | US7313686B2 (en) |
EP (1) | EP1668807B1 (en) |
CN (1) | CN1856951B (en) |
CA (1) | CA2536532C (en) |
WO (1) | WO2005034410A2 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8036202B2 (en) * | 2006-07-27 | 2011-10-11 | Cisco Technology, Inc. | Physical layer transceiver with integrated time synchronization |
US7885296B2 (en) * | 2006-07-27 | 2011-02-08 | Cisco Technology, Inc. | Maintaining consistency among multiple timestamp counters distributed among multiple devices |
US20090080660A1 (en) * | 2007-09-20 | 2009-03-26 | Shih Mo | Processorless media access control architecture for wireless communication |
US8775790B2 (en) * | 2007-10-30 | 2014-07-08 | Honeywell International Inc. | System and method for providing secure network communications |
US9544767B2 (en) * | 2014-07-21 | 2017-01-10 | Imagination Technologies Limited | Encryption key updates in wireless communication systems |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5689568A (en) * | 1995-06-29 | 1997-11-18 | Hughes Electronics | Medium access control for a mobile satellite system |
US6094439A (en) * | 1997-08-15 | 2000-07-25 | Advanced Micro Devices, Inc. | Arrangement for transmitting high speed packet data from a media access controller across multiple physical links |
US6222852B1 (en) | 1997-10-10 | 2001-04-24 | Nortel Networks Limited | Method and apparatus for transmitting dual speed ethernet information (10BASE-T and 100BASE-TX) across a physical layer device service interface |
US6324288B1 (en) * | 1999-05-17 | 2001-11-27 | Intel Corporation | Cipher core in a content protection system |
US7031267B2 (en) | 2000-12-21 | 2006-04-18 | 802 Systems Llc | PLD-based packet filtering methods with PLD configuration data update of filtering rules |
US7317732B2 (en) | 2000-09-28 | 2008-01-08 | Teridian Semiconductor, Corp. | Method and apparatus for handling link suspend pulse and silent line state transitions of a network device |
US6973566B2 (en) * | 2001-07-09 | 2005-12-06 | Advanced Micro Devices, Inc. | Software modem with privileged mode oversight of control parameters |
US7142557B2 (en) * | 2001-12-03 | 2006-11-28 | Xilinx, Inc. | Programmable logic device for wireless local area network |
CA2455010C (en) * | 2001-07-25 | 2009-09-22 | Xilinx, Inc. | Configurable communication integrated circuit |
TW573259B (en) * | 2001-12-28 | 2004-01-21 | Admtek Inc | LIFM algorithm for security association database lookup in IPSec application |
US8230114B2 (en) | 2002-08-07 | 2012-07-24 | Broadcom Corporation | System and method for implementing a single chip having a multiple sub-layer PHY |
US7577129B2 (en) * | 2002-10-17 | 2009-08-18 | Broadcom Corporation | Supporting multiple logical channels in a physical interface |
2003
- 2003-09-30 US US10/676,390 patent/US7313686B2/en not_active Expired - Fee Related

2004
- 2004-09-30 CA CA2536532A patent/CA2536532C/en not_active Expired - Fee Related
- 2004-09-30 CN CN2004800263285A patent/CN1856951B/en active Active
- 2004-09-30 WO PCT/US2004/032555 patent/WO2005034410A2/en active Application Filing
- 2004-09-30 EP EP04789506.5A patent/EP1668807B1/en active Active
Non-Patent Citations (2)
Title |
---|
KHOUSSAINOV R. ET AL.: "LAN security: problems and solutions for Ethernet networks", COMPUTER STANDARDS & INTERFACES, vol. 22, no. 3, 1 August 2000 (2000-08-01), pages 191 - 202, XP004215511, DOI: doi:10.1016/S0920-5489(00)00047-7 |
SUN-SIK ROH ET AL.: "Security model and authentication protocol in EPON-based optical access network", PROCEEDINGS OF 5TH INTERNATIONAL CONFERENCE ON TRANSPARENT OPTICAL NETWORKS, vol. 1, 29 June 2003 (2003-06-29), pages 99 - 102, XP010681404, DOI: doi:10.1109/ICTON.2003.1264588 |
Also Published As
Publication number | Publication date |
---|---|
US20050071629A1 (en) | 2005-03-31 |
WO2005034410A3 (en) | 2006-03-30 |
US7313686B2 (en) | 2007-12-25 |
CA2536532A1 (en) | 2005-05-14 |
EP1668807A4 (en) | 2012-05-09 |
CA2536532C (en) | 2011-05-31 |
EP1668807A2 (en) | 2006-06-14 |
CN1856951A (en) | 2006-11-01 |
EP1668807B1 (en) | 2017-09-13 |
CN1856951B (en) | 2011-03-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8843735B2 (en) | Method and apparatus of communicating security/encryption information to a physical layer transceiver | |
CN102132530B (en) | Method and apparatus for integrating precise time protocol and media access control security in network elements | |
CN1926839B (en) | Two parallel engines for high speed transmit IPSEC processing | |
US7548532B2 (en) | Method and apparatus to provide inline encryption and decryption for a wireless station via data streaming over a fast network | |
US20050216751A1 (en) | Modular cryptographic device providing multi-mode wireless lan operation features and related methods | |
MXPA06009235A (en) | Method and apparatus for cryptographically processing data. | |
WO2005104464A1 (en) | Four layer architecture for network device drivers | |
US11190528B2 (en) | Light-weight mechanism for checking message integrity in data packets | |
CN101222512A (en) | Enciphering and deciphering card, enciphering and deciphering method | |
US7580519B1 (en) | Triple DES gigabit/s performance using single DES engine | |
US7523306B2 (en) | Simplified CCMP mode for a wireless local area network | |
EP1580932A2 (en) | Methods and modular cryptographic device with status determination | |
US7545928B1 (en) | Triple DES critical timing path improvement | |
US7313686B2 (en) | Method and apparatus of integrating link layer security into a physical layer transceiver | |
US7877595B2 (en) | Modular cryptographic device and related methods | |
US7505598B2 (en) | On-the-fly encryption/decryption for WLAN communications | |
WO2014137351A1 (en) | Routing a data packet to a shared security engine | |
US20220078138A1 (en) | Trusted remote management unit | |
JP2003273894A (en) | Bridge device and method for transmission | |
KR19990079826A (en) | Ethernet lan system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | WWE | Wipo information: entry into national phase | Ref document number: 200480026328.5; Country of ref document: CN |
 | AK | Designated states | Kind code of ref document: A2; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
 | AL | Designated countries for regional patents | Kind code of ref document: A2; Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
 | ENP | Entry into the national phase | Ref document number: 2536532; Country of ref document: CA |
 | REEP | Request for entry into the european phase | Ref document number: 2004789506; Country of ref document: EP |
 | WWE | Wipo information: entry into national phase | Ref document number: 2004789506; Country of ref document: EP |
 | WWP | Wipo information: published in national office | Ref document number: 2004789506; Country of ref document: EP |