(Encryption/Decryption) + (Auth/De-Auth) in one go

RCReddy

Hi Ti Folks,

Taking case of AES ciphering + AES_CMAC auth and going by Ti SA UG, can i conclude the following.

1. In one-go [one qmss_queue push with appropriate command labels] packet being sent to encryption engine [AES] and automatically the same is routed to Auth engine [AES_CMAC] to do ?? Is this possible [looks like possible, as i see this in test1_1.c ], i just wanted confirmation by Ti folks ?

2. In one-go [i am looking at one qmss_queue push], it is NOT possible by using air cipher engine because of combined channel creation of cipher+auth not possible due to LLD limitations [based on my earlier post and Ti's reply].

3. I relooked at the Table 2-5 [Ti SA UG] [i pasted the table below] and i see that there are two points

AES CMAC ---> air cipher engine

CMAC ----> Authentication engine

is CMAC different from AES CMAC ??

can i perform AES CMAC using Auth engine ??

Thanks

RC Reddy

over 12 years ago

0 Eric Ruei over 12 years ago

TI__Intellectual 2810 points

Hi, RC:

I believe that you are using SASS in the Air-Ciphering mode, aren't you?

For IPSEC mode, SASS does support both encryptionn and authentication at a channel. However, simultaneous ciphering and authentication is not supported in Air-ciphering mode due to hardwaere limitation. Please note that both IPSEC and Air-ciphering use AES-CMAC as an authentication algorithm, but the detailed operation is different.

In the air-ciphering mode, the data PDU only requires ciphering operation and the authentication operation is only applicable to control PDU , which is at pretty low rate. You can create two SA LLD channels, one for encryption and one for authentication in this case.

If you just want to perform the protocol-independent ciphering and authentication operation, you may want to use (non-protocol) data mode.

Best regards,

Eric

0 RCReddy over 12 years ago in reply to Eric Ruei

Genius 3575 points

Hi,

Thanks for your reply. Can you please confirm the following possible combinations.

data-mode

=========

Pkt [to be encrypted AND integrity verific byte inserted] ----> 647 -----> [ (encryption,decryption engine)+(authentication,de-authentication) ]

explanation: - this [both cipher+auth] should happen in one go

Pkt [to be encrypted OR integrity verific byte inserted] ----> 646 -----> [ (air cipher engine) ]

explanation: - since here its either cipher or auth, this should also happen in one go.

Thanks

RC Reddy

0 Eric Ruei over 12 years ago in reply to RCReddy

TI__Intellectual 2810 points

Hi, RC:

It has nothing to do with the SA queue where you send the packets. It all depnds on which protocol mode you used.

For IPSEC and SRTP mode, the SASS supports simultaneous encryption and authentication.
For 3GPP Air-Ciphering mode, the SASS does not support simultaneous ciphering and authentication operation.

Besides, it is required not to send the same type of traffic to multiple queues and that is why we recomment to use queue 646 for air-ciphering traffic and queue 647 for IPSEC and SRTP traffic.

Best regards,

Eric

0 RCReddy over 12 years ago in reply to Eric Ruei

Genius 3575 points

Hi Eric,

your statements confused me further. Probably i am unable to put my question properly in my earlier post. [letme re-iterate, my requirement is only in DATA Mode] [i DONT want to do any IPSEC,SRTP...etc].

my objective/aim:-

1. I want to do AES+AES_auth [under data mode {no protocol mode} ] in one go [one security channel + one qmss queue push].

i plan to use data mode and prepare commands to push to cipher/decipher engine and auth/de-auth engine. is it possible to get two things in one go under data mode.

2. I plan to use air cipher engine for requirement of only ciphering/deciphering. say a data buffer needs to be ONLY AES encrypted, i plan to use air cipher engine. is this possible ?

3. I plan to use air cipher engine for requirement of only auth/de-auth. say a data buffer needs to be ONLY AES authed, i plan to use air cipher engine. is this possible ?

Thanks

RC Reddy

0 Eric Ruei over 12 years ago in reply to RCReddy

TI__Intellectual 2810 points

Hi, RC:

Please see my answers below:

1. I want to do AES+AES_auth [under data mode {no protocol mode} ] in one go [one security channel + one qmss queue push].

[Eric] There is no restriction in data mode. You should be able to do AES-CTR(CBC) and AES-CMAC in one-go. Please refer to the supported encryption/ciphering and authentication mode based on the symbols provided at salld.h

typedef enum {
sa_CipherMode_NULL = 0,        /**< No encryption */
sa_CipherMode_AES_CTR,         /**< AES Counter mode */
sa_CipherMode_AES_F8,          /**< AES F8 mode */
sa_CipherMode_AES_CBC,         /**< AES CBC mode */
sa_CipherMode_DES_CBC,         /**< DES CBC mode */
sa_CipherMode_3DES_CBC,        /**< 3DES CBC mode */
sa_CipherMode_CCM,             /**< Counter with CBC-MAC mode */
sa_CipherMode_GCM,             /**< Galois Counter mode */
sa_CipherMode_GSM_A53,         /**< 3GPP GSM A5/3 encryption: Key stream generation */
sa_CipherMode_ECSD_A53,        /**< 3GPP ECSD A5/3 encryption: Key stream generation */
sa_CipherMode_GEA3,            /**< 3GPP GPRA encryption: Key stream generation */
sa_CipherMode_KASUMI_F8,       /**< 3GPP Kasumi F8 mode */
sa_CipherMode_SNOW3G_F8,       /**< 3GPP Snow3G F8 mode */
sa_CipherMode_LAST
} Sa_CipherMode_e;

typedef enum {
sa_AuthMode_NULL = 0,          /**< No idviudal Authentication */
sa_AuthMode_MD5 = sa_CipherMode_LAST, /**< MD5 mode */
sa_AuthMode_SHA1,              /**< SHA1 mode */
sa_AuthMode_SHA2_224,          /**< 224-bit SHA2 mode */
sa_AuthMode_SHA2_256,          /**< 256-bit SHA2 mode */
sa_AuthMode_HMAC_MD5,          /**< HMAC with MD5 mode */
sa_AuthMode_HMAC_SHA1,         /**< HMAC with SHA1 mode */
sa_AuthMode_HMAC_SHA2_224,     /**< HMAC with 224-bit SHA2 mode */
sa_AuthMode_HMAC_SHA2_256,     /**< HMAC with 256-bit SHA2 mode */
sa_AuthMode_GMAC,              /**< Galois Message Authentication Code mode */
sa_AuthMode_GMAC_AH,           /**< Galois Message Authentication Code mode for IPSEC AH operation
                                      @note: This mode is used at Data Mode only */
sa_AuthMode_CMAC,              /**< Cipher-based Message Authentication Code mode */
sa_AuthMode_CBC_MAC,           /**< Cipher Block Chaining - Message Autnentication Code mode */
sa_AuthMode_AES_XCBC,          /**< AES Extended Cipher Block Chaining - Message Autnentication Code mode */
sa_AuthMode_KASUMI_F9          /**< 3GPP Kasumi F9 mode */
} Sa_AuthMode_e;

i plan to use data mode and prepare commands to push to cipher/decipher engine and auth/de-auth engine. is it possible to get two things in one go under data mode.

2. I plan to use air cipher engine for requirement of only ciphering/deciphering. say a data buffer needs to be ONLY AES encrypted, i plan to use air cipher engine. is this possible ?

[Eric] The user (application) should interfcae with LLD only. The user should specify the security protocol, encryption and authentication mode, it is up to LLD to select which internal engine to be invoked.

3. I plan to use air cipher engine for requirement of only auth/de-auth. say a data buffer needs to be ONLY AES authed, i plan to use air cipher engine. is this possible ?

[Eric] Please refer to the answers above. In data mode, the air-ciphering engine will be used for air-ciphering algorithm such as Kasumi and Snow3G only.

Best regards,

Eric

Processors

Processors forum

(Encryption/Decryption) + (Auth/De-Auth) in one go