IP secure communication (IPsec) is a general means of encrypting information that flows over a network. In IPv6, IPsec for performing encrypted communication is standardized by an RFC (Request for Comments) as a default function.
To perform IP secure communication, encryption/decryption and authentication processing, which carries a high processing load, needs to be performed in real time. Consequently, when IP secure communication requires especially high speed, as in servers or routers, or when it is implemented on less powerful machines such as embedded devices, it is sometimes implemented using special hardware (hereinafter "HW engine") that performs the encryption and authentication processing (see patent literature 1). Hereinafter "hardware" may be abbreviated simply as "HW."
Generally, to perform encryption/decryption and authentication processing using a HW engine, pre-processing such as setting up the HW engine, and post-processing such as collecting the calculation results from the HW engine, need to be performed in software. Consequently, in general, pre-processing for a second packet cannot be started until post-processing for the first packet has finished: the processor waits while the HW engine works, and the HW engine waits while the processor performs the pre- and post-processing.
Patent literature 2 proposes a method of providing an encryption/decryption unit and a plurality of authentication units in an encryption/decryption authentication engine and operating these units as a pipeline, so that pre-processing for a second packet can be started as soon as processing for the first packet is finished in the encryption/decryption unit or the authentication units.
FIG. 1 explains communication stack processing when HW encryption authentication is performed, where FIG. 1A illustrates normal communication stack processing and FIG. 1B illustrates communication stack processing when HW encryption authentication is performed.
In FIG. 1, secure communication apparatus 10 is configured with communication stack section 11, which executes layer processing 1 and layer processing 2; buffer 12, which temporarily stores received and transmitted data; and encryption authentication processing section 13, which issues HW processing requests to a HW engine and executes encryption authentication processing.
As shown in FIG. 1A, in normal communication stack processing, communication stack section 11 executes layer processing 1 and layer processing 2 via buffer 12 by means of a transmission command or a reception interrupt.
As shown in FIG. 1B, when HW encryption authentication is performed, communication stack section 11, upon receiving a transmission command or a reception interrupt, commands processing to encryption authentication processing section 13 in layer processing 1, and encryption authentication processing section 13 issues a HW processing request to HW encryption/decryption authentication processing section 14, described later (see FIG. 2). HW encryption/decryption authentication processing section 14 (see FIG. 2) receives this HW processing request, performs encryption/decryption authentication processing in HW and, on completion, returns delay processing (the deferred completion of the encryption authentication processing) to communication stack section 11 via encryption authentication processing section 13. Communication stack section 11 receives the encryption authentication processing result from encryption authentication processing section 13 and executes layer processing 2 via buffer 12.
When encryption/decryption authentication processing by HW encryption/decryption authentication processing section 14 (see FIG. 2) is performed while transmission/reception processing by layer processing 1 and layer processing 2 is in progress, communication stack section 11 performs the first half processing (layer processing 1, up to the HW request) and the second half processing (layer processing 2, after the HW result is returned) asynchronously. By performing the first half processing and the second half processing asynchronously, communication stack section 11 is able to improve the utilization of HW encryption/decryption authentication processing section 14 (see FIG. 2) and of the network devices (not shown).
FIG. 2 shows a detailed configuration of encryption authentication processing section 13. FIG. 3 is a timing chart showing operating timings of encryption authentication processing section 13 and HW encryption/decryption authentication processing section 14. In FIG. 2 and FIG. 3, the numbers (1) to (7) are codes for explaining the process flow.
In FIG. 2, secure communication apparatus 10 is configured with communication stack section 11, encryption authentication processing section 13, and HW encryption/decryption authentication processing section 14 that executes encryption/decryption authentication processing by means of a HW engine. Furthermore, encryption authentication processing section 13 includes request control section 21, HW pre-processing section 22, HW post-processing section 23, and queue 24.
When encryption authentication processing is commanded from layer processing 1 of communication stack section 11, request control section 21 places this request in queue 24 (see (1)). When the HW is not busy, request control section 21 commands HW pre-processing to HW pre-processing section 22 (see (2)).
HW pre-processing section 22 acquires a request from queue 24 (see (3)) and issues a processing request to HW encryption/decryption authentication processing section 14 according to the acquired request (see (4)).
HW encryption/decryption authentication processing section 14 performs encryption/decryption authentication processing in HW according to the HW processing request from encryption authentication processing section 13. When the processing for that request is finished, HW encryption/decryption authentication processing section 14 raises a HW interrupt signal (see FIG. 3) and, based on this interrupt, outputs a delay processing start command to HW post-processing section 23 (see (5)).
Encryption authentication processing section 13, upon receiving the delay processing start command from HW encryption/decryption authentication processing section 14, starts HW post-processing. As shown in FIG. 3, from the perspective of layer processing 1, the period from the time HW pre-processing section 22 finishes HW pre-processing until HW post-processing section 23 starts HW post-processing is a period in which HW post-processing section 23 cannot perform HW post-processing, because the result is still being computed in the HW engine. Encryption authentication processing section 13 acquires the HW processing result from HW encryption/decryption authentication processing section 14 (see (6)) and executes HW post-processing. Upon finishing HW post-processing, encryption authentication processing section 13 commands the second half processing to layer processing 2, and layer processing 2 is executed. By this means, as shown in FIG. 3, the encryption authentication processing for the request taken from queue 24 is finished, and the next HW pre-processing is executed in the same way.
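The following is an added illustrative model, not part of this specification or of either cited patent literature, of the request flow just described (queue, HW pre-processing, HW processing request, completion signalled by the engine, HW post-processing) and of the overlap that the serialized flow noted earlier lacks: pre-processing for the next request is issued while the engine is still working on the previous one, and post-processing runs when the completion arrives. All names (HWEngine, run_pipeline, verify_packet, SecurityAssociation) and the packet layout are assumptions made for the example. A software thread stands in for the HW engine, a completion queue stands in for the HW interrupt and delay processing start command, and truncated HMAC-SHA256 stands in for the engine's authentication core; there is no encryption step and no real ESP encapsulation.

```python
"""Toy model of an asynchronous HW offload path for authenticated packets.
Illustrative only: the 'HW engine' is a thread, the 'interrupt' is a queue,
and HMAC-SHA256 truncated to 16 bytes stands in for the engine's auth core."""
import hashlib
import hmac
import queue
import threading
from dataclasses import dataclass

HDR_LEN = 8   # assumed header layout: SPI (4 bytes) || sequence number (4 bytes)
ICV_LEN = 16  # truncated HMAC-SHA256 tag (HMAC-SHA-256-128 style truncation)


@dataclass
class SecurityAssociation:
    spi: int
    auth_key: bytes


@dataclass
class Request:
    seq: int
    sa: SecurityAssociation
    payload: bytes
    header: bytes = b""   # built by HW pre-processing
    icv: bytes = b""      # produced by the (simulated) HW engine


def compute_icv(sa, header, payload):
    """What the engine computes over header||payload; the receiver recomputes it."""
    return hmac.new(sa.auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]


class HWEngine(threading.Thread):
    """Simulated engine: one request at a time, FIFO; completion is signalled by
    placing the finished request on the completion queue (the 'HW interrupt')."""

    def __init__(self):
        super().__init__(daemon=True)
        self.requests = queue.Queue()     # HW processing requests
        self.completions = queue.Queue()  # delay processing start commands

    def run(self):
        while True:
            req = self.requests.get()
            if req is None:               # shutdown sentinel
                break
            req.icv = compute_icv(req.sa, req.header, req.payload)
            self.completions.put(req)


def hw_pre_processing(req):
    """First half (software): build the header the engine must authenticate."""
    req.header = req.sa.spi.to_bytes(4, "big") + req.seq.to_bytes(4, "big")
    return req


def hw_post_processing(req):
    """Second half (software): collect the engine's result, assemble the packet."""
    return req.header + req.payload + req.icv


def run_pipeline(payloads, sa):
    """Request control: issue pre-processing and HW requests without waiting for
    the previous packet's post-processing; post-process completions as they arrive."""
    engine = HWEngine()
    engine.start()
    pending = queue.Queue()               # the request queue
    for seq, payload in enumerate(payloads, start=1):
        pending.put(Request(seq, sa, payload))
    wire_packets = []
    in_flight = 0
    while not pending.empty() or in_flight:
        if not pending.empty():
            engine.requests.put(hw_pre_processing(pending.get()))
            in_flight += 1
            wait = False   # more pre-processing to do: only drain finished work
        else:
            wait = True    # nothing left to issue: block until the next completion
        try:
            while in_flight:
                done = engine.completions.get(block=wait)
                wait = False
                wire_packets.append(hw_post_processing(done))
                in_flight -= 1
        except queue.Empty:
            pass
    engine.requests.put(None)
    engine.join()
    return wire_packets


def verify_packet(wire, sa):
    """Receive side: SPI check and constant-time ICV check; payload or None."""
    if len(wire) < HDR_LEN + ICV_LEN:
        return None
    header, payload, icv = wire[:HDR_LEN], wire[HDR_LEN:-ICV_LEN], wire[-ICV_LEN:]
    if int.from_bytes(header[:4], "big") != sa.spi:
        return None
    if not hmac.compare_digest(icv, compute_icv(sa, header, payload)):
        return None
    return payload


if __name__ == "__main__":
    sa = SecurityAssociation(spi=0x1000, auth_key=b"\x11" * 32)  # constructed SA
    for pkt in run_pipeline([b"first", b"second", b"third"], sa):
        print(pkt.hex(), verify_packet(pkt, sa))
```

Because the engine is FIFO, completions arrive in sequence order, so the assembled packets come out in the order the requests were queued; a real engine with several units (as in patent literature 2) could complete out of order, and post-processing would then need the sequence number in the request to reorder or to index the right buffer. The verify step uses hmac.compare_digest so a forged tag cannot be distinguished from a valid one by timing.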