Security device with programmable systolic-matrix cryptographic module and programmable input/output interface

摘要

A system includes programmable systolic cryptographic modules for security processing of packets from a data source. A first programmable input/output interface routes each incoming packet to one of the systolic cryptographic modules for encryption processing. A second programmable input/output interface routes the encrypted packets from the one systolic cryptographic module to a common data storage. In one embodiment, the first programmable input/output interface is coupled to an interchangeable physical interface that receives the incoming packets from the data source. In another embodiment, each cryptographic module includes a programmable systolic packet input engine, a programmable cryptographic engine, and a programmable systolic packet output engine, each configured as a systolic array (e.g., using FPGAs) for data processing.

主权项

1. A system, comprising:
a plurality of cryptographic computing devices, each cryptographic device comprising at least one processor and at least one memory, each cryptographic device configured to perform security processing, and each cryptographic device comprising a programmable systolic packet input engine, a programmable systolic cryptographic engine, and a programmable systolic packet output engine; wherein the packet input engine, the cryptographic engine, and the packet output engine each are configured as a systolic-matrix array and include a respective field-programmable gate array (FPGA); wherein the packet input engine comprises a systolic array configured for packet routing, and the cryptographic engine comprises a systolic array configured for cryptographic functions; each cryptographic device further comprising a plurality of additional FPGAs configured as a top layer in a two-dimensional systolic array to support the security processing, wherein a first FPGA of the additional FPGAs is coupled to the packet input engine, a second FPGA of the additional FPGAs is coupled to the cryptographic engine, and a third FPGA of the additional FPGAs is coupled to the packet output engine; an interchangeable physical interface configured to receive a plurality of incoming packets from a data source; a first programmable input/output interface, comprising an FPGA, coupled to the interchangeable physical interface, configured to route each of the plurality of incoming packets to one of the cryptographic devices for encryption to provide a plurality of encrypted packets; and a second programmable input/output interface, comprising an FPGA, configured to route the encrypted packets to a common data storage.