JP2004157164A - Message digest generating circuit and padding circuit - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To conduct a padding addition and a length addition without imposing a load on a CPU. <P>SOLUTION: A message is divided into data having a prescribed data length by a message input circuit 100 and the divided data are successively inputted starting from leading data. Moreover, information indicating the length of the message is inputted by the circuit 100. Then, the last data of the message is discriminated by a padding circuit 210 in accordance with the total amount and the information on the length of the data inputted by the circuit 100 and padding is outputted following the last data. Then, the completion position of the padding is discriminated by a length adding circuit 220 in accordance with the total amount of the padding outputted by the circuit 210 and the length information is outputted following the padding. <P>COPYRIGHT: (C)2004,JPO

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a message digest generating circuit that generates a message digest and a padding circuit that performs padding at the time of message authentication, and more particularly to a message digest generating circuit and a padding circuit that perform processing according to a message digest algorithm of a hash function.
[0002]
[Prior art]
As the range of use of information communication expands, high security regarding communication data is required. Therefore, the importance of data security technology is increasing.
[0003]
As one of data security technologies, there is an authentication technology for preventing data tampering and the like. The authentication technology is a technology for authenticating that received data is transmitted from a correct source and that the data is not falsified by a third party.
[0004]
As a data authentication technique, there is a technique using a hash function. Examples of the hash function algorithm include MD (Message Digest algorithm) 5 and SHA (Secure Hash Algorithm) 1. MD5 is defined in RFCs (Requests For Comments) 1321 issued by the IETF (Internet Engineering Task Force). SHA1 is defined in RFC2841. These hash function algorithms are hash functions most used in communication encryption techniques such as message authentication and digital signature methods used in networks.
[0005]
In message authentication using a hash function, when digitally signing a large sentence, a hash function is applied to the original long message (a variable-length message such as a document or data file) to generate a fixed-length character string. I do. This fixed-length character string is called a message digest. This is a concept that a long message or document is computer-processed and represented as a simple digest, and can be regarded as a “digital fingerprint” of the original input information (message).
[0006]
When the message digest is used, the usage form is determined in consideration of the security of the communication path used and the importance of the message itself. For example, a hash function is used for message authentication when dealing with information (for example, an order quantity in e-commerce) in which the message itself has few problems even if it is made public, but is falsified if it is tampered with. . Also, when handling information that would cause a problem if the message itself becomes public (for example, a credit card number in electronic commerce), encryption is performed after adding a message digest. This protects the entire information to be transmitted.
[0007]
Meanwhile, there is a protocol called IP (Internet Protocol) sec (security) in which a security function is added to the IP protocol. Implementation of IPsec is mandatory in IPv6, the next generation IP. Therefore, IPsec is the most promising security protocol at present.
[0008]
With the use of IPsec, the security of communication via a LAN (Local Area Network), a private or public WAN (Wide Area Network), and the Internet can be secured at the IP level. By ensuring security at the IP level, a network operator can provide a secure network environment for not only applications with security mechanisms but also many applications without security provisions. That is, secure communication can be performed for each application without mounting security-related functions.
[0009]
IP-level security includes three elements: authentication, confidentiality, and key management. The authentication mechanism verifies that the received packet actually comes from the sender described in the packet header. It also guarantees that this packet has not been altered during transmission. The function of maintaining confidentiality encrypts the message so that the communication node prevents eavesdropping from a third party. Key management concerns secure exchange of keys.
[0010]
As described above, the technology using the hash function is a technology that is increasingly required in the future. In a message authentication technique using a hash function, padding addition processing and length information addition processing (hereinafter, simply referred to as length addition) processing are generally performed.
[0011]
For example, in the SHA1 message digest algorithm, which is a typical hash function, when a message of an arbitrary length is input, a 160-bit message digest for the input message is generated and output. The SHA1 algorithm has roughly the following five configurations.
[First processing] Addition of padding bit
[Second processing] Addition of length
[Third processing] Initialization of message digest buffer
[Fourth processing] Processing of 16-word (512-bit) block message
[Fifth processing] Output
Here, attention is paid to [first processing] addition of padding bits and [second processing] addition of length. Hereinafter, one word indicates 32 bits.
[0012]
When SHA1 is used as a hash function, padding processing for a message is performed as follows.
The message is 2 ⁶⁴ It is assumed that the length is less than the byte L. Before being input to SHA1, the message is padded on the right side as follows.
[0013]
First, one “1” is added. Subsequently, zero or more “0” s are added ([first processing]). The number of “0” depends on the length of the original message. That is, the number of “0” to be added is determined so that the length (bit) of the message after padding conforms to 448 modulo 512 (the bit length is 448 longer than a multiple of 512).
[0014]
Note that padding is always performed even if the message length conforms to 448 modulo 512. For example, if the length of the message is 448 bits, 512 bits of padding are added so that the length becomes 960 bits. Therefore, padding of at least one bit and 512 bits at the maximum is added as a whole.
[0015]
Next, 64 bits indicating the length of the original data are added to the padding result ([second processing]). Since the message length after padding conforms to 448 modulo 512, if the 64-bit data that is the length information is added, the bit length of the message to which the length information is added becomes a multiple of 512.
[0016]
Here, a specific example of padding addition and length addition processing will be described. For example, let the original message be the following bit string:
"01100001 01100010 01000011 01100100 01100101"
According to the [first processing], the bit string becomes as follows.
[0017]
First, “1” is added.
"01100001 01100010 01000011 01100100 01100101 1"
When the length L (L is an integer of 0 or more) is 40 (bits), the number of bits after adding “1” is 41. Therefore, 407 “0” s are added to conform to 448 modulo 512, and the total number of bits becomes 448. This is in hexadecimal notation:
61626364 65800000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000
[Second processing] A two-word expression (one word is 32 bits) having a length L which is the number of bits of the original message is obtained. If length L <2 ³² Then the first word is all zeros. Add the two words to the padded message.
[0018]
In this example, L = 40. The two-word notation of 40 is 0000000000000002 in hexadecimal. As a result, the final assigned message is as follows in hexadecimal.
61626364 65800000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
000000000 00000000 00000000 000028
At this time, the length of the resulting message is an exact multiple of 512 bits. Since 512 bits is 16 32-bit words, the length of this message is also an exact multiple of 16 words.
[0019]
Such a message authentication technique using a hash function is described in detail in Non-Patent Documents 1 and 2, for example.
Patent Document 1 discloses an example of a security technique using a hash function.
[0020]
[Non-patent document 1]
Shinichi Ikeno and Kenji Koyama, "Modern Cryptography", IEICE, September 1, 1986.
[Non-patent document 2]
Bruce Schneier, "Applied Cryptography (Second Edition)", John Wiley & Sons, Inc. 1996, P429-P459.
[Patent Document 1]
JP-T-2001-527325 (Pages 27 to 30)
[0021]
[Problems to be solved by the invention]
By the way, conventionally, the entire processing by a hash function and the processing of configuring a HMAC (Hash-based Message Authentication Code) message authentication function using a specific hash function are defined by software. The CPU (Central Processing Unit) was executing. Therefore, the MD5 and SHA1 algorithms have been coded to increase the efficiency of software execution by the CPU. The code was designed to run efficiently on a 32-bit machine.
[0022]
HMAC is a mechanism for performing message authentication using a cryptographic hash function. HMAC uses an iterative cryptographic hash function such as MD5 or SHA1 in combination with a secret shared key.
[0023]
However, even if the padding process is designed to operate efficiently, its speed is completely dependent on CPU occupancy and CPU performance. For this reason, a sufficient speed may not be obtained, and in a situation in which the processing is combined with processing of another application or the like, the processing speed is further reduced. In addition, if processing of large data such as IP packet authentication of IPsec is executed by software, it takes an enormous amount of time.
[0024]
Furthermore, in order for the CPU to add padding and length, it is necessary to store a message to be transmitted in a memory, which consumes a storage area of the memory. If the storage capacity in the memory is used for padding or the like, the memory capacity that can be used for executing other applications decreases, and the processing efficiency decreases.
[0025]
As described above, the conventional processing such as padding addition is software processing by the CPU, so that the processing load on the CPU is heavy, and it is difficult to obtain a sufficient processing speed. Moreover, causing the CPU to execute the padding addition processing may interfere with the processing of other applications in some cases, greatly affecting the processing performance of the entire system.
[0026]
The present invention has been made in view of such a point, and an object of the present invention is to provide a message digest generation circuit capable of adding padding and length without imposing a load on a CPU.
[0027]
Another object of the present invention is to provide a padding circuit capable of adding padding without imposing a load on a CPU.
[0028]
[Means for Solving the Problems]
In the present invention, in order to solve the above problem, a message digest generation circuit as shown in FIG. 1 is provided. A message digest generation circuit according to the present invention performs message authentication processing. The message digest generation circuit includes a message input circuit 100, a padding circuit 210, and a length adding circuit 220. The message input circuit 100 divides a message into data having a predetermined data length, inputs the data sequentially from the beginning, and inputs length information indicating the length of the message. The padding circuit 210 determines the last data of the message according to the total amount of data and the length information input by the message input circuit 100, and outputs padding following the last data. The length adding circuit 220 determines a padding end position according to the total amount of the data input by the message input circuit and the padding output by the padding circuit, and transmits the length information following padding. Output.
[0029]
According to such a message digest generation circuit, the message is divided into data of a predetermined data length by the message input circuit 100 and is sequentially input from the top. Further, the message input circuit 100 inputs length information indicating the length of the message. Then, the padding circuit 210 determines the last data of the message according to the total amount of data and the length information input by the message input circuit 100, and outputs padding following the last data. Thereafter, the padding end position is determined by the length adding circuit 220 according to the total amount of the data input by the message input circuit and the padding output by the padding circuit, and the length information is output following the padding. You.
[0030]
According to another aspect of the present invention, in a padding circuit for adding padding to a message, the message is divided into data of a predetermined data length, input in order from the beginning, and indicates the length of the message. When length information is input, a determination circuit that determines the last data of the message according to the total amount of the input data and the length information, and the last data determined by the determination circuit. A padding output circuit that outputs padding following data.
[0031]
According to such a padding circuit, the message is divided into data of a predetermined data length and sequentially input from the beginning, and when length information indicating the length of the message is input, the length information is input by the determination circuit. The last data of the message is determined according to the total amount of data and the length information. Then, padding is output by the padding output circuit following the last data determined by the determination circuit.
[0032]
BEST MODE FOR CARRYING OUT THE INVENTION
Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 is a diagram showing a schematic configuration of a message digest generation circuit according to the present embodiment. The message digest generation circuit is roughly composed of a message input circuit 100, an information addition circuit 200, and a message processing circuit 300.
[0033]
The message input circuit 100 divides the message into data of a predetermined data length and inputs the data in order from the beginning, and inputs length information indicating the length of the message to the information adding circuit 200. Further, the message input circuit 100 outputs a signal indicating block switching every time data of one block is input.
[0034]
The information adding circuit 200 executes the first half of the message digest generation processing. Specifically, the information adding circuit 200 adds padding and length. The information adding circuit 200 has a padding circuit 210 for adding padding and a length adding circuit 220 for adding length.
[0035]
The padding circuit 210 determines the last data of the message according to the total amount of data and the length information input by the message input circuit 100, and outputs padding following the last data. Information according to the total amount of input data and the length information can be converted into a numerical value by, for example, subtracting the input data amount from the numerical value of the length information.
[0036]
More specifically, the padding circuit 210 includes a subtractor for sequentially subtracting the capacity of the data input from the message input circuit 100 from the length information, and a subtraction result of the subtractor for a data length of one block (for example, 64). And a comparator that outputs a signal indicating the padding target block when the number of bytes becomes equal to or less than (byte). For example, when a signal indicating block switching is output, the subtractor subtracts the data length of one block from the length information. Since the subtraction result is equal to or less than the data length of one block, it is known that the next input block is the block to be padded.
[0037]
Then, when the signal indicating the padding target block is output from the comparator, the padding circuit 210 determines the last data from the data in one block.
[0038]
For example, when the size of the data input to the message input circuit 100 is N bytes (N is a natural number), the padding circuit 210 outputs the subtraction result of the subtractor by N when the signal indicating the padding target block is output from the comparator. And then count the number of times data has been input. When the counted value reaches the value of the quotient by division, it is determined that the data input at that time is the last data of the message, and the padding circuit 210 follows the last data and responds to the value of the remainder by division. Output padding.
[0039]
That is, the data length of the remaining message in the block to which padding is to be added is divided by the size N of the input data (4 if it is 1 word) to obtain the last word including the original message in the block. Is specified. The remainder (lower 2 bits of the remaining data length) when divided by N indicates from which byte in the 32-bit word where padding starts padding is to be performed.
[0040]
The data length division process can be realized by a bit shift circuit. The size of the data input by the message input circuit 100 is 2 ⁿ In the case of a byte (n is a natural number), the padding circuit 210 has a bit shift circuit that shifts the subtraction result of the subtractor by n bits to the right, and uses the shift result by the bit shift circuit as a division result. One word (2 ² When data of (byte) is input, the quotient may be obtained by shifting the value of the remaining data length to the right by 2 bits. By performing division by a bit shift circuit, a circuit can be efficiently formed.
[0041]
In addition, padding addition processing for a 23-bit word at which padding starts can be realized by performing a logical OR operation on the word and a word indicating a padding value. That is, it can be realized using an OR operation circuit.
[0042]
At this time, the value of the padding input to the OR operation circuit is determined as follows, for example. The size of the data input by the message input circuit 100 is 2 ⁿ It is a byte (n is a natural number).
[0043]
That is, the padding circuit 210 stores the padding value in the storage device in advance in association with each numerical value represented by n bits. Then, the padding circuit 210 selects a padding value to be output from the storage device according to the value of the lower n bits of the subtraction result (data length of the remaining bytes of the message) of the subtractor by the selector.
[0044]
If the subtractor performs the subtraction in units of a block length (for example, 64 bytes), the value of the lower two bits of the length information indicating the data length of the original message does not change by the subtraction processing. Therefore, in that case, the padding value can be selected based on the lower two bits of the length information indicating the data length of the original message.
[0045]
The padding value selected here is a value to be added to data including the end of the message by an OR operation. After that, padding with a value of “0” is added until the data length reaches a predetermined data length (448 modulo 512).
[0046]
The length adding circuit 220 determines the padding end position according to the total amount of the data input by the message input circuit and the padding output by the padding circuit, and outputs length information following the padding. For example, the length adding circuit 220 outputs data (for example, 448 modulo 512) and padding corresponding to the data amount obtained by subtracting the data length of the length information from the multiple of the data length of one block, and then outputs the length. Output information.
[0047]
Specifically, the data length of one block is 64 bytes, and the data length of the length information is 8 bytes (the maximum message length (2 ⁶⁴ If the data length is a data length capable of expressing a numerical value up to byte), the total data length of the message and the padding becomes 64 bytes by adding 8 bytes to a multiple of 64 bytes minus 8 bytes. ) (When conforming to 448 modulo 512) is determined as the padding end position.
[0048]
That is, the word indicating the length information is added as the last two words of one block. Therefore, after padding is added to the block including the last data of the message, if an area for two words cannot be secured, length information is added to the next block.
[0049]
For example, if the remaining data length is 56 bytes or more, padding is performed up to 56 bytes of the block next to the block containing the data at the end of the message, and then 2 words indicating length information are added. You. If the remaining data length is 55 bytes or less, padding is performed up to 56 bytes of the block including the last data of the message, and then two words indicating length information are added.
[0050]
The message processing circuit 300 executes the latter half of the message digest generation processing, and generates a final message digest. More specifically, the message processing circuit 300 initializes a message digest buffer, processes a block message having a length of 16 words, and outputs a message digest. The processing of a block message having a length of 16 words is a compression function consisting of processing called four “rounds”.
[0051]
According to such a message digest generation circuit, the message input circuit 100 is capable of receiving a message from another CPU or the like. ⁶⁴ Wait for a message of bytes or less.
In general, the bit length of a message is a positive integer of 0 or more, and need not always be a multiple of 8 (byte unit). However, in the following embodiment, a case in which a message digest is adapted to a character code is assumed, and a specific example of generating a message digest based on a message in byte units will be specifically described.
[0052]
Upon receiving the message, the message input circuit 100 inputs the message to the information adding circuit 200 in order of 32 bits (one word) from the top.
FIG. 2 is a diagram illustrating a data structure of the divided message. The message 10 is theoretically handled in units of blocks 11 every 512 bits. That is, the message 10 is composed of one or more blocks 11. Each block 11 is divided into 16 words 12 composed of 32-bit data. Then, data is input from the message input circuit 100 to the information adding circuit 200 in word units.
[0053]
Although not described in detail here, for example, in the case of using a CPU that performs processing in units of 64 bits or 128 bits or more, data input from the message input circuit 100 includes 64-bit 8-stage data and 128-bit data. There are four stages. Even if the data length of the processing unit changes, there is basically no need to change the hardware configuration described later.
[0054]
However, if the data is in 64-bit units, the right shift at the time of division is 3 bits (division by 8). Since the remainder of the division is a value of 0 to 7, a padding value corresponding to each value is prepared in advance. Then, a padding value corresponding to the lower three bits of the data length is output.
[0055]
Similarly, for data in units of 128 bits, the right shift at the time of division is 4 bits (division by 16). Since the remainder of the division is a value of 0 to 15, a padding value corresponding to each value is prepared in advance. Then, a padding value corresponding to the lower 4 bits of the data length is output.
[0056]
When the divided words are input to the information adding circuit 200, the padding circuit 210 adds padding. Padding is one “1” bit and a required number (0 or more) of “0” bits. Padding has a bit length of 1 or more and 512 or less. After the padding is added, the length adding circuit 220 adds 64-bit data (length information) indicating the message length. The length of the message with padding and length information added is a multiple of 512 bits.
[0057]
Data to which padding and length information have been added is passed to the message processing circuit 300 in order from the first word. The message processing circuit 300 processes a word-length block message and outputs a message digest.
[0058]
Hereinafter, the processing of the information adding circuit 200 will be described in detail.
FIG. 3 is a schematic flowchart of a process performed by the information adding circuit. Hereinafter, the processing illustrated in FIG. 3 will be described along with step numbers.
[0059]
[Step S11] The information adding circuit 200 receives an input of a message in bytes and an input of information (length information) indicating the data length of the message, and the padding circuit 210 detects the end of the message. That is, it detects that the number of bytes of the input message has reached the data length of the message.
[0060]
[Step S12] The padding circuit 210 adds padding (1000... 000) to the end of the message.
[Step S13] After the padding, the length adding circuit 220 adds 64-bit data (length information) indicating the message length before the padding is added. As a result, a message having a length of a multiple of 512 bits is generated and input to the message processing circuit 300.
[0061]
Here, the padding addition processing will be described in detail.
First, the process of detecting the end of the message shown in step S11 will be described. In the present embodiment, data is input in 32-bit word units. The padding circuit 210 detects the padding position using the length information of the original message in bytes and the comparator, the subtractor, and the like. That is, the padding circuit 210 counts the number of input words (one word is 32 bits) and determines the last word of the message and the padding start position in the word.
[0062]
More specifically, the padding circuit 210 determines the number of words in the message and the position in the word at which padding is to be started, based on a bit string (64 bits) representing the length (number of bytes) of the original message to be hashed. . That is, the length is divided by 4, and the quotient and remainder are obtained. When a bit shift circuit is used, the upper bits (62 bits) of the bit string representing the length, excluding the lower 2 bits, are determined to be a quotient obtained by dividing by 4, and the lower 2 bits are determined to be a remainder.
[0063]
The quotient resulting from the division indicates the word at which to start padding. Specifically, when the same number of words as the quotient are input, padding is performed from the next input word.
[0064]
The remainder obtained as a result of the division indicates from which byte in the word to start padding the padding is to be performed. In other words, since the message data remains in the word to be padded by the number of bytes represented by the remainder, when the same number of byte data as the remainder is input, it is understood that padding should be performed from the next byte data.
[0065]
Next, the padding processing in step S12 will be described in detail. The padding circuit 210 adds a “1” bit to the head of the padding start position of the word to start padding. Next, “0” bits are continuously added until the padding end position. In terms of the circuit, when the input message is completed, a word having a value of 0 is input from the message input circuit 100 thereafter. Therefore, it is only necessary to set “1” at the padding start position of the padding start word, and then maintain “0” of the input data from the message input circuit 100.
[0066]
FIG. 4 is a diagram illustrating an example of padding addition and length addition processing. In the illustrated example, a 40-bit message 10 is input. The message 10 is passed to the padding circuit 210 in 32-bit words sequentially from the top. In the case of the 40-bit message 10, it is divided into one word 13 and 14 and passed to the padding circuit 210. Since the first word 13 is not a padding target, no processing is performed in the padding circuit 210. Since the next word 14 is a word to be padded, padding is added after valid message data (“01100101” in the example of FIG. 4). Thereafter, a word 16 having a value of "0" is added until the total number becomes 448 bits.
[0067]
The message 20 after padding has a data length of 448 bits (the message 20 is represented in hexadecimal).
Then, the length adding circuit 220 adds two words (64 bits) representing the original data length after the padded message. In the example of FIG. 4, since the data length is 40 bits, a value of “00000000 0000028” is added.
[0068]
If L <2 ³² If so, "0" is set to the last word of the block to which the padding start word belongs. “0” is set from the first word to the fourteenth word of the next block. Then, a value indicating the data length is set in the last two words.
[0069]
In the present embodiment, such processing of padding addition and length addition is performed by an electronic circuit in the information adding circuit 200 without passing through the CPU.
FIG. 5 is a diagram showing the internal configuration of the information adding circuit. The message input circuit 100 receives the data length 110 (the number of bytes (length information) of the message), the DREQ signal 120, and the input data 130, and outputs the output data 310 to the message processing circuit 300. Is output.
[0070]
The DREQ signal 120 is a signal that is output each time the message input circuit 100 inputs data of one block (64 bytes in the present embodiment). This DREQ signal 120 indicates the start of input of the next block. That is, the message input circuit 100 notifies the padding circuit 210 of the block switching position when the message is divided into blocks by the DREQ signal 120.
[0071]
The information adding circuit 200 includes a padding circuit 210, a length adding circuit 220, and an OR operation circuit 201.
The padding circuit 210 includes a data length countdown register 211, a subtractor 212, a comparator 213, a bit shift circuit 214, a counter circuit 215, a remaining data length register 216, a selector 217, and a padding value constant ROM 218.
[0072]
The padding circuit 210 can be broadly divided into a judgment circuit and a padding output circuit. The determination circuit is a circuit that determines the last data of the message according to the total amount of the input data (word unit) and the length information of the message. In the example of FIG. 5, the determination circuit includes a data length countdown register 211, a subtractor 212, a comparator 213, a bit shift circuit 214, and a counter circuit 215. The padding output circuit is a circuit that outputs padding following the last data of the message. In the example of FIG. 5, the padding output circuit includes a remaining data length register 216, a selector 217, and a padding value constant ROM 218.
[0073]
The length addition circuit 220 includes a comparator 221, a comparator 222, a counter + selector circuit 223, a data length storage register 224, and a bit shift circuit 225.
[0074]
The data length 110 is input to the data length countdown register 211 and the data length storage register 224. The DREQ signal 120 is input to a subtractor 212. The input data 130 is input to the OR operation circuit 201, the counter circuit 215, and the counter + selector circuit 223.
[0075]
First, the internal configuration of the padding circuit 210 will be described.
The data length (byte number) is input to the data length countdown register 211 as an initial value. The input initial value is passed to the bit shift circuit 214. Then, each time the subtractor 212 performs the subtraction, it is updated to the subtraction result. As a result, the data length countdown register 211 holds the remaining data amount of the message to be processed.
[0076]
The subtracter 212 is connected to the data length countdown register 211. Each time the DREQ signal 120 is input, the subtractor 212 acquires the value of the data length countdown register 211 and subtracts a value (the number of bytes) corresponding to the input data amount (one block). In the present embodiment, 64 (bytes) is subtracted. Then, the subtractor 212 stores the subtraction result in the data length countdown register 211.
[0077]
The comparator 213 is connected to the data length countdown register 211 and the bit shift circuit 214. The comparator 213 compares the value stored in the data length countdown register 211 (remaining data amount (byte number) of the message to be processed) with the byte number M of one block (64 (byte) in the present embodiment). Compare. Then, when the number of bytes M of one block of the input data 130 becomes larger, the comparator 213 outputs a signal indicating the padding target block to the bit shift circuit 214.
[0078]
The bit shift circuit 214 is connected to the data length countdown register 211, the comparator 213, and the counter circuit 215. The bit shift circuit 214 is a circuit that realizes division by a power of two by right bit shift. In the present embodiment, a quotient divided by 4 is obtained by performing a right 2 bit shift (discarding the lower 2 bits).
[0079]
That is, when receiving the signal indicating the padding target block from the comparator 213, the bit shift circuit 214 acquires the remaining data amount of the processing target message stored in the data length countdown register 211 at that time. Then, the bit shift circuit 214 shifts the value of the obtained data remaining amount by two bits to the right, and generates a quotient obtained by dividing the data remaining amount (the number of bytes) by four. The bit shift circuit 214 passes the generated value to the counter circuit 215. As a result, a value indicating how many words the data remaining amount of the padding target block is passed to the counter circuit 215.
[0080]
The counter circuit 215 is connected to the input data 130, the bit shift circuit 214, and the pad value setting ROM 218. The counter circuit 215 holds a counter value that is cleared to “0” each time a division quotient is input by the bit shift circuit 214 (when a padding target block is detected). The counter circuit 215 counts up the counter value by one each time one word of the input data 130 is input. The counter circuit 215 compares the stored counter value with the value of the bit shift circuit 214 every time the counter value is counted up. When both values become equal, the counter circuit 215 outputs a signal indicating the start of padding.
[0081]
The remaining data length register 216 is connected to the data length countdown register 211 and the selector 217. The remaining data length register 216 acquires and holds the remaining data length (the number of bytes) stored in the data length countdown register 211. Then, the remaining data length register 216 passes the value of the lower two bits of the remaining data length to the selector 217. In FIG. 5, the least significant bit is indicated as LA [0], and the second bit from the lower order is indicated as LA [1]. The lower two bits of the remaining data length indicate a remainder obtained by dividing the remaining data length by four.
[0082]
The selector 217 is connected to the remaining data length register 216 and the padding value setting ROM 218. The selector 217 outputs a selection signal corresponding to the lower two bits of the remaining data length input from the remaining data length register 216 to the padding value setting ROM 218.
[0083]
The padding value setting ROM 218 is connected to the counter circuit 215, the selector 217, and the OR operation circuit 201. The padding value setting ROM 218 stores a padding value for each of the lower two bits of the remaining data length. When a signal indicating the start of padding is input from the counter circuit 215, the padding value setting ROM 218 outputs the padding value selected by the selection signal input from the selector 217 to the OR operation circuit 201.
[0084]
Next, the internal configuration of the length adding circuit 220 will be described.
The comparator 221 is connected to the data length countdown register 211 and the counter + selector circuit 223. In the comparator 221, a data length (number of bytes) W of one block and a value (number of bytes) Z obtained by subtracting the data length of the data indicating the message length + 1 from the data length W of one block are set in advance. I have. In the present embodiment, the data length of one block is 64 bytes, and the data length of the message is represented by data of 8 bytes (64 bits). Therefore, W = 64 and Z = 55 are set.
[0085]
Each time the data remaining amount LA of the message to be processed stored in the data length countdown register 211 is updated, the comparator 221 compares LA with W and Z, respectively. If Z <LA <W, a length addition position selection signal is output to the counter + selector circuit 223.
[0086]
The comparator 222 is connected to the data length countdown register 211 and the counter + selector circuit 223. The data length Z is set in the comparator 222 in advance. The comparator 222 compares LA and Z each time the remaining data amount LA of the message to be processed stored in the data length countdown register 211 is updated. If LA ≦ Z, a length addition position selection signal is output to the counter + selector circuit 223.
[0087]
The counter + selector circuit 223 receives the input data 130 and is connected to the comparator 221, the comparator 222, and the bit shift circuit 225. The counter + selector circuit 223 holds a counter value that is cleared to “0” when the length addition start signal is output from the comparator 221 or 222. Then, the counter + selector circuit 223 counts up the counter value by one each time one word of the input data 130 is input.
[0088]
The counter + selector circuit 223 has two types of length addition start position information.
The length addition start position designation information is information that is valid when the comparator 221 outputs a length addition position selection signal. This length addition start position designation information is information for designating the position of the last two words of the block next to the padding target block. For example, if one block is 16 words, 31 is set in word units.
[0089]
The other length addition start position designation information is information that is valid when the comparator 222 outputs a length addition position selection signal. This length addition start position designation information is information for designating the position of the last two words of the padding target block. For example, if one block has 16 words, 15 is set in word units.
[0090]
Each time the counter value is counted up, the counter + selector circuit 223 compares the valid length addition position designation information with the counter value. As a result of the comparison, when the values match, the counter + selector circuit 223 outputs a signal indicating the start of length addition to the bit shift circuit 225.
[0091]
The data length storage register 224 receives the data length 110 and is connected to the bit shift circuit 225. The data length storage register 224 holds the input data length 110 and outputs it to the bit shift circuit 225.
[0092]
The bit shift circuit 225 is a circuit that realizes multiplication by a power of two by left bit shift. In the present embodiment, a left 3 bit shift is performed in order to convert a byte unit value into a bit unit. By shifting left three bits, the original value is multiplied by eight. That is, the value in byte units is converted to a value in bit units.
[0093]
Specifically, upon receiving a signal indicating the start of length addition from the counter + selector circuit 223, the bit shift circuit 225 acquires the data stored in the data length storage register 224, and performs a left 3 bit shift process. . As a result, the data length set in byte units is converted into bit units. The bit shift circuit 225 outputs the data of two words representing the data length in bit units to the logical sum operation circuit 201 in two divided words, one word at a time.
[0094]
The above is the internal configuration of the padding circuit 210 and the length adding circuit 220. The input data 130, the output value from the padding value constant ROM 218 of the padding circuit 210, and the output value from the bit shift circuit 225 of the length adding circuit 220 are input to the OR operation circuit 201. The logical sum operation circuit 201 calculates the logical sum of the input data and outputs the result to the message processing circuit 300 as output data 310.
[0095]
The padding and the length are added by the electronic circuit configured as described above.
Here, the correspondence between the value input to the selector 217 and the padding value setting ROM 218 will be described.
[0096]
FIG. 6 is a diagram showing the correspondence between the lower two bits of the data length and the contents of the padding start word.
When the lower two bits of the remaining data length are “00”, the remainder is 0 (byte). That is, the head of the padding word is the padding start position. Therefore, the content of the padding value to be added by the OR operation is “80000000” (hexadecimal notation). If this is converted into bit notation, it becomes "10000000 00000000 00000000 00000000".
[0097]
When the lower two bits of the remaining data length are “01”, the remainder is 1 (byte). That is, the second byte of the padding word is the padding start position. Therefore, the content of the padding value to be added by the OR operation is “00800000” (hexadecimal notation). If this is converted into bit notation, it becomes “00000000 10000000 00000000 00000000”.
[0098]
When the lower 2 bits of the remaining data length are “10”, the remainder is 2 (bytes). That is, the third byte of the padding word is the padding start position. Therefore, the content of the padding value to be added by the OR operation is “00008000” (hexadecimal notation). If this is converted into a bit notation, it becomes "00000000 00000000 10000000 00000000".
[0099]
When the lower 2 bits of the remaining data length are “11”, the remainder is 3 (bytes). That is, the fourth byte of the padding word is the padding start position. Therefore, the content of the padding value to be added by the OR operation is “00000080” (hexadecimal notation). If this is converted into bit notation, it becomes "00000000 00000000 00000000 10000000".
[0100]
The addition of padding and the addition of length are performed by the information adding circuit 200 configured as described above. Here, the operation of the information adding circuit 200 will be described using an example in which the 40-bit message 10 shown in FIG. 4 is input.
[0101]
When the message 10 is input, the value “5” of the length of the message 10 (40 bits) in byte units is input as the data length 110. As the input data 130, the first word 13 of the message 10 is input.
[0102]
First, a value “5” indicating the data length 110 is stored in the data length countdown register 211 and the data length storage register 224. The value stored in the data length countdown register 211 is compared by the comparator 213 with the number of bytes M “64” of one block. In this example, since M is larger, a signal indicating that the block is a padding target is output from the comparator 213 to the bit shift circuit 214.
[0103]
The bit shift circuit 214 that has received the signal acquires the value “5” indicating the remaining data length of the message 10 from the data length countdown register 211, and performs a right two-bit shift process. As a result, a quotient “1” when the remaining data length is divided by “4” is obtained. The quotient “1” is passed to the counter circuit 215.
[0104]
When the first word 13 is input, the block to be padded is detected, and the value of the counter circuit 215 is set to 0. At this time, since “1” is input from the bit shift circuit 214, no signal indicating the start of padding is output. As a result, no padding value is output from padding circuit 210.
[0105]
On the other hand, in the length adding circuit 220, the two comparators 221 and 222 compare the remaining data length LA with predetermined data. In this example, the remaining data length LA is "5", Z is "55", and W is "64". Therefore, the comparison result of the comparator 221 is false (the requirement (Z <LA <W) is not satisfied), but the comparison result of the comparator 222 is true (the requirement (LA ≦ Z) is satisfied). Therefore, the comparator 222 outputs a length addition position selection signal to the counter + selector circuit 223.
[0106]
The counter + selector circuit 223 sets the counter value to “1” when the first word 13 is input from the input data 130. Then, when the length addition position selection signal is output from the comparator 222, the counter + selector circuit 223 causes the length addition start position designation information “15” previously associated with the comparator 222 and the counter value “ 1 "is compared. As a result of the comparison, since the values do not match, no signal indicating the start of length addition is output. As a result, the length data is not output from the length adding circuit 220.
[0107]
By the operations of the padding circuit 210 and the length adding circuit 220 as described above, only the word 13 is input to the OR circuit 201. As a result, the word 13 is output as it is as the output data 310.
[0108]
When the next word 14 is input as the input data 130, the counter value of the counter circuit 215 is counted up to "1". Then, the counter circuit 215 outputs a signal indicating the start of padding to the padding value setting ROM 218.
[0109]
At this time, the value “5” of the data length countdown register 211 is set in the remaining data length register 216. When this value is represented by a bit string, it becomes “101”. In this case, the value of the least significant bit LA [0] is “1”, and the value of the second least significant bit LA [1] is “0”. That is, when the value of “01”, in which the lower two bits of the data length is “01”, is input to the selector 217, a selection signal corresponding to the value is output from the selector 217 to the padding value setting ROM 218.
[0110]
The padding value setting ROM 218 supplies the padding value “00000000 10000000 00000000 00000000” stored in advance in association with the remainder 1 (the lower 2 bits are “01”) obtained by dividing the data length by 4 to the OR circuit 201. Output.
[0111]
On the other hand, in the length adding circuit 220, in response to the input of the word 14, the counter value of the counter + selector circuit 223 is counted up to “2”. Since this counter value has not reached the predetermined value “15”, a signal indicating the start of length addition is not output from the counter + selector circuit 223. As a result, the length data is not output from the length adding circuit 220.
[0112]
By the operations of the padding circuit 210 and the length adding circuit 220 as described above, the word 14 and the padding value output from the padding circuit 210 are input to the OR circuit 201. The logical sum of these values is calculated by the logical sum operation circuit 201, and the output data 310 having the content “01100101 10000000 00000000 00000000” is output.
[0113]
Thereafter, since the content of the message 10 has been completed, words in which all bits are set to “0” are sequentially input as input data 130. From the third word to the fourteenth word, counted in order from the word 13, the data as it is is output as output data 310. During this time, the counter value of the counter + selector circuit 223 is incremented by one sequentially.
[0114]
When the fifteenth word counted from word 13 is input, the counter value of the counter + selector circuit 223 is counted up to “15”. Then, the value “15” set in association with the comparator 222 in the counter + selector circuit 223 matches the counter value, and the counter + selector circuit 223 outputs a signal indicating the start of length addition.
[0115]
Then, “00000000” (hexadecimal notation) for the upper one word of the two-word data indicating the length of the message 10 in bit units is output from the bit shift circuit 225 to the logical sum operation circuit 201. The logical sum of the data of the upper one word indicating the length and the word input as the input data 130 is calculated by the logical sum operation circuit 201 and output as the output data 310.
[0116]
Next, when the 16th word counted from the word 13 is input, the bit shift circuit 225 supplies the OR operation circuit 201 with the lower one word of the two-word data indicating the length of the message 10 in bit units. 0000028 "(hexadecimal notation) is output. The logical sum of the data of the lower one word indicating the length and the word input as the input data 130 is calculated by the logical sum operation circuit 201 and output as the output data 310.
[0117]
In this manner, the padding and the length can be added to the message to be authenticated by the hardware electronic circuit. As a result, the message authentication process can be performed at high speed without imposing a burden on the CPU. Moreover, the consumption of the main memory of the computer is small.
[0118]
A circuit that performs the message authentication process using the present embodiment can be implemented in various devices that perform communication via a network. For example, the present embodiment can be applied to a computer (a personal computer, a server computer, or the like) or a router connected to the Internet.
[0119]
Hereinafter, a hardware configuration example of a computer having a message authentication function according to the present embodiment will be described.
FIG. 7 is a diagram illustrating a hardware configuration example of a computer to which the circuit of the present embodiment is applied. The entire device of the computer 400 is controlled by the CPU 401. A RAM (Random Access Memory) 402, a hard disk drive (HDD: Hard Disk Drive) 403, a graphic processing device 404, an input interface 405, a communication interface 406, and an HMAC operation circuit 407 are connected to the CPU 401 via a bus 408. I have.
[0120]
The RAM 402 temporarily stores at least a part of an OS (Operating System) program and application programs to be executed by the CPU 401. Further, the RAM 402 stores various data necessary for processing by the CPU 401. The HDD 403 stores an OS and application programs.
[0121]
The monitor 11 is connected to the graphic processing device 404. The graphic processing device 404 displays an image on the screen of the monitor 11 according to a command from the CPU 401. The keyboard 12 and the mouse 13 are connected to the input interface 405. The input interface 405 transmits a signal transmitted from the keyboard 12 or the mouse 13 to the CPU 401 via the bus 408.
[0122]
The communication interface 406 is connected to the network 10. The communication interface 406 sends and receives data to and from another computer via the network 10.
[0123]
The HMAC operation circuit 407 is a circuit that performs an HMAC operation on an input message and outputs a message after authentication. For example, when a message to be transmitted via the network 10 is input to the HMAC operation circuit 407, predetermined message processing is performed for each word after padding and length are added, and a message digest is generated. The generated message digest is sent out onto the network 10 via the communication interface 406.
[0124]
With the above hardware configuration, the processing functions of the present embodiment can be realized. For example, a computer that executes IPsec processing by a hardware circuit is provided.
[0125]
Hereinafter, the authentication range of IPsec and the size of the IP packet will be described with reference to FIG. 8, FIG. 9, and FIG. IPsec requires an authentication function to prevent tampering and spoofing of IP packets. IPsec is a group of protocols and is composed of ESP (Encapsulating Security Payload) and AH (Authentication Header).
[0126]
FIG. 8 is a diagram showing an authentication range of the transport mode ESP. FIG. 8A shows an IPv4 packet, and FIG. 8B shows an IPv6 packet.
The IPv4 packet 40 includes an IP header 41, an ESP header 42, a TCP header 43, data 44, an ESP trailer 45, and an ESP authentication header 46. Among them, the ESP header 42, the TCP header 43, the data 44, and the ESP trailer 45 are the authentication range.
[0127]
The IPv6 packet 50 includes an IPv6 header 51, a route control header 52, an ESP header 53, an end point option header 54, a TCP header 55, data 56, an ESP trailer 57, and an ESP authentication header 58. Among them, the ESP header 53, the end point option header 54, the TCP header 55, the data 56, and the ESP trailer 57 are the authentication range.
[0128]
For example, at the time of generating a packet when using the transport ESP, authentication processing using a hash function with a key (HMAC-SHA1, HMAC-MD5) is performed on range information.
[0129]
FIG. 9 is a diagram showing the AH authentication range. The configuration of the AH packet 60 is the same for both IPv4 and IPv6. The AH packet 60 includes an IP header 61, an AH header 62, a TCP header 63, and data 64. All of the AH packets 60 fall within the authentication range. That is, an authentication process using a hash function with a key (HMAC-SHA1, HMAC-MD5) for the entire packet is required.
[0130]
The maximum packet size is determined by the connection medium of the network. For example, the size of an IP packet when a network (IEEE 802.3) called Ethernet (registered trademark) is used as a network connection physical medium will be described.
[0131]
The operation of the present invention will be described using an example of an authentication process of one packet as an example of an IEEE802.3 network. In the authentication processing, the HMAC processing is performed first and last, so that functionally, the hardware processing is performed seamlessly after setting (mode setting such as HMAC processing, MD5 / SHA1 or the like) by the CPU. Done. As a result, it is possible to reduce the CPU load and extract the performance value of the hardware. In addition, authentication processing in which processing is performed in a CPU using a DMAC (Direct Memory Access Controller) can be independently executed.
[0132]
FIG. 10 is a diagram illustrating the IP packet size. As shown in FIG. 10, the IP packet 70 includes an IPv6 header 71, a route control header 72, an end point option header 73, a TCP header 74, and data 75. The maximum IP packet size of a network according to IEEE802.3 having such a configuration is about 1500 bytes (IPv6 header 40 bytes, other 1460 bytes or less).
[0133]
The hash functions MD5 and SHA1, which are authentication algorithms, are 64-byte (512-bit) block functions. Therefore, even for processing of one packet, hash processing is performed more than about 20 times at the maximum. A hash function is also used in key management.
[0134]
If this embodiment is applied to an IP packet having such a data structure, the data communication capability of the Internet or the like can be improved. For example, the hash value function is used in the authentication process of the next-generation protocol IPsec, and the IP packet generation process performs the IP packet authentication operation shown in FIG. The ESP header is used not only for authentication at the IP packet level but also for transmission after encryption. In IPsec, encryption is performed for each packet, and the packet is packed and transmitted in a container called ESP. Note that the latest IPsec version 2.0 has been revised so that both authentication and encryption can be performed by ESP.
[0135]
ESP has two modes, a tunneling mode and a transport mode. The tunneling mode is a procedure for encrypting an IP packet together with a header. The transport mode is a procedure for encrypting only the data portion of an IP packet.
[0136]
In IPsec, two methods, a "transport mode" and a "tunnel mode", are provided depending on a portion to be encrypted. In the transport mode, only the data portion carried by the IP packet is encrypted, and the packet is transmitted with an IP header specifying a destination or the like. On the other hand, in the tunnel mode, a combination of the IP header and the data portion once received from another host is collectively encrypted, and then the IP header is re-attached and transmitted. At the time of transmission, authentication processing is performed after this encryption, and at the time of reception, authentication processing is performed first.
[0137]
Basically, the data size of the upper protocol is limited to the data size of the lower protocol. Therefore, if the lower order is Ethernet (registered trademark), the maximum size of the IP packet to enter is the maximum size (1500 bytes) of the data portion of the MAC frame when the IP packet is not fragmented.
[0138]
FIG. 11 is a flowchart illustrating a procedure of a transmission process based on IPsec. Hereinafter, the processing illustrated in FIG. 11 will be described along with step numbers.
[Step S21] The CPU 401 generates a transmission packet including a transmission message.
[0139]
[Step S22] The CPU 402 performs a packet encryption process. The encrypted message is passed to the HMAC operation circuit 407.
[Step S23] The HMAC operation circuit 407 performs authentication processing (HMAC) of the passed message. As a result, a message digest for authentication is added to the message encrypted by the CPU 401. The encrypted message and the message digest are both passed to the communication interface 406.
[0140]
[Step S24] The communication interface 406 generates a communication frame.
[Step S25] The communication interface 406 transmits the generated frame via the network 10.
[0141]
FIG. 12 is a flowchart showing the procedure of the receiving process by IPsec. Hereinafter, the processing illustrated in FIG. 12 will be described along with step numbers.
[Step S31] The communication interface 406 receives the frame transmitted via the network 10. The received frame is passed to the HMAC operation circuit 407.
[0142]
[Step S32] The HMAC operation circuit 407 authenticates a message in the frame based on the message digest of the received frame. That is, it is confirmed that the message has not been falsified. The correctly authenticated message (encrypted) is passed to the CPU 401.
[0143]
[Step S33] The CPU 401 decrypts the encrypted message and reproduces the original plaintext message.
As described above, in the computer in which the circuit according to the present embodiment is mounted, the authentication processing is performed both at the time of transmission and at the time of reception. Note that the CPU 401 performs complicated protocol processing in addition to encryption processing and authentication processing.
[0144]
As described above, by performing message authentication using a hardware circuit, message authentication can be performed at high speed, and the processing capability of the entire computer can be increased.
[0145]
That is, the processing of the hash function algorithm can be performed by independent hardware without imposing a software load on the CPU. With such dedicated hardware, the occupancy of the CPU can be reduced, and for example, the performance of the entire system can be improved.
[0146]
Specifically, when the authentication process is performed by software, other processes cannot be performed until the CPU 401 completes the authentication process, and the process is kept waiting. On the other hand, by mounting the HMAC operation circuit 407 (hardware circuit dedicated to the hash function) illustrated in FIG. 7, the CPU 401 can perform other processing while the dedicated hardware performs the authentication processing. As a result, the processing time of another application on the computer is reduced.
[0147]
Moreover, the HMAC operation circuit 407 sequentially processes and outputs the input message, so that there is no need to load data into the RAM 402 unlike the operation by the CPU 401. Therefore, the system can provide stable performance without using the storage capacity of the RAM 402 unnecessarily.
[0148]
Note that an authentication circuit such as the HMAC operation circuit 407 can be incorporated in various devices. Therefore, even a device controlled by a CPU that does not have a high degree of arithmetic capability can provide IPsec communication. For example, the authentication circuit can be incorporated in a PDA (Personal Digital (Data) Assistants), a mobile phone, or the like.
[0149]
Next, the effect of shortening the processing time by executing the addition of padding and the addition of length by an electronic circuit will be described.
In the following example, a microcomputer that employs a 32-bit RISC processor for the CPU core and a PLD (Programmable Logic Device) / FPGA that implements a hardware circuit dedicated to “add padding” and “add length” according to the present embodiment. (Field Programmable Gate Array) was used to evaluate the mounting.
[0150]
In the mounting evaluation, test data was input to hardware to which the present embodiment was applied, and output data was compared with known data (RFC1321, FIPS180-1) to confirm that the operation was correct. At that time, a comparison was made between a conventional technique (addition of padding and length addition by software) and the present embodiment (execution of padding and addition of length by hardware). Specifically, the processing speed of processing 1280 bytes of data 1000 times is represented by the total time required for software execution and hardware execution by the CPU, including the register write to the hardware macro. This is a comparison.
[0151]
1. For algorithm MD5
[Software execution time] 11667 (milliseconds)
[Hardware execution time] 1178 (milliseconds)
In this case, software execution time / hardware execution time = 9.92. In other words, execution on dedicated hardware is 9.92 times faster.
[0152]
2. For algorithm HMAC-MD5
[Software execution time] 14067 (milliseconds)
[Hardware execution time] 1206 (millisecond)
In this case, software execution time / hardware execution time = 11.66. In other words, execution on dedicated hardware is 11.66 times faster.
[0153]
3. For algorithm SHA1
[Software execution time] 32000 (milliseconds)
[Hardware execution time] 1473 (milliseconds)
In this case, the software execution time / hardware execution time is 21.73. In other words, execution with dedicated hardware is 21.73 times faster.
[0154]
4. Algorithm HMAC-SHA1
[Software execution time] 38643 (milliseconds)
[Time required for software execution of HMAC-hardware execution of SHA1] 3372 (milliseconds)
[Hardware execution time] 1500 (milliseconds)
In this case, the software execution time / hardware execution time is 25.76. That is, it is 25.76 times faster when both HMAC-SHA1 are executed by dedicated hardware than when both are executed by software.
[0155]
From this result, the effectiveness of the dedicated hardware according to the present embodiment with respect to the related art is clearly understood. From the above results, it can be said that the longer the IP packet length is, the more effective this IPsec hardware processing is.
[0156]
As described above, according to the present embodiment, “addition of padding” and “addition of length” in processing using a hash function and HMAC can be executed by dedicated hardware. Therefore, in the hash function processing and the authentication processing using the hash function, the processing can be speeded up without imposing a load on the CPU, and the processing load on the CPU can be greatly reduced.
[0157]
Further, the memory capacity required for padding and adding a length can be reduced.
Furthermore, since the CPU occupancy for padding and adding a length is reduced, reliable performance can be guaranteed even when functioning as a system. In addition, high-speed processing can be performed even with an inexpensive microcomputer, which is effective in reducing costs.
[0158]
(Supplementary Note 1) In a message digest generation circuit that generates a message digest,
A message input circuit that divides a message into data of a predetermined data length and sequentially inputs the data from the beginning, and inputs length information indicating the length of the message,
A padding circuit that determines the last data of the message in accordance with the total amount of the data and the length information input in the message input circuit, and outputs padding following the last data.
Determining the end position of the padding according to the total amount of the data input by the message input circuit and the padding output by the padding circuit, and adding a length to output the length information following the padding Circuit and
A message digest generation circuit comprising:
[0159]
(Supplementary Note 2) The padding circuit subtracts the capacity of the data input from the message input circuit from the length information sequentially, and a subtraction result of the subtractor is set to a data length of one block or less. The message digest generation circuit according to claim 1, further comprising: a comparator that outputs a signal indicating the padding target block when the message digest is generated.
[0160]
(Supplementary Note 3) The message input circuit outputs a signal indicating block switching each time the data for one block is input,
3. The message digest generation circuit according to claim 2, wherein the subtractor subtracts the data length of the one block from the length information when the signal indicating the block switching is output.
[0161]
(Supplementary Note 4) The message input circuit sets the size of the data to N bytes (N is a natural number),
The padding circuit, when a signal indicating the padding target block is output from the comparator, divides the subtraction result of the subtractor by N, then counts the number of times the data is input, and counts the value. 3. The message digest generation circuit according to claim 2, wherein when the value of the quotient by the division reaches the value, the padding corresponding to the value of the remainder by the division is output following the input data.
[0162]
(Supplementary Note 5) The message input circuit sets the size of the data to 2 ⁿ Bytes (n is a natural number)
5. The message according to claim 4, wherein the padding circuit has a bit shift circuit that shifts the subtraction result of the subtractor to the right by n bits, and uses a shift result by the bit shift circuit as the division result. Digest generation circuit.
[0163]
(Supplementary Note 6) The message input circuit sets the size of the data to 2 ⁿ Bytes (n is a natural number)
The padding circuit includes a storage device in which the padding value is stored in association with each of numerical values represented by n bits, and a padding value output from the storage device according to a value of lower n bits of the subtraction result of the subtractor. 5. The message digest generation circuit according to claim 4, further comprising: a selector for selecting the message digest.
[0164]
(Supplementary Note 7) The length adding circuit outputs the data corresponding to a data amount obtained by subtracting a data length of the length information from a multiple of a data length of one block and the padding, and then outputs the length. 3. The message digest generating circuit according to claim 1, wherein the message digest generating circuit outputs the information.
[0165]
(Supplementary note 8) In a padding circuit for adding padding to a message,
When the message is divided into data of a predetermined data length and sequentially input from the beginning, and when length information indicating the length of the message is input, the total amount of the input data and the length information become A determining circuit for determining the last data of the message accordingly;
A padding output circuit that outputs padding following the last data determined by the determination circuit;
A padding circuit comprising:
[0166]
(Supplementary Note 9) The judgment circuit is configured to sequentially subtract the capacity of the input data from the length information, and to perform padding when the subtraction result of the subtractor becomes equal to or less than the data length of one block. The padding circuit according to claim 8, further comprising: a comparator that outputs a signal indicating the target block.
[0167]
(Supplementary Note 10) The data is in units of N bytes (N is a natural number),
The determination circuit, when a signal indicating the padding target block is output from the comparator, divides the subtraction result of the subtractor by N, and then counts the number of times the data is input,
The padding output circuit according to claim 9, wherein the padding output circuit outputs padding according to the value of the remainder after the division following the input data when the counted value reaches the value of the quotient by the division. Padding circuit.
[0168]
(Supplementary Note 11) In a communication device that transmits an authenticated message,
A CPU for generating a message to be transmitted;
A message input circuit for dividing the message generated by the CPU into data of a predetermined data length and inputting the data in order from the beginning, and inputting length information indicating the length of the message;
A padding circuit that determines the last data of the message in accordance with the total amount of the data and the length information input in the message input circuit, and outputs padding following the last data.
Determining the end position of the padding according to the total amount of the data input by the message input circuit and the padding output by the padding circuit, and adding a length to output the length information following the padding Circuit and
A message processing circuit that generates a message digest based on the message input from the message input circuit, padding output from the padding circuit, and length information output from the length adding circuit;
A communication device comprising:
[0169]
(Supplementary Note 12) In a message authentication method for performing message authentication processing,
Generating a message to be transmitted by the CPU,
The message input circuit divides the message generated by the CPU into data of a predetermined data length and inputs the data to the padding circuit sequentially from the beginning, and inputs length information indicating the length of the message to the padding circuit. ,
The padding circuit determines the last data of the message according to the total amount of the data and the length information input by the message input circuit, and outputs padding following the last data.
A length adding circuit determines an end position of the padding according to a total amount of the data input by the message input circuit and the padding output by the padding circuit, and determines the length information following the padding. And output
The message processing circuit generates a message digest based on the message input from the message input circuit, the padding output from the padding circuit, and the length information output from the length adding circuit.
A message authentication method, comprising:
[0170]
【The invention's effect】
As described above, in the present invention, the padding circuit determines the last data of the message, outputs padding following the last data, and the length addition circuit determines the end position of the padding, and continues the padding. Output length information. As a result, padding and length information can be added to the input message without imposing a load on the CPU.
[Brief description of the drawings]
FIG. 1 is a diagram showing a schematic configuration of a message digest generation circuit according to the present embodiment.
FIG. 2 is a diagram showing a data structure of a divided message.
FIG. 3 is a schematic flowchart of a process performed by an information adding circuit.
FIG. 4 is a diagram illustrating an example of padding addition and length addition processing.
FIG. 5 is a diagram showing an internal configuration of an information adding circuit.
FIG. 6 is a diagram showing a correspondence relationship between lower two bits of a data length and the contents of a padding start word.
FIG. 7 is a diagram illustrating an example of a hardware configuration of a computer to which the circuit of this embodiment is applied.
FIG. 8 is a diagram showing an authentication range of a transport mode ESP. FIG. 8A shows an IPv4 packet, and FIG. 8B shows an IPv6 packet.
FIG. 9 is a diagram showing an AH authentication range.
FIG. 10 is a diagram showing an IP packet size.
FIG. 11 is a flowchart showing a procedure of transmission processing by IPsec.
FIG. 12 is a flowchart illustrating a procedure of a reception process by IPsec.
[Explanation of symbols]
100 Message input circuit
200 Information addition circuit
210 padding circuit
220 Length addition circuit
300 Message processing circuit

Claims (10)

In a message digest generation circuit for generating a message digest,
A message input circuit that divides a message into data of a predetermined data length and sequentially inputs the data from the beginning, and inputs length information indicating the length of the message,
A padding circuit that determines the last data of the message in accordance with the total amount of the data and the length information input in the message input circuit, and outputs padding following the last data.
Determining the end position of the padding according to the total amount of the data input by the message input circuit and the padding output by the padding circuit, and adding a length to output the length information following the padding Circuit and
A message digest generation circuit comprising: The padding circuit includes a subtracter for sequentially subtracting the data capacity input from the message input circuit from the length information, and a subtractor that reduces a data length of one block or less. 2. The message digest generation circuit according to claim 1, further comprising: a comparator that outputs a signal indicating the padding target block. The message input circuit outputs a signal indicating block switching each time the data for one block is input,
3. The message digest generation circuit according to claim 2, wherein the subtractor subtracts the data length of the one block from the length information when the signal indicating the block switching is output. The message input circuit sets the size of the data to N bytes (N is a natural number),
The padding circuit, when a signal indicating the padding target block is output from the comparator, divides the subtraction result of the subtractor by N, then counts the number of times the data is input, and counts the counted value. 3. The message digest generating circuit according to claim 2, wherein when the value of the quotient by the division reaches the value, the padding corresponding to the value of the remainder by the division is output following the input data. The message input circuit sets the size of the data to 2 ⁿ bytes (n is a natural number),
5. The padding circuit according to claim 4, wherein the padding circuit includes a bit shift circuit that shifts the subtraction result of the subtractor to the right by n bits, and sets a shift result by the bit shift circuit as the division result. 6. Message digest generation circuit. The message input circuit sets the size of the data to 2 ⁿ bytes (n is a natural number),
The padding circuit includes a storage device in which the padding value is stored in association with each of numerical values represented by n bits, and a padding value output from the storage device according to a value of lower n bits of the subtraction result of the subtractor. 5. The message digest generation circuit according to claim 4, further comprising: a selector for selecting the message digest. The length adding circuit outputs the length information after outputting the data and the padding corresponding to the data amount obtained by subtracting the data length of the length information from a multiple of the data length of one block. 2. The message digest generation circuit according to claim 1, wherein: In a padding circuit that adds padding to a message,
When the message is divided into data of a predetermined data length and sequentially input from the beginning, and when length information indicating the length of the message is input, the total amount of the input data and the length information become A determining circuit for determining the last data of the message accordingly;
A padding output circuit that outputs padding following the last data determined by the determination circuit;
A padding circuit comprising: The determination circuit indicates a subtractor for sequentially subtracting the capacity of the input data from the length information, and indicates a padding target block when the subtraction result of the subtractor becomes equal to or less than the data length of one block. The padding circuit according to claim 8, further comprising a comparator that outputs a signal. The data is in units of N bytes (N is a natural number),
The determination circuit, when a signal indicating the padding target block is output from the comparator, divides the subtraction result of the subtractor by N, and then counts the number of times the data is input,
10. The padding output circuit according to claim 9, wherein when the counted value reaches the value of the quotient by the division, the padding output circuit outputs padding according to the value of the remainder by the division following the input data. Padding circuit.

Images