High-performance, Low-latency Secure Communication
The integration of the TCP Offload Engine (PTU) and the Cryptographic Engine accelerates and offloads the computational processing required for encryption, authentication, and signing in SSL/TLS via hardware processing.
This enables complete hardware offloading of record layer processing. Consequently, user applications only need to prepare the data they wish to send and receive securely, dramatically reducing CPU load.
Furthermore, by offloading per-packet TLS encryption and tunneling between endpoints and the network to hardware, secure communication and VPNs are achieved with high performance and low latency.

Integration with the TCP Offload Engine
Our SSL/TLS offload engine is a hardware protocol stack with tightly integrated TCP/IP offload and cryptographic engines, enabling high-speed data transmission and reception processing to be completed entirely in hardware.
Even when dedicated hardware is used for encryption, the TCP/IP protocol is typically implemented in software, resulting in memory transfers before and after encryption (left diagram).
However, using our TLS-extended TCP offload engine enables inline handover with the TCP/IP protocol, eliminating memory transfers for encrypted data (right diagram).


OpenSSL Integration
Intellectual Highway’s SSL/TLS offload engine integrates with the OpenSSL software stack, accelerating any server application that uses OpenSSL. With the driver we provide, the FPGA PTU handles SSL/TLS packet transmission and reception as the OpenSSL backend. At this time, all SSL/TLS processing, along with the processing of the underlying protocol layers, is performed in hardware.
Furthermore, since the PTU supports all protocols beyond SSL/TLS, it enables transmission and reception from the FPGA board’s Ethernet port equivalent to that of a NIC.


Virtualization and multi-tenant support
The SSL/TLS offload engine supports SR-IOV (Single-Root I/O Virtualization), enabling multiple VMs and containers to utilize the full performance of the offload engine without software overhead. This allows for multi-tenant usage, where a single physical machine can serve multiple customers.

Use case: SSL/TLS Proxy (HTTPS Proxy)
As a proxy server, the engine reliably converts plaintext communications (e.g., HTTP) from client machines to secure protocols (e.g., HTTPS) in hardware. This reduces the load of HTTPS encryption processing on client machines while ensuring all external communications are encrypted, thereby enhancing security. Internal intranet traffic remains plaintext, simplifying security management.


This demonstration converts HTTP access from clients to HTTPS using a PTU on an FPGA, replacing server-to-server communication with TLS communication. Captured logs show that the communication has been TLS-encrypted.

Major Specifications

| Item | Specification |
| --- | --- |
| SSL/TLS | Version: TLS1.3; Data Encryption/Decryption: AES128, AES192, AES256; Message Authentication: GCM, SHA2; Key Exchange: RSA, Diffie-Hellman |
| Performance | Throughput: up to 50-100Gbps (depends on number of sessions) |
| Target devices | Altera: Agilex5/7 series, supports Open FPGA Stack (OFS); AMD: UltraScale+ series, Versal series, supports Vitis environments |

Evaluation licenses and research licenses are available; please contact us.
