IPSECCO: A Lightweight and Reconfigurable IPSec Core

Benedikt Driessen, Tim Güneysu, Elif Bilge Kavun, Oliver Mischke, Christof Paar, Thomas Pöppelmann
Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany
{benedikt.driessen, tim.gueneysu, elif.kavun, oliver.mischke, christof.paar, thomas.poeppelmann}@rub.de

Abstract—In this paper we propose a reconfigurable lightweight Internet Protocol Security (IPSec) hardware core. Our architecture supports the main IPSec protocols, namely Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). In this work, the cryptographic algorithms and their modes of operation, which are at the heart of the IPSec protocols, are implemented in hardware. Instead of re-implementing common IPSec configurations, which are deemed "too heavy" for pervasive devices, we evaluate efficient implementations of standardized and/or well-known lightweight and hardware-friendly algorithms. In particular, we examine different versions of PRESENT, GRØSTL, PHOTON, and a very compact ECC core. As a consequence, we present IPSECCO, a core with adequate security and only moderate resource requirements, making it suitable for lightweight devices. We selected the Xilinx Spartan family of Field Programmable Gate Arrays (FPGA) as target platform due to its low-power footprint and reduced costs compared to other FPGAs. Our results show that it is possible to realize a high-performance IPSec core even on members of the Spartan-3 family.

Keywords—Lightweight; IPSec; FPGA; Reconfigurability

I. INTRODUCTION

With the technological development in today's world, more and more computing devices enter the market, and many of them are connected over the Internet or local networks in order to communicate with each other. An increasing number of these devices are resource-constrained devices used in pervasive computing applications.
These lightweight devices also need to connect to the Internet for device-to-device communication and product updates, mostly over a wireless network. There must be a common language for devices across networks to share information with each other. The Internet Protocol (IP) [1]–[3] is the primary communication protocol for transferring data between parties across a network. It defines the datagram structures that encapsulate the data to be delivered. For resource-constrained environments like embedded systems, there is even a lightweight version of IP, namely lwIP [4], which reduces the resource utilization.

The rapid increase in the utilization of computing devices has led to security problems, especially in communication over networks. Nowadays, many devices require authentication and encryption of the data they receive and send. The same holds for area-constrained devices, many of which handle critical data. For devices with no resource limitation, a security enhancement to IP, called IPSec [5]–[7], has already been proposed. IPSec defines a family of protocols to provide security services such as confidentiality (to prevent undesired access to the transmitted data), data integrity (to make sure that the transferred data is not changed), and authentication (to identify the information source). In IPSec, different protocols provide the services mentioned above. For instance, the Authentication Header (AH) protocol provides data authentication. The Encapsulating Security Payload (ESP) protocol defines mechanisms for confidentiality and data integrity. Finally, the Internet Key Exchange (IKE) protocol is used for establishing secure connections. These protocols use different cryptographic primitives such as encryption, hashing and modular arithmetic in order to provide these security services.
A minimum set of algorithms, which must be supported in an IPSec implementation of the AH, ESP, and IKE protocols, was defined in "Cryptographic Suites for IPSec" [6], [7] for standardization purposes. For example, in "Cryptographic Suite B" [7], the AES [8] cipher is used in Galois/Counter Mode (GCM) [9] to provide authenticated encryption. The Hashed Message Authentication Code (HMAC) [10] construction is used with the Secure Hash Algorithm (SHA) [11] for AH services. For exchanging keys between parties, IKE uses the Diffie-Hellman key exchange [12]. However, none of these recommendations are actually targeted at resource-constrained devices. To the best of our knowledge, there exists no standardized lightweight IPSec protocol in the literature.

In this paper, in order to obtain a lightweight IPSec core, we exchange the regular algorithms for lightweight ones, i.e., standardized and/or well-known lightweight algorithms. For instance, instead of AES we use PRESENT [13], which is already standardized by ISO/IEC [14]. As hash functions we evaluate the SHA-3 candidate GRØSTL [15] and the lightweight proposal PHOTON [16], which uses the PRESENT S-box.

Due to the lightweight device constraints already mentioned, a lightweight crypto core must be low-cost and low-power. Software solutions suffer from low performance (when compared to hardware), and some hardware implementations, such as ASIC (Application-Specific Integrated Circuit) implementations, lack the flexibility and programmability offered by software. Hence, using an FPGA platform for the designed hardware core seems to be the ideal way to achieve both our goals and reconfigurability. We implement both the encryption/hashing algorithms and the modes of operation in hardware. Selecting Xilinx Spartan FPGAs as the target platform provides reconfigurability, so we can switch between different lightweight algorithms or implementations depending on our needs with little effort. For these platforms,