Accelerate your secure server with the TLS 1.3 Server 10 Gbps IP Core (TLS10GS-IP)

Discover how this IP Core revolutionizes security and performance by offloading encryption and decryption tasks, ensuring optimal bandwidth utilization and data integrity.

Learn about the key features of TLS 1.3, including support for advanced cipher suites and encryption methods.

Witness real-world performance demonstrations showcasing near 10 Gbps transfer speeds and CPU optimization.

High-performance secure servers are designed to handle large volumes of data efficiently.

However, ensuring security without compromising performance is a significant challenge.

In secure connections such as HTTPS, TLS 1.3 is used to establish the connection. TLS encrypts and protects data before it is sent between the client and server, which makes it far harder for an attacker to intercept or read the data, but it also adds work for both the client and the server.

In PC-based systems, the CPU is responsible for encrypting data before transmission across the network and for decrypting received data before further processing. These cryptographic tasks can consume a large share of CPU resources, sometimes reaching 100% CPU usage, which in turn limits the transfer speed. For example, the transfer speed can drop to 60% in half-duplex mode.

In high-speed networks, CPU limitations become the bottleneck of the system and prevent the system from achieving the full bandwidth capacity for data transfer.

DG offers the TLS 1.3 10G IP core as a hardware-accelerated solution for implementing TLS 1.3 over 10 Gigabit Ethernet, handling the handshake, encryption, and decryption entirely in hardware without loading the CPU.

By using our TLS 1.3 10G Server IP core, your secure server can reach transfer speeds approaching 10 Gbps.

Your CPU remains free to handle other tasks while security and high-speed data transfer are maintained, making the TLS 1.3 Server IP Core ideal for high-performance, highly secure servers.

Key Features

Let’s look at the key features of the TLS 1.3 Server IP (TLS10GS-IP).

  • Support for the cipher suite TLS_AES_256_GCM_SHA384
  • Key exchange using X25519
  • Key derivation with HKDF and SHA-384
  • AES-256-GCM for encryption/decryption
  • RSA-2048 certificates
  • rsa_pss_rsae_sha256 as the signature algorithm
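The HKDF-SHA384 key derivation listed above is the part of the cipher suite that ties the handshake to the AES-256-GCM record keys, and it is worth seeing in full. The following is an added example written for this page; it is not DG's code and not the IP core's implementation. It runs the no-PSK TLS 1.3 key schedule from RFC 8446 section 7.1 with the standard library only, going one step beyond the feature list by deriving the master secret, the application traffic keys and the per-record AES-GCM nonce as well. The X25519 shared secret and the handshake transcripts are constructed placeholders (Python's standard library has neither X25519 nor AES-GCM), and `rfc5869_known_answer_ok` checks the HKDF building blocks against the SHA-256 vector in RFC 5869 Appendix A.1.

```python
# Added example (not DG's code): the TLS 1.3 key schedule for the
# TLS_AES_256_GCM_SHA384 cipher suite, built from the standard library only.
import hashlib
import hmac
import struct

HASH = hashlib.sha384
HASH_LEN = HASH().digest_size   # 48 bytes: every TLS 1.3 secret has this size
AES_256_KEY_LEN = 32            # AES-256-GCM key
GCM_IV_LEN = 12                 # AES-GCM static IV; the per-record nonce is derived from it


def hkdf_extract(salt: bytes, ikm: bytes, hash_fn=HASH) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM). Empty salt means a zero key."""
    if not salt:
        salt = bytes(hash_fn().digest_size)
    return hmac.new(salt, ikm, hash_fn).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_fn=HASH) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_fn).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 7.1): the info field is the HkdfLabel structure."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    """Derive-Secret: the context is the transcript hash of the handshake so far."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def traffic_keys(traffic_secret: bytes) -> dict:
    """Turn a traffic secret into the AES-256-GCM key and static IV."""
    return {
        "key": hkdf_expand_label(traffic_secret, "key", b"", AES_256_KEY_LEN),
        "iv": hkdf_expand_label(traffic_secret, "iv", b"", GCM_IV_LEN),
    }


def key_schedule(ecdhe_shared: bytes, hs_transcript: bytes, full_transcript: bytes) -> dict:
    """Run the no-PSK schedule: early -> handshake -> master secret, then the
    handshake and application traffic keys for client (c) and server (s)."""
    early_secret = hkdf_extract(b"", bytes(HASH_LEN))        # no PSK: IKM is all zeros
    handshake_secret = hkdf_extract(derive_secret(early_secret, "derived", b""), ecdhe_shared)
    master_secret = hkdf_extract(derive_secret(handshake_secret, "derived", b""), bytes(HASH_LEN))
    out = {}
    for side in ("c", "s"):
        hs = derive_secret(handshake_secret, f"{side} hs traffic", hs_transcript)
        ap = derive_secret(master_secret, f"{side} ap traffic", full_transcript)
        out[side] = {"handshake": traffic_keys(hs), "application": traffic_keys(ap)}
    return out


def record_nonce(iv: bytes, seq: int) -> bytes:
    """Per-record AES-GCM nonce (RFC 8446 5.3): IV XOR the left-padded 64-bit sequence number."""
    padded = seq.to_bytes(GCM_IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(iv, padded))


def rfc5869_known_answer_ok() -> bool:
    """Check HKDF-Extract/Expand against RFC 5869 Appendix A.1 (SHA-256 test case 1)."""
    ikm, salt, info = b"\x0b" * 22, bytes(range(13)), bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm, hashlib.sha256)
    okm = hkdf_expand(prk, info, 42, hashlib.sha256)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")


if __name__ == "__main__":
    # Constructed inputs: a real endpoint gets the shared secret from X25519 and the
    # transcripts from the actual handshake bytes; neither is reproduced here.
    shared = bytes(range(32))
    hs_transcript = b"ClientHello|ServerHello (constructed)"
    full_transcript = hs_transcript + b"|EncryptedExtensions|Certificate|CertificateVerify|Finished"
    keys = key_schedule(shared, hs_transcript, full_transcript)
    for side in ("c", "s"):
        print(side, "handshake key:", keys[side]["handshake"]["key"].hex())
        print(side, "application iv:", keys[side]["application"]["iv"].hex())
    print("RFC 5869 known answer:", rfc5869_known_answer_ok())
```

Two details matter when checking an implementation against this schedule: the `"tls13 "` prefix in `hkdf_expand_label` (a missing space or wrong case silently produces different keys), and the fact that the handshake and application secrets are bound to different transcript hashes, so a key derived from the wrong transcript fails authentication on the first record rather than at key derivation time.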

TLS 1.3 10G Server Performance

Let’s take a closer look at the transfer speeds for both half-duplex and full-duplex scenarios.

When transferring data between a web browser and either the node.js server or TLS10GS, we observe a transfer speed of only 7600 Mbps, even in half-duplex mode.

This limitation is attributed to the encryption and decryption processes occurring during data transfer.

To optimize the data transfer speed, we use specialized test software as the client. This software separates the encryption and transmission tasks in Tx mode, and the reception and decryption tasks in Rx mode.

In half-duplex mode, we achieve transfer speeds nearing 10 Gbps with 100% usage of the Intel i7 CPU.

However, in full-duplex mode we observe a decrease in transfer speed. This suggests that the CPU struggles to handle receiving and transmitting concurrently over a secure connection, which prevents it from sustaining 10 Gbps throughput.

By leveraging DG’s TLS10Gx solution to offload encryption/decryption tasks, we can effectively restore transfer speeds to nearing 10 Gbps in both full-duplex and half-duplex scenarios.

The performance summary is shown in the comparison table. Our TLS 1.3 10G Server IP Core frees the CPU for other essential tasks and achieves nearly 10,000 Mbps when our TLS 1.3 IP Core is used on both the server and client side.

Example applications

“Aerospace Telemetry” is one of the most mission-critical applications; it must ensure the integrity and confidentiality of sensitive in-flight data streams from space remote sensors to ground storage.

FPGA-accelerated TLS 1.3 outpaces software-only solutions, safeguarding critical flight information.

Another example is “Medical Device Connectivity”, where highly confidential patient data must be protected in transit between medical devices and healthcare or data storage systems.

Our TLS 1.3 IP solution provides the robust encryption and authentication mechanisms needed to comply with stringent healthcare regulations and safeguard patient privacy.

TLS10GS Demo Setup

Now, let’s dive into the practical demonstration of TLS10GS on the ZCU102 FPGA board.

Through this demo, we’ll showcase the functionality and performance of TLS10GS in real-world scenarios, including interactions with PC-based clients and other FPGAs.

Our demo setup features an FPGA board equipped with the TLS10GS IP core, connected to a 10 Gigabit Ethernet network.

During the demo, we’ll showcase how users can interact with TLS10GSdemo using a web browser, transfer data with a specialized client application, and compare performance across two FPGA boards.

Users can configure the network parameters, the server’s certificate, and the RSA private key via the serial console.

TLS10GSdemo is designed to show that TLS10GS-IP can handle a TLS 1.3 connection in the same way as the example node.js server.

TLS10GSdemo is capable of receiving a data pattern from the web browser and displaying the TLS payload. This mirrors the process where the node.js server receives data from the web browser.

Users can request data with an HTTP GET request from a web browser, and the displayed result is identical to the node.js server’s response.

During large data downloads, transfer speeds may decrease due to encryption and decryption processes.

As you can see, the transfer speed reaches only 954 MBps, or approximately 7600 Mbps, on a 10G Ethernet connection. To analyze the transfer speed further, we use a specialized “client” application optimized for peak throughput.

The “client” application encrypts all data before transmission over the network in Tx mode, and in Rx mode it decrypts only the last data block and verifies the total received data size once reception has finished.

This approach ensures that the CPU does not handle encryption and transmission at the same time in Tx mode, or reception and decryption at the same time in Rx mode.

Through half-duplex (download/upload) testing, we observe transfer speeds nearing 10 Gbps, accompanied by near full CPU utilization, as monitored by the PC’s task manager.

In full-duplex mode, we observe a reduction in transfer speed between the “client” application and TLS10GSdemo.

This decline points to a CPU limitation in handling reception, transmission, and cryptographic tasks simultaneously, which prevents the throughput from being sustained at the targeted 10 Gbps.

To remove the CPU limitation, we run transfer speed tests between two FPGA boards.

TLS10GSdemo, implemented on ZCU102, serves as the server, while TLS10GCdemo, implemented on ZCU106, operates as the client.

This setup allows us to evaluate the performance of TLS10GS in a real-world scenario, free from CPU constraints.

By offloading all cryptographic tasks, including encryption and decryption, to hardware, we achieve a throughput of 9360 Mbps, which is the maximum achievable TCP/IP throughput in this demonstration scenario.

Elevate your server’s security and speed with DG’s TLS10GS-IP Core. Contact us for more information.