Cryptographic data communication apparatus

Abstract

In one embodiment, data communication apparatus includes a network interface for connection to a network and configured to receive a sequence of data packets from a remote device over the network, the sequence including data blocks, ones of the data blocks having block boundaries that are not aligned with payload boundaries of the packets, and packet processing circuitry to cryptographically process the data blocks using a block cipher so as to write corresponding cryptographically processed data blocks to a memory, while holding segments of respective ones of the received data blocks in the memory, such that the packet processing circuitry stores a first segment of a data block of a first packet in the memory until a second packet is received, and then cryptographically processes the first and second segments together so as to write a corresponding cryptographically processed data block to the memory.

Claims

1. Data communication apparatus, comprising: a network interface which comprises one or more ports for connection to a packet data network and is configured to receive a sequence of data packets from a remote device over the packet data network via the one or more ports responsively to a data transfer request, the received sequence including received data blocks, ones of the received data blocks having block boundaries that are not aligned with payload boundaries of the packets, such that respective ones of the received data blocks are divided into two respective segments contained in successive respective ones of the packets in the sequence; and packet processing circuitry configured to cryptographically process the received data blocks using a block cipher so as to write corresponding cryptographically processed data blocks to a memory, while holding segments of respective ones of the received data blocks in the memory, such that the packet processing circuitry stores a first segment of a respective one of the received data blocks of a first one of the packets in the memory until a second one of the packets is received via the network interface, and then cryptographically processes the first and second segments together so as to write a corresponding cryptographically processed data block to the memory, wherein the packet processing circuitry is configured to: find that the second segment is a partial block; and retrieve the first segment from the memory, and cryptographically process the first and second segments together as a whole block using the block cipher, responsively to the second segment being a partial block.

2. The apparatus according to claim 1, further comprising a host interface configured to be connected to a host computer having a processing unit configured to manage fulfilment of the data transfer request, wherein the packet processing circuitry is configured to cryptographically process the received data blocks using the block cipher so as to write the corresponding cryptographically processed data blocks to the host computer via the host interface, while holding segments of respective ones of the received data blocks in the memory, such that the packet processing circuitry stores the first segment of the respective received data block of the first packet in the memory until the second packet is received via the network interface, and then cryptographically processes the first and second segments together so as to write the corresponding cryptographically processed data block to the host computer via the host interface.

3. The apparatus according to claim 1, wherein each of the data packets includes whole data blocks for cryptographically processing by the block cipher.

4. The apparatus according to claim 1, wherein the packet processing circuitry is configured to: read cryptographic parameters registered in the memory by a processing unit, the cryptographic parameters including an initial cryptographic key and an initial value; compute a first cryptographic key responsively to the initial cryptographic key and the initial value; cryptographically process a first block of the received data blocks responsively to the first cryptographic key; compute an updated value responsively to the initial value and a size of the first block; compute a second cryptographic key responsively to the initial cryptographic key and the updated value; cryptographically process a second block of the received data blocks responsively to the second cryptographic key; and write the cryptographically processed first block and second block to the memory.

5. The apparatus according to claim 4, wherein the updated value is indicative of a storage location of the second block.

6. The apparatus according to claim 1, wherein the packet processing circuitry is configured to encrypt the received data blocks using the block cipher so as to write corresponding ciphertext data blocks to the memory.

7. The apparatus according to claim 6, wherein the packet processing circuitry is configured to: compute respective signatures of the received data blocks or the ciphertext data blocks; and write the computed signatures to the memory.

8. The apparatus according to claim 1, wherein the packet processing circuitry is configured to decrypt the received data blocks using the block cipher so as to write corresponding plaintext data blocks to the memory.

9. The apparatus according to claim 8, wherein the packet processing circuitry is configured to: authenticate respective signatures of the received data blocks or the plaintext data blocks; and write respective ones of the plaintext data blocks to the memory responsively to respective ones of the signatures being authenticated.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) The present invention will be understood from the following detailed description, taken in conjunction with the drawings in which:

(2) FIG. 1 is a block diagram view of data communication system constructed and operative in accordance with an embodiment of the present invention;

(3) FIG. 2 is a flowchart including steps in a method of cryptographically processing data blocks for sending in packets to a remote device in the system of FIG. 1;

(4) FIG. 3 is a flowchart including steps in a method of cryptographically processing data blocks for sending in a first packet in the system of FIG. 1;

(5) FIG. 4 is a block diagram illustrating the method of the flowchart of FIG. 3;

(6) FIG. 5 is a flowchart including steps in a method of cryptographically processing data blocks for sending in a second packet in the system of FIG. 1;

(7) FIG. 6 is a block diagram illustrating the method of the flowchart of FIG. 5;

(8) FIG. 7 is a flowchart including steps in a method of key computation in the system of FIG. 1;

(9) FIG. 8 is a flowchart including steps in a method of cryptographically processing data blocks of received packets in the system of FIG. 1;

(10) FIG. 9 is a flowchart including steps in a method of cryptographically processing data blocks of a first packet in the system of FIG. 1;

(11) FIG. 10 is a block diagram illustrating the method of the flowchart of FIG. 9;

(12) FIG. 11 is a flowchart including steps in a method of cryptographically processing data blocks of a second packet in the system of FIG. 1; and

(13) FIG. 12 is a block diagram illustrating the method of the flowchart of FIG. 11.

DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

(14) Data may be stored in a storage device in an encrypted form using a self-encrypting disk to protect the data at rest. When data is retrieved from the storage device by an authorized entity, for example, based on an RDMA request, the data may be decrypted by the storage device. Encryption and decryption by the storage device may be inefficient and involve additional latency.

(15) One solution is to perform encryption of data to be stored (and/or decryption of data retrieved from storage) in data communication apparatus such as a network interface controller (NIC). The encryption and/or decryption may be performed as part of the packet processing pipeline. For example, data retrieved from a local storage device for sending to a remote device, may be decrypted in the NTC and then packetized for sending over a network to the remote device. Data received from a local host for storing in a remote storage device may be encrypted in the NIC and then packetized for sending over the network to the remote storage device. In another example, packets received from a remote device for storing in a local storage device may be encrypted in the NIC for storage in the local storage device. Packets received from a remote storage device may be decrypted in the NIC for transferring to a local host.

(16) The data stored in the storage device may be stored in blocks having sizes which are defined by the storage device, for example, in blocks of 512 or 520 bytes. However, when the data is encrypted using a block cipher (e.g., using AES or any suitable block cipher), the block size (e.g., 16 bytes) of the block cipher may not align with the size of the storage blocks. Additionally, the packets used to transfer the data across the network may not comply with either the block cipher size or the block size used by the storage device. In some applications the payload size of the packets may be fixed or may be dynamic. The above creates a problem when performing encryption and decryption in the NIC, which is generally processing data according to packet size.

(17) Embodiments of the present invention solve the above problems by providing data communication apparatus that detects partial data blocks in data received from a memory (e.g., from a host memory of a host computer) and requests additional data so that whole blocks conforming with the size of the block cipher may be cryptographically processed (e.g., encrypted or decrypted) by the block cipher. Some of the cryptographically processed data blocks may be non-aligned with packet boundaries of packets to which the cryptographically processed data blocks are to be added. Therefore, the non-aligned blocks are split into respective segments with one segment being included in one packet and the other segment being included in a subsequent packet.

(18) When packets are received by the data communication apparatus, the packets may similarly include one or more partial data blocks. The data communication apparatus cryptographically processes (e.g., encrypts or decrypts) the whole data blocks conforming with the size of the block cipher and writes the cryptographically processed whole data blocks to memory (for example, to the host memory of the host computer). A partial block may be stored in memory until the next packet is received. The stored partial block is then retrieved from memory and cryptographically processed (e.g., encrypted or decrypted) with a partial block from the next packet so that a whole data block conforming with the size of the block cipher is cryptographically processed and written to memory (for example, to a host memory or a host computer).

(19) In some embodiments, cryptographically processing may include computing signatures for encrypted blocks or blocks to be encrypted. The computed signatures may be stored (in memory) or sent (to the remote device) with the encrypted blocks.

(20) In some embodiments, cryptographically processing may include authenticating signatures associated with decrypted blocks or blocks to be decrypted. Providing a decrypted block (e.g., plaintext block) to a memory or the remote device may be contingent on the signature of that block being authenticated.

(21) In some embodiments, the blocks are cryptographically processed according to cryptographic parameters registered in memory (e.g., host memory) by a processing unit, such as, a central processing unit (CPU) or a graphics processing unit (GPU) of a host computer. The GPU may be configured to implement a graphics rendering pipeline to perform various operations related to generating pixel data based on graphics data supplied by a central processing unit (CPU). GPUs are employed to generate three-dimensional (3D) graphics objects and two-dimensional (2D) graphics objects for a variety of applications, including feature films, computer games, virtual reality (VR) and augmented reality (AR) experiences, mechanical design, and/or the like.

(22) The cryptographic parameters may include the block size of the block cipher, an initial value, and an initial cryptographic key. The cryptographic key used to cryptographically process an initial block may be computed based on the initial value and the initial cryptographic key. The initial value is generally updated for subsequent blocks, for example, the size of the block. For example, if the initial value is 2000, the updated value for the next block may be equal to 2016 based on the 16-byte block size. The cryptographic key used to cryptographically process subsequent blocks may be computed based on the updated value and the initial cryptographic key. In some embodiments, the updated value is indicative of the storage location of the current block being cryptographically processed. In some embodiments, the update value may comprise two values, for example, one value indicative of the storage block number and another value indicative of a location within that storage block.

(23) The terms “scrambled” and “encrypted”, in all of their grammatical forms, are used interchangeably throughout the present specification and claims to refer to any appropriate scrambling and/or encryption methods for scrambling and/or encrypting a data stream, and/or any other appropriate method for intending to make a data stream unintelligible except to an intended recipient(s) thereof. Well known types of scrambling or encrypting include, but are not limited to DES, 3DES, and AES (e.g., XTS-AES). Similarly, the terms “descrambled” and “decrypted” are used throughout the present specification and claims, in all their grammatical forms, to refer to the reverse of “scrambled” and “encrypted” in all their grammatical forms.

(24) The block cipher may use any suitable encryption/decryption type and/or mode and may process blocks of any suitable size.

System Description

(25) Reference is now made to FIG. 1, which is a block diagram view of data communication system 10 constructed and operative in accordance with an embodiment of the present invention. The data communication system 10 includes data communication apparatus 12, a remote device 14, a host computer 16, and at least one storage device 18.

(26) The data communication apparatus 12 includes a network interface 20, which comprises one or more ports 22 for connection to a packet data network 24. The remote device 14 is connected to the data communication apparatus 12 via the packet data network 24.

(27) The data communication apparatus 12 also includes a host interface 26, which is configured to be connected to the host computer 16 via a suitable connection. The data communication apparatus 12 also includes packet processing circuitry 28, which processes data packets received over the network interface 20 from the remote device 14 or any other remote device, and processes data and packetizes that data for sending over the network interface 20 to the remote device 14 or any other remote device. The packet processing circuitry 28 includes a block cipher 36 for performing cryptographic processing such as encryption, decryption, signature generation and authentication, by way of example only.

(28) In practice, some or all of the functions of the packet processing circuitry 28 may be combined in a single physical component or, alternatively, implemented using multiple physical components. These physical components may comprise hard-wired or programmable devices, or a combination of the two. In some embodiments, at least some of the functions of the packet processing circuitry 28 may be carried out by a programmable processor under the control of suitable software. This software may be downloaded to a device in electronic form, over a network, for example. Alternatively, or additionally, the software may be stored in tangible, non-transitory computer-readable storage media, such as optical, magnetic, or electronic memory.

(29) The host computer 16 includes an interface 30, a memory 32, and a processing unit 34. The interface 30 connects the host computer 16 to the data communication apparatus 12 via the host interface 26. The memory 32 stores data used by the processing unit 34 and optionally used by the data communication apparatus 12. For example, the data communication apparatus 12 may write data to the memory 32 and read data from the memory 32. In some embodiments, the data communication apparatus 12 may include its own memory in which it stores data, while other data is optionally stored in the memory 32. The processing unit 34 may be connected locally to a storage device 18-1.

(30) The remote device 14 may be connected locally to a storage device 18-2.

(31) The processing unit 34 is configured to manage fulfilment of a data transfer request. The data transfer request may originate from the remote device 14 or from the host computer 16 or from any other suitable device. The data transfer request may include any one or more of the following: a request from the remote device 14 (or any suitable device) to store data in the storage device 18-1; a request from the remote device 14 (or any suitable device) to retrieve data from the storage device 18-1; a request from the host computer 16 to store data in the storage device 18-2; and a request from the host computer 16 to read data from the storage device 18-2. The data transfer request may include transferring data to or from another remote device via the data communication apparatus 12 with or without involvement of the processing unit 34 of the host computer 16. In some embodiments, the data communication apparatus 12 may include its own processing unit or array of processing units to process the data transfer request. The processing unit 34 may fulfil the data transfer request in accordance with any suitable protocol, for example, RDMA.

(32) In practice, some or all of the functions of the processing unit 34 may be combined in a single physical component or, alternatively, implemented using multiple physical components. These physical components may comprise hard-wired or programmable devices, or a combination of the two. In some embodiments, at least some of the functions of the processing unit 34 may be carried out by a programmable processor (e.g., CPU or GPU) under the control of suitable software. This software may be downloaded to a device in electronic form, over a network, for example. Alternatively, or additionally, the software may be stored in tangible, non-transitory computer-readable storage media, such as optical, magnetic, or electronic memory.

(33) Reference is now made to FIG. 2, which is a flowchart 50 including steps in a method of cryptographically processing data blocks for sending in packets to the remote device 14 (FIG. 1) in the system 10 of FIG. 1. Reference is also made to FIG. 1.

(34) The packet processing circuitry 28 is configured to receive (block 52) data from the memory 32 (or any other suitable memory). The data may be provided in the memory 32 according to a data transfer request from the remote device 14 and/or the data communication apparatus 12. In some embodiments, the packet processing circuitry 28 is configured to receive the data from the host computer 16 over the host interface 26 via the memory 32 responsively to the data transfer request. In some embodiments, the data is read from the storage device 18-1 and written in the memory 32 from where is it is read by the data communication apparatus 12.

(35) The packet processing circuitry 28 is configured to cryptographically process (block 54) the received data in units of data blocks using the block cipher 36 so as to add corresponding cryptographically processed data blocks to a sequence of data packets. The sequence of packets may include some cryptographically processed data blocks having block boundaries that are not aligned with (i.e. straddle) payload boundaries of respective packets, such that some cryptographically processed data blocks are divided into two respective segments, which are contained in successive respective ones of the packets in the sequence. For example, a cryptographically processed data block may be divided with one part of the cryptographically processed data block being disposed in one packet and another part of the cryptographically processed data block being disposed in another (adjacent) packet.

(36) The packets generally include whole cryptographically processed data blocks and may also include one or more partial data blocks. For example, some of the packets may include one partial block (either at the beginning or the end of the packet payload), some packets may include two partial blocks (one at the beginning and one at the end of the packet payload), and some packets may include whole data blocks without any partial data blocks in the packet payload.

(37) The processing of partial data blocks is described in more detail with reference to FIGS. 3-6.

(38) The step of block 54 may include one or more sub-steps of blocks 56-62 described in more detail below.

(39) If the received data blocks are plaintext, the packet processing circuitry 28 is configured to encrypt (block 56) the received data blocks using the block cipher 36 so as to add corresponding ciphertext data blocks to the sequence of data packets. The packet processing circuitry 28 is optionally configured to compute (block 58) respective signatures of the received data blocks or the ciphertext data blocks. The steps of blocks 56 and 58 may be performed in any order. For example, the signatures may be computed based on plaintext blocks or on ciphertext blocks. Computation of cryptographic keys is described in more detail with reference to FIG. 7.

(40) If the received data blocks are ciphertext, the packet processing circuitry 28 is optionally configured to authenticate (block 60) respective signatures of the received data blocks or the plaintext data blocks (i.e., after decryption). The packet processing circuitry 28 is configured to decrypt (block 62) the received data blocks using the block cipher 36 so as to add corresponding plaintext data blocks to the sequence of data packets. The steps of blocks 60 and 62 may be performed in any order. For example, the signatures may be authenticated using the plaintext blocks or the ciphertext blocks.

(41) The packet processing circuitry 28 is configured to add (block 64) the cryptographically processed data blocks to their respective packets with some of the blocks being divided between successive respective packets. In some embodiments, the packet processing circuitry 28 is configured to add the computed signatures to the sequence of data packets. In some embodiments, the packet processing circuitry 28 is configured to add respective ones of the plaintext data blocks to the sequence of data packets responsively to respective ones of the signatures being authenticated. In other words, plaintext data blocks of which corresponding signatures have been successfully authenticated are added to the packets, while plaintext data blocks where their corresponding signatures have not been successfully authenticated are not added to the packets.

(42) The network interface 20 is configured to send (block 66) the sequence of data packets to the remote device 14 over the packet data network 24 via the one or more ports 22.

(43) Reference is now made to FIGS. 3 and 4. FIG. 3 is a flowchart 100 including steps in a method of cryptographically processing data blocks for sending in a packet P1 in the system 10 of FIG. 1. FIG. 4 is a block diagram 118 illustrating the method of the flowchart 100 of FIG. 3 showing the flow of data between the memory 32 and the network interface 20. Reference is also made to FIG. 1.

(44) The packet processing circuitry 28 is configured to receive (block 102, arrow 120 in FIG. 4) a data chunk A from the memory 32 (or any suitable memory). The packet processing circuitry 28 is configured to find (block 104) that data chunk A includes a partial block B. The packet processing circuitry 28 is configured to request (block 106, arrow 122 in FIG. 4) an additional data chunk C from a memory controller (not shown) of the memory 32, responsively to finding that data chunk A includes partial block B.

(45) The packet processing circuitry 28 is configured to cryptographically process (block 108, arrow 124 in FIG. 4) the whole blocks of data chunk A yielding cryptographically processed blocks A′. The packet processing circuitry 28 is configured to cryptographically process (block 110, arrow 126 in FIG. 4) the partial block B and additional data chunk C together as a whole block using the block cipher 36 yielding a cryptographically processed data block E. The packet processing circuitry 28 is configured to divide (block 112) cryptographically processed data block E into segments S1 an S2.

(46) The packet processing circuitry 28 is configured to add (block 114, arrows 128 in FIG. 4) blocks A′ and segment S1 to the packet P1, which is then forwarded (arrow 132 in FIG. 4) to the network interface 20. The packet processing circuitry 28 is configured to store (block 116, arrow 130 in FIG. 4) segment S2 in the memory 32 (or any suitable memory) until a packet P2 is processed by the packet processing circuitry 28 as described in more detail with reference to FIGS. 5 and 6.

(47) Reference is now made to FIGS. 5 and 6. FIG. 5 is a flowchart 150 including steps in a method of cryptographically processing data blocks for sending in a packet P2 in the system 10 of FIG. 1. FIG. 6 is a block diagram 170 illustrating the method of the flowchart of FIG. 5. Reference is also made to FIG. 1.

(48) The packet processing circuitry 28 is configured to find (block 152, arrow 172 of FIG. 6) the stored segment S2 in the memory 32 (or any suitable memory) and retrieve segment S2 from the memory 32. The packet processing circuitry 28 is configured to request (block 154, arrow 174 of FIG. 6) a new data chunk F from the memory controller of the memory 32 (or any suitable memory). The packet processing circuitry 28 may be configured to adjust a size of the data chunk F, responsively to the found segment S2. For example, if the packet processing circuitry 28 generally requests a data chunk having a size suitable for adding to a packet, the packet processing circuitry 28 may adjust its request to reduce the size of the data chunk request by the size of segment S2 (i.e., the requested size will be equal to the general packet size less the size of segment S2).

(49) The packet processing circuitry 28 is configured to find (block 156) that data chunk F includes a partial block G. In some cases, the data chunk may include a whole number of blocks without a partial block. The packet processing circuitry 28 is configured to request (block 158, arrow 176 of FIG. 6) an additional data chunk H from the memory controller of the memory 32 (or any suitable memory), responsively to finding that data chunk F includes the partial block G.

(50) The packet processing circuitry 28 is configured to cryptographically process (block 160, arrow 178 of FIG. 6) the whole block(s) of data chunk F (i.e., data chunk F without partial block G) using the block cipher 36 yielding cryptographically processed data block(s) F′. The packet processing circuitry 28 is configured to cryptographically process (block 162, arrow 180 of FIG. 6) the partial block G and additional data chunk H together as a whole block using the block cipher 36 yielding an additional cryptographically processed data block K.

(51) The packet processing circuitry 28 is configured to divide (block 164) cryptographically processed data block K into segments S3 and S4. The packet processing circuitry 28 is configured to add (block 166, arrows 182 of FIG. 6) segment S2, cryptographically processed data block(s) F′, and segment S3 to packet P2, which is then forwarded (arrow 186 of FIG. 6) to the network interface 20. The packet processing circuitry 28 is configured to store (block 168, arrow 184 of FIG. 6) segment S4 in the memory 32 (or any suitable memory) until a packet P3 is processed by the packet processing circuitry 28, and so on.

(52) Reference is now made to FIG. 7, which is a flowchart 200 including steps in a method of key computation in the system 10 of FIG. 1. Reference is also made to FIG. 1. The steps described below may be used for key computation whether the data communication apparatus 12 is processing packets received over the packet data network 24 or packets to be sent over the packet data network 24.

(53) The processing unit 34 of the host computer 16 or another processing unit (for example in the data communication apparatus 12) is configured to register cryptographic parameters in the memory 32 (or any suitable memory), for example, responsively to the data transfer request. The cryptographic parameters may include an initial cryptographic key K, an initial value V, and a block size of the block cipher 36. The cryptographic parameters may be registered in the memory 32 with other parameters, for example, as part of an M-key.

(54) The packet processing circuitry 28 is configured to read (block 202) the cryptographic parameters registered in the memory 32 (or any suitable memory).

(55) The packet processing circuitry 28 is configured to compute (block 204) a cryptographic key K1 responsively to the initial cryptographic key K and the initial value V. The computation may be according to any suitable key modification algorithm, for example, combing K and V using an XOR operation, or encrypting V using K. The packet processing circuitry 28 is configured to cryptographically process (block 206) a block B1 of the received data blocks responsively to the cryptographic key K1.

(56) The packet processing circuitry 28 is configured to compute (block 208) an updated value V1 responsively to the initial value V and a size of block B1 or any other suitable value. The updated value V1 may be indicative of a storage location of a block B2. For example, if the initial value V is 2000, the updated value V1 for the next block may be equal to 2016 based on the 16-byte block size. The cryptographic key used to cryptographically process subsequent blocks may be computed based on the updated value and the initial cryptographic key K or the key used for the previous encryption, e.g., K1. In some embodiments, the updated value is indicative of the storage location (in the storage device 18-1 or the storage device 18-2) of the block to be cryptographically processed. In some embodiments, the update value may comprise two values, for example, one value indicative of the storage block number (i.e. a block reference of a block of data in one of the storage devices 18) and another value indicative of a location within that storage block.

(57) The packet processing circuitry 28 is configured to compute (block 210) a cryptographic key K2 responsively to the initial cryptographic key K (or the key K1) and the updated value V1. The packet processing circuitry 28 is configured to cryptographically process (block 212) a block B2 of the received data blocks responsively to the cryptographic key K2.

(58) For a subsequent block B.sub.n, the packet processing circuitry 28 is configured to compute (block 214) a new updated value V.sub.n responsively to the previous updated value V.sub.n-1 and a size of the previous block B.sub.n-1 (or any suitable value). The updated value V.sub.n may be indicative of a storage location of the block B.sub.n. The packet processing circuitry 28 is configured to compute (block 216) a cryptographic key K.sub.n, responsively to the initial cryptographic key K (or K.sub.n-1) and the updated value V.sub.n. The packet processing circuitry 28 is configured to cryptographically process (block 218) block B.sub.n responsively to the cryptographic key K.sub.n. The steps of blocks 214-218 may be repeated (arrow 220) for subsequent blocks.

(59) Reference is now made to FIG. 8, which is a flowchart 300 including steps in a method of cryptographically processing data blocks of received packets in the system 10 of FIG. 1. Reference is also made to FIG. 1.

(60) The network interface 20 of the data communication apparatus 12 is configured to receive (block 302) a sequence of data packets from the remote device 14 over the packet data network 24 via the port(s) 22 responsively to a data transfer request. The received sequence of packets includes received data blocks. Some of the received data blocks have block boundaries that are not aligned with (i.e. straddle) payload boundaries of at least some of the packets, such that respective received data blocks are divided into two respective segments contained in successive respective packets in the sequence. For example, a data block may be divided with one part of the data block being disposed in one packet and another part of the data block being disposed in another (adjacent) packet. The packets generally include whole data blocks and may also include one or more partial data blocks. For example, some of the packets may include one partial block (either at the beginning or the end of the packet payload), some packets may include two partial blocks (one at the beginning and one at the end of the packet payload), and some packets may include whole data blocks without any partial data blocks.

(61) The packet processing circuitry 28 is configured to cryptographically process (block 304) the received data blocks using the block cipher 36 so as to write corresponding cryptographically processed data blocks to the memory 32 (or any suitable memory), while holding segments of some of the received data blocks in the memory 32, such that the packet processing circuitry 28 stores a segment S1 of a respective received data block B1 of a packet P1 in the memory 32 (or any suitable memory) until a packet P2 (including a segment S2 of the data block B1) is received via the network interface 20, and then cryptographically processes segments S1 and S2 together so as to write a corresponding cryptographically processed data block to the memory 32 (or any suitable memory). The processing of partial data blocks is described in more detail with reference to FIGS. 9-12. Each of the data packets generally also includes whole data blocks for cryptographically processing by the block cipher 36.

(62) In some embodiments, the packet processing circuitry 28 is configured to cryptographically process the received data blocks using the block cipher 36 so as to write the corresponding cryptographically processed data blocks to the memory 32 of the host computer 16 via the host interface 26, while holding segments of respective received data blocks in the memory 32 (or any suitable memory), such that the packet processing circuitry 28 stores segment S1 in the memory 32 (or any suitable memory) until packet P2 is received via the network interface 20, and then cryptographically processes the segments S1 and S2 together so as to write the corresponding cryptographically processed data block to the memory 32 of the host computer 16 via the host interface 26.

(63) The step of block 304 may include one or more sub-steps of blocks 30-312 described in more detail below.

(64) If the received data blocks are plaintext, the packet processing circuitry 28 is configured to encrypt (block 306) the received data blocks using the block cipher 36 so as to write corresponding ciphertext data blocks to the memory 32 (or any suitable memory). The packet processing circuitry 28 is optionally configured to compute (block 308) respective signatures of the received data blocks or the ciphertext data blocks. The steps of blocks 306 and 308 may be performed in any order. For example, the signatures may be computed based on plaintext blocks or on ciphertext blocks. Computation of cryptographic keys was described above in more detail with reference to FIG. 7.

(65) If the received data blocks are ciphertext, the packet processing circuitry 28 is optionally configured to authenticate (block 310) respective signatures of the received data blocks or the plaintext data blocks (i.e., after decryption). The packet processing circuitry 28 is configured to decrypt (block 312) the received data blocks using the block cipher 36 so as to write corresponding plaintext data blocks to the memory 32 (or any suitable memory). The steps of blocks 310 and 312 may be performed in any order. For example, the signatures may be authenticated using the plaintext blocks or the ciphertext blocks.

(66) The packet processing circuitry 28 is configured to write (block 314) the cryptographically processed data blocks and optionally computed signatures to the memory 32 (or any suitable memory). In some embodiments, the packet processing circuitry 28 is configured to write respective plaintext data blocks to the memory 32 responsively to respective signatures being authenticated. In other words, plaintext data blocks of which corresponding signatures have been successfully authenticated are written to the memory 32, while plaintext data blocks where their corresponding signatures have not been successfully authenticated are not written to the memory 32.

(67) Reference is now made to FIGS. 9 and 10. FIG. 9 is a flowchart 400 including steps in a method of cryptographically processing data blocks of a first packet in the system 10 of FIG. 1. FIG. 10 is a block diagram 412 illustrating the method of the flowchart of FIG. 9. Reference is also made to FIG. 1.

(68) The packet processing circuitry 28 is configured to receive (block 402, arrow 414 of FIG. 10) a packet P1 over the network interface 20. The packet processing circuitry 28 is configured to find (block 404) that a part of packet P1 includes a partial block (segment S1). The packet processing circuitry 28 is configured to store (block 406, arrow 418 of FIG. 10) segment S1 in the memory 32 (or any suitable memory). The packet processing circuitry 28 is configured to cryptographically process (block 408, arrow 420 of FIG. 10) the whole blocks M of packet P1 yielding cryptographically processed blocks M′. The packet processing circuitry 28 is configured to write (block 410, arrow 422 of FIG. 10) the cryptographically processed blocks M′ to the memory 32 (or any suitable memory).

(69) Reference is now made to FIGS. 11 and 12. FIG. 11 is a flowchart 430 including steps in a method of cryptographically processing data blocks of a packet P2 in the system 10 of FIG. 1. FIG. 12 is a block diagram 450 illustrating the method of the flowchart of FIG. 11. Reference is also made to FIG. 1.

(70) The packet processing circuitry 28 is configured to receive (block 432, arrow 452 of FIG. 12) a packet P2 over the network interface 20. The packet processing circuitry 28 is configured to find (block 434) that packet P2 includes an initial partial block (segment S2) and a final partial block (segment S3). The packet processing circuitry 28 is configured to store (block 436, arrow 456 of FIG. 12) segment S3 in memory. The packet processing circuitry 28 is configured to retrieve (block 438, arrow 458 of FIG. 12) segment S1 from the memory, responsively to finding segment S2 in packet P2.

(71) The packet processing circuitry 28 is configured to cryptographically process (block 440, arrow 460 of FIG. 12) segments S1 and S2 together as a whole block using the block cipher 36 yielding a cryptographically processed block C′, responsively to finding that segment S2 is a partial block. The packet processing circuitry 28 is configured to cryptographically process (block 442, arrow 462 of FIG. 12) the whole blocks N of packet P2 yielding cryptographically processed blocks N′. The packet processing circuitry 28 is configured to write (block 444, arrow 464 of FIG. 12) cryptographically processed blocks C′ and M′ to the memory 32 (or any suitable memory).

(72) Various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable sub-combination.

(73) The embodiments described above are cited by way of example, and the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the invention includes both combinations and sub combinations of the various features described hereinabove, as well as variations and modifications thereof which would occur to persons skilled in the art upon reading the foregoing description and which are not disclosed in the prior art.