XIP7131C is a compact 1 Intellectual Property (IP) core for TLS 1.3 client-side functionality. Transport Layer Security (TLS) is a cryptographic protocol, which provides communication security in computer networks and is used for securing a multitude of different applications ranging from casual Internet browsing to critical infrastructure communications. TLS 1.3 was published as RFC 8446 in August 2018, and it is the most recent version of the TLS standard and includes major modifications and security improvements compared to the earlier TLS versions.
XIP7131C provides a hardware-based security solution level required for mission-critical applications. XIP7131C is optimized for low-area footprint, and it is ideally suited for high-volume FPGA applications, for example industrial automation, energy distribution, and secure edge computing. While the IP core itself has been optimized for low FPGA resource usage, it is capable of encrypting and decrypting bulk transmission speeds in excess of 1 Gbps after the secure connection has been established.
XIP7131C supports the TLS 1.3 handshakes for session establishment and the TLS 1.3 record protocol for bulk communication. The IP core implements all cryptographic computations and key management activities required for secure TLS connections with a server. Critical cryptographical computations and key management are both isolated inside the FPGA from the rest of the system, offering a very high level of protection from different types of attacks. All computations are performed in constant time, thus nullifying timing-based side-channel attacks and protecting also against various other types of side-channel attacks.
Due to the need to optimize the resource requirements, the supported cryptographic algorithms were carefully selected. XIP7131C supports X25519, Ed25519, SHA-2, HMAC, HKDF, and AES-GCM with 128-bit keys. Internally, XIP7131C includesa True Random Number Generator (TRNG) for generating truly random numbers needed in the TLS protocol, for example, ephemeral  keys.
The TLS 1.3 IP Core is available for all Intel ® FPGAs.
The functionality of XIP7131C complies with the TLS 1.3 protocol definition in RFC 8446, and it implements at hardware level the required functionality for TLS 1.3 client side operation. The TLS 1.3 client (the FPGA-based XIP7131C IP core) opens a TLS connection with a server by running the client side of the TLS 1.3 handshake protocol. First XIP7131C generates a ClientHello message including the client’s ephemeral X25519 public share and sends it to the server. The server responds with a ServerHello message which includes the server’s ephemeral X25519 public share, the server’s certificate, a signature over the exchanged messages. After XIP7131C has received the ServerHello message it computes the shared session secret from the received public share and its own private share, verifies the certificate and the digital signature, and derives the required keys from the shared session secret for securing the bulk communications.
After a secure connection has been established, the bulk communication is protected with the Authentication Encryption with Associated Data (AEAD) scheme AES-GCM with 128-bit key length. This AEAD scheme protects both confidentiality and integrity, the former meaning that no malicious party in the middle of the communication can see the contents of the communication, and the latter that the communicated messages cannot be manipulated without being noticed. XIP7131C adds the required TLS 1.3 fields to each outgoing frame for a given IP address and destination port and encrypts the data payload. For the incoming messages XIP7131C removes the TLS 1.3 fields from the message frames, and decrypts the encrypted data payload.
For more technical and commercial details, including FPGA resources & peak performance as well as ordering instructions, open the full product brief in PDF. Contact us by sending and email to , and we’ll get back to you as soon as possible.
Figure 1: Internal high-level block diagram of XIP7131C
 An ephemeral cryptographic key is generated and used only for a single session.
Xiphera Ltd © 2021