26 research outputs found

    Design and analysis of an FPGA-based, multi-processor HW-SW system for SCC applications

    The last 30 years have seen an increase in the complexity of embedded systems from a collection of simple circuits to systems consisting of multiple processors managing a wide variety of devices. This ever increasing complexity frequently requires that high assurance, fail-safe and secure design techniques be applied to protect against possible failures and breaches. To facilitate the implementation of these embedded systems in an efficient way, the FPGA industry recently created new families of devices. New features added to these devices include anti-tamper monitoring, bit stream encryption, and optimized routing architectures for physical and functional logic partition isolation. These devices have high capacities and are capable of implementing processors using their reprogrammable logic structures. This allows for an unprecedented level of hardware and software interaction within a single FPGA chip. High assurance and fail-safe systems can now be implemented within the reconfigurable hardware fabric of an FPGA, enabling these systems to maintain flexibility and achieve high performance while providing a high level of data security. The objective of this thesis was to design and analyze an FPGA-based system containing two isolated, softcore Nios processors that share data through two crypto-engines. FPGA-based single-chip cryptographic (SCC) techniques were employed to ensure proper component isolation when the design is placed on a device supporting the appropriate security primitives. Each crypto-engine is an implementation of the Advanced Encryption Standard (AES), operating in Galois/Counter Mode (GCM) for both encryption and authentication. The features of the microprocessors and architectures of the AES crypto-engines were varied with the goal of determining combinations which best target high performance, minimal hardware usage, or a combination of the two.

    Algorithms and Architectures for Secure Embedded Multimedia Systems

    Embedded multimedia systems provide real-time video support for applications in entertainment (mobile phones, internet video websites), defense (video-surveillance and tracking) and public-domain (tele-medicine, remote and distant learning, traffic monitoring and management). With the widespread deployment of such real-time embedded systems, there has been an increasing concern over the security and authentication of concerned multimedia data. While several (software) algorithms and hardware architectures have been proposed in the research literature to support multimedia security, these fail to address embedded applications whose performance specifications have tighter constraints on computational power and available hardware resources. The goals of this dissertation research are twofold: 1. To develop novel algorithms for joint video compression and encryption. The proposed algorithms reduce the computational requirements of multimedia encryption algorithms. We propose an approach that uses the compression parameters instead of compressed bitstream for video encryption. 2. Hardware acceleration of proposed algorithms over reconfigurable computing platforms such as FPGA and over VLSI circuits. We use signal processing knowledge to make the algorithms suitable for hardware optimizations and try to reduce the critical path of circuits using hardware-specific optimizations. The proposed algorithms ensure a considerable level of security for low-power embedded systems such as portable video players and surveillance cameras. These schemes have zero or little compression losses and preserve the desired properties of compressed bitstream in encrypted bitstream to ensure secure and scalable transmission of videos over heterogeneous networks. They also support indexing, search and retrieval in secure multimedia digital libraries. 
This property is crucial not only for police and armed forces to retrieve information about a suspect from a large video database of surveillance feeds, but extremely helpful for data centers (such as those used by YouTube, AOL and Metacafe) in reducing the computation cost in search and retrieval of desired videos.

    Digital Communication System with High Security and High Immunity

    Today, security issues are increased due to huge data transmissions over communication media such as mobile phones, TV cables, online games, Wi-Fi and satellite transmission etc. for uses such as medical, military or entertainment. This creates a challenge for government and commercial companies to keep these data transmissions secure. Traditional secure ciphers, either block ciphers such as Advanced Encryption Standard (AES) or stream ciphers, are not fast or completely secure. However, the unique properties of a chaotic system, such as structure complexity, deterministic dynamics, random output response and extreme sensitivity to the initial condition, make it motivating for researchers in the field of communication system security. These properties establish an increased relationship between chaos and cryptography that creates a strong and fast cipher compared to conventional algorithms, which are weak and slow ciphers. Additionally, chaotic synchronisation has sparked many studies on the application of chaos in communication security, for example, the chaotic synchronisation between two different systems in which the transmitter (master system) is driving the receiver (slave system) by its output signal. For this reason, it is essential to design a secure communication system for data transmission in noisy environments that is robust to different types of attacks (such as a brute force attack). In this thesis, a digital communication system with high immunity and security, based on a Lorenz stream cipher chaotic signal, has been perfectly applied. A new cryptosystem approach based on Lorenz chaotic systems was designed for secure data transmission. The system uses a stream cipher, in which the encryption key varies continuously in a chaotic manner. Furthermore, one or more of the parameters of the Lorenz generator is controlled by an auxiliary chaotic generator for increased security. 
In this thesis, the two Lorenz chaotic systems are called the Main Lorenz Generator and the Auxiliary Lorenz Generator. The system was designed using the SIMULINK tool. The system performance in the presence of noise was tested, and the simulation results are provided. Then, the clock-recovery technique is presented, with real-time results of the clock recovery. The receiver demonstrated its ability to recover and lock the clock successfully. Furthermore, the technique for synchronisation between two separate FPGA boards (transmitter and receiver) is detailed, in which the master system transmits specific data to trigger a slave system in order to run synchronously. The real-time results are provided, which show the achieved synchronisation. The receiver was able to recover user data without error, and the real-time results are listed. The randomness test (NIST) results of the Lorenz chaotic signals are also given. Finally, the security analysis determined the system to have a high degree of security compared to other communication systems.

    Physical Layer Encryption for High-Speed Optical Ethernet (original title: Encriptación sobre Capa Física para Ethernet Óptico de Alta Velocidad)

    INTRODUCTION

    Today, optical links with transmission rates of 100 Gbps and above are already a reality. Thanks to the advances achieved in optical communications over recent decades, ever greater bandwidths can be handled, which satisfies the demands of the most demanding applications [CIS16], such as those based on cloud computing or big data. On the other hand, information security remains a matter of great importance in communications, since the volume of network threats has increased in recent years [CIS18]. Security failures could lead to the malfunction of a service or the loss of confidentiality of critical customer data. In a layered communication system, such as the OSI (Open System Interconnection) or TCP/IP (Transmission Control Protocol/Internet Protocol) model, both passive and active attacks can be carried out at the different levels of the communication. Depending on the communication layers used, different mechanisms can be adopted to achieve information security. For example, standardized protocols such as MACsec [IEE06] or IPsec [KEN05] are normally used at layer 2 (data link layer) and layer 3 (network layer), respectively. In both cases encryption is performed on each frame or data packet individually. For the particular case of optical networks, the analysis of threats at layer 1 (physical layer) is also considered critical to guarantee secure communications [SKO16], [FUR14]. In this case three types of attack stand out: signal insertion attacks, splitting attacks and attacks on physical infrastructure. Splitting attacks are normally used for passive eavesdropping or to degrade the signal [SKO16]; they can be carried out easily thanks to fiber tapping techniques. In fact, low-cost methods already exist today to intercept the optical signal using optical coupling devices and electro-optical converters without perceptibly interfering with communications [ZAF11]. In order to address these threats and protect data confidentiality at the physical layer, several mechanisms related to photonic technologies have been proposed [FOK11], for example OCDM (Optical Code Division Multiplexing) [JI17], SCOC (Secure Communications using Optical Chaos) [HIZ10] or QKD (Quantum Key Distribution) [ELK13]. Other techniques, also related to physical-layer protocols, encrypt the information at bit level regardless of the photonic technology used, such as encryption of the payload data in OTN (Optical Transport Network) frames [GUA16]. Some of the advantages claimed for these encryption techniques are that they encrypt the information "on the fly", introducing zero overhead in the data and very low latency (in the nanosecond range) in the transmitted information [GUA16]. In fact, OTN communications equipment that performs encryption at line rate without reducing throughput, that is, achieving 100% transmission performance, is already available on the market today [MIC16]. This contrasts with what certain protocols do at other communication layers [KOL13], [XEN06]. For example, IPsec generally introduces latencies in the millisecond range. In addition, the overhead introduced by IPsec during encryption limits transmission performance to values between 20% and 90% of the maximum possible data rate without encryption [TRO05], [KOL13].

    Apart from achieving confidentiality, some of the methods mentioned above are also able to provide privacy against passive intruders [FOK11], where privacy refers to the threat in which such intruders can simply detect the presence of communications, even though they are unable to decipher their content. This capability can offer security against attacks based on traffic pattern analysis, which would reveal information about the behavior of a company or facility. Among optical communication standards, Ethernet is one of the most widely used today. A clear example is access to optical transport networks, where this standard is normally used when access rates exceed one gigabit per second. As shown in Fig. 1-1, some access technologies in the last-mile segments of CENs (Carrier Ethernet Networks) are Ethernet over fiber (Direct Fiber with Ethernet, Ethernet over SONET/SDH, Ethernet over PON), Ethernet over PDH or wireless Ethernet [MET09]. Two of the most widely used optical Ethernet standards today are 1000Base-X and 10GBase-R, with transmission rates of 1 Gbps and 10 Gbps, respectively.

    OBJECTIVES

    In the case of communications over optical Ethernet, there is no mechanism that achieves the aforementioned privacy together with confidentiality without also introducing unwanted overhead or latency. The objective of this thesis is to provide solutions for two of the most widely used optical Ethernet standards, 1000Base-X and 10GBase-R, achieving the characteristics cited above. In general, the main aspects this thesis aims to develop are the following:
    • Make viable proposals for modifying both standards, 1000Base-X and 10GBase-R, so that encryption can be carried out at the physical layer.
    • Achieve compatibility of the new encryption architectures with these standards, so that the electronic hardware most dependent on the transmission medium, such as SFP optical modules, SERDES or clock and data recovery circuits, needs no additional modification.
    • Study the possible stream encryption schemes capable of encrypting data at rates above 1 Gbps and adapt them to the proposed architectures.
    • Study possible mechanisms for synchronizing the encryption modules between two remote terminals.
    • Ensure that the proposed solutions perform encryption with the lowest possible latency, at least of an order of magnitude equal to or lower than that of solutions in other communication standards such as OTN.
    • Carry out a security analysis of the proposed solutions, including a study of the privacy capability of the communications.
    • Propose a scheme for integrity checking, authentication and key refresh at the physical layer.
    • Carry out the implementation and physical verification of the proposed solutions.

    PUBLICATIONS

    [PER19a] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "Chaotic Encryption Applied to Optical Ethernet in Industrial Control Systems". IEEE Transactions on Instrumentation and Measurement, 68(12):4876–4886, Dec 2019.
    [PER19b] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "Physical Layer Encryption for Industrial Ethernet in Gigabit Optical Links". IEEE Transactions on Industrial Electronics, 66(4):3287–3295, April 2019.
    [PER19c] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "Chaotic Encryption for 10-Gb Ethernet Optical Links". IEEE Transactions on Circuits and Systems I: Regular Papers, 66(2):859–868, Feb. 2019.
    [PER19d] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "Self-Synchronized Encryption for Physical Layer in 10Gbps Optical Links". IEEE Transactions on Computers, 68(6):899–911, June 2019.
    [PER19e] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "Self-Synchronized Encryption Using an FPE Block Cipher for Gigabit Ethernet". In 2019 15th Conference on Ph.D Research in Microelectronics and Electronics (PRIME), pages 81–84, Lausanne, Switzerland, July 2019.
    [PER20a] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "A New Method for Format Preserving Encryption in High-Data Rate Communications". IEEE Access, 8:21003–21016, 2020.
    [PER20b] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "Self-synchronized Encryption for Physical Layer in 1Gbps Ethernet Optical Links". IEEE Access, Pending Acceptance.

    Design and implementation of a multi-modal sensor with on-chip security

    With the advancement of technology, wearable devices for fitness tracking, patient monitoring, diagnosis, and disease prevention are finding ways to be woven into modern world reality. CMOS sensors are known to be compact, with low power consumption, making them an inseparable part of wireless medical applications and Internet of Things (IoT). Digital/semi-digital output, by the translation of transmitting data into the frequency domain, takes advantage of both the analog and digital world. However, one of the most critical measures of communication, security, is ignored and not considered for fabrication of an integrated chip. With the advancement of Moore's law and the possibility of having a higher number of transistors and more complex circuits, the feasibility of having on-chip security measures is drawing more attention. One of the fundamental means of secure communication is real-time encryption. Encryption/ciphering occurs when we encode a signal or data, and prevents unauthorized parties from reading or understanding this information. Encryption is the process of transmitting sensitive data securely and with privacy. This measure of security is essential since in biomedical devices, the attacker/hacker can endanger users of IoT or wearable sensors (e.g. attacks at implanted biosensors can cause fatal harm to the user). This work develops 1) A low power and compact multi-modal sensor that can measure temperature and impedance with a quasi-digital output and 2) a low power on-chip signal cipher for real-time data transfer.

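    HAL-ASOS - Linux with hardware acceleration for application-specific operating systems (original title: HAL-ASOS - Linux com aceleração em hardware para sistemas operativos dedicados à aplicação)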

    Doctoral programme in Electronics and Computer Engineering (PDEEC) (specialization in Industrial Informatics and Embedded Systems)

    Today's embedded systems ecosystem has become huge, covering many different systems that demand performance and full mobility while achieving ever longer battery life. But the rising clock frequency that resulted in ever faster devices began to stagnate before transistors stopped shrinking. Field Programmable Gate Array (FPGA) platforms are an alternative solution for implementing complete, reconfigurable systems. They provide performance and computational efficiency to satisfy the requirements of the application and of the embedded system. Several FPGA-assisted Operating Systems (OS) have been proposed, but by narrowing their focus to the synthesis of the hardware accelerator's datapath, the great majority ignore the semantic integration of these accelerators into the OS. High-level synthesis (HLS) environments have raised abstraction beyond register transfer language (RTL), following a domain-specific approach while mixing ad hoc software and hardware abstractions, which hinder optimizations. Moreover, the programming models for software and reconfigurable hardware lack similarities, which over time will hinder Design Space Exploration (DSE) and reduce the potential for code reuse. To respond to these needs, we propose HAL-ASOS, a tool for implementing Linux-based embedded systems that provides (1) elasticity in design in line with the evolving nature of this OS, (2) deep semantic integration of hardware tasks into the Linux programming models, (3) ease of complexity management through methodology and tools to support design, verification and implementation, (4) guidance by hybrid design principles and system efficiency. To evaluate the tool's functionality, a cryptographic application was implemented that demonstrates the performance achieved while employing the design methodology. New levels of performance are reached in a Computer Vision application that exploits asynchronous-synchronous programming features. The results demonstrate a flexible approach to reconfiguration between hardware and software, and performance that increases consistently with added resources or clock frequency.

    Today’s embedded systems ecosystem became huge while covering several and different computer-based systems, demanding for performance and complete mobility while experiencing longer battery lives. But the rampant frequency that resulted in faster devices began hitting a wall even before transistors stopped shrinking. Field Programmable Gate Array (FPGA) platforms are an alternative solution towards implementing complete reconfigurable systems. They provide computational power, efficiency, in a lightweight solution to serve the application requirements and increase performance in the overall system. Several FPGA-assisted Operating Systems (OS) have been proposed, but by narrowing their focus on datapath synthesis of the hardware accelerator, they completely ignore the deep semantic integration of these accelerators into the OS. State-of-the-art High-Level Synthesis (HLS) environments have raised the level of abstraction beyond Register Transfer Language (RTL) by following a domain-specific approach while mixing ad hoc software and hardware abstractions, making performance optimizations harder. Furthermore, the programming models for software and reconfigurable hardware lack commonalities, which in time will hinder the Design Space Exploration (DSE) and lower the potential for code reuse. To overcome these issues, we propose HAL-ASOS, a framework to implement Linux-based Embedded systems which provides (1) elasticity by design to comply with the evolutive nature of Linux, (2) deep semantic integration of the hardware tasks in the Linux programming models, (3) easy complexity management using methodology and tools to fully support design, verification and deployment, (4) hybrid and efficiency-oriented design principles. To evaluate the framework functionalities, a cryptographic application was implemented and demonstrates performance achievements while using the promoted application-driven design methodology. To demonstrate new levels of performance that can be achieved, a Computer Vision application explores several mixed asynchronous-synchronous programming features. Experiments demonstrate a flexible design approach in terms of hardware and software reconfiguration, and significant performance that increases consistently with the rise in processing resources or clock frequencies.

    Financial support received from Portuguese Foundation for Science and Technology (FCT) with the PhD grant SFRH/BD/82732/2011.

    Placement and routing for reconfigurable systems.

    Applications using reconfigurable logic have been widely demonstrated to offer better performance over software-based solutions. However, good performance rating is often destroyed by poor reconfiguration latency - time required to reconfigure hardware to perform the new task. Recent research focuses on design automation techniques to address reconfiguration latency bottleneck. The contribution to novelty of this thesis is in new placement and routing techniques resulting in minimising reconfiguration latency of reconfigurable systems. This presents a part of design process concerned with positioning and connecting design blocks in a logic gate array. The aim of the research is to optimise the placement and interconnect strategy such that dynamic changes in system functionality can be achieved with minimum delay. A review of previous work in the field is given and the relevant theoretical framework developed. The dynamic reconfiguration problem is analysed for various reconfigurable technologies. Several algorithms are developed and evaluated using a representative set of problem domains to assess their effectiveness. Results obtained with novel placement and routing techniques demonstrate configuration data size reduction leading to significant reconfiguration latency improvements.

    On the Edge of Secure Connectivity via Software-Defined Networking

    Securing communication in computer networks has been an essential feature ever since the Internet, as we know it today, was started. One of the best known and most common methods for secure communication is to use a Virtual Private Network (VPN) solution, mainly operating with an IP security (IPsec) protocol suite originally published in 1995 (RFC1825). It is clear that the Internet, and networks in general, have changed dramatically since then. In particular, the onset of the Cloud and the Internet-of-Things (IoT) have placed new demands on secure networking. Even though the IPsec suite has been updated over the years, it is starting to reach the limits of its capabilities in its present form. Recent advances in networking have thrown up Software-Defined Networking (SDN), which decouples the control and data planes, and thus centralizes the network control. SDN provides arbitrary network topologies and elastic packet forwarding that have enabled useful innovations at the network level. This thesis studies SDN-powered VPN networking and explains the benefits of this combination. Even though the main context is the Cloud, the approaches described here are also valid for non-Cloud operation and are thus suitable for a variety of other use cases for both SMEs and large corporations. In addition to IPsec, open source TLS-based VPN (e.g. OpenVPN) solutions are often used to establish secure tunnels. Research shows that a full-mesh VPN network between multiple sites can be provided using OpenVPN and it can be utilized by SDN to create a seamless, resilient layer-2 overlay for multiple purposes, including the Cloud. However, such a VPN tunnel suffers from resiliency problems and cannot meet the increasing availability requirements. The network setup proposed here is similar to Software-Defined WAN (SD-WAN) solutions and is extremely useful for applications with strict requirements for resiliency and security, even if best-effort ISP is used. 
IPsec is still preferred over OpenVPN for some use cases, especially by smaller enterprises. Therefore, this research also examines the possibilities for high availability, load balancing, and faster operational speeds for IPsec. We present a novel approach involving the separation of the Internet Key Exchange (IKE) and the Encapsulation Security Payload (ESP) in SDN fashion to operate from separate devices. This allows central management for the IKE while several separate ESP devices can concentrate on the heavy processing. Initially, our research relied on software solutions for ESP processing. Despite the ingenuity of the architectural concept, and although it provided high availability and good load balancing, there was no anti-replay protection. Since anti-replay protection is vital for secure communication, another approach was required. It thus became clear that the ideal solution for such large IPsec tunneling would be to have a pool of fast ESP devices, but to confine the IKE operation to a single centralized device. This would obviate the need for load balancing but still allow high availability via the device pool. The focus of this research thus turned to the study of pure hardware solutions on an FPGA, and their feasibility and production readiness for application in the Cloud context. Our research shows that FPGA works fluently in an SDN network as a standalone IPsec accelerator for ESP packets. The proposed architecture has 10 Gbps throughput, yet the latency is less than 10 µs, meaning that this architecture is especially efficient for data center use and offers increased performance and latency requirements. The high demands of the network packet processing can be met using several different approaches, so this approach is not just limited to the topics presented in this thesis. Global network traffic is growing all the time, so the development of more efficient methods and devices is inevitable. 
The increasing number of IoT devices will result in a lot of network traffic utilising the Cloud infrastructures in the near future. Based on the latest research, once SDN and hardware acceleration have become fully integrated into the Cloud, the future for secure networking looks promising. SDN technology will open up a wide range of new possibilities for data forwarding, while hardware acceleration will satisfy the increased performance requirements. Although it still remains to be seen whether SDN can answer all the requirements for performance, high availability and resiliency, this thesis shows that it is a very competent technology, even though we have explored only a minor fraction of its capabilities.