System News
"Taking Advantage of Wire-Speed Cryptography"
It Doesn't Have to Be Complicated
January 15, 2010,
Volume 143, Issue 2

Taking the complexity out of cryptographic operations
 

The Sun BluePrints paper "Taking Advantage of Wire-Speed Cryptography" (login or registration required) provides an overview of how to off-load application security functions that include cryptographic operations in conjunction with Oracle WebLogic Server and Java Platform, Enterprise Edition (Java EE platform) application environments in order to accelerate performance while minimizing compromises.

In their paper, authors Ramesh Nagappan and Chad Prucha emphasize a simple approach to implementation that does not require the reader to become an expert in the subtleties of cryptographic techniques and Public Key Infrastructure (PKI). They also include incidental treatment of many of the more arcane functional details of cryptography and related technologies.

The authors acknowledge the utility of both the network appliance approach and the use of cryptography cards in meeting security demands, though they point out the operational costs of both approaches. As an alternative, they point to Sun's CoolThreads technology, which utilizes on-chip hardware cryptographic capabilities that are targeted at throughput applications and built into Sun's servers with UltraSPARC T1, T2, or T2 Plus processors.

On-chip cryptographic acceleration, the authors contend, eliminates the need for additional coprocessor cards, special licensing, network appliances, or power-hungry add-on components. Deploying Sun servers with CoolThreads technology in HTTP environments can help reduce system overhead, improve performance, and increase overall computing and network efficiency by improving responsiveness across the entire solution, they argue.

Nagappan and Prucha write that Sun created the UltraSPARC T1, T2, and T2 Plus, combining chip multiprocessing and hardware multithreading with an efficient instruction pipeline to enable chip multithreading (CMT). The resulting processor design provides multiple physical instruction execution pipelines and several active thread contexts per pipeline.

To meet the ever-increasing demand on cryptographic operations, Sun produced the UltraSPARC T2 and T2 Plus processors to use a unique System-on-a-Chip (SoC) design that incorporates additional cryptographic features as well as on-chip I/O and on-chip 10 Gigabit Ethernet networking capabilities to help improve performance.

The paper explains that the cryptographic capabilities of the UltraSPARC T1, T2, and T2 Plus processors can be accessed via the Solaris Cryptographic Framework (SCF), which provides cryptographic services for kernel-level and user-level consumers, as well as several software encryption modules. SCF continues to include Kernel SSL proxy (KSSL), which off-loads SSL processing from user applications and enables them to transparently take advantage of hardware accelerators, such as those available in UltraSPARC T1, T2, and T2 Plus processors.

The authors go on to say that Sun servers with chip multithreading technology provide on-chip cryptographic acceleration support through a dedicated cryptographic accelerator, called the Niagara Crypto Provider (NCP), implemented on each processor core. The introductory UltraSPARC T1 processor included an NCP implementation that introduced public-key cryptographic mechanisms, including RSA and DSA algorithms.

The latest UltraSPARC T2 and T2 Plus processors extend algorithm support by introducing symmetric key-based encryption and decryption mechanisms, such as Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES-128, AES-192, and AES-256), and Ron’s Code 4 (RC4); hashing operations such as the Message Digest 5 (MD5) algorithm, SHA1, and SHA256; and Elliptic Curve Cryptography (ECC) mechanisms, such as the ECCp-160 and ECCb-163 algorithms.

In addition, the authors write, UltraSPARC T2 processors provide an on-chip Random Number Generator (N2RNG) to support random number generation operations intended for cryptographic applications. In practice, the NCP uses the Solaris Cryptographic Framework (SCF) to allow user-level applications to off-load cryptographic operations and take advantage of NCP-based on-chip cryptographic acceleration.

Nagappan and Prucha explain the Solaris Cryptographic Framework Library, which they describe as a set of cryptographic services for kernel-level and user-level consumers. It is based on the PKCS#11 public key cryptography standard created by RSA Security, Inc., and provides a mechanism and API whereby both kernel- and user-based cryptographic functions can transparently use hardware accelerators configured on the system.

The paper goes on to discuss the use of NCP with the Java Development Kit, noting that Java EE application servers can take advantage of NCP for performing cryptographic operations, particularly in transport-layer security of Web applications (SSL) and Java Remote Method Invocation (Java RMI) over Internet Inter-ORB Protocol (IIOP) with SSL.

The authors then take up the techniques for accessing hardware acceleration, which include using KSSL as an SSL proxy; configuring KSSL for off-loading Oracle WebLogic Server SSL; and configuring Oracle WebLogic Server for SSL acceleration.

Finally, Nagappan and Prucha discuss the performance improvements made possible by on-chip cryptographic acceleration. They point out that Sun research has shown that even workloads as small as 10 users, ramping up usage over 10 minutes and sustaining activity for 10 minutes while running a simple application, can benefit greatly from investing a few minutes in configuring the system to off-load cryptographic operations to the MAUs in the server.

Throughput and transaction rates improved application responsiveness to near-original, unencrypted speeds when hardware cryptography was enabled, they conclude.

More Information

Taking Advantage of Wire-Speed Cryptography (log-in or registration required)

Solaris Operating System

Solaris 10 OS Reference Manual Collection

Sun Servers with CoolThreads Technology

Using the Cryptographic Accelerators in the UltraSPARC T1 and T2 Processors (log-in or registration required)

Crypto Activation CD for UltraSPARC T2 and T2 Plus-based Servers

Solaris 10 Security Deep Dive Presentation
