Crypto Acceleration and Security for SOA
Transcript of Crypto Acceleration and Security for SOA
Crypto Acceleration and Security for SOA
Presenter: Mark BalsomRole: Sales Engineering ManagerDate: 25th September 2008
Crypto Acceleration and Security for SOA Page 230/09/2008
Corporate Overview
nCipher is the world’s leading cryptographic hardware security provider> Developer of World’s first SSL Accelerator
Founded in 1996 in Cambridge, UK ~200 employees worldwide
Global presence with corporate centres in Cambridge, Boston, Tokyo> Also sales offices in Atlanta, Chicago, New York, San Francisco, Washington, Paris,
Madrid, Frankfurt, Hong Kong, Singapore, Sydney.
Publicly traded since October 2000 on London Stock Exchange (LSE:NCH)A Microsoft “Security Partner of the Year”Well regarded by Gartner, KPMG and other industry analysts
nCipher
Crypto Acceleration and Security for SOA Page 330/09/2008
• Security is based on Public Key cryptography• SSL delivers encrypted, confidential links• Certificates establish identity between entities
Who are you?
??
SSL Background
Crypto Acceleration and Security for SOA Page 430/09/2008
FirewallFirewall
ServerServer
Client makes Client makes connection to siteconnection to site
Server has Server has x509v3 Certificatex509v3 Certificate
Establishing the Session
Crypto Acceleration and Security for SOA Page 530/09/2008
ServerServer
Server sends copy of Server sends copy of Certificate to ClientCertificate to Client
Serial Number: 6cb0dad0137a5fa79888f
Validity: Nov.08,1997 Nov.08,1998
Subject / Name / OrganizationLocality = InternetOrganization = VeriSign, Inc.Organizational Unit = VeriSign Class 2 CA - Individual Subscriber
Status: ValidPublic Key:ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
Signed By: VeriSign, Inc.: kdiowurei495729hshsg0925h309afhwe09721h481903207akndnxnzkjoaioeru10591328y5
The Client verifies the server by checking the validity and origin of
the certificateValid Chain ✔
Not Revoked ✔Not Expired ✔
URL Matches ✔
Client Validates Server
Crypto Acceleration and Security for SOA Page 630/09/2008
ServerServer
1) The Client generates a random 128 bit symmetric keyThis will be the basis of the “session key”
13434344573912457624572541343434457391245762457254
2) The Client encrypts this “session key”with the Server’s Public Key
(found in the certificate)
^&W£*SDH£&SHD&£H&DH£&^&W£*SDH£&SHD&£H&DH£&
3) The Client sends the 1024 bit encrypted “session key” to the Server
Client Sends Encrypted Session Key
Crypto Acceleration and Security for SOA Page 730/09/2008
ServerServer
13434344573912457624572541343434457391245762457254
The Server decrypts the “Session Key”with its Private Key
13434344573912457624572541343434457391245762457254
The RSA decryption operation saps server CPU - this is the problem!
Server Decrypts Session Key
Crypto Acceleration and Security for SOA Page 830/09/2008
ServerServer
This encrypted tunnel prevents eavesdropping and positively identifies
the Server to the Client
An encrypted tunnel, based on that key, is established
between Client and Server
13434344573912457624572541343434457391245762457254
13434344573912457624572541343434457391245762457254
The Session Key has now been shared securely
Encrypted Tunnel
Crypto Acceleration and Security for SOA Page 930/09/2008
Average and Peak Loads
Crypto Acceleration and Security for SOA Page 1030/09/2008
Ser
ver R
eque
sts
Time
Length of queue
Peak Load Management
Crypto Acceleration and Security for SOA Page 1130/09/2008
Unaccelerated
Crypto Acceleration and Security for SOA Page 1230/09/2008
Accelerator Assisted
Crypto Acceleration and Security for SOA Page 1330/09/2008
‘Web 2.0’ – Additional Security Features
In addition to SSL functionality, used to secure communications, Vordel’s products also provide the rich XML Security Functionality demanded by Service-Oriented Architectures;
• XML Signing (non-repudiation)• XML Encryption/Decryption
XML Signatures and XML Encryption underpin WS-Security and SAML
Beyond SSL – Web Services
Crypto Acceleration and Security for SOA Page 1430/09/2008
‘Web 2.0’ – Additional Security Overhead
Each message needs protection. The overhead of the cryptography required to sign a single XML message or to decrypt any XML message is just as high as that required to perform an SSL handshake. Without Crypto Acceleration there could be very little CPU left...
Performance bottlenecks could be experienced as a result of peaky traffic, or while batches of operations are processed. This should be a concern to anyone concerned about latency (eg. Telcos, Financial Services).
Offloading this security processing is the solution.nCipher hardware provides up to 4000 transactions per second (up to 600 at 2048-bit).
Beyond SSL – Web Services
Crypto Acceleration and Security for SOA Page 1530/09/2008
XML Gateways are dedicated appliances, the best designs taking on both the cryptographic processing and the associated XML processing, removing this overhead from your application hosts.
Vordel solutions feature onboard nCipher Hardware in addition to XML processing acceleration.
Vordel VX4000 and VX8000 platforms are availablewith onboard nFast Accelerator or nShield HSM
Offloading Intensive Operations
Crypto Acceleration and Security for SOA Page 1630/09/2008
Key finding attacks
A simple CGI script can search the virtual memory of the server or cause a core dump… to gain access to the key
“…scientists recently demonstrated a simple program that can extract the secret keys locked in a Web server used to process credit card transactions…” January 5, 2000
Why HSMs : Needle in a Haystack?
Crypto Acceleration and Security for SOA Page 1730/09/2008
nCipher Crypto Hardware
nFast Accelerator
4000 cryptographic transactions per secondStandard PCI 2.3 compliant card
nShield Hardware Security Module
Available in FIPS 140-2 Level 2 (Tamper Evident) or Level 3 (Tamper Resistant) versions.4000 cryptographic transactions per secondStandard PCI 2.3 compliant card
Crypto Acceleration and Security for SOA Page 1830/09/2008
Sample Users
Crypto Acceleration and Security for SOA Page 1930/09/2008
Summary
Processing Web Services transactions is highly processor intensive – each individual message generating crypto overhead
nCipher’s hardware solve the performance issues that will be obvious to Systems Administrators, and can address the security issues that are less apparent
Vordel’s appliance solutions harness these technologies, but also accelerate the processing of XML transactions, removing this workload from your servers and moving it out to the network
Any Questions?
Conclusion