Cryptography provides powerful mechanisms to protect data but it carries a relatively high price in terms of computing power when executed on standard computers. A personal computer is perfectly adequate to carry out strong encryption for email etc. for a single user.
However, even the largest of commercial transaction processing systems are likely to grind to a halt if all transactions require strong cryptography. On the other hand it is quite possible to design machines or subsystems with special hardware and software architectures to carry out cryptographic functions at commercial speed.
These are called cryptographic accelerators. By adding an accelerator to a heavily loaded server system, one can dramatically increase the number of transactions per second at a much lower cost than would be the case if one were to try to increase the speed of the server itself, or to add additional parallel server systems.
In addition standard computers do not provide particularly secure storage of keys. Most cryptographic accelerators are validated to security standards. This means that an accredited third party has validated all of the claims made by the manufacturer for the device.
As the functions performed by cryptographic accelerators are relatively few and simple (if compute intensive) it is possible to verify the quality of the software far beyond the level which can practically be applied to general purpose applications and system software. This provides for enhanced security.
A reputable cryptographic accelerator vendor should make all of the source code to the accelerator system available for inspection both by third party accreditation labs and by large customers. This can ensure the absence of deliberate “back doors” into the system.
The physical enclosure of the cryptographic accelerator can provide a cryptographic boundary so that attempted tampering can be detected and keys deleted. Cryptographic accelerators allow for the enforcement of enterprise-wide standards for key management etc.
Cryptographic accelerators are set to become one of the key elements of the enabling infrastructure for world-wide electronic commerce providing for instantly secure transactions between parties who have never before traded together.
In the light of the poor performance of general-purpose computers when performing modulo exponentiation, a number of companies have produced hardware accelerators that transfer the complex mathematics of the cryptography onto a separate processor. The nFast cryptographic accelerator can carry out approximately three hundred 1,024-bit RSA signatures per second. The overhead to the host operating system when issuing each command is approximately 60 microseconds when running on the Linux server mentioned above, while the time taken to perform the housekeeping tasks of SSL connections or SET transactions stays the same.
Testing the accelerator for SSL connections, we have so far failed to saturate the server with requests (due to a lack of enough suitably fast clients) but calculations indicate that with our accelerator fitted, the same 166MHz Intel Pentium based server should be able to handle around 240 new SSL connections each second. In the context of SET, the accelerator gives a slightly larger improvement when fully loaded.
As the time spent performing the cryptographic computation is large compared to the time spent performing other computations, and as the server is capable of carrying out more than one request at a time, the cryptography remains the largest part of the computation on the server. The result is a server that can carry out about 50 SET transactions per second, providing the acquirer can keep up with this rate. As it is likely that the banks will employ cryptographic accelerators themselves, this seems plausible.
Table shows a summary of these figures.
Therefore, we see that cryptoghraphy is very important in computer architecture and accelerating the cryptoghraphy improves computers’ performances.
The Internet is an inherently insecure medium. Sensitive data must be encrypted before being dispatched, meaning that all Virtual Private Network (VPN) traffic must be encrypted before it is transmitted. This is particularly important for e-commerce involving credit card numbers, bank statements, corporate proprietary records, and other sensitive data.
The growing popularity of e-commerce and VPNs is making cryptographic security a critical gateway feature. But at the same time, it is creating a major gateway bottleneck. Internet gateways handle enormous volumes of traffic from many simultaneous sessions. Computational demands of security are greater compared to other gateway tasks. Consequently, as secure sessions become more common, the usual gateway architecture is increasingly less suitable.
Security functions are overly burdensome largely due to the nature of algorithms employed and the fact every byte in a packet must be processed. Most other gateway tasks only operate on packet headers. Cryptography works on the premise that an encrypted message is virtually impossible to decode by an unauthorized user, but is merely difficult to the authorized user. The algorithms used to implement security, encryption, compression, and authentication can be performed in software, which is ideal for systems handling small numbers of connections.
However, when large numbers of users exercise the same security features at the same time, they create a bottleneck that cannot be alleviated with software implementations. In this instance, performance must be achieved through specialized hardware.
Internet Protocol security or IPSec is the security measure for protecting corporate data and access to corporate resources over the Internet, regardless whether those accesses come from the remote user or branch office. These users access the Internet via a local connection to their service provider and data is encrypted via that channel to create the VPN. The implementation of IPSec can be in a firewall, integrated as a feature in a router, or in a separate dedicated VPN gateway.
Remote access and branch office applications take into account a great number of telecommuters and field sales personnel in most cases. Plus, branch offices may have upwards of 50 or more remote locations worldwide. Each may have multiple T1 or T3 lines to the Internet, and they transfer data among themselves, as well as with headquarters. Hence, the requirements on the headquarters gateway are exceptionally high in terms of the demanded bandwidth, which, in turn, creates major traffic bottlenecks.
Crypto Servers are used to handle the problems related to security issues while remote data communication occurs.
Next PagePrevious Page