Crypto Acceleration and Security for SOA

Crypto Acceleration and Security for SOA

Presenter: Mark BalsomRole: Sales Engineering ManagerDate: 25th September 2008

Crypto Acceleration and Security for SOA 30/09/2008

Corporate Overview

nCipher is the world’s leading cryptographic hardware security provider> Developer of World’s first SSL Accelerator

Founded in 1996 in Cambridge, UK ~200 employees worldwide

Global presence with corporate centres in Cambridge, Boston, Tokyo> Also sales offices in Atlanta, Chicago, New York, San Francisco, Washington, Paris,

Madrid, Frankfurt, Hong Kong, Singapore, Sydney.

Publicly traded since October 2000 on London Stock Exchange (LSE:NCH)A Microsoft “Security Partner of the Year”Well regarded by Gartner, KPMG and other industry analysts

nCipher


• Security is based on Public Key cryptography• SSL delivers encrypted, confidential links• Certificates establish identity between entities

Who are you?

??

SSL Background


FirewallFirewall

ServerServer

Client makes Client makes connection to siteconnection to site

Server has Server has x509v3 Certificatex509v3 Certificate

Establishing the Session


ServerServer

Server sends copy of Server sends copy of Certificate to ClientCertificate to Client

Serial Number: 6cb0dad0137a5fa79888f

Validity: Nov.08,1997 Nov.08,1998

Subject / Name / OrganizationLocality = InternetOrganization = VeriSign, Inc.Organizational Unit = VeriSign Class 2 CA - Individual Subscriber

Status: ValidPublic Key:ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl

Signed By: VeriSign, Inc.: kdiowurei495729hshsg0925h309afhwe09721h481903207akndnxnzkjoaioeru10591328y5

The Client verifies the server by checking the validity and origin of

the certificateValid Chain ✔

Not Revoked ✔Not Expired ✔

URL Matches ✔

Client Validates Server


ServerServer

1) The Client generates a random 128 bit symmetric keyThis will be the basis of the “session key”

13434344573912457624572541343434457391245762457254

2) The Client encrypts this “session key”with the Server’s Public Key

(found in the certificate)

^&W£*SDH£&SHD&£H&DH£&^&W£*SDH£&SHD&£H&DH£&

3) The Client sends the 1024 bit encrypted “session key” to the Server

Client Sends Encrypted Session Key


ServerServer

13434344573912457624572541343434457391245762457254

The Server decrypts the “Session Key”with its Private Key

13434344573912457624572541343434457391245762457254

The RSA decryption operation saps server CPU - this is the problem!

Server Decrypts Session Key


ServerServer

This encrypted tunnel prevents eavesdropping and positively identifies

the Server to the Client

An encrypted tunnel, based on that key, is established

between Client and Server

13434344573912457624572541343434457391245762457254

13434344573912457624572541343434457391245762457254

The Session Key has now been shared securely

Encrypted Tunnel


Average and Peak Loads


Ser

ver R

eque

sts

Time

Length of queue

Peak Load Management


Unaccelerated


Accelerator Assisted


‘Web 2.0’ – Additional Security Features

In addition to SSL functionality, used to secure communications, Vordel’s products also provide the rich XML Security Functionality demanded by Service-Oriented Architectures;

• XML Signing (non-repudiation)• XML Encryption/Decryption

XML Signatures and XML Encryption underpin WS-Security and SAML

Beyond SSL – Web Services


‘Web 2.0’ – Additional Security Overhead

Each message needs protection. The overhead of the cryptography required to sign a single XML message or to decrypt any XML message is just as high as that required to perform an SSL handshake. Without Crypto Acceleration there could be very little CPU left...

Performance bottlenecks could be experienced as a result of peaky traffic, or while batches of operations are processed. This should be a concern to anyone concerned about latency (eg. Telcos, Financial Services).

Offloading this security processing is the solution.nCipher hardware provides up to 4000 transactions per second (up to 600 at 2048-bit).

Beyond SSL – Web Services


XML Gateways are dedicated appliances, the best designs taking on both the cryptographic processing and the associated XML processing, removing this overhead from your application hosts.

Vordel solutions feature onboard nCipher Hardware in addition to XML processing acceleration.

Vordel VX4000 and VX8000 platforms are availablewith onboard nFast Accelerator or nShield HSM

Offloading Intensive Operations


Key finding attacks

A simple CGI script can search the virtual memory of the server or cause a core dump… to gain access to the key

“…scientists recently demonstrated a simple program that can extract the secret keys locked in a Web server used to process credit card transactions…” January 5, 2000

Why HSMs : Needle in a Haystack?


nCipher Crypto Hardware

nFast Accelerator

4000 cryptographic transactions per secondStandard PCI 2.3 compliant card

nShield Hardware Security Module

Available in FIPS 140-2 Level 2 (Tamper Evident) or Level 3 (Tamper Resistant) versions.4000 cryptographic transactions per secondStandard PCI 2.3 compliant card


Sample Users


Summary

Processing Web Services transactions is highly processor intensive – each individual message generating crypto overhead

nCipher’s hardware solve the performance issues that will be obvious to Systems Administrators, and can address the security issues that are less apparent

Vordel’s appliance solutions harness these technologies, but also accelerate the processing of XML transactions, removing this workload from your servers and moving it out to the network

Any Questions?

Conclusion

Crypto Acceleration and Security for SOA

Thank You!Mark Balsom

Email: [email protected]

Crypto Acceleration and Security for SOA

Documents

Transcript of Crypto Acceleration and Security for SOA