Secure Socket Layer

Q1. What is Secure Sockets Layer (SSL)?

A1. Secure Sockets Layer (SSL) is the de facto industry standard cryptographic protocol for the Internet today. Unlike other well-known protocols, such as Secure Electronic Transactions (SET) for credit card transactions over the Internet, SSL does not require a complex architecture to be in place before use. SSL is efficient, easy to integrate, and is interoperable in most cases. For these reasons, SSL is not just for Internet payment applications, but has been deployed in many different application areas within the Internet.

Q2. Can you go a little deeper into what SSL really is?

A2. SSL is defined as "a cryptographic protocol to protect the digital communications between a browser (or client) and a server (or host)." This protocol allows for the choice of different cryptographic algorithms, but the one constant is that the server must authenticate itself to the browser with a certificate trusted by the browser. Client-side authentication is an option that is used by less than one percent of SSL implementations.

Q3. How is SSL implemented in products today?

A3. The Gartner Group estimates that SSL has been implemented in over 1200 Internet application solutions worldwide. All but a few have been implemented in software, at best a partial security solution. Software running on a general-purpose server provides an inherently insecure processing envelope for cryptographic keys, algorithms, and data. But security is really about risk management, and for most implementations software is adequate today.

SSL Market

Q1. What is the market for SSL?

A1. Because SSL is deployed on Microsoft Internet Explorer and Netscape Navigator browsers on millions of clients, SSL easily became the de facto market standard that it is. According to Giga and Netcraft (a company focused on surveying the secure web market), SSL is implemented in over 1,000,000 secure servers worldwide, a figure that is growing by 300 percent per year. The server market is large today and it is growing.

Q2. What are the major secure web servers in the market?

A2. According to Giga and Netcraft, the secure web server market is led by Microsoft's IIS (IIS 5.0 on Windows 2000 and IIS 6 on Windows Server 2003) and the open source Apache, each with 31 percent of the market. Netscape Enterprise Server (with many variations) holds the next position at 20 percent, and the rest of the market, comprising many solutions, has 19 percent. Netscape and Microsoft may have more "production-ready" web servers than does the Apache web server. But Apache is the low-cost alternative and is used in the majority (over 54 percent) of non-secure web servers. Within secure Apache sites, about half build SSL support by compiling in the open source OpenSSL toolkit and the other half opt for a ready-made product like Stronghold.

General

Q1. What SSL-secured applications are appropriate targets for the AXL300?

A1. In general, SSL-secured applications that expect random user access with high traffic loads throughout the workday will be good targets for the AXL300. Each new user logging on represents a new SSL connection that requires a computationally intensive exponentiation to occur. On the other hand, intranets that have a finite number of users logging on to the server each morning may not be a good target.

Some target applications for the AXL300 are freight shipping records, digital tickets, real estate assessments, digital content/property, on-line voting, package tracking, equities trading, insurance applications, patient record access, on-line registration, passenger security, order validation, claims processing, frequent flyer programs, home banking, and payment applications.

Wireless applications are expected to benefit greatly from security acceleration because wireless traffic patterns are expected to be comprised of a large quantity of relatively small sessions. It is this "session establishment" processing which places the greatest load on the server, and can receive the greatest benefit from an accelerator co-processor like the AXL300.

Q2. What Web Servers are supported by the AXL300?

A2. The AXL300 Accelerator PCI Card supports Netscape Enterprise Server releases 3.5 and 3.6, and iPlanet. The AXL300 further supports Microsoft IIS 5 on Windows 2000. The OpenSSL group supports the AXL300 in release 0.9.5 or later of its open source SSL toolkit for Apache. However, HP recommends customers use OpenSSL 0.9.6k or later because of security issues identified with earlier versions.

Q3. What about Microsoft IIS 4.0 running on Windows NT4?

A3. The prerequisite construct to support the AXL300 (Offload ModExpo) does not exist in IIS 4.0. This was a decision by Microsoft.

Q4. What operating systems are supported by the HP/Atalla AXL300?

A4. The AXL300 has driver support for Windows 2000 and Windows NT4.

SSL Performance Bottleneck

Q1. What is the general performance of SSL?

A1. SSL is the most popular network security protocol ever deployed, with millions of copies in use. SSL provides the benefits of privacy, authentication, and message integrity. However, those benefits come at a cost: SSL can decrease a server's capacity by up to two orders of magnitude. A study by Networkshop showed a Pentium server with Linux and Apache supporting 322 unsecured sessions. When SSL was turned on, the connections per second decreased to 2.4.

Q2. What is the SSL performance bottleneck?

A2. A mandatory component of the initial SSL handshake between browser and server is that the server authenticates itself to the browser. This requires the server to compute at least a single RSA operation, a private key decryption, to establish a secure session. The most common key length for this operation is 1024 bits. The basic math behind RSA is a modular exponentiation of a set of 1024-bit numbers. RSA private key operations are very compute intensive, requiring a tenth of a second on a Pentium II. This single operation may account for up to 95% of the processing of an SSL transaction. More than a few new SSL connections per second can overwhelm a web server.

Q3. How do you overcome the SSL performance bottleneck?

A3. The only way to overcome the SSL performance bottleneck is to offload the special-purpose cryptographic processing (modular exponentiation) from the general-purpose ProLiant Server to a special purpose co-processor such as the AXL300 Accelerator PCI Card.

Performance

Q1. What is the raw performance of the AXL300?

A1. The maximum performance throughput of the HP/Atalla AXL300 Accelerator PCI Card using today's standard web servers is 333 SSL connections per second using 1024-bit RSA operations. This was derived using a special test application (Mercury Interactive's LoadRunner web test tool) to simulate web traffic from a large web browser population.

Q2. What will I see in my web server environment?

A2. Server performance with the AXL300 installed will vary with several factors. A major variable is the size of the web pages being processed by SSL. Processing large web pages will take CPU cycles away from SSL connections and diminish the number of new users that can sign on. In the many tests run thus far, no single processor has been capable of overrunning the capacity of the card. It has always taken at least a four-processor ProLiant to approach the practical maximum performance of the AXL300. This means you are assured not to hit the SSL performance bottleneck once an AXL300 is installed.

Q3. How does the AXL300 achieve its extraordinary performance?

A3. What is extraordinary is that the AXL300 achieves over 300 SSL connections with, figuratively, one hand tied behind its back. Each AXL300 has a single chip which houses two special purpose cryptographic engines to accelerate SSL authentication processing. Today's web servers do not send the necessary mathematical constructs to take complete advantage of both engines. If web servers were to send the proper input to the AXL300, then both engines would be utilized to their maximum and overall performance would be dramatically improved.

Q4. Are you talking about MultiPrime™ now?

A4. Yes, MultiPrime™ is a technology patented by HP that greatly accelerates the processing of the industry-standard RSA public key cryptography used by most SSL-secured web servers. It allows the compute-intense crypto operation to be split into three or more smaller mathematical problems, processed, and recombined for a final result without sacrificing security. RSA has licensed HP's MultiPrime™ technology and is implementing it in all of its cryptographic toolkits. RSA is in the process of making MultiPrime™ an industry standard. Although it is not in any standard web servers today, it is in everyone's best interests to put it there in the near future.
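To make the arithmetic behind the bottleneck (A2 of the SSL Performance Bottleneck section: one full-size RSA private-key modular exponentiation per handshake) and the MultiPrime split-and-recombine idea (A4 above) concrete, here is an added Python example; it is not HP's, Atalla's or RSA's code. The three primes, the message and the function names `make_key`, `private_op_plain`, `private_op_crt` and `roundtrip` are constructed for illustration, and the primes are toy-sized so the run is instant.

```python
from functools import reduce
from math import gcd

# Constructed toy parameters: three primes just above 10**6 and the usual
# public exponent. Real keys use primes hundreds of bits long.
PRIMES = [1000003, 1000033, 1000037]
E = 65537

def is_prime(n):
    """Trial division, sufficient for the toy-sized primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def product(values):
    return reduce(lambda a, b: a * b, values)

def make_key(primes, e=E):
    """Multi-prime RSA key: n = p1*p2*p3, d = e^-1 mod (p1-1)(p2-1)(p3-1)."""
    assert all(is_prime(p) for p in primes) and len(set(primes)) == len(primes)
    phi = product(p - 1 for p in primes)
    assert gcd(e, phi) == 1
    return product(primes), e, pow(e, -1, phi)  # 3-arg pow with -1 needs Python 3.8+

def private_op_plain(c, n, d):
    """The single full-size modular exponentiation a server performs per handshake."""
    return pow(c, d, n)

def private_op_crt(c, primes, d):
    """MultiPrime-style split: one small exponentiation per prime, then CRT recombine."""
    n = product(primes)
    result = 0
    for p in primes:
        m_p = pow(c % p, d % (p - 1), p)        # reduced base, exponent and modulus
        n_p = n // p                             # product of the other primes
        result += m_p * n_p * pow(n_p, -1, p)    # CRT weight for this prime
    return result % n

def roundtrip(message):
    """Encrypt with the public key, then recover with both private-key methods."""
    n, e, d = make_key(PRIMES)
    c = pow(message, e, n)                       # the client-side public-key step
    return private_op_plain(c, n, d), private_op_crt(c, PRIMES, d)
```

Both private-key paths return the same plaintext; the CRT path does three exponentiations on 20-bit operands instead of one on a 60-bit modulus, which is the saving MultiPrime exploits at real key sizes.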