Since its inception in 1995, SSL or Secure Socket Layer has been the standard protocol for providing critical security services to Internet users worldwide. SSL encompasses multiple cryptographic algorithms of varying strengths, making it appropriate for use in both domestic and export scenarios simply by manipulating the supported ciphers. SSL has gone through a number of versions over the past 7 years, and has recently come to be known as TLS, or Transport Layer Security. SSL version 3.1 and TLS version 1.0 are different names for the same protocol.

Background

In addition to encrypting data or providing confidentiality, the characteristic for which it is best known, SSL also offers message integrity, authentication, and key exchange services. Although SSL neatly comprises these four security services, they are actually offered by three to four distinct mechanisms within SSL:

Confidentiality is offered by symmetric ciphers, or shared-secret key cryptography. This sort of cryptography is very fast, not very computationally demanding, and uses a single key for both encrypting and decrypting data. Symmetric ciphers used by SSL include DES, 3DES, RC2, and RC4 and can range in strengths from 40 bits to 168 bits.

Message Integrity is a mechanism through which SSL guarantees that data that has been transferred has not been tampered with. The way in which SSL provides this service is via Message Digests, or Hashing. Message Digests work by taking input of any length and calculating based on that input a unique fixed length output. Changing even a single character in the source would result in a change to the output, or the digest, and it is theoretically impossible for two different sources to result in the same digest. Message digests used by SSL include MD5 and SHA1.

Authentication and Key Exchange, although separate functions, are commonly grouped together because they are usually provided by the same routine, namely, the RSA “Handshake”. Authentication is based upon x.509 certificates, commonly known as Digital Certificates. Digital Certificates are issued by well-known Certificate Authorities such as Verisign, and they contain digitally signed identifying information for the subject and the issuer, a range of temporal validity, and the subject’s Public-Key. It is the public key that is at the core of the RSA key exchange, along with its mated counterpart, the private key. This key exchange employs a technique known as asymmetric or public-key cryptography, which means that one key is used for encryption (generally the public key) and another is used for decryption (the private key). Unlike symmetric cryptography, asymmetric cryptography is terribly computationally intensive, and can burden even today’s fastest processors. Because each new SSL connection that is established incurs an RSA operation, high-traffic secure sites realized long ago that they needed a means of minimizing the performance degradation their sites were experiencing by bearing the necessary burden of cryptography.

The SSL Accelerator was introduced in 1998 to solve the problem of site slow-downs caused by running SSL in software. Available in either PCI or SCSI form factors, the hardware SSL Accelerator was a dedicated co-processor that excelled at random number generation, and at performing modular exponentiation, the math behind the RSA operation. Although the accelerator sped the RSA operation, it had a number of drawbacks: it required special software and drivers in order to work, it was only able to accelerate one server at a time, and it did nothing for the other components of SSL. While the first two drawbacks affected interoperability, maintainability, and scalability, the third proved to be the greatest limiting factor of the accelerator.

SonicWALL SSL Offloaders

Beginning where SSL accelerators left off, SSL offloaders process not only the asymmetric component of SSL, but all components of SSL. This means that with an offloader, the host CPU on the web-server is not responsible for processing any portion of the SSL traffic. Also, offloaders are appliance-based rather than bus-attached solutions, providing universal compatibility with web and application server platforms, and obviating the need to load special software or drivers on the servers. Moreover, because offloaders are network attached, they can offload multiple servers rather than just one, and they can also scale easily to accommodate any size site.