SSi Service Strategies Inc.

SSL Technology Solutions

SSL Technology Solutions

Since its inception in 1995, SSL, or Secure Sockets Layer, has been the standard protocol for providing critical security services to Internet users worldwide. SSL encompasses multiple cryptographic algorithms of varying strengths, making it appropriate for both domestic and export scenarios simply by adjusting the set of supported ciphers. SSL has gone through a number of versions over the past 7 years, and has recently come to be known as TLS, or Transport Layer Security. SSL version 3.1 and TLS version 1.0 are different names for the same protocol.

Background

In addition to encrypting data, or providing confidentiality, the characteristic for which it is best known, SSL also offers message integrity, authentication, and key exchange services. Although SSL neatly comprises these four security services, they are actually delivered by three to four distinct mechanisms within SSL:

- Confidentiality is offered by symmetric ciphers, or shared-secret key cryptography. This sort of cryptography is very fast, not very computationally demanding, and uses a single key for both encrypting and decrypting data. Symmetric ciphers used by SSL include DES, 3DES, RC2, and RC4, and they range in strength from 40 bits to 168 bits.
- Message Integrity is the mechanism through which SSL guarantees that transferred data has not been tampered with. SSL provides this service via Message Digests, or hashing. A message digest takes input of any length and calculates a fixed-length output from it. Changing even a single character in the source changes the output, or digest, and it is computationally infeasible to find two different sources that result in the same digest. Message digests used by SSL include MD5 and SHA1.
- Authentication and Key Exchange, although separate functions, are commonly grouped together because they are usually provided by the same routine, namely the RSA "Handshake". Authentication is based upon X.509 certificates, commonly known as Digital Certificates. Digital Certificates are issued by well-known Certificate Authorities such as Verisign, and they contain digitally signed identifying information for the subject and the issuer, a range of temporal validity, and the subject's Public Key. It is the public key that is at the core of the RSA key exchange, along with its mated counterpart, the private key. This key exchange employs a technique known as asymmetric or public-key cryptography, in which one key is used for encryption (generally the public key) and another is used for decryption (the private key). Unlike symmetric cryptography, asymmetric cryptography is extremely computationally intensive, and can burden even today's fastest processors. Because each new SSL connection that is established incurs an RSA operation, high-traffic secure sites realized long ago that they needed a means of minimizing the performance degradation they were experiencing from bearing the necessary burden of cryptography.

The SSL Accelerator was introduced in 1998 to solve the problem of site slow-downs caused by running SSL in software. Available in either PCI or SCSI form factors, the hardware SSL Accelerator was a dedicated co-processor that excelled at random number generation and at performing modular exponentiation, the math behind the RSA operation. Although the accelerator sped up the RSA operation, it had a number of drawbacks: it required special software and drivers in order to work, it could accelerate only one server at a time, and it did nothing for the other components of SSL. While the first two drawbacks affected interoperability, maintainability, and scalability, the third proved to be the greatest limiting factor of the accelerator.
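To put the cost asymmetry described above in numbers, here is an added Python illustration (not SSi's or SonicWALL's code) that times a key-sized modular exponentiation, the RSA private-key operation a server performs for each new connection, against the SHA1-based integrity check for one 16 KB SSL record. The modulus, exponent and record data are constructed at random; the ratio between the two costs, not the absolute figures, is the point.

```python
"""Added illustration: why the per-connection RSA operation, not bulk
encryption or message digests, was the SSL bottleneck accelerators targeted."""
import hashlib
import hmac
import secrets
import time


def rsa_private_op_cost_ms(bits: int = 1024, trials: int = 5) -> float:
    """Time one key-sized modular exponentiation, the math behind an RSA
    private-key operation. A random full-length odd modulus stands in for a
    real RSA modulus (constructed here); the cost depends only on operand
    sizes, not on whether n is a product of two primes."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # bits-long, odd
    d = secrets.randbits(bits) | (1 << (bits - 1))       # exponent of key size
    c = secrets.randbelow(n)                              # a "ciphertext"
    start = time.perf_counter()
    for _ in range(trials):
        pow(c, d, n)
    return (time.perf_counter() - start) * 1000 / trials


def record_mac_cost_ms(record_len: int = 16384, trials: int = 50) -> float:
    """Time the integrity check for one maximum-size SSL record: an
    HMAC-SHA1 tag over the record (TLS uses MD5- or SHA1-based HMACs here).
    Key and record contents are constructed sample data."""
    key = secrets.token_bytes(20)
    record = secrets.token_bytes(record_len)
    start = time.perf_counter()
    for _ in range(trials):
        hmac.new(key, record, hashlib.sha1).digest()
    return (time.perf_counter() - start) * 1000 / trials


def handshake_to_record_ratio(bits: int = 1024) -> float:
    """How many full-size record digests cost as much as one RSA handshake op."""
    return rsa_private_op_cost_ms(bits) / record_mac_cost_ms()


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(f"RSA-{bits} private-key op: {rsa_private_op_cost_ms(bits):.2f} ms")
    print(f"HMAC-SHA1 over one 16 KB record: {record_mac_cost_ms():.4f} ms")
    print(f"one RSA-1024 op costs about {handshake_to_record_ratio():.0f} record digests")
```

Doubling the key size roughly multiplies the exponentiation cost by eight, which is why the handshake dominated as sites moved from 512-bit to 1024-bit and larger keys while the record digest cost stayed flat.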

SonicWALL SSL Offloaders

Beginning where SSL accelerators left off, SSL offloaders process not only the asymmetric component of SSL, but all components of SSL. This means that with an offloader, the host CPU on the web-server is not responsible for processing any portion of the SSL traffic. Also, offloaders are appliance-based rather than bus-attached solutions, providing universal compatibility with web and application server platforms, and obviating the need to load special software or drivers on the servers. Moreover, because offloaders are network attached, they can offload multiple servers rather than just one, and they can also scale easily to accommodate any size site.

Service Strategies Inc.
Copyright © 1998 - 2002 Service Strategies Inc. All rights reserved.
Revised: April 04, 2005.