TLS acceleration
TLS acceleration (formerly known as SSL acceleration) is a method of offloading processor-intensive public-key encryption for Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) to a hardware accelerator. Typically this means having a separate card that plugs into a PCI slot in a computer and contains one or more coprocessors able to handle much of the SSL processing. TLS accelerators may use off-the-shelf CPUs, but most use custom ASIC and RISC chips to do most of the difficult computational work.


Principle of TLS acceleration operation

The most computationally expensive part of a TLS session is the TLS handshake, in which the TLS server (usually a web server) and the TLS client (usually a web browser) agree on the parameters that establish the security of the connection. During the handshake the server and the client establish session keys (symmetric keys used for the duration of a given session), but the encryption and signing of the handshake messages themselves use asymmetric keys, which requires far more computational power than the symmetric cryptography used to encrypt and decrypt the session data. Typically a hardware TLS accelerator offloads the handshake while leaving the less intensive symmetric cryptography of the actual TLS data exchange to the server software, but some accelerators handle all TLS operations and terminate the TLS connection, so that the server sees only decrypted connections. Data centers sometimes employ dedicated servers for TLS acceleration in a reverse proxy configuration.


Central processor support

Modern x86 CPUs support Advanced Encryption Standard (AES) encryption and decryption in hardware, using the AES instruction set proposed by Intel in March 2008. Allwinner Technology provides a hardware cryptographic accelerator in its A10, A20, A30 and A80 ARM system-on-chip series, and all ARM CPUs have acceleration in the later ARMv8 architecture. The Allwinner accelerator provides the RSA public-key algorithm, several widely used symmetric-key algorithms, cryptographic hash functions, and a cryptographically secure pseudo-random number generator ("[PATCH v5] crypto: Add Allwinner Security System crypto accelerator", Linux ARM kernel mailing list).
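A practical check for the CPU support described above, added here as an example and not part of the original article: on Linux the kernel advertises per-core crypto instructions in /proc/cpuinfo (a "flags" line on x86 with "aes", "pclmulqdq" and "sha_ni"; a "Features" line on ARMv8 with "aes", "pmull", "sha1" and "sha2"), and a TLS library such as OpenSSL picks its accelerated code path at runtime when the feature is present. The cpuinfo texts embedded below are constructed samples, not captures from real hardware.

```python
"""Report which crypto-accelerating CPU features a Linux host advertises."""
import re

# Feature flag -> what it accelerates, per ISA family (Linux cpuinfo names).
X86_CRYPTO_FLAGS = {"aes": "AES-NI", "pclmulqdq": "GCM (CLMUL)", "sha_ni": "SHA extensions"}
ARM_CRYPTO_FLAGS = {"aes": "AES", "pmull": "GCM (PMULL)", "sha1": "SHA-1", "sha2": "SHA-256"}

# Constructed sample stanzas (not real hardware captures).
SAMPLE_X86 = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: constructed sample CPU
flags\t\t: fpu vme de pse sse sse2 ssse3 sse4_1 sse4_2 popcnt aes pclmulqdq avx avx2 rdrand
"""
SAMPLE_ARM = """processor\t: 0
model name\t: constructed ARMv8 sample
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU architecture: 8
"""
SAMPLE_OLD_X86 = """processor\t: 0
flags\t\t: fpu vme de pse sse sse2
"""

def parse_cpuinfo(text):
    """Return (isa, feature_set) from cpuinfo-style text.

    Only the first CPU stanza is examined; all cores are assumed identical.
    """
    m = re.search(r"^(flags|Features)\s*:\s*(.*)$", text, re.MULTILINE)
    if not m:
        return ("unknown", set())
    isa = "x86" if m.group(1) == "flags" else "arm"
    return (isa, set(m.group(2).split()))

def crypto_acceleration(text):
    """Map each known crypto feature label to True/False for the given cpuinfo text."""
    isa, feats = parse_cpuinfo(text)
    if isa == "unknown":
        return {}
    table = X86_CRYPTO_FLAGS if isa == "x86" else ARM_CRYPTO_FLAGS
    return {label: flag in feats for flag, label in table.items()}

def read_host_cpuinfo(path="/proc/cpuinfo"):
    """Read the live file; returns "" on non-Linux hosts so the report stays runnable."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""

if __name__ == "__main__":
    for name, text in (("x86 sample", SAMPLE_X86), ("ARMv8 sample", SAMPLE_ARM), ("this host", read_host_cpuinfo())):
        print(name, crypto_acceleration(text))
```

A missing "aes" flag on a server expected to terminate TLS usually means the feature is disabled by the hypervisor or the CPU model presented to the guest, so symmetric bulk encryption falls back to slower software paths.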


See also

* Coprocessor
* Public-key cryptography
* Stunnel
* Transport Layer Security
* Application delivery controller
* Hardware security module



External links


SSL Acceleration and Offloading: What Are the Security Implications?