
AXL600L SSL accelerator card

Questions & Answers

The AXL600L SSL accelerator card overcomes the performance bottleneck in SSL-secured Linux application servers. It provides customers the headroom to cost-effectively handle peaks in transaction volumes.

Retired  



Questions

Secure Socket Layer
1. What is Secure Sockets Layer (SSL)?
2. Go a little deeper into what SSL really is?
3. How is SSL implemented in products today?
 
SSL Market
1. What is the market for SSL?
2. What are the major secure web servers in the market?
 
General
1. What SSL-secured applications are appropriate targets for the hp/Atalla AXL600L?
2. What Web Servers are supported by the hp/Atalla AXL600L?
3. What operating systems are supported by the hp/Atalla AXL600L?
 
SSL Performance Bottleneck
1. What is the general performance of SSL?
2. What is the SSL performance bottleneck?
3. How do you overcome the SSL performance bottleneck?
 
Performance
1. What is the raw performance of the hp/Atalla AXL600L?
2. What will I see in my web server environment?
3. How does the hp/Atalla AXL600L achieve its extraordinary performance?
4. Are you talking about MultiPrime™ now?


 

Answers

Secure Socket Layer
Q1. What is Secure Sockets Layer (SSL)?
A1. Secure Sockets Layer (SSL) is the de facto industry standard cryptographic protocol for the Internet today. Unlike other well-known protocols, such as Secure Electronic Transactions (SET) for credit card transactions over the Internet, SSL does not require a complex architecture to be in place before use. SSL is efficient, easy to integrate, and is interoperable in most cases. For these reasons, SSL is not just for Internet payments applications, but has been deployed in many different application areas within the Internet.
Q2. Go a little deeper into what SSL really is?
A2. SSL is defined as "a cryptographic protocol to protect the digital communications between a browser (or client) and a server (or host)." This protocol allows for the choice of different cryptographic algorithms, but the one constant is that the server must authenticate itself to the browser with a certificate trusted by the browser. Client-side authentication is an option that is used by less than one percent of SSL implementations.
Q3. How is SSL implemented in products today?
A3. The Gartner Group estimates that SSL has been implemented in over 1200 Internet application solutions worldwide. All but a few have been implemented in software, at best a partial security solution. Software running on a general-purpose server provides an inherently insecure processing envelope for cryptographic keys, algorithms, and data. But security is really about risk management and for most implementations software is adequate today.
SSL Market
Q1. What is the market for SSL?
A1. Because SSL is deployed on Microsoft Internet Explorer and Netscape Navigator browsers on millions of clients, SSL easily became the de facto market standard that it is. According to Giga and Netcraft (a company focused on surveying the secure web market), SSL is implemented in over 1,000,000 secure servers worldwide, a figure that is growing by 300 percent per year. The server market is large today and it is growing.
Q2. What are the major secure web servers in the market?
A2. According to Giga and Netcraft, the secure web server market is led by Microsoft's IIS (both IIS 4.0 on NT 4.0 and IIS 5.0 on Windows 2000) and the open source Apache, both with 31 percent of the market. Netscape Enterprise Server (with many variations) holds the next position at 20 percent and the rest of the market, comprising many solutions, has 19 percent. Netscape and Microsoft may have more "production-ready" web servers than does the Apache web server. But Apache is the low-cost alternative and is used in the majority (over 54 percent) of non-secure web servers. Within secure Apache sites, about half build SSL support by compiling in the open source OpenSSL toolkit and the other half opt for a ready-made product like Stronghold.
General
Q1. What SSL-secured applications are appropriate targets for the hp/Atalla AXL600L?
A1. In general, SSL-secured applications that expect random user access with high traffic loads throughout the workday will be good targets for the hp/Atalla AXL600L. Each new user logging on represents a new SSL connection that requires a computationally intensive exponentiation to occur. On the other hand, intranets that have a finite number of users logging on to the server each morning may not be a good target.

Some target applications for the hp/Atalla AXL600L are freight shipping records, digital tickets, real estate assessments, digital content/property, on-line voting, package tracking, equities trading, insurance applications, patient record access, on-line registration, passenger security, order validation, claims processing, frequent flyer programs, home banking, and payment applications.
Q2. What Web Servers are supported by the hp/Atalla AXL600L?
A2. The AXL600L SSL Accelerator Card supports Netscape Enterprise Server release 6. The OpenSSL group supports the AXL600L in release 0.9.5a or later of its Open Source SSL toolkit for Apache. However, HP recommends customers use OpenSSL 0.9.6k or later because of security issues identified with earlier versions.
Q3. What operating systems are supported by the hp/Atalla AXL600L?
A3. The AXL600L has driver support for Red Hat Linux (kernel version 2.4.x or earlier).
SSL Performance Bottleneck
Q1. What is the general performance of SSL?
A1. SSL is the most popular network security protocol ever deployed, with millions of copies in use. SSL provides the benefits of privacy, authentication, and message integrity. However, those benefits come at a cost: they can decrease a server's capacity by up to two orders of magnitude. A study by Networkshop showed a Pentium server with Linux and Apache supporting 322 unsecured sessions. When SSL was turned on, the connects per second decreased to 2.4.
Q2. What is the SSL performance bottleneck?
A2. A mandatory component of the initial SSL handshake between browser and server is that the server authenticates itself to the browser. This requires the server to compute at least a single RSA operation, a private key decryption, to establish a secure session. The most common key length for this operation is 1024 bits. The basic math behind RSA is a modular exponentiation of a set of 1024-bit numbers. RSA private key operations are very compute intensive. This single operation may account for up to 95 percent of the processing of an SSL transaction. More than a few new SSL connections per second can overwhelm a web server.
Q3. How do you overcome the SSL performance bottleneck?
A3. The only way to overcome the SSL performance bottleneck is to offload the special-purpose cryptographic processing (modular exponentiation) from the general-purpose ProLiant or hp server to a special-purpose co-processor such as the hp/Atalla AXL600L SSL Accelerator Card.
Performance
Q1. What is the raw performance of the hp/Atalla AXL600L?
A1. The maximum performance throughput of the hp/Atalla AXL600L SSL Accelerator Card using today's standard web servers is 600 SSL connections per second using 1024-bit RSA operations. This was accomplished using a special test application (Mercury Interactive's LoadRunner web test tool) to simulate web traffic from a large web browser population.
Q2. What will I see in my web server environment?
A2. Server performance with the hp/Atalla AXL600L installed will vary with several factors. A major variable is the size of the web pages being processed by SSL. Processing large web pages will take CPU cycles away from SSL connections and diminish the number of new users that can sign on. In the many tests run thus far, no single processor has been capable of overrunning the capacity of the card. It has always taken at least a four-processor ProLiant server to approach the practical maximum performance of the hp/Atalla AXL600L. This means you are assured not to hit the SSL performance bottleneck once an hp/Atalla AXL600L is installed.
Q3. How does the hp/Atalla AXL600L achieve its extraordinary performance?
A3. The new ProLiant ML570G2 will be supporting the following two PCI-X adapters:
  1. 10/100/1000 Cu Gigabit PCI-X compatible NIC
  2. SA-5312 U3 Dual Channel PCI-X Smart Array Controller with 128MB BBC
Q4. Are you talking about MultiPrime™ now?
A4. Yes, MultiPrime™ is a technology patented by hp/Atalla that greatly accelerates the processing of the industry-standard RSA public key cryptography used by most SSL-secured web servers. It allows the compute-intense crypto operation to be split into three or more smaller mathematical problems, processed, and recombined for a final result without sacrificing security. RSA has licensed hp/Atalla's MultiPrime™ technology and is implementing it in all of its cryptographic toolkits. RSA is in the process of making MultiPrime™ an industry standard. Although it is not in any standard web servers today, it is in everyone's best interests to put it there in the near future.
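
Added example (not HP, Atalla or RSA code): the answer above describes splitting the RSA private-key operation into three or more smaller problems and recombining the result, and the bottleneck answer describes the single full-size modular exponentiation it replaces. The Python below shows both, using textbook multi-prime RSA with Chinese Remainder Theorem recombination; the toy primes, sample message and function names are assumptions constructed for illustration, and no padding is applied.

```python
# Added illustration: textbook multi-prime RSA with CRT recombination.
# Toy key built from three Mersenne primes (constructed for this example;
# far too structured and too small for real use). No padding is applied.
from math import prod

PRIMES = [2**89 - 1, 2**107 - 1, 2**127 - 1]   # constructed toy primes
E = 65537                                      # public exponent


def make_key(primes, e=E):
    """Return (n, d, per-prime CRT exponents d_i = d mod (p_i - 1))."""
    n = prod(primes)
    phi = prod(p - 1 for p in primes)
    d = pow(e, -1, phi)                 # private exponent (Python 3.8+)
    return n, d, [d % (p - 1) for p in primes]


def private_op_plain(c, d, n):
    """One full-size modular exponentiation: the handshake bottleneck."""
    return pow(c, d, n)


def private_op_crt(c, primes, d_parts):
    """Split into one small exponentiation per prime, then recombine."""
    # Each sub-problem works on numbers about 1/len(primes) the size of n.
    residues = [pow(c % p, dp, p) for p, dp in zip(primes, d_parts)]
    # Garner-style recombination: keep m == residues[i] (mod primes[i]).
    m, modulus = residues[0], primes[0]
    for p, r in zip(primes[1:], residues[1:]):
        h = ((r - m) * pow(modulus, -1, p)) % p
        m += modulus * h
        modulus *= p
    return m


def demo(message=0x48656C6C6F2C2053534C):      # constructed sample value
    n, d, d_parts = make_key(PRIMES)
    c = pow(message, E, n)              # public-key operation (client side)
    return private_op_plain(c, d, n), private_op_crt(c, PRIMES, d_parts)


if __name__ == "__main__":
    plain, crt = demo()
    print(hex(plain), hex(crt), plain == crt)
```

With schoolbook arithmetic a k-bit modular exponentiation costs on the order of k^3, so r primes of k/r bits each cost roughly 1/r^2 of the full-size operation before recombination overhead.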
© 2008 Hewlett-Packard Development Company, L.P.