Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emphasis on Hardware Assisted Cryptography

Analysis of Security and Compliance using Sun UltraSPARC T-Series Servers Ramesh Nagappan, Principal Security Engineer Chad Prucha, Principal Solutions Manager

Agenda •  Oracle Security and Compliance Portfolio <Insert Picture Here> –  Technologies Overview •  Security using Oracle T-Series Servers –  Enabling On-chip Cryptographic Acceleration –  Role of Solaris Crypto Framework –  Applied scenarios in Oracle Database and Middleware –  Role of Sun Crypto Accelerator 6000 •  Performance Characteristics •  Achieving Compliance Goals –  HIPPA, PCI-DSS…. •  Summary

The Perfect Storm: IT Insecurity Security has taken unprecedented importance ….everywhere!   Security is one of today’s most critical IT business challenges. o  Cyber threats, attacks and associated data exposures are the fastest growing crimes ! o  Greater business impacts due to increasing threats and exploits.   Regulatory statutes enforce organizations act proactively to secure information lifecycle. o  PCI DSS, SOX, HIPAA, FISMA, EU Data Protection and more. o  Mandates organizations to enforce data confidentiality, integrity and compliance in critical business processes and Web applications.   Stronger demand for high-performance security in applications, data, communications and networks.   Encryption is becoming crucial to IT Security   Deliver predictable scalability, end-to-end latencies and response times including security, virtualization and QoS characteristics.

IT Security: Pre-judicial Barriers   Security is often considered as an afterthought or a retrofit solution. o  Many of them late to realize…..“NO ROLLBACK” for a security breach. o  After a breach…all post-mortem reactive measures hardly recover any damage. o  Ignorance and blind assumptions often leads to underestimating security risks.   Security options are commonly ignored as “Performance Overheads”. o  Performance benchmarks usually do not include real-world application characteristics o  Cryptographic operations, access control & authentication schemes, non-deterministic payloads, content-encoding schemes burdens CPU & Network. •  2X+ slowdowns are widely common after going secure ! •  Crypto overheads vary by content/usage scenario – tuning don’t make sense! o  Lack of understanding to security technologies   Growing IT costs and complexity to identify and defend applications against known risks and vulnerabilities. o  Higher costs hindering adoption of security technologies

Security & Compliance Who is behind the scene

Security & Compliance Infrastructure Security Components of a Oracle SPARC Enterprise T-Series Server

Exploring Security

Role and Relevance of Cryptography Adopting Cryptography for IT Security   Cryptography plays a vital role in IT Security. o  Securing the Network, Applications, Communications and Data •  Confidentiality and Integrity of data and communication •  Non-repudiation of transactions •  Access control and Availability o  Data privacy and regulatory compliance   Cryptographic algorithms and operations contributes to all levels of application security. o  Network-layer Security o  Transport-level Security o  Message-level security o  Application-layer security

Adopting Cryptography: Pain Points Common challenges and stumbling issues   Cryptographic functions tends to be computationally- intensive and requires lot of CPU and Network bandwidth. o  Applications slowdown while performing cryptographic operations   How to avoid performance degradation using cryptographic accelerators or Hardware Security Modules (HSM). o  Eliminate performance overheads associated with cryptographic functions.   How to enable applications to incorporate cryptographic functions for application-level security.   May use non-invasive mechanisms (ex. using PKCS11) … or go intrusive with tight integration of proprietary frameworks.   Understanding the usage of relevant cryptographic algorithms and its application scenarios. o  There is no silver bullet – It is critical to know the applied scenario and how the crypto mechanism is being used.

Applied Cryptography Common security applications using Crypto mechanisms   SSL o  De-facto standard for securing HTTP in Web applications and Browser based VPNs o  Based on public-key algorithms   IPSec o  Widely used in enabling Site-to-Site/Host-to-Host VPN o  Based on symmetric-key encryption and message digest algorithms   SSH   Remote authentication to hosts using a secure channel using public-key encrption.   WS-Security   OASIS Standard for securing XML Web Services and SOA applications   XML Encryption and Signature use Public-key Cryptography   PKI based Applications. o  Identity Management and Assurance, Telco (3G/4G/WiMAX), Digital signature based DRM, Smartcards and Biometrics

Security vs. Performance Understanding the overheads with Cryptography – SOA Scenario SSL using RSA-2048 and WS-SecurityPolicy using Basic128Sha256Rsa15 (Algorithm suite). Significant performance slowdown occurs after using SSL and WS-Security.

Anatomy of SSL Ciphers vs. Execution times “Significant time” spent on cryptographic functions with specified ciphers.

Effect of Cryptographic Acceleration Understanding the performance gains for an SSL scenario Significant performance GAINS can be achieved only using Hardware SSL accelerator.

Cryptographic Acceleration Using Oracle SPARC Enterprise T-Series Servers

On-chip Crypto Accelerators: Evolution The UltraSPARC T-Series Processor Family   UltraSPARC T1 – 8 Crypto Accelerators o  8 Cores with One accelerator per core o  Introduced industry-first on-chip cryptographic accelerators o  Cryptographic accelerators run in parallel with clock-speed o  Introduced “Public-key Encryption” algorithms (ex. RSA)   UltraSPARC T2/T2+ – 8 Crypto Accelerators o  8 Cores with One accelerator per core o  Introduced support for Bulk-encryption (AES,3DES/DES, RC4) and Message digests (MD5, SHA-1, SHA-2) o  Introduced support for Elliptic-curve Cryptography (ECC)   UltraSPARC T3 – 16 Crypto Accelerators o  16 cores with One accelerator per core o  Additional algorithms for Message digests (SHA-512) o  Introduced support for Kasumi algorithm.

Cryptographic Capabilities and Algorithms T3 Processor 16

On-Chip Crypto Accelerators System Characteristics   Crypto Accelerators operate in parallel with CPU speed delivering encryption and decryption   Accelerators are shared by all the core’s strands   T1/T2/T2+/T3 provide light-weight accelerator drivers for Solaris o  /dev/ncp0 o  Handles Public-key Encryption Algorithms o  /dev/n2cp0 o  Handles Bulk Encryption and Hash algorithms o  /dev/n2rng0 o  Handles Random Number Generation o  Communicates via Memory-based Word Queue o  Stateless communication, just fire and forget. o  Consumer is informed when the operation is complete   Access to accelerators are controlled using Solaris Cryptographic Framework and Kernel Modules o  Using PKCS#11 standard interfaces and Solaris Kernel modules

On-chip vs Off-chip Accelerators Comparison with Commercial Accelerators

SPARC T-Series – Onchip Crypto Comparison with Commercial Accelerators/HSMs 6 Crypto Unit + = Up to Six Virtual Machines with Full Crypto Capability Six card slots filled (maximum) SPARC Enterprise T3-1 16 Crypto Units = Up to 16 Virtual Machines with Full Crypto All card slots available 2x Capacity 19

Accessing On-chip Crypto Accelerators Operational Characteristics   Access to accelerators are managed using Solaris Cryptographic Framework (SCF). o  SCF acts as an intermediary gateway between applications and cryptographic providers. o  Applications use Sun PKCS#11 Provider to access accelerator o  Java Sun-PKCS#11 o  OpenSSL PKCS#11 Engine o  NSS/JSS APIs using PKCS11   Solaris Kernel Modules can directly access accelerators. o  Kernel SSL (KSSL) o  IPSec

Sun Cryptographic Accelerator 6000 – PCIe Card   A full-fledged Hardware Security Module (HSM) o  Secure Key Storage (Escrow and Recovery) o  High-performance cryptographic accelerator o  FIPS-140-3 Compliant o  Supports Solaris SPARC/X64 and Linux   NIST approved cryptographic algorithms   RSA, DSA, DH, ECC   AES, DES, 3DES   MD5, SHA-1, SHA-512   Intended for Financial and Government applications where Secure Key Storage is critical. o  Oracle Advanced Security, Financials, etc. o  PIN and Card Verification Functions

SCA 6000 – Usage Scenarios   Tested and Certified for use in FIPS and NON-FIPS modes o  Oracle Database Advanced Security Scenarios o  TDE Master Key Management o  TDE Network Encryption and Acceleration o  Oracle Fusion Middleware (SOA and XML Web Services Security) o  Oracle Web Services Manager (SSL and WS-Security scenarios) o  Oracle WebLogic (SSL and WS-Security scenarios)

Enabling Cryptographic Acceleration Applied Techniques and Usage Scenarios

Solaris Cryptographic Framework   Common framework for performing /consuming / integrating cryptographic providers. o  Hardware or Software. o  Kernel or Userland. o  Extensible in order to permit custom functions o  Facilitates PKCS#11 for consumer and providers   By default, supports major NIST approved algorithms o  Encryption: AES, Blowfish, RC4, DES, 3DES, RSA. o  Digests: MD5, SHA-1, SHA-256, SHA-384, SHA-512. o  MAC: DES MAC, MD5 HMAC, SHA1 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC o  Optimized for SPARC, Intel and AMD

Solaris KSSL   Facilitates an SSL Proxy service for applications and performs SSL operations right in the Solaris Kernel. o  Integrates Solaris Cryptographic Framework and its supporting ciphers.   Makes use of underlying Hardware based Cryptographic accelerators and Hardware Security Modules (HSM). o  Automatically makes use of cryptographic accelerators for SSL operations, no additional configuration. o  Use PKCS#11 for supporting HSMs for private key storage.   Non-intrusive SSL configuration, independent of relying applications. o  Managed via Solaris Service Management Facility (SMF)   Can act as SSL proxy for Non-SSL aware applications that does not provide PKCS#11 support.   Delivers 25% - 35% faster SSL performance.

Using KSSL for Transport-layer Security Applied Scenario 26

End-to-End Transaction Security Applied Use Cases HTTP HTTP HTTP HTTP SQLNET SSL Oracle Oracle Web Server Fusion Database SSL SSL Middleware SSL Server SSL / WS-Security Encrypt/ SOAP Decrypt SSL / WS-Security Oracle Archive Database •  SPARC T3 accelerates Oracle WebLogic SSL and Web Services Manager 11g (OWSM). •  SSL, WS-Security scenarios •  SPARC T3 accelerates Oracle Transparent Data Encryption (TDE) operations 27

Performance Studies

Secure Performance With and Without Acceleration ^134h>96can#A*IC! Ajladsf0^HLh3f*&lJ 4704 1234 5678 1594 *NHSD6%lk)+>kjh!1 Without T3 Crypto Assist T3 Crypto Assist Enabled 3.5x Faster CPU MEM CPU MEM 80% 70% 50% 25% 29

Secure Performance With and Without Acceleration ^134h>96can#A*IC! 4704 1234 5678 1594 Ajladsf0^HLh3f*&lJ 4704 1234 5678 1594 *NHSD6%lk)+>kjh!1 Without T3 Crypto Assist T3 Crypto Assist Enabled 3.5x Faster CPU MEM CPU MEM 80% 70% 40% 25% 30

SPARC Enterprise T-Series Only Enterprise Server with Built-in Crypto 6 Crypto Unit + = Up to Six Virtual Machines with Full Crypto Capability Six card slots filled (maximum) SPARC Enterprise T3-1 16 Crypto Units = Up to 16 Virtual Machines with Full Crypto All card slots available 2x Capacity 31

Effect of Accelerated SSL vs No SSL Weblogic SSL Performance on T3 : Using KSSL vs. JCE vs. No SSL

Oracle TDE performance using T3 •  T3 crypto speeds up query execution by 3-5x !!

Achieving Compliance

HIPAA-HITECH Compliance Scenario Rules of Thumb: Encrypt PHI – in transit, in situ HTTP -50% -50% -30% HTTP HTTP HTTP SQLNET SSL Oracle Oracle Web Server Fusion Database SSL SSL SSL Middleware SSL Server WebLogic 11g SOAP Web Services Manager 11g SSL Oracle Archive Database 35

HIPAA-HITECH Options Rules of Thumb: Mitigation Strategies NLB – SSL Accelerator NLB – SSL Accelerator NLB – SSL Accelerator Aftermarket Card HTTP -50% -50% -30% HTTP HTTP HTTP SQLNET SSL Oracle Oracle Web Server Fusion Database SSL SSL SSL Middleware SSL Server WebLogic 11g SOAP Web Services Manager 11g SSL Oracle Archive   Add 6 RUs Aftermarket Card Database   Add 50% Cooling   Add 30% Power   Add 30% Admin 36

PCI-DSS Compliance Scenario Rules of Thumb: Especially in situ, Even Warehoused Data HTTP -50% -50% -40% HTTP HTTP HTTP SQLNET SSL Oracle Oracle Web Server Fusion Database SSL SSL SSL Middleware SSL Server WebLogic 11g SOAP Web Services Manager 11g SSL Oracle Archive Database 37

PCI-DSS Options Rules of Thumb: Mitigation Strategies NLB – SSL Accelerator NLB – SSL Accelerator NLB – SSL Accelerator HTTP -50% -50% -30% HTTP HTTP HTTP SQLNET SSL Oracle Oracle Web Server Fusion Database SSL SSL SSL Middleware SSL Server WebLogic 11g SOAP Web Services Manager 11g SSL Oracle Archive   Add 12 RUs Aftermarket Card Database   Add 50% Cooling Aftermarket Card   Add 50% Power   Add 30% Admin 38

Summary

The cost of security Better TCO with T3 crypto } Twice server capacity = half the footprint Crypto overhead reduced to 10% from 30% CPU Latency reduced by 20X No add-ons and introduction of complexity Lower TCO Simple to administrate Faster to deploy 40

Program Agenda Example •  Our understanding of XYZ <Insert Picture Here> •  Capabilities and value drivers •  Benefits and assessments •  Oracle solutions •  Oracle credentials •  Appendix

Q&A Chad Prucha, albert.prucha@oracle.com Ramesh Nagappan, ramesh.nagappan@oracle.com

Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emphasis on Hardware Assisted Cryptography

by Ramesh Nagappan

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emphasis on Hardware Assisted Cryptography Presentation Transcript