High Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted Cryptography Presentation Transcript

  • 1. Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • 2. High Performance Security With SPARC T4 Hardware Assisted Cryptography. Glenn Brunette, Ramesh Nagappan, Chad Prucha, Oracle Corporation
  • 4. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  • 5. Program Agenda
    • Security and the Business
    • Hardware Assisted Cryptography
    • Solaris 11 Security
    • Competitive Landscape
    • Next Steps
  • 6. Security Impacts the Business
  • 7. A Careful Balancing Act
  • 8. Performance and Scalability with Security: SPARC T4 and Solaris 11
  • 9. Program Agenda (repeated): Security and the Business; Hardware Assisted Cryptography; Solaris 11 Security; Competitive Landscape; Next Steps
  • 10. Understanding Encryption Overheads
    • Adopting encryption requires more CPU, memory, and network bandwidth!
      – Overhead varies by choice of key algorithm, key size and applied scenarios
    • Security becomes more critical, demanding predictable latencies, response times, throughput and other QoS characteristics.
    • Diagram: End-to-end Security – Multi-tier Applications Scenario
  • 11. Performance Impact without Hardware Assist. Example: Security Impact on SOA and Web Services (chart). Two-way SSL, RSA-2048, AES-256
  • 12. SPARC T4 Cryptographic Acceleration: Significant Performance Gains for SSL (Using Hardware) (chart). Two-way SSL, RSA-2048, AES-256
  • 13. Oracle Hardware Assisted Cryptography: Oracle SPARC T-Series Processors – Evolution of Crypto Acceleration
    • UltraSPARC T1 – 8 Crypto Accelerators
      – Industry's first on-chip cryptographic accelerators
      – Acts as a crypto coprocessor running in parallel at CPU speeds
    • UltraSPARC T2 / T2+ – 8 Crypto Accelerators
      – Added support for symmetric-key algorithms and message digests
    • SPARC T3 – 16 Crypto Accelerators
      – Expanded support for asymmetric and symmetric-key algorithms and message digests
    • SPARC T4 – On-Core Crypto
      – Hardware based crypto algorithms available as unprivileged ISA instructions
      – Direct access to on-core acceleration for fast processing, no drivers required
      – No special permissions and no setup required
  • 14. SPARC T3 and T4 Operational Models (diagram)
  • 15. Oracle SPARC T-Series Capabilities: Supported Cryptographic Algorithms and Mechanisms
    • Asymmetric / Public Key Encryption
      – UltraSPARC T2/T2+: RSA, DSA, ECC
      – SPARC T3: RSA, DH, DSA, ECC
      – SPARC T4: RSA, DH, DSA, ECC
    • Symmetric Key / Bulk Encryption
      – UltraSPARC T2/T2+: AES, DES, 3DES, RC4
      – SPARC T3: AES, DES, 3DES, Kasumi
      – SPARC T4: AES, DES, 3DES, Camellia, Kasumi
    • Message Digest / Hash Functions
      – UltraSPARC T2/T2+: MD5, SHA-1, SHA-256
      – SPARC T3: CRC32c, MD5, SHA-1, SHA-256, SHA-384, SHA-512
      – SPARC T4: CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
    • Random Number Generation: supported on UltraSPARC T2/T2+, SPARC T3 and SPARC T4
    • API Support
      – UltraSPARC T2/T2+: PKCS#11 Standard
      – SPARC T3: PKCS#11 Standard
      – SPARC T4: PKCS#11 Standard, uCrypto API
  • 16. Role of the Solaris 11 Cryptographic Framework
    • Manages access to hardware-assisted cryptography.
      – SPARC T-series processors; also supports Intel Westmere (AES-NI) and PKCS#11 based Hardware Security Modules (HSMs)
    • Acts as an intermediary gateway between applications and the underlying cryptographic hardware.
    • Applications all use an open, standard protocol (PKCS#11)
      – Java, OpenSSL, NSS/JSS, Apache
      – Oracle Database and Fusion Middleware
    • Additional Solaris security services
      – ZFS Encryption, SSH, Kernel SSL (KSSL), and IPsec
  • 17. The Role of Solaris Cryptographic Framework: Managing Cryptographic Accelerators and HSMs via PKCS#11 (architecture diagram)
    • Hardware providers: SPARC T3/T2/T1 on-chip accelerators; Sun Crypto Accelerator 6000 Hardware Security Module; SPARC T4 on-core crypto instructions; third-party accelerators and Hardware Security Modules
    • Applications (user space): Oracle Database 11g Transparent Data Encryption; Oracle Fusion Middleware 11g; Java JCE PKCS#11 Provider; Apache Web Server; OpenSSL
    • Framework components: libpkcs11.so (pluggable interface); pkcs11_softtoken.so and libsoftcrypto.so (shared libraries); Softtoken keystore in $HOME/.sunw; libpkcs11_kernel.so (service provider interface); kernel scheduler and load balancer
  • 18. End-to-End Security Scenario on Oracle T4
    • Oracle SPARC T4 has been verified to perform acceleration of encryption operations across:
      – Oracle Solaris (KSSL and ZFS Encryption), WebLogic (SSL), Web Services Manager (WS-Security and SSL), and Database (Transparent Data Encryption)
      – Solaris PKCS#11 Softtoken acts as a unified key store.
      – Use SCA-6000 for FIPS-140 requirements
  • 19. Oracle Advanced Security: Transparent Data Encryption using SPARC T4 Acceleration (diagram). Components shown: Network Encryption; Strong Authentication; Master Key held in Solaris 11 Softtoken or SCA-6000 (HSM); Oracle Wallet; TDE Column Encryption; TDE Tablespace Encryption; Encrypted (and compressed) disk backups; Encrypted (and compressed) export files; Oracle SPARC T-series Servers cryptographic acceleration
  • 20. Oracle Database Security: Data and Network Encryption using SPARC T4 Crypto
    • Oracle Transparent Data Encryption (TDE) has been integrated to use T4 Crypto for "Tablespace and Column-level Encryption" operations.
      – Oracle TDE directly accesses T4 on-core cryptography
      – Configuration is enabled using init.ora parameters.
      – Available as part of the Oracle 11g R2 (11.2.0.3) release
    • Centralized key management and tamper-proof storage for the Master Key Wallet, and Network Encryption acceleration.
      – T4 Crypto accelerates SSL/TLS supporting SQLNET's network encryption.
    • Oracle Wallet tested and verified to store the Master Key in Solaris Softtoken or SCA-6000 (FIPS 140-2 scenarios)
  • 21. Fusion Middleware Security: WebLogic and Oracle Web Services Manager Using SPARC T4 Crypto
    • WebLogic integrates T4 Crypto via JSSE and the Java SunPKCS#11 Provider for SSL
    • Oracle Fusion Middleware 11g (11.1.1.4) Security automatically leverages T4 Crypto via Web Services Manager (OWSM)
    • Verified to use JKS, Solaris PKCS#11, SCA-6000 and NSS Softtoken (FIPS mode)
    • T4 based hardware assisted crypto acceleration
    • WebLogic SSL and Fusion Middleware Security via OWSM
    • Transport-level security using WebLogic SSL and Solaris KSSL
    • Message-level security using WS-Security and WS-SecurityPolicy defined algorithm suites
    • Diagram stack: SPARC T3 and T4 Servers cryptographic acceleration; Solaris Cryptographic Framework; Java Keystore / Solaris PKCS#11 Softtoken; Java PKCS#11 Provider
  • 22. Program Agenda (repeated): Security and the Business; Hardware Assisted Cryptography; Solaris 11 Security; Competitive Landscape; Next Steps
  • 23. Reduced Attack Surface: Solaris 11 Secure by Default
    • Expose only required services to the network
      – Reduce the operating system network footprint
      – Most services are disabled; a few are set to "local only"
    • Integrated with Service Management Facility
      – Common administrative model for all service operations
      – Fully customizable based upon unique site requirements
    • Foundation for additional protections and configuration
  • 24. Separation of Duty: Solaris 11 Role-based Access Control (RBAC)
    • Role-based Access Control
      – Compose collections of administrative rights for users and roles
      – Roles can only be assumed by authorized users
      – Accountability is preserved: the original UID is always tracked
    • New in Solaris 11
      – By default, the root account is now a role
      – Role authentication can use either the user's or the role's password
      – CLI for managing users, roles, rights and groups
  • 25. Separation of Duty: Solaris 11 Fine-Grained Process Privileges
    • Fine-Grained Process Privileges
      – Sandbox users and applications to limit the potential for damage
      – Decomposes administrative capabilities into discrete privileges
      – Eliminates the need for many services to start as 'root'
      – Always enabled and enforced by the Solaris kernel
    • New in Solaris 11
      – New privileges: file_read, file_write, and net_access
      – Support for "forced privileges" for set-uid root programs
      – Stop profile to limit specific commands and authorizations
  • 26. Strong Service Isolation: Solaris 11 Zones (Containers)
    • Zones
      – Restricted operating environment for enhanced security
      – Per-zone hardening, RBAC, privileges, resource controls, etc.
      – Per-zone system resources, networking, data sets, etc.
    • New in Solaris 11
      – Zone Integrity Policies (Flexible, Strict, Fixed, None)
      – Delegated Administration (Console, Install, Boot, Shutdown)
      – Virtual Networking (NICs, Switches, etc.)
  • 27. Holistic Data Protection: Solaris 11 ZFS Encryption
    • Encryption policy is set at the ZFS data set level
    • Supports delegation of key management operations
    • Leverages a dual key model: wrapping key vs. data encryption key
    • Variety of options for the format and location of the wrapping key
    • Wrapping key is inherited by child data sets
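The dual key model on slide 27, as an added illustration written for this transcript (not Oracle's or ZFS's code): each data set has its own data encryption key (DEK) that is stored only wrapped under a wrapping key derived from a passphrase, so changing the passphrase re-wraps the DEK and leaves every encrypted block untouched, and a child data set reuses the parent's wrapping key with a DEK of its own. It assumes a PBKDF2-derived wrapping key with a constructed salt and iteration count, and replaces AES with a constructed HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag so that it runs on the Python standard library alone.

```python
import hashlib, hmac, os

def derive_wrapping_key(passphrase, salt):
    # Passphrase keysource: stretch the passphrase with PBKDF2 (constructed iteration count).
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 10000, dklen=32)

def _keystream(key, nonce, n):
    # Stand-in for AES so this runs on the standard library: HMAC-SHA256 in counter mode.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC, nonce || ciphertext || tag: a wrong key is detected, not decrypted to garbage.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Dataset:
    def __init__(self, wrapping_key):
        self.dek = os.urandom(32)                          # this data set's own DEK
        self.wrapped_dek = seal(wrapping_key, self.dek)    # only this form is ever stored
        self.blocks = []                                   # ciphertext "on disk"
    def write(self, data):
        self.blocks.append(seal(self.dek, data))
    def can_unlock(self, wrapping_key):
        try:
            return unseal(wrapping_key, self.wrapped_dek) == self.dek
        except ValueError:
            return False
    def read_with(self, wrapping_key):
        dek = unseal(wrapping_key, self.wrapped_dek)
        return [unseal(dek, b) for b in self.blocks]
    def rewrap(self, old_wk, new_wk):
        self.wrapped_dek = seal(new_wk, unseal(old_wk, self.wrapped_dek))  # data blocks untouched

def rotate_demo():
    salt = b"constructed-salt"
    old_wk, new_wk = (derive_wrapping_key(p, salt) for p in (b"old passphrase", b"new passphrase"))
    parent, child = Dataset(old_wk), Dataset(old_wk)      # child inherits the wrapping key, own DEK
    parent.write(b"tablespace page 1"); child.write(b"log record 1")
    on_disk = list(parent.blocks)
    for ds in (parent, child):
        ds.rewrap(old_wk, new_wk)                          # key change touches the wrapped DEK only
    return {"parent": parent.read_with(new_wk), "child": child.read_with(new_wk),
            "unchanged": parent.blocks == on_disk, "old_key_rejected": not parent.can_unlock(old_wk)}
```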
  • 28. Comprehensive Monitoring: Solaris 11 Auditing
    • Auditing
      – Kernel-based fine-grained introspection
      – Captured events include: administrative actions, commands, syscalls
      – Configurable audit policy at both the system and user level
      – Zones can be audited from within the global zone
      – Audit logs can be exported as binary, text, or XML files
    • New in Solaris 11
      – Auditing on by default with no performance penalty
      – Greater visibility into system events with less "noise"
  • 29. Program Agenda (repeated): Security and the Business; Hardware Assisted Cryptography; Solaris 11 Security; Competitive Landscape; Next Steps
  • 30. SPARC T4 Leads in On-Chip Algorithms (chart comparing with IBM and HP)
  • 31. OpenSSL: RSA Sign/Verify (RSA 1024) (chart). Series: Verify ops/sec, Sign ops/sec; systems: T4-1, X4270 (Westmere); plotted values as extracted: 48583.5, 14629.8, 384615.2, 188261.3 ops/sec. *Westmere running Solaris 10u9 (AES-NI optimized)
  • 32. Java Crypto: RSA Sign/Verify (RSA 2048) (chart, y-axis: time in nsec). Series: SHA1withRSA, SHA256withRSA; systems: T4-1, X4270 (Westmere); plotted values as extracted: 18356014, 50296420, 28942706, 61446300. No of clients = 1000; message size = 1024k bytes
  • 33. Java Crypto: AES Bulk Encryption (chart, y-axis: time in nsec). Series: AES-128, AES-256, AES-512; systems: X4270 (Westmere), T4-1. *Westmere running Linux (AES-NI optimized). No of clients = 1000; message size = 1024k bytes
  • 34. Fusion Middleware Security On T4 (chart). *JAX-WS Application, WS-SecurityPolicy – Basic256, SSL Cipher – TLS_RSA_WITH_AES_128_CBC_SHA. Two-way SSL, RSA-1024
  • 35. Program Agenda (repeated): Security and the Business; Hardware Assisted Cryptography; Solaris 11 Security; Competitive Landscape; Next Steps
  • 36. Stop by the Oracle Support Stars Bar, Moscone West, Level 2
    • Oracle Support experts on hand
    • 2-minute videos describing key Oracle proactive support tools and mission-critical services
    • Live demos
    • Enter to win an iPad 2 (Mon-Wed)
    • Hours:
      – Monday & Tuesday: 10:00 – 6:00
      – Wednesday: 9:00 – 5:00
      – Thursday: 9:00 – 1:00
  • 37. For More Information / Try Out Today
    • Product overview and download: oracle.com/solaris
    • Oracle Technology Network: oracle.com/technetwork/server-storage/solaris11
    • System administrators community: oracle.com/technetwork/systems
    • @ORCL_Solaris
    • facebook.com/oraclesolaris
    • Oracle Solaris Insider
  • 38. Q&A
  • 41. Appendix
  • 42. Architectural Strategies: Building the Nesting Doll (public domain image courtesy of the Sergiev Posad Museum of Toys, Russia)
  • 43. Architectural Strategies: Building the Nesting Doll. Non-Global Zone A: Binaries and Libraries; Configuration Files; Temporary and Log Files; Application Data (ZFS Encrypted Data Set A); Delegated Application Administration; Secure by Default / Hardening
  • 44. Architectural Strategies: Building the Nesting Doll. Per zone (repeated for each nested zone): System Resources; Monitoring / Auditing; Delegated Admin.; Packet Filtering
  • 45. Architectural Strategies: Building the Nesting Doll. Solaris 11 Instance (Global Zone): Monitoring / Auditing; Delegated Administration; Integrated Cryptography
  • 46. Architectural Strategies: Building the Nesting Doll. Oracle VM Server for SPARC. TBD – Insert Images of T4-based Servers