High Performance Security With SPARC T4 Hardware Assisted Cryptography
- 1. 1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
- 2. High Performance Security With SPARC T4 Hardware Assisted Cryptography
Glenn Brunette, Ramesh Nagappan, Chad Prucha
Oracle Corporation
- 4. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
- 5. Program Agenda
• Security and the Business
• Hardware Assisted Cryptography
• Solaris 11 Security
• Competitive Landscape
• Next Steps
- 6. Security Impacts the Business
- 7. A Careful Balancing Act
- 8. Performance and Scalability with Security
SPARC T4 and Solaris 11
- 9. Program Agenda: Hardware Assisted Cryptography
- 10. Understanding Encryption Overheads
• Adopting encryption requires more CPU, memory, and network bandwidth.
– The overhead varies with the choice of algorithm, key size, and usage scenario.
• As security becomes more critical, it must still deliver predictable latency, response time, throughput, and other QoS characteristics.
End-to-end Security – Multi-tier Applications Scenario
- 11. Performance Impact without Hardware Assist
Example: Security Impact on SOA and Web Services
• Two-way SSL
• RSA-2048
• AES-256
- 12. SPARC T4 Cryptographic Acceleration
Significant Performance Gains for SSL (Using Hardware)
• Two-way SSL
• RSA-2048
• AES-256
- 13. Oracle Hardware Assisted Cryptography
• UltraSPARC T1 – 8 Crypto Accelerators
– Industry's first on-chip cryptographic accelerators
– Acts as a crypto coprocessor running in parallel at CPU speeds
• UltraSPARC T2 / T2+ – 8 Crypto Accelerators
– Added support for symmetric-key algorithms and message digests
• SPARC T3 – 16 Crypto Accelerators
– Expanded support for asymmetric and symmetric-key algorithms and message digests
• SPARC T4 – On-Core Crypto
– Hardware-based crypto algorithms exposed as unprivileged ISA instructions
– Direct access to on-core acceleration for fast processing; no drivers required
– No special permissions or setup required
Oracle SPARC T-Series Processors – Evolution of Crypto Acceleration
- 14. SPARC T3 and T4 Operational Models
- 15. Oracle SPARC T-Series Capabilities
Supported Cryptographic Algorithms and Mechanisms

| Processor / Mechanisms             | UltraSPARC T2 / T2+  | SPARC T3                                      | SPARC T4                                               |
| Asymmetric / Public Key Encryption | RSA, DSA, ECC        | RSA, DH, DSA, ECC                             | RSA, DH, DSA, ECC                                      |
| Symmetric Key / Bulk Encryption    | AES, DES, 3DES, RC4  | AES, DES, 3DES, Kasumi                        | AES, DES, 3DES, Camellia, Kasumi                       |
| Message Digest / Hash Functions    | MD5, SHA-1, SHA-256  | CRC32c, MD5, SHA-1, SHA-256, SHA-384, SHA-512 | CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| Random Number Generation           | Supported            | Supported                                     | Supported                                              |
| API Support                        | PKCS#11 Standard     | PKCS#11 Standard                              | PKCS#11 Standard, uCrypto API                          |
- 16. Role of the Solaris 11 Cryptographic Framework
• Manages access to hardware-assisted cryptography.
– SPARC T-series processors, and also Intel Westmere (AES-NI) and PKCS#11-based Hardware Security Modules (HSMs)
• Acts as an intermediary gateway between applications and the underlying cryptographic hardware.
• Applications all use an open, standard API (PKCS#11)
– Java, OpenSSL, NSS/JSS, Apache
– Oracle Database and Fusion Middleware
• Additional Solaris security services
– ZFS Encryption, SSH, Kernel SSL (KSSL), and IPsec
- 17. The Role of Solaris Cryptographic Framework
Managing Cryptographic Accelerators and HSMs via PKCS#11
Diagram (layers, top to bottom):
• Application: Oracle Database 11g Transparent Data Encryption, Oracle Fusion Middleware 11g, Java JCE PKCS#11 Provider, Apache Web Server, OpenSSL
• User: shared library libpkcs11.so (pluggable interface) loading pkcs11_softtoken.so (Softtoken KeyStore in $HOME/.sunw, with libsoftcrypto.so) and libpkcs11_kernel.so
• Kernel: service provider interface with scheduler and load balancer
• Hardware: SPARC T3/T2/T1 on-chip accelerators, SPARC T4 on-core crypto instructions, Sun CryptoAccelerator 6000 Hardware Security Module, third-party accelerators and Hardware Security Modules
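As an added example (not code from the deck or from Oracle), the following Java program follows the application path shown in the diagram: it configures the JDK's SunPKCS11 provider against the framework's libpkcs11.so, registers it first, and runs AES-256 and RSA-2048 operations through it while checking that an unqualified JCE lookup really resolves to the PKCS#11 provider rather than a software provider. The configuration string, the provider name SolarisCF and the sample data are assumptions; on a Solaris JDK a pre-configured SunPKCS11-Solaris provider pointing at the same library is already present.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class SolarisPkcs11Check {

    // Constructed SunPKCS11 configuration (assumption, not from the deck).
    // "library" is the framework's libpkcs11.so from the diagram; the name is arbitrary.
    static final String PKCS11_CONFIG =
            "name = SolarisCF\n" +
            "library = /usr/lib/libpkcs11.so\n";

    // Java 9+: configure the built-in SunPKCS11 provider from an inline config
    // ("--" prefix = the string is the config, not a file path) and register it
    // at the highest priority so lookups that do not name a provider hit it first.
    static Provider loadFrameworkProvider() {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("this JDK has no SunPKCS11 provider");
        }
        Provider p = base.configure("--" + PKCS11_CONFIG);
        Security.insertProviderAt(p, 1);
        return p;
    }

    // AES-256/CBC round trip: the key is generated inside the token and the bulk
    // encryption is performed by the framework (T4 on-core crypto beneath it).
    static boolean aesRoundTrip(Provider p, byte[] plaintext) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES", p);
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[16];
        SecureRandom.getInstance("PKCS11", p).nextBytes(iv); // token RNG (C_GenerateRandom)

        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding", p);
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("AES/CBC/PKCS5Padding", p);
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return Arrays.equals(plaintext, dec.doFinal(ct));
    }

    // RSA-2048 SHA256withRSA sign/verify through the same provider.
    static boolean rsaSignVerify(Provider p, byte[] message) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Signature signer = Signature.getInstance("SHA256withRSA", p);
        signer.initSign(kp.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA", p);
        verifier.initVerify(kp.getPublic());
        verifier.update(message);
        return verifier.verify(sig);
    }

    // Which provider serves an unqualified lookup? If this prints SunJCE instead of
    // SunPKCS11-SolarisCF, the application is still doing software crypto.
    static String providerFor(String transformation) throws GeneralSecurityException {
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        Provider p = loadFrameworkProvider();
        byte[] data = "constructed sample record".getBytes(StandardCharsets.UTF_8); // constructed input
        System.out.println("provider              : " + p.getName() + " (" + p.getInfo() + ")");
        System.out.println("AES/CBC resolves to   : " + providerFor("AES/CBC/PKCS5Padding"));
        System.out.println("AES-256 round trip ok : " + aesRoundTrip(p, data));
        System.out.println("RSA-2048 sign/verify  : " + rsaSignVerify(p, data));
    }
}
```

The providerFor check is the part worth keeping in a real deployment: provider order decides whether a call lands in the framework, and a library that pins a software provider by name bypasses the hardware regardless of what the platform offers.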
- 18. End-to-End Security Scenario on Oracle T4
• Oracle SPARC T4 has been verified to accelerate encryption operations across:
– Oracle Solaris (KSSL and ZFS Encryption), WebLogic (SSL), Web Services Manager (WS-Security and SSL), and Database (Transparent Data Encryption)
– Solaris PKCS#11 Softtoken acts as a unified key store.
– Use SCA-6000 where FIPS 140 is required
- 19. Transparent Data Encryption using SPARC T4 Acceleration
Diagram: Oracle Advanced Security (Network Encryption, Strong Authentication); TDE Column Encryption and TDE Tablespace Encryption; the Master Key held in the Oracle Wallet, stored in the Solaris 11 Softtoken or SCA-6000 (HSM); encrypted (and compressed) disk backups and export files; all on Oracle SPARC T-series servers with cryptographic acceleration.
- 20. Oracle Database Security
• Oracle Transparent Data Encryption (TDE) has been integrated to use T4 crypto for tablespace and column-level encryption operations.
– Oracle TDE accesses T4 on-core cryptography directly
– Enabled through init.ora parameters
– Available as part of the Oracle 11g R2 (11.2.0.3) release
• Centralized key management and tamper-proof storage for the Master Key wallet, plus network encryption acceleration.
– T4 crypto accelerates the SSL/TLS that underpins SQLNET's network encryption.
• Oracle Wallet tested and verified to store the Master Key in the Solaris Softtoken or SCA-6000 (FIPS 140-2 scenarios)
Data and Network Encryption using SPARC T4 Crypto
- 21. Fusion Middleware Security
WebLogic and Oracle Web Services Manager Using SPARC T4 Crypto
• WebLogic integrates T4 crypto via JSSE and the Java SunPKCS11 provider for SSL
• Oracle Fusion Middleware 11g (11.1.1.4) Security automatically leverages T4 crypto via Web Services Manager (OWSM)
• Verified to use JKS, Solaris PKCS#11, SCA-6000 and NSS Softtoken (FIPS mode)
• T4-based hardware-assisted crypto acceleration
• WebLogic SSL and Fusion Middleware Security via OWSM
• Transport-level security using WebLogic SSL and Solaris KSSL
• Message-level security using WS-Security and WS-SecurityPolicy defined algorithm suites
Diagram: Java PKCS#11 Provider over Java Keystore / Solaris PKCS#11 Softtoken, over the Solaris Cryptographic Framework, over SPARC T3 and T4 servers' cryptographic acceleration.
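The JSSE-plus-SunPKCS11 arrangement this slide describes for WebLogic SSL, reduced to a minimal stand-alone server as an added example (not WebLogic's or Oracle's code): the server's private key is read from the PKCS#11 keystore backed by the Solaris softtoken, so each handshake's RSA private-key operation is performed by the framework, and the listener is restricted to the TLS_RSA_WITH_AES_128_CBC_SHA suite named in the deck's benchmark with client authentication required (two-way SSL). The alias server-cert, port 8443 and the PIN prompt are assumptions; the SunPKCS11-Solaris provider name is the one a Solaris JDK registers by default.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

public class Pkcs11TlsServer {

    // Hypothetical alias of the server certificate / private-key pair in the softtoken.
    static final String KEY_ALIAS = "server-cert";
    // Cipher suite from the deck's OWSM measurement.
    static final String[] SUITES = { "TLS_RSA_WITH_AES_128_CBC_SHA" };

    // Builds an SSLContext whose key manager takes the server key from the PKCS#11
    // token. The private key never leaves the token; JSSE hands the handshake's
    // RSA operation to the provider, which the framework routes to the hardware.
    static SSLContext buildContext(Provider p, char[] tokenPin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, tokenPin);                  // null stream: the token itself is the store
        if (!ks.isKeyEntry(KEY_ALIAS)) {
            throw new IllegalStateException("no private-key entry '" + KEY_ALIAS
                    + "' in token; entries present: " + aliases(ks));
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, tokenPin);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null = default trust managers (cacerts)
        return ctx;
    }

    static String aliases(KeyStore ks) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            sb.append(e.nextElement()).append(' ');
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Registered by the Solaris JDK out of the box, configured against libpkcs11.so.
        Provider p = Security.getProvider("SunPKCS11-Solaris");
        if (p == null) throw new IllegalStateException("SunPKCS11-Solaris provider not registered");
        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from a terminal to enter the token PIN");
        char[] pin = console.readPassword("Softtoken PIN: ");

        SSLContext ctx = buildContext(p, pin);
        try (SSLServerSocket listener =
                     (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            listener.setEnabledCipherSuites(SUITES);
            listener.setNeedClientAuth(true);     // two-way SSL, as in the deck's measurements
            System.out.println("listening on 8443 with key '" + KEY_ALIAS + "' from " + p.getName());
            try (SSLSocket client = (SSLSocket) listener.accept()) {
                client.startHandshake();
                System.out.println("handshake done: " + client.getSession().getCipherSuite()
                        + " peer=" + client.getSession().getPeerPrincipal());
            }
        }
    }
}
```

The isKeyEntry check matters operationally: if the certificate was imported into the token without its private key, JSSE silently falls back to having no usable server credential and every handshake fails with an unhelpful alert.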
- 22. Program Agenda: Solaris 11 Security
- 23. Reduced Attack Surface
• Expose only required services to the network
– Reduce the operating system's network footprint
– Most services are disabled; a few are set to "local only"
• Integrated with the Service Management Facility
– Common administrative model for all service operations
– Fully customizable based upon unique site requirements
• Foundation for additional protections and configuration
Solaris 11 Secure by Default
- 24. Separation of Duty
• Role-based Access Control
– Compose collections of administrative rights for users and roles
– Roles can only be assumed by authorized users
– Accountability is preserved – the original UID is always tracked
• New in Solaris 11
– By default, the root account is now a role
– Role authentication can use either the user's or the role's password
– CLI for managing users, roles, rights and groups
Solaris 11 Role-based Access Control (RBAC)
- 25. Separation of Duty
• Fine-Grained Process Privileges
– Sandbox users and applications to limit the potential for damage
– Decomposes administrative capabilities into discrete privileges
– Eliminates the need for many services to start as 'root'
– Always enabled and enforced by the Solaris kernel
• New in Solaris 11
– New privileges: file_read, file_write, and net_access
– Support for "forced privileges" for set-uid root programs
– Stop profile to limit specific commands and authorizations
Solaris 11 Fine-Grained Process Privileges
- 26. Strong Service Isolation
• Zones
– Restricted operating environment for enhanced security
– Per-zone hardening, RBAC, privileges, resource controls, etc.
– Per-zone system resources, networking, data sets, etc.
• New in Solaris 11
– Zone Integrity Policies (Flexible, Strict, Fixed, None)
– Delegated Administration (Console, Install, Boot, Shutdown)
– Virtual Networking (NICs, Switches, etc.)
Solaris 11 Zones (Containers)
- 27. Holistic Data Protection
• Encryption policy is set at the ZFS data set level
• Supports delegation of key management operations
• Leverages a dual key model: wrapping vs. encryption key
• Variety of options for format/location of the wrapping key
• Wrapping key inherited by child data sets
Solaris 11 ZFS Encryption
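The dual-key model on this slide, as an added illustration in Java (not ZFS's own code or on-disk format): each data set has its own data encryption key, stored only wrapped under the wrapping key; changing the wrapping key re-wraps that small key and leaves the encrypted data untouched; and a child data set inherits the parent's wrapping key while getting its own data key. AES Key Wrap (RFC 3394, the JCE AESWrap cipher) and AES-GCM stand in for ZFS's actual mechanisms, and the data set names and records are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class DualKeyModel {
    static final SecureRandom RNG = new SecureRandom();

    // A data set keeps its data encryption key (DEK) only in wrapped form, next to the
    // ciphertext that DEK protects. One record per data set is kept for brevity.
    static final class DataSet {
        final String name;
        byte[] wrappedDek;   // DEK wrapped under the wrapping key (AES Key Wrap, RFC 3394)
        byte[] iv;           // per-record nonce for AES-GCM
        byte[] ciphertext;   // AES-GCM ciphertext, authentication tag included
        DataSet(String name) { this.name = name; }
    }

    static SecretKey newAes256Key() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    static byte[] wrap(SecretKey wrappingKey, SecretKey dek) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.WRAP_MODE, wrappingKey);
        return c.wrap(dek);
    }

    // Fails with an exception when the wrapping key is wrong (RFC 3394 integrity check).
    static SecretKey unwrap(SecretKey wrappingKey, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, wrappingKey);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    // New data set: fresh DEK, wrapped under the (possibly inherited) wrapping key.
    static DataSet create(String name, SecretKey wrappingKey, byte[] plaintext) throws Exception {
        SecretKey dek = newAes256Key();
        DataSet ds = new DataSet(name);
        ds.wrappedDek = wrap(wrappingKey, dek);
        ds.iv = new byte[12];
        RNG.nextBytes(ds.iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, dek, new GCMParameterSpec(128, ds.iv));
        ds.ciphertext = gcm.doFinal(plaintext);
        return ds;
    }

    static byte[] read(SecretKey wrappingKey, DataSet ds) throws Exception {
        SecretKey dek = unwrap(wrappingKey, ds.wrappedDek);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, dek, new GCMParameterSpec(128, ds.iv));
        return gcm.doFinal(ds.ciphertext);
    }

    // Changing the wrapping key re-wraps only the DEK; the data is never re-encrypted.
    static void rewrap(SecretKey oldWk, SecretKey newWk, DataSet ds) throws Exception {
        ds.wrappedDek = wrap(newWk, unwrap(oldWk, ds.wrappedDek));
    }

    public static void main(String[] args) throws Exception {
        SecretKey wk = newAes256Key();
        // Parent and child share the wrapping key (inheritance) but have distinct DEKs.
        DataSet parent = create("tank/app", wk, "constructed parent record".getBytes(StandardCharsets.UTF_8));
        DataSet child  = create("tank/app/data", wk, "constructed child record".getBytes(StandardCharsets.UTF_8));
        byte[] parentCtBefore = parent.ciphertext.clone();

        SecretKey newWk = newAes256Key();
        rewrap(wk, newWk, parent);
        rewrap(wk, newWk, child);

        System.out.println("ciphertext unchanged by rekey : " + Arrays.equals(parentCtBefore, parent.ciphertext));
        System.out.println("child DEK differs from parent : " + !Arrays.equals(parent.wrappedDek, child.wrappedDek));
        System.out.println("read with new wrapping key    : " + new String(read(newWk, child), StandardCharsets.UTF_8));
        try {
            read(wk, child);
        } catch (Exception e) {
            System.out.println("old wrapping key rejected     : " + e.getClass().getSimpleName());
        }
    }
}
```

The split is what makes key management delegable and cheap: the wrapping key can live in a passphrase, a file or a token and be rotated on its own schedule, while the data encryption key, and therefore the bulk of the I/O, is never touched by a rotation.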
- 28. Comprehensive Monitoring
• Auditing
– Kernel-based fine-grained introspection
– Captured events include: admin. actions, commands, syscalls
– Configurable audit policy at both the system / user level
– Zones can be audited from within the global zone
– Audit logs can be exported as binary, text, or XML files
• New in Solaris 11
– Auditing on by default with no performance penalty
– Greater visibility into system events with less “noise”
Solaris 11 Auditing
- 29. Program Agenda: Competitive Landscape
- 31. OpenSSL : RSA Sign/Verify (RSA 1024)
Chart values (ops/sec, higher is better):

| System           | Sign ops/sec | Verify ops/sec |
| T4-1             | 48583.5      | 384615.2       |
| X4270 (Westmere) | 14629.8      | 188261.3       |

*Westmere running Solaris10u9 (AES-NI optimized)
- 32. Java Crypto : RSA Sign/Verify (RSA 2048)
Chart values (time in nsec, lower is better); No. of Clients = 1000, Message size = 1024k bytes:

| System           | SHA1withRSA | SHA256withRSA |
| T4-1             | 18356014    | 28942706      |
| X4270 (Westmere) | 50296420    | 61446300      |
- 33. Java Crypto : AES Bulk Encryption
Chart: time in nsec (lower is better) for AES-128, AES-256 and AES-512 on X4270 (Westmere) vs T4-1; bar values not legible in the transcript.
*Westmere running Linux (AES-NI optimized)
No. of Clients = 1000
Message size = 1024k bytes
- 34. Fusion Middleware Security On T4
*JAX-WS Application, WS-SecurityPolicy – Basic256, SSL Cipher - TLS_RSA_WITH_AES_128_CBC_SHA
• Two-way SSL
• RSA-1024
- 35. Program Agenda: Next Steps
- 36. Stop by the Oracle Support Stars Bar
Moscone West, Level 2
• Oracle Support experts on hand
• 2-minute videos describing key Oracle proactive support tools and mission-critical services
• Live demos
• Enter to win an iPad 2 (Mon-Wed)
• Hours:
– Monday & Tuesday: 10:00 – 6:00
– Wednesday: 9:00 – 5:00
– Thursday: 9:00 – 1:00
- 37. For More Information / Try Out Today
• Product overview and download
– oracle.com/solaris
• Oracle Technology Network
– oracle.com/technetwork/server-storage/solaris11
• System administrators community
– oracle.com/technetwork/systems
• @ORCL_Solaris
• facebook.com/oraclesolaris
• Oracle Solaris Insider
- 38. Q&A
- 41. Appendix
- 42. Architectural Strategies: Building the Nesting Doll
Public Domain Image Courtesy: Sergiev Posad Museum of Toys, Russia
- 43. Architectural Strategies: Building the Nesting Doll (Non-Global Zone)
Diagram: application A inside a non-global zone, with its binaries and libraries, configuration files, temporary and log files, and application data held in a ZFS encrypted data set; delegated application administration; secure by default / hardening.
- 44. Architectural Strategies: Building the Nesting Doll
Diagram: three zones side by side, each with its own System Resources, Monitoring / Auditing, Delegated Admin., and Packet Filtering.
- 45. Architectural Strategies: Building the Nesting Doll (Solaris 11 Instance / Global Zone)
Diagram: Monitoring / Auditing, Delegated Administration, and Integrated Cryptography provided at the global zone level.
- 46. Architectural Strategies: Building the Nesting Doll (Oracle VM Server for SPARC)
TBD – Insert Images of T4-based Servers