1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
High Performance Security With SPARC T4
Hardware Assisted Cryptography
Glenn Brunette, Ramesh Nagappan, Chad Prucha
Oracle Corporation
The following is intended to outline our general product
direction. It is intended for information purposes only, and
may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing
decisions. The development, release, and timing of any
features or functionality described for Oracle's products
remains at the sole discretion of Oracle.
Program Agenda
•  Security and the Business
•  Hardware Assisted Cryptography
•  Solaris 11 Security
•  Competitive Landscape
•  Next Steps
Security Impacts the Business
A Careful Balancing Act
Performance and Scalability with Security
SPARC T4 and Solaris 11
Program Agenda
•  Security and the Business
•  Hardware Assisted Cryptography
•  Solaris 11 Security
•  Competitive Landscape
•  Next Steps
Understanding Encryption Overheads
•  Adopting encryption requires more CPU, memory, and network bandwidth
–  The overhead varies with the choice of algorithm, the key size, and the deployment scenario
•  As security becomes more critical, it must still deliver predictable latencies, response times, throughput, and other QoS characteristics
End-to-end Security – Multi-tier Applications Scenario
Performance Impact without Hardware Assist
Example: Security Impact on SOA and Web Services
• Two-way SSL
• RSA-2048
• AES-256
SPARC T4 Cryptographic Acceleration
Significant Performance Gains for SSL (Using Hardware)
• Two-way SSL
• RSA-2048
• AES-256
Oracle Hardware Assisted Cryptography
•  UltraSPARC T1 – 8 Crypto Accelerators
–  Industry’s first on-chip cryptographic accelerators
–  Acts as a Crypto coprocessor running in parallel at CPU speeds
•  UltraSPARC T2 / T2+ – 8 Crypto Accelerators
–  Added support for symmetric-key algorithms and message digests
•  SPARC T3 – 16 Crypto Accelerators
–  Expanded support for asymmetric- and symmetric-key algorithms and message digests
•  SPARC T4 – On-Core Crypto
–  Hardware-based crypto algorithms available as unprivileged ISA instructions
–  Direct access to on-core acceleration for fast processing; no drivers required
–  No special permissions and no setup required
Oracle SPARC T-Series Processors – Evolution of Crypto Acceleration
SPARC T3 and T4 Operational Models
Oracle SPARC T-Series Capabilities
Supported Cryptographic Algorithms and Mechanisms
Mechanism                          | UltraSPARC T2 / T2+   | SPARC T3                                       | SPARC T4
Asymmetric / Public Key Encryption | RSA, DSA, ECC         | RSA, DH, DSA, ECC                              | RSA, DH, DSA, ECC
Symmetric Key / Bulk Encryption    | AES, DES, 3DES, RC4   | AES, DES, 3DES, Kasumi                         | AES, DES, 3DES, Camellia, Kasumi
Message Digest / Hash Functions    | MD5, SHA-1, SHA-256   | CRC32c, MD5, SHA-1, SHA-256, SHA-384, SHA-512  | CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
Random Number Generation           | Supported             | Supported                                      | Supported
API Support                        | PKCS#11 Standard      | PKCS#11 Standard                               | PKCS#11 Standard, uCrypto API
Role of the Solaris 11 Cryptographic Framework
•  Manages access to hardware-assisted cryptography
–  SPARC T-series processors, plus Intel Westmere (AES-NI) and PKCS#11-based Hardware Security Modules (HSMs)
•  Acts as an intermediary gateway between applications and the underlying cryptographic hardware
•  Applications all use one open, standard API (PKCS#11)
–  Java, OpenSSL, NSS/JSS, Apache
–  Oracle Database and Fusion Middleware
•  Additional Solaris security services
–  ZFS Encryption, SSH, Kernel SSL (KSSL), and IPsec
The Role of Solaris Cryptographic Framework
Managing Cryptographic Accelerators and HSMs via PKCS#11
Application layer: Oracle Database 11g – Transparent Data Encryption; Oracle Fusion Middleware 11g; Java JCE PKCS#11 Provider; Apache Web Server; OpenSSL shared libraries
User layer: libpkcs11.so (pluggable interface) loading pkcs11_softtoken.so (Softtoken KeyStore in $HOME/.sunw, software implementations from libsoftcrypto.so) and libpkcs11_kernel.so
Kernel layer: Service Provider Interface with scheduler and load balancer
Hardware layer: SPARC T3/T2/T1 on-chip accelerators; SPARC T4 on-core crypto instructions; Sun Crypto Accelerator 6000 Hardware Security Module; third-party accelerators and Hardware Security Modules
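As an added example (not from the deck or from Oracle), the following Java program places the Solaris PKCS#11 provider first in the JCA provider list and then reports which provider actually served an AES-256-CBC encryption and an RSA-2048 SHA256withRSA signature, which is the check an operator needs before trusting that WebLogic- or OpenSSL-style consumers reach the framework. The library path /usr/lib/libpkcs11.so, the provider name SunPKCS11-Solaris and the JDK 9+ Provider.configure call are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/*
 * Added example (not Oracle's code): confirm that JCE requests reach the
 * Solaris Cryptographic Framework through the SunPKCS11 provider.
 * Assumptions: Solaris 11 host, metaslot library at /usr/lib/libpkcs11.so,
 * JDK 9+ Provider.configure(); on JDK 6-8 the equivalent is
 * new sun.security.pkcs11.SunPKCS11(configStream).
 */
public class SolarisPkcs11Check {

    // Inline SunPKCS11 configuration ("--" prefix = configuration passed as a
    // string rather than a file). libpkcs11.so is the framework's metaslot,
    // which fronts the softtoken, the kernel (on-chip) providers and any HSM.
    static final String PKCS11_CONFIG =
        "--name = Solaris\n" +
        "library = /usr/lib/libpkcs11.so\n";

    /** Makes the Solaris PKCS#11 provider the first choice for algorithms it offers. */
    static Provider installSolarisProvider() {
        // On Solaris the JDK ships SunPKCS11-Solaris preconfigured; prefer it if present.
        Provider p = Security.getProvider("SunPKCS11-Solaris");
        if (p == null) {
            Provider base = Security.getProvider("SunPKCS11");
            if (base == null) {
                throw new IllegalStateException("SunPKCS11 provider not available in this JDK");
            }
            p = base.configure(PKCS11_CONFIG);
            Security.insertProviderAt(p, 1);   // position 1 = highest priority
        }
        return p;
    }

    /** Encrypts constructed plaintext with AES-256-CBC and returns the provider that did it. */
    static String aesProviderName() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] plaintext = new byte[4096];        // constructed sample data, 256 blocks
        Arrays.fill(plaintext, (byte) 0x41);
        // No provider argument on purpose: JCA resolves by priority, which is
        // exactly what a WebLogic- or OpenSSL-style consumer experiences.
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        c.doFinal(plaintext);
        return c.getProvider().getName();
    }

    /** Signs constructed data with RSA-2048 / SHA256withRSA and returns the provider that did it. */
    static String rsaSignProviderName() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update("constructed message".getBytes(StandardCharsets.UTF_8));
        s.sign();
        return s.getProvider().getName();
    }

    /** True when a SunPKCS11 provider served the operation rather than pure-Java SunJCE/SunRsaSign. */
    static boolean viaFramework(String providerName) {
        return providerName.startsWith("SunPKCS11");
    }

    public static void main(String[] args) throws Exception {
        Provider p = installSolarisProvider();
        System.out.println("PKCS#11 provider: " + p.getName() + " (" + p.getInfo() + ")");
        String aes = aesProviderName();
        String rsa = rsaSignProviderName();
        System.out.println("AES-256-CBC served by        : " + aes
            + (viaFramework(aes) ? "" : "   <-- software fallback"));
        System.out.println("SHA256withRSA (2048) served by: " + rsa
            + (viaFramework(rsa) ? "" : "   <-- software fallback"));
        // A SunPKCS11 name means the request went through libpkcs11.so. Whether the
        // framework then used T4 on-core instructions, a T3 on-chip accelerator or a
        // software implementation is decided by the framework's provider policy
        // (cryptoadm list -p on the host), not by anything on the Java side.
    }
}
```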
End-to-End Security Scenario on Oracle T4
•  Oracle SPARC T4 has been verified to accelerate encryption operations across:
–  Oracle Solaris (KSSL and ZFS Encryption), WebLogic (SSL), Web Services Manager (WS-Security and SSL), and Database (Transparent Data Encryption)
–  The Solaris PKCS#11 Softtoken acts as a unified key store
–  Use the SCA-6000 where FIPS 140 is required
Oracle Advanced Security: Network Encryption, Strong Authentication
Master Key in the Oracle Wallet, stored in the Solaris 11 Softtoken or the SCA-6000 (HSM)
TDE Column Encryption and TDE Tablespace Encryption
Encrypted (and compressed) disk backups; encrypted (and compressed) export files
Oracle SPARC T-series Servers – Cryptographic Acceleration
Transparent Data Encryption using SPARC T4 Acceleration
Oracle Database Security
•  Oracle Transparent Data Encryption (TDE) has been integrated to use T4 Crypto for tablespace and column-level encryption operations
–  Oracle TDE directly accesses T4 on-core cryptography
–  Enabled through init.ora parameters
–  Available as part of the Oracle 11g R2 (11.2.0.3) release
•  Centralized key management and tamper-proof storage for the Master Key Wallet, plus network encryption acceleration
–  T4 Crypto accelerates the SSL/TLS that carries SQL*Net network encryption
•  Oracle Wallet tested and verified to store the Master Key in the Solaris Softtoken or the SCA-6000 (FIPS 140-2 scenarios)
Data and Network Encryption using SPARC T4 Crypto
Fusion Middleware Security
•  WebLogic integrates T4 Crypto via JSSE and the Java SunPKCS#11 Provider for SSL
•  Oracle Fusion Middleware 11g (11.1.1.4) Security automatically leverages T4 Crypto via Web Services Manager (OWSM)
•  Verified to use JKS, Solaris PKCS#11, SCA-6000 and NSS Softtoken (FIPS mode)
•  T4-based hardware-assisted crypto acceleration covers:
–  WebLogic SSL and Fusion Middleware Security via OWSM
–  Transport-level security using WebLogic SSL and Solaris KSSL
–  Message-level security using WS-Security and WS-SecurityPolicy-defined algorithm suites
WebLogic and Oracle Web Services Manager Using SPARC T4 Crypto
Stack (top to bottom): Java PKCS#11 Provider → Java Keystore / Solaris PKCS#11 Softtoken → Solaris Cryptographic Framework → SPARC T3 and T4 Servers Cryptographic Acceleration
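How a JSSE-based server in the style of WebLogic picks up a softtoken-resident key, as an added example that is not from the deck, Oracle or WebLogic: the server's RSA private key is opened as a PKCS11 keystore on the SunPKCS11-Solaris provider, the listener is set to two-way SSL and restricted to the TLS_RSA_WITH_AES_128_CBC_SHA suite named on the benchmark slide. The provider name, the PIN prompt, the default port and the pre-provisioned key pair are assumptions.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

/*
 * Added example (not Oracle's or WebLogic's code): build a JSSE server context
 * whose RSA private key lives in the Solaris PKCS#11 softtoken, so the TLS
 * handshake's private-key operation is executed inside the Solaris
 * Cryptographic Framework instead of in pure-Java code.
 * Assumptions: JDK on Solaris with the SunPKCS11-Solaris provider registered,
 * and a key pair plus certificate already stored in the softtoken (e.g. with pktool).
 */
public class SoftokenTlsServer {

    static final String PROVIDER = "SunPKCS11-Solaris";          // assumed provider name
    // Cipher suite taken from the deck's Fusion Middleware benchmark footnote.
    static final String[] SUITES = { "TLS_RSA_WITH_AES_128_CBC_SHA" };

    /** Opens the token-resident keystore; a null stream means "the token is the keystore". */
    static KeyStore openSoftoken(char[] pin) throws Exception {
        Provider p = Security.getProvider(PROVIDER);
        if (p == null) {
            throw new IllegalStateException(PROVIDER + " is not registered in java.security");
        }
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);                 // the PIN unlocks the token for private-key use
        return ks;
    }

    /** Builds an SSLContext whose key manager delegates signing/decryption to the token. */
    static SSLContext buildContext(char[] pin) throws Exception {
        KeyStore ks = openSoftoken(pin);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);                  // for PKCS11 keystores the key password is the token PIN
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Default trust managers (the JDK cacerts store) validate client certificates.
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Configures a listening socket for two-way SSL restricted to the benchmarked suite. */
    static SSLServerSocket listen(SSLContext ctx, int port) throws Exception {
        SSLServerSocket server =
            (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        server.setNeedClientAuth(true);     // two-way SSL, as in the deck's test setup
        server.setEnabledCipherSuites(SUITES);
        return server;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from a terminal so the token PIN can be prompted");
        }
        char[] pin = console.readPassword("Softtoken PIN: ");
        try {
            SSLContext ctx = buildContext(pin);
            int port = args.length > 0 ? Integer.parseInt(args[0]) : 8443;   // assumed default port
            try (SSLServerSocket server = listen(ctx, port)) {
                System.out.println("Listening on " + port + " with "
                    + Arrays.toString(server.getEnabledCipherSuites()));
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake();   // RSA private-key step runs inside the token
                    System.out.println("Handshake with " + client.getSession().getPeerPrincipal()
                        + " using " + client.getSession().getCipherSuite());
                }
            }
        } finally {
            Arrays.fill(pin, '\0');         // do not keep the PIN in heap memory longer than needed
        }
    }
}
```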
Program Agenda
•  Security and the Business
•  Hardware Assisted Cryptography
•  Solaris 11 Security
•  Competitive Landscape
•  Next Steps
Reduced Attack Surface
•  Expose only required services to the network
–  Reduce the operating system's network footprint
–  Most services are disabled; a few are set to “local only”
•  Integrated with Service Management Facility
–  Common administrative model for all service operations
–  Fully customizable based upon unique site requirements
•  Foundation for Additional Protections and Configuration
Solaris 11 Secure by Default
Separation of Duty
•  Role-based Access Control
–  Compose collections of administrative rights for users and roles
–  Roles can only be assumed by authorized users
–  Accountability is preserved – original UID is always tracked
•  New in Solaris 11
–  By default, the root account is now a role
–  Role authentication can use either user or role’s password
–  CLI for managing users, roles, rights and groups
Solaris 11 Role-based Access Control (RBAC)
Separation of Duty
•  Fine-Grained Process Privileges
–  Sandbox users and applications to limit potential for damage
–  Decomposes administrative capabilities into discrete privileges
–  Eliminates need for many services to start as ‘root’
–  Always enabled and enforced by the Solaris kernel
•  New in Solaris 11
–  New privileges: file_read, file_write, and net_access
–  Support for “forced privileges” for set-uid root programs
–  Stop profile to limit specific commands and authorizations
Solaris 11 Fine-Grained Process Privileges
Strong Service Isolation
•  Zones
–  Restricted operating environment for enhanced security
–  Per-zone hardening, RBAC, privileges, resource controls, etc.
–  Per-zone system resources, networking, data sets, etc.
•  New in Solaris 11
–  Zone Integrity Policies (Flexible, Strict, Fixed, None)
–  Delegated Administration (Console, Install, Boot, Shutdown)
–  Virtual Networking (NICs, Switches, etc.)
Solaris 11 Zones (Containers)
Holistic Data Protection
•  Encryption policy is set at the ZFS data set level
•  Supports delegation of key management operations
•  Leverages a dual key model: wrapping vs. encryption key
•  Variety of options for format/location of the wrapping key
•  Wrapping key inherited by child data sets
Solaris 11 ZFS Encryption
Comprehensive Monitoring
•  Auditing
–  Kernel-based fine-grained introspection
–  Captured events include: admin. actions, commands, syscalls
–  Configurable audit policy at both the system / user level
–  Zones can be audited from within the global zone
–  Audit logs can be exported as binary, text, or XML files
•  New in Solaris 11
–  Auditing on by default with no performance penalty
–  Greater visibility into system events with less “noise”
Solaris 11 Auditing
Program Agenda
•  Security and the Business
•  Hardware Assisted Cryptography
•  Solaris 11 Security
•  Competitive Landscape
•  Next Steps
SPARC T4 Leads in On-Chip Algorithms
[Chart: on-chip algorithm coverage, SPARC T4 vs. IBM & HP; cell values not recoverable from the extracted slide]
[Chart: OpenSSL – RSA Sign/Verify (RSA 1024), T4-1 vs. X4270 (Westmere); y-axis ops/sec, 0 to 400000; series: Verify ops/sec, Sign ops/sec; plotted values as extracted: 48583.5, 14629.8, 384615.2, 188261.3]
*Westmere running Solaris10u9 (AES-NI optimized)
[Chart: Java Crypto – RSA Sign/Verify (RSA 2048), T4-1 vs. X4270 (Westmere); y-axis time in nsec, 0 to 70000000; series: SHA1withRSA, SHA256withRSA; plotted values as extracted: 18356014, 50296420, 28942706, 61446300]
No of Clients = 1000; Message size = 1024k bytes
[Chart: Java Crypto – AES Bulk Encryption, X4270 (Westmere) vs. T4-1; y-axis time in nsec, 0 to 25000000; series: AES-128, AES-256, AES-512]
*Westmere running Linux (AES-NI optimized)
No of Clients = 1000; Message size = 1024k bytes
Fusion Middleware Security On T4
*JAX-WS Application, WS-SecurityPolicy – Basic256, SSL Cipher - TLS_RSA_WITH_AES_128_CBC_SHA
• Two-way SSL
• RSA-1024
Program Agenda
•  Security and the Business
•  Hardware Assisted Cryptography
•  Solaris 11 Security
•  Competitive Landscape
•  Next Steps
Stop by the Oracle Support Stars Bar
Moscone West, Level 2
•  Oracle Support experts on hand
•  2-minute videos describing key Oracle proactive support
tools and mission-critical services
•  Live demos
•  Enter to win an iPad 2 (Mon-Wed)
•  Hours:
–  Monday & Tuesday: 10:00 – 6:00
–  Wednesday: 9:00 – 5:00
–  Thursday: 9:00 – 1:00
For More Information / Try Out Today
•  Product overview and download
–  oracle.com/solaris
•  Oracle Technology Network
–  oracle.com/technetwork/server-storage/solaris11
•  System administrators community
–  oracle.com/technetwork/systems
•  @ORCL_Solaris
•  facebook.com/oraclesolaris
•  Oracle Solaris Insider
Q&A
Appendix
Architectural Strategies
Building the Nesting Doll
Public Domain Image Courtesy: Sergiev Posad Museum of Toys, Russia
Architectural Strategies
Building the Nesting Doll
Non-Global Zone A: Binaries and Libraries, Configuration Files, Temporary and Log Files, Application Data, all held on a ZFS Encrypted Data Set
Per-zone: Delegated Application Administration; Secure by Default / Hardening
Architectural Strategies
Building the Nesting Doll
Each non-global zone adds its own: System Resources; Monitoring / Auditing; Delegated Admin.; Packet Filtering (shown for three zones)
Architectural Strategies
Building the Nesting Doll
Solaris 11 Instance (Global Zone): Monitoring / Auditing; Delegated Administration; Integrated Cryptography
Architectural Strategies
Building the Nesting Doll
Oracle VM Server for SPARC
TBD – Insert Images of T4-based Servers

More Related Content

What's hot

Oracle Linux Nov 2011 Webcast
Oracle Linux Nov 2011 WebcastOracle Linux Nov 2011 Webcast
Oracle Linux Nov 2011 Webcast
Terry Wang
 
Oracle Traffic Director Instances, Processes and High Availability explained
Oracle Traffic Director Instances, Processes and High Availability explainedOracle Traffic Director Instances, Processes and High Availability explained
Oracle Traffic Director Instances, Processes and High Availability explained
Tom Hofte
 
Chapter 2 overview
Chapter 2 overviewChapter 2 overview
Chapter 2 overview
ali raza
 

What's hot (20)

LAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT ZephyrLAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT Zephyr
 
15 Troubleshooting Tips and Tricks for database 21c - OGBEMEA KSAOUG
15 Troubleshooting Tips and Tricks for database 21c - OGBEMEA KSAOUG15 Troubleshooting Tips and Tricks for database 21c - OGBEMEA KSAOUG
15 Troubleshooting Tips and Tricks for database 21c - OGBEMEA KSAOUG
 
Oracle Linux Nov 2011 Webcast
Oracle Linux Nov 2011 WebcastOracle Linux Nov 2011 Webcast
Oracle Linux Nov 2011 Webcast
 
Module 1: ConfD Technical Introduction
Module 1: ConfD Technical IntroductionModule 1: ConfD Technical Introduction
Module 1: ConfD Technical Introduction
 
Oracle Traffic Director Instances, Processes and High Availability explained
Oracle Traffic Director Instances, Processes and High Availability explainedOracle Traffic Director Instances, Processes and High Availability explained
Oracle Traffic Director Instances, Processes and High Availability explained
 
A Path to NFV/SDN - Intel. Michael Brennan, INTEL
A Path to NFV/SDN - Intel. Michael Brennan, INTELA Path to NFV/SDN - Intel. Michael Brennan, INTEL
A Path to NFV/SDN - Intel. Michael Brennan, INTEL
 
Chapter 2 overview
Chapter 2 overviewChapter 2 overview
Chapter 2 overview
 
Accelerate the SDN with Intel ONP
Accelerate the SDN with Intel ONPAccelerate the SDN with Intel ONP
Accelerate the SDN with Intel ONP
 
Intoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture PresentationIntoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture Presentation
 
SDN Architecture & Ecosystem
SDN Architecture & EcosystemSDN Architecture & Ecosystem
SDN Architecture & Ecosystem
 
LF_OVS_17_Riley: Pushing networking to the edge
LF_OVS_17_Riley: Pushing networking to the edgeLF_OVS_17_Riley: Pushing networking to the edge
LF_OVS_17_Riley: Pushing networking to the edge
 
LF_OVS_17_IPSEC and OVS DPDK
LF_OVS_17_IPSEC and OVS DPDKLF_OVS_17_IPSEC and OVS DPDK
LF_OVS_17_IPSEC and OVS DPDK
 
DPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway ApplicationDPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway Application
 
Software defined network and Virtualization
Software defined network and VirtualizationSoftware defined network and Virtualization
Software defined network and Virtualization
 
AIOUG-GroundBreakers-Jul 2019 - 19c RAC
AIOUG-GroundBreakers-Jul 2019 - 19c RACAIOUG-GroundBreakers-Jul 2019 - 19c RAC
AIOUG-GroundBreakers-Jul 2019 - 19c RAC
 
Check Point CCSA NGX R71 Course Overview
Check Point CCSA NGX R71 Course OverviewCheck Point CCSA NGX R71 Course Overview
Check Point CCSA NGX R71 Course Overview
 
NETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network DevicesNETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network Devices
 
Industrial Internet of Things: Protocols an Standards
Industrial Internet of Things: Protocols an StandardsIndustrial Internet of Things: Protocols an Standards
Industrial Internet of Things: Protocols an Standards
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
 
Oracle Trace File Analyzer Overview
Oracle Trace File Analyzer OverviewOracle Trace File Analyzer Overview
Oracle Trace File Analyzer Overview
 

Similar to High Performance Security With SPARC T4 Hardware Assisted Cryptography

New Generation of SPARC Processors Boosting Oracle S/W Angelo Rajadurai
New Generation of SPARC Processors Boosting Oracle S/W Angelo RajaduraiNew Generation of SPARC Processors Boosting Oracle S/W Angelo Rajadurai
New Generation of SPARC Processors Boosting Oracle S/W Angelo Rajadurai
Orgad Kimchi
 
Oracle ExaLogic Overview
Oracle ExaLogic OverviewOracle ExaLogic Overview
Oracle ExaLogic Overview
Peter Doolan
 

Similar to High Performance Security With SPARC T4 Hardware Assisted Cryptography (20)

Eci sparc
Eci sparcEci sparc
Eci sparc
 
Solaris11 Desayunos Tecnicos Oracle (Solaris)
Solaris11 Desayunos Tecnicos Oracle (Solaris)Solaris11 Desayunos Tecnicos Oracle (Solaris)
Solaris11 Desayunos Tecnicos Oracle (Solaris)
 
Oracle virtual appliance
Oracle virtual applianceOracle virtual appliance
Oracle virtual appliance
 
Introduction to MySQL
Introduction to MySQLIntroduction to MySQL
Introduction to MySQL
 
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
 
Oracle super cluster m7
Oracle super cluster m7Oracle super cluster m7
Oracle super cluster m7
 
Oracle Sparc M7-8 Servers
Oracle Sparc M7-8 ServersOracle Sparc M7-8 Servers
Oracle Sparc M7-8 Servers
 
Securing data in Oracle Database 12c - 2015
Securing data in Oracle Database 12c - 2015Securing data in Oracle Database 12c - 2015
Securing data in Oracle Database 12c - 2015
 
Presentation deploying oracle database 11g securely on oracle solaris
Presentation    deploying oracle database 11g securely on oracle solarisPresentation    deploying oracle database 11g securely on oracle solaris
Presentation deploying oracle database 11g securely on oracle solaris
 
Understanding oracle rac internals part 1 - slides
Understanding oracle rac internals   part 1 - slidesUnderstanding oracle rac internals   part 1 - slides
Understanding oracle rac internals part 1 - slides
 
Simplify IT: Oracle SuperCluster
Simplify IT: Oracle SuperCluster Simplify IT: Oracle SuperCluster
Simplify IT: Oracle SuperCluster
 
Presentation oracle super cluster t5-8 technical deep dive
Presentation   oracle super cluster t5-8 technical deep divePresentation   oracle super cluster t5-8 technical deep dive
Presentation oracle super cluster t5-8 technical deep dive
 
Virtual Compute Appliance Oracle IaaS
Virtual Compute Appliance Oracle IaaS Virtual Compute Appliance Oracle IaaS
Virtual Compute Appliance Oracle IaaS
 
New Generation of SPARC Processors Boosting Oracle S/W Angelo Rajadurai
New Generation of SPARC Processors Boosting Oracle S/W Angelo RajaduraiNew Generation of SPARC Processors Boosting Oracle S/W Angelo Rajadurai
New Generation of SPARC Processors Boosting Oracle S/W Angelo Rajadurai
 
Oracle Exalogic X3-02 Elastic Cloud System
Oracle Exalogic X3-02 Elastic Cloud SystemOracle Exalogic X3-02 Elastic Cloud System
Oracle Exalogic X3-02 Elastic Cloud System
 
Why_Oracle_Hardware.ppt
Why_Oracle_Hardware.pptWhy_Oracle_Hardware.ppt
Why_Oracle_Hardware.ppt
 
Oracle Key Vault Overview
Oracle Key Vault OverviewOracle Key Vault Overview
Oracle Key Vault Overview
 
Oracle ExaLogic Overview
Oracle ExaLogic OverviewOracle ExaLogic Overview
Oracle ExaLogic Overview
 
Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5
 
FOISDBA-Ver1.1.pptx
FOISDBA-Ver1.1.pptxFOISDBA-Ver1.1.pptx
FOISDBA-Ver1.1.pptx
 

More from Ramesh Nagappan

Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Ramesh Nagappan
 
ICAM - Demo Architecture review
ICAM - Demo Architecture reviewICAM - Demo Architecture review
ICAM - Demo Architecture review
Ramesh Nagappan
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card Platform
Ramesh Nagappan
 
PIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentPIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environment
Ramesh Nagappan
 
Java Platform Security Architecture
Java Platform Security ArchitectureJava Platform Security Architecture
Java Platform Security Architecture
Ramesh Nagappan
 
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access ControlManaging PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
Ramesh Nagappan
 
Stronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSOStronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSO
Ramesh Nagappan
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise Applications
Ramesh Nagappan
 
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE SecurityWire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
Ramesh Nagappan
 

More from Ramesh Nagappan (13)

Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical Overview
 
Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005
 
Interoperable Provisioning in a distributed world
Interoperable Provisioning in a distributed worldInteroperable Provisioning in a distributed world
Interoperable Provisioning in a distributed world
 
Secure Multitenancy on Oracle SuperCluster
Secure Multitenancy on Oracle SuperClusterSecure Multitenancy on Oracle SuperCluster
Secure Multitenancy on Oracle SuperCluster
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
 
ICAM - Demo Architecture review
ICAM - Demo Architecture reviewICAM - Demo Architecture review
ICAM - Demo Architecture review
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card Platform
 
PIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentPIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environment
 
Java Platform Security Architecture
Java Platform Security ArchitectureJava Platform Security Architecture
Java Platform Security Architecture
 
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access ControlManaging PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
 
Stronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSOStronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSO
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise Applications
 
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE SecurityWire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
 

Recently uploaded

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

High Performance Security With SPARC T4 Hardware Assisted Cryptography

1. 1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
2. High Performance Security With SPARC T4 Hardware Assisted Cryptography
Glenn Brunette, Ramesh Nagappan, Chad Prucha
Oracle Corporation
3. (no slide text)
4. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
5. Program Agenda
•  Security and the Business
•  Hardware Assisted Cryptography
•  Solaris 11 Security
•  Competitive Landscape
•  Next Steps
6. Security Impacts the Business
7. A Careful Balancing Act
8. Performance and Scalability with Security
SPARC T4 and Solaris 11
9. Program Agenda
•  Security and the Business
•  Hardware Assisted Cryptography
•  Solaris 11 Security
•  Competitive Landscape
•  Next Steps
10. Understanding Encryption Overheads
•  Adopting encryption requires more CPU, memory, and network bandwidth!
–  Overhead varies by choice of key algorithm, key size and applied scenarios
•  Security becomes more critical, demanding predictable latencies, response times, throughput and other QoS characteristics.
End-to-end Security – Multi-tier Applications Scenario (figure)
11. Performance Impact without Hardware Assist
Example: Security Impact on SOA and Web Services (chart; configuration: Two-way SSL, RSA-2048, AES-256)
12. SPARC T4 Cryptographic Acceleration
Significant Performance Gains for SSL (Using Hardware) (chart; configuration: Two-way SSL, RSA-2048, AES-256)
13. Oracle Hardware Assisted Cryptography
Oracle SPARC T-Series Processors – Evolution of Crypto Acceleration
•  UltraSPARC T1 – 8 Crypto Accelerators
–  Industry's first on-chip cryptographic accelerators
–  Acts as a crypto coprocessor running in parallel at CPU speeds
•  UltraSPARC T2 / T2+ – 8 Crypto Accelerators
–  Added support for symmetric-key algorithms, message digests
•  SPARC T3 – 16 Crypto Accelerators
–  Expanded support for asymmetric- and symmetric-key algorithms, message digests
•  SPARC T4 – On-Core Crypto
–  Hardware based crypto algorithms available as unprivileged ISA instructions
–  Direct access to on-core acceleration for fast processing, no drivers required
–  No special permissions and no setup required
14. SPARC T3 and T4 Operational Models (diagram)
15. Oracle SPARC T-Series Capabilities
Supported Cryptographic Algorithms and Mechanisms
Processor / Mechanisms             | UltraSPARC T2/T2+       | SPARC T3                                        | SPARC T4
Asymmetric / Public Key Encryption | RSA, DSA, ECC           | RSA, DH, DSA, ECC                               | RSA, DH, DSA, ECC
Symmetric Key / Bulk Encryption    | AES, DES, 3DES, RC4     | AES, DES, 3DES, Kasumi                          | AES, DES, 3DES, Camellia, Kasumi
Message Digest / Hash Functions    | MD5, SHA-1, SHA-256     | CRC32c, MD5, SHA-1, SHA-256, SHA-384, SHA-512   | CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
Random Number Generation           | Supported               | Supported                                       | Supported
API Support                        | PKCS#11 Standard        | PKCS#11 Standard                                | PKCS#11 Standard, uCrypto API
16. Role of the Solaris 11 Cryptographic Framework
•  Manages access to hardware-assisted cryptography.
–  SPARC T-series processors; also supports Intel Westmere (AES-NI) and PKCS#11 based Hardware Security Modules (HSMs)
•  Acts as an intermediary gateway between applications and the underlying cryptographic hardware.
•  Applications all use an open, standard protocol (PKCS#11)
–  Java, OpenSSL, NSS/JSS, Apache
–  Oracle Database and Fusion Middleware
•  Additional Solaris Security services
–  ZFS Encryption, SSH, Kernel SSL (KSSL), and IPsec
17. The Role of Solaris Cryptographic Framework
Managing Cryptographic Accelerators and HSMs via PKCS#11
(architecture diagram; labels: Application – Oracle Database 11g Transparent Data Encryption, Oracle Fusion Middleware 11g, Java JCE PKCS#11 Provider, Apache Web Server, OpenSSL; User – Shared Libraries, libpkcs11.so Pluggable Interface, pkcs11_softtoken.so, Softtoken KeyStore $HOME/.sunw, libsoftcrypto.so, libpkcs11_kernel.so; Kernel – Service Provider Interface, Scheduler and Load Balancer; hardware – SPARC T3/T2/T1 On Chip Accelerators, SPARC T4 On Core Crypto Instructions, Sun CryptoAccelerator 6000 Hardware Security Module, Third Party Accelerators and Hardware Security Modules)
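Slides 13 through 17 state that on SPARC T4 the algorithms are unprivileged ISA instructions that the Solaris Cryptographic Framework uses with no drivers or setup, while earlier T-series parts route through a coprocessor. Before reading a benchmark as "hardware accelerated", a practitioner wants to confirm the running system actually advertises those instructions; if it does not, the framework silently falls back to libsoftcrypto.so and the numbers mean something else. The POSIX shell functions below are an added example, not code from the Oracle deck: they parse the text `isainfo -v` prints on Solaris (the instruction-set extensions the kernel exposes) and report, for each algorithm the deck lists as on-core for T4, whether a hardware feature is advertised. The lowercase feature names and both sample outputs are constructed to resemble T4 and pre-T4 output and are assumptions, not captured from real hardware.

```shell
#!/bin/sh
# Added example (not from the Oracle deck): report which SPARC T4 on-core
# crypto features a Solaris host advertises, by parsing `isainfo -v` text
# read on stdin. On a real host:  isainfo -v | hw_crypto_report

# Feature names mirror the algorithms on slide 15 as isainfo(1) is assumed
# to print them (spelling is an assumption). 3DES rides on "des", SHA-224 on
# "sha256" and SHA-384 on "sha512", so those do not get separate names.
T4_CRYPTO_FEATURES="aes des camellia kasumi md5 sha1 sha256 sha512 crc32c"

# hw_crypto_report: one line per expected feature, "<feature> hw" when it
# is advertised, "<feature> software" when the Cryptographic Framework
# would have to fall back to libsoftcrypto.so for that algorithm.
hw_crypto_report() {
    # Flatten the multi-line, tab-indented output into one token list so
    # that whole words can be matched (so "desx" never matches "des").
    isa=$(tr '\n\t' '  ' | tr -s ' ')
    for f in $T4_CRYPTO_FEATURES; do
        case " $isa " in
            *" $f "*) echo "$f hw" ;;
            *)        echo "$f software" ;;
        esac
    done
}

# hw_crypto_missing: print how many expected features are NOT advertised.
# 0 means every algorithm on the deck's T4 list has an instruction behind it.
hw_crypto_missing() {
    hw_crypto_report | grep -c ' software$' || true
}

# Constructed sample outputs (assumptions, not captured from real systems):
# a T4-class CPU that exposes the crypto instructions ...
SAMPLE_T4='64-bit sparcv9 applications
    crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc'
# ... and a pre-T4 CPU whose crypto lives in a coprocessor, so none appear.
SAMPLE_PRE_T4='64-bit sparcv9 applications
    hpc vis2 vis popc'

# Demo run over both samples.
printf '%s\n' "$SAMPLE_T4" | hw_crypto_report
printf 'missing on T4 sample: %s\n' "$(printf '%s\n' "$SAMPLE_T4" | hw_crypto_missing)"
printf 'missing on pre-T4 sample: %s\n' "$(printf '%s\n' "$SAMPLE_PRE_T4" | hw_crypto_missing)"
```

A non-zero count on a T4 is worth chasing before any tuning: it usually means the process is running under an older instruction-set view (for example a 32-bit or differently compiled binary) rather than a hardware fault.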
18. End-to-End Security Scenario on Oracle T4
•  Oracle SPARC T4 has been verified to perform acceleration of encryption operations across:
–  Oracle Solaris (KSSL and ZFS Encryption), WebLogic (SSL), Web Services Manager (WS-Security and SSL), and Database (Transparent Data Encryption)
–  Solaris PKCS#11 Softtoken acts as a unified key store.
–  Use SCA-6000 for FIPS-140 requirements
19. Transparent Data Encryption using SPARC T4 Acceleration
(diagram; labels: Oracle Advanced Security – Network Encryption, Strong Authentication; Solaris 11 Softtoken or SCA-6000 (HSM) – Master Key, Oracle Wallet; TDE Column Encryption; TDE Tablespace Encryption; Encrypted (and compressed) disk backups; Encrypted (and compressed) export files; Oracle SPARC T-series Servers – Cryptographic Acceleration)
20. Oracle Database Security
Data and Network Encryption using SPARC T4 Crypto
•  Oracle Transparent Data Encryption (TDE) has been integrated to use T4 Crypto for "Tablespace and Column-level Encryption" operations.
–  Oracle TDE directly accesses T4 on-core cryptography
–  Enable configuration using init.ora parameters.
–  Available as part of the Oracle 11g R2 (11.2.0.3) release
•  Centralized key management and tamper-proof storage for the Master Key Wallet, and Network Encryption acceleration.
–  T4 Crypto accelerates SSL/TLS supporting SQLNET's network encryption.
•  Oracle Wallet tested and verified to store the Master Key in Solaris Softtoken or SCA-6000 (FIPS 140-2 scenarios)
21. Fusion Middleware Security
WebLogic and Oracle Web Services Manager Using SPARC T4 Crypto
•  WebLogic integrates T4 Crypto via JSSE and the Java SunPKCS#11 Provider for SSL
•  Oracle Fusion Middleware 11g (11.1.1.4) Security automatically leverages T4 Crypto via Web Services Manager (OWSM)
•  Verified to use JKS, Solaris PKCS#11, SCA-6000 and NSS Softtoken (FIPS mode)
•  T4 based hardware assisted crypto acceleration
•  WebLogic SSL and Fusion Middleware Security via OWSM
•  Transport-level security using WebLogic SSL and Solaris KSSL
•  Message-level security using WS-Security and WS-SecurityPolicy defined algorithm suites
(stack diagram; labels: SPARC T3 and T4 Servers – Cryptographic Acceleration; Java PKCS#11 Provider; Java Keystore / Solaris PKCS#11 Softtoken; Solaris Cryptographic Framework)
22. Program Agenda
•  Security and the Business
•  Hardware Assisted Cryptography
•  Solaris 11 Security
•  Competitive Landscape
•  Next Steps
23. Reduced Attack Surface
Solaris 11 Secure by Default
•  Expose only required services to the network
–  Reduce the operating system network footprint
–  Most services are disabled; a few are set to "local only"
•  Integrated with Service Management Facility
–  Common administrative model for all service operations
–  Fully customizable based upon unique site requirements
•  Foundation for Additional Protections and Configuration
24. Separation of Duty
Solaris 11 Role-based Access Control (RBAC)
•  Role-based Access Control
–  Compose collections of administrative rights for users and roles
–  Roles can only be assumed by authorized users
–  Accountability is preserved – the original UID is always tracked
•  New in Solaris 11
–  By default, the root account is now a role
–  Role authentication can use either the user's or the role's password
–  CLI for managing users, roles, rights and groups
25. Separation of Duty
Solaris 11 Fine-Grained Process Privileges
•  Fine-Grained Process Privileges
–  Sandbox users and applications to limit potential for damage
–  Decomposes administrative capabilities into discrete privileges
–  Eliminates need for many services to start as 'root'
–  Always enabled and enforced by the Solaris kernel
•  New in Solaris 11
–  New privileges: file_read, file_write, and net_access
–  Support for "forced privileges" for set-uid root programs
–  Stop profile to limit specific commands and authorizations
26. Strong Service Isolation
Solaris 11 Zones (Containers)
•  Zones
–  Restricted operating environment for enhanced security
–  Per-zone hardening, RBAC, privileges, resource controls, etc.
–  Per-zone system resources, networking, data sets, etc.
•  New in Solaris 11
–  Zone Integrity Policies (Flexible, Strict, Fixed, None)
–  Delegated Administration (Console, Install, Boot, Shutdown)
–  Virtual Networking (NICs, Switches, etc.)
27. Holistic Data Protection
Solaris 11 ZFS Encryption
•  Encryption policy is set at the ZFS data set level
•  Supports delegation of key management operations
•  Leverages a dual key model: wrapping key vs. encryption key
•  Variety of options for format/location of the wrapping key
•  Wrapping key inherited by child data sets
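Slide 27 describes the ZFS encryption model: policy per data set, a wrapping key separate from the data-encryption key, several formats and locations for the wrapping key, and inheritance by child data sets. The operational question that follows is an inventory: which data sets are encrypted, and where does each wrapping key come from, since a key only available by prompt cannot be supplied at unattended boot, a key file on local disk protects against little, and a key held in the PKCS#11 softtoken or an HSM is the case the deck is arguing for. The POSIX shell function below is an added example, not code from the deck: it parses the tab-separated output of `zfs get -H -o name,property,value encryption,keysource` on Solaris 11 (property names `encryption` and `keysource` as in zfs(1M)) and classifies each data set. The sample output is constructed; the `keysource` value forms (`passphrase,prompt`, `raw,file://…`, and especially the `…,pkcs11:…` form) are assumptions about what a real pool would print.

```shell
#!/bin/sh
# Added example (not from the Oracle deck): summarise ZFS wrapping-key
# policy from Solaris 11's
#   zfs get -H -o name,property,value encryption,keysource
# Input on stdin: "name<TAB>property<TAB>value" lines. Property names are
# Solaris 11's; the keysource value forms matched below are assumptions.

# zfs_key_policy_report: print "<dataset> <class>" per data set, where class is
#   unencrypted   encryption is off
#   prompt        wrapping key typed interactively (blocks unattended mount)
#   keyfile       wrapping key read from a file:// URI on some filesystem
#   pkcs11        wrapping key held in a PKCS#11 token (softtoken or HSM)
#   other         any other keysource form (e.g. an https:// location)
zfs_key_policy_report() {
    awk -F'\t' '
        # Remember first-seen order so output is stable, then collect both
        # properties for each data set name.
        $2 == "encryption" { enc[$1] = $3; if (!($1 in seen)) { order[++n] = $1; seen[$1] = 1 } }
        $2 == "keysource"  { src[$1] = $3; if (!($1 in seen)) { order[++n] = $1; seen[$1] = 1 } }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                e = (d in enc) ? enc[d] : "off"    # missing encryption => treat as off
                s = (d in src) ? src[d] : "none"
                if (e == "off")               c = "unencrypted"
                else if (s ~ /,prompt$/)      c = "prompt"
                else if (s ~ /,file:\/\//)    c = "keyfile"
                else if (s ~ /,pkcs11:/)      c = "pkcs11"
                else                          c = "other"
                print d, c
            }
        }'
}

# Constructed sample of `zfs get -H -o name,property,value encryption,keysource`
# (not captured from a real pool). tank/app/logs inherits its parent's
# passphrase,prompt keysource, which is exactly the inheritance slide 27 notes.
SAMPLE_ZFS_GET=$(printf '%s\t%s\t%s\n' \
    rpool         encryption off \
    rpool         keysource  none \
    tank/app      encryption aes-128-ccm \
    tank/app      keysource  passphrase,prompt \
    tank/app/logs encryption aes-128-ccm \
    tank/app/logs keysource  passphrase,prompt \
    tank/db       encryption aes-256-ccm \
    tank/db       keysource  raw,pkcs11:object=tank-db-wrap \
    tank/backup   encryption aes-256-ccm \
    tank/backup   keysource  raw,file:///etc/zfs/backup.key)

# Demo run; on a real host pipe the zfs command itself into the function.
printf '%s\n' "$SAMPLE_ZFS_GET" | zfs_key_policy_report
```

The classes map directly onto review questions: every `prompt` data set is one an operator must attend at boot, every `keyfile` path deserves a look at what filesystem it lives on, and `unencrypted` data sets under an encrypted parent are the policy gaps the per-data-set model makes easy to overlook.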
28. Comprehensive Monitoring
Solaris 11 Auditing
•  Auditing
–  Kernel-based fine-grained introspection
–  Captured events include: admin. actions, commands, syscalls
–  Configurable audit policy at both the system / user level
–  Zones can be audited from within the global zone
–  Audit logs can be exported as binary, text, or XML files
•  New in Solaris 11
–  Auditing on by default with no performance penalty
–  Greater visibility into system events with less "noise"
29. Program Agenda
•  Security and the Business
•  Hardware Assisted Cryptography
•  Solaris 11 Security
•  Competitive Landscape
•  Next Steps
30. SPARC T4 Leads in On-Chip Algorithms
(comparison chart vs. IBM & HP)
31. OpenSSL: RSA Sign/Verify (RSA 1024)
(bar chart; y-axis ops/sec, 0–400000; systems: T4-1, X4270 (Westmere); series: Sign ops/sec, Verify ops/sec; data labels as extracted: 48583.5, 14629.8, 384615.2, 188261.3)
*Westmere running Solaris 10u9 (AES-NI optimized)
32. Java Crypto: RSA Sign/Verify (RSA 2048)
(bar chart; y-axis time in nsec, 0–70000000; systems: T4-1, X4270 (Westmere); series: SHA1withRSA, SHA256withRSA; data labels as extracted: 18356014, 50296420, 28942706, 61446300)
No. of clients = 1000; message size = 1024k bytes
33. Java Crypto: AES Bulk Encryption
(bar chart; y-axis time in nsec, 0–25000000; systems: X4270 (Westmere), T4-1; series as labelled on the slide: AES-128, AES-256, AES-512)
*Westmere running Linux (AES-NI optimized)
No. of clients = 1000; message size = 1024k bytes
34. Fusion Middleware Security On T4
(chart; configuration: Two-way SSL, RSA-1024)
*JAX-WS Application, WS-SecurityPolicy – Basic256, SSL Cipher – TLS_RSA_WITH_AES_128_CBC_SHA
35. Program Agenda
•  Security and the Business
•  Hardware Assisted Cryptography
•  Solaris 11 Security
•  Competitive Landscape
•  Next Steps
36. Stop by the Oracle Support Stars Bar
Moscone West, Level 2
•  Oracle Support experts on hand
•  2-minute videos describing key Oracle proactive support tools and mission-critical services
•  Live demos
•  Enter to win an iPad 2 (Mon–Wed)
•  Hours:
§  Monday & Tuesday: 10:00 – 6:00
§  Wednesday: 9:00 – 5:00
§  Thursday: 9:00 – 1:00
37. For More Information / Try Out Today
•  Product overview and download
–  oracle.com/solaris
•  Oracle Technology Network
–  oracle.com/technetwork/server-storage/solaris11
•  System administrators community
–  oracle.com/technetwork/systems
•  @ORCL_Solaris
•  facebook.com/oraclesolaris
•  Oracle Solaris Insider
38. Q&A
39. (no slide text)
40. (no slide text)
41. Appendix
42. Architectural Strategies
Building the Nesting Doll
Public Domain Image Courtesy: Sergiev Posad Museum of Toys, Russia
43. Architectural Strategies
Building the Nesting Doll
(diagram; labels: Non-Global Zone A – Binaries and Libraries, Configuration Files, Temporary and Log Files, Application Data, ZFS Encrypted Data Set A, Delegated Application Administration, Secure by Default / Hardening)
44. Architectural Strategies
Building the Nesting Doll
(diagram; labels, repeated three times in the extraction: System Resources, Monitoring / Auditing, Delegated Admin., Packet Filtering)
45. Architectural Strategies
Building the Nesting Doll
(diagram; labels: Solaris 11 Instance (Global Zone) – Monitoring / Auditing, Delegated Administration, Integrated Cryptography)
46. Architectural Strategies
Building the Nesting Doll
(diagram; labels: Oracle VM Server for SPARC; TBD – Insert Images of T4-based Servers)