Quicksearch
Disclaimer
The individual owning this blog works for Oracle in Germany. The opinions expressed here are his own, are not necessarily reviewed in advance by anyone but the individual author, and neither Oracle nor any other party necessarily agrees with them.
The need for cryptography everywhere
Tuesday, September 11. 2007
Computer security is to some extend a feeled asset. Thus user tend to do less than nescessary to protect their computers. They install a firewall and think "I don't need a virus scanner" or vice versa. Or they think "I use an anonymizer, i don't need encrypted communication" . At least this is a good explanation for the findings of DEranged: DEranged gives you 100 passwords to Governments & Embassies. The trick to gather such informations was really trivial: Out of security reasons many people use networks like Tor to anonoymize traffic. So, you give your communication to other peoples systems to deliver them on your behalf, so you can't be tracked as the source by the logfiles of the accessed server. Okay, good thing. The dark side: They can snoop your traffic. Bad thing. Especially, when you used unencrypted communication. And this is exactly the way, how DEranged was able to gather such high profile account informations.
But this leads to an interesting question: Why do service provider offer unencrypted communications or switch back to unencrypted communication, after they have authenticated their users. Simple reason: It's incredible expensive to encrypt every communication, and albeit many service providers for communication default to SSL, they are glad of every user, who doesn't use encryption. Most of the time you can't even use is for not visible services, many providers don't offer SSL for their authenticated POP3, IMAP or SMTP connection, and when they offer such a server, they do not force their users to use it.
The reason is simple: As fast as a general purpose CPU like Opteron or Xeon is, so slow is it at encrypting all this traffic. The led to the invention of SSL Accelerator Cards, but as these add extra costs to the hardware they are not as ubiquious as they should be.
Sun saw this problem and integrated encryption supporting circuits into UltraSPARC T1 and a full-fledged accelerator into UltraSPARC T2. You get encryption for free, when you use this processor, as the accelerator computes in parallel to the other pipelines. When you use the Sun modified SSL libraries (enabled to use the Solaris Cryptographic Framework) or the in kernel SSL proxy is as easy a few configuration statements to have the performance to force all your users to encryption without loosing performance on your webserver.
I don't believe that Opterons or Xeons will go the same way. Out of the reason, where the money in x86 is earned: The server manufacturers participate from the ever elastic demand in computing power in regard to gaming and HPC. They are not genuine server processors, and compared to the amount of system selled by desktop manufactures, the amount of processor for servers is small. So: When Intel or AMD have the choice to invest - let' say - 5 million transistors to 5 or 10 frames more in Quake 10 or for hardware accelerated encryption i doubt, they will decide for the second choice. You can make more money out of the 5 frames. And this get worser, as the horde of enthusiasts websites without knowledgeabout useful benchmarking and the real life in datacenters with their adjactent fanboy entourage got the role of appointing prestigious "the fastest processor" title. And those people doesn't benchmark SSL webserver performance.
Sun has an advantage here, as we designed the T1 and T2 specifically for server usagePerhaps this brings Sun backs to the place where we had a big stronghold. You remember, we were the dot in .com , before we got really bad marketing claims (Who understood the nth claim ?)
But this leads to an interesting question: Why do service provider offer unencrypted communications or switch back to unencrypted communication, after they have authenticated their users. Simple reason: It's incredible expensive to encrypt every communication, and albeit many service providers for communication default to SSL, they are glad of every user, who doesn't use encryption. Most of the time you can't even use is for not visible services, many providers don't offer SSL for their authenticated POP3, IMAP or SMTP connection, and when they offer such a server, they do not force their users to use it.
The reason is simple: As fast as a general purpose CPU like Opteron or Xeon is, so slow is it at encrypting all this traffic. The led to the invention of SSL Accelerator Cards, but as these add extra costs to the hardware they are not as ubiquious as they should be.
Sun saw this problem and integrated encryption supporting circuits into UltraSPARC T1 and a full-fledged accelerator into UltraSPARC T2. You get encryption for free, when you use this processor, as the accelerator computes in parallel to the other pipelines. When you use the Sun modified SSL libraries (enabled to use the Solaris Cryptographic Framework) or the in kernel SSL proxy is as easy a few configuration statements to have the performance to force all your users to encryption without loosing performance on your webserver.
I don't believe that Opterons or Xeons will go the same way. Out of the reason, where the money in x86 is earned: The server manufacturers participate from the ever elastic demand in computing power in regard to gaming and HPC. They are not genuine server processors, and compared to the amount of system selled by desktop manufactures, the amount of processor for servers is small. So: When Intel or AMD have the choice to invest - let' say - 5 million transistors to 5 or 10 frames more in Quake 10 or for hardware accelerated encryption i doubt, they will decide for the second choice. You can make more money out of the 5 frames. And this get worser, as the horde of enthusiasts websites without knowledgeabout useful benchmarking and the real life in datacenters with their adjactent fanboy entourage got the role of appointing prestigious "the fastest processor" title. And those people doesn't benchmark SSL webserver performance.
Sun has an advantage here, as we designed the T1 and T2 specifically for server usagePerhaps this brings Sun backs to the place where we had a big stronghold. You remember, we were the dot in .com , before we got really bad marketing claims (Who understood the nth claim ?)
Comments
Display comments as
(Linear | Threaded)
Well speaking of cryptography, I red last week that AMD's planned SSE5 instructions will enhanced the performance in that field.
However I doubt that it will be as good as Sun's dedicated crypto circuits.
But my guess is that AMD or Intel will advertise addon CoProzessor for that purpose in the future, conneced either by Torrenza or Geneseo.
However that wont be in the near future, thus Sun has the chance to sell a lot of servers in the meantime
cheers
Alex
P.S: The only competition could come from VIA, if there were SMP chipsets available
However I doubt that it will be as good as Sun's dedicated crypto circuits.
But my guess is that AMD or Intel will advertise addon CoProzessor for that purpose in the future, conneced either by Torrenza or Geneseo.
However that wont be in the near future, thus Sun has the chance to sell a lot of servers in the meantime
cheers
Alex
P.S: The only competition could come from VIA, if there were SMP chipsets available
having to use sun modified ssl libraries can be a painful experience regarding compiler and compiler options you have to use. Also means you have to maintain a Sun branch of openssl. Actually the Sun libraries had quite a few bugs as I tested them (granted, this was 9 month ago) whicht I submitted to support. And, btw, you're loosing support of the openssl community.
1. What is complex at FLAGS='-DSSL_EXPERIMENTAL -DSSL_ENGINE' ./configure -enable-ssl --enable-rule=SSL_EXPERIMENTAL \
--with-ssl=/usr/sfw
2. You get a vastly more efficient encryption in return.
3. When this task are to complex or impossible, you can still use the in Kernel SSL Proxy, which is accelerated as well.
4. This library is support by Sun itself. When you have a T1000/T2000 you have most of the times maintainance, thus you can get support from Sun for this stuff, as Solaris Support ist included in HW support.
--with-ssl=/usr/sfw
2. You get a vastly more efficient encryption in return.
3. When this task are to complex or impossible, you can still use the in Kernel SSL Proxy, which is accelerated as well.
4. This library is support by Sun itself. When you have a T1000/T2000 you have most of the times maintainance, thus you can get support from Sun for this stuff, as Solaris Support ist included in HW support.
I used the lines in (1) but SSL handshake kept failing (only worked with the standard SSL Libraries) - as support in germany could not help me I was transfered to developers in shanghai. They found the bug too - but it took weeks for a new release of the libraries to show up (the fate of early adopters I guess). So what was left of my advantages? "vastly more efficient encryption" didn't work, SUN Support took very long for fixing this. Using standard openssl was not an option because it was incredibly slow due to lack of dedicated FPUs on Niagara (openssl actually does integer on FPU just because it is fully pipelined)
But I don't want to bore you with long and sad stories
But I don't want to bore you with long and sad stories
If I remember it correctly, with apache 2.2.XX you just need:
--enable-ssl \
--with-ssl=/usr/sfw
And remember to use 2048bit keys. As on T1 this is the maximum key length.
You can check with kstat if the
--enable-ssl \
--with-ssl=/usr/sfw
And remember to use 2048bit keys. As on T1 this is the maximum key length.
You can check with kstat if the
You are correct ...
Bugs occur everywhere. The scourge of the IT. The easy way for you would be the usage of the In-Kernel-SSL-Proxy. I've got some good experience with the SSL-Accelerator.
That isn't boring ... Sun is far from beeing perfect (as every company, that doesn't do "box moving" or throwing pro service people on product deficiencies). So such informations is good. I just don't like unfounded or too simplified reports of problems, as they shed a wrong light ...
That isn't boring ... Sun is far from beeing perfect (as every company, that doesn't do "box moving" or throwing pro service people on product deficiencies). So such informations is good. I just don't like unfounded or too simplified reports of problems, as they shed a wrong light ...
+1
The LKSF book
The book with the consolidated Less known Solaris Tutorials is available for download here
Web 2.0
Contact
Networking
xing.com
LinkedIn
Facebook
My photos
- mail: joerg@c0t0d0s0.org
- icq: 144000169
- Me, myself and I
- openBC
- My del.icio.us
- c0t0d0s0@twitter
- c0t0d0s0@last.fm
- wiki@c0t0d0s0
- Amazon Wishlist
Networking
xing.com
My photos
Comments
about Nanosecond
Wed, 23.05.2012 00:11
I remember this being drummed
into us during Digital Design
at Uni. It's important to cons
ider it when laying out [...]
Mon, 21.05.2012 18:04
Hello Kevin, Im not surprised
with what you are seeing or ha
ve seen when attaching a SSD t
o a USB2.0. USB3.0 helps [...]
Mon, 21.05.2012 04:44
Hi Greg,
With regards to IO
PS I have seen terrible result
s using a 60GB SATA2 SSD with
USB2.0 - USB2 really cho [...]
about ZFS Dedup Internals
Sat, 19.05.2012 09:50
There is no impact to boot/imp
ort times, as the DDT is loade
d as needed ... so the pool is
imported as fast as wit [...]
Buttons
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Germany License
Ich hatte als amtierender Securityfuzzi einmal die Aufgabe, die benötigte Verschlüsselungskapazität eines großen Webdienstleisters für eine Konsolidierungsmaßnahme auszurechnen. Das gesamte Rechenzentrum dieses Ladens hatte damals eine Leistungsaufnah
Tracked: Sep 21, 00:57