
Ensuring end-to-end security with SSL



To provide the fastest Secure Sockets Layer transactions with truly secure connections, systems administrators can install SSL off-loading devices in a PCI-card format directly into Web servers. The benefits include:

  • Data security all the way from clients to secure Web servers.

  • Substantially increased throughput as the offloader performs all SSL processing routines and TCP/IP negotiations.

  • Simplification of key management and maintenance.

Adding SSL acceleration and offloading devices to e-commerce and other secure Web sites increases transaction processing speeds. But because the devices are installed as appliances on networks, data is unsecured between the devices and the secure servers. Installing an SSL off-loading device as a PCI expansion card directly in a secure server ensures the security of the connection from browser to server.

Secure transactions are a necessity with e-commerce and sensitive corporate intranets and extranets. While many security standards are in place, SSL is the most common. The SSL standard is not a single protocol, but rather a set of accepted data transfer routines that are designed to protect the integrity of transmitted messages.

SSL relies on certificates (digital identification cards) and keys. Certificates include the name of the certificate authority that issued the certificate, the name of the entity to which the certificate was issued, the entity's public key, and time stamps that indicate the certificate's expiration date.

Two types of keys are used with ciphers to encrypt and decrypt data. Private keys are issued to entities and are never given out. Public keys are given out freely. Both keys are necessary for authentication routines. Data encrypted with the public key cannot be decrypted with the same key: the private key must be used.

SSL transactions use complicated mathematical formulas for data encryption and decryption, formulas whose complexity varies depending on the strength of the cipher. The high-level calculations bog down most servers, resulting in poor performance. Most Web servers display a significant reduction in throughput when executing SSL-related tasks, performing up to 50 times more slowly than when servicing only HTTP 1.0 connections.
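The key asymmetry and the server-side cost described above, as an added example that is not part of the original article. It assumes RSA (the article names no algorithm), uses a constructed 1024-bit textbook key with no padding, and counts the modular multiplications needed for the public-key operation versus the private-key operation that the server, or an offloader, must perform; all function names are illustrative.

```python
import random

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin test; n is an odd candidate > 3 here."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_keypair(bits=1024, seed=2006, e=65537):
    """Constructed textbook-RSA key (n, e, d): fixed seed, no padding, demo only."""
    rng = random.Random(seed)
    def prime():
        while True:
            p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            # e is prime, so p % e != 1 guarantees gcd(e, p - 1) == 1
            if p % e != 1 and is_probable_prime(p, rng):
                return p
    p, q = prime(), prime()  # distinct with overwhelming probability
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def modmul_count(exponent):
    """Modular multiplications in plain square-and-multiply exponentiation."""
    return (exponent.bit_length() - 1) + (bin(exponent).count("1") - 1)

def demo():
    n, e, d = make_keypair()
    secret = int.from_bytes(b"session key", "big")  # constructed sample message
    ciphertext = pow(secret, e, n)  # public-key operation (client side)
    return {
        "private_recovers": pow(ciphertext, d, n) == secret,  # private key decrypts
        "public_recovers": pow(ciphertext, e, n) == secret,   # public key does not
        "public_ops": modmul_count(e),
        "private_ops": modmul_count(d),
    }

if __name__ == "__main__":
    print(demo())
```

The multiplication counts are for this toy model only and are not a measurement of any server or offloading product.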

To combat this performance loss, systems administrators have been able to reduce delays in SSL transactions by installing SSL accelerators and offloaders. Accelerators increase transaction speeds by performing some of the SSL processing tasks while relying on secure Web server software to do the rest. Offloaders take on all SSL processing tasks and do not require secure Web server software, allowing Web servers to provide secure and nonsecure services at the same high speeds. Key management and maintenance procedures are also more efficient on offloaders because they do not rely on manual configuration of application software.

Most of the devices are installed as network appliances in rack-mountable or small-footprint forms. Because they provide encryption/decryption services for an entire network, data is unsecured between devices and Web servers.

By installing an SSL offloader directly onto a server, systems administrators can solve speed and security problems. Secure data is transferred from clients through the Internet and network directly to a server. The offloader installed in the server decrypts the data and transfers it along the PCI bus directly to the processor. The result is that host servers can provide secure transaction services at the same speeds as nonsecure ones while guaranteeing the security of data during transit between clients and servers.

Bull is a communications engineer at Phobos, an Internet traffic management company in Salt Lake City. She can be contacted at mbull@phobos.com.



Copyright, 1994-2006 Network World, Inc. All rights reserved.