1. Analysis of Security and Compliance using Sun UltraSPARC T-Series
Servers
Ramesh Nagappan, Principal Security Engineer
Chad Prucha, Principal Solutions Manager

2. Agenda
• Oracle Security and Compliance Portfolio <Insert Picture Here>
– Technologies Overview
• Security using Oracle T-Series Servers
– Enabling On-chip Cryptographic Acceleration
– Role of Solaris Crypto Framework
– Applied scenarios in Oracle Database and Middleware
– Role of Sun Crypto Accelerator 6000
• Performance Characteristics
• Achieving Compliance Goals
– HIPPA, PCI-DSS….
• Summary

3. The Perfect Storm: IT Insecurity
Security has taken unprecedented importance ….everywhere!
 Security is one of today’s most critical IT business
challenges.
o Cyber threats, attacks and associated data exposures are the fastest
growing crimes !
o Greater business impacts due to increasing threats and exploits.
 Regulatory statutes enforce organizations act
proactively to secure information lifecycle.
o PCI DSS, SOX, HIPAA, FISMA, EU Data Protection and more.
o Mandates organizations to enforce data confidentiality, integrity and
compliance in critical business processes and Web applications.
 Stronger demand for high-performance security in
applications, data, communications and networks.
 Encryption is becoming crucial to IT Security
 Deliver predictable scalability, end-to-end latencies and response
times including security, virtualization and QoS characteristics.

4. IT Security: Pre-judicial Barriers
 Security is often considered as an afterthought or a retrofit
solution.
o Many of them late to realize…..“NO ROLLBACK” for a security breach.
o After a breach…all post-mortem reactive measures hardly recover any damage.
o Ignorance and blind assumptions often leads to underestimating security risks.
 Security options are commonly ignored as “Performance
Overheads”.
o Performance benchmarks usually do not include real-world application characteristics
o Cryptographic operations, access control & authentication schemes, non-deterministic
payloads, content-encoding schemes burdens CPU & Network.
• 2X+ slowdowns are widely common after going secure !
• Crypto overheads vary by content/usage scenario – tuning don’t make sense!
o Lack of understanding to security technologies
 Growing IT costs and complexity to identify and defend
applications against known risks and vulnerabilities.
o Higher costs hindering adoption of security technologies

5. Security & Compliance
Who is behind the scene

6. Security & Compliance Infrastructure
Security Components of a Oracle SPARC Enterprise T-Series Server

7. Exploring Security

8. Role and Relevance of Cryptography
Adopting Cryptography for IT Security
 Cryptography plays a vital role in
IT Security.
o Securing the Network, Applications,
Communications and Data
• Confidentiality and Integrity of data and
communication
• Non-repudiation of transactions
• Access control and Availability
o Data privacy and regulatory compliance
 Cryptographic algorithms and
operations contributes to all levels
of application security.
o Network-layer Security
o Transport-level Security
o Message-level security
o Application-layer security

9. Adopting Cryptography: Pain Points
Common challenges and stumbling issues
 Cryptographic functions tends to be computationally-
intensive and requires lot of CPU and Network bandwidth.
o Applications slowdown while performing cryptographic operations
 How to avoid performance degradation using cryptographic
accelerators or Hardware Security Modules (HSM).
o Eliminate performance overheads associated with cryptographic functions.
 How to enable applications to incorporate cryptographic
functions for application-level security.
 May use non-invasive mechanisms (ex. using PKCS11) … or go intrusive with tight
integration of proprietary frameworks.
 Understanding the usage of relevant cryptographic
algorithms and its application scenarios.
o There is no silver bullet – It is critical to know the applied scenario and how the crypto
mechanism is being used.

10. Applied Cryptography
Common security applications using Crypto mechanisms
 SSL
o De-facto standard for securing HTTP in Web applications and Browser based VPNs
o Based on public-key algorithms
 IPSec
o Widely used in enabling Site-to-Site/Host-to-Host VPN
o Based on symmetric-key encryption and message digest algorithms
 SSH
 Remote authentication to hosts using a secure channel using public-key encrption.
 WS-Security
 OASIS Standard for securing XML Web Services and SOA applications
 XML Encryption and Signature use Public-key Cryptography
 PKI based Applications.
o Identity Management and Assurance, Telco (3G/4G/WiMAX), Digital signature based
DRM, Smartcards and Biometrics

11. Security vs. Performance
Understanding the overheads with Cryptography – SOA Scenario
SSL using RSA-2048 and WS-SecurityPolicy using Basic128Sha256Rsa15 (Algorithm suite).
Significant performance slowdown occurs after using SSL and WS-Security.

12. Anatomy of SSL
Ciphers vs. Execution times
“Significant time” spent on cryptographic functions with specified ciphers.

13. Effect of Cryptographic Acceleration
Understanding the performance gains for an SSL scenario
Significant performance GAINS can be achieved only using Hardware SSL accelerator.

14. Cryptographic Acceleration
Using
Oracle SPARC Enterprise T-Series Servers

15. On-chip Crypto Accelerators: Evolution
The UltraSPARC T-Series Processor Family
 UltraSPARC T1 – 8 Crypto Accelerators
o 8 Cores with One accelerator per core
o Introduced industry-first on-chip cryptographic accelerators
o Cryptographic accelerators run in parallel with clock-speed
o Introduced “Public-key Encryption” algorithms (ex. RSA)
 UltraSPARC T2/T2+ – 8 Crypto Accelerators
o 8 Cores with One accelerator per core
o Introduced support for Bulk-encryption (AES,3DES/DES, RC4)
and Message digests (MD5, SHA-1, SHA-2)
o Introduced support for Elliptic-curve Cryptography (ECC)
 UltraSPARC T3 – 16 Crypto Accelerators
o 16 cores with One accelerator per core
o Additional algorithms for Message digests (SHA-512)
o Introduced support for Kasumi algorithm.

16. Cryptographic Capabilities and Algorithms
T3 Processor
16

17. On-Chip Crypto Accelerators
System Characteristics
 Crypto Accelerators operate in parallel with CPU speed
delivering encryption and decryption
 Accelerators are shared by all the core’s strands
 T1/T2/T2+/T3 provide light-weight accelerator drivers for
Solaris
o /dev/ncp0
o Handles Public-key Encryption Algorithms
o /dev/n2cp0
o Handles Bulk Encryption and Hash algorithms
o /dev/n2rng0
o Handles Random Number Generation
o Communicates via Memory-based Word Queue
o Stateless communication, just fire and forget.
o Consumer is informed when the operation is complete
 Access to accelerators are controlled using Solaris
Cryptographic Framework and Kernel Modules
o Using PKCS#11 standard interfaces and Solaris Kernel modules

18. On-chip vs Off-chip Accelerators
Comparison with Commercial Accelerators

19. SPARC T-Series – Onchip Crypto
Comparison with Commercial Accelerators/HSMs
6 Crypto Unit
+ = Up to Six Virtual
Machines with Full
Crypto Capability
Six card slots filled
(maximum)
SPARC Enterprise T3-1 16 Crypto Units
= Up to 16 Virtual
Machines with Full
Crypto
All card slots available
2x Capacity
19

20. Accessing On-chip Crypto Accelerators
Operational Characteristics
 Access to accelerators are
managed using Solaris
Cryptographic Framework
(SCF).
o SCF acts as an intermediary gateway
between applications and cryptographic
providers.
o Applications use Sun PKCS#11
Provider to access accelerator
o Java Sun-PKCS#11
o OpenSSL PKCS#11 Engine
o NSS/JSS APIs using PKCS11
 Solaris Kernel Modules can
directly access accelerators.
o Kernel SSL (KSSL)
o IPSec

21. Sun Cryptographic Accelerator 6000 – PCIe Card
 A full-fledged Hardware Security
Module (HSM)
o Secure Key Storage (Escrow and Recovery)
o High-performance cryptographic accelerator
o FIPS-140-3 Compliant
o Supports Solaris SPARC/X64 and Linux
 NIST approved cryptographic
algorithms
 RSA, DSA, DH, ECC
 AES, DES, 3DES
 MD5, SHA-1, SHA-512
 Intended for Financial and
Government applications where
Secure Key Storage is critical.
o Oracle Advanced Security, Financials, etc.
o PIN and Card Verification Functions

22. SCA 6000 – Usage Scenarios
 Tested and Certified for use in FIPS and NON-FIPS modes
o Oracle Database Advanced Security Scenarios
o TDE Master Key Management
o TDE Network Encryption and Acceleration
o Oracle Fusion Middleware (SOA and XML Web Services Security)
o Oracle Web Services Manager (SSL and WS-Security scenarios)
o Oracle WebLogic (SSL and WS-Security scenarios)

23. Enabling Cryptographic Acceleration
Applied Techniques and Usage Scenarios

24. Solaris Cryptographic Framework
 Common framework for
performing /consuming / integrating
cryptographic providers.
o Hardware or Software.
o Kernel or Userland.
o Extensible in order to permit custom functions
o Facilitates PKCS#11 for consumer and
providers
 By default, supports major NIST
approved algorithms
o Encryption: AES, Blowfish, RC4, DES, 3DES,
RSA.
o Digests: MD5, SHA-1, SHA-256, SHA-384,
SHA-512.
o MAC: DES MAC, MD5 HMAC, SHA1 HMAC,
SHA-256 HMAC, SHA-384 HMAC, SHA-512
HMAC
o Optimized for SPARC, Intel and AMD

25. Solaris KSSL
 Facilitates an SSL Proxy service for applications and performs
SSL operations right in the Solaris Kernel.
o Integrates Solaris Cryptographic Framework and its supporting ciphers.
 Makes use of underlying Hardware based Cryptographic
accelerators and Hardware Security Modules (HSM).
o Automatically makes use of cryptographic accelerators for SSL operations, no additional
configuration.
o Use PKCS#11 for supporting HSMs for private key storage.
 Non-intrusive SSL configuration, independent of relying
applications.
o Managed via Solaris Service Management Facility (SMF)
 Can act as SSL proxy for Non-SSL aware applications that
does not provide PKCS#11 support.
 Delivers 25% - 35% faster SSL performance.

26. Using KSSL for Transport-layer Security
Applied Scenario
26

27. End-to-End Transaction Security
Applied Use Cases
HTTP
HTTP HTTP HTTP SQLNET
SSL Oracle Oracle
Web Server Fusion Database
SSL SSL Middleware SSL Server
SSL /
WS-Security Encrypt/
SOAP
Decrypt
SSL /
WS-Security Oracle Archive
Database
• SPARC T3 accelerates Oracle WebLogic SSL and Web
Services Manager 11g (OWSM).
• SSL, WS-Security scenarios
• SPARC T3 accelerates Oracle Transparent Data Encryption
(TDE) operations
27

28. Performance Studies

29. Secure Performance
With and Without Acceleration
^134h>96can#A*IC!
Ajladsf0^HLh3f*&lJ
4704 1234 5678 1594
*NHSD6%lk)+>kjh!1
Without T3 Crypto Assist T3 Crypto Assist Enabled
3.5x Faster
CPU MEM CPU MEM
80% 70% 50% 25%
29

30. Secure Performance
With and Without Acceleration
^134h>96can#A*IC!
4704 1234 5678 1594 Ajladsf0^HLh3f*&lJ
4704 1234 5678 1594
*NHSD6%lk)+>kjh!1
Without T3 Crypto Assist T3 Crypto Assist Enabled
3.5x Faster
CPU MEM CPU MEM
80% 70% 40% 25%
30

31. SPARC Enterprise T-Series
Only Enterprise Server with Built-in Crypto
6 Crypto Unit
+ = Up to Six Virtual
Machines with Full
Crypto Capability
Six card slots filled
(maximum)
SPARC Enterprise T3-1 16 Crypto Units
= Up to 16 Virtual
Machines with Full
Crypto
All card slots available
2x Capacity
31

32. Effect of Accelerated SSL vs No SSL
Weblogic SSL Performance on T3 : Using KSSL vs. JCE vs. No SSL

33. Oracle TDE performance using T3
• T3 crypto speeds up query execution by 3-5x !!

34. Achieving Compliance

35. HIPAA-HITECH Compliance Scenario
Rules of Thumb: Encrypt PHI – in transit, in situ
HTTP
-50% -50% -30%
HTTP HTTP HTTP SQLNET
SSL Oracle Oracle
Web Server Fusion Database
SSL SSL SSL Middleware SSL Server
WebLogic 11g
SOAP Web Services Manager 11g
SSL
Oracle Archive
Database
35

36. HIPAA-HITECH Options
Rules of Thumb: Mitigation Strategies
NLB – SSL Accelerator
NLB – SSL Accelerator
NLB – SSL Accelerator
Aftermarket Card
HTTP
-50% -50% -30%
HTTP HTTP HTTP SQLNET
SSL Oracle Oracle
Web Server Fusion Database
SSL SSL SSL Middleware SSL Server
WebLogic 11g
SOAP Web Services Manager 11g
SSL
Oracle Archive
 Add 6 RUs Aftermarket Card Database
 Add 50% Cooling
 Add 30% Power
 Add 30% Admin
36

37. PCI-DSS Compliance Scenario
Rules of Thumb: Especially in situ, Even Warehoused Data
HTTP
-50% -50% -40%
HTTP HTTP HTTP SQLNET
SSL Oracle Oracle
Web Server Fusion Database
SSL SSL SSL Middleware SSL Server
WebLogic 11g
SOAP Web Services Manager 11g
SSL
Oracle Archive
Database
37

38. PCI-DSS Options
Rules of Thumb: Mitigation Strategies
NLB – SSL Accelerator
NLB – SSL Accelerator
NLB – SSL Accelerator
HTTP
-50% -50% -30%
HTTP HTTP HTTP SQLNET
SSL Oracle Oracle
Web Server Fusion Database
SSL SSL SSL Middleware SSL Server
WebLogic 11g
SOAP Web Services Manager 11g
SSL
Oracle Archive
 Add 12 RUs Aftermarket Card
Database
 Add 50% Cooling
Aftermarket Card
 Add 50% Power
 Add 30% Admin
38

39. Summary

40. The cost of security
Better TCO with T3 crypto
}
Twice server capacity = half
the footprint
Crypto overhead reduced to
10% from 30%
CPU Latency reduced
by 20X
No add-ons and
introduction of complexity Lower TCO
Simple to administrate
Faster to deploy
40

41. Program Agenda Example
• Our understanding of XYZ <Insert Picture Here>
• Capabilities and value drivers
• Benefits and assessments
• Oracle solutions
• Oracle credentials
• Appendix

42. Q&A
Chad Prucha, albert.prucha@oracle.com
Ramesh Nagappan, ramesh.nagappan@oracle.com