Tata AIG General Insurance Company - Insurer Innovation Award 2024
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emphasis on Hardware Assisted Cryptography
1. Analysis of Security and Compliance using Sun UltraSPARC T-Series
Servers
Ramesh Nagappan, Principal Security Engineer
Chad Prucha, Principal Solutions Manager
2. Agenda
• Oracle Security and Compliance Portfolio <Insert Picture Here>
– Technologies Overview
• Security using Oracle T-Series Servers
– Enabling On-chip Cryptographic Acceleration
– Role of Solaris Crypto Framework
– Applied scenarios in Oracle Database and Middleware
– Role of Sun Crypto Accelerator 6000
• Performance Characteristics
• Achieving Compliance Goals
– HIPPA, PCI-DSS….
• Summary
3. The Perfect Storm: IT Insecurity
Security has taken unprecedented importance ….everywhere!
Security is one of today’s most critical IT business
challenges.
o Cyber threats, attacks and associated data exposures are the fastest
growing crimes !
o Greater business impacts due to increasing threats and exploits.
Regulatory statutes enforce organizations act
proactively to secure information lifecycle.
o PCI DSS, SOX, HIPAA, FISMA, EU Data Protection and more.
o Mandates organizations to enforce data confidentiality, integrity and
compliance in critical business processes and Web applications.
Stronger demand for high-performance security in
applications, data, communications and networks.
Encryption is becoming crucial to IT Security
Deliver predictable scalability, end-to-end latencies and response
times including security, virtualization and QoS characteristics.
4. IT Security: Pre-judicial Barriers
Security is often considered as an afterthought or a retrofit
solution.
o Many of them late to realize…..“NO ROLLBACK” for a security breach.
o After a breach…all post-mortem reactive measures hardly recover any damage.
o Ignorance and blind assumptions often leads to underestimating security risks.
Security options are commonly ignored as “Performance
Overheads”.
o Performance benchmarks usually do not include real-world application characteristics
o Cryptographic operations, access control & authentication schemes, non-deterministic
payloads, content-encoding schemes burdens CPU & Network.
• 2X+ slowdowns are widely common after going secure !
• Crypto overheads vary by content/usage scenario – tuning don’t make sense!
o Lack of understanding to security technologies
Growing IT costs and complexity to identify and defend
applications against known risks and vulnerabilities.
o Higher costs hindering adoption of security technologies
8. Role and Relevance of Cryptography
Adopting Cryptography for IT Security
Cryptography plays a vital role in
IT Security.
o Securing the Network, Applications,
Communications and Data
• Confidentiality and Integrity of data and
communication
• Non-repudiation of transactions
• Access control and Availability
o Data privacy and regulatory compliance
Cryptographic algorithms and
operations contributes to all levels
of application security.
o Network-layer Security
o Transport-level Security
o Message-level security
o Application-layer security
9. Adopting Cryptography: Pain Points
Common challenges and stumbling issues
Cryptographic functions tends to be computationally-
intensive and requires lot of CPU and Network bandwidth.
o Applications slowdown while performing cryptographic operations
How to avoid performance degradation using cryptographic
accelerators or Hardware Security Modules (HSM).
o Eliminate performance overheads associated with cryptographic functions.
How to enable applications to incorporate cryptographic
functions for application-level security.
May use non-invasive mechanisms (ex. using PKCS11) … or go intrusive with tight
integration of proprietary frameworks.
Understanding the usage of relevant cryptographic
algorithms and its application scenarios.
o There is no silver bullet – It is critical to know the applied scenario and how the crypto
mechanism is being used.
10. Applied Cryptography
Common security applications using Crypto mechanisms
SSL
o De-facto standard for securing HTTP in Web applications and Browser based VPNs
o Based on public-key algorithms
IPSec
o Widely used in enabling Site-to-Site/Host-to-Host VPN
o Based on symmetric-key encryption and message digest algorithms
SSH
Remote authentication to hosts using a secure channel using public-key encrption.
WS-Security
OASIS Standard for securing XML Web Services and SOA applications
XML Encryption and Signature use Public-key Cryptography
PKI based Applications.
o Identity Management and Assurance, Telco (3G/4G/WiMAX), Digital signature based
DRM, Smartcards and Biometrics
11. Security vs. Performance
Understanding the overheads with Cryptography – SOA Scenario
SSL using RSA-2048 and WS-SecurityPolicy using Basic128Sha256Rsa15 (Algorithm suite).
Significant performance slowdown occurs after using SSL and WS-Security.
12. Anatomy of SSL
Ciphers vs. Execution times
“Significant time” spent on cryptographic functions with specified ciphers.
13. Effect of Cryptographic Acceleration
Understanding the performance gains for an SSL scenario
Significant performance GAINS can be achieved only using Hardware SSL accelerator.
15. On-chip Crypto Accelerators: Evolution
The UltraSPARC T-Series Processor Family
UltraSPARC T1 – 8 Crypto Accelerators
o 8 Cores with One accelerator per core
o Introduced industry-first on-chip cryptographic accelerators
o Cryptographic accelerators run in parallel with clock-speed
o Introduced “Public-key Encryption” algorithms (ex. RSA)
UltraSPARC T2/T2+ – 8 Crypto Accelerators
o 8 Cores with One accelerator per core
o Introduced support for Bulk-encryption (AES,3DES/DES, RC4)
and Message digests (MD5, SHA-1, SHA-2)
o Introduced support for Elliptic-curve Cryptography (ECC)
UltraSPARC T3 – 16 Crypto Accelerators
o 16 cores with One accelerator per core
o Additional algorithms for Message digests (SHA-512)
o Introduced support for Kasumi algorithm.
17. On-Chip Crypto Accelerators
System Characteristics
Crypto Accelerators operate in parallel with CPU speed
delivering encryption and decryption
Accelerators are shared by all the core’s strands
T1/T2/T2+/T3 provide light-weight accelerator drivers for
Solaris
o /dev/ncp0
o Handles Public-key Encryption Algorithms
o /dev/n2cp0
o Handles Bulk Encryption and Hash algorithms
o /dev/n2rng0
o Handles Random Number Generation
o Communicates via Memory-based Word Queue
o Stateless communication, just fire and forget.
o Consumer is informed when the operation is complete
Access to accelerators are controlled using Solaris
Cryptographic Framework and Kernel Modules
o Using PKCS#11 standard interfaces and Solaris Kernel modules
19. SPARC T-Series – Onchip Crypto
Comparison with Commercial Accelerators/HSMs
6 Crypto Unit
+ = Up to Six Virtual
Machines with Full
Crypto Capability
Six card slots filled
(maximum)
SPARC Enterprise T3-1 16 Crypto Units
= Up to 16 Virtual
Machines with Full
Crypto
All card slots available
2x Capacity
19
20. Accessing On-chip Crypto Accelerators
Operational Characteristics
Access to accelerators are
managed using Solaris
Cryptographic Framework
(SCF).
o SCF acts as an intermediary gateway
between applications and cryptographic
providers.
o Applications use Sun PKCS#11
Provider to access accelerator
o Java Sun-PKCS#11
o OpenSSL PKCS#11 Engine
o NSS/JSS APIs using PKCS11
Solaris Kernel Modules can
directly access accelerators.
o Kernel SSL (KSSL)
o IPSec
21. Sun Cryptographic Accelerator 6000 – PCIe Card
A full-fledged Hardware Security
Module (HSM)
o Secure Key Storage (Escrow and Recovery)
o High-performance cryptographic accelerator
o FIPS-140-3 Compliant
o Supports Solaris SPARC/X64 and Linux
NIST approved cryptographic
algorithms
RSA, DSA, DH, ECC
AES, DES, 3DES
MD5, SHA-1, SHA-512
Intended for Financial and
Government applications where
Secure Key Storage is critical.
o Oracle Advanced Security, Financials, etc.
o PIN and Card Verification Functions
22. SCA 6000 – Usage Scenarios
Tested and Certified for use in FIPS and NON-FIPS modes
o Oracle Database Advanced Security Scenarios
o TDE Master Key Management
o TDE Network Encryption and Acceleration
o Oracle Fusion Middleware (SOA and XML Web Services Security)
o Oracle Web Services Manager (SSL and WS-Security scenarios)
o Oracle WebLogic (SSL and WS-Security scenarios)
24. Solaris Cryptographic Framework
Common framework for
performing /consuming / integrating
cryptographic providers.
o Hardware or Software.
o Kernel or Userland.
o Extensible in order to permit custom functions
o Facilitates PKCS#11 for consumer and
providers
By default, supports major NIST
approved algorithms
o Encryption: AES, Blowfish, RC4, DES, 3DES,
RSA.
o Digests: MD5, SHA-1, SHA-256, SHA-384,
SHA-512.
o MAC: DES MAC, MD5 HMAC, SHA1 HMAC,
SHA-256 HMAC, SHA-384 HMAC, SHA-512
HMAC
o Optimized for SPARC, Intel and AMD
25. Solaris KSSL
Facilitates an SSL Proxy service for applications and performs
SSL operations right in the Solaris Kernel.
o Integrates Solaris Cryptographic Framework and its supporting ciphers.
Makes use of underlying Hardware based Cryptographic
accelerators and Hardware Security Modules (HSM).
o Automatically makes use of cryptographic accelerators for SSL operations, no additional
configuration.
o Use PKCS#11 for supporting HSMs for private key storage.
Non-intrusive SSL configuration, independent of relying
applications.
o Managed via Solaris Service Management Facility (SMF)
Can act as SSL proxy for Non-SSL aware applications that
does not provide PKCS#11 support.
Delivers 25% - 35% faster SSL performance.
26. Using KSSL for Transport-layer Security
Applied Scenario
26
27. End-to-End Transaction Security
Applied Use Cases
HTTP
HTTP HTTP HTTP SQLNET
SSL Oracle Oracle
Web Server Fusion Database
SSL SSL Middleware SSL Server
SSL /
WS-Security Encrypt/
SOAP
Decrypt
SSL /
WS-Security Oracle Archive
Database
• SPARC T3 accelerates Oracle WebLogic SSL and Web
Services Manager 11g (OWSM).
• SSL, WS-Security scenarios
• SPARC T3 accelerates Oracle Transparent Data Encryption
(TDE) operations
27
29. Secure Performance
With and Without Acceleration
^134h>96can#A*IC!
Ajladsf0^HLh3f*&lJ
4704 1234 5678 1594
*NHSD6%lk)+>kjh!1
Without T3 Crypto Assist T3 Crypto Assist Enabled
3.5x Faster
CPU MEM CPU MEM
80% 70% 50% 25%
29
30. Secure Performance
With and Without Acceleration
^134h>96can#A*IC!
4704 1234 5678 1594 Ajladsf0^HLh3f*&lJ
4704 1234 5678 1594
*NHSD6%lk)+>kjh!1
Without T3 Crypto Assist T3 Crypto Assist Enabled
3.5x Faster
CPU MEM CPU MEM
80% 70% 40% 25%
30
31. SPARC Enterprise T-Series
Only Enterprise Server with Built-in Crypto
6 Crypto Unit
+ = Up to Six Virtual
Machines with Full
Crypto Capability
Six card slots filled
(maximum)
SPARC Enterprise T3-1 16 Crypto Units
= Up to 16 Virtual
Machines with Full
Crypto
All card slots available
2x Capacity
31
32. Effect of Accelerated SSL vs No SSL
Weblogic SSL Performance on T3 : Using KSSL vs. JCE vs. No SSL
40. The cost of security
Better TCO with T3 crypto
}
Twice server capacity = half
the footprint
Crypto overhead reduced to
10% from 30%
CPU Latency reduced
by 20X
No add-ons and
introduction of complexity Lower TCO
Simple to administrate
Faster to deploy
40
41. Program Agenda Example
• Our understanding of XYZ <Insert Picture Here>
• Capabilities and value drivers
• Benefits and assessments
• Oracle solutions
• Oracle credentials
• Appendix