In response to my question "Anyone know of an SSL encryption chip for
Suns?" I received quite a few speedy replies.
Thanks go out to:
Jason K. Schechner <firstname.lastname@example.org>
Joel Lee <Joel.Lee@avnet.com>
pat eyler <email@example.com>
Johnie Stafford <firstname.lastname@example.org>
Richard Bond <email@example.com>
Ronald Loftin <firstname.lastname@example.org>
Al Hopper <email@example.com>
Harvey Wamboldt <firstname.lastname@example.org>
Victor Churchill <email@example.com>
Riccardo Veraldi <Riccardo.Veraldi@bo.infn.it>
Joe Thykattil <firstname.lastname@example.org>
Harvey Wamboldt suggested some alternatives for doing SSL encryption:
Their "CryptoSwift PCI" product reportedly has Solaris support. They
do sell chips as well (FastMAP). [FastMAP is the basis of HP's new
Speed Card Crypto Accelerator].
If you are only looking for a chip, you could try HiFn:
Their chips are used in several commercial products.
Then there's NCipher:
They sell PCI and SCSI based products.
I'm certain a more thorough search would turn up more choices.
Hope this is useful,
Jason Schechner also likes Ncipher:
We're running Ncipher SSL accelerators in our Sparcs and they seem
to work pretty well. They're available as a PCI card or as a SCSI device.
Check www.ncipher.com for more detail.
Al Hopper suggested a box from Intel:
The only product that I know of is a stand alone box that Intel sells.
This is independent of the machine you use for your http server and avoids
the complexity of configuring Apache for SSL operation.
Let me know if you find any other alternatives.
Richard Loftin suggested a CPU upgrade:
You probably won't find the chip you're looking for, but for the issue you
describe, I'd suggest considering a CPU upgrade for the machine. Apart from
the raw speed increase, the faster Ultra-II<mumble> CPUs come with more
cache than what you have now, which should help your SSL performance.
Riccardo Veraldi discussed some security issues:
Are you sure that these chips you heard about can implement all the
standard Secure Socket Layer protocol features? Including also SHA1 and
3DES? Anyway look that SSL does not implement the strongest ever
cryptography algorithm. For example SSL does not use RSA, it uses instead
triple DES as the strongest algorithm. If you have very important data to
protect maybe you want to use something stronger than SSL even if for many
purposes SSL is strong enough.
SSL implements various levels of cryptography, these levels start from a
stronger one which uses triple DES and SHA1 hashing function, but it also
implements weaker but faster crypto systems such as standard DES and MD5
hashing function. Look that MD5 anyway has been hacked on May 96.
Anyway I am not sure if a chip can implement inside all the SSL features
which are many, and after all I think it is not an easy thing to interface
a chip like that with an operating system, I mean there is some work to do
Joe Thykattil discussed tuning Solaris for a web server:
The hardware should be more than enough and I'm assuming that you've
either taken sar or iostat data to verify.
Assuming above is true, I would check into DNS response times. Other
items you may want to tune kernel parameters, for example /dev/tcp
tcp_close_wait_interval. There are some resources on the web for tuning
Solaris for web servers.
Of course I could be totally off...but hey, it's just a hint.
Hope that helps.
Thanks for the responses. We're looking into Rainbow and NCipher.
Thanks again for the excellent answers that put us in the right direction...
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:05 CDT