[MUD-Dev] strong encryption for authentication

J C Lawrence claw at 2wire.com
Fri Jul 13 19:25:16 CEST 2001


On Thu, 12 Jul 2001 11:56:12 +0100 
Daniel Harman <Daniel.Harman at barclayscapital.com> wrote:

> Just as an aside, the CPU overhead for having many encrypted
> connections probably shouldn't be overlooked. A colleague did
> something similar for a system, and we had to go hardware based to
> keep performance up.

Assuming a standard setup of using public key crypto to securely
exchange secret stream ciphers (ie like SSH, SSL, TLS, etc), the
cost of doing the public key crypto at connection time is roughly
2,5 orders of magnitude more expensive than running the stream
cipher (RC4, RES, triple DES etc).  Thus Rainbow, Nchiper, Nuron
(who I used to work for) etc are particularly popular with
e-commerce sites for HTTPS transactions, which, by their nature,
have high connection rates.  

The primary value those cards offer is offloading the public key
(typically RSA) generation, as the most expensive part of the
transaction.  Several also offer ASIC or FPGA based acceleration for
the streaming cipher more on the that they have spare room on the
die and they might as well put something on thst silicon more than
its great need or presence as a bottleneck.  The fact that the
streaming ciphers generally lend themselves very well to hardware
implementations (versus general purpose CPU instruction sets) just
makes it more attractive (at Nuron for our tests we'd run usually
three RSA cores plues one RC4 and one DES).

MUDs are a little different.  Connection rates are comparatively low
as connections are long lived, and packet rates and volumes are
high.  Crypto acceleration in that space is a different beast.  The
value of offloading the PK work is relatively minor (the reverse of
everyone else), and conversely the streaming cipher is
overwhelmingly interesting.  The main products that are hitting this
space are various networking product groups offering in-line crypto
support for low level network protocols.  eg: routers and NICs that
offload the streaming cipher work for IPSec.

Aside: Crytped communications use will rapidly approach and then
pass non-crypted communications in both data volume and numbers of
users as and when IPv6 is widely deployed.  The temptations (and
business justifications) to use ad-hoc IPSec VLANs/VPNs on a
per-application/per-use basis are already pushing that way, PKI
infrastructure problems or no.

--
J C Lawrence                               ("`-''-/").___..--''"`-._         
---------(*)                                 `6_ 6  )   `-.  (     ).`-.__.`)
claw at kanga.nu                               (_Y_.)'  ._   )  `._ `. ``-..-'  
http://www.kanga.nu/~claw/                _..`--'_..-_/  /--'_.' ,'         
I never claimed I was human             (il),-''  (li),'  ((!.-'           
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev



More information about the mud-dev-archive mailing list