Task #659

Sun Crypto Accelerator Research

Added by Tan Lee Yong almost 14 years ago. Updated almost 14 years ago.

Status: Development / Work In Progress
Start date: December 01, 2010
Priority: Normal
Due date: December 24, 2010
Assignee: Wijayanti Nitya
% Done: 20%
Category: -
Spent time: 8.00 hours
Target version: -

Description

I have already been researching the Sun Crypto Accelerator for the last few days. From my understanding, it is a PCI Express adapter that can be used to accelerate SSL (Secure Sockets Layer) cryptographic functions.

For hashing, it supports HMAC-SHA-1, SHA1 and MD5.
For encryption, it performs bulk encryption and asymmetric encryption. The algorithms are RSA (for asymmetric encryption), Triple DES and AES. For the key-exchange algorithm, it uses DH (Diffie-Hellman).

And I've found a useful link about this product:

product overview and specifications

History

#1 Updated by Tan Lee Yong almost 14 years ago

Please continue the research based on the comment below:
The next step is: can you figure out how to do SHA-1 using the Sun Crypto Accelerator? Is there a jar file to use? Do we need to buy the card for testing? Or is there a simulator to use for development?

#2 Updated by Wijayanti Nitya almost 14 years ago

  • % Done changed from 0 to 10

How to do SHA-1 using Sun Crypto Accelerator:
----------------------------------------------------------------
- The concept is that the board/card acts as a Cryptographic Service Provider to the Oracle Solaris Cryptographic Framework, allowing applications to access the board's functionality with PKCS#11, OpenSSL, and Java (J2SE).
ref: [[http://docs.sun.com/source/819-5536-12/1_overview.html]]

- The Java Security API works as a bridge between the user application and the Cryptographic Service Provider (the card).
Therefore the flow is:
Sun Crypto Accelerator (as Cryptographic Service Provider) - java SecurityAPI - user application

- Because it acts as Cryptographic Service Provider, it will provide a package (or a set of packages) that supplies a concrete implementation of a subset of the cryptography aspects of the Security API.
ref: [[http://download.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html]]
It also includes an implementation of SHA-1.

- We can create an object from MessageDigest class and call the method:
MessageDigest.getInstance("SHA-1")
ref: [[http://download.oracle.com/javase/1.4.2/docs/guide/security/CryptoSpec.html#MessageDigest]]

- However, I need to research more on how to relate this card to the Java Security API, because there are some configurations when installing this card into different web servers.

#3 Updated by Wijayanti Nitya almost 14 years ago

simulator for Sun Crypto Accelerator 6000?
------------------------------------------
I've found that there is no simulator provided for this card. To test it, we need to have the card and plug it into the slot, then do the configuration as described in this user manual:
[[http://docs.sun.com/source/819-5536-12/2_install.html]]

notes:
-----
Need to understand the Oracle Solaris Cryptographic Framework. Brief information can be read here:
[[http://docs.sun.com/app/docs/doc/816-4863/chapter1-1?l=en&a=view]]

#4 Updated by Wijayanti Nitya almost 14 years ago

  • % Done changed from 10 to 20

How to do SHA-1 using Sun Crypto Accelerator 6000 (continued)
---------------------------------------------------------------------

------------------------------------------------
OS, WebServer and software requirements:
------------------------------------------------
1. Determine which operating system we use, because different OSes will have different configurations when installing this card.
Are we using:
- Oracle Solaris 10 operating system ?
- Red Hat Linux 4.0 and SUSE Linux 9.x ?

2. Determine our web server environment, because different web servers will have different platforms to access the card and perform cryptographic/hashing functions.
Are we using:
- Sun Java Enterprise Web Server / other Sun Java Enterprise software ?
(we can implement Solaris Encryption Framework, PKCS#11)
- Apache Web server ?
(we can use openSSL dynamic linking support)

Note: because we use Linux and Apache Web Server environments in the office, I will put more emphasis on the requirements/tools that we will need to perform SHA-1 hashing in the above environments.

3. If we use the Linux platform, we'll need:
- openCryptoki 2.2.2-rc6 software.
The Sun Crypto Accelerator 6000 board uses openCryptoki as the interface for PKCS#11 applications.
openCryptoki provides user level interface that allows selecting specific cryptographic providers.
The openCryptoki software is used as the PKCS#11 framework.

4. If we use Apache Web server installed on the Linux platform, we'll need to:
- Prepare the OpenSSL libraries,
- Enable PKCS#11 for OpenSSL

5. Now that we have OpenSSL with PKCS#11 enabled, we can do the SHA-1 hashing function. The details can be found here:
[[http://www.openssl.org/docs/crypto/sha.html#SYNOPSIS]]

------------------------------------------------------------------------------
Sun Crypto Accelerator 6000 card in Java application environment
------------------------------------------------------------------------------
- According to the product specification, Sun Crypto Accelerator 6000 does support Java 1.5 APIs.
- This means that we can do the cryptographic functions provided in the Java Security API, including SHA-1, while using this card.
- Therefore, from my understanding, we don't need to add other jar files because the MessageDigest class (to perform SHA-1) is already included in the java.security package.
- The main function of Sun Crypto Accelerator is to act as an accelerator that offloads SSL functions and bulk encryption from host processors. The card is used to operate and store cryptographic keys, because it has a secure key store.
- Therefore, to perform the hashing function, we need a cryptographic framework that is supported by this card (PKCS#11, OpenSSL, or the Java Security API).
- However, if we want to use this card in a Java environment, we need to fulfill the requirements. Based on the specifications/requirements, we need to use Sun Java Enterprise Web Server. If we use Apache Web server, we need to use OpenSSL binaries.

Note: please let me know whether or not I am on the right track, because I may have some misconceptions.
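
Added example, not part of the original comments or of Sun's documentation: a Java check for the `MessageDigest.getInstance("SHA-1")` call in update #2 and the java.security discussion in update #4. It lists the installed providers that offer SHA-1, runs the FIPS 180 "abc" known-answer test against each, and reports which provider an application gets by default. The provider name `SunPKCS11-Solaris` is an assumption about how the JDK's PKCS#11 bridge is registered on the Solaris 10 host.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;

public class Sha1ProviderCheck {
    // Assumption: name under which the JDK registers its PKCS#11 bridge on Solaris 10.
    static final String PKCS11_PROVIDER = "SunPKCS11-Solaris";
    // Known-answer vector for SHA-1("abc") from FIPS 180.
    static final String ABC_SHA1 = "a9993e364706816aba3e25717850c26c9cd0d89d";

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (int i = 0; i < bytes.length; i++) {
            sb.append(String.format("%02x", Integer.valueOf(bytes[i] & 0xff)));
        }
        return sb.toString();
    }

    // Digest "abc" with one specific provider and compare against the known answer.
    static boolean selfTest(Provider p) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1", p);
        return ABC_SHA1.equals(hex(md.digest("abc".getBytes("US-ASCII"))));
    }

    public static void main(String[] args) throws Exception {
        // Providers offering SHA-1, in the preference order set in java.security.
        Provider[] offering = Security.getProviders("MessageDigest.SHA-1");
        if (offering == null) {
            System.out.println("no installed provider offers SHA-1");
            return;
        }
        for (int i = 0; i < offering.length; i++) {
            System.out.println((i + 1) + ". " + offering[i].getName()
                    + " self-test=" + selfTest(offering[i]));
        }

        // What an application gets when it does not name a provider.
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        String used = md.getProvider().getName();
        System.out.println("default SHA-1 provider: " + used);

        // Flag the case where the digest is computed by a software provider instead.
        if (!PKCS11_PROVIDER.equals(used)) {
            System.out.println("WARNING: SHA-1 is not served by " + PKCS11_PROVIDER
                    + "; check the provider order in java.security");
        }
    }
}
```

A match shows only that the digest went through the PKCS#11 bridge; which slot behind it (the card or a software token) performs the operation is decided by the Solaris Cryptographic Framework configuration.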

#5 Updated by Tan Lee Yong almost 14 years ago

Targeted OS: Sun Solaris 10. JDK: 5 or 6.
I think you have done enough research on this. You can put this on hold and continue to complete your messagebox task.
Thanks.
