Companies often employ data security techniques with computer networks to maintain privacy and integrity of the data traveling through such networks. Such data travels via a variety of physical paths and transmission mediums from sources to destinations. As the network transmissions travel from the source to the destination, they are subject to a variety of security threats. Such threats include loss of privacy, loss of data integrity, identity spoofing, and denial of service, to name several. Other threats are present and known to those skilled in the art.
Such threats may compromise the data traveling through the network in various ways. For example, a loss of privacy attack may involve a fairly simple “sniffer” application running on a node through which data travels. The sniffer reads the information in a noninvasive manner and is undetectable to the sender and the receiver. Another example is an integrity attack, in which an intruder modifies someone else's data traveling through a network (e.g., altering a balance amount in a bank deposit transaction). This type of attack differs from a privacy attack because, although a user might not care if their transaction is known, the user probably would not want others to be able to modify the transaction. Yet another example is an authentication attack, which deals with identity spoofing, or altering the apparent sender or receiver of a transaction. Unauthorized Internet use of a credit card represents a typical authentication attack, in which an imposter purports to be the true holder of the card.
There are a variety of conventional methods for implementing security techniques to guard against security threats. Typical methods include applying cryptographic operations such as encryption and authentication to the data. A user may apply a variety of cryptographic operations, also known as ciphers, to the data. A user selects a cipher based on several factors, including the type of transmission protocol, the perceived security threat and its type, the processing power available for cryptographic operations, and the data throughput performance desired. Each of the ciphers has encryption variables that affect these factors. The variables include the number of encryption bits (key size), the number of authentication bits, whether the communications use symmetric or public keys, and whether the cipher is acceptable based on legal and/or practical criteria such as export laws, technical interoperability, and other legal requirements concerning the use of cryptographic ciphers.
In general, the cryptographic operations involve applying mathematical convolutions to the data to render it in an encrypted form. The encrypted form (ciphertext, or “black” data) protects against security attacks, unlike the non-encrypted form, also called plaintext, or “red” data, which is readable by the casual observer. In a cryptographic operation, the sender applies a mathematical cryptographic function to the data to generate the ciphertext and transmits the ciphertext, and the receiver applies the inverse cryptographic function to recover the plaintext. Such use of ciphertext data protects communications from such security attacks.
The encryption operations typically employ mathematically intensive computations using keys, or predetermined numerical values selected according to the cipher. Such encryption operations include, for example, one-way trap door functions that involve factoring large prime numbers. The security of the encryption rests on the notion that substantial computational resources are required to decrypt, or compute the inverse cryptographic function, without the key. Accordingly, an attacker finds it computationally infeasible to intercept and decrypt a message (e.g. “crack the code”) without the key. Note that encryption and authentication involve similar operations. However, a user typically employs encryption to represent data in an unintelligible form to protect confidentiality (privacy attack), while a user typically employs authentication to verify integrity, i.e. ensuring sender identity and that the data has not been modified. Accordingly, “encryption” refers to cryptographic functions which a user employs for encoding transmitted data for security reasons such as encryption or authentication, or both.
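The distinction drawn above between authentication (integrity, sender identity) and encryption (confidentiality) can be made concrete with a keyed message authentication code. The following Python example is added here and is not part of the original text; it uses the standard-library `hmac` and `hashlib` modules, a constructed shared key and a constructed bank-deposit message modelled on the integrity attack described earlier. It shows that a receiver holding the key detects an in-transit modification of the amount, and that the number of authentication bits (the truncated tag length) is a tunable variable, while the message itself remains readable to a sniffer because authentication alone provides no privacy.

```python
import hashlib
import hmac

# Constructed sample values (not from the original text).
SHARED_KEY = b"constructed-shared-key-for-demo"
TRANSACTION = b"deposit account=12345 amount=100.00"


def make_tag(key: bytes, data: bytes, tag_bytes: int = 32) -> bytes:
    """Authentication tag: HMAC-SHA-256 over the data, truncated to tag_bytes.

    tag_bytes * 8 is the 'number of authentication bits' variable; 32 bytes
    keeps the full 256-bit output, smaller values trade strength for size.
    """
    return hmac.new(key, data, hashlib.sha256).digest()[:tag_bytes]


def send(key: bytes, data: bytes, tag_bytes: int = 32) -> bytes:
    """Sender side: append the hex-encoded tag after a '|' separator."""
    return data + b"|" + make_tag(key, data, tag_bytes).hex().encode()


def receive(key: bytes, wire: bytes, tag_bytes: int = 32):
    """Receiver side: return the data if the tag verifies, else None.

    hmac.compare_digest is used so that the comparison time does not depend on
    how many leading tag bytes happen to match.
    """
    data, sep, tag_hex = wire.rpartition(b"|")
    if not sep:
        return None
    try:
        got = bytes.fromhex(tag_hex.decode("ascii"))
    except ValueError:
        return None
    expected = make_tag(key, data, tag_bytes)
    if len(got) != len(expected) or not hmac.compare_digest(expected, got):
        return None
    return data


def modify_in_transit(wire: bytes) -> bytes:
    """Models the integrity attack from the text: the amount is rewritten on the
    path. The tag was computed over the original data, so it no longer matches."""
    return wire.replace(b"amount=100.00", b"amount=900.00")


def readable_to_sniffer(wire: bytes) -> bool:
    """Authentication alone leaves the plaintext visible to a passive observer."""
    return wire.startswith(b"deposit account=")


if __name__ == "__main__":
    wire = send(SHARED_KEY, TRANSACTION)
    print("unmodified:", receive(SHARED_KEY, wire))
    print("modified  :", receive(SHARED_KEY, modify_in_transit(wire)))
    print("sniffable :", readable_to_sniffer(wire))
```

Truncating the tag (for example `tag_bytes=8` for 64 authentication bits) shortens every message but lowers the work an attacker needs to forge a tag; the text's point is that this, like key size, is a variable chosen against the threat and the throughput required.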
An encryption key has a certain number of bits. Generally, a larger key having a greater number of bits provides stronger security, but also imposes a more computationally intensive encryption operation, therefore reducing throughput due to overhead. Accordingly, encryption ciphers typically specify encryption variables including the number of bits. The user specifies an encryption medium having an appropriate level of security by selecting the number of bits based on the threat of attack and the computation resources available, as well as the throughput requirements. Because of the computationally expensive nature of such encryption operations, the computing resources available are often a limiting factor in the degree of security that the specified encryption medium applies to a given connection while still maintaining required throughput.
One conventional approach employs a Secure Socket Layer (SSL) protocol to define a secure connection. SSL defines a mechanism to specify and coordinate encryption ciphers and the associated encryption variables for a secure connection between users. A user employs SSL via a handshaking exchange that computes a session key to be employed for encryption functions for the duration of the connection. However, SSL operations impose throughput constraints because of the computationally intensive nature of the encryption. Specifically, the SSL handshake requires substantial processing to set up the SSL connection. Further, the endpoint computing devices perform the SSL handshake between each pair of users employing a connection, imposing the SSL setup/teardown for each end-to-end connection between users.
Other conventional methods include IPsec/IPv4. IPsec, however, implements security at the network level (layer 3) of the OSI model. SSL, on the contrary, is implemented above the layer 4 (session) level. While both approaches are aimed at preventing the content of the payload from being intercepted by a non-terminating device, SSL remains more content oriented. In other words, IPsec-based security generally will not invade the content corresponding to the upper layers, while SSL will generally prevent content routing and content switching products from recognizing items such as URL strings, cookies, and other strings in the TCP/IP payload of datagrams.
One conventional approach attempts to offload SSL security overhead onto an alternate device. Such SSL offloaders typically break the TCP/IP connection from an initiating client to an intended receiver, decrypt the data in the offloader, and retransmit the data to the intended recipient. However, this conventional approach generates a separate connection from the SSL offloader itself to the intended recipient. The new connection appears to the intended receiver as a connection from the SSL offloader, not as a connection from the client (or server) node that initiated the connection to the SSL offloader. Further, conventional approaches delegate SSL termination only, and are not concerned with a mechanism to implement security from the SSL offloader to the intended recipient. One conventional device that operates in a manner similar to that described above is the SSL-Rx family of SSL Accelerators, marketed commercially by Sonicwall, Inc., of Sunnyvale, Calif.
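The connection-breaking behaviour described above, in which the intended recipient sees a connection from the offloader rather than from the originating client, can be observed directly with sockets. The following Python example is added here and is not the code of any product named in the text; it uses only the standard-library `socket` and `threading` modules on the loopback interface, with ports chosen by the OS. A stand-in "offloader" accepts the client's TCP connection, takes the payload (where SSL decryption would occur; plain bytes stand in for the decrypted data), opens a second, separate TCP connection to a stand-in backend and relays the request and reply. The backend records the peer address it observes, which is the offloader's outbound socket, not the client's.

```python
import socket
import threading

# Constructed sample request (not from the original text).
REQUEST = b"GET / HTTP/1.0\r\n\r\n"


def _listen() -> socket.socket:
    """Listening TCP socket on loopback; port 0 lets the OS pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def run_offload_demo() -> dict:
    """Run client -> offloader -> backend on loopback and return what each side saw."""
    backend = _listen()
    offloader = _listen()
    seen = {}

    def backend_thread():
        # The intended recipient: it only ever sees the second connection.
        conn, peer = backend.accept()
        seen["backend_peer"] = peer
        seen["backend_got"] = conn.recv(1024)
        conn.sendall(b"ack")
        conn.close()

    def offloader_thread():
        # Terminates the client's connection, then re-originates a new one.
        conn, peer = offloader.accept()
        seen["offloader_peer"] = peer          # the real client
        data = conn.recv(1024)                 # decryption would happen here
        out = socket.create_connection(backend.getsockname())
        seen["offloader_outbound"] = out.getsockname()
        out.sendall(data)                      # second hop carries plain data
        conn.sendall(out.recv(1024))
        out.close()
        conn.close()

    threads = [threading.Thread(target=backend_thread),
               threading.Thread(target=offloader_thread)]
    for t in threads:
        t.start()

    client = socket.create_connection(offloader.getsockname())
    seen["client_local"] = client.getsockname()
    client.sendall(REQUEST)
    seen["client_reply"] = client.recv(1024)
    client.close()

    for t in threads:
        t.join(timeout=5)
    backend.close()
    offloader.close()
    return seen


if __name__ == "__main__":
    for k, v in run_offload_demo().items():
        print(f"{k:18} {v!r}")
```

The returned dictionary makes the two points of the paragraph checkable: `backend_peer` equals `offloader_outbound` and differs from `client_local`, so the backend cannot attribute the connection to the client by address alone, and the second hop (`offloader_outbound` to the backend) carries the payload without any protection of its own unless a separate mechanism secures it.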