The information age has radically changed the way companies do business. Over the last two decades, networks have continually expanded through wide area network (WAN) to WAN connections and Internet-based network extensions, such as portals and corporate Web sites. Companies have implemented private networks to securely communicate with key partners, with customers worldwide via e-commerce sites, and with employees accessing corporate data across local area networks (LANs), WANs, and remote access connections. As a result, companies must ensure the security of ever-expanding network boundaries. At the same time, Information Technology departments need security implementations that do not slow down system throughput (see Enhanced Cryptography for Enhanced Security, Sun® Microsystems, 2003).
One approach to creating secure network communication involves cryptography, where data is scrambled, or encrypted, for secure transfer across the network. Cryptography can be employed, for example, using the IPsec (Internet Protocol Security) protocol to securely transfer data between computers across the network. Cryptography is also commonly employed using the SSL (Secure Sockets Layer) protocol to encrypt web-based traffic, such as data sent over e-commerce sites, portals, or secure mail servers.
The software-based cryptographic mechanisms (e.g., MD5, 3DES) used in conjunction with the aforementioned protocols (e.g., SSL) are typically implemented within applications (at both the user level and the kernel level), each using an internal implementation of the cryptographic mechanisms that the application or kernel module supports.
While cryptography can help increase the security of communications across a network, it can unfortunately degrade the performance of secure applications, because compute-intensive cryptographic operations, such as those used in SSL session establishment and bulk encryption/decryption, use software-based cryptographic mechanisms. One method of countering this effect is to off-load cryptographic functions from the system processor to specialized hardware devices (i.e., hardware cryptographic accelerators).