There are several known security protocols for use in data networks. For example Secure Sockets Layer (SSL) developed originally by Netscape (trademark) has become widely accepted in the World Wide Web for encrypted and authenticated data communications between a client and server. The Internet Engineering Task Force (IETF) standard Transport Layer Security (TLS) is based upon SSL.
The SSL/TLS protocol runs above the TCP/IP layer in the protocol stack, but below higher level application protocols such as HTTP (Hypertext Transport Protocol), IMAP (Internet Messaging Access Protocol) and so on. The SSL/TLS protocol establishes a secure connection between a client and a server, allowing optionally the client to authenticate itself to the server and the server to authenticate itself to the client and to establish a secured connection.
Like other security protocols, the SSL/TLS protocol includes a secured key exchange process. This is known as a handshake in SSL/TLS. During a handshake, a client sends a pre-master secret encrypted by the server's public key. The server is required to perform the corresponding private key decryption to retrieve the pre-master secret. Private key decryption (e.g. RSA in SSL/TLS) is extremely CPU intensive. This operation has been measured to cost more than 70% of the CPU cycles required for an entire handshake.
This problem has spurred the introduction of many SSL/TLS accelerators in the market. A proxy approach is taken where an intermediate box/switch (between a client and a server) will act as an accelerator and a virtual server. This virtual server terminates SSL/TLS and sends the corresponding data in clear to the destined server—the real server.
As data security becomes a priority, clear data in the intranet is not acceptable to industries such as the government and the financial sectors. As such, accelerator vendors address the data security requirement by securing the data connection between an accelerator and a server.
Effectively, this doubles the resource requirements at an accelerator—for each client connection, an accelerator has to decrypt and re-encrypt all payload. In addition, there are two handshakes for the connection—one between the client and the virtual server and another between the virtual server and the real server. Although some accelerators reuse the connection between the virtual server and the real server as a performance enhancement, decryption and re-encryption of the payload is still required at the virtual server.