Conventionally employed computer systems commonly use both a Transmission Control Protocol (TCP) and an Internet Protocol (IP) processing layer to facilitate the transmission and receipt of data over a network system. Further, Network Interface Cards (NICs) are commonly used to enable computers to connect to a network. With the steadily increasing volume and rates of data transfer, processing at the TCP/IP layers can burden a system. To address this issue, network interface cards (NICs) have been designed that are capable of processing TCP protocol in hardware (i.e., TNICs). Using TNICs, the processing of message streams can be offloaded onto the TCP/IP layers of the TNIC, resulting in a reduced processing burden on the CPU of a system.
When secure data is exchanged over a network system, secure protocols, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), are used to secure web traffic. SSL and TLS make extensive use of encryption to secure the traffic exchanged between two peers in a network system. Communication through SSL/TLS can be divided into two phases: a handshake phase followed by a data transfer phase. During the handshake phase, one peer authenticates with the other peer and exchanges cryptographic keys using public-key cryptography. During the data exchange phase, the peers use the keys to encrypt the traffic to be exchanged between them.
Cryptographic operations using public and private keys are typically compute intensive operations. In order to alleviate the host from performing such operations, cryptographic hardware accelerators are often used to perform cryptographic operations. Typically, cryptographic hardware accelerators are implemented using a proxy or an accelerator card. If a proxy is used, the proxy performs both the SSL/TLS processing as well as the cryptographic processing. Specifically, the proxy communicates with the remote hosts using the SSL/TLS protocols on one side, and the hosts with non-encrypted traffic on the other side. The proxy implements a TCP/IP stack, SSL/TLS functionality, as well as cryptographic hardware capabilities. A proxy can be implemented as a standalone machine, part of a router or switch, or as a add-on card that plugs into a host computer. In a proxy implementation of a cryptographic hardware accelerator, the information carried as part of the original SSL/TLS data becomes unavailable upon reaching the host software that acts on the non-encrypted traffic.
Alternatively, an accelerator card is an add-on card that plugs into a host computer through an input/output (I/O) bus (e.g., peripheral component interconnect (PCI) bus). The SSL/TLS protocol is implemented by the software executing on the host computer, and the cryptographic operations are performed in hardware by the accelerator card. The software component that implements the SSL/TLS protocol typically invokes the cryptographic hardware using e.g., a library, a framework, etc. Because the host software implements the SSL/TLS protocols when using an accelerator card, the SSL/TLS data crosses the 10 bus several times when the data is encrypted or decrypted. For example, when encrypted data is received, the data has to cross the bus once to go from the NIC (or TNIC) to the host memory, to go from the host memory to the accelerator card, and again to go from the accelerator card to host memory in decrypted form.