Conventional computer systems use a Transmission Control Protocol (TCP) processing layer and an Internet Protocol (IP) processing layer to transmit and receive data over a network, and they connect to that network through a Network Interface Card (NIC). As data volumes and transfer rates have steadily increased, processing in the TCP/IP layers has become a significant burden on the host. To address this issue, NICs have been designed that process the TCP protocol in hardware (TCP offload NICs, or TNICs). With a TNIC, the processing of message streams is offloaded onto the TCP/IP layers implemented in the TNIC, reducing the processing burden on the CPU of the host system.
When sensitive data is exchanged over a network, secure protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are used to protect web traffic. SSL and TLS make extensive use of cryptography to secure the traffic exchanged between two peers. Communication over SSL/TLS can be divided into two phases: a handshake phase followed by a data transfer phase. During the handshake phase, one peer authenticates to the other and the two peers establish shared session keys using public-key cryptography. The messages exchanged between the peers during the handshake phase generate overhead such as system calls, input/output traffic across the host bus, and interrupts. During the data transfer phase, the peers use the established session keys to encrypt the traffic exchanged between them, using symmetric cryptography rather than the public-key operations of the handshake.
The cryptographic operations performed during the handshake phase using public and private keys are typically compute-intensive. To relieve the host of these operations, cryptographic hardware accelerators are often used. Typically, a cryptographic hardware accelerator is implemented either as a proxy or as an accelerator card. If a proxy is used, the proxy performs both the SSL/TLS protocol processing and the cryptographic processing: it communicates with the remote hosts using SSL/TLS on one side, and with the local hosts using non-encrypted traffic on the other side. The proxy therefore implements a TCP/IP stack, SSL/TLS functionality, and cryptographic hardware capabilities. A proxy can be implemented as a standalone machine, as part of a router or switch, or as an add-on card that plugs into a host computer. In a proxy implementation of a cryptographic hardware accelerator, the information carried as part of the original SSL/TLS session (for example, which peer was authenticated or which cipher suite was negotiated) is no longer available to the host software, which acts only on the non-encrypted traffic.
Alternatively, an accelerator card is an add-on card that plugs into the host computer through an input/output bus (e.g., a PCI bus). In this arrangement the SSL/TLS protocol is implemented by software running on the host computer, and the cryptographic operations are performed in hardware by the accelerator card. The software component that implements the SSL/TLS protocol typically invokes the cryptographic hardware through a library or framework. Because the host software implements the SSL/TLS protocol when an accelerator card is used, the SSL/TLS data crosses the I/O bus several times during the key exchange portion of the handshake phase: each public-key operation sends its operands to the card and returns its result to the host.
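The two-phase structure of an SSL/TLS session described above, and the host-bus traffic that an accelerator card adds during the handshake but not during data transfer, modelled in a short Python program. This is an added example, not code from this application or from any product it describes. It assumes a simulated AcceleratorCard class that counts bus crossings, a deliberately small constructed Diffie-Hellman group, and a toy HMAC-based record cipher standing in for a real cipher suite; only the HKDF key derivation follows a published standard (RFC 5869).

```python
# Added example: two-phase SSL/TLS-style session with a simulated accelerator
# card.  The DH group, record cipher and bus accounting are all constructed.
import hashlib
import hmac
import secrets

# Constructed demo group: p = 2**127 - 1 (a Mersenne prime), generator 2.
# Far too small for real use; it only keeps the arithmetic readable.
DEMO_P = (1 << 127) - 1
DEMO_G = 2
TAG_LEN = 32  # HMAC-SHA256 tag appended to each protected record


class AcceleratorCard:
    """Simulated add-on card: does the modular exponentiation in 'hardware'
    and counts host-bus crossings (operands in, result out) for each call."""

    def __init__(self):
        self.bus_crossings = 0

    def modexp(self, base, exp, mod):
        self.bus_crossings += 2      # request crosses in, result crosses out
        return pow(base, exp, mod)


def hkdf_sha256(secret, salt, info, length):
    """HKDF extract-then-expand (RFC 5869) with SHA-256."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class Peer:
    """One endpoint: host software runs the protocol, the card runs the math."""

    def __init__(self, card):
        self.card = card
        self.priv = secrets.randbelow(DEMO_P - 2) + 1   # ephemeral DH exponent
        self.keys = None                                # (enc_key, mac_key)

    def public_value(self):
        """Handshake step 1: g^priv mod p, computed on the card."""
        return self.card.modexp(DEMO_G, self.priv, DEMO_P)

    def finish_handshake(self, peer_public):
        """Handshake step 2: shared secret on the card, then key derivation
        in host software (the symmetric work stays on the host)."""
        shared = self.card.modexp(peer_public, self.priv, DEMO_P)
        km = hkdf_sha256(shared.to_bytes(16, "big"), b"demo salt", b"traffic keys", 64)
        self.keys = (km[:32], km[32:])


def protect_record(keys, seq, plaintext):
    """Toy record layer: HMAC-derived keystream XOR plus a MAC over seq||ct.
    A real record layer uses an AEAD such as AES-GCM; the shape is the same."""
    enc_key, mac_key = keys
    seq_bytes = seq.to_bytes(8, "big")
    stream = hkdf_sha256(enc_key, b"stream", seq_bytes, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, seq_bytes + ct, hashlib.sha256).digest()
    return ct + tag


def unprotect_record(keys, seq, record):
    """Verify the MAC in constant time before decrypting; None on failure."""
    enc_key, mac_key = keys
    if len(record) < TAG_LEN:
        return None
    seq_bytes = seq.to_bytes(8, "big")
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, seq_bytes + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hkdf_sha256(enc_key, b"stream", seq_bytes, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def run_session(messages):
    """Run a handshake over two simulated cards, then transfer `messages`
    from client to server; return what arrived and the bus accounting."""
    client, server = Peer(AcceleratorCard()), Peer(AcceleratorCard())
    # Handshake phase: public-key work, every operation is a trip over the bus.
    client_pub, server_pub = client.public_value(), server.public_value()
    client.finish_handshake(server_pub)
    server.finish_handshake(client_pub)
    handshake_crossings = client.card.bus_crossings
    # Data transfer phase: symmetric only, so the card is never touched again.
    received = [unprotect_record(server.keys, seq, protect_record(client.keys, seq, m))
                for seq, m in enumerate(messages)]
    return {
        "keys_match": client.keys == server.keys,
        "received": received,
        "handshake_crossings": handshake_crossings,
        "data_phase_crossings": client.card.bus_crossings - handshake_crossings,
    }
```

Calling run_session with a few constructed records shows the asymmetry the paragraphs above describe: each card is crossed four times during the handshake (two modular exponentiations, each with operands in and result out) and not at all during the data transfer phase. The record layer also illustrates the check a practitioner expects there: the MAC is compared in constant time and a record is rejected, rather than decrypted, when its tag or sequence number does not match.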