Is Hardware-Based Encryption Dead Yet?

DoomDoom writes: "OK, been checking out some of the h/w encryption stuff. Liked Intel's dual purpose card. But just wondering if this PA SEC 100 card has any purpose. I mean , this baby costs around $2k+ and will probably sit in a server with 2 or more CPUs (Pentium III or above). So why even bother with hardware encryption? I mean in the era of Pentium IV etc. powered servers, does it even make sense to have hardware based encryption cards?" Maybe another way to think of this question is "Are encryption-breaking schemes advancing faster than the processing power you're able to spare from your server's primary job?" If so, even a few thousand dollars may be a worthwhile investment. Any thoughts from those who've chosen (or avoided) in-hardware encryption?

Short answer: NO

[Anonymous Coward]

Hardware based encryption is not dead, nor is it expected to die anytime soon.

Examine the trend of banking to extend secure transactions to your internet connection, An HP-UX server with SSL hardware can handle 100's of thousands simultaneous SSL connections/second at less than 80% CPU load. Remove the hardware and the reliable SSL connection rate drops to less 10% of the hardward based SSL connections with a maxed out CPU.

Examine the case for VPN solutions. A software only vpn box (Checkpoint VPN-1 on NT) maxes out high end Intel server class machines with more than 80% cpu load when 500 VPN connections are going. Adding a Luna vpn card [chrysalisits.com] extends that to thousands of connections at less than 20% cpu load.

All numbers here are from a production lab environment. YMWV (Your Mileage WILL Vary).

Hardware-Based Encryption not dead yet.

[the cleaner]

there are still a couple of hardware-crypto-boosters out there. when using ssl-secured web-transactions, the big deal is calculationg the session key through asymmetric encrytion. the session itself is encrypted with this key then (symmetric encryption). without hardware-booster a typical webserver (eg. sun e250) manages to do around 30-40 sessions per second. the hardware boxes make it do 300 transactions / second / box (yes, you can use several boxes in one server). check out http://www.ncipher.com or http://www.rainbow.com or reply to olaf@thormaehlen.net

crypto in hardware is just takeing off

[johnjones]

do you remeber the DEC minis ?

why do that when you had a mainframe ?

(yeah yeah cost but look @ the convenice as well such as haveing one in the office instead of paying for phone lines to connect)

most crpto cards have assureances that they cant be pheaked (they enclose it to some degree in in a faraday cage) but lets face it its lame

the main reason is you have crypto for everything so instead of just a few keys this becomes the workload of the PC now it pays to have speailized hardware just like it pays to have nice graphics

AES is quite intensive and I am waiting for good implementations of this to come out (DES sucks in my eyes)

Serpent is nice as well

hey you are in the US where they dont even do ANY crpto on your phones let alone weak so its a start

phones and PDA's are where most crpto hardware will end up IHO

regards

john jones

Re:other markets

[Bryan Andersen]

OpenBSD allows you to encrypt the swap disk if you so desire. Not perfect, but better. After all your data is still unencrypted in memory. Any root process could peak at it.

In my opinion the HW crypto card is there to both speed things up and provide secure key space for inuse keys. Despite popular opinion keys are easy to extract from a running program given the memory map of the program. just look for areas of high randomness. They will likely be word bounded, and have pointers pointing to their starting position. With a hardware card you can put the key on the card and erase it from memory. A good hardware crypto card has it's key space write only. Better ones the input buffer space is also write only.

Often Overlooked Advantage

[cowbutt]

An often overlooked advantage of hardware-based encryption devices is that if they are properly designed and implemented (i.e. tested and conformant with FIPS-140-1 security level of 3+) then the private key can be reasonably assured to never leave the device, even if it is disassembled.

hardware

[joq]

Certainly it's not dead, and with all the security incidences going on, more and more companies will eventually turn to other means of safeguarding data than the usual suspects (PKI, etc).

One of the problems with hw based encryption, is the pricing however major corporations esepcially in the financial markets look to hw, as does the military, but there are actually some restrictions on what can be sold due to crypto laws.

And FYI when you say hw crypto you should note that there are different types of hw, e.g. network, optical, embedded, datalink, etc.

network based
Caneware is capable of encrypting and decrypting at through put rates from 1200 bps to 750 kbps full duplex and supports I/O rates up to the T1 rate (1.544 Mbps). cost is $19,500.

embedded based
Fascinator can be used for non-tactical communication nets. It is approved for use at all classification levels. the MCX-100, NX 300, Portable Repeater, SABER, SPECTRA, SYNTOR X-9000, SYNTO X-9000 E, Console Interface Unit, and SPECTRA Mobile SVMS have been endorsed. This product is available from Motorola, Inc. The price ranges from $495 for hand-held to $1200 for portable repeaters.

optical based
KG-189 is a trunk encryptor designed to be compatible with Synchronous Optical Network (SONET) standard interfaces. It provides optical transport at both the RED and BLACK interfaces to communications systems. The KG-189 program currently consists of models supporting two standard SONET data rates. The OC-3 model operates at 155 Mb/s and the OC-12 model operates at 622 Mb/s. The development of a model supporting the SONET OC-48 data rate of 2.5 Gigab/s has been terminated. The KG-189 supports BENIGN fill capability, traditional key and remote loading of FIREFLY vectors. It is approved for use at all classification levels. The product was developed by Motorola GSTG and Nortel. Production of the KG-189 is provided by Motorola Sectel. The cost for the OC-3 model is $37,654, and the OC-12 model is $62,664.

datalink based
Motorola STU-III SECTEL serves as two-wire and four-wire switched telephone systems used in CONUS and Overseas. They are approved for use at all classification levels. The authorized vendor is Motorola, Inc. The cost for a STU-III Sectel is $3,795.

And the list goes on [antioffline.com]

Banks

[randombit]

Hardware crypto will never go away entirely. It's not really needed for user machines, as other people have mentioned, but financial instituations want hardware.

First, they have to fit crypto into places without much traditional processing power (ATMs, etc).

Secondly, they have to process lots of inter-bank communications, those all have to be secured, that's a lot of processing time.

Third, I believe hardware is required by at least some banking standards, and it probably helps for insurance reasons, etc as well.

Fourth, better safety against compromise (both leaking the key, and altering the algorithm somehow).

Check out some of the crypto hardware that IBM has made for the AS/400 (popular in financial areas). PCI crypto cards an inch thick, protected by some really serious anti-tampering mechanisms.

OTOH, if I could find a cheap DES PCI card with drivers for *BSD/Linux, I would probably get a couple. :) Hardware is cool.

What about encryption implemented in the OS

[crovax]

Hardware based products are very expensive as you pointed out.
But what about implementing the encryption in the OS [slashdot.org].
Not as secure as hardware but a lot cheaper.
Check this out [slashdot.org] too.

--
Spelling by m-w.com [m-w.com].

Not dead yet

[JohnTheFisherman]

It's getting better. ;)

Perspective

[flynt]

From the end user point of view, hardware encryption is rarely seen. I mean, how many people do you know who buy special purpose encryption devices for their PC's? Not many I'd guess. But for military/government/large organizations, hardware encryption is the way to go. I've read in the last 10 years, well over 90% of encryption is done in specialized hardware devices. This is real stuff. This is big stuff. Why though, why not software? Well, as Schneier points out, software encryption is scary. Why? Software can be replaced by an attacker much easier than hardware. True, not likely to happen in your home, but I'm not talking about your home. Also, software may swap memory to a disk, maybe your key is in memory, now your key is on a disk. That's not good. So hardware is safer (home users 99999/100,000 won't need that safety), it is faster (once again, not appreciably for encrypting your email, but what about encrypting a T3 data stream between corporate offices?), and it can be made to be tamperproof. There is still a very large market for hardware encryption (and there will be for the forseeable future), just not for home users.

Hardware encryption is certainly NOT dead

[hafree]

If you are just creating an encrypted tunnel between 2 locations on T1 links, a software-based solution on a fast processor is more than sufficient. But what happens when you need to connect 50 offices on T3 or faster links with 3DES IPSEC tunnels and 2000 satellite locations? That's way too much processing to do through software, even on multiple WAN access devices. Hardware encryption is certainly overkill for SOHO applications, but for larger faster networks, it is really the only option.

other markets

[zoombah]

if one is speaking from the "i host a web server on linux" viewpoint, then of course hardware encryption seems rather expensive and unnecessary. However, special interests call for specialized hardware. For example, web servers don't need great video cards. However, desktop and workstation users require excellent video cards, for their tasks are oriented in such a manner. Similarly, those with special needs require specialized hardware.

Hardware crypto, of course, takes the encryption burden off of the central CPU. Hardware crypto is more secure as well. General purpose operating systems are bad news for cryptography. In an environment of multithreading and shared memory, sensitive information can be held in insecure places (that is, unencrypted in memory or on disk). This is particularly an issue with virtual memory - sensitive data passing through memory could remain on disk for days, insecure. Hardware crypto alleviates this problem by bypassing the CPU and OS crypto software, and does all of it on board.