UNIX password security—ten years later
CRYPTO '89 Proceedings on Advances in cryptology
The importance of non-data touching processing overheads in TCP/IP
SIGCOMM '93 Conference proceedings on Communications architectures, protocols and applications
Improving SSL Handshake Performance via Batching
CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
Exploiting Parallelism in Hardware Implementations of the DES
CRYPTO '91 Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology
The Design and Implementation of a Transparent Cryptographic File System for UNIX
Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference
A Study of the Relative Costs of Network Security Protocols
Proceedings of the FREENIX Track: 2002 USENIX Annual Technical Conference
Using modern graphics architectures for general-purpose computing: a framework and analysis
Proceedings of the 35th annual ACM/IEEE international symposium on Microarchitecture
Performance analysis of TLS Web servers
ACM Transactions on Computer Systems (TOCS)
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
An open-source cryptographic coprocessor
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
The design of a cryptographic security architecture
SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Cryptography in OpenBSD: an overview
ATEC '99 Proceedings of the annual conference on USENIX Annual Technical Conference
Cryptographics: secret key cryptography using graphics cards
CT-RSA'05 Proceedings of the 2005 international conference on Topics in Cryptology
Highly scalable web applications with zero-copy data transfer
Proceedings of the 18th international conference on World wide web
A session key caching and prefetching scheme for secure communication in cluster systems
Journal of Parallel and Distributed Computing
| Hi-index | 0.00 |
Cryptographic transformations are a fundamental building block in many security applications and protocols. To improve performance, several vendors market hardware accelerator cards. However, until now no operating system provided a mechanism that allowed both uniform and efficient use of this new type of resource.We present the OpenBSD Cryptographic Framework (OCF), a service virtualization layer implemented inside the operating system kernel, that provides uniform access to accelerator functionality by hiding card-specific details behind a carefully designed API. We evaluate the impact of the OCF in a variety of benchmarks, measuring overall system performance, application throughput and latency, and aggregate throughput when multiple applications make use of it.We conclude that the OCF is extremely efficient in utilizing cryptographic accelerator functionality, attaining 95% of the theoretical peak device performance and over 800 Mbps aggregate throughput using 3DES. We believe that this validates our decision to opt for ease of use by applications and kernel components through a uniform API and for seamless support for new accelerators. Furthermore, our evaluation points to several bottlenecks in system and operating system design: data copying between user and kernel modes, PCI bus signaling inefficiency, protocols that use small data units, and single-threaded applications. We identify some of these limitations through a set of measurements focusing on application-layer cryptographic protocols such as SSL. We offer several suggestions for improvements and directions for future work. We provide experimental evidence of the effectiveness of a new approach which we call operating system shortcutting. Shortcutting can improve the performance of application-layer cryptographic protocols by 27% with very small changes to the kernel.