research-article

Encrypting the internet

Authors:

Michael E. Kounavis,

Mathew Eszenyi,

David DurhamAuthors Info & Claims

ACM SIGCOMM Computer Communication Review, Volume 40, Issue 4

Pages 135 - 146

https://doi.org/10.1145/1851275.1851200

Published: 30 August 2010 Publication History

Abstract

End-to-end communication encryption is considered necessary for protecting the privacy of user data in the Internet. Only a small fraction of all Internet traffic, however, is protected today. The primary reason for this neglect is economic, mainly security protocol speed and cost. In this paper we argue that recent advances in the implementation of cryptographic algorithms can make general purpose processors capable of encrypting packets at line rates. This implies that the Internet can be gradually transformed to an information delivery infrastructure where all traffic is encrypted and authenticated. We justify our claim by presenting technologies that accelerate end-to-end encryption and authentication by a factor of 6 and a high performance TLS 1.2 protocol implementation that takes advantage of these innovations. Our implementation is available in the public domain for experimentation.

References

[1]

"Advanced Encryption Standard". Website. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.

[2]

"Cisco WebVPN Services Module - Cryptographic Accelerator". Website, hardware.com. http://us.hardware.com/store/cisco/WS-SVC-WEBVPN-K9=/campaign/1-85819001.

[3]

"Crypto++". Crypto++ Website. http://www.cryptopp.com.

[4]

"Data-stealing Malware on the Rise, Solutions to Keep Businesses and Consumers Safe". Website. http://us.trendmicro.com/imperia/md/content/us/pdf/ threats/securitylibrary/data_stealing_malware_focus_ report_-_june_2009.pdf.

[5]

The Galois/Counter Mode of Operation (GCM). Website, NIST. http://csrc.nist.gov/groups/ST/toolkit/BCM/ documents/proposedmodes/gcm/gcm-spec.pdf.

[6]

"Intel AVX, Intel Software Network". Intel Website. http://software.intel.com/en-us/avx/.

[7]

"Internet Passes 600,000 SSL Sites". Website, SSL Shopper. http://www.sslshopper.com/ article-internet-passes-600000-ssl-sites.html/.

[8]

"OpenSSL Library". OpenSSL Website. http://www.openssl.org.

[9]

"OProfile". OProfile Website. http://oprofile.sourceforge.net/news/.

[10]

"PowerEdge Rack Servers". Website, dell.com. http://www.dell.com/us/en/gen/servers/rack_ optimized/cp.aspx?refid=rack_optimized&s=gen.

[11]

"SSL Acceleration and Offloading: What Are the Security Implications?". Website, WindowSecurity.com. http://www.windowsecurity.com/articles/SSL-Acceleration-Offloading-Security-Implications.html.

[12]

"SSL Decryption and Re-encryption". Website, zeus.com. http://www.zeus.com/products/traffic-manager/secure/ssl.html.

[13]

"The Total Number of Web Sites on Earth". Website, Get Netted. http://www.wlug.net/the-total-number-of-websites-on-earth/.

[14]

"TLS 1.2 Open Source Release". Website. http://www.mail-archive.com/[email protected]/msg27172.html.

[15]

"Two Year Study of Global Internet Traffic, NANOG47". Website, Internet Society. http://isoc-dc.org/wordpress/?p=920.

[16]

P. Barrett. "Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor". Masters Thesis, University of Oxford, UK, 1986.

[17]

A. Bosselaers, R. Govaerts, and J. Vandewalle. "Comparison of Three Modular Reduction Functions". Proceedings, Advances in Cryptology (CRYPTO 1993), 1993.

Digital Library

[18]

D. Canright. "A Very Compact S-Box for AES". Proceedings, Workshop on Cryptographic Hardware and Embedded Systems (CHES 2005), 2005.

Digital Library

[19]

A. J. Elbirt. "Fast and Efficient Implementation of AES via Instruction Set Extensions". Proceedings, 21st International Conference on Advanced Information Networking and Applications Workshops, 2007.

Digital Library

[20]

N. Farrell. "google tightens Gmail security". Website, January 2010. http://www.theinquirer.net/inquirer/ news/1586138/google-tightens-gmail-security.

[21]

M. Feldhofer, J. Wolkerstorfer, and V. Rijmen. "AES Implementation on a Grain of Sand". IEE Proceedings on Information Security, 2005.

[22]

D. Feldmeier. "Fast Software Implementation of Error Detection Codes". IEEE Transactions on Networking, pages 640--651, 1995.

Digital Library

[23]

A. M. Fiskiran and R. B. Lee. "On Chip Lookup Tables for Fast Symmetric Key Encryption". Proceedings, IEEE International Conf. on Application-Specifoc Systems, Architectures and Processors, pages 356--363, 2005.

Digital Library

[24]

K. Grewal and M. Miller. "Next Generation Scalable, Cost-e ective E2E Security". RSA Conference, 2010.

[25]

S. Gueron. "Intel's New AES Instructions for Enhanced Performance and Security". Proceedings, 16th International Workshop on Fast Software Encryption (FSE 2009), LNCS 5665, pages 51 -- 66, 2009.

Digital Library

[26]

A. Hodjat, D. Hwang, B.-C. Lai, K. Tiri, and I. Verbauwhede. "A 3.84 Gbits/s AES Crypto Coprocessor with Modes of Operation in a 0.18-um CMOS Technology". Proceedings, 15th ACM Great Lakes Symposium on VLSI, pages 60--63, 2005.

Digital Library

[27]

A. Hodjat and I. Verbauwhede. "A 21.54 Gbits/s Fully Pipelined AES Processor on FPGA". Proceedings, 12th IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM 2004), pages 308--309, 2005.

Digital Library

[28]

D. Knuth. "Seminumerical Algorithms". The Art of Computer Programming, Addison-Wesley, 2, 1997.

Digital Library

[29]

C. K. Koc. "Analysis of Sliding Window Techniques for Exponentiation". Computers and Mathematics with Application, 30(10):17--24, 1995.

[30]

C. K. Koc, T. Acar, and B. S. Kaliski. "Analyzing and Comparing Montgomery Multiplication Algorithms". IEEE Micro, 16(3):26--33, 1996.

Digital Library

[31]

M. Kounavis. "A New Method for Fast Integer Multiplication and its Application to Cryptography". Proceedings, 2007 International Symposium on Performance Evaluation of Computer and Telecommunication Systems, 2007.

[32]

M. Kounavis and L. Xu. "AES-NI: New Technology for Improving Encryption Efficiency and Enhancing Data Security in the Enterprise Cloud". Intel Developer Forum, 2009. https://intel.wingateweb. com/us09/scheduler/sessions.do?searchGroup= 9&searchGroupID=10133&profileItem_id=10004.

[33]

D. McGrew. "An Interface and Algorithms for Authenticated Encryption". Website, January 2008. http://www.faqs.org/rfcs/rfc5116.html.

[34]

A. Menezes, P. Oorschot, and S. Vanstone. "Handbook of Applied Cryptography". CRC Press, 1997.

Digital Library

[35]

N. Mentens, L. Batina, B. Preneel, and I. Verbauwhede. "A Systematic Evaluation of Compact Hardware Implementations for the Rijndael S-Box". Proceedings of CT-RSA 2005, 2005.

Digital Library

[36]

P. Montgomery. "Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor". Masters Thesis, University of Oxford, UK, 1986.

[37]

P. Montogomery. "Five, Six and Seven-term Karatsuba-like Formulae". IEEE Transactions on Computers, 2005.

Digital Library

[38]

S. Moriokah and A. Satoh. "An Optimized S-Box Circuit Architecture for Low Power AES Design". Proceedings, Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002), pages 172--186, May 2002.

Digital Library

[39]

K. K. Peretti. "Data Breaches: What the Underground World of Carding Reveals". the Santa Clara Computer and High Technology Journal, 25(2):375--413, January 2009.

[40]

C. Rebeiro, D. Selvakumar, and A. S. L. Devi. "Bitslice Implementation of AES". Cryptology and Network Security, LNCS 4301, 2006.

Digital Library

[41]

A. Rudra, P. K. Dubey, C. S. Jutla, V. Kumar, J. R. Rao, and P. Rohatgi. "Efficient Rijndael Encryption with Composite Field Arithmetic". Proceedings, Workshop on Cryptographic Hardware and Embedded Systems (CHES 2001), pages 175--188, May 2001.

Digital Library

[42]

A. Satoh, S. Moriokah, K. Takano, and S. Munetoh. "A Compact Rijndael Hardware Architecture with SBox Optimization". Lecture Notes in Computer Science, LNCS 2248, pages 239--254, 2001.

Digital Library

[43]

S. Schillace. "Default HTTPS Access for gmail". Website, January 2010. http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html.

[44]

SecurityFocus. "Data Breach Costs Rise, Response Costs Fall". Website, February 2009. http://www.securityfocus.com/brief/900.

[45]

I. Verbauwhede, P. Schaumont, and H. Kuo. "Design and Performance Testing of a 2.29 Gb/s Rijndael Processor". IEEE Journal of Solid-State Circuits, pages 569--572, 2003.

[46]

A. Weimerskirch and C. Paar. "Generalizations of the Karatsuba Algorithm for Efficient Implementations. Technical Report, University of Ruhr, Bochum, Germany, 2003.

[47]

A. Whitten. "HTTPS Security for Web Applications". Website, June 2009. http://googleonlinesecurity.blogspot.com/2009/06/https-security-for-web-applications.html.

[48]

J. Wolkerstorfer, E. Oswald, and M. Lamberger. "An ASIC Implementation of the AES SBoxes". Proceedings, CT-RSA 2002, 2002.

Digital Library

Cited By

LeMay MRakshit JDeutsch SDurham DGhosh SNori AGaur JWeiler ASultana SGrewal KSubramoney S(2021)Cryptographic Capability ComputingMICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture10.1145/3466752.3480076(253-267)Online publication date: 18-Oct-2021
https://dl.acm.org/doi/10.1145/3466752.3480076
Qin YSheng Q(2018)Big Data Analysis and IoTEncyclopedia of Big Data Technologies10.1007/978-3-319-63962-8_308-1(1-12)Online publication date: 29-May-2018
https://doi.org/10.1007/978-3-319-63962-8_308-1
Dong HSong LWang JYang J(2016)SSLSARD: A Request Distribution Technique for Distributed SSL Reverse ProxiesJournal of Communications10.12720/jcm.11.4.374-382Online publication date: 2016
https://doi.org/10.12720/jcm.11.4.374-382
Show More Cited By

Index Terms

Encrypting the internet
1. Hardware
2. Information systems

Recommendations

Encrypting the internet
SIGCOMM '10: Proceedings of the ACM SIGCOMM 2010 conference

End-to-end communication encryption is considered necessary for protecting the privacy of user data in the Internet. Only a small fraction of all Internet traffic, however, is protected today. The primary reason for this neglect is economic, mainly ...
An End-to-End Measurement of Certificate Revocation in the Web's PKI
IMC '15: Proceedings of the 2015 Internet Measurement Conference

Critical to the security of any public key infrastructure (PKI) is the ability to revoke previously issued certificates. While the overall SSL ecosystem is well-studied, the frequency with which certificates are revoked and the circumstances under which ...
Analysis of SSL certificate reissues and revocations in the wake of heartbleed
IMC '14: Proceedings of the 2014 Conference on Internet Measurement Conference

Central to the secure operation of a public key infrastructure (PKI) is the ability to revoke certificates. While much of users' security rests on this process taking place quickly, in practice, revocation typically requires a human to decide to reissue ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM SIGCOMM Computer Communication Review

ACM SIGCOMM Computer Communication Review Volume 40, Issue 4

SIGCOMM '10

October 2010

481 pages

ISSN:0146-4833

DOI:10.1145/1851275

Issue’s Table of Contents

SIGCOMM '10: Proceedings of the ACM SIGCOMM 2010 conference
August 2010
500 pages
ISBN:9781450302012
DOI:10.1145/1851182
General Chairs:
Shiv Kalyanaraman
IBM Research, India
,
Venkat Padmanabhan
Microsoft Research, India
,
K. K. Ramakrishnan
IBM Research, India
,
Rajeev Shorey
NIIT University, India
,
Program Chairs:
K. K. Ramakrishnan
IBM Research, India
,
Geoffrey M. Voelker
University of California, San Diego, USA

Copyright © 2010 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 August 2010

Published in SIGCOMM-CCR Volume 40, Issue 4

Check for updates

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

43
Total Citations
View Citations
1,396
Total Downloads

Downloads (Last 12 months)118
Downloads (Last 6 weeks)6

Reflects downloads up to 13 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

LeMay MRakshit JDeutsch SDurham DGhosh SNori AGaur JWeiler ASultana SGrewal KSubramoney S(2021)Cryptographic Capability ComputingMICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture10.1145/3466752.3480076(253-267)Online publication date: 18-Oct-2021
https://dl.acm.org/doi/10.1145/3466752.3480076
Qin YSheng Q(2018)Big Data Analysis and IoTEncyclopedia of Big Data Technologies10.1007/978-3-319-63962-8_308-1(1-12)Online publication date: 29-May-2018
https://doi.org/10.1007/978-3-319-63962-8_308-1
Dong HSong LWang JYang J(2016)SSLSARD: A Request Distribution Technique for Distributed SSL Reverse ProxiesJournal of Communications10.12720/jcm.11.4.374-382Online publication date: 2016
https://doi.org/10.12720/jcm.11.4.374-382
Dong HYang JSheng Y(2016)Request distribution with pre-learning for distributed SSL reverse proxies2016 17th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD)10.1109/SNPD.2016.7515895(161-167)Online publication date: May-2016
https://doi.org/10.1109/SNPD.2016.7515895
Dong HWang JYang J(2016)Effective Request Distributing in Distributed SSL Reverse Proxies2016 International Symposium on Computer, Consumer and Control (IS3C)10.1109/IS3C.2016.111(412-416)Online publication date: Jul-2016
https://doi.org/10.1109/IS3C.2016.111
Zhang XYang YHan ZWang HGao C(2013)Object class detectionACM Computing Surveys10.1145/2522968.252297846:1(1-53)Online publication date: 11-Jul-2013
https://dl.acm.org/doi/10.1145/2522968.2522978
Bianchi GDetti ACaponi ABlefari Melazzi N(2013)Check before storingACM SIGCOMM Computer Communication Review10.1145/2500098.250010643:3(59-67)Online publication date: 1-Jul-2013
https://dl.acm.org/doi/10.1145/2500098.2500106
Wang HXia YBergman KNg TSahu SSripanidkulchai K(2013)Rethinking the physical layer of data center networks of the next decadeACM SIGCOMM Computer Communication Review10.1145/2500098.250010543:3(52-58)Online publication date: 1-Jul-2013
https://dl.acm.org/doi/10.1145/2500098.2500105
Basso SMeo MDe Martin J(2013)Strengthening measurements from the edgesACM SIGCOMM Computer Communication Review10.1145/2500098.250010443:3(45-51)Online publication date: 1-Jul-2013
https://dl.acm.org/doi/10.1145/2500098.2500104
Frank BPoese ILin YSmaragdakis GFeldmann AMaggs BRake JUhlig SWeber R(2013)Pushing CDN-ISP collaboration to the limitACM SIGCOMM Computer Communication Review10.1145/2500098.250010343:3(34-44)Online publication date: 1-Jul-2013
https://dl.acm.org/doi/10.1145/2500098.2500103
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents