By Topic

Secure Blue: an architecture for a scalable, reliable high volume SSL Internet server

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

1 Author(s)
Mraz, R. ; IBM Thomas J. Watson Res. Center, Hawthorne, NY, USA

Although there exist accelerator products to increase throughput of encrypted transactions produced by an Internet HTTP server there are no current architectures that provide a truly coordinated and scalable solution for Secure Socket Layer (SSL) encrypted communications. This paper presents an architecture that facilitates high volume SSL Internet serving, scaling from thousands to millions of independently active SSL sessions. Reliability, availability, serviceability, and on-line error recovery requirements for such an application are also addressed. Our approach is to offload SSL set-up protocol activity that was traditionally executed by transaction engines (and dedicated co-processors), to a scalable array of SSL handshake protocol-specific servers. This significantly reduces utilization on the transaction engines since SSL session set-up is a CPU intensive operation. Additionally, the actual encryption/decryption processing is offloaded as well, to a dedicated and scalable array of in-line encryption engine(s). The in-line encryption engine is architected such that requests and responses flowing to and from the transaction servers are in clear text. A benefit of this arrangement is that transaction engines (as well as Web accelerator proxies) will retain the ability to cache Web objects, while firewalls will retain the ability to perform packet level inspection of all traffic directed to the transaction engines. Such features have been sacrificed in prior SSL implementations.

Published in:

Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual

Date of Conference:

10-14 Dec. 2001