|
| Author |
Hardware blowfish encryption?
|
|
| Dave Hinz 2005-04-19, 6:06 pm |
| We've got an encryption process which currently runs on one of my
ancient Sun boxes (a 4500), and (gasp!) is slow. While I could
just throw it onto something made during this century, I wonder if
I couldn't instead go with some sort of a hardware or hybrid solution.
Can anyone suggest a hardware device, or accelerator card, which would
let me speed up our encryption and decryption times? Decryption is more
critical, as that's done while the user is waiting for their data.
I've looked at Ingrian's site, they look OK but it seems nobody does
blowfish in hardware.
Or, should I just build a stripped down *BSD box and make my own
appliance? The possible side-benefit to that is that other programs
here at work will probably also want encryption solutions, so I could
use one appliance for many projects.
Any comments, suggestions, or insights are most welcome.
Thanks,
Dave Hinz
| |
|
| Begin <3cl64oF6htmq7U1@individual.net>
On 2005-04-19, Dave Hinz <DaveHinz@spamcop.net> wrote:
> Can anyone suggest a hardware device, or accelerator card, which would
> let me speed up our encryption and decryption times? Decryption is more
> critical, as that's done while the user is waiting for their data.
> I've looked at Ingrian's site, they look OK but it seems nobody does
> blowfish in hardware.
If you can find it, ncipher used to make a 5.25"-drive-sized box that
attaches to a SCSI chain. I know it exists but I couldn't find it on
their website inside of a minute or so.
> Or, should I just build a stripped down *BSD box and make my own
> appliance? The possible side-benefit to that is that other programs
> here at work will probably also want encryption solutions, so I could
> use one appliance for many projects.
Look at soekris.com for example. More specifically:
http://soekris.com/vpn1401.htm
FreeBSD and OpenBSD are fully supported, says the website. On my FreeBSD
5.3 box the crypto(4) and hifn(4) pages are of interest. crypto(4) also
references safe(4), and a quick google indicates safenet-inc.com may be
another option to consider.
--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
| |
| Dave Hinz 2005-04-20, 5:52 pm |
| On 20 Apr 2005 08:29:47 GMT, jpd <read_the_sig@do.not.spam.it.invalid> wrote:
> Begin <3cl64oF6htmq7U1@individual.net>
> On 2005-04-19, Dave Hinz <DaveHinz@spamcop.net> wrote:
>
> If you can find it, ncipher used to make a 5.25"-drive-sized box that
> attaches to a SCSI chain. I know it exists but I couldn't find it on
> their website inside of a minute or so.
Ah, sorry, we're looking to encrypt it on its way to a few TB of SAN disk.
>
> Look at soekris.com for example. More specifically:
> http://soekris.com/vpn1401.htm
> safenet-inc.com may be another option to consider.
Ah, now that's interesting. Thanks.
Dave Hinz
| |
| Coy Hile 2005-04-20, 5:52 pm |
| Dave Hinz wrote:
> On 20 Apr 2005 08:29:47 GMT, jpd <read_the_sig@do.not.spam.it.invalid> wrote:
>
>
>
> Ah, sorry, we're looking to encrypt it on its way to a few TB of SAN disk.
>
>
Would one of the Sun crypto accelerator boards do what you need?
http://www.sun.com/products/network...ccel/index.html
--
Coy Hile
hile@cse.psu.edu
| |
| Dave Hinz 2005-04-20, 5:52 pm |
| On Wed, 20 Apr 2005 12:17:14 -0400, Coy Hile <hile@cse.psu.edu> wrote:
> Dave Hinz wrote:
>
> Would one of the Sun crypto accelerator boards do what you need?
> http://www.sun.com/products/network...ccel/index.html
I've been wondering those, myself. Apparently not for Blowfish, but
we're not absolutely tied to that particular flavor of encryption.
That'd certainly be the quickest thing to implement, and it looks like
it's got excellent throughput. Added benefit is that I could throw it
into my existing hardware and not add yet another host to manage.
Close to 100 boxes, with 4 guys, is getting kinda heavy, y'know?
| |
| Jeremiah DeWitt Weiner 2005-04-20, 5:52 pm |
| Coy Hile <hile@cse.psu.edu> wrote:
> Would one of the Sun crypto accelerator boards do what you need?
> http://www.sun.com/products/network...ccel/index.html
The company formerly known as Rainbow, now SafeNet, also makes
accelerator cards: http://www.safenet-inc.com/ (can't link to a
products page due to crappy site design) I had a very small amount of
experience with the Rainbow stuff; I don't know if the SafeNet stuff is
similar, but Rainbow always had good Sun support, AFAIK.
JDW
| |
| Nick Bachmann 2005-04-20, 8:48 pm |
| Dave Hinz wrote:
> On Wed, 20 Apr 2005 12:17:14 -0400, Coy Hile <hile@cse.psu.edu> wrote:
>
>
>
> I've been wondering those, myself. Apparently not for Blowfish, but
> we're not absolutely tied to that particular flavor of encryption.
Switching to another algorithm (like AES) might be advisable, if for no
other reason than better hardware availability. Also, while Blowfish was
subject to quite a bit of scrutiny during its AES bid, the fact that it
didn't win means that far fewer of the academic types are spending their
time looking for its weaknesses.
> That'd certainly be the quickest thing to implement, and it looks like
> it's got excellent throughput.
It looks like the Sun cards are geared more towards SSL and public-key
encryption, which may or may not be acceptable to you.
Nick
| |
| Dave Hinz 2005-04-21, 5:59 pm |
| On Wed, 20 Apr 2005 19:54:40 -0400, Nick Bachmann <usenet@not-real.org> wrote:
> Dave Hinz wrote:
>
> Switching to another algorithm (like AES) might be advisable, if for no
> other reason than better hardware availability. Also, while Blowfish was
> subject to quite a bit of scrutiny during its AES bid, the fact that it
> didn't win means that far fewer of the academic types are spending their
> time looking for its weaknesses.
That seems to be consistent with what I've been learning over the last week,
as well.
> It looks like the Sun cards are geared more towards SSL and public-key
> encryption, which may or may not be acceptable to you.
My Sun guy is going to have a techie get back to me, but I think you're
right. So at the moment it looks like something like a Sun 240, with
a hardware AES card, that I can then use as an enterprise-wide solution.
When I need more capacity, I can add another 240 with hardware card. We
have only two projects using encryption in this manner right now, and
the 4500 they're using to encrypt is getting old & tired.
Thanks (all) for your thoughts, I'll summarize when I come up with
a workable solution. Of course, then someone will post a "hey, why didn't
you (thing that is cheaper and faster)", but that's OK ...
Dave Hinz
|
|
|
|
|