Mathematics and development of fast TLS handshakes
Blemings Labs | Sun 24 Jan 11:40 a.m.–12:25 p.m.
Presented by
-
Alexander Krizhanovsky
@a_krizhanovsky
http://tempesta-tech.com/
Alexander is the CEO of Tempesta Technologies, Inc., and is the architect of Tempesta FW, a high performance open source Linux application delivery controller. Alexander is responsible for the design and performance of several products in the areas of network traffic processing and databases. He designed the core architecture of a Web application firewall, mentioned in the Gartner Magic Quadrant, and MariaDB temporal data tables.
Alexander Krizhanovsky
@a_krizhanovsky
http://tempesta-tech.com/
Abstract
Tempesta TLS is an implementation of TLS handshakes for the Linux kernel. Since the kernel already provides symmetric ciphers, we focus on asymmetric cryptography only, elliptic curves in particular.
Use used the mbed TLS library as the foundation and almost fully rewrote it to make is x40 faster. During our development we also use parts of WolfSSL library. While WolfSSL outperforms OpenSSL, it uses the same algorithms, which are 5-7 years of old. Tempesta TLS uses newer and more efficient algorithms from the modern cryptography research.
While we still improving performance of Tempesta TLS, the implementation already establishes 40-80% more TLS handshakes per second than OpenSSL/Nginx and provides up to x4 lower latency in several tests.
This talk covers following topics with plenty of benchmarks:
* The fundamentals of elliptic curve computations and the most "hot spots"
* Side channel attacks (SCA) and methods to prevent them
* How the recent CPU vulnerabilities impact TLS handshakes
* Basics of the new fast algorithms used in the Tempesta TLS
* The design trade offs in OpenSSL, WolfSSL, mbed TLS, and Tempesta TLS
* The funny assembly code with is more straightforward than C
Tempesta TLS is an implementation of TLS handshakes for the Linux kernel. Since the kernel already provides symmetric ciphers, we focus on asymmetric cryptography only, elliptic curves in particular. Use used the mbed TLS library as the foundation and almost fully rewrote it to make is x40 faster. During our development we also use parts of WolfSSL library. While WolfSSL outperforms OpenSSL, it uses the same algorithms, which are 5-7 years of old. Tempesta TLS uses newer and more efficient algorithms from the modern cryptography research. While we still improving performance of Tempesta TLS, the implementation already establishes 40-80% more TLS handshakes per second than OpenSSL/Nginx and provides up to x4 lower latency in several tests. This talk covers following topics with plenty of benchmarks: * The fundamentals of elliptic curve computations and the most "hot spots" * Side channel attacks (SCA) and methods to prevent them * How the recent CPU vulnerabilities impact TLS handshakes * Basics of the new fast algorithms used in the Tempesta TLS * The design trade offs in OpenSSL, WolfSSL, mbed TLS, and Tempesta TLS * The funny assembly code with is more straightforward than C