Tales from the Crypto

BOSTON (05/23/2000) - E-commerce is all about getting customers to buy your stuff. When they can't because your system is slow, they go somewhere else.

One of the biggest drains on Web server resources is data encryption.

Encryption pulls CPU cycles away from business transaction processing and limits the number of simultaneous transactions the server can support. The resulting network lethargy not only annoys users, but also may cause them to leave your site altogether. This clearly spells death for e-business.

Special hardware called cryptographic accelerators is now available to take over the encryption processing and free up Web servers to handle core business transactions. Cryptographic accelerators perform all of the intensive algorithmic calculations necessary for data encryption.

The calculations are performed in the accelerator, which can produce results faster than a server can. However, at an average cost of $10,000 each, these products aren't cheap. If an accelerator doesn't increase performance significantly, it only adds to the overall cost of Web site security without improving server performance or customer wait time.

With that in mind, we set out to test the value proposition of hardware-based cryptographic accelerators. We tested nCipher Corporation Ltd.'s nForce 300 and Rainbow Technologies Inc.'s CryptoSwift 600. We invited Phobos Inc. to participate with its IN-Boost product, but the company declined because the latest version of its card wasn't ready until after our testing deadline.

For its outstanding performance, comprehensive management, ease of use and overall value, the CryptoSwift 600 wins our Blue Ribbon Award. However, the nForce 300 is still a good performer with good scalability at a slightly lower price.

The heart of the matter

We began the tests by establishing a baseline of performance on Web servers without cryptographic accelerator cards. Our testing found that our dual Pentium II 350-MHz server handled about 14 secured transactions per second and had an average response time of about 5 seconds without any hardware enhancement. When the frequency was increased to 200 requests per second, the unassisted server crashed. Adding either of the cryptographic accelerators enabled the server to handle more than 10 times the number of transactions.

The CryptoSwift 600 handled up to 230 secured transactions per second, while the nForce 300 managed about 190. In fact, the CryptoSwift 600 outperformed the nForce 300 at every turn: response times were lower, the number of transactions handled was greater, and the number of simultaneous connections was higher.

However, the nForce 300 had an interesting feature that the CryptoSwift 600 lacked. The nForce 300 is completely tamper-proof, locked in polymer casing that prevents any kind of meddling with circuitry. The CryptoSwift does not have tamper-resistant casing.

We wondered whether that was really a big issue in this case. If someone gets into your server room, you have more to worry about than whether your cryptographic accelerator has a tamper-resistant case.

Matters of management

Both cryptographic accelerator cards were fairly simple to install and configure. The CryptoSwift 600 was a bit easier to install, and its Windows interface was a bit more intuitive, although not by much.

However, the nForce 300 installation CDs came with all of the drivers and patches necessary for installation, while the CryptoSwift 600 CDs weren't so up-to-date. This isn't a serious or uncommon problem, and a CryptoSwift representative says the company is updating its installation CDs.

Although their installation procedures were comparable, the difference between the management utilities and scalability of these cards was significant. Both cards come with a variety of utilities to help network managers diagnose and resolve problems with the cryptographic accelerators. The CryptoSwift card also has monitoring tools that let network managers monitor the number of RSA encryption algorithm signings the card is performing, as well as conduct stress tests on Web servers to determine their breaking point. We found these tools very useful for network traffic forecasting and planning. The nForce card lacked such tools, although nCipher says it plans to add a monitor in a future release.

Scalability was also a difference. In the PCI model of both cards, you can install as many cards as there are available PCI slots in a server. Using the nForce 300's Fast SCSI-2 interface option, you can put up to seven nForce 300 cards in a single server. The CryptoSwift, while it doesn't have a SCSI model, does come in an external configuration, which is a box that connects to servers via an Ethernet connection. In practice, this probably puts the nForce 300 a bit ahead in scalability, due to the faster nature of the SCSI interface.

Putting it in writing

Documentation wasn't a strong point for either product, although nCipher had all of its documentation and installation patches for the nForce 300 readily available on the company's Web site. The documentation for the CryptoSwift 600 was skimpy at best, and we couldn't find any additional documentation on the Rainbow Technologies Web site. The company says it keeps the documentation off the site for security reasons.

Overall, we were impressed with the performance boost that both cryptographic accelerator cards gave our server. Given the boost of 10 times or more to server performance that crypto-acceleration cards provide, we state unequivocally that no e-commerce site should be without crypto-acceleration.

However, for about the same money, the CryptoSwift 600 gave more of just about everything: performance, management and ease of installation.

Bracco is principal analyst for enterprise infrastructure at Current Analysis.

She can be reached at tbracco@currentanalysis.com.
