SSL/TLS Encryption: Today's Challenge
Secure Sockets Layer (SSL), more properly called Transport Layer Security (TLS), has become the default approach for protecting sensitive data flowing over the Internet. SSL uses encryption to provide data confidentiality for connections between users and websites and the web-based services they provide. The vast majority of sensitive web traffic, such as user login screens, e-commerce checkout pages, and online banking, is encrypted using SSL. While organizations may wrestle with whether and where to use encryption elsewhere in the enterprise, the use of SSL encryption for Internet traffic is rarely in question. However, the growth in the use of web applications and cloud-based services and even the need to encrypt internal networks is driving rapid increase in the number of SSL connections and a corresponding population of SSL related keys and certificates. Very often the operational challenges of managing this growth can overshadow important security considerations.
SSL security relies on master keys and associated SSL certificates that identify the parties involved in the connection and enable unique encryption keys to be derived for each individual session. Like other cryptographic keys, SSL master keys should be safeguarded. An attacker who steals an SSL key can impersonate your site and read your traffic. Given that the security of an SSL solution is directly related to the security of the keys, organizations that require a high level of assurance may want to take additional steps to protect SSL keys and the SSL connection process. These organizations might include banks and other institutions that process credit and debit card transactions, cloud service providers whose reputations and service value depend on high levels of security, or any organization that exchanges high-value information over public or virtual private networks. One way to achieve a higher level of assurance is to protect SSL cryptographic keys in hardware security modules (HSMs); in fact, for some government applications, this protection is formally mandated. These dedicated hardware devices can also offload cryptographic processing from the web server or host, significantly boosting capacity and reducing CPU overhead.
Risks Associated with SSL TLS Encryption
- Attackers who gain access to SSL keys can steal confidential information, impersonate your site, and damage your business.
- SSL keys stored in software can be vulnerable to insider attack.
- Because SSL encryption/decryption is a resource-intensive process, it can degrade performance of servers and high-volume applications.
- SSL-based operations aren’t just limited to web servers and business applications. Increasingly SSL connections are terminated within network appliances, traffic inspection gateways and firewalls, and other performance monitoring devices. In all these cases keys need to be protected in a consistent fashion.
SSL/TLS Encryption: Thales e-Security Solutions
Products and services from Thales e-Security can help you deploy high assurance, high-performance SSL encryption to protect your business and your customers’ information while delivering the efficiency your critical web applications require. nShield HSMs add value to SSL implementations in multiple ways:
- Protect master SSL encryption keys, ensuring the overall integrity of the SSL process. Through standard APIs and pre-certified integration with common web platforms and SSL tools, developers and IT security staff can achieve higher levels of assurance by protecting and managing SSL private keys within the secure boundary of the nShield HSM.
- Accelerate SSL session set-up and connection time by executing these processes on optimized HSM devices. For higher-volume applications where performance is critical, you can dramatically improve application efficiency by executing SSL session handshaking using cryptographic offload capabilities provided by the HSM. This dedicated SSL processing enables the web server or host to handle more connections to the Internet, at a higher rate, thereby boosting overall capacity and minimizing hardware costs.
- Secure the entire SSL connection. For applications that require maximum protection, architects can choose to bring the entire SSL software stack and associated application logic within the secure boundary of the HSM, taking advantage of the nShield HSM’s CodeSafe SSL capability.
- Add levels of assurance to commercial devices and appliances that embed SSL capabilities. Given that SSL termination is incorporated into many different types of devices such as gateways, firewalls, network switches, load balancers, and others, product vendors can integrate HSMs with these devices to create a high assurance, high-performance and FIPS-certified SSL capability.
- Ensure integrity of the SSL encryption/decryption process using independently certified HSMs (FIPS 140-2 Level 3 and Common Criteria EAL4+).
- Ease compliance reporting through the use of tamper-resistant key generation and key management capabilities that enforce separation of duties.
- Achieve high availability and improved server performance with cryptographic offloading.
- Deploy cost-effective solutions for both low-volume and high-volume applications. Take advantage of a choice of speeds and form factors, so you can deploy exactly what you need and only what you need, and upgrade easily as your needs change.