`
`I
`
`n'·'
`r-!'\..-\
`\J \.) '
`~
`, -., ;
`
`'
`
`UCID- 19892
`
`PERFORMANCE EVALUATION OF A HOST
`PERIPHERAL DES CRYPTOGRAPHIC CONTROLLER
`IMPLEMENTING A CAPABILITY PROTECTION SCHEME
`
`C. James Buchanan
`Arthur Sorkin
`
`September 12, 1983
`
`This is an informal report Intended primarily for Internal or limited external distribution. The
`opinions and condusiom stated are thOle of the author and may or may not be tho!ie of the
`Laboratory.
`Work performed under the auspices of the U.S. Department of Energy by the Lawrence
`Livermore Laboratory under Contract W-7405-Eng-48.
`
`IPR2017-00430
`UNIFIED EX1007
`
`
`
`DISCLAIMER
`
`This document was prepared as an account of work sponsored by an agency of the United States Government. Neither
`the United States Government nor the University of California nor any of their employees, makes any warranty, express
`or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any
`information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned
`rights. Reference herein to any specific commercial product, process, or service by trade name, trademark,
`manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by
`the United States Government or the University of California. The views and opinions of authors expressed herein do
`not necessarily state or reflect those of the United States Government or the University of California, and shall not be
`used for advertising or product endorsement purposes.
`
`This report has been reproduced
`directly from the best available copy.
`
`Available to DOE and DOE contractors from the
`Office of Scientific and Technical Information
`P.O. Box 62, Oak Ridge, TN 37831
`Prices available from (615) 576-8401, FIS 626-8401
`
`Available to the public from the
`National Technical Information Service
`U.S. Department of Commerce
`5285 Port Royal Rd.,
`Springfield, VA 22161
`
`
`
`PERFORMANCE EVALUATION OF A HOST
`
`PERIPHERAL DES CRYPTOGRAPHIC CONTROLLER
`
`IMPLEMENTING A CAPABILITY PROTECTION SCHEME*
`
`C. James Buchanan
`
`Arthur Sorkin
`
`September 12, 1983
`
`*The work reported here was conducted at Lawrence Livermore National
`Laboratory and supported by the U.S. Department of Energy, Office of
`Safeguards and Security, under Contract No. W-7405-ENG-48. The author
`is with Lawrence Livermore National Laboratory, University of
`California, Livermore, California 94550.
`
`
`
`
`
`
`
`TABLE OF CONTENTS
`
`1.0
`
`INTRODUCTION
`
`1.1 Purpose and Scope
`
`1.2 Report Organization
`
`2.0 CONTEXT OF TEST
`
`2.1 Host and Peripheral Cryptographic Controller Configuration
`
`2.2 Secret-Key Capability Protection
`
`3.0 TEST PROCEDURES
`
`4.0 TEST RESULTS
`
`4.1
`
`Individual Capability Protection Operation Tests
`
`4.2 Grouped Operation Tests
`
`5.0 CONCLUSION
`
`6.0 ACKNOWLEDGEMENT
`
`7.0 REFERENCES
`
`1
`
`2
`
`3
`
`3
`
`3
`
`4-10
`
`11
`
`12
`
`12-15
`
`16
`
`17-19
`
`20
`
`21
`
`
`
`
`
`
`1.0
`
`INTRODUCTION
`
`Distributed operating system security requirements within the Octopus
`
`Network at LLNL have led to efforts in improving the security and
`
`efficiency of distributed resource access. These and other requirements
`
`have led to the design and implementation of the LINCS distributed
`
`operating system [2, 3, SJ. Resource access control in LINCS is based on
`
`capabilities which may be passed between processes and which must be
`
`presented before access to a particular resource is granted.
`
`Based on previous work [l] a proposal has been made ,for the
`
`implementation of a secret-key capability protection scheme [3], which
`
`utilizes a cryptographic controller to protect requisite encryption keys
`
`and perform system encryption functions necessary for safely passing
`
`capabilities between processes. A secret-key DES capability protection
`
`scheme has been implemented by Sorkin [4]. As part of this
`
`implementation, a peripheral cryptographic controller is attached to a
`
`host computer to off-load from it the capability protection operation.
`
`For some host computers, this not only eliminates software processing
`
`time, but also improves the protection of encryption keys and the
`
`efficiency (speed) of the capability protection operation.
`
`The peripheral cryptographic controller chosen must be capable of high
`
`speed DES operations, be programmable to allow implementation of the
`
`capability protection operations, and be capable of communications
`
`through serial and/or parallel ports to the host computer at acceptable
`
`data rates.
`
`1
`
`
`
`
`
`
`
`1.1 PURPOSE AND SCOPE
`
`The purpose of the investigation reported here was to measure the
`
`efficiency (speed) of the peripheral cryptographic controller
`
`implementing the secret-key capability protection operations. The
`
`major point of interest was to compare experimental measurements of
`
`the peripheral cryptographic controller operations with host
`
`software implementation of the secret-key capability operations.
`
`Once the measurements of the peripheral cryptographic controller
`
`have been established, the decisions of software or peripheral
`
`device implmentation of secret-key capability protection can be
`
`determined for a particular host computer.
`
`This report will present the results of a performance test with a
`
`DEC VAX 11/780 and an attached peripheral cryptographic device. The
`
`cryptographic device is under prototype testing by LLNL for Xypher
`
`Security Systems and is referred to as the Secure Network Access
`
`Processor (SNAP).
`
`The investigation is concerned only in timing considerations of the
`
`peripheral cryptographic controller. Aspects of equipment
`
`reliabilty, availability, or security penetration measurements were
`
`not investigated at this time.
`
`2
`
`
`
`1.2 REPORT ORGANIZATION
`
`This report is divided into five sections:
`
`Section 2 describes the host computer, the peripheral cryptographic
`
`controller and the secret-key capability protection
`
`operation.
`
`Section 3 describes the procedures for conducting the test giving
`
`the specific timing measurements necessary to establish
`
`the efficiency characteristics of the peripheral
`
`cryptographic controller.
`
`Section 4 presents the measurement results described in section 3.
`
`Section 5 summarizes the major conclusions developed during the
`
`investigation.
`
`2.0 CONTEXT OF TEST
`
`2.1 HOST COMPUTER AND PERIPHERAL CRYPTOGRAPHIC CONTROLLER CONFIGURATION.
`
`Testing of the cryptographic controller was carried out using a DEC
`
`VAX 11/780 running the VMS operating system. The peripheral
`
`controller (SNAP) was connected to the VAX through a DZll serial
`
`RS232 port with a data rate of 9600 bits per second. The capability
`
`protection operations were programmed into the peripheral
`
`controller, by Xypher Security Systems, and invoked under command
`
`from the host computer test program. The test program allows
`
`operator terminal control over testing and provides capability
`
`operation time measurements at the terminal as determined by the
`
`VAX/VMS operation system.
`
`3
`
`
`
`2.2 SECRET-KEY CAPABILITY PROTECTION
`
`A brief description will be given of the capability protection
`
`operations as implemented by the peripheral controller. The number
`
`of DES block operations and the host-peripheral protocol byte size
`
`for each capability operation are significant in interpreting test
`
`results, and so will be described in some detail. Each of the DES
`
`operations in the capability protection operations requires a
`
`different key value to be loaded which causes considerable impact on
`
`the speed of each capability protection operation. Other details of
`
`the secret-key capability protection algorithm can be found in [4).
`
`There are four major operations necessary to the secret-key
`
`capability protection scheme to assure capability validation and the
`
`safe passing of capabilities.
`
`1. CREATE, generates a capability checksum. CREATE performs a
`
`cryptographic operation, based upon the information supplied, to
`
`generate a capability checksum for a newly created resource.
`
`The process requesting creation of the resource is returned a
`
`capability and checksum for future resource access.
`
`The capability checksum is derived from four 64-bit DES
`
`operations. The DES operations are based upon three parameters
`
`provided in the CREATE command. Format and parameter
`
`descriptions are indicated in Figure 2.1.
`
`
`
`2. CHECK, verifies the cryptographic checksum for a capability
`
`value. The CHECK operation, requested by a resource server,
`
`assures that the "capability" presented by the process
`
`requesting resource access has the right to access that
`
`resource. Figure 2.2 shows the CHECK request/response format.
`
`The checksum value provided in the CHECK request is compared
`
`against a generated checksum. The generated checksum is
`
`produced in the same manner as in the CREATE operation with
`
`information supplied in the CHECK request. Four DES operations
`
`are performed with a comparison of the two checksums. The
`
`response from the cryptographic controller indicates a
`
`successful/unsuccessful comparison or incorrect network address
`
`parameters supplied in the CHECK request.
`
`3. TRANSMIT, converts a capability checksum for secure transfer to
`
`another process. The TRANSMIT operation allows a process to
`
`securely transfer its capability for resource access to another
`
`process. The cryptographic operation performed by the TRANSMIT
`
`operation transforms the capability checksum, used for resource
`
`access authorization (CHECK), into another checksum that can
`
`only be decyphered by the addressed receiving process. Five
`
`64-bit DES operations are involved in the checksum trans(cid:173)
`
`formation. Figure 2.3 shows the TRANSMIT request/response
`
`format.
`
`5
`
`
`
`4. RECEIVE, converts a capability checksum received from another
`
`process. The RECEIVE operation allows the process receiving a
`
`protected capability checksum, from another process, to
`
`transform the capability checksum into a form useful in
`
`presenting to a resource server for resource access. Five
`
`64-bit DES operations are used in the checksum transformations.
`
`Figure 2.4 shows the RECEIVE request/response format •
`
`. 6
`
`
`
`request format to cryptographic controller:
`
`COMMAND I SRV I RCV I XO
`I (8) I (8) I (8)
`(1)*
`I
`I
`I
`
`Xl
`(8)
`
`*(II of bytes)
`
`Total bytes • 33
`
`COMMAND
`SRV
`RCV
`
`XO, Xl
`
`identifies the CREATE operation
`=
`"" host resource server network address
`= network address of process receiving
`capability and checksum.
`= capability value
`
`the
`
`response from cryptographic controller:
`
`status
`(1)*
`
`CHKSUM or
`ERROR
`(8)
`
`Total bytes = 9
`
`*(fl of bytes)
`
`status
`
`=
`
`CHKSUM or =
`ERROR
`
`checksum identifier if operation successful
`or error identifier if unsuccessful
`capability checksum value or error reason
`(ex:
`incorrect network addresses)
`
`Total bytes transferred for CREATE request/response = 42 bytes
`
`FIGURE 2.1
`
`CREATE Operation Request/Response Format
`
`7
`
`
`
`request format to cryptographic controller:
`
`COMMAND
`(l)*
`
`SRV
`( 8)
`
`XMT
`(8)
`
`XO
`( 8)
`
`Xl
`( 8)
`
`CK SUM
`( 8)
`
`Total bytes
`
`41
`
`*{If of bytes)
`
`COMMAND
`SRV
`XMT
`
`XO, Xl
`
`identifies the CHECK operation
`=
`= host resource server network address
`network address of process presenting
`capability for resource access
`= capability value
`
`response from cryptographic controller:
`
`status
`(l)*
`
`reason
`
`Total bytes = 9
`
`*(// of bytes)
`
`status
`
`reason
`
`= Acknowledge (ACK) for successful checksum
`comparison or negative acknowledge (NAK) for
`network address not defined or checksum
`comparison unsuccessful
`(ACK) status, reason not used
`(NAK) status, network address error or
`unsuccessful comparison
`
`=
`
`Total bytes transferred for CHECK request/response = 50 bytes
`
`FIGURE 2. 2
`
`CHECK Operation Request/Response Format
`
`
`
`request format to cryptographic controller:
`
`COMMAND
`(l)*
`
`SRV
`(8)
`
`XMT
`(8)
`
`RVC
`(8)
`
`CK SUM
`( 8)
`
`Total bytes = 33
`
`*(II of bytes)
`
`COMMAND
`SRV
`XMT
`RVC
`CK SUM
`
`=
`=
`
`=
`=
`
`identifies the TRANSMIT operation
`host resource server network address
`process network address sending capability
`process network address receiving capability
`capability checksum returned in previous
`CREATE operation
`
`response from cryptographic controller:
`
`status
`(l)*
`
`CKSUM or
`ERROR
`(8)
`
`Total bytes = 9
`
`*(It of bytes)
`
`status
`
`CKSUM or
`ERROR
`
`= Acknowledge (ACK) successful
`CKSUM conversion
`Negative acknowledge (NAK) for network
`address undefined
`= CHECKSUM value if successful
`error code reasons
`
`Total bytes transferred fo~~equest/response = 42 bytes
`·f {<.Ir /Jffe If ( '?;)
`
`FIGURE 2.3
`
`TRANSMIT Operation Request/Response Format
`
`9
`
`
`
`request format to cryptographic controller:
`
`COMMAND
`(l)*
`
`SRV I XMT
`(8) I (8)
`I
`
`*(II of bytes)
`
`RVC
`(8)
`
`CK.SUM
`( 8)
`
`Total bytes = 33
`
`COMMAND
`SRV
`XMT
`RVC
`CK.SUM
`
`=
`=
`=
`=
`
`identifies the RECEIVE operation
`host resource server network address
`process network address sending capability
`process network address receiving capability
`capability checksum returned in previous
`TRANSMIT operation
`
`response from cryptographic controller:
`
`status
`(l)*
`
`CKSUM or
`ERROR
`(8)
`
`Total bytes = 9
`
`*(II of bytes)
`
`status
`
`CKSUM or
`ERROR
`
`= Acknowledge (ACK) successful
`CKSUM conversion
`Negative acknowledge (NAK) for
`address undefined
`= CHECKSUM value if successful
`error code reasons
`
`network
`
`Total bytes transferred for CHECK request/response = 42 bytes
`
`FIGURE 2.4
`
`RECEIVE Operation Request/Response Format
`
`10
`
`
`
`3.0 TEST PROCEDURES
`
`Timing measurements of the cryptographic controller were measured in two
`
`parts. The first part consisted of individual timing measurements for
`
`each capability protection operation (CREATE, CHECK, XMT and RCV). The
`
`capability protection operations were initiated by a test program on the
`
`VAX. Elapsed time measurements for each operation were obtained from the
`
`VAX/VMS timing facility and represented the request/response time of the
`
`operation as seen by the test program.
`
`In addition, a logic analyzer
`
`(Hewlett-Packard Model 1610A) was placed at the peripheral cryptographic
`
`controller to measure the interval from the arrival of the last byte of
`
`the request block to the arrival of the first byte of the response. The
`
`time measurements obtained by the logic analyzer were used to determine
`
`the peripheral controller processing time of the operation.
`
`The second part of the test consisted of sending a group of 100 identical
`
`cryptographic protection operations to the cryptographic controller. The
`
`VAX/VMS timing facility measured the time from the request of the first
`
`operation to the response of the lOOth operation. Timing measurements
`
`recorded by the logic analyzer at the peripheral controller measured the
`
`interval time of 62 out of the 100 operations for each trial.
`
`(62
`
`measurements is the memory limitation of the logic analyzer for each
`
`trial).
`
`11
`
`
`
`The elapsed time measurement of the grouped operation, obtained by the
`
`VAX, was then divided by 100 for an average elapsed time to perform one
`
`capability protection operation. The average of the 62 individual
`
`recordings obtained by the logic analyzer was also used to represent the
`
`average time taken by the SNAP unit to perform one capability protection
`
`operation. Each capability protection operation (CREATE, CHECK, XMT and
`
`RCV) was tested in this manner.
`
`4.0 TEST RESULTS
`
`4.1
`
`INDIVIDUAL CAPABILITY OPERATION TESTS
`
`Thirty trials of each capability operation were observed. Figure
`
`4.1 shows a diagram of the measured components. The statistical
`
`results of the four operations are indicated in Table 4.1. The
`
`total operation time was determined by the VAX/VMS timing facility.
`
`Individual capability operation times taken from the VAX were too
`
`irregular for use in timing calculations, so total operation time
`
`(ttot) values shown in Table 4.1 were taken from the group
`
`) was
`operation test. The peripheral controller time segment (t
`pee
`obtained from the logic analyzer. The serial interface time segment
`
`was calculated from the serial line characteristics and the
`
`remaining time was attributed to the VAX/VMS I/O subsystem
`
`). A percentage of total elapsed time attributed to the
`(t
`vms
`timed components are indicated in Table 4.2.
`
`12
`
`
`
`HOST: VAX 11/780
`
`VMS
`
`PERIPHERAL
`CRYPTOGRAPHIC CONTROLLER
`
`n(cid:173)
`z
`1
`1
`
`SNAP
`
`serial interface
`9600 bits/s
`
`tvms = VAX/VMS I/O Facility time.
`
`tI/O
`
`Represents the input-output time for interface.
`
`tpcc = Peripheral cryptographic controller time.
`
`Figure 4.1 Time Components of Capability Protection Operations
`
`13
`
`
`
`Operation
`
`Mean Time
`Measurements
`Peripheral
`Crypto Con(cid:173)
`t roller Time
`(tpcc>
`
`(MS)
`
`Total
`Operation
`Time
`(ttot>*
`(MS)
`
`Calculated Time
`Serial
`VAX/VMS
`Interface
`I/O Facility
`**
`Time ***
`(tI/o)
`(tvms>
`
`(MS)
`
`(MS)
`
`CREATE
`
`CHECK
`
`TRANSMIT
`
`RECEIVE
`
`54.5
`
`61. 2
`
`56.5
`
`56.5
`
`6.3
`
`4.7
`
`8.9
`
`8.9
`
`43.8
`
`52.1
`
`43.8
`
`43.8
`
`4.5
`
`4.5
`
`3.8
`
`3.8
`
`* ttot =
`
`tpcc + tI/O + tvms
`
`** tI/o =
`
`(response/request) (10 Bits)
`Total Bytes
`Byte
`9600 Bits
`Sec
`
`Table 4.1 Statistical Time Results of Individual
`Capability Operations with a 9600 bit/sec
`Serial Interface
`
`
`
`\ . _____ 14 - - - - -
`
`
`
`Percentages of Total Elapse Time
`
`Operation
`
`CREAtE
`
`CHECK
`
`TRANSMIT
`
`RECEIVE
`
`11.6
`
`7.6
`
`15.8
`
`15.8
`
`% tI/o
`
`% tvms
`
`80.2
`
`85.1
`
`77 .5
`
`77 .5.
`
`8.2
`
`7.3
`
`6.7
`
`6.7
`
`Table 4.2
`
`Time Component Percentage of Capability Protection
`Operations for Tested Configuration
`
`15
`
`
`
`4.2 GROUPED OPERATION TEST
`
`Twenty trials of the grouped operations were observed for each capability
`
`protection operation. Each group operation consisted of 100 identical
`
`operations performed in sequence. The time between the first and last
`
`operation was measured by the VAX/VMS test software. The twenty trial results
`
`were averaged to produce a mean time for each of the four capability
`
`protection operations. The logic analyzer was used to obtain the elapsed time
`
`of 62 out of the 100 operations for each of the twenty trials. The average of
`
`the 62 recordings from each trial was then averaged to obtain an overall
`
`average for each of the four capability protection operations. The final
`
`averaged time values are indicated in Table 4.3. Results from the two
`
`different timing sources were shown to be similar indicating reasonable
`
`accuracy in the resulting values.
`
`Elapsed Time,
`Measured Using
`VAX/VMS Facilities (MS)
`
`Elapse Time,
`Measured Using
`Logic Analyzer at
`Peripheral Controller (MS)
`
`54.5
`
`61.2
`
`56.5
`
`56.5
`
`54.5
`
`61.0
`
`56.4
`
`56.5
`
`Operation
`
`CREATE
`
`CHECK
`
`TRANSMIT
`
`RECEIVE
`
`Table 4.3
`
`Mean Time Capability Protection Operation Using Grouped
`Operation Tests.
`
`16
`
`
`
`5.0 CONCLUSION
`
`Performance measurements of the peripheral cryptographic controller
`
`have indicated that use of an outboard capability protection
`
`peripheral is economically justified with some qualifying
`
`considerations.
`
`Tests conducted on the DEC VAX 11/780 indicate that the time taken to
`
`perform a capability protection operation using the SNAP cryptographic
`
`controller can be broken down into three major components: 1) the
`
`time taken by the operating system to initiate and process an
`
`operation, 2) the time taken to move the operation request and
`
`response over the interface between the VAX and the SNAP unit, and 3)
`
`the time taken by the SNAP unit to perform the operation. Tests
`
`showed that 9.2 - 12.7 ms was necessary for the operating system and
`
`SNAP unit to perform an operation. Since a software implementation
`
`takes 14.8 - 17.9 ms to perform a capability operation, the SNAP unit
`
`will perform as well or better than a software implementation when the
`
`I/O interface operates at a rate of 65k bits per second or higher.
`
`Design has begun by Xypher Security Systems for a DRllW parallel
`
`interface to its SNAP unit that will operate at
`
`2 Mbps. Figure 5.1 shows the decrease in total capability protection
`
`operation time as the I/O rate increases. As can be seen, performance
`
`at DRllW data rates will be superior to the software implementation
`
`performance.
`
`17
`
`
`
`In addition, the VAX system will not have to expend 14.8 - 17.9 ms of
`
`processor time when using the SNAP \lllit implementation.
`
`Improvements
`
`to the capability protection code in the SNAP unit and minor SNAP
`
`hardware improvements (not available in the prototype unit used for
`
`this test report) are continuing. SNAP processing time of less than
`
`4 ms are expected due to these improvements. Thus, it is expected
`
`that the advantages of the SNAP unit implementation will be even
`
`higher in the future.
`
`18
`
`
`
`Total
`operation
`time
`(ms)
`
`60
`
`50
`
`40
`
`30
`
`20
`
`10
`
`0
`
`0
`
`serif l
`asvnc l"onous
`inter ace
`
`serial srochionous
`or par .l.le
`inter ace
`
`( ® measured pts. in test )
`
`operational time range of
`peripheral controller
`implementation (tt 0 t). *
`
`operational time range of
`software implementation
`
`20
`
`40
`
`60
`
`80
`
`100
`
`120
`
`140 160
`
`180
`
`200
`
`220
`
`I/O data rate (k bits/sec)
`
`*
`
`Figure 5.1
`
`Total operation time vs I/O data rate
`for VAX 11/780 to peripheral controller (SNAP).
`
`19
`
`
`
`6.0 ACKNOWLEDGEMENTS
`
`I would like to acknowledge Dan Nessett (LLNL) and Chuck Cole (LLNL) for
`
`their helpful suggestions in the development of this report, and to Rich
`
`Belles (LLNL) for his optimized VAX machine language DES implementation
`
`used to estimate software capability protection time values.
`
`Acknowledgement is also due to the concerted efforts of Wayne Catlett
`
`(Xypher Security Systems) for contributions in obtaining the test
`
`measurements required of the SNAP peripheral cryptographic controller
`
`implementation.
`
`20
`
`
`
`7.0 REFERENCES:
`
`1.
`
`J. E. Donnelley and J. G. Fletcher, "Resource Access Control in a
`
`Network Operating System," Proceedings of ACM Pacific '80,
`
`Moon-Lith Press, Mountain View, California, 1980.
`
`2.
`
`J. G. Fletcher and R. W. Watson, "Service Support in a Network
`
`Operating System," Proceedings of IEEE COMCON
`
`'80, San Francisco,
`
`California, February 25-28, 1980, 415-424.
`
`3. D. N. Nessett, "Identifier Protection in a Distributed Operations
`
`System", Proceedings of the National Electronics Conference,
`
`October, 1981, Vol. 35, also appeared in Operating System Review,
`
`January, 1982.
`
`4.
`
`A. Sorkin, "Measurement of Cryptographic Capability Protection
`
`Algorithms", in press.
`
`5.
`
`R. W. Watson and J. G. Fletcher, "An Architecture for Support of
`
`Network Operating Systems Services." Computer Networks 4, 1,
`
`33-49 (1980).
`
`21
`
`
`
`