Browse Prior Art Database

Cryptographic Algorithm Throttle

IP.com Disclosure Number: IPCOM000132394D
Original Publication Date: 2005-Dec-12
Included in the Prior Art Database: 2005-Dec-12
Document File: 1 page(s) / 21K

Publishing Venue

IBM

Abstract

There are a variety of cryptographic algorithms available; e.g. des, 3des, blowfish,mars,etc. Each algorithm has it's tradeoffs of speed vs. strength. If a computer must send all network traffic encrypted with a heavy security, which consumes the resources of the CPU, then this is just as bad as a denial of service attack. It is akin to a security policy: unplug your computer for optimal security. This policy is not practical. Equally impractical is to use a CPU intensive cryptographic algorithm which drains system performance and response time. Some computers may have the horsepower to use these stronger crpto algorithms. But even these computers, under a heavy load, give up performance and response time when strong crypto algorithms are being used, making the strong crypto impractical. Because of this dilemma, system administrators have had to make trade offs on which encryption algorithm to use, thus, the development of of so many different algorithms. In addition, once an algorithm is chosen, it does not adjust to the system load. Cryptographic Algorithm Throttle (CAT) uses a protocol handshake opportunity in the Ipsec/IKE protocol, to dynamically adjust the crypto algorithms to performance needs, without ever braking a network connection or any communication stream. Make no mistake, Systems Admins must make these same performance vs. security balances today when they configure IPsec.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 68% of the total text.

Page 1 of 1

Cryptographic Algorithm Throttle

The idea of CAT is to leverage the periodic handshaking of IPsec with loadbalancing the system, and the optimal data protection. The Internet Key Exchange (IKE) protocol describes how a Security Associate (aka Virtual Private Network) is set up between two network connected computers. The IKE protocol is used by the two computers to security negotiate the crypto algorithm to be used and a randomly generated session key.

Internet Key Exchange RFC2409 (ftp://ftp.rfc-editor.org/in-notes/rfc2409.txt) page 34, also defines Life Type in seconds or kilobytes. This is intended to protect the integrity of the session key. If a Life Type 120 seconds is specified, then after two minutes the IKE protocol, via handshaking with the remote side will negotiate a session key. This does not interrupt existing TCP connections, UDP, etc.

CAT would extend it's negotion to that of the crypto algorithm being used in the Security Association. CAT would use system performance monitor , e.g vmstat) to monitor the sytsem during the same life time. In the case of vmstat, CAT could use the average of Idle Time or Extended Capacity Consumed to determine if a stronger or more performance friendy crypto algorithm should be proposed during the Life Time key Negotiation.

Currently an IKE Security Association can be configured to support multiple protocols. CAT would reorganize these based on system performance needs. Thus, if more performance is needed, CAT would...