Performance Analysis of SSL/TLS - ijiset.comijiset.com/v1s6/IJISET_V1_I6_87.pdf · IJISET -...
Transcript of Performance Analysis of SSL/TLS - ijiset.comijiset.com/v1s6/IJISET_V1_I6_87.pdf · IJISET -...
IJISET - International Journal of Innovative Science, Engineering & Technology, Vol. 1 Issue 6, August 2014.
www.ijiset.com
ISSN 2348 – 7968
Performance Analysis of SSL/TLS Shazia Riaz, Shafia, Asma Sajid, Madiha Kanwal
Department of Information Technology (GC University, Faisalabad, Pakistan
Department of Computer Science
(GC University, Faisalabad, Pakistan
Department of Computer Science (GC University, Faisalabad, Pakistan
Department of Computer Science
(GC University, Faisalabad, Pakistan Abstract:The Internet has undoubtedly become the largest public data network, enabling and facilitating both personal and business communications worldwide. While the Internet has opened the door to an increasing number of security threats from which corporations must protect themselves. With the growth of the Internet, many applications need to securely transmit data to remote applications and computers. TCP/IP protocol suit is core part for the communication for any network, by means that TCP/IP with the collaboration of SSL/TLS provides the solid security. SSL is designed to resolve the security issues as an open standard. Secure Sockets Layer (SSL) is the Internet security protocol for point-to-point connections. This study focuses on the performance analysis of SSL/TLS with different protocols as well as it will lead us to learn about the limiting behavior of SSL/TLS in TCP/IP. Further, future extensions of SSL/TLS must be the part of this research. Keywords: Phishing, Spoofing, OTP, LDAP, SSL/TLS, TCP/IP, FTP, IMAP, POP3, HTTP
1 Introduction Securing the modern business network and IT infrastructure demands an end-to-end approach and a firm grasp of vulnerabilities and associated protective measures. Most electronic commerce (e-commerce) applications in use today employ the Secure Sockets Layer (SSL) which is now also known as the Transport Layer Security protocol (TLS), defined by the draft Internet standard RFC2246 to authenticate the server and to cryptographically protect the communication channel between the client and the server. The SSL protocol, allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection. SSL/TLS provides support for user authentication based on public key certificates. But in practice, due to the slow deployment of these certificates, user authentication usually occurs at the application layer. There are many options here; including personal
identification numbers (PINs), passwords, passphrases, as well as“strong” authentication mechanisms, such as one-time password (OTP) and challenge-response (C/R) systems. In theory, the SSL/TLS protocol is assumed to be sound and secure. In practice, however, the vast majority of SSL/TLS-based e-commerce applications, employing user authentication at the application layer, are vulnerable to phishing, Web spoofing and most importantly man-in-the-middle (MITM) attacks. SSL runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. It was originally invented by Netscape and has become a de facto Internet standard. For the SSL 3.0 specification (also called SSL v3) in plain text form, SSL, or more specifically, the RSA public-key cryptographic operations usually used to exchange the session key at the start of a connection, is computationally intensive. It takes far more CPU time to establish an SSL connection than a normal connection. In this study the strength of SSL/TLS is proved as a greatest protocol working with TCP/IP for secure network communication
Fig. 1SSL Session Initiation between Client and Server
524
IJISET - International Journal of Innovative Science, Engineering & Technology, Vol. 1 Issue 6, August 2014.
www.ijiset.com
ISSN 2348 – 7968
2 Previous Research [Homin K. Lee et al., 2007] proved the strength of SSL (Secure Socket Layer) or TLS (Transport Layer Security) as a strongest security mechanism in client server environment publically. SSL/TLS uses cryptographic algorithms to encrypt data and communication. Homin K. Lee et al. developed a mechanism for this purpose named Probing SSL Security Tool (PSST) and checked its performance on more than 19,000 public servers. This tool checks the security by varying levels of security and changing the encryption algorithms used in SSL cryptography acceptable over the larger networks including internet. The outcomes of the tool shows an encouraging use of advanced security algorithms but there is not as fast adoption as needed. [Rolf Oppliger et al., 2007] addressed the severe danger caused by Man in The Middle Attacks for SSL/TLS web application especially dealing financial transactions. Man in The Middle Attacks has no counter measure even for application running in support of SSL/TLS because those applications have no clear procedure for verification of user. Rolf Oppliger et al. demonstrated that their mechanism named “SSL/TLS session-aware user authentication” provides remedies to these problems. They make some variations in their mechanism and check it for user authentication. It begins with self-verification with passwords. After that improvements and expansions are discussed. Options for putting into practice their approach are also discussed. [Zanin et al., 2007] designed a signature protocol for distributed systems especially useful for extensive and temporary mobile networks, which used encryption based on RSA algorithms. Security constraints and structural restrictions are also presented in the protocol designed, even it is very vigorous, adoptable and for scattered networks. According to researchers performance of the designed protocol can be increased to a level if the number of participants in the network is limited. Protocol proposed by Zanin et al. is robust according to them as it worked well for limited number of nodes and allow them to create suitable encrypted digital signature. An intruder is unable to break security for chosen number of participants, hence cannot disturb the performance of network or make digital signature illegal. The characteristics of this protocol are immense as compared to the limitations of less number of nodes. [Shi qun li et al.,2008] argued the network performance degrades in the presence of SSL/TLS. Secure Socket Layer is based on encryption algorithms to encrypt data and keys. This algorithm used complex calculation which involves intensive arithmetic for keys that
degrades performance, thus making SSL/TLS snowed under and loses its power in terms of efficiency while deciphering the data and keys. When number of requests to server containing SSL/TLS increases performance decreases. Shi Qun li et al. proposed a solution by suggesting modifications in RSA algorithm called “Batched RSA decryption algorithm”. This suggested algorithm increases network efficiency by offering accountably acceptable response time. At the same time deciphering process is also enhanced and accelerated, comparative to the size of b for batch. This technique is analyzed with some variations by the researchers in this study. [Wooyoung Jung et al.,2009] worked for IPv6 security issues I wireless networks. Wooyoung Jung et al. developed a cryptographic protocol for Internet Protocol – Wireless Sensor Networks. Wireless sensor networks architecture integrating their mechanism with IPv6, are immensely used everywhere in the world. But this architecture failed to provide security, because it is a known fact that IPWSN take it as a heavy load to become accustom with cryptographic protocols of internet. These mobile networks are light Wight in hardware having RAM inn Kilobytes, and a slow processor, so it uses very light components o Secure Socket Layer (SSL) protocol. By implementing the proposed protocol in these light Wight systems, utilization of resources are low such as only 7 Kilobytes of RAM, 64 Kilobytes of flash memory for verification of user. It uses RC4 algorithm for message encryption. Session initiation of SSL handshake in this protocol take much less time and transmit a large size of data. It can be very smoothly used for domestic purposes as well as for healthcare and in army. [Fang Qi et al.,2009] introduced that the suggested SSL session initialization can be enhanced in efficiency by secret swap over algorithm.This research at first shows that several certificates are needed in earlier version of SSL which uses batch RSA that is not practical for implementation.After that it presented only one of its kind certificate, which cope with the problem of multiple certificates.The optimized approach, concentrate over public key size to get better results, which have its foundation on the constrained model taking into account the user requirements for raking of aware security . Optimized arguments usage is also introduced while combining them with consumer needs for quality of service over internet. Constancy of the system and the bearable response time are example of QoS. At the end, by analysis and simulations shows that suggested algorithm are appraised to be practical and efficient.
525
IJISET - International Journal of Innovative Science, Engineering & Technology, Vol. 1 Issue 6, August 2014.
www.ijiset.com
ISSN 2348 – 7968
[Pratik Guha and Shawn Fitzgerald, 2013] claimed that overlastfewyears,anumberofvulnerabilitieshavebeendiscoveredintheTransportLayerSecurityprotocol. ThepurposeofthispaperistoserveasananalysisofrecentattacksonSSL/TLS andasareferenceforrelatedmitigationtechniques;particularlyastheyrelatetoHTTPS. [Devdatta Akhawe et al., 2013]performeda large-scale measurement study of common TLS warnings.Using a set of passive network monitors located at differentsites, they checked the population of about 300,000 users over a nine-month period. Theyidentified low-risk scenarios that consume a large chunk of theuser attention budget and make concrete recommendationsto browser vendors that helped to maintain user attentionin high-risk situations. They studied the impact on end userswith a data set much larger in scale than the data sets usedin previous TLS measurement studies. A key novelty of approach involves the use of internal browser code instead ofgeneric TLS libraries for analysis, providing more accurateand representative results.
3 Proposed Work
3.1 Testing Roadmap
1. Construction of hypothesis 2. Analyzing Test bed requirements. 3. Installing and configuring LAN
Installing and configuring Windows 2003 server on server machine
Installing and configuring Windows XP on client machines.
4. Installing and configuring network monitoring tools
5. Configuring security mechanisms. 6. Perform statistical analysis of LAN
performance
3.2 Testing Hypothesis
1. Presence of security (SSL/TLS) affects the performance of network in terms of response time, delay, bandwidth utilization and throughput.
2. Presence of security (SSL/TLS) does not affect the performance of network in terms of response time, delay, bandwidth utilization and throughput.
3.3 Testing Procedures
Testing is done to check response time of FTP, POP3 and IMAP protocols. For each protocol two cases are made, in first case reading are taken in the presence
of SSL/TLS and in second case readings are taken in the absence of SSL/TLS.
Fig.2 SSL/TLS and TCP for Secure communication
Case 1: FTP Service with Security(In the Presence of SSL/TLS)
Configuring one machine as FTP Server with Security. FTP Server IP = 172.16.0.1 255.255.0.0
Configuring other machine as FTP Client. FTP Client IP = 172.16.0.2 255.255.0.0
At server side configuring a folder for FTP sharing and copying zip files of size 20, 40, 60...4000 MB.
At client side downloading files using FileZilla and noticing response time.
Fig.3 FTP Service in Presence of SSL/TLS
Case 2: FTP Service withoutSecurity (In Absence of SSL/TLS)
Configuring one machine as FTP Server with no Security. FTP Server IP = 172.16.0.1 255.255.0.0
Configuring other machine as FTP Client. FTP Client IP = 172.16.0.2 255.255.0.0
At server side configuring a folder for FTP sharing and copying zip files of size 20, 40, 60 ...4000 MB from client.
At client side downloading files using FileZilla and noticing response time.
526
IJISET - International Journal of Innovative Science, Engineering & Technology, Vol. 1 Issue 6, August 2014.
www.ijiset.com
ISSN 2348 – 7968
Fig.4 FTP Service in Absence of SSL/TLS
Case 3: IMAP Service With Security(In the Presence of SSL/TLS)
Configuring one machine as E-mail Server (IMAP) with Security.
– IMAP Server IP = 172.16.0.1 255.255.0.0
– Installing MS Outlook at server machine.
Configuring other machine as E-mail Client (IMAP).
– IMAP Client IP = 172.16.0.2 255.255.0.0
– Installing MS Outlook at client machine.
At server side sending emails to clients and attach zip files of size 20, 40, 60 ...4000 MB.
At client side configuring MS-Outlook to receive emails from server, and noting down response time.
Fig. 4 IMAP Service in Presence of SSL/TLS
Case 4: IMAP Service withoutSecurity (In the Absence of SSL/TLS)
Configuring one machine as E-mail Server (IMAP) with no Security.
– IMAP Server IP = 172.16.0.1 255.255.0.0
– Installing MS Outlook at server machine.
Configuring other machine as E-mail Client(IMAP).
– IMAP Client IP = 172.16.0.2 255.255.0.0
– Installing MS Outlook at client machine.
At server side sending emails to clients and attach zip files of size 20,40,60...4000 MB.
At client side configuring MS-Outlook to receive emails from server, and noting down response time.
Fig. 5 IMAP Service in Absence of SSL/TLS
Case 5: POP3 Service withSecurity (In the Presence of SSL/TLS)
Configuring one machine as E-mail Server (POP3) with Security.
– POP3 Server IP = 172.16.0.1 255.255.0.0
– Installing MS Outlook at server machine.
Configuring other machine as E-mail Client (POP3).
– IMAP Client IP = 172.16.0.2 255.255.0.0.
– Installing MS Outlook at client machine.
At server side sending emails to clients and attach zip files of size 20, 40, 60 ...4000 MB.
At client side configuring MS-Outlook to receive emails from server, and noting down response time.
Fig. 6 POP3 Service in Presence of SSL/TLS
Case 6: POP3 Service without Security(In the Absence of SSL/TLS)
Configuring one machine as E-mail Server (POP3) with no Security.
527
4
Dtitoao
So
–
–
Config(POP3
–
–
At serattach
At clreceivrespon
Fig. 7
4 Results
Data in graph sime of FTP. To show the di
and absence of of network.
Fig.8 FTP Respo
Sum of responsof security on
IJISET - Internati
POP3 Se255.255.0.0
Installing machine.
guring other 3). POP3 Cl
255.255.0.0 Installing
machine. rver side sendzip files of siz
lient side cove emails fromnse time.
7 POP3 Service in
shows that secThese values ar
fference in resf SSL/TLS. Sec
onse Time Graph f
se time is takenresponse time
ional Journal of In
erver IP =0.
MS Outlook
machine as E
lient IP = 0.
MS Outlook
ding emails toze 20, 40, 60 …onfiguring MSm server, and
Absence of SSL/T
curity increasesre taken as measponse time incurity degrades
for Data With Resp
n to see the coof FTP in the
nnovative Science,
ww
= 172.16.0.1
k at server
E-mail Client
172.16.0.2
k at client
o clients and …4000 MB. S-Outlook to noting down
TLS
s the response an of 5 values n the presence s performance
pect to Security
ollective effect e absence and
Engineering & Te
ww.ijiset.com
presensecuritime i
Tabl
Su
Graphclearly
Fig.9 S
Averaeffectand pof secsecuridecrea
Table
A
Graphmore FTP.
echnology, Vol. 1
nce of SSL/TLity on the perincreases with
le 1: Sum of Respo
No Sum 3346
h for sum of ry that how SSL
Sum of Response T
age of responst of security onpresence of SScurity on the ity response ases.
e 2: Average Resp
No Average 167
h for average clearly that ho
Issue 6, August 20
LS. This showrformance of security and ef
onse Time for FTP
Security 60
response time L degrades the
Time Graph for FT
se time is takn response timeSL/TLS. This s
performance time increas
ponse Time for FTP
Security 7.300
of response ow SSL degrad
014.
ISSN 2
ws the actual network that fficiency decre
P With Respect to
SSL/TLS33475
shows the resperformance o
TP With Respect t
ken to see thee of FTP in theshows the actu
of network tses and perf
P With Respect to
SSL/TLS167.375
time shows thdes the perform
348 – 7968
effect of response
eases.
Security
S
sult more of FTP.
to Security
e average e absence ual effect that with formance
o Security
he result mance of
528
Dtitoao
F
Sopsti
Fig.10 Average
Data in graph sime of IMAP. o show the di
and absence of of network.
Fig.11 IMAP Resp
Sum of responsof security on rpresence of SSsecurity on theime increases w
Table 3: Sum of R
Sum
IJISET - Internati
e Response Time G
Secur
shows that secThese values
fference in resf SSL/TLS. Sec
ponse Time Graph
se time is takenresponse time oSL/TLS. This e performancewith security a
Response Time fo
No Security 63597
ional Journal of In
Graph for FTP Wi
rity
curity increasesare taken mea
sponse time incurity degrades
h for Data With Re
n to see the coof IMAP in theshows the ac
e of network and efficiency d
r IMAP With Resp
SSL/T63770
nnovative Science,
ww
ith Respect to
s the response an of 5 values n the presence s performance
espect to Security
ollective effect e absence and
ctual effect of that response decreases.
pect to Security
TLS
Engineering & Te
ww.ijiset.com
GraphclearlyIMAP
Fig
Averaeffectabseneffectwith decrea
Table
A
Graphmore IMAP
Fig.
echnology, Vol. 1
h for sum of ry that how
P.
.12 Sum of Respo
age of responst of security nce and presenct of security osecurity respoases.
4: Average Respo
No Average 317
h for average clearly that ho
P.
13 Average Respo
Issue 6, August 20
response time SSL degrades
nse Time Graph fo
Security
se time is takon response tce of SSL/TLSon the performnse time incre
onse Time for IMA
Security 7.985
of response ow SSL degrad
onse Time Graph f
Security
014.
ISSN 2
shows the ress the perform
or IMAP With Res
ken to see thetime of IMAP
S. This shows tmance of netweases and perf
AP With Respect to
SSL/TLS318.35
time shows thdes the perform
for IMAP With Re
348 – 7968
sult more mance of
spect to
e average P in the the actual work that formance
o Security
he result mance of
espect to
529
Dtitoao
F
Sopsti
Gc
Data in graph sime of POP3. o show the di
and absence of of network.
Fig.14 POP3 Resp
Sum of responsof security on rpresence of SSsecurity on theime increases w
Table 5: Sum of R
Sum
Graph for sumclearly that how
IJISET - Internati
shows that secThese values fference in res
f SSL/TLS. Sec
ponse Time Graph
se time is takenresponse time SL/TLS. This e performancewith security a
Response Time fo
No Security 63595
m of response tw SSL degrade
ional Journal of In
curity increasesare taken mea
sponse time incurity degrades
for Data With Re
n to see the coof POP3 in theshows the ac
e of network and efficiency d
or POP3 With Resp
SSL/T63980
time shows thes the performa
nnovative Science,
ww
s the response an of 5 values n the presence s performance
spect to Security
ollective effect e absence and
ctual effect of that response decreases.
pect to Security
LS
he result more ance of POP3.
Engineering & Te
ww.ijiset.com
Fig
Averaeffectabseneffectwith decrea
Table
A
Graphmore POP3
Fig.
5 C
SSL pperfortime fand pthe staby Rcompuestabl
Otherbandwstreng
echnology, Vol. 1
g.15Sum of Respon
age of responst of security nce and presenct of security osecurity respoases.
6: Average Respo
No Average 317
h for average clearly that ho.
15 Average Respo
Conclusion
provides high-rmance of thefor FTP, IMAP
performance ofart of the conn
RSA public utationally intlish SSL conne
r parameters width utilizatigth of SSL/TLS
Issue 6, August 20
nse Time Graph fo
Security
se time is takon response
ce of SSL/TLSon the performnse time incre
onse Time for IMA
Security 7.975
of response ow SSL degrad
onse Time Graph f
Security
-level securitye network to sP and POP3 inf network degrnection of SSL
key cryptogrtensive. It takection than a no
such as deon can be cS.
014.
ISSN 2
or POP3 With Res
ken to see thetime of POP3
S. This shows tmance of netweases and perf
AP With Respect to
SSL/TLS319.9
time shows thdes the perform
for IMAP With Re
y, but it also some extent. Rncreased with Srades. Session
L are usually exraphy operaties more CPUormal connecti
elay, throughpchecked to pr
348 – 7968
spect to
e average 3 in the the actual work that formance
o Security
he result mance of
espect to
degrades Response SSL/TLS n keys at xchanged ion, are
U time to ion.
put and rove the
530
IJISET - International Journal of Innovative Science, Engineering & Technology, Vol. 1 Issue 6, August 2014.
www.ijiset.com
ISSN 2348 – 7968
6 Future Work
The main aim behind the thesis was to check the effect of SSL/TLS on the performance of network at the cost of security. The process can be continued to check effect on other protocols like LDAP etc. Furthermore, other parameters such as delay, throughput and bandwidth utilization can be checked to prove the strength of SSL/TLS. Performance of a secure network can increase in the presence on SSL/TLS by improving the strength of SSL/TLS without degrading performance. Cryptographic algorithm with reduced key size might be used to provide maximum security, especially the size of session keys exchanged at session establishment might be reduced which is done using asymmetric encryption.
References
[1] Homin, K., Lee. Malkin, T,andNahum, E.“Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices”;New York Software Industry Association, USA, ACM 978-1-59593-908, 2007.
[2]Oppliger, R. Hauser, R. andBasin, D.” SL/TLS Session-Aware User Authentication”Proceedings of the 15th GI/ITG Conference on “Kom-munikation in Verteilten Systemen” (KiVS ’07), Berne (Switzerland), Springer-Verlag, Berlin, LNCS, 2007, 225–236.
[3] Zanin, G. Pietro, D, R. and Mancini, L.,“Robust RSA distributed signatures for large-scale long-lived ad hoc networks”, Journal of Computer Security, 15, 1, 2007, 171-196.
[4] Shi-Qun Li. Dong, Y Wu. Zhou,Y and Chen, K. A,“Practical SSL server performance improvement algorithm based on batch RSA decryption”,Journal of Shanghai Jiaotong University (Science), 13, 1, 2008, 67-70.
[5] Jung,W. Hong, S. Minkeun Ha. Kim, Y and Kim, D.,“SSL-based lightweight security of IP-based wireless sensor networks”, Korea Science and Engineering Foundation (KOSEF), Korea, 2009.
[6] Fang Qi. Tang, Z. Wang, G. and Wu, A.,“User Requirements aware Security Ranking in SSL Protocol” Mater Thesis, Department of Science and Engineering, Central South University, Changsha, China, 2009.
[7] Guha,P. S and Fitzgerald,S.,“Attacks on SSL A comprehensive study of beast, crime, time, breach, lucky” 13 & RC4 BIASES, iSEC Partners. Available at:https://www.isecpartners.com/ media/106031/ssl_attacks_survey.pdf2013.
[8] Akhawe, D. Amann, B. Vallentin, M. and Sommer, R., “Here's My Cert, So Trust Me, Maybe? Understanding TLS Errors on the Web” WWW 2013, May 13–17, 2013, Rio de Janeiro, Brazil.ACM 978-1-4503-2035-1/13/05, 2013.
531