Performance Analysis of SSL/TLS - ijiset.comijiset.com/v1s6/IJISET_V1_I6_87.pdf · IJISET -...

IJISET - International Journal of Innovative Science, Engineering & Technology, Vol. 1 Issue 6, August 2014.

www.ijiset.com

ISSN 2348 – 7968

Performance Analysis of SSL/TLS Shazia Riaz, Shafia, Asma Sajid, Madiha Kanwal

Department of Information Technology (GC University, Faisalabad, Pakistan

Department of Computer Science

(GC University, Faisalabad, Pakistan

Department of Computer Science (GC University, Faisalabad, Pakistan

Department of Computer Science

(GC University, Faisalabad, Pakistan Abstract:The Internet has undoubtedly become the largest public data network, enabling and facilitating both personal and business communications worldwide. While the Internet has opened the door to an increasing number of security threats from which corporations must protect themselves. With the growth of the Internet, many applications need to securely transmit data to remote applications and computers. TCP/IP protocol suit is core part for the communication for any network, by means that TCP/IP with the collaboration of SSL/TLS provides the solid security. SSL is designed to resolve the security issues as an open standard. Secure Sockets Layer (SSL) is the Internet security protocol for point-to-point connections. This study focuses on the performance analysis of SSL/TLS with different protocols as well as it will lead us to learn about the limiting behavior of SSL/TLS in TCP/IP. Further, future extensions of SSL/TLS must be the part of this research. Keywords: Phishing, Spoofing, OTP, LDAP, SSL/TLS, TCP/IP, FTP, IMAP, POP3, HTTP

1 Introduction Securing the modern business network and IT infrastructure demands an end-to-end approach and a firm grasp of vulnerabilities and associated protective measures. Most electronic commerce (e-commerce) applications in use today employ the Secure Sockets Layer (SSL) which is now also known as the Transport Layer Security protocol (TLS), defined by the draft Internet standard RFC2246 to authenticate the server and to cryptographically protect the communication channel between the client and the server. The SSL protocol, allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection. SSL/TLS provides support for user authentication based on public key certificates. But in practice, due to the slow deployment of these certificates, user authentication usually occurs at the application layer. There are many options here; including personal

identification numbers (PINs), passwords, passphrases, as well as“strong” authentication mechanisms, such as one-time password (OTP) and challenge-response (C/R) systems. In theory, the SSL/TLS protocol is assumed to be sound and secure. In practice, however, the vast majority of SSL/TLS-based e-commerce applications, employing user authentication at the application layer, are vulnerable to phishing, Web spoofing and most importantly man-in-the-middle (MITM) attacks. SSL runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. It was originally invented by Netscape and has become a de facto Internet standard. For the SSL 3.0 specification (also called SSL v3) in plain text form, SSL, or more specifically, the RSA public-key cryptographic operations usually used to exchange the session key at the start of a connection, is computationally intensive. It takes far more CPU time to establish an SSL connection than a normal connection. In this study the strength of SSL/TLS is proved as a greatest protocol working with TCP/IP for secure network communication

Fig. 1SSL Session Initiation between Client and Server

524


www.ijiset.com

ISSN 2348 – 7968

2 Previous Research [Homin K. Lee et al., 2007] proved the strength of SSL (Secure Socket Layer) or TLS (Transport Layer Security) as a strongest security mechanism in client server environment publically. SSL/TLS uses cryptographic algorithms to encrypt data and communication. Homin K. Lee et al. developed a mechanism for this purpose named Probing SSL Security Tool (PSST) and checked its performance on more than 19,000 public servers. This tool checks the security by varying levels of security and changing the encryption algorithms used in SSL cryptography acceptable over the larger networks including internet. The outcomes of the tool shows an encouraging use of advanced security algorithms but there is not as fast adoption as needed. [Rolf Oppliger et al., 2007] addressed the severe danger caused by Man in The Middle Attacks for SSL/TLS web application especially dealing financial transactions. Man in The Middle Attacks has no counter measure even for application running in support of SSL/TLS because those applications have no clear procedure for verification of user. Rolf Oppliger et al. demonstrated that their mechanism named “SSL/TLS session-aware user authentication” provides remedies to these problems. They make some variations in their mechanism and check it for user authentication. It begins with self-verification with passwords. After that improvements and expansions are discussed. Options for putting into practice their approach are also discussed. [Zanin et al., 2007] designed a signature protocol for distributed systems especially useful for extensive and temporary mobile networks, which used encryption based on RSA algorithms. Security constraints and structural restrictions are also presented in the protocol designed, even it is very vigorous, adoptable and for scattered networks. According to researchers performance of the designed protocol can be increased to a level if the number of participants in the network is limited. Protocol proposed by Zanin et al. is robust according to them as it worked well for limited number of nodes and allow them to create suitable encrypted digital signature. An intruder is unable to break security for chosen number of participants, hence cannot disturb the performance of network or make digital signature illegal. The characteristics of this protocol are immense as compared to the limitations of less number of nodes. [Shi qun li et al.,2008] argued the network performance degrades in the presence of SSL/TLS. Secure Socket Layer is based on encryption algorithms to encrypt data and keys. This algorithm used complex calculation which involves intensive arithmetic for keys that

degrades performance, thus making SSL/TLS snowed under and loses its power in terms of efficiency while deciphering the data and keys. When number of requests to server containing SSL/TLS increases performance decreases. Shi Qun li et al. proposed a solution by suggesting modifications in RSA algorithm called “Batched RSA decryption algorithm”. This suggested algorithm increases network efficiency by offering accountably acceptable response time. At the same time deciphering process is also enhanced and accelerated, comparative to the size of b for batch. This technique is analyzed with some variations by the researchers in this study. [Wooyoung Jung et al.,2009] worked for IPv6 security issues I wireless networks. Wooyoung Jung et al. developed a cryptographic protocol for Internet Protocol – Wireless Sensor Networks. Wireless sensor networks architecture integrating their mechanism with IPv6, are immensely used everywhere in the world. But this architecture failed to provide security, because it is a known fact that IPWSN take it as a heavy load to become accustom with cryptographic protocols of internet. These mobile networks are light Wight in hardware having RAM inn Kilobytes, and a slow processor, so it uses very light components o Secure Socket Layer (SSL) protocol. By implementing the proposed protocol in these light Wight systems, utilization of resources are low such as only 7 Kilobytes of RAM, 64 Kilobytes of flash memory for verification of user. It uses RC4 algorithm for message encryption. Session initiation of SSL handshake in this protocol take much less time and transmit a large size of data. It can be very smoothly used for domestic purposes as well as for healthcare and in army. [Fang Qi et al.,2009] introduced that the suggested SSL session initialization can be enhanced in efficiency by secret swap over algorithm.This research at first shows that several certificates are needed in earlier version of SSL which uses batch RSA that is not practical for implementation.After that it presented only one of its kind certificate, which cope with the problem of multiple certificates.The optimized approach, concentrate over public key size to get better results, which have its foundation on the constrained model taking into account the user requirements for raking of aware security . Optimized arguments usage is also introduced while combining them with consumer needs for quality of service over internet. Constancy of the system and the bearable response time are example of QoS. At the end, by analysis and simulations shows that suggested algorithm are appraised to be practical and efficient.

525


www.ijiset.com

ISSN 2348 – 7968

[Pratik Guha and Shawn Fitzgerald, 2013] claimed that overlastfewyears,anumberofvulnerabilitieshavebeendiscoveredintheTransportLayerSecurityprotocol. ThepurposeofthispaperistoserveasananalysisofrecentattacksonSSL/TLS andasareferenceforrelatedmitigationtechniques;particularlyastheyrelatetoHTTPS. [Devdatta Akhawe et al., 2013]performeda large-scale measurement study of common TLS warnings.Using a set of passive network monitors located at differentsites, they checked the population of about 300,000 users over a nine-month period. Theyidentified low-risk scenarios that consume a large chunk of theuser attention budget and make concrete recommendationsto browser vendors that helped to maintain user attentionin high-risk situations. They studied the impact on end userswith a data set much larger in scale than the data sets usedin previous TLS measurement studies. A key novelty of approach involves the use of internal browser code instead ofgeneric TLS libraries for analysis, providing more accurateand representative results.

3 Proposed Work

3.1 Testing Roadmap

1. Construction of hypothesis 2. Analyzing Test bed requirements. 3. Installing and configuring LAN

Installing and configuring Windows 2003 server on server machine

Installing and configuring Windows XP on client machines.

4. Installing and configuring network monitoring tools

5. Configuring security mechanisms. 6. Perform statistical analysis of LAN

performance

3.2 Testing Hypothesis

1. Presence of security (SSL/TLS) affects the performance of network in terms of response time, delay, bandwidth utilization and throughput.

2. Presence of security (SSL/TLS) does not affect the performance of network in terms of response time, delay, bandwidth utilization and throughput.

3.3 Testing Procedures

Testing is done to check response time of FTP, POP3 and IMAP protocols. For each protocol two cases are made, in first case reading are taken in the presence

of SSL/TLS and in second case readings are taken in the absence of SSL/TLS.

Fig.2 SSL/TLS and TCP for Secure communication

Case 1: FTP Service with Security(In the Presence of SSL/TLS)

Configuring one machine as FTP Server with Security. FTP Server IP = 172.16.0.1 255.255.0.0

Configuring other machine as FTP Client. FTP Client IP = 172.16.0.2 255.255.0.0

At server side configuring a folder for FTP sharing and copying zip files of size 20, 40, 60...4000 MB.

At client side downloading files using FileZilla and noticing response time.

Fig.3 FTP Service in Presence of SSL/TLS

Case 2: FTP Service withoutSecurity (In Absence of SSL/TLS)

Configuring one machine as FTP Server with no Security. FTP Server IP = 172.16.0.1 255.255.0.0

Configuring other machine as FTP Client. FTP Client IP = 172.16.0.2 255.255.0.0

At server side configuring a folder for FTP sharing and copying zip files of size 20, 40, 60 ...4000 MB from client.

At client side downloading files using FileZilla and noticing response time.

526


www.ijiset.com

ISSN 2348 – 7968

Fig.4 FTP Service in Absence of SSL/TLS

Case 3: IMAP Service With Security(In the Presence of SSL/TLS)

Configuring one machine as E-mail Server (IMAP) with Security.

– IMAP Server IP = 172.16.0.1 255.255.0.0

– Installing MS Outlook at server machine.

Configuring other machine as E-mail Client (IMAP).

– IMAP Client IP = 172.16.0.2 255.255.0.0

– Installing MS Outlook at client machine.

At server side sending emails to clients and attach zip files of size 20, 40, 60 ...4000 MB.

At client side configuring MS-Outlook to receive emails from server, and noting down response time.

Fig. 4 IMAP Service in Presence of SSL/TLS

Case 4: IMAP Service withoutSecurity (In the Absence of SSL/TLS)

Configuring one machine as E-mail Server (IMAP) with no Security.

– IMAP Server IP = 172.16.0.1 255.255.0.0


Configuring other machine as E-mail Client(IMAP).

– IMAP Client IP = 172.16.0.2 255.255.0.0


At server side sending emails to clients and attach zip files of size 20,40,60...4000 MB.


Fig. 5 IMAP Service in Absence of SSL/TLS

Case 5: POP3 Service withSecurity (In the Presence of SSL/TLS)

Configuring one machine as E-mail Server (POP3) with Security.

– POP3 Server IP = 172.16.0.1 255.255.0.0


Configuring other machine as E-mail Client (POP3).

– IMAP Client IP = 172.16.0.2 255.255.0.0.


At server side sending emails to clients and attach zip files of size 20, 40, 60 ...4000 MB.


Fig. 6 POP3 Service in Presence of SSL/TLS

Case 6: POP3 Service without Security(In the Absence of SSL/TLS)

Configuring one machine as E-mail Server (POP3) with no Security.

527

4

Dtitoao

So

–

–

Config(POP3

–

–

At serattach

At clreceivrespon

Fig. 7

4 Results

Data in graph sime of FTP. To show the di

and absence of of network.

Fig.8 FTP Respo

Sum of responsof security on

IJISET - Internati

POP3 Se255.255.0.0

Installing machine.

guring other 3). POP3 Cl

255.255.0.0 Installing

machine. rver side sendzip files of siz

lient side cove emails fromnse time.

7 POP3 Service in

shows that secThese values ar

fference in resf SSL/TLS. Sec

onse Time Graph f

se time is takenresponse time

ional Journal of In

erver IP =0.

MS Outlook

machine as E

lient IP = 0.

MS Outlook

ding emails toze 20, 40, 60 …onfiguring MSm server, and

Absence of SSL/T

curity increasesre taken as measponse time incurity degrades

for Data With Resp

n to see the coof FTP in the

nnovative Science,

ww

= 172.16.0.1

k at server

E-mail Client

172.16.0.2

k at client

o clients and …4000 MB. S-Outlook to noting down

TLS

s the response an of 5 values n the presence s performance

pect to Security

ollective effect e absence and

Engineering & Te

ww.ijiset.com

presensecuritime i

Tabl

Su

Graphclearly

Fig.9 S

Averaeffectand pof secsecuridecrea

Table

A

Graphmore FTP.

echnology, Vol. 1

nce of SSL/TLity on the perincreases with

le 1: Sum of Respo

No Sum 3346

h for sum of ry that how SSL

Sum of Response T

age of responst of security onpresence of SScurity on the ity response ases.

e 2: Average Resp

No Average 167

h for average clearly that ho

Issue 6, August 20

LS. This showrformance of security and ef

onse Time for FTP

Security 60

response time L degrades the

Time Graph for FT

se time is takn response timeSL/TLS. This s

performance time increas

ponse Time for FTP

Security 7.300

of response ow SSL degrad

014.

ISSN 2

ws the actual network that fficiency decre

P With Respect to

SSL/TLS33475

shows the resperformance o

TP With Respect t

ken to see thee of FTP in theshows the actu

of network tses and perf

P With Respect to

SSL/TLS167.375

time shows thdes the perform

348 – 7968

effect of response

eases.

Security

S

sult more of FTP.

to Security

e average e absence ual effect that with formance

o Security

he result mance of

528

Dtitoao

F

Sopsti

Fig.10 Average

Data in graph sime of IMAP. o show the di


Fig.11 IMAP Resp

Sum of responsof security on rpresence of SSsecurity on theime increases w

Table 3: Sum of R

Sum

IJISET - Internati

e Response Time G

Secur

shows that secThese values

fference in resf SSL/TLS. Sec

ponse Time Graph

se time is takenresponse time oSL/TLS. This e performancewith security a

Response Time fo

No Security 63597

ional Journal of In

Graph for FTP Wi

rity

curity increasesare taken mea

sponse time incurity degrades

h for Data With Re

n to see the coof IMAP in theshows the ac

e of network and efficiency d

r IMAP With Resp

SSL/T63770

nnovative Science,

ww

ith Respect to


espect to Security


ctual effect of that response decreases.

pect to Security

TLS

Engineering & Te

ww.ijiset.com

GraphclearlyIMAP

Fig

Averaeffectabseneffectwith decrea

Table

A

Graphmore IMAP

Fig.

echnology, Vol. 1

h for sum of ry that how

P.

.12 Sum of Respo

age of responst of security nce and presenct of security osecurity respoases.

4: Average Respo

No Average 317

h for average clearly that ho

P.

13 Average Respo

Issue 6, August 20

response time SSL degrades

nse Time Graph fo

Security

se time is takon response tce of SSL/TLSon the performnse time incre

onse Time for IMA

Security 7.985


onse Time Graph f

Security

014.

ISSN 2

shows the ress the perform

or IMAP With Res

ken to see thetime of IMAP

S. This shows tmance of netweases and perf

AP With Respect to

SSL/TLS318.35


for IMAP With Re

348 – 7968

sult more mance of

spect to

e average P in the the actual work that formance

o Security

he result mance of

espect to

529

Dtitoao

F

Sopsti

Gc

Data in graph sime of POP3. o show the di


Fig.14 POP3 Resp

Sum of responsof security on rpresence of SSsecurity on theime increases w

Table 5: Sum of R

Sum

Graph for sumclearly that how

IJISET - Internati

shows that secThese values fference in res

f SSL/TLS. Sec

ponse Time Graph

se time is takenresponse time SL/TLS. This e performancewith security a

Response Time fo

No Security 63595

m of response tw SSL degrade

ional Journal of In

curity increasesare taken mea

sponse time incurity degrades

for Data With Re

n to see the coof POP3 in theshows the ac

e of network and efficiency d

or POP3 With Resp

SSL/T63980

time shows thes the performa

nnovative Science,

ww


spect to Security


ctual effect of that response decreases.

pect to Security

LS

he result more ance of POP3.

Engineering & Te

ww.ijiset.com

Fig

Averaeffectabseneffectwith decrea

Table

A

Graphmore POP3

Fig.

5 C

SSL pperfortime fand pthe staby Rcompuestabl

Otherbandwstreng

echnology, Vol. 1

g.15Sum of Respon

age of responst of security nce and presenct of security osecurity respoases.

6: Average Respo

No Average 317

h for average clearly that ho.

15 Average Respo

Conclusion

provides high-rmance of thefor FTP, IMAP

performance ofart of the conn

RSA public utationally intlish SSL conne

r parameters width utilizatigth of SSL/TLS

Issue 6, August 20

nse Time Graph fo

Security

se time is takon response

ce of SSL/TLSon the performnse time incre

onse Time for IMA

Security 7.975


onse Time Graph f

Security

-level securitye network to sP and POP3 inf network degrnection of SSL

key cryptogrtensive. It takection than a no

such as deon can be cS.

014.

ISSN 2

or POP3 With Res

ken to see thetime of POP3

S. This shows tmance of netweases and perf

AP With Respect to

SSL/TLS319.9


for IMAP With Re

y, but it also some extent. Rncreased with Srades. Session

L are usually exraphy operaties more CPUormal connecti

elay, throughpchecked to pr

348 – 7968

spect to

e average 3 in the the actual work that formance

o Security

he result mance of

espect to

degrades Response SSL/TLS n keys at xchanged ion, are

U time to ion.

put and rove the

530


www.ijiset.com

ISSN 2348 – 7968

6 Future Work

The main aim behind the thesis was to check the effect of SSL/TLS on the performance of network at the cost of security. The process can be continued to check effect on other protocols like LDAP etc. Furthermore, other parameters such as delay, throughput and bandwidth utilization can be checked to prove the strength of SSL/TLS. Performance of a secure network can increase in the presence on SSL/TLS by improving the strength of SSL/TLS without degrading performance. Cryptographic algorithm with reduced key size might be used to provide maximum security, especially the size of session keys exchanged at session establishment might be reduced which is done using asymmetric encryption.

References

[1] Homin, K., Lee. Malkin, T,andNahum, E.“Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices”;New York Software Industry Association, USA, ACM 978-1-59593-908, 2007.

[2]Oppliger, R. Hauser, R. andBasin, D.” SL/TLS Session-Aware User Authentication”Proceedings of the 15th GI/ITG Conference on “Kom-munikation in Verteilten Systemen” (KiVS ’07), Berne (Switzerland), Springer-Verlag, Berlin, LNCS, 2007, 225–236.

[3] Zanin, G. Pietro, D, R. and Mancini, L.,“Robust RSA distributed signatures for large-scale long-lived ad hoc networks”, Journal of Computer Security, 15, 1, 2007, 171-196.

[4] Shi-Qun Li. Dong, Y Wu. Zhou,Y and Chen, K. A,“Practical SSL server performance improvement algorithm based on batch RSA decryption”,Journal of Shanghai Jiaotong University (Science), 13, 1, 2008, 67-70.

[5] Jung,W. Hong, S. Minkeun Ha. Kim, Y and Kim, D.,“SSL-based lightweight security of IP-based wireless sensor networks”, Korea Science and Engineering Foundation (KOSEF), Korea, 2009.

[6] Fang Qi. Tang, Z. Wang, G. and Wu, A.,“User Requirements aware Security Ranking in SSL Protocol” Mater Thesis, Department of Science and Engineering, Central South University, Changsha, China, 2009.

[7] Guha,P. S and Fitzgerald,S.,“Attacks on SSL A comprehensive study of beast, crime, time, breach, lucky” 13 & RC4 BIASES, iSEC Partners. Available at:https://www.isecpartners.com/ media/106031/ssl_attacks_survey.pdf2013.

[8] Akhawe, D. Amann, B. Vallentin, M. and Sommer, R., “Here's My Cert, So Trust Me, Maybe? Understanding TLS Errors on the Web” WWW 2013, May 13–17, 2013, Rio de Janeiro, Brazil.ACM 978-1-4503-2035-1/13/05, 2013.

531

Performance Analysis of SSL/TLS - ijiset.comijiset.com/v1s6/IJISET_V1_I6_87.pdf · IJISET -...

Documents

Transcript of Performance Analysis of SSL/TLS - ijiset.comijiset.com/v1s6/IJISET_V1_I6_87.pdf · IJISET -...