From the experiment performed in Section 6.1, it is clear that signature generation and verification (private key encryption, public key encryption) are among the slower cryptographic operations used in the SSL protocols. They cause a significant amount of CPU overhead. Table 6.2 shows the distribution of these operations between the client and the server in the SSL handshake protocol.
It can be observed from Table 6.2 that the server performs more private key operations and hence has to do more work than the client to complete the handshake protocol. Therefore, the SSL handshake protocol is itself asymmetric in terms of work overhead, especially when RSA is used as the key exchange algorithm and authentication method, which is the common practice in the real world [47].
6.2.1 Client-Vs-Server: Computational Differences
Experiment 7. Measure the difference between computational overhead for the client and the server during SSL handshake protocol.
Explanation
This experiment intends to measure the cost of the overall SSL connection establishment phase. This phase mainly consists of the SSL handshake protocol and the SSL change cipher spec protocol². The SSL connection establishment phase is the most expensive phase of the SSL protocol. This experiment is indicative of this fact and provides practical evidence for it.
6.2.2 Set-up & Tool
To confirm the difference in computational overload, a small tool built by Vincent Bernat [48] is modified to measure the computational cost incurred during the SSL handshake protocol. This tool is a simple C program that uses the OpenSSL library to emulate the server and client sides. It measures the CPU time of a client and a server performing 1000 handshakes with various TLSv.1.0 [30] cipher suites and varying key sizes.
This tool is used to measure the difference between the CPU time required by the client and the server when RSA and DH are used as key exchange algorithms. The standard procedure of server authentication is performed. Client authentication is not performed in this measurement³. The same system as described in Section 6.1.2 is used to conduct the experiment.
² Although the SSL session establishment phase can consist of the change cipher spec protocol and the alert protocol along with the SSL handshake protocol, the SSL session establishment phase will be referred to as the SSL handshake protocol unless a protocol-specific feature needs to be discussed.
While generating key pairs for RSA, a public exponent of 65537 is used, which is the default value for the public exponent in OpenSSL. Along similar lines, while generating the DH public value for the server, a generator of 2 is used. This is the default value for the generator in OpenSSL. This experiment is performed using the different cipher suites available in TLSv.1.0 [30]. It has been found that the different cipher suites do not make a significant difference in cryptographic overhead when only the SSL handshake protocol is considered. Therefore, the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite is used for the RSA key exchange method and the TLS_DHE_RSA_WITH_AES_256_CBC_SHA cipher suite is used for the DH key exchange method. In both cases RSA certificates are used for authentication. These tests are performed two times each for RSA and DH, each time using different key sizes.
Figure 6.3: Comparison of computational power needed by server and client to complete 1000 SSL handshakes
6.2.3 Result & Analysis
Figure 6.3 shows the difference in CPU overload at the client and server sides. The CPU power needed by the server and the client is shown in red and blue bars respectively. The X-axis denotes the CPU time needed by the server and the client to complete the 1000 handshakes. The Y-axis denotes the key exchange algorithms and key sizes used to test the performance. The observations from Figure 6.3 are summarized below.
• Whenever RSA is used, client needs more CPU power than server as compared with DH key exchange algorithm.
• With the increase in key size the performance overhead is increased at both client and server sides.
• When RSA with key size of 1024 is used the difference in overhead is 130%. This difference in overhead increases with the increase in RSA key size.
• This scenario of increased overhead at the server side changes when DH is used as the key exchange algorithm. The client needs to perform more work than the server when DH is used as the key exchange algorithm. With a DH public value of 1024, the difference in computational overhead is −22.83%. For a key size of 2048, the overhead on the client increases even more.
The difference in overhead shown in Figure 6.3 is due to how RSA and DH work. This is explained in Appendix sections A.1 and A.2 respectively. It should be noted that these are the results of tests conducted on a virtual machine and only provide representative data as a proof of the concept that the server has more cryptographic overhead than the client. This is the case when RSA is used, and most browsers and web servers prioritize only the RSA key exchange algorithm. In addition, the differences in overhead on the client and the server are going to vary from platform to platform. For instance, the difference in overhead for a client on a normal PC and a well-configured web server with additional hardware accelerators for performing cryptographic operations (RSA private key decryption) is going to differ. The difference in the client and the server overhead is most likely to be small. This experiment is performed and the results are given here just to convey the idea that the server needs more CPU power than the client. In addition, real web servers (on the internet) will have to provide their services to not just a single machine. There will be a number of client machines that will be requesting the server's resources.
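The RSA half of this asymmetry can be reproduced without OpenSSL. The following Python example is added here and is not the thesis's modified tool: it uses textbook RSA (no padding, no CRT) with the public exponent 65537 from the set-up, a demo key generated from a fixed seed, and hypothetical function names, and it compares the client's public-key operation with the server's private-key operation by multiplication count and by CPU time.

```python
# Added illustration: textbook RSA cost model, not OpenSSL's implementation.
import random
import time

E = 65537  # public exponent used in the experiment (OpenSSL default)

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin; n must be odd and > 3 (true for every candidate below)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(modulus_bits, seed=1):
    """Demo key from a fixed seed (constructed, never for real traffic)."""
    rng, half, primes = random.Random(seed), modulus_bits // 2, []
    while len(primes) < 2:
        p = rng.getrandbits(half) | (3 << (half - 2)) | 1  # top 2 bits set, odd
        if p % E != 1 and p not in primes and is_probable_prime(p, rng):
            primes.append(p)
    p, q = primes
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (n, d)

def modmul_count(exponent):  # squarings + multiplications, square-and-multiply
    return exponent.bit_length() - 1 + bin(exponent).count("1") - 1

def cpu_time(base, exponent, modulus, repeat=200):
    start = time.process_time()
    for _ in range(repeat):
        pow(base, exponent, modulus)
    return time.process_time() - start

def compare(modulus_bits=1024):
    n, d = gen_key(modulus_bits)
    secret = random.Random(2).getrandbits(48 * 8)  # constructed 48-byte value
    c = pow(secret, E, n)           # client side: public-key operation
    assert pow(c, d, n) == secret   # server side: private-key operation
    return {"client_modmuls": modmul_count(E), "server_modmuls": modmul_count(d),
            "client_cpu_s": cpu_time(secret, E, n), "server_cpu_s": cpu_time(c, d, n)}
```

Calling `compare(1024)` and `compare(2048)` shows the client count staying at 17 modular multiplications while the server count grows with the key size. Absolute ratios differ from Figure 6.3 because a full handshake includes other work and OpenSSL uses CRT for the private-key operation.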
6.3 Summary
This chapter provided an introduction to the cryptographic operations performed in the SSL protocol. Further, the costs of different cryptographic operations are compared and the heavy cryptographic operations are identified. It has been verified that the SSL handshake protocol is the most expensive protocol in the SSL protocol. The cryptographic overhead between the client and the server is not balanced: the server has to perform more CPU-intensive operations than the client. Such an unbalanced environment gives the attacker an opportunity to request the server to complete multiple handshake protocols and spend a large amount of CPU power with an insignificant CPU investment himself. When the attacker uses multiple resources to spawn multiple SSL handshake requests for the server to complete, the impact on the server's performance can be increased drastically.
Finally, this chapter provided the practical proof of concept results to highlight the important cause for the SSL protocol to be the attractive basis for executing DoS attacks.
CHAPTER 7
DoS Attack Analysis: Client Authentication using RSA Certificates
This chapter describes a number of experiments regarding the client authentication process using RSA certificates in the SSL protocols. Irrespective of the place where certificate verification is done (at the client side or the server side), there is no difference in the overall process. However, when it is done at the server side, it is an extra overhead for the server along with RSA decryption. That means, whenever certificate verification is done at the server side, the server has to perform the RSA signature verification (public key operation) along with the RSA decryption (private key operation) for obtaining the pre-master secret, as explained in Chapter 3. This might lead to significant degradation in the server's performance. This chapter investigates whether the certificate verification at the server side could be an extra computational overhead leading to the degradation of the server's performance and hence become a possible vector for producing a DoS attack. To do so, various aspects of the certificate verification are considered in this chapter.
7.1 Introduction
The SSL handshake protocol optionally authenticates the client to the server. There are several applications where client authentication is required and demanded by the server. Some of these applications are already discussed in Chapter 4. Most of the time, RSA certificates are used in the process of authentication in the SSL protocol [47]. The process of RSA certificate verification consists of a number of steps. The main steps can be listed as follows:
• Certificate chain construction.
• Certificate constraint verification / Integrity checking.
• Certificate Signature verification.