Performance Analysis Of Ssl/Tls

(1)

ISSN 2348 – 7968

Performance Analysis of SSL/TLS

Shazia Riaz, Shafia, Asma Sajid, Madiha Kanwal

Department of Information Technology (GC University, Faisalabad, Pakistan

Department of Computer Science (GC University, Faisalabad, Pakistan

Abstract:The Internet has undoubtedly become the largest public data network, enabling and facilitating both personal and business communications worldwide. While the Internet has opened the door to an increasing number of security threats from which corporations must protect themselves. With the growth of the Internet, many applications need to securely transmit data to remote applications and computers. TCP/IP protocol suit is core part for the communication for any network, by means that TCP/IP with the collaboration of SSL/TLS provides the solid security. SSL is designed to resolve the security issues as an open standard. Secure Sockets Layer (SSL) is the Internet security protocol for point-to-point connections. This study focuses on the performance analysis of SSL/TLS with different protocols as well as it will lead us to learn about the limiting behavior of SSL/TLS in TCP/IP. Further, future extensions of SSL/TLS must be the part of this research.

Keywords: Phishing, Spoofing, OTP, LDAP, SSL/TLS, TCP/IP, FTP, IMAP, POP3, HTTP

1 Introduction

Securing the modern business network and IT infrastructure demands an end-to-end approach and a firm grasp of vulnerabilities and associated protective measures. Most electronic commerce (e-commerce) applications in use today employ the Secure Sockets Layer (SSL) which is now also known as the Transport Layer Security protocol (TLS), defined by the draft Internet standard RFC2246 to authenticate the server and to cryptographically protect the communication channel between the client and the server. The SSL protocol, allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection. SSL/TLS provides support for user authentication based on public key certificates. But in practice, due to the slow deployment of these certificates, user authentication usually occurs at the application layer. There are many options here; including personal

identification numbers (PINs), passwords, passphrases, as well as“strong” authentication mechanisms, such as one-time password (OTP) and challenge-response (C/R) systems. In theory, the SSL/TLS protocol is assumed to be sound and secure. In practice, however, the vast majority of SSL/TLS-based e-commerce applications, employing user authentication at the application layer, are vulnerable to phishing, Web spoofing and most importantly man-in-the-middle (MITM) attacks. SSL runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. It was originally invented by Netscape and has become a de facto Internet standard. For the SSL 3.0 specification (also called SSL v3) in plain text form, SSL, or more specifically, the RSA public-key cryptographic operations usually used to exchange the session key at the start of a connection, is computationally intensive. It takes far more CPU time to establish an SSL connection than a normal connection.

In this study the strength of SSL/TLS is proved as a greatest protocol working with TCP/IP for secure network communication

(2)

IJISET - International Journal of Innovative Science, Engineering & Technology, Vol. 1 Issue 6, August 2014.

www.ijiset.com

ISSN 2348 – 7968

2 Previous Research

[Homin K. Lee et al., 2007] proved the strength of SSL (Secure Socket Layer) or TLS (Transport Layer Security) as a strongest security mechanism in client server environment publically. SSL/TLS uses cryptographic algorithms to encrypt data and communication. Homin K. Lee et al. developed a mechanism for this purpose named Probing SSL Security Tool (PSST) and checked its performance on more than 19,000 public servers. This tool checks the security by varying levels of security and changing the encryption algorithms used in SSL cryptography acceptable over the larger networks including internet. The outcomes of the tool shows an encouraging use of advanced security algorithms but there is not as fast adoption as needed.

[Rolf Oppliger et al., 2007] addressed the severe danger caused by Man in The Middle Attacks for SSL/TLS web application especially dealing financial transactions. Man in The Middle Attacks has no counter measure even for application running in support of SSL/TLS because those applications have no clear procedure for verification of user. Rolf Oppliger et al. demonstrated that their mechanism named “SSL/TLS session-aware user authentication” provides remedies to these problems. They make some variations in their mechanism and check it for user authentication. It begins with self-verification with passwords. After that improvements and expansions are discussed. Options for putting into practice their approach are also discussed.

[Zanin et al., 2007] designed a signature protocol for distributed systems especially useful for extensive and temporary mobile networks, which used encryption based on RSA algorithms. Security constraints and structural restrictions are also presented in the protocol designed, even it is very vigorous, adoptable and for scattered networks. According to researchers performance of the designed protocol can be increased to a level if the number of participants in the network is limited. Protocol proposed by Zanin et al. is robust according to them as it worked well for limited number of nodes and allow them to create suitable encrypted digital signature. An intruder is unable to break security for chosen number of participants, hence cannot disturb the performance of network or make digital signature illegal. The characteristics of this protocol are immense as compared to the limitations of less number of nodes.

[Shi qun li et al.,2008] argued the network performance degrades in the presence of SSL/TLS. Secure Socket Layer is based on encryption algorithms to encrypt data and keys. This algorithm used complex calculation which involves intensive arithmetic for keys that

degrades performance, thus making SSL/TLS snowed under and loses its power in terms of efficiency while deciphering the data and keys. When number of requests to server containing SSL/TLS increases performance decreases. Shi Qun li et al. proposed a solution by suggesting modifications in RSA algorithm called “Batched RSA decryption algorithm”. This suggested algorithm increases network efficiency by offering accountably acceptable response time. At the same time deciphering process is also enhanced and accelerated, comparative to the size of b for batch. This technique is analyzed with some variations by the researchers in this study.

[Wooyoung Jung et al.,2009] worked for IPv6 security issues I wireless networks. Wooyoung Jung et al. developed a cryptographic protocol for Internet Protocol – Wireless Sensor Networks. Wireless sensor networks architecture integrating their mechanism with IPv6, are immensely used everywhere in the world. But this architecture failed to provide security, because it is a known fact that IPWSN take it as a heavy load to become accustom with cryptographic protocols of internet. These mobile networks are light Wight in hardware having RAM inn Kilobytes, and a slow processor, so it uses very light components o Secure Socket Layer (SSL) protocol. By implementing the proposed protocol in these light Wight systems, utilization of resources are low such as only 7 Kilobytes of RAM, 64 Kilobytes of flash memory for verification of user. It uses RC4 algorithm for message encryption. Session initiation of SSL handshake in this protocol take much less time and transmit a large size of data. It can be very smoothly used for domestic purposes as well as for healthcare and in army.

(3)

ISSN 2348 – 7968

[Pratik Guha and Shawn Fitzgerald, 2013] claimed that overlastfewyears,anumberofvulnerabilitieshavebeendisco veredintheTransportLayerSecurityprotocol.

Thepurposeofthispaperistoserveasananalysisofrecentattac ksonSSL/TLS

andasareferenceforrelatedmitigationtechniques;particular lyastheyrelatetoHTTPS.

[Devdatta Akhawe et al., 2013]performeda large-scale measurement study of common TLS warnings.Using a set of passive network monitors located at differentsites, they checked the population of about 300,000 users over a nine-month period. Theyidentified low-risk scenarios that consume a large chunk of theuser attention budget and make concrete recommendationsto browser vendors that helped to maintain user attentionin high-risk situations. They studied the impact on end userswith a data set much larger in scale than the data sets usedin previous TLS measurement studies. A key novelty of approach involves the use of internal browser code instead ofgeneric TLS libraries for analysis, providing more accurateand representative results.

3 Proposed Work

3.1 Testing Roadmap

1. Construction of hypothesis 2. Analyzing Test bed requirements. 3. Installing and configuring LAN

 Installing and configuring Windows 2003 server on server machine

 Installing and configuring Windows XP on client machines.

4. Installing and configuring network monitoring tools

5. Configuring security mechanisms.

6. Perform statistical analysis of LAN performance

3.2 Testing Hypothesis

1. Presence of security (SSL/TLS) affects the performance of network in terms of response time, delay, bandwidth utilization and throughput.

2. Presence of security (SSL/TLS) does not affect the performance of network in terms of response time, delay, bandwidth utilization and throughput.

3.3 Testing Procedures

Testing is done to check response time of FTP, POP3 and IMAP protocols. For each protocol two cases are made, in first case reading are taken in the presence

of SSL/TLS and in second case readings are taken in the absence of SSL/TLS.

Fig.2 SSL/TLS and TCP for Secure communication

Case 1: FTP Service with Security(In the Presence of SSL/TLS)

 Configuring one machine as FTP Server with Security.

FTP Server IP = 172.16.0.1 255.255.0.0

 Configuring other machine as FTP Client. FTP Client IP = 172.16.0.2 255.255.0.0

 At server side configuring a folder for FTP sharing and copying zip files of size 20, 40, 60...4000 MB.

 At client side downloading files using FileZilla and noticing response time.

Fig.3 FTP Service in Presence of SSL/TLS

Case 2: FTP Service withoutSecurity (In Absence of SSL/TLS)

 Configuring one machine as FTP Server with no Security.

FTP Server IP = 172.16.0.1 255.255.0.0

 Configuring other machine as FTP Client. FTP Client IP = 172.16.0.2 255.255.0.0

 At server side configuring a folder for FTP sharing and copying zip files of size 20, 40, 60 ...4000 MB from client.

(4)

www.ijiset.com

ISSN 2348 – 7968

Fig.4 FTP Service in Absence of SSL/TLS

Case 3: IMAP Service With Security(In the Presence of SSL/TLS)

 Configuring one machine as E-mail Server (IMAP) with Security.

– IMAP Server IP = 172.16.0.1 255.255.0.0

– Installing MS Outlook at server machine.

 Configuring other machine as E-mail Client (IMAP).

– IMAP Client IP = 172.16.0.2 255.255.0.0

– Installing MS Outlook at client machine.

 At server side sending emails to clients and attach zip files of size 20, 40, 60 ...4000 MB.

 At client side configuring MS-Outlook to receive emails from server, and noting down response time.

Fig. 4 IMAP Service in Presence of SSL/TLS

Case 4: IMAP Service withoutSecurity (In the Absence of SSL/TLS)

 Configuring one machine as E-mail Server (IMAP) with no Security.

– IMAP Server IP = 172.16.0.1 255.255.0.0

 Configuring other machine as E-mail Client(IMAP).

– IMAP Client IP = 172.16.0.2 255.255.0.0

 At server side sending emails to clients and attach zip files of size 20,40,60...4000 MB.

Fig. 5 IMAP Service in Absence of SSL/TLS

Case 5: POP3 Service withSecurity (In the Presence of SSL/TLS)

 Configuring one machine as E-mail Server (POP3) with Security.

– POP3 Server IP = 172.16.0.1 255.255.0.0

 Configuring other machine as E-mail Client (POP3).

– IMAP Client IP = 172.16.0.2 255.255.0.0.

 At server side sending emails to clients and attach zip files of size 20, 40, 60 ...4000 MB.

Fig. 6 POP3 Service in Presence of SSL/TLS

Case 6: POP3 Service without Security(In the Absence of SSL/TLS)

(5)

4

D ti to a o S o – –  Config (POP3 – –

 At ser attach

 At cl receiv respon

Fig. 7

4 Results

Data in graph s ime of FTP. T o show the di and absence of of network.

Fig.8 FTP Respo

Sum of respons of security on

POP3 Se 255.255.0.0 Installing machine. guring other 3). POP3 Cl 255.255.0.0 Installing machine. rver side send

zip files of siz lient side co ve emails from

nse time.

7 POP3 Service in

shows that sec These values ar fference in res f SSL/TLS. Sec

onse Time Graph f

se time is taken response time

erver IP = 0.

MS Outlook

machine as E

lient IP = 0.

MS Outlook

ding emails to ze 20, 40, 60 … onfiguring MS m server, and

Absence of SSL/T

curity increases re taken as mea sponse time in curity degrades

for Data With Resp

n to see the co of FTP in the

= 172.16.0.1

k at server

E-mail Client

172.16.0.2

k at client

o clients and …4000 MB.

S-Outlook to noting down

TLS

s the response an of 5 values n the presence s performance

pect to Security

ollective effect e absence and

presen securi time i Tabl Su Graph clearly Fig.9 S Avera effect and p of sec securi decrea Table A Graph more FTP.

nce of SSL/TL ity on the per increases with

le 1: Sum of Respo

No S

um 3346

h for sum of r y that how SSL

Sum of Response T

age of respons t of security on presence of SS curity on the ity response ases.

e 2: Average Resp

No

Average 167

h for average clearly that ho

LS. This show rformance of

security and ef

onse Time for FTP

Security

60

response time L degrades the

Time Graph for FT

se time is tak n response time SL/TLS. This s performance time increas

ponse Time for FTP

Security

7.300

of response ow SSL degrad

ISSN 2

ws the actual network that fficiency decre

P With Respect to

SSL/TLS

33475

shows the res performance o

TP With Respect t

ken to see the e of FTP in the shows the actu of network t ses and perf

P With Respect to

SSL/TLS

167.375

time shows th des the perform

348 – 7968

(6)

D ti to a o

F

S o p s ti

Fig.10 Average

Data in graph s ime of IMAP. o show the di and absence of of network.

Fig.11 IMAP Resp

Sum of respons of security on r presence of SS security on the ime increases w

Table 3: Sum of R

Sum

IJISET - Internati

e Response Time G

Secur

shows that sec These values fference in res f SSL/TLS. Sec

ponse Time Graph

se time is taken response time o SL/TLS. This

e performance with security a

Response Time fo

No Security

63597

ional Journal of In

Graph for FTP Wi

rity

curity increases are taken mea sponse time in curity degrades

h for Data With Re

n to see the co of IMAP in the

shows the ac e of network and efficiency d

r IMAP With Resp

SSL/T

63770

nnovative Science,

ww

ith Respect to

espect to Security

ollective effect e absence and ctual effect of that response decreases.

pect to Security

TLS

Engineering & Te

ww.ijiset.com

Graph clearly IMAP

Fig

Avera effect absen effect with decrea

Table

A

Graph more IMAP

Fig.

echnology, Vol. 1

h for sum of r y that how P.

.12 Sum of Respo

age of respons t of security nce and presenc

t of security o security respo ases.

4: Average Respo

No

Average 317

h for average clearly that ho P.

13 Average Respo

Issue 6, August 20

response time SSL degrades

nse Time Graph fo

Security

se time is tak on response t ce of SSL/TLS on the perform

nse time incre

onse Time for IMA

Security

7.985

onse Time Graph f

Security 014.

ISSN 2

shows the res s the perform

or IMAP With Res

ken to see the time of IMAP S. This shows t

mance of netw eases and perf

AP With Respect to

SSL/TLS

318.35

for IMAP With Re

348 – 7968

sult more mance of

spect to

e average P in the the actual work that

formance

o Security

he result mance of

(7)

D ti to a o F S o p s ti G c

Data in graph s ime of POP3. o show the di and absence of of network.

Fig.14 POP3 Resp

Sum of respons of security on r presence of SS security on the ime increases w

Table 5: Sum of R

Sum

Graph for sum clearly that how

shows that sec These values fference in res f SSL/TLS. Sec

ponse Time Graph

se time is taken response time SL/TLS. This

e performance with security a

Response Time fo

No Security

63595

m of response t w SSL degrade

curity increases are taken mea sponse time in curity degrades

for Data With Re

n to see the co of POP3 in the

shows the ac e of network and efficiency d

or POP3 With Resp

SSL/T

63980

time shows th es the performa

spect to Security

ollective effect e absence and ctual effect of that response decreases.

pect to Security

LS

he result more ance of POP3.

Fig Avera effect absen effect with decrea Table A Graph more POP3 Fig.

5 C

SSL p perfor time f and p the sta by R compu establ

Other bandw streng

g.15Sum of Respon

age of respons t of security nce and presenc t of security o security respo ases.

6: Average Respo

No

Average 317

h for average clearly that ho .

15 Average Respo

Conclusion

provides high-rmance of the for FTP, IMAP performance of

art of the conn RSA public

utationally int lish SSL conne

r parameters width utilizati gth of SSL/TLS

nse Time Graph fo

Security

se time is tak on response ce of SSL/TLS on the perform

nse time incre

onse Time for IMA

Security

7.975

onse Time Graph f

Security

-level security e network to s P and POP3 in f network degr nection of SSL key cryptogr tensive. It tak ection than a no

such as de on can be c S.

ISSN 2

or POP3 With Res

ken to see the time of POP3 S. This shows t

mance of netw eases and perf

AP With Respect to

SSL/TLS

319.9

for IMAP With Re

y, but it also some extent. R ncreased with S rades. Session L are usually ex raphy operati es more CPU ormal connecti

elay, throughp checked to pr

348 – 7968

spect to

e average 3 in the the actual work that formance o Security he result mance of espect to degrades Response SSL/TLS n keys at xchanged ion, are U time to

ion.

(8)

www.ijiset.com

ISSN 2348 – 7968

6 Future Work

The main aim behind the thesis was to check the effect of SSL/TLS on the performance of network at the cost of security. The process can be continued to check effect on other protocols like LDAP etc. Furthermore, other parameters such as delay, throughput and bandwidth utilization can be checked to prove the strength of SSL/TLS.

Performance of a secure network can increase in the presence on SSL/TLS by improving the strength of SSL/TLS without degrading performance. Cryptographic algorithm with reduced key size might be used to provide maximum security, especially the size of session keys exchanged at session establishment might be reduced which is done using asymmetric encryption.

References

[1] Homin, K., Lee. Malkin, T,andNahum, E.“Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices”;New York Software Industry Association, USA, ACM 978-1-59593-908, 2007.

[2]Oppliger, R. Hauser, R. andBasin, D.” SL/TLS Session-Aware User Authentication”Proceedings of the 15th GI/ITG Conference on “Kom-munikation in Verteilten Systemen” (KiVS ’07), Berne (Switzerland), Springer-Verlag, Berlin, LNCS, 2007, 225–236.

[3] Zanin, G. Pietro, D, R. and Mancini, L.,“Robust RSA distributed signatures for large-scale long-lived ad hoc networks”, Journal of Computer Security, 15, 1, 2007, 171-196.

[4] Shi-Qun Li. Dong, Y Wu. Zhou,Y and Chen, K. A,“Practical SSL server performance improvement algorithm based on batch RSA decryption”,Journal of Shanghai Jiaotong University (Science), 13, 1, 2008, 67-70.

[5] Jung,W. Hong, S. Minkeun Ha. Kim, Y and Kim, D.,“SSL-based lightweight security of IP-based wireless sensor networks”, Korea Science and Engineering Foundation (KOSEF), Korea, 2009.

[6] Fang Qi. Tang, Z. Wang, G. and Wu, A.,“User Requirements aware Security Ranking in SSL Protocol” Mater Thesis, Department of Science and Engineering, Central South University, Changsha, China, 2009.

[7] Guha,P. S and Fitzgerald,S.,“Attacks on SSL A comprehensive study of beast, crime, time, breach, lucky” 13 & RC4 BIASES, iSEC Partners. Available at:https://www.isecpartners.com/

media/106031/ssl_attacks_survey.pdf2013.