SSL Protocol Enables Secure Transmission Of Data Computer Science Essay

Published: November 9, 2015 Words: 3800

Secure Sockets Layer (SSL) is a protocol designed to enable applications to transmit information back and forth securely. Applications that use the SSL protocol intrinsically know how to exchange encryption keys with other applications, as well as how to encrypt and decrypt the data sent between the two.

The SSL protocol is independent of the application protocol: a higher-level application protocol, e.g. HTTP, FTP or TELNET, layers on top of SSL transparently. SSL negotiates an encryption algorithm and a session key, and authenticates the server, before the application protocol transmits or receives its first byte of data.

SSL (Secure Sockets Layer) is a protocol designed to enable secure communication across the Internet and intranets. S-HTTP and SSL provide Internet security through different functionalities and can be used independently or together. Standard HTTPS is the application of SSL to HTTP, which encrypts all information passing between two computers through a protected and secure virtual connection (Dr Michael E. 2003).

SSL is most commonly used to encrypt HTTP traffic, giving Hypertext Transfer Protocol Secure (HTTPS). However, many applications and systems continue to use SSL instead of TLS (Mallery, J 2005, p. 26). Netscape developed the first specification of SSL in 1994, but only publicly released and deployed the next version; SSLv3 followed in 1995, adding cryptographic methods such as Diffie-Hellman key agreement (DH), support for the FORTEZZA key token, and the Digital Signature Standard (DSS). With respect to public key cryptography, SSL relies mainly on the RSA cryptosystem and X.509-compliant certificates to secure the channel for Internet communication (www.sciencedirect.com).

SSL provides two layers of protocol within the TCP framework (the SSL Record Protocol and the S-HTTP layer mentioned above). The SSL Record Protocol provides basic security and communication services to the upper levels of the SSL protocol stack, while standard HTTP provides the Internet communication services between the client and host (Whitman & Herbert, 2005). The SSL Record Protocol is responsible for the fragmentation, compression, encryption, and attachment of an SSL header to the clear text prior to transmission. Received encrypted messages are decrypted and reassembled for presentation to the higher levels of the protocol (Dr Michael E. 2003). Once a normal HTTP session has been established between a client and a server and the client accesses a portion of the web site that requires secure communication, the server sends a message to the client indicating that a secure connection needs to be established. The client responds by sending its public key and security parameters; the handshake phase is completed when the server finds a matching public key and responds to the client by authenticating itself with a digital certificate (Dr Michael E. 2003), while the client must verify that the received certificate is valid and trustworthy. The benefit of the SSL protocol is that it is independent of the application using it: a higher-level application protocol, i.e. HTTP, FTP, TELNET, etc., layers on top of SSL transparently.

The SSL protocol uses an encryption algorithm and session key, and authenticates the server, before the application protocol transmits or receives its first byte of data. The drawback of the basic SSL approach is that security needs to be pre-configured, and only predefined static information, namely the data and its location, can be used when making renegotiation decisions (C.J Lamprecht 2008).

Based on PKI, SSL uses digital certificates to realise secure communication and provide services such as confidentiality, data integrity and identity authentication over the Internet (Z Huawei 2009). The SSL structure consists of two sub-protocols: the handshake protocol and the record protocol. The handshake protocol is the key part of SSL; it carries out certificate exchange, key material exchange and identity authentication. The function of the record protocol is to use the session keys produced in the handshake protocol to encapsulate the data to be exchanged (Rescorla, E et al 2001).

Purpose of SSL

According to a BBC News technology reporter, the data centre, for all its facelessness, is responsible for ensuring confidence in the Internet as a place to do business. This is done through a product called an SSL certificate, or secure sockets layer, which is a key part of the Internet's security infrastructure. SSL is a protocol which was developed to transmit private documents via the Internet. Its existence helps consumers guard against impostor websites by verifying and providing information about the identity of the certificate owner. For most people an SSL certificate simply translates into a padlock displayed at the lower right-hand corner of the browser window and the change to "https" in the URL address bar.

SSL was initially designed at Netscape for its web browsers and servers, but was later standardised by the IETF and is now called Transport Layer Security (TLS). In the view of Rescorla, E et al 2001, the SSL/TLS protocol secures HTTP transactions using cryptographic techniques that demand computational resources. Therefore the use of secure connections in business sessions among two or more machines degrades the performance of an application server: mainly, the throughput of the server decreases and its response time increases.


How SSL works

A number of applications are configured to run SSL, including web browsers like Internet Explorer and Firefox, email programs like Outlook, Mozilla Thunderbird and Apple Mail.app, and SFTP (secure file transfer protocol) programs. These programs are automatically able to accept SSL connections. To establish a secure SSL connection, however, your application must first have an encryption key assigned to it by a Certification Authority in the form of a certificate. Once it has a unique key of its own, you can establish a secure connection using the SSL protocol.

Causes of SSL Overhead

Encryption:

Because the information that you send has to be encrypted by the server, it takes more server resources than if the information were not encrypted. The performance difference is only noticeable for web sites with very large numbers of visitors and can be minimised with special hardware. A drawback of the basic SSL approach is that security needs to be pre-configured, and only predefined static information, namely the data and its location, can be used when making renegotiation decisions (C.J Lamprecht 2008). SSL guarantees that the received message is authentic and was kept confidential in transmission; it does not authenticate the interface between users and machines. 2008 IEEE, DOI 10.1109/ICYCS.2008.433 refers to SSL as a cryptographic protocol that is broadly used in secure web browser based applications such as e-payment. Based on PKI, it uses digital certificates to realise secure communication and provide services such as confidentiality, data integrity and identity authentication over the Internet (Z Huawei et al 2009).

Encapsulation:

Encapsulation is able to provide confidentiality and integrity for the data. Through its handshake protocol, the SSL protocol provides "channel security", which has three basic properties. The channel is private: encryption is used for all messages after a simple handshake has defined a secret key, and symmetric cryptography (DES, RC4) is used for data encryption. The channel is authenticated: the server endpoint of the conversation is always authenticated, while the client endpoint is optionally authenticated, and asymmetric cryptography is used for this authentication. Interactions between e-business servers are always carried out within secure sessions, commonly based on SSL connections.

Handshake:

The main overhead of SSL is the handshake, which is where the costly asymmetric cryptography happens. Following negotiation, relatively efficient symmetric ciphers are used. It can be very helpful to enable SSL sessions for your HTTPS service, where many connections are made. For a long-lived connection this effect is not as significant, and sessions are not as useful. The main goal of an application server in a business-to-business (B2B) environment is to provide its services to the maximum number of concurrent business clients. According to Apostolopoulos, G et al 2000, a benchmark reviewed a popular web server in wide use in a number of large e-commerce sites. The results show that the overhead due to handshaking in SSL can make a web server slower by a couple of orders of magnitude. The reason for this deficiency was found by instrumenting the SSL protocol stack and profiling the protocol processing components in detail (IEEE Network, Aug 2000, Vol 14 Issue 4).

www.instantssl.com

While there is overhead associated with all of these functions, by far the most costly is the authentication phase, because this step uses one or more public key encryptions and signatures. The handshake is performed every time the client makes a TCP connection to the server. A single page download can entail numerous connections, because most HTML documents contain a mix of multiple objects, including HTML text, JPEG/JPG/GIF/BMP pictures, QT/MOV movies, MPEG/MPG video, RAM audio and PDF documents (P. Destounis 2001).

Each SSL handshake that takes place costs additional processing time, and the parameters exchanged cost bandwidth, so many handshakes will slow down the CPU. The SSL task that runs on the server must compete for processing time with other tasks running on the CPU. Not only does this adversely affect SSL performance, but it also severely limits the CPU capacity available to other applications running on the system. Furthermore, the additional processing burden produced by the SSL task can significantly increase the delay a client experiences when connecting to the server (Wesley Chou, 2002).

Distributed Computing:

Distributed computing takes place in a client-server model; despite advances in fault tolerance (in particular, replication and load distribution), server overload remains a key problem. In the Web context, one of the main overload factors is the direct consequence of expensive public key operations performed by servers as part of each SSL handshake. Because most SSL-enabled servers use RSA, the burden of performing many costly decryption operations can be very detrimental to server performance.

Encryption algorithms

3DES and SHA provide a higher security level than the algorithms used by the base cipher suite, RC4 for encryption/decryption of data and MD5 to generate the MAC. However, 3DES and SHA require more CPU time than RC4 and MD5 respectively, and the basic cipher suite, which uses a key length of 40 bits for the RC4 algorithm, offers a degraded security level (DF García et al 2007). The computational cost of public key encryption is widely understood, which led to the development of session key caching across short-lived transactions such as those on the Web, yet there have been no detailed studies of the performance of key exchange in the Web. The performance of the security level is established first for the handshake phase and then for the bulk data transfer phase; the effect of the handshake on performance has been measured both when increasing and when decreasing the length of the key used by the RSA algorithm in the handshake phase (Kaufman et al 1995).

Data encryption and hashing:

The overhead incurred in SSL processing lies in the session negotiation phase when only a small amount of data is transferred, as in banking transactions. Once the data exchanged in the session crosses 32K bytes, the bulk data encryption phase becomes the dominant cost. The time spent on cryptographic operations can be broken down into asymmetric encryption algorithms, symmetric encryption algorithms and hash functions. So for a typical HTTP transaction (10-15 Kbytes), the bulk of the overhead comes from the SSL handshake protocol. For large HTTP transactions (1 Mbyte or more), the cost of the handshake is amortised over the length of the transfer, and the central part of the overhead is due to data encryption and message authentication (www.sciencedirect.com).

Increased Response Time:

In order to ensure that the difference between the response times obtained with different lengths of the RSA keys is negligible,

CPU Utilisation

The SSL/TLS protocol secures HTTP transactions using cryptographic techniques that demand computational resources. Therefore the use of secure connections in business sessions between two or more machines degrades the performance of an application server; that is, the throughput of the server decreases and its response time increases.

SSL Operation Consumes Server CPU

The discussion makes it plain that the SSL protocol's sticking point is that encrypting and decrypting data requires a tremendous amount of CPU (central processing unit) power. The burden is especially apparent on the server side, because multiple web clients often connect to a single web server. For e-commerce transactions, it is important to implement SSL in a way that does not overburden your web server's CPU and slow down the entire operation (Wesley Chou, et al 200).

Overheads slow down HTTPS

The performance effects of using per-transaction TCP connections for HTTP access were studied, together with proposed optimisations that avoid per-transaction re-connection and TCP slow-start restart overheads. Despite the performance penalties of the interaction between HTTP and TCP, observations indicate that the proposed optimisations do not substantially affect Web access for the vast majority of users, who typically see end-to-end latencies of 100-250 ms and use low bandwidth lines. Under these conditions, with around 1-2 packets in transit between the client and server, the optimisations reduce the overall transaction time by 11%. Rates over 200 Kbps are required in order to achieve at least a 50% reduction in transaction time, resulting in a user-noticeable performance enhancement.

Reduces throughput of web servers

The central problem of servers using SSL to provide security was determined to be the high number of full SSL connections established, since these connections require a vast amount of computation, producing a degradation of server throughput when many of them are requested simultaneously. The web server throughput increases when individual components of the TLS protocol are eliminated. Comparing the server throughput under different encryption/decryption algorithms, a noticeable change in throughput can be observed when the 3DES algorithm is used and when the length of the key used by RC4 is reduced. Nevertheless, the security level established for the bulk data transfer reduces the throughput of the server by 20%, and increases the response times by up to 10%, when a secure cipher suite is used (Coarfa 2006).

Overheads induce problems within dial-up connections

High overhead degrades server performance significantly and also affects server scalability; consequently, improving the performance of SSL-enabled network servers is critical for designing scalable and high performance data centres (Jin-Ha Kim, IEEE 2007). SSL session information could be lost when a client makes numerous requests, and multiple SSL handshakes cause a great deal of overhead on the web server and the client (Chita R. Das, 2007).

Performance enhancement

The model is used to investigate the performance and the signalling messages between entities in both protocols. The investigation showed a big enhancement in signalling traffic and bandwidth in the proposed protocol.

SSL handshake

The handshake permits the server to authenticate itself to the client with public key techniques like RSA, and then allows the client and the server to cooperate in constructing the symmetric keys used for fast encryption, decryption and tamper detection during the session that follows. Optionally, the handshake also allows the client to authenticate itself to the server. Two handshake types can be distinguished: the initial handshake and the resumed handshake. The initial handshake is negotiated when a client opens a new SSL connection with the server, and requires the negotiation of the full SSL handshake. The resumed handshake is negotiated when a client establishes a new HTTP connection with the server rather than using an existing SSL connection. As the SSL session ID is reused, part of the SSL handshake negotiation can be omitted.

Initial handshake

The client sends a client hello message, to which the server must respond with a server hello message. The client hello and server hello establish the following attributes: protocol version, session ID, cipher suite and compression method. Furthermore, two random values are generated and exchanged. Following the hello messages, the server sends its certificate. If the server is authenticated, it may request a certificate from the client. The server then sends the server hello done message, indicating that the hello message phase of the handshake is complete. The client key exchange message is now sent. At this point a change cipher spec message is sent by the client, which immediately sends the finished message. In reply, the server sends its own change cipher spec message followed by its finished message. The handshake is complete and the client and server may begin to exchange application layer data.

Resumed handshake

The client sends a client hello containing the session ID of the session to be resumed. The server then checks its session cache for a match. If a match is found, and the server is willing to re-establish the connection under the specified session state, it will send a server hello with the same session ID value. At this point, both client and server must send change cipher spec messages and proceed directly to the finished messages.
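The initial and resumed handshakes described above, as an added example that is not part of this essay: a Python simulation of both sides' messages with a server-side session cache. It assumes a toy Diffie-Hellman group and an HMAC-SHA256 key derivation as stand-ins for the real key exchange and PRF, and counts the server's public-key operations to show that a resumed handshake skips them while still deriving fresh traffic keys from the new random values.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the example only: 2^127 - 1 is prime but far too
# small for real use; it stands in for the RSA/DH key exchange of a full handshake.
P = (1 << 127) - 1
G = 5

def prf(secret: bytes, label: bytes, seed: bytes) -> bytes:
    """Simplified key derivation (HMAC-SHA256) standing in for the SSL PRF."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.session_cache = {}    # session ID -> master secret
        self.modexp_count = 0      # expensive public-key operations performed

    def client_hello(self, session_id, client_random):
        self.client_random = client_random
        self.server_random = secrets.token_bytes(32)
        if session_id in self.session_cache:
            # Resumed handshake: echo the session ID, no key exchange needed.
            self.session_id = session_id
            self.master_secret = self.session_cache[session_id]
            return {"session_id": session_id, "server_random": self.server_random, "resumed": True}
        # Initial handshake: fresh session ID plus a server key exchange value.
        self.session_id = secrets.token_bytes(16)
        self.dh_priv = secrets.randbelow(P - 2) + 1
        self.modexp_count += 1
        return {"session_id": self.session_id, "server_random": self.server_random,
                "resumed": False, "dh_pub": pow(G, self.dh_priv, P)}

    def client_key_exchange(self, client_dh_pub):
        self.modexp_count += 1
        pre_master = pow(client_dh_pub, self.dh_priv, P).to_bytes(16, "big")
        self.master_secret = prf(pre_master, b"master secret", self.client_random + self.server_random)
        self.session_cache[self.session_id] = self.master_secret   # cached for resumption

    def session_keys(self):
        # Fresh randoms mean a resumed session still gets new traffic keys.
        return prf(self.master_secret, b"key expansion", self.server_random + self.client_random)

def client_handshake(server, client_cache, session_id=None):
    """Runs one handshake; client_cache maps session ID -> master secret on the client side."""
    client_random = secrets.token_bytes(32)
    hello = server.client_hello(session_id, client_random)
    if hello["resumed"]:
        master_secret = client_cache[session_id]
    else:
        priv = secrets.randbelow(P - 2) + 1
        server.client_key_exchange(pow(G, priv, P))
        pre_master = pow(hello["dh_pub"], priv, P).to_bytes(16, "big")
        master_secret = prf(pre_master, b"master secret", client_random + hello["server_random"])
        client_cache[hello["session_id"]] = master_secret
    keys = prf(master_secret, b"key expansion", hello["server_random"] + client_random)
    # The finished messages succeed only if both sides derived the same keys.
    if not hmac.compare_digest(keys, server.session_keys()):
        raise RuntimeError("handshake failure: key mismatch")
    return {"session_id": hello["session_id"], "keys": keys, "resumed": hello["resumed"]}

if __name__ == "__main__":
    server, cache = Server(), {}
    first = client_handshake(server, cache)
    second = client_handshake(server, cache, first["session_id"])
    print(first["resumed"], second["resumed"], server.modexp_count)
```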

SSL Record Protocol

The SSL record layer receives continuous data from higher layers in non-empty blocks of arbitrary size. The record layer fragments the information blocks into SSL plaintext records of 2^14 bytes or less. The records can be compressed with the compression algorithm defined in the current session state. Then a MAC (Message Authentication Code) is calculated for the record using the hashing algorithm defined in the cipher spec negotiated in the handshake phase, and the MAC is appended to the end of the record data. Finally the record data and the MAC are encrypted using the algorithm defined in the current cipher spec. The SSL record protocol is used to transfer all data within a session, both the messages of the other SSL protocols (i.e. the handshake protocol) and application data. When resumption is complete, the client and server can begin to exchange application layer data. If a session ID match is not found, the server generates a new session ID and the SSL client and server carry out a full handshake.
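The fragment, MAC and encrypt pipeline described above, as an added example that is not part of this essay: a simplified record layer in Python. It assumes HMAC-SHA256 for the MAC and a constructed HMAC-based keystream in place of RC4, with null compression, and shows on the receiving side that a tampered or replayed record fails the MAC check.

```python
import hmac
import hashlib
import struct

MAX_FRAGMENT = 2 ** 14   # SSL plaintext records carry at most 2^14 bytes of data
MAC_LEN = 32             # HMAC-SHA256 output length

def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy stream cipher stand-in for RC4 (constructed for this example only):
    keystream blocks are HMAC-SHA256(key, sequence number || block counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def record_mac(mac_key: bytes, seq: int, content_type: int, fragment: bytes) -> bytes:
    # The MAC covers the sequence number, type, length and data, so a replayed
    # or reordered record fails verification even though its bytes are intact.
    header = struct.pack(">QBH", seq, content_type, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()

def protect(mac_key, enc_key, seq, content_type, data):
    """Sender side: fragment -> (null compression) -> MAC -> encrypt -> prepend header."""
    records = []
    for off in range(0, len(data), MAX_FRAGMENT):
        fragment = data[off:off + MAX_FRAGMENT]
        body = fragment + record_mac(mac_key, seq, content_type, fragment)
        ciphertext = xor(body, keystream(enc_key, seq, len(body)))
        records.append(struct.pack(">BH", content_type, len(ciphertext)) + ciphertext)
        seq += 1
    return records, seq

def unprotect(mac_key, enc_key, seq, records):
    """Receiver side: decrypt, verify the MAC, reassemble. Raises on any tampering."""
    out = bytearray()
    for rec in records:
        content_type, length = struct.unpack(">BH", rec[:3])
        ciphertext = rec[3:3 + length]
        if len(ciphertext) != length or length < MAC_LEN:
            raise ValueError("truncated record")
        body = xor(ciphertext, keystream(enc_key, seq, length))
        fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, record_mac(mac_key, seq, content_type, fragment)):
            raise ValueError("bad_record_mac")
        out += fragment
        seq += 1
    return bytes(out), seq

# Constructed sample keys (in SSL they come out of the handshake's key material).
MAC_KEY = hashlib.sha256(b"example mac key").digest()
ENC_KEY = hashlib.sha256(b"example enc key").digest()
APPLICATION_DATA = 23  # SSL content type value for application data

def demo():
    payload = b"GET /account HTTP/1.1\r\n" * 1000     # 23,000 bytes -> two records
    records, _ = protect(MAC_KEY, ENC_KEY, 0, APPLICATION_DATA, payload)
    plain, _ = unprotect(MAC_KEY, ENC_KEY, 0, records)
    tampered = bytearray(records[0])
    tampered[10] ^= 0x01                                # flip one ciphertext bit
    try:
        unprotect(MAC_KEY, ENC_KEY, 0, [bytes(tampered)])
        detected = False
    except ValueError:
        detected = True
    return len(records), plain == payload, detected

if __name__ == "__main__":
    print(demo())
```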

Summary

This research does not include the detailed mathematical process used to encrypt/decrypt messages, and gives only a brief explanation of how public key encryption works. To implement the security methods discussed here, except where a certificate is needed. Public key encryption is used for the implementation of the SSL protocol. Once an SSL connection has been established, all data transfers are encrypted with an encryption key negotiated between the web server and the web browser, namely a 40 or 128 bit encryption key. IE and Netscape web browsers support the SSL protocol.

Recommendations

This ensures not only secure transactions between server and browser, but also restricted access to web regions. In the case where limited access is necessary to view reports and login IDs and passwords are stored in a database, SSL combined with a web based login procedure would give the desired web security. This would avoid a double login for secure web regions, and secure the information stored in the database. If an SSL implementation is required, a third party certificate issuer is recommended for its credibility and quality of service.

Conclusions

Investigating SSL performance in secure web transactions, it turns out that about 70% of the total processing time of an HTTPS transaction is spent in SSL processing. As a result, a more detailed understanding of the key overheads within SSL processing was required. By presenting a detailed description of SSL processing, we showed that the major overhead incurred during SSL processing lies in the session negotiation phase when small amounts of data are transferred, as in banking transactions, or, when the data exchanged in the session crosses 32K bytes, in the bulk data encryption phase. We then showed the breakdown of time spent on the cryptographic operations, classified as asymmetric encryption algorithms, symmetric encryption algorithms and hash functions.

We have determined that the main problem of servers using SSL to provide security resides in the high number of full SSL connections established, because this kind of connection requires a great amount of computation, producing a degradation of server throughput when many of them are requested simultaneously. Second, we have evaluated the effect of some client behaviours relative to SSL on server performance. This evaluation has revealed that different client patterns (whether the clients reuse the SSL session IDs, whether the clients retry erroneous requests, and how long the clients wait for a server response) can heavily determine the server throughput.

References

Shacham H, Boneh D. "Improving SSL Handshake Performance via Batching", Lecture Notes in Computer Science, 2001, 2020: 28-43.

Gyu Sang Choi, 2005 IEEE International Conference on Cluster Computing, 2005.

D.F. Garcia, J. Garcia, M. Garcia, I. Peteira, R. Garcia, P. Valledor, Benchmarking of web services platforms, in: Proceedings of 2nd International Conference on Web Information Systems and Technologies, WEBIST 2006. Setubal (Portugal), 2006, pp. 75-80.

Li Zhao, Iyer R, Makineni S. "Anatomy and Performance of SSL Processing", Proceedings of the IEEE International Symposium on Performance Analysis of Systems and Software, 2005: 197-206.

Claude C, Einar M, Gene T. "Improving Secure Server Performance by Re-balancing SSL/TLS Handshakes", Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, 2006.

G. Apostolopoulos, V. Peris, D. Saha, Transport layer security: how much does it really cost?, in: Proceedings of the Conference on Computer Communications, INFOCOM'99, New York, USA, 1999.

Apostolopoulos, G., Peris, V., Pradhan, P. and Saha, D., Securing electronic commerce: reducing the SSL overhead, IEEE Network, v14 i4, 8-16.

V. Beltran, J. Guitart, D. Carrera, J. Torres, E. Ayguade, J. Labarta, Performance impact of using SSL on dynamic web applications, in: Proceedings of XV Jornadas de Paralelismo, JP'04. Almeria, Spain, 2004.

K. Bicakci, B. Crispo, A.S. Tanenbaum, Reversed SSL improved server performance and DoS resistance for SSL handshakes. Paper 2006/212 in the Cryptology ePrint Archive, 2006. http://eprint.iacr.org.

Boneh, D. and Shacham, H., Fast variants of RSA, CryptoBytes Newsletter, v5 i1, 1-9.

Eric Rescorla (2001). SSL and TLS: Designing and Building Secure Systems. United States: Addison-Wesley. ISBN 0-201-61598-3.

Andrew S. Tanenbaum, Computer Networks, 4th Edition, Addison-Wesley 2002 / Strategies for Implementing SSL on Embedded Systems.

B. Laurie and P. Laurie, Apache: The Definitive Guide, Third edition, O'Reilly, 2003.

OpenSSL Toolkit - http://www.openssl.org/.

C. Chigan, L. Li and Y. Ye, "Resource-aware Self-adaptive Security Provisioning in Mobile Ad Hoc Networks", Proc. IEEE Wireless Communications and Networking Conference, pp.2118-2124, 2005.

J. Viega, M. Messier and P. Chandra, Network Security with OpenSSL, O'Reilly, June 2002.

Housley, R. et al., RFC 2459: Internet X.509 Public Key Infrastructure Certificate and CRL Profile, January 1999.

Wesley Chou, IT Professional, July-Aug. 2002, pp. 47-52.

www.portal.acm.org/citation.cfm

P. Destounis et al., Measuring the mean Web page size and its compression to limit latency and improve download time, journal article, 2001.

C. Coarfa, P. Druschel, D.S. Wallach, Performance analysis of TLS web servers (extended version), ACM Transactions on Computer Systems 24 (1) (2006) 39-69.

Whitman, Michael and Herbert Mattord. Principles of Information Security. 2nd Edition. Massachusetts: Thomson Course Technology, 2005.