Upload
dalton-efurd
View
217
Download
1
Tags:
Embed Size (px)
Citation preview
1 September 2005 MC-SSL Simulation1
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Analysis of Scalable Security – MC-SSL Simulation
Reducing excessive cryptographic processing in SSL Connections:
how much can you save?
1 September 2005 MC-SSL Simulation2
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Outline
• Introduction• MC-SSL Background• Methodology• Theoretical Results• Actual Results• Conclusion• Future Work
1 September 2005 MC-SSL Simulation3
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Introduction
• Security processing is CPU intensive• Recent developments on mobile devices
increased its security requirementsex.– Processing stock transaction– Accessing financial institutes
• Hence…the technology development does not fully meet the requires of its applications
1 September 2005 MC-SSL Simulation4
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Introduction(2)
• Similar issues plague battery life of mobile devices in that new applications drain the battery at a faster pace than before– Resolve by scalable features
– Ex. Asus notebooks feature “Asus Power4 Gear Software” that controls CPU speed, LCD brightness, and WLAN
1 September 2005 MC-SSL Simulation5
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
MC-SSL Background
• Developed by James Song – allow third-party (partially trusted) WAP proxy gateway providers– Some mobile devices cannot directly access
data from outside the service provider’s network
– Ex. IP packets need to be transformed into WAP packets before mobile devices are able to view it
1 September 2005 MC-SSL Simulation6
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
MC-SSL Background
VS
MC-SSL:Primary Channel (Confidentiality and Integrity)
MC-SSL: Secondary (Integrity Only) Channel
MC-SSL:Secondary (Clear Text) Channel
SSL Connection:Both Confidentiality and Integrity Protected
1 September 2005 MC-SSL Simulation7
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Methodology
• Java Secure Socket Extension (JSSE) API• Three Elements
– Client– SSL Web Server– Clear Text Web Server
• SSL and Clear Text Web Server on one computer, client on a separate one to avoid interference
1 September 2005 MC-SSL Simulation8
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Methodology – Web Servers
• SSL Web Server Enable Two Cipher Suites– SSL_RSA_WITH_NULL_SHA– TLS_RSA_WITH_AES_128_CBC_SHA
• Clear Text Web Server is an unmodified open-source java Web Server
• Both host MP3 files ranging from 1 to 10 Mbytes, at an interval of 1 Mbyte
1 September 2005 MC-SSL Simulation9
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Methodology – Client
• Initiates connection by enabling one of the two cipher suites offered by the Web Server
• Employs Java Native Interface (JNI) for CPU measurement– C Library
– Collects three measurements• Process’s CPU Time
• Elapsed Time
• CPU Utilization CPU Utilization =
Process CPU Time
-----------------------
Elapsed Time
1 September 2005 MC-SSL Simulation10
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Methodology – Overall
SSL Web Server
Clear Text Web Server
SSL_RSA_WITH_NULL_SHA
Clear Text Channel
TLS_RSA_WITH_AES_128_CBC_SHA
SSL Web Server
Clear Text Web Server
SSL_RSA_WITH_NULL_SHA
Clear Text Channel
TLS_RSA_WITH_AES_128_CBC_SHA
Client
1 September 2005 MC-SSL Simulation11
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Theoretical Results
020
4060
80100
0
20
40
60
80
100
0
10
20
30
40
50
60
70
80
ConfidentialityIntegrity
Savin
gs
1 September 2005 MC-SSL Simulation12
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Theoretical Results
• Based on S. Ravi et al’s “Securing Wireless Data: System Architecture Challenges”
• Assumed linear• Max: 86.5%• Intercept: 30%
3DES 535.9
AES 206.3
SHA 115.4
MD5 33.1
1 September 2005 MC-SSL Simulation13
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Actual Results
1 September 2005 MC-SSL Simulation14
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Actual Results
• Max: 76.4% [vs 86.5%]
• Linear
• Intercept ~35%
• Slope similar, low influence of connection overhead at 10 Mbyte file size
1 September 2005 MC-SSL Simulation15
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Conclusion
• Support the use of scalable secure socket layer connection when CPU capabilities are limited
• Sending large, non-confidential data using integrity only channel can save up to 50% CPU processing power
• Case Study on banking application reveals only 3.4% of data requiring both confidentiality and integrity – 37% CPU saving
1 September 2005 MC-SSL Simulation16
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Conclusion
• Issues– Reintegrating data back together from
separate channels
– Deciding what type of channel for each data
1 September 2005 MC-SSL Simulation17
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A
Future Work
• Vary the total file size that is transferred via the network (instead of 10Mbytes)– 8 Mbytes
– 6 Mbytes
– 4 Mbytes, …
• Need to isolate the point which the scheme is ineffective due to overhead
• Experiment on PDA devices (300 MHz, accessing 802.11b/g wireless network)