
.Net Security and Performance

.Net Security and Performance -has security slowed down the application. By Krishnan Ganesh Madras. Content. Introduction Client Authentication Hashing Algorithms Symmetric Key Algorithms Asymmetric Key Algorithms Conclusion.



  1. .Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras

  2. Content • Introduction • Client Authentication • Hashing Algorithms • Symmetric Key Algorithms • Asymmetric Key Algorithms • Conclusion

  3. Has Security Slowed Down The Application? Yes, security has slowed down the application. In this presentation I analyse the performance of the various security options available in .NET, comparing the relative performance of the options for client authentication, hashing algorithms, and symmetric and asymmetric key algorithms.

  4. Client Authentication
     The options checked under client authentication are:
     • Anonymous
     • Basic
     • Basic_SSL (Secure Sockets Layer)
     • Kerberos
     • Digest
     • FormsAuth_AD
     • FormsAuth_SQL

  5. Client Authentication cont…
     Anonymous: No authentication is performed.
     Basic: The client sends its credentials to the web server, and the server authenticates them. This is extremely insecure, because the password crosses the network in clear text (it is only base64-encoded, which is trivial to decode).
     Basic_SSL: Similar to Basic, but over SSL, so the credentials are sent through an encrypted channel.

  6. Client Authentication cont…
     Kerberos: The credentials given by the client are sent directly to the Ticket Granting Service, which authenticates them and issues a Kerberos ticket to the client. This ticket is a temporary certificate containing information that identifies the user to the network server.
     Digest: The server sends the client a challenge asking for the username and password. A hash of the password is used to encrypt the response, which is then sent to the server, where the client is authenticated. The password is never sent in clear text, which is a clear advantage over Basic authentication.

  7. Client Authentication cont…
     FormsAuth_AD: This uses ASP.NET Forms authentication; user accounts are held in Active Directory.
     FormsAuth_SQL: This uses ASP.NET Forms authentication; user accounts are stored in SQL Server 2000. Instead of storing passwords in clear text, their hash values are stored for extra security.

  8. Client Authentication cont… In Basic, Basic_SSL, Kerberos, and Digest authentication, the flow of HTTP headers looks like:

  9. Client Authentication cont… The flow of HTTP headers for ASP.NET Forms authentication looks like:

  10. Client Authentication cont… Anonymous has the best performance. Kerberos and Digest have similar performance. Basic and FormsAuth_SQL have similar performance. FormsAuth_AD is the slowest of all.

  11. Sample Code for Basic authentication
      <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
        <system.web>
          <!-- Windows mode: IIS performs the Basic (or Kerberos/Digest) handshake
               and the page receives the authenticated identity -->
          <authentication mode="Windows">
          </authentication>
          <compilation debug="true"/>
        </system.web>
      </configuration>

      protected void Page_Load(object sender, EventArgs e)
      {
          // User.Identity is populated by IIS after the client authenticated
          Label1.Text = User.Identity.Name;
          if (User.Identity.Name == "Domain\\username")
              Response.Redirect("………");
      }

  12. Sample Code for Forms authentication
      <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
        <system.web>
          <authentication mode="Forms">
            <forms loginUrl="Login.aspx"/>
          </authentication>
          <compilation debug="true"/>
        </system.web>
      </configuration>

  13. Sample Code for Forms authentication
      SqlConnection conn = new SqlConnection(
          "Data Source=Domain\\SQLEXPRESS;Initial Catalog=assignment2;Integrated Security=True");
      conn.Open();
      // Parameterised query: the original concatenated the submitted values into the
      // SQL text, which allows SQL injection. The table holds hashed credentials.
      SqlCommand cmd = new SqlCommand(
          "select count(username) from login where username=@u and password=@p", conn);
      cmd.Parameters.AddWithValue("@u", sHashedUserName);
      cmd.Parameters.AddWithValue("@p", sHashedPassword);
      int matches = (int)cmd.ExecuteScalar();
      conn.Close();
      // Only issue the forms-authentication ticket when exactly one row matched
      if (matches == 1)
          FormsAuthentication.RedirectFromLoginPage(Login1.UserName, false);

  14. Hashing Algorithms Hash algorithms map data of arbitrary size to a small fixed-length value that is, in practice, unique to its input. We will compare the SHA1, SHA512 and MD5 algorithms. MD5 produces a hash of 128 bits. SHA1 produces a hash of 160 bits. SHA512 produces a hash of 512 bits. We will also see how data size affects performance.

  15. Hashing Algorithms cont… The performance of all three algorithms is almost the same when the data size is 4KB.

  16. As the data size increases, the algorithms start to differ. At 5 concurrent users, MD5 is 33% faster than SHA1. SHA512 degrades with data size and is around 55% slower than SHA1.

  17. As the data size increases further, the gap widens. MD5 is around 43% faster than SHA1 at 5 concurrent users and around 20% faster otherwise. SHA512 is around 72% slower than SHA1.

  18. Basic sample code
      1. Computing hash values using MD5:
         // password is the clear-text string to hash
         string sHashedPassword =
             FormsAuthentication.HashPasswordForStoringInConfigFile(password, "MD5");
      2. Computing hash values using SHA1:
         SHA1 sha1 = SHA1.Create();          // the original declared sha1 without creating it
         byte[] b = sha1.ComputeHash(Value); // Value is the byte[] to hash
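The hashing comparison above can be reproduced with the benchmark below. It is an added example, not code from the presentation: it times MD5, SHA1 and SHA512 on a single thread over the same 4KB, 100KB and 500KB buffers the slides use, and assumes a modern .NET runtime (all class and method names are this example's own).

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Security.Cryptography;
// Added example (not from the presentation): single-thread timing of MD5, SHA1
// and SHA512 over the slides' data sizes. Names here are this example's own.
public static class HashBenchmark
{
    // Deterministic pseudo-random buffer: constructed test input, not real data.
    public static byte[] MakeData(int size)
    {
        var data = new byte[size];
        new Random(42).NextBytes(data);
        return data;
    }
    // Average microseconds per ComputeHash call over `iterations` runs.
    public static double TimeHash(HashAlgorithm algo, byte[] data, int iterations)
    {
        algo.ComputeHash(data);                  // warm-up call, not measured
        var sw = Stopwatch.StartNew();
        for (int i = 0; i < iterations; i++)
            algo.ComputeHash(data);
        sw.Stop();
        return sw.Elapsed.TotalMilliseconds * 1000.0 / iterations;
    }

    // Microseconds per hash keyed by "ALGO/size", e.g. "SHA512/500KB".
    public static Dictionary<string, double> Run(int iterations = 200)
    {
        var algos = new Dictionary<string, Func<HashAlgorithm>> {
            ["MD5"] = () => MD5.Create(), ["SHA1"] = () => SHA1.Create(),
            ["SHA512"] = () => SHA512.Create() };
        var results = new Dictionary<string, double>();
        foreach (int size in new[] { 4 * 1024, 100 * 1024, 500 * 1024 })
        {
            byte[] data = MakeData(size);
            foreach (var kv in algos)
                using (HashAlgorithm algo = kv.Value())
                    results[$"{kv.Key}/{size / 1024}KB"] = TimeHash(algo, data, iterations);
        }
        return results;
    }

    // Prints the table; the ratio of each row to SHA1 is what the slides compare.
    public static void Main()
    {
        foreach (var kv in Run())
            Console.WriteLine($"{kv.Key,-14}{kv.Value,10:F1} us/hash");
    }
}
```

The absolute numbers depend on the machine and runtime, so compare ratios within one run rather than against the slides' percentages.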

  19. Symmetric Key Algorithms Symmetric-key algorithms are a class of cryptographic algorithms that use trivially related, often identical, keys for both encryption and decryption. The encryption key is trivially related to the decryption key: they are either identical or connected by a simple transform. In practice the keys represent a shared secret between two or more parties, used to maintain a private information link.

  20. Symmetric Key Algorithms cont… The performance of four algorithms is compared here: DES, 3DES, RC2 and Rijndael. System.Security.Cryptography provides implementations of DES, TripleDES, RC2 and Rijndael. The comparison measured how fast each algorithm encrypts the data and then decrypts the encrypted bytes. Performance was also recorded for data sizes of 4KB, 100KB and 500KB to see how data size affects it.

  21. With small data sizes, Rijndael performs better than the others. DES performs well, ahead of 3DES and RC2, but is vulnerable to brute-force attack because of its small key size. 3DES and RC2 perform almost identically.

  22. As the data size increases we see an entirely different picture. DES is the fastest, followed by RC2, which is 20% faster than 3DES. Rijndael is the slowest, 25% slower than 3DES.
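The encrypt-then-decrypt measurement described in the symmetric-key slides, as an added example that is not code from the presentation. It assumes a modern .NET runtime, uses Aes.Create() in place of the now-obsolete Rijndael class (Rijndael with a 128-bit block is AES), and records NaN where the runtime refuses a legacy cipher; all names are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Security.Cryptography;
// Added example (not from the presentation): encrypt-then-decrypt timing for DES,
// 3DES, RC2 and AES (Rijndael with a 128-bit block). Names here are this example's own.
public static class SymmetricBenchmark
{
    // Encrypts `data`, decrypts the result, checks the round trip, returns elapsed ms.
    public static double TimeRoundTrip(SymmetricAlgorithm algo, byte[] data)
    {
        byte[] key = algo.Key, iv = algo.IV;      // reading them generates random values
        var sw = Stopwatch.StartNew();
        byte[] cipher, plain;
        using (ICryptoTransform enc = algo.CreateEncryptor(key, iv))
            cipher = enc.TransformFinalBlock(data, 0, data.Length);
        using (ICryptoTransform dec = algo.CreateDecryptor(key, iv))
            plain = dec.TransformFinalBlock(cipher, 0, cipher.Length);
        sw.Stop();
        if (!plain.SequenceEqual(data))
            throw new InvalidOperationException("round trip failed: " + algo.GetType().Name);
        return sw.Elapsed.TotalMilliseconds;
    }
    // Milliseconds per round trip keyed by "ALGO/size"; NaN when the runtime refuses
    // the algorithm (legacy ciphers such as RC2 are not available on every platform).
    public static Dictionary<string, double> Run()
    {
        var factories = new Dictionary<string, Func<SymmetricAlgorithm>> {
            ["DES"] = () => DES.Create(), ["3DES"] = () => TripleDES.Create(),
            ["RC2"] = () => RC2.Create(), ["AES"] = () => Aes.Create() };
        var results = new Dictionary<string, double>();
        foreach (int size in new[] { 4 * 1024, 100 * 1024, 500 * 1024 })
        {
            var data = new byte[size];               // constructed test input
            new Random(7).NextBytes(data);
            foreach (var kv in factories)
            {
                string label = $"{kv.Key}/{size / 1024}KB";
                try { using (SymmetricAlgorithm a = kv.Value()) results[label] = TimeRoundTrip(a, data); }
                catch (Exception e) when (e is PlatformNotSupportedException || e is CryptographicException)
                { results[label] = double.NaN; }
            }
        }
        return results;
    }
    public static void Main()
    {
        foreach (var kv in Run()) Console.WriteLine($"{kv.Key,-12}{kv.Value,9:F2} ms");
    }
}
```

DES, 3DES and RC2 appear here only because the slides compare them; for new designs the speed figures do not change the fact that AES is the one of the four still considered secure.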

  23. Asymmetric Key Algorithm Asymmetric-key cryptography is a form of cryptography in which a user has a pair of cryptographic keys: a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot practically be derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key.

  24. The two common asymmetric algorithms are RSA and DSA. RSA can be used for both encryption and signature generation; DSA can only be used to generate signatures. We compared RSA and DSA on how fast they generate a digital signature and how fast they verify one. In the RSA digital signature process, the private key is used to encrypt only the message digest, and the encrypted digest becomes the digital signature. DSA uses special mathematical functions to generate a digital signature composed of two 160-bit numbers derived from the message digest and the private key.

  25. DSA is 29% faster than RSA at generating a signature. When the data size is increased, DSA still remains faster than RSA.

  26. In verifying a signature, RSA is faster than DSA by about 29%. As the data size increases, the performance difference becomes almost negligible.
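The sign-and-verify comparison from the last three slides, as an added example that is not code from the presentation. It uses the modern .NET RSA and DSA base-class API with 2048-bit keys and SHA-256 digests (the slides measured 1024-bit DSA with 160-bit SHA-1 digests), catches the platforms where DSA is unavailable, and all names are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Security.Cryptography;
// Added example (not from the presentation): sign/verify timing for RSA and DSA with
// 2048-bit keys and SHA-256 (the slides used 1024-bit DSA and SHA-1). Names are this example's own.
public static class SignatureBenchmark
{
    // Times `iterations` signatures and verifications of `data`. Only the digest is
    // signed, as the slides say, so data size mostly changes the hashing cost.
    public static (double SignMs, double VerifyMs) Time(Func<byte[], byte[]> sign,
        Func<byte[], byte[], bool> verify, byte[] data, int iterations)
    {
        byte[] sig = sign(data);                   // warm-up, not measured
        var sw = Stopwatch.StartNew();
        for (int i = 0; i < iterations; i++) sig = sign(data);
        double signMs = sw.Elapsed.TotalMilliseconds / iterations;
        sw.Restart();
        for (int i = 0; i < iterations; i++)
            if (!verify(data, sig)) throw new CryptographicException("verification failed");
        return (signMs, sw.Elapsed.TotalMilliseconds / iterations);
    }
    public static Dictionary<string, (double SignMs, double VerifyMs)> Run(int iterations = 50)
    {
        var results = new Dictionary<string, (double SignMs, double VerifyMs)>();
        var hash = HashAlgorithmName.SHA256;
        foreach (int size in new[] { 4 * 1024, 500 * 1024 })
        {
            var data = new byte[size];               // constructed test input
            new Random(3).NextBytes(data);
            using (RSA rsa = RSA.Create(2048))
                results[$"RSA/{size / 1024}KB"] = Time(
                    d => rsa.SignData(d, hash, RSASignaturePadding.Pkcs1),
                    (d, s) => rsa.VerifyData(d, s, hash, RSASignaturePadding.Pkcs1), data, iterations);
            try
            {
                using (DSA dsa = DSA.Create(2048))
                    results[$"DSA/{size / 1024}KB"] = Time(d => dsa.SignData(d, hash),
                        (d, s) => dsa.VerifyData(d, s, hash), data, iterations);
            }
            catch (PlatformNotSupportedException) { /* DSA is unavailable on some platforms */ }
        }
        return results;
    }
    public static void Main()
    {
        foreach (var kv in Run())
            Console.WriteLine($"{kv.Key,-10} sign {kv.Value.SignMs,7:F3} ms   verify {kv.Value.VerifyMs,7:F3} ms");
    }
}
```

Expect the same shape as the slides report: DSA signs faster, RSA verifies faster, and the gap between the 4KB and 500KB rows is dominated by hashing rather than by the key operation.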

  27. Conclusion As these tests demonstrate, authentication schemes, hashing algorithms, and cryptographic techniques carry varying amounts of overhead and therefore have very different performance characteristics. The size of the data passed to hashing algorithms, and to cryptographic techniques, is also significant. When designing a secure system, the implementation techniques should be chosen based on threat mitigation first and performance second. For instance, Basic authentication without SSL could be used for better performance, but no matter how fast it is, it is of no use in a system exposed to threats it does not mitigate. When authentication and data privacy are combined, the overall performance varies accordingly: the performance of a secure system depends on the combination of schemes being used.

  28. Reference
      http://msdn2.microsoft.com/en-us/library/ms978415.aspx
      http://www.ondotnet.com/pub/a/dotnet/2003/01/06/formsauthp1.html
