Secure Web Server Response Time Improved by Caching SSL Session Keys. Arthur Goldberg, Robert Buff, Andrew Schmitt [artg, buff, schm7136]@cs.nyu.edu Computer Science Department Courant Institute of Mathematical Science New York University. Workshop on Internet Server Performance, June 1998.
Outline
• HTTPS summary
• WebPerf System
• SSL Key Caching Performance
• HTTPS Streaming Performance
HTTPS
[Figure: protocol layers: HTTPS, SSL, TCP]
Establish a New SSL Connection
[Figure: message sequence between Client Browser and Web Server]
• TCP Connect
• SSL connect, creating new session key:
  • Hello
  • Hello, Certificate
  • Key exchange, Change Cipher Spec
  • Change Cipher Spec
Reestablish an SSL Connection
[Figure: message sequence between Client Browser and Web Server]
• TCP Connect: SYN, ACK/SYN
• SSL connect, reusing cached session key:
  • Client Hello
  • Server Hello, Change Cipher Spec
  • Finished
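The server-side choice between the two flows above, as an added example (not code from the slides or from SSLeay): a session cache keyed by the session ID the client offers in its hello, returning whether the full or the abbreviated handshake follows. The cache size, the 300-second lifetime and the counter-based IDs are assumptions made here; a real server issues random IDs and stores the negotiated master secret in the entry.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define ID_LEN   32    /* SSL session IDs are at most 32 bytes */
#define SLOTS    64    /* assumed cache size */
#define LIFETIME 300   /* assumed entry lifetime, seconds */
enum flow { FULL_HANDSHAKE, ABBREVIATED_HANDSHAKE };
struct entry { unsigned char id[ID_LEN], master[48]; time_t created; int used; };
struct cache { struct entry slot[SLOTS]; unsigned next; unsigned long counter; };

/* Return the live entry for the offered session ID, or NULL. */
static struct entry *lookup(struct cache *c, const unsigned char *id, size_t len, time_t now)
{
    if (len != ID_LEN) return NULL;            /* empty or malformed ID */
    for (int i = 0; i < SLOTS; i++) {
        struct entry *e = &c->slot[i];
        if (!e->used || memcmp(e->id, id, ID_LEN) != 0) continue;
        if (now - e->created < LIFETIME) return e;
        memset(e, 0, sizeof *e);               /* expired: drop the cached key */
        return NULL;
    }
    return NULL;
}

/* Server side of the hello exchange: decide which message flow follows. */
enum flow server_hello(struct cache *c, const unsigned char *offered, size_t len,
                       time_t now, unsigned char out_id[ID_LEN])
{
    struct entry *e = lookup(c, offered, len, now);
    enum flow f = e ? ABBREVIATED_HANDSHAKE : FULL_HANDSHAKE;
    if (!e) {                                  /* new session: certificate + key exchange */
        e = &c->slot[c->next++ % SLOTS];
        memset(e, 0, sizeof *e);
        c->counter++;
        memcpy(e->id, &c->counter, sizeof c->counter); /* stand-in for random bytes */
        e->created = now; e->used = 1;         /* master[] is filled by the key exchange */
    }
    memcpy(out_id, e->id, ID_LEN);
    return f;
}

int main(void)
{
    static struct cache c;
    unsigned char id[ID_LEN];
    int first = server_hello(&c, NULL, 0, 1000, id);   /* constructed timestamps */
    printf("first=%d resumed=%d\n", first, server_hello(&c, id, ID_LEN, 1010, id));
    return 0;
}
```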
Measured Calls

    Socket = connect( … );                                  /* TCP */
    SSL_struct = SSL_new();                                 /* create an SSL structure */
    SSL_set_fd( SSL_struct, Socket );                       /* bind to a socket */
    SSL_connect( SSL_struct );
    ret_code = SSL_write( SSL_struct, buffer, num_bytes );
    /* ... */
    ret_code = SSL_read( SSL_struct, buffer_pointer, num_bytes );

WebPerf Measurement System
[Figure: network diagram. Labels: New York University; Internet; T3; Hub; NYU intranet; 'WebPerf' robot on NT 4.0 PC; HTTPS Servers (NT Server running Netscape Enterprise Server 3.5.1 and Microsoft IIS 4.0); WebPerf DB (Oracle 7.3.x)]
WebPerf System
• Robot browser
  • Supports HTTP 1.0, SSL (SSLeay 0.8.1)
• Implementation
  • Visual C++ version 5.0, with optimization
  • Single-threaded
  • Measures millisecond resolution time with ftime()
  • Linked to SSLeay 0.8.1
  • Winsock 2.0 TCP
  • RogueWave and Oracle OCI database networking
• Oracle 7.3 SQL 92 Database
  • Experiments
  • Results
  • Other
Experimental setup
• Robot PC
  • 100 MHz Pentium with 32 MB of RAM with an NE 2000 NIC
  • On 10 Mbps Ethernet
• NYUnet
  • T3 connected to the Internet via NYSERnet
Connect times for https://wwwus.netscape.com, February 1998
[Figure: series: TCP connect, SSL reuse key, SSL create key]
Distribution of connect times for https://www.coned.com
[Figure: x-axis: ms; y-axis: percentage; series: TCP connect, SSL reuse key, SSL create key]
Distribution of connect times for https://intranet.nyu.edu
[Figure: x-axis: ms; y-axis: percentage; series: TCP connect, SSL reuse key, SSL create key, HTTP duration]
Decrease in Overall Response Time From Reusing Cached Session Key
Durations for Netscape Enterprise Server 3.5.1, secure (SSL)
[Figure: x-axis: KB; y-axis: ms; curves: 75%, 95%]
Durations for Netscape Enterprise Server 3.5.1, non-secure
[Figure: x-axis: KB; y-axis: ms; curves: 75%, 95%]
Linear fit for Netscape
• Secure: 730 bytes/ms
• Non-secure: 936 bytes/ms
Linear fit for IIS
• Secure: 689 bytes/ms
• Non-secure: 819 bytes/ms
Conclusions
• Measurements of secure systems can help improve performance
• Future work: evaluate other keys and systems