1 / 21

Cryptographic Execution Time for WTLS Handshakes on Palm OS Devices

This paper provides an overview of WAP browsers and handheld devices, a review of WTLS, benchmarking experiments, WTLS handshake timing estimates, and a discussion of the results. The study focuses on the security and performance of WTLS on Palm OS devices.

maureenw
Download Presentation

Cryptographic Execution Time for WTLS Handshakes on Palm OS Devices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptographic Execution Time for WTLS Handshakes on Palm OS Devices Neil Daswani neil@yodlee.com September 21, 2000

  2. Overview • WAP Browsers & Handhelds • A Review of WTLS • Benchmarking Experiments • WTLS Handshake Timing Estimates • Discussion of Results • Summary / Conclusions Private and Confidential, Yodlee.com, Inc.

  3. WAP Browsers & Handhelds: What is WAP? • WAP: Wireless Application Protocol • Created by WAP Forum • Founded June 1997 by Ericsson, Motorola, Nokia, Phone.com • 500+ member companies • Goal: Bring Internet content to wireless devices • WTLS: Wireless Transport Layer Security Private and Confidential, Yodlee.com, Inc.

  4. WAP Browsers & Handhelds: What is WAP? WTLS SSL Internet WAP Gateway Web Server Private and Confidential, Yodlee.com, Inc.

  5. WAP Browsers & Handhelds: Gaining Steam • Palm OS • AU Systems • 4th Pass kBrowser • Windows/PocketPC • EZOS EzWAP • Psion • Purple Software/Dynamical Systems Research • RIM • Neomar Private and Confidential, Yodlee.com, Inc.

  6. WAP Browsers & Handhelds: Security & Performance • Secure Connections: • Too long -> affects usability • Shorter keys -> too risky • How long does the crypto take? • Using different crypto. algs. • Using different authentication methods Private and Confidential, Yodlee.com, Inc.

  7. A Review of WTLS: WTLS Goals • WTLS Goals • Authentication • Privacy • Data Integrity • Authentication: Public-Key Crypto (CPU intensive!!!) • Privacy: Symmetric Crypto • Data Integrity: MACs Private and Confidential, Yodlee.com, Inc.

  8. A Review of WTLS: Crypto Basics • Public-Key Crypto • RSA (Rivest-Shamir-Adelman) • ECC (Elliptic Curve) • Certificates • Authentication • None, Client, Server, Mutual Private and Confidential, Yodlee.com, Inc.

  9. A Review of WTLS: Server-Authentication • Server-Authentication Only ClientHello -----------> ServerHello Certificate <----------- ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished -----------> <----------- Finished Application Data <----------> Application Data 1. Verify Server Certificate 2. Establish Session Key Private and Confidential, Yodlee.com, Inc.

  10. A Review of WTLS: Server-Authentication 1. Verify Server Certificate • ECC & RSA: Verify Signature 2. Establish Session Key • ECC: Generate ECC-DH Key Pair & Multiply • RSA: Encrypt w/ Server Public Key Private and Confidential, Yodlee.com, Inc.

  11. A Review of WTLS: Mutual-Authentication • Mutual-Authentication Client Hello -----------> ServerHello Certificate CertificateRequest <----------- ServerHelloDone Certificate ClientKeyExchange (only for RSA) CertificateVerify ChangeCipherSpec Finished -----------> <----------- Finished Application Data <----------> Application Data 1. Verify Server Certificate 2. Establish Session Key 3. Generate Signature Private and Confidential, Yodlee.com, Inc.

  12. A Review of WTLS: Mutual-Authentication 1. Verify Server Certificate • ECC & RSA: Verify Signature 2. Establish Session Key • ECC: Generate ECC-DH Key Pair & Multiply • RSA: Encrypt w/ Server Public Key 3. Verify Client Certificate • ECC & RSA: Signature Generation Private and Confidential, Yodlee.com, Inc.

  13. New Palm VII (Dragonball-EZ, 20MHz, PalmOS v.3.2.5) (ms) Palm V (Dragonball-EZ, 16.6MHz, PalmOS v.3.3) (ms) Old Palm VII (Dragonball, 16.6MHz, PalmOS v. 3.1) (ms) Benchmarking Experiments ECC Benchmarks (163-bit) Key Generation 372.4 514 556 Key Expansion[1] 254.8 350 378 Diffie-Hellman Key Agreement 335.6 462 500 ECC-DSA Signature Generation 514.8 713 773 ECC-DSA Signature Verification 1254 1740 1885 RSA Benchmarks(1024-bit)[2] Signature Generation 21734 27808 29628 Sig Verify (e=3) 598 758 790 Sig Verify (e=65537) 1482 1860 1966 RSA Encrypt 622 798 834 Private and Confidential, Yodlee.com, Inc. [1] Certicom’s ECC library requires that public keys be expanded into a more efficient representation before they can be operated on. These key expansions are not necessary in an RSA-based handshake, and hence the extra time to execute these operations was also modeled in the benchmarks. [2]The decryption timing measurements for RSA were measured for both of e=3 and e=65537. It should be noted that e=65537 is more commonly used for most security applications and public decryption operations take longer to execute with e=65537.

  14. Operation Cryptographic Primitive(s) Time Required (ms) WTLS Handshake Timing Estimates Server Certificate Verification RSA Signature Verification (Public decrypt, e=3) 598 Session Key Establishment RSA Encryption (Public encrypt) 622 TOTAL 1220 • Server-Authenticated Only: RSA Private and Confidential, Yodlee.com, Inc.

  15. WTLS Handshake Timing Estimates Operation Cryptographic Primitive(s) Time Required (ms) Server Certificate Verification CA Public Key Expansion 254.8 ECC-DSA Signature Verification 1254 Session Key Establishment ECC Key Generation (DH Ephemeral Key) 372.4 Server Public Key Expansion 254.8 Key Agreement 335.6 TOTAL 2471.6 • Server-Authenticated Only: ECC The cryptographic execution time for server-authenticated 1024-bit RSA handshakes is up to 2 times as fast as the cryptographic execution time for server-authenticated 163-bit ECC handshakes on the Palm VII. Private and Confidential, Yodlee.com, Inc.

  16. Operation Cryptographic Primitive(s) Time Required (ms) WTLS Handshake Timing Estimates Server Certificate Verification RSA Signature Verification (Public decrypt, e=3) 598 Session Key Establishment RSA Encryption (Public encrypt) 622 Client Authentication RSA Signature Generation (Private encrypt) 21734 TOTAL 22954 • Mutual-Authentication: RSA Private and Confidential, Yodlee.com, Inc.

  17. Operation Cryptographic Primitive(s) Time Required (ms) WTLS Handshake Timing Estimates Server Certificate Verification CA Public Key Expansion 254.8 ECC-DSA Signature Verification 1254 Session Key Establishment Server Public Key Expansion 254.8 Key Agreement 335.6 Client Authentication ECC-DSA Signature Generation 514.8 TOTAL 2614 • Mutual-Authentication: ECC The cryptographic execution time for mutually-authenticated 163-bit ECC handshakes is at least 8.64 times as fast as the cryptographic execution time for mutually-authenticated 1024-bit RSA handshakes on the Palm VII. Private and Confidential, Yodlee.com, Inc.

  18. Discussion of Results • Strictly CPU time • Optimizations • Store Expanded Keys • Mutually authenticated handshakes could be too expensive for 1024-bit RSAon constrained microprocessors. • Issue: who will sign ECC certificates? Private and Confidential, Yodlee.com, Inc.

  19. PDA Microprocessor Speed Discussion of Results Palm, Handspring Motorola Dragonball 16.6 – 20 MHz RIM Interactive Pager Intel 386 10 MHz Compaq Aero 1530 NEC/VR4111 MIPS RISC 70 MHz HP Jornada 820 Intel/StrongARM RISC SA-1100 190 MHz Casio Cassiopeia E-100 NEC/VR4121 MIPS 131 MHz Psion Revo ARM 710 36 MHz Psion Series 5 Digital/Arm 7100 18 MHz Private and Confidential, Yodlee.com, Inc.

  20. Summary / Conclusions • Cryptographic Execution Time for WTLS handshakes on wireless devices is significant. • Server-Authenticated 1024-bit RSA can be 2x as fast as 163-bit ECC • Mutually-Authenticated 163-bit ECC is at least 8x as fast as 1024-bit RSA Private and Confidential, Yodlee.com, Inc.

  21. References & Acknowledgements • References: • WAP Forum, Wireless Application Protocol Specification Version 1.1, 4.30.1998 • WAP Forum, Wireless Transport Layer Security Specification Version 1.1, 11.2.1999 • AU-Systems WAP Browser Home Page, http://www.wapguide.com/wapguide/browser.html • EZOS EzWAP Browser Page, http://www.ezos.com/ • Psion WAP Browser Beta Page, http://wap.psion.com/ • Neomar RIM WAP Browser Page, http://www.neomar.com/ • Neomar Press Release, http://www.neomar.com/press/00.05.23certicom.html • Acknowledgements: • Tim Dierks, Rob Lambert, Chris Hawk (Certicom) • Nagendra Modadugu (Stanford) Private and Confidential, Yodlee.com, Inc.

More Related