By Sandeep Gadi 12/20/2015

 Design choices for securing a system affect performance, scalability and usability. There is usually a tradeoff between security on one side and performance and usability on the other.

 Determine all the possible threats
 Vulnerabilities
 Attacks
 Accordingly, choose the techniques used to implement security based on threat mitigation first and performance second.

 Throughput and latency are the key performance indicators.
 For a given amount of data being returned, throughput is the number of client requests processed within a unit of time, typically one second (requests per second, RPS, in the figures).
 Latency is measured as response time, taken from the report that Application Center Test (ACT) generates for each test run.

 A server authenticates a client by accepting its credentials and validating them against a designated authority.
 Test: Get Default Page. A single ACT (Application Center Test) user sent a single request to the Web server. On requesting the page, the user was challenged to authenticate with a username and password. Once authenticated, the page was returned containing a simple string.

Figure 1. Authentication modes: RPS and response time

 With all the other authentication modes, the client is required to send additional authentication messages, each of which costs an extra round trip to the Web server. In Basic, Digest and Kerberos authentication the flow of HTTP headers looks like:
Figure 2. Authentication header flow

 Digest and Kerberos authentication are very similar in performance, although the overheads behind them differ.
 The biggest shortcoming of Digest authentication at the time of this comparison was that only a few browsers and Web servers supported it, which limited its widespread use.
 Basic authentication is extremely insecure on its own: the credentials are only base64-encoded, not encrypted, so anyone who can observe the request can decode them. It must only be used over TLS.
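The two header exchanges discussed above, as an added example (this is not code from the presentation, which measured the .NET stack; it uses Go's standard library): a Basic header and its trivial decoding, and the Digest challenge/response computation from RFC 2617 in its simplest (no qop) form, with the server verifying from a stored password hash only. The realm, nonce, URI and credentials are constructed values.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed challenge values for this example (assumptions, not values from
// the presentation or from any real server).
const (
	realm  = "example.local"
	nonce  = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
	method = "GET"
	uri    = "/default.aspx"
)

// md5hex is the primitive RFC 2617 Digest authentication is built on.
func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// basicHeader builds the Authorization header a Basic client sends after the
// 401 challenge: base64("user:password"). Encoding, not encryption.
func basicHeader(user, password string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+password))
}

// decodeBasic recovers the plaintext credentials from a Basic header; anyone
// who can read the request on the wire (no TLS) can do exactly this.
func decodeBasic(header string) (user, password string, err error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("malformed Basic credentials")
	}
	return parts[0], parts[1], nil
}

// digestResponse computes the RFC 2617 "response" value in its simplest form
// (no qop): MD5(HA1:nonce:HA2), HA1 = MD5(user:realm:password), HA2 = MD5(method:uri).
func digestResponse(user, password string) string {
	ha1 := md5hex(user + ":" + realm + ":" + password)
	ha2 := md5hex(method + ":" + uri)
	return md5hex(ha1 + ":" + nonce + ":" + ha2)
}

// digestHeader is the client's answer to the server's nonce challenge in the
// second round trip; the password itself never leaves the client.
func digestHeader(user, password string) string {
	return fmt.Sprintf(`Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"`,
		user, realm, nonce, uri, digestResponse(user, password))
}

// verifyDigest is the server side: it stores only HA1 (not the password),
// recomputes the expected response for the nonce it issued, and compares in
// constant time.
func verifyDigest(storedHA1, clientResponse string) bool {
	ha2 := md5hex(method + ":" + uri)
	expected := md5hex(storedHA1 + ":" + nonce + ":" + ha2)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(clientResponse)) == 1
}

func main() {
	user, pw := "alice", "s3cret"

	b := basicHeader(user, pw)
	u, p, _ := decodeBasic(b)
	fmt.Printf("Basic:  %s\n  decodes to %q / %q\n", b, u, p)

	d := digestHeader(user, pw)
	fmt.Printf("Digest: %s\n  contains password: %v\n", d, strings.Contains(d, pw))

	storedHA1 := md5hex(user + ":" + realm + ":" + pw)
	fmt.Println("server accepts correct password:", verifyDigest(storedHA1, digestResponse(user, pw)))
	fmt.Println("server accepts wrong password:  ", verifyDigest(storedHA1, digestResponse(user, "guess")))
}
```

Digest keeps the password off the wire, but it is still built on MD5 and a server-chosen nonce; a captured response can be replayed until the nonce expires, so the nonce lifetime and the qop=auth form with a client nonce matter in practice. Either scheme belongs behind TLS today.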

Figure 3. Authentication header flow

 ASP.NET Forms Authentication is slower than all of the Windows authentication schemes, most likely because it involves a couple of redirects before a page can be viewed.

 Cryptographic techniques provide data privacy, tamper detection and authentication for the data transmitted between server and client, assuming the shared secret (or, for asymmetric schemes, the private key) has not been exposed. The comparison focuses on:
 hashing algorithms SHA1 and MD5 (with SHA512 in the larger tests)
 symmetric algorithms DES, RC2, 3DES and Rijndael
 asymmetric algorithms RSA and DSA

Figure 4. Hash algorithms (4 KB): RPS and response time

Figure 5. Hash algorithms (135 KB): RPS and response time

 With an increase in data size, the performance difference between the algorithms grows. At 5 concurrent users, MD5 is around 33% faster than SHA1. That speed is not a reason to choose it: practical collision attacks on MD5 have been public since 2004 and chosen-prefix collisions have been used against real certificates, so MD5 must not be used where collision resistance matters (signatures, certificates, integrity of attacker-influenced data). SHA-1 collisions are also practical today; SHA-256 is the usual choice.
 The performance of SHA512 degrades with more data; it is around 55% slower than SHA1.

Figure 6. Hash algorithms (1 MB): RPS and response time

 The performance difference between the algorithms grows further with more data.
 MD5 is around 43% faster than SHA1 at a load of 5 concurrent users (around 20% faster at other user loads). SHA1 is around 72% faster than SHA512.
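To reproduce the kind of comparison in Figures 4 to 6 on your own hardware, here is an added example (not from the presentation, which used the .NET hash classes under ACT; this uses Go's standard library). It times MD5, SHA1, SHA512 and, as the replacement a practitioner would pick today, SHA256 over the slides' three payload sizes and reports throughput in MB/s; the payloads are constructed filler bytes.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"hash"
	"time"
)

// hashAlgos: the presentation's MD5, SHA1 and SHA512 plus SHA256, the usual
// replacement for the first two today.
var hashAlgos = map[string]func() hash.Hash{
	"MD5":    md5.New,
	"SHA1":   sha1.New,
	"SHA256": sha256.New,
	"SHA512": sha512.New,
}

// payloadSizes are the three sizes from Figures 4 to 6.
var payloadSizes = map[string]int{"4 KB": 4 << 10, "135 KB": 135 << 10, "1 MB": 1 << 20}

// throughputMBps hashes a constructed payload of `size` bytes `rounds` times
// and returns megabytes per second; a new hash object is created each round,
// as a request handler would do.
func throughputMBps(newHash func() hash.Hash, size, rounds int) float64 {
	data := make([]byte, size)
	for i := range data {
		data[i] = byte(i)
	}
	start := time.Now()
	for i := 0; i < rounds; i++ {
		h := newHash()
		h.Write(data)
		h.Sum(nil)
	}
	elapsed := time.Since(start).Seconds()
	return float64(size*rounds) / (1 << 20) / elapsed
}

// benchmarkHashes returns MB/s keyed by payload size and then by algorithm.
func benchmarkHashes(rounds int) map[string]map[string]float64 {
	out := make(map[string]map[string]float64)
	for sizeName, size := range payloadSizes {
		out[sizeName] = make(map[string]float64)
		for name, ctor := range hashAlgos {
			out[sizeName][name] = throughputMBps(ctor, size, rounds)
		}
	}
	return out
}

// relativeSpeed is the ratio the slides quote: "MD5 is ~33% faster than SHA1"
// means relativeSpeed(res, "MD5", "SHA1") is about 1.33.
func relativeSpeed(results map[string]float64, a, b string) float64 {
	return results[a] / results[b]
}

func main() {
	res := benchmarkHashes(100)
	for _, sz := range []string{"4 KB", "135 KB", "1 MB"} {
		fmt.Printf("%-6s", sz)
		for _, alg := range []string{"MD5", "SHA1", "SHA256", "SHA512"} {
			fmt.Printf("  %s %7.0f MB/s", alg, res[sz][alg])
		}
		fmt.Printf("  MD5/SHA1 %.2f  SHA1/SHA512 %.2f\n",
			relativeSpeed(res[sz], "MD5", "SHA1"), relativeSpeed(res[sz], "SHA1", "SHA512"))
	}
}
```

Expect the ratios to differ from the slides: on current 64-bit CPUs SHA512 often beats SHA256, and with SHA extensions SHA1 and SHA256 can outrun MD5, so the old "MD5 is fastest" intuition no longer holds.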

 The key and block sizes used by the algorithms to encrypt and decrypt data:
 RC2, 3DES and Rijndael also support other key lengths (DES is fixed at a 64-bit key, 56 bits effective); for these tests each algorithm was run with the maximum key length it supports.

Figure 7. Symmetric key algorithms (4 KB): RPS and response time

 RC2 turns out to be the slowest when the data being encrypted is small. It has an expensive up-front computation to build a key-dependent table, and that fixed cost dominates the cost of encrypting a small payload. RC2 is a variable key-length symmetric block cipher designed as an alternative to DES.

Figure 8. Symmetric key algorithms (100 KB): RPS and response time

Figure 9. Symmetric key algorithms (500 KB): RPS and response time

 Encryption using asymmetric key algorithms is very slow, especially when the data size is large.
 For bulk encryption, symmetric algorithms should be used.
 The asymmetric algorithms should be used for key exchange, that is, to protect the symmetric key rather than the data itself.
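The recommended split, as an added example (not code from the presentation; Go's standard library, with AES-256-GCM standing in for Rijndael and RSA-OAEP for the key exchange): the bulk data goes under a fresh symmetric key, only that key is encrypted with RSA, and a direct RSA encryption of the 500 KB payload from Figure 9 is rejected because RSA-OAEP with a 2048-bit key accepts at most 190 bytes. The envelope structure and its field names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// envelope is this example's wire format: the AES key wrapped with RSA-OAEP,
// plus the AES-GCM nonce and ciphertext.
type envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// generateKey makes the recipient's RSA key pair (2048 bits or more today).
func generateKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// encryptHybrid puts the bulk data under a fresh 256-bit AES-GCM key and uses
// the asymmetric algorithm only to protect that key.
func encryptHybrid(pub *rsa.PublicKey, plaintext []byte) (*envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), // ciphertext followed by 16-byte tag
	}, nil
}

// decryptHybrid unwraps the key with the private key, then decrypts; GCM's tag
// check makes Open fail on any modification of nonce or ciphertext.
func decryptHybrid(priv *rsa.PrivateKey, env *envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// encryptRSADirect is the anti-pattern: RSA-OAEP with a 2048-bit modulus and
// SHA-256 can encrypt at most 256 - 2*32 - 2 = 190 bytes per operation, so
// bulk data is rejected outright (and would be slow even if chunked).
func encryptRSADirect(pub *rsa.PublicKey, data []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
}

func main() {
	priv, err := generateKey(2048)
	if err != nil {
		panic(err)
	}
	msg := make([]byte, 500<<10) // constructed 500 KB payload, as in Figure 9
	if _, err := rand.Read(msg); err != nil {
		panic(err)
	}

	start := time.Now()
	env, err := encryptHybrid(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("hybrid encrypt of %d bytes: %v (wrapped key %d bytes)\n", len(msg), time.Since(start), len(env.WrappedKey))

	if _, err := encryptRSADirect(&priv.PublicKey, msg); err != nil {
		fmt.Println("direct RSA-OAEP on 500 KB:", err)
	}

	out, err := decryptHybrid(priv, env)
	fmt.Println("decrypt ok:", err == nil && len(out) == len(msg))
}
```

GCM also gives the tamper detection the slides list as a goal of cryptography: flipping one ciphertext byte makes decryption fail instead of silently returning garbage, which the CBC modes of the .NET classes in the original comparison do not provide on their own.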

Figure 10. Create signature (100 KB): RPS and response time

 As shown in Figure 10, DSA is around 29% faster than RSA when generating a digital signature. In the RSA signature process the private key is applied only to the (padded) message digest, and the result is the digital signature.
 Although it serves the same purpose, DSA does not encrypt the digest with the private key or decrypt it with the public key. Instead it uses modular-arithmetic functions to produce a signature composed of two 160-bit numbers (r and s), derived from the message digest, the private key and a fresh random value chosen for each signature.

Figure 11. Create signature (500 KB): RPS and response time. With more data, DSA is still faster than RSA.

Figure 12. Verify signature (100 KB): RPS and response time

Figure 13. Verify signature (500 KB): RPS and response time. With more data, the performance difference between the two algorithms becomes negligible; hashing the 500 KB message dominates the verification cost for both.
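Signing and verifying the digest, as an added example (not the presentation's code; Go's standard library, RSA PKCS#1 v1.5 with SHA-256 in place of the SHA1-based .NET classes): the private-key operation runs on the 32-byte digest only, so its cost is constant while hashing grows with the message, which is why the verify-time gap in Figure 13 shrinks at 500 KB. The messages are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// generateKey makes the signer's RSA key pair (2048 bits or more today).
func generateKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// signDigest hashes the whole message but applies the private key only to the
// 32-byte SHA-256 digest, as the slides describe for RSA signatures.
func signDigest(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifySignature recomputes the digest and checks it against the signature
// with the public key; any change to msg or sig makes this false.
func verifySignature(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// timeSplit separates the cost of hashing `size` bytes from the RSA sign and
// verify operations, which work on the fixed-size digest whatever the size.
func timeSplit(priv *rsa.PrivateKey, size int) (hashDur, signDur, verifyDur time.Duration) {
	msg := make([]byte, size) // constructed payload
	for i := range msg {
		msg[i] = byte(i)
	}
	t0 := time.Now()
	digest := sha256.Sum256(msg)
	hashDur = time.Since(t0)

	t1 := time.Now()
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	signDur = time.Since(t1)
	if err != nil {
		panic(err)
	}

	t2 := time.Now()
	if err := rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, digest[:], sig); err != nil {
		panic(err)
	}
	verifyDur = time.Since(t2)
	return
}

func main() {
	priv, err := generateKey(2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed message for the signature example")
	sig, err := signDigest(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature: %d bytes (the modulus size, not the message size)\n", len(sig))
	fmt.Println("verify original:", verifySignature(&priv.PublicKey, msg, sig))
	msg[0] ^= 0x01
	fmt.Println("verify tampered:", verifySignature(&priv.PublicKey, msg, sig))

	for _, size := range []int{100 << 10, 500 << 10} {
		h, s, v := timeSplit(priv, size)
		fmt.Printf("%3d KB: hash %v, sign %v, verify %v\n", size>>10, h, s, v)
	}
}
```

RSA verification uses the small public exponent, so it is far cheaper than signing; that asymmetry is why RSA verify looks competitive in Figures 12 and 13 even though DSA wins on signature creation.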

 When designing a secure system, the implementation techniques should be chosen based on threat mitigation first and performance second.
 The performance of a secure system will vary with the combination of schemes being used.

 us/library/ms978415(printer).aspx
 Improving .NET Application Performance and Scalability: Patterns & Practices, by J.D. Meier, Srinath Vasireddy, Ashish Babbar and Alex Mackman
 01-vb.aspx
 Programming .NET Components, by Juval Löwy