By Sandeep Gadi 12/20/2015
Design choices for securing a system affect performance, scalability and usability. There is usually a tradeoff between security on one side and performance and usability on the other.
Determine all the possible threats, vulnerabilities and attacks. Then choose the techniques used to implement security based on threat mitigation first and performance second.
Throughput and latency are the key performance indicators. For a given amount of data being returned, throughput is the number of client requests processed within a certain unit of time, typically one second. Latency is measured as response time, using the report generated by Application Center Test (ACT) for each test run.
A server authenticates a client by accepting its credentials and validating those credentials against some designated authority.
Get Default Page test: a single ACT user sends a single request to the server. Upon requesting the page, the user is prompted to authenticate by providing a username and password. Once the user is authenticated, the page is returned containing a simple string.
Figure 1. Authentication modes: RPS and response time
With all the other authentication modes, the client is required to send additional authentication messages, which take additional round trips to the Web server. In Basic, Digest, and Kerberos authentication, the flow of HTTP headers looks like:
Figure 2. Authentication header flow
Digest and Kerberos authentication modes are very similar in performance, but have different overheads associated with them. The biggest shortcoming of Digest authentication is that only a few browsers and Web servers support it, which limits its widespread use. Basic authentication is extremely insecure: the credentials are only base64-encoded, which is trivially decoded.
Figure 3. Authentication header flow
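To make the Basic versus Digest comparison above concrete, here is an added example (not part of the original deck) that simulates both header flows from the client's first request through the 401 challenge to the authenticated request. It uses constructed credentials, realm and URI, and implements the RFC 2617 Digest computation with algorithm=MD5 and no qop, so the server only needs the stored HA1 and a nonce-bound hash ever crosses the wire.

```python
import base64
import hashlib
import secrets

# Constructed credentials, realm and resource for the simulated exchange (not from the page).
USER, PASSWORD, REALM = "alice", "s3cret-example", "example-realm"
METHOD, URI = "GET", "/default.aspx"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def basic_exchange():
    """Basic: the client answers the 401 with base64(user:password).

    Returns the three messages on the wire and what an observer of an
    unencrypted connection recovers from the third one."""
    challenge = f'401 WWW-Authenticate: Basic realm="{REALM}"'
    token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    authorized = f"{METHOD} {URI} Authorization: Basic {token}"
    recovered = base64.b64decode(token).decode()  # base64 is encoding, not encryption
    return [f"{METHOD} {URI}", challenge, authorized], recovered


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 Digest, algorithm=MD5 without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(stored_ha1: str, nonce: str, method: str, uri: str, response: str) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, nonce, method, uri)
    return secrets.compare_digest(expected, response)


def digest_exchange(nonce: str = ""):
    """Digest: same extra round trip as Basic, but only a nonce-bound hash crosses the wire."""
    nonce = nonce or secrets.token_hex(16)  # fresh server nonce per challenge
    challenge = f'401 WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"'
    ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")  # client derives HA1; server stores it per user
    response = digest_response(ha1, nonce, METHOD, URI)
    authorized = (f'{METHOD} {URI} Authorization: Digest username="{USER}", realm="{REALM}", '
                  f'nonce="{nonce}", uri="{URI}", response="{response}"')
    ok = verify_digest(ha1, nonce, METHOD, URI, response)
    return [f"{METHOD} {URI}", challenge, authorized], ok
```

Both flows cost the same extra round trip; the difference is what the third message exposes to anyone who can read the unencrypted connection.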
ASP.NET Forms Authentication is slower than all of the Windows authentication schemes. This could be because it involves a couple of redirections before a page can be viewed.
Cryptography techniques provide data privacy, tamper detection, and authentication by encrypting the data transmitted between the server and client, assuming there is a pre-shared secret between them that has not been exposed. The tests focus on the hashing algorithms SHA1 and MD5, the symmetric algorithms DES, RC2, 3DES and Rijndael, and the asymmetric algorithms RSA and DSA.
Figure 4. Hash algorithms (4 KB): RPS and response time
Figure 5. Hash algorithms (135 KB): RPS and response time
As the data size increases, the performance difference between the algorithms grows. At 5 concurrent users, MD5 is around 33% faster than SHA1. Although there is not yet a known method to attack MD5, there are theoretical collisions that can be exploited against it. The performance of SHA512 degrades with more data: it is around 55% slower than SHA1.
Figure 6. Hash algorithms (1 MB): RPS and response time
The performance difference between the algorithms grows further as the data size increases. MD5 is around 43% faster than SHA1 at a user load of 5 concurrent users (around 20% faster at other user loads). SHA1 is around 72% faster than SHA
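The relative figures above come from the deck's 2015 test rig; the added example below (not from the original deck) reproduces the measurement idea with the standard library so the same three payload sizes can be re-run on any machine. It reports requests per second per algorithm and the ratio to SHA1, which is the baseline the slides use. Expect different ratios today: on 64-bit CPUs SHA512 is often faster than SHA1, and hardware SHA extensions change the picture again; independent of speed, MD5 and SHA1 are no longer collision-resistant and should not be used where collision resistance matters.

```python
import hashlib
import time

# Payload sizes from the deck's hash tests (4 KB, 135 KB, 1 MB); payload bytes are constructed.
SIZES = {"4 KB": 4 * 1024, "135 KB": 135 * 1024, "1 MB": 1024 * 1024}
ALGORITHMS = ("md5", "sha1", "sha512")


def hash_rps(algorithm: str, size: int, seconds: float = 0.2) -> float:
    """Hash operations per second for one `size`-byte payload, sampled over `seconds`."""
    payload = b"\x5a" * size
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hashlib.new(algorithm, payload).digest()
        count += 1
    return count / (time.perf_counter() - start)


def benchmark(algorithms=ALGORITHMS, sizes=SIZES, seconds: float = 0.2) -> dict:
    """Return {size_label: {algorithm: {"rps": ..., "vs_sha1": ...}}}.

    `vs_sha1` > 1.0 means the algorithm hashed more payloads per second than SHA1
    at that size, matching the "X% faster than SHA1" comparisons in the slides."""
    results = {}
    for label, size in sizes.items():
        rps = {alg: hash_rps(alg, size, seconds) for alg in algorithms}
        base = rps["sha1"]
        results[label] = {alg: {"rps": r, "vs_sha1": r / base} for alg, r in rps.items()}
    return results


if __name__ == "__main__":
    for label, row in benchmark().items():
        summary = {a: f"{v['rps']:.0f} rps, {v['vs_sha1']:.2f}x SHA1" for a, v in row.items()}
        print(label, summary)
```

Throughput here is per hash operation in a single process; the deck's RPS numbers include the whole ASP.NET request path, so absolute values are not comparable, only the ratios are.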
The key and block sizes used by the algorithms to encrypt and decrypt data:
DES, RC2, and Rijndael also support other key lengths, but for these tests the maximum key length supported by each of them is used to encrypt and decrypt the data.
Figure 7. Symmetric key algorithms (4 KB): RPS and response time
RC2 turns out to be the slowest method when the data being encrypted is small. It has an expensive up-front computation to build a key-dependent table, which is high relative to the cost of encrypting a small payload. RC2 is a variable key-length symmetric block cipher designed as an alternative to DES.
Figure 8. Symmetric key algorithms (100 KB): RPS and response time
Figure 9. Symmetric key algorithms (500 KB): RPS and response time
Encryption using asymmetric key algorithms is very slow, especially when the data size is large. For bulk encryption, symmetric algorithms should be used; the asymmetric algorithms can be used for key exchange.
Figure 10. Create signature (100 KB): RPS and response time
As shown in Figure 10, DSA is around 29% faster than RSA when generating a digital signature. In the RSA digital signature process, the private key is used to encrypt only the message digest; the encrypted digest becomes the digital signature. Although similar to RSA, DSA does not encrypt the message digest with the private key or decrypt it with the public key. Instead, DSA uses special mathematical functions to generate a digital signature composed of two 160-bit numbers that are derived from the message digest and the private key.
Figure 11. Create signature (500 KB): RPS and response time
With more data, DSA is still faster than RSA.
Figure 12. Verify signature (100 KB): RPS and response time
Figure 13. Verify signature (500 KB): RPS and response time
With more data, the performance difference between the two algorithms becomes negligible.
When designing a secure system, the implementation techniques should be chosen based on threat mitigation first and performance second. The performance of a secure system will vary depending on the combination of the various schemes being used.