
1 By Sandeep Gadi, 12/20/2015

2 Design choices for securing a system affect performance, scalability and usability. There is usually a tradeoff between security on one side and performance and usability on the other.

3 Determine all the possible threats:
- vulnerabilities
- attacks
Then choose the techniques used to implement security based on threat mitigation first and performance second.

4 Throughput and latency are the key performance indicators.
- Throughput: for a given amount of data being returned, the number of client requests processed within a unit of time, typically one second (requests per second, RPS).
- Latency: measured as response time, taken from the report that Application Center Test generates for each test run.

5 A server authenticates a client by accepting its credentials and validating those credentials against some designated authority.
Get Default Page: the test had a single ACT (Application Center Test) user send a single request to the server. On requesting the page, the user was asked to authenticate by providing a username and password. Once the user was authenticated, the page was returned containing a simple string.

6 Figure 1. Authentication modes: RPS and response time

7 With all the other authentication modes, the client is required to send additional authentication messages, which take additional round trips to the Web server. In Basic, Digest, and Kerberos authentication, the flow of HTTP headers looks like:
Figure 2. Authentication header flow

8 Digest and Kerberos authentication modes are very similar in performance, but have different overheads associated with them.
- The biggest shortcoming of Digest authentication is that only a few browsers and Web servers support it, which limits its widespread use.
- Basic authentication is extremely insecure: the credentials are only base64-encoded, which can be decoded trivially.
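The header flow from Figure 2 and the Basic-versus-Digest point above, as an added example that is not part of the presentation: a client and server exchange for both modes, using only the standard library. Credentials, realm and URI are constructed sample values; the Digest computation follows the RFC 2617 scheme (MD5 of user:realm:password, then of method:uri, then of HA1:nonce:HA2).

```python
import base64
import hashlib
import secrets

# Constructed sample credentials and request (not taken from the slides).
USER, PASSWORD, REALM = "alice", "s3cret", "example"
METHOD, URI = "GET", "/default.aspx"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_authorization(user: str, password: str) -> str:
    """Second round trip of Basic auth: the credentials are merely base64-encoded."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_decode(header: str) -> tuple:
    """Anyone who sees the header on an unencrypted link recovers user and password."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def digest_challenge(realm: str) -> dict:
    """First round trip: the server answers 401 with a realm and a fresh nonce."""
    return {"realm": realm, "nonce": secrets.token_hex(16)}


def digest_response(user: str, password: str, challenge: dict, method: str, uri: str) -> str:
    """Client side: the response binds password, nonce, method and URI; the
    cleartext password never leaves the client."""
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{challenge['nonce']}:{ha2}")


def digest_verify(stored_ha1: str, response: str, challenge: dict, method: str, uri: str) -> bool:
    """Server side: only HA1 (MD5 of user:realm:password) needs to be stored,
    and the comparison is constant-time."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{challenge['nonce']}:{ha2}")
    return secrets.compare_digest(expected, response)
```

The extra challenge round trip is exactly the cost the slides measure; what Digest buys for it is that the password is not on the wire, at the price of still relying on MD5.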

9 Figure 3. Authentication header flow

10 ASP.NET Forms Authentication is slower than all of the Windows authentication schemes. This is probably because it involves a couple of redirections before a page can be viewed.

11 Cryptography techniques provide data privacy, tamper detection, and authentication by encrypting the data transmitted between server and client, assuming a pre-shared secret between them that has not been exposed. The tests focus on:
- hashing algorithms SHA1 and MD5
- symmetric algorithms DES, RC2, 3DES and Rijndael
- asymmetric algorithms RSA and DSA

12 Figure 4. Hash algorithms (4 KB): RPS and response time

13 Figure 5. Hash algorithms (135 KB): RPS and response time

14 As the data size increases, the performance difference between the algorithms grows. At 5 concurrent users, MD5 is around 33% faster than SHA1. Although there is not yet a known method to attack MD5, there are theoretical collisions that can be exploited against it.
- The performance of SHA512 degrades with more data: it is around 55% slower than SHA1.

15 Figure 6. Hash algorithms (1 MB): RPS and response time

16 The performance difference between the algorithms increases further with more data.
- MD5 is around 43% faster than SHA1 at a load of 5 concurrent users (at other user loads it is around 20% faster).
- SHA1 is around 72% faster than SHA512.
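The hash measurements in Figures 4 to 6 can be reproduced for a single client without the Web tier, as in this added example (not code from the presentation): each algorithm hashes a constructed payload of the slides' three sizes for a fixed time budget, and throughput is reported relative to SHA1 so the percentages can be compared with the slides. The absolute ordering on a modern CPU may differ from 2015 hardware, which is the point of measuring rather than assuming.

```python
import hashlib
import time
from typing import Dict

ALGORITHMS = ("md5", "sha1", "sha512")
# Payload sizes used in the presentation's Figures 4, 5 and 6.
SIZES = {"4 KB": 4 * 1024, "135 KB": 135 * 1024, "1 MB": 1024 * 1024}


def hashes_per_second(algorithm: str, payload: bytes, seconds: float = 0.2) -> float:
    """Hash the same payload repeatedly for a wall-clock budget and return
    operations per second: the single-client analogue of RPS with no
    network or ASP.NET overhead in the way."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        hashlib.new(algorithm, payload).digest()
        count += 1
    return count / (time.perf_counter() - start)


def relative_throughput(seconds: float = 0.2) -> Dict[str, Dict[str, float]]:
    """For each payload size, throughput of every algorithm normalised to SHA1:
    1.0 means equal to SHA1, 1.33 means 33% faster, 0.45 means 55% slower."""
    results: Dict[str, Dict[str, float]] = {}
    for label, size in SIZES.items():
        payload = b"\x5a" * size  # constructed payload; content does not change the cost
        rates = {alg: hashes_per_second(alg, payload, seconds) for alg in ALGORITHMS}
        results[label] = {alg: rates[alg] / rates["sha1"] for alg in ALGORITHMS}
    return results


if __name__ == "__main__":
    for label, ratios in relative_throughput().items():
        print(label, {alg: f"{ratio:.2f}x SHA1" for alg, ratio in ratios.items()})
```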

17 The key and block sizes used by the algorithms to encrypt and decrypt data:
3DES, RC2, and Rijndael also support other key lengths, but for these tests each algorithm encrypts and decrypts with the maximum key length it supports.

18 Figure 7. Symmetric key algorithms (4 KB): RPS and response time

19 RC2 turns out to be the slowest method when the data being encrypted is small. It has an expensive up-front computation to build a key-dependent table, which is apparently high compared to the cost of encrypting a small amount of data. RC2 is a variable key-length symmetric block cipher designed as an alternative to DES.

20 Figure 8. Symmetric key algorithms (100 KB): RPS and response time

21 Figure 9. Symmetric key algorithms (500 KB): RPS and response time

22 Encryption using asymmetric key algorithms is very slow, especially when the data size is large.
- For bulk encryption, symmetric algorithms should be used.
- The asymmetric algorithms can be used to do key exchange.

23 Figure 10. Create signature (100 KB): RPS and response time

24 As shown in Figure 10, DSA is around 29% faster than RSA when generating a digital signature. In the RSA digital signature process, the private key is used to encrypt only the message digest; the encrypted digest becomes the digital signature.
- Although similar to RSA, DSA does not encrypt the message digest with the private key or decrypt it with the public key. Instead, DSA uses special mathematical functions to generate a digital signature composed of two 160-bit numbers derived from the message digest and the private key.

25 Figure 11. Create signature (500 KB): RPS and response time
With more data, DSA is still faster than RSA.

26 Figure 12. Verify signature (100 KB): RPS and response time

27 Figure 13. Verify signature (500 KB): RPS and response time
With more data, the performance difference between the two algorithms has become negligible.

28 When designing a secure system, the implementation techniques should be chosen based on threat mitigation first and performance second.
- The performance of a secure system will vary depending on the combination of schemes being used.

29 References
- http://msdn.microsoft.com/en-us/library/ms978415(printer).aspx
- Improving .NET Application Performance and Scalability: Patterns & Practices, by J.D. Meier, Srinath Vasireddy, Ashish Babbar and Alex Mackman
- http://www.asp.net/Learn/Security/tutorial-01-vb.aspx
- Programming .NET Components, by Juval Löwy
