Title: Secure Web Server Response Time Improved by Caching SSL
1. Secure Web Server Response Time Improved by Caching SSL Session Keys
- Arthur Goldberg, Robert Buff, Andrew Schmitt
- artg, buff, schm7136_at_cs.nyu.edu
- Computer Science Department
- Courant Institute of Mathematical Science
- New York University
Workshop on Internet Server Performance, June 1998
2. Outline
- HTTPS summary
- WebPerf System
- SSL Key Caching Performance
- HTTPS Streaming Performance
3. HTTPS
HTTPS
SSL
TCP
4. Establish a New SSL Connection
[Diagram: message exchange between Client Browser and Web Server. Labels, in order:]
- TCP Connect
- Hello
- Hello, Certificate
- SSL connect, Creating new Session Key
- Key exchange, Change Cipher Spec
- Change Cipher Spec
5. Reestablish an SSL Connection
[Diagram: message exchange between Client Browser and Web Server. Labels, in order:]
- SYN
- TCP Connect
- ACK/SYN
- Client Hello
- Server Hello, Change Cipher Spec, Finished
6. Measured Calls
Socket = connect( )  /* TCP */
SSL_struct = SSL_new()  /* create an SSL structure */
SSL_set_fd( SSL_struct, Socket )  /* bind to a socket */
ret_code = SSL_connect( SSL_struct )
ret_code = SSL_write( SSL_struct, buffer, num_bytes )
...
ret_code = SSL_read( SSL_struct, buffer_pointer, num_bytes )
7. WebPerf Measurement System
[Diagram. Labels:]
- New York University
- Internet
- Hub
- NT Server running
- 'WebPerf' robot on NT 4.0 PC
- Netscape Enterprise Server 3.5.1 and Microsoft IIS 4.0
- NYU intranet
- Oracle 7.3.x
- T3
- HTTPS Servers
- WebPerf DB
8. WebPerf System
- Robot browser
  - Supports HTTP 1.0, SSL (SSLeay 0.8.1)
- Implementation
  - Visual C++ version 5.0, with optimization
  - Single-threaded
  - Measures time at millisecond resolution with ftime()
  - Linked to SSLeay 0.8.1
  - Winsock 2.0 TCP
  - RogueWave and Oracle OCI database networking
- Oracle 7.3 SQL 92 Database
  - Experiments
  - Results
  - Other
9. Experimental setup
- Robot PC
  - 100 MHz Pentium with 32 MB of RAM and an NE 2000 NIC
  - On 10 Mbps Ethernet
- NYUnet
  - T3 connected to the Internet via NYSERnet
10. Connect times for https://wwwus.netscape.com
February, 1998
11. Distribution of connect times for https://www.coned.com
[Chart: percentage (y-axis) against connect time in ms (x-axis). Series: TCP connect, SSL reuse key, SSL create key]
12. Distribution of connect times for https://intranet.nyu.edu
[Chart: percentage (y-axis) against time in ms (x-axis). Series: TCP connect, SSL reuse key, SSL create key, HTTP duration]
13. Secure Hosts Studied
14. Decrease in Overall Response Time From Reusing Cached Session Key
15. Durations for Netscape Enterprise Server 3.5.1, secure (SSL)
[Chart: ms (y-axis) against KB (x-axis). Curves labelled 75 and 95]
16. Durations for Netscape Enterprise Server 3.5.1, non-secure
[Chart: ms (y-axis) against KB (x-axis). Curves labelled 75 and 95]
17. Linear fit for Netscape
- Secure: 730 bytes/ms
- Non-secure: 936 bytes/ms
18. Linear fit for IIS
- Secure: 689 bytes/ms
- Non-secure: 819 bytes/ms
19. Conclusions
- Measurements of secure systems can help improve performance
- Future work: evaluate other keys and systems