Secure Web Server Response Time Improved by Caching SSL

1
Secure Web Server Response Time Improved by
Caching SSL Session Keys

• Arthur Goldberg, Robert Buff, Andrew Schmitt
• artg, buff, schm7136_at_cs.nyu.edu
• Computer Science Department
• Courant Institute of Mathematical Science
• New York University

Workshop on Internet Server Performance, June
1998
2
Outline

• HTTPS summary
• WebPerf System
• SSL Key Caching Performance
• HTTPS Streaming Performance

3
HTTPS
HTTPS
SSL
TCP
4
Establish a New SSL Connection
Client Browser
Web Server
TCP Connect
Hello
Hello, Certificate
SSL connect, Creating new Session Key
Key exchange, Change Cipher Spec
Change Cipher Spec
5
Reestablish an SSL Connection
Client Browser
Web Server
SYN
TCP Connect
ACK/SYN
Client Hello
Server Hello, Change Cipher Spec Finished
6
Measured Calls
Socket connect( ) / TCP / SSL_struct
SSL_new() / create an SSL structure
/ SSL_set_fd( SSL_struct, Socket ) / bind to a
socket/ SSL_connect( SSL_struct ) ret_code
SSL_write( SSL_struct, buffer, num_bytes) o o
o ret_code SSL_read( SSL_struct,
buffer_pointer, num_bytes)
7
WebPerf Measurement System
New York University
Internet
Hub
NT Server running
'WebPerf' robot on NT 4.0 PC
Netscape Enterprise Server 3.5.1
and
Microsoft IIS 4.0
NYU intranet
Oracle
7.3.x
T3
HTTPS Servers
WebPerf DB
8
WebPerf System

• Robot browser
• Supports HTTP 1.0, SSL (SSLeay 0.8.1)
• Implementation
• Visual C version 5.0, with optimization
• Single-threaded
• Measures millisecond resolution time with ftime()
• Linked to SSLeay 0.8.1
• Winsock 2.0 TCP
• RogueWave and Oracle OCI database networking
• Oracle 7.3 SQL 92 Database
• Experiments
• Results
• Other

9
Experimental setup

• Robot PC
• 100 MHz Pentium with 32 MB of RAM with a NE 2000
  NIC
• On 10 Mbps Ethernet
• NYUnet
• T3 connected to be Internet via NYSERnet

10
Connect times for https//wwwus.netscape.com
February, 1998
11
Distribution of connect times for
https//www.coned.com
percentage
TCP connect
80
70
SSL reuse key
60
50
SSL create key
40
30
20
10
ms
25
50
75
100
125
150
175
12
Distribution of connect times for
https//intranet.nyu.edu
percentage
100
TCP connect
80
SSL reuse key
60
SSL create key
40
HTTP duration
20
ms
50
100
150
200
13
Secure Hosts Studied
14
Decrease in Overall Response Time From Reusing
Cached Session Key
15
Durations for Netscape Enterprise Server 3.5.1,
secure (SSL)
ms
300
250
200
75
95
150
100
50
KB
0
0
20
40
60
80
100
120
16
Durations for Netscape Enterprise Server 3.5.1,
non-secure
ms
300
250
200
75
95
150
100
50
KB
0
0
20
40
60
80
100
120
17
Linear fit for Netscape
Secure 730 bytes/ms
Non-secure 936 bytes/ms
18
Linear fit for IIS
Secure 689 bytes/ms
Non-secure 819 bytes/ms
19
Conclusions

• Measurements of secure systems can help improve
  performance
• Future work evaluate other keys and systems