The Secure Socket Layer protocol influence on the query response time in a computer management system

Theoretical and Applied Informatics ISSN 1896 5334 Vol.21 (2009), no. 3-4 pp. 239 246 The Secure Socket Layer protocol influence on the query response time in a computer management system PIOTR PIKIEWICZ a a Academy of Business in Dąbrowa Górnicza ul. Cieplaka 1c, Dąbrowa Górnicza, Poland e-mail: ppikiewicz@wsb.edu.pl Received 17 November 2009, Revised 30 November 2009, Accepted 15 December 2009 Abstract: Information security is one of the essential issues in contemporary computer systems. One of the main risks appearing in the networks is to obtain the access to the transmitted data. There is no data encryption mechanism in the TCP/IP protocol standard. The SSL protocol is one of the known method to ensure the security of the transmitted data. Employing the SSL protocol is the universally accepted tool to grant security in the computer management systems. This paper deals with the influence of using the SSL protocol on the response time to the query sent to the computer management system by a user located in The Wide Area Network. The results of the measurement in the real environment are presented. Keywords: Security, Transmission Control Protocol, Secure Socket Layer 1. Introduction Information security is one of the essential issues in contemporary computer systems. One of the main risks appearing in the network is to obtain the access to the transmitted data. There is no data encryption mechanism in the TCP/IP protocol standard. The SSL protocol is one of the known method to ensure the security of the transmitted data. Intercepting the transmission and reading the content of the sent packets are relatively easy while using the accessible, the so called sniffers, Internet programs such as Wireshark or Tcpdump. One of the commonly used mechanisms increasing the security of transmitted data is the SSL protocol [1] (Secure Socket Layer) suggested in 1994 by the Netscape Company as a protocol fulfilling the function of the secure transmission of the enciphered data beam (in 1999 the standard TLS 1.0, which is sometimes defined as SSL 3.1 SSL, was published). SSL is the protocol of a client-server type enabling the safe connection with

240 the usage of certificates. It has been located in the TCP/IP stack between the application and transport layers (Fig. 1) and it can also use the RSA cipher algorithm [4] as well as the certificates given to servers by the organizations such as: Thawte or Verisign. The critical parameter defining the power of SSL ciphering is the length of used keys. For the asymmetrical keys, the suggested length is 1024 bites. Application Layer Application Application Application SSL layer SSL SSL SSL Transport Layer TCP UDP Internet Layer IP Network Interface Interface Fig. 1. Locating the SSL protocol in the TCP/IP protocols stack The SSL protocol establishes a connection in a different manner rather than in the case of the used in the TCP/IP protocol [2] Three-way handshake. A client sends a connection request containing, among others, the SSL protocol version, the session identifier, permitted ciphering and data compression methods as well as a random number used in keys generating (ClientHello) to a server. A server answers using the same connection request (ServerHello) containing connection parameters (Fig. 2). Next it sends its certificate to let a client check his identity (Certificate), information about his public key (ServerKeyExchange) as well as an announcement informing a client that he can precede to the next phase of establishing a connection (ServerHelloDone). A client, on the basis of previously sent 2 random numbers (his and server s), generates a session key which is used to an actual data exchange. A client sends a session key to a server using the server s public key (ClientKeyExchange), next he informs a server that he can switch to a ciphered communication (ChangeCipherSpec) and he declares his readiness to receive a ciphered data (Finished). A server informs a client about the order execution (ChangeCipherSpec) and it starts sending only the ciphered information. The first information sent via the safe channel is the confirmation of establishing a connection (Finished). Using the SSL protocol increases the security of transmited data but it can cause the lengthening of data sending time in comparison with the data transmission using the TCP/IP protocol. The SSL protocol, apart from the more complicated and demanding a

241 Fig. 2. Method of establishing a connection with a server by means of the SSL protocol bigger number of information process of establishing connection, provides ciphering of sent data. These all additional operations should cause the increase of data preparation time as well as the lengthening of sending time. 2. Researching the influence of the SSL protocol on the response time to a query sent to the computer management system Applying mechanisms increasing the security can influence the speed of sending information. In order to check how the application of the SSL protocol influences the effective speed of a transmision, the experiment, whose aim was the comparison of answer time for a client query sent to a management system in a situation when information is transmitted via a ciphered connection and when a transmission takes place without using security mechanisms, was conducted. In the article there have been presented the results of the experiments, whose aim was to assess the influence of mechanisms increasing the security of a data transmission on the response time of a management system in a Wide Area Network. The response time for a query to a system (Fig. 3) is defined by a equation: T = t1 + t2 + t3 + t4 (1)

242 where: t1 processing query time by a data base server, t2 summary time of sending a query from a WWW Server to a Database Server and an answer for a query in the opposite direction, t3 summary time of a query and a response processing by a WWW Server, t4 summary time of transmitting a query and a response of a system in the Wide Area Network. Database Query Query Database Server WWW Serwer INTERNET Client Station Database Answer Answer t1 t2 t3 t4 Fig. 3. Component elements of a total response time for an external client query to a management system In the research, the Client Station generated a query causing a transmission of 842544 bytes of data from a computer management system. The measurement was performed for the case when each query sent to a system needs establishing a new connection. A query was selected in such a way so that the amount of generated data should correspond with the most often appearing query used by system clients. The query size was selected as an average size for a computer management system described in [12]. The measured size was the data transmission time. The research station used in experiments is shown in Fig. 4. The mesurements were conducted on the Client Station located in an independent Local Area Network possessing its own Internet connection: Internet DSL 1 Mb, which was delivered by the Telekomunikacja Polska S.A. operator. A Client Station was a standard PC computer equipped with the Linux operating system and with the tcpdump [5] program used to collect the measuring data. In order to make possible to establish a connection via a secure channel, in the WWW Server there was installed the 3.1 version of the SSL protocol. The data ciphering was realized by means of the RSA algorithm with the asymmetric key of 1024 bits. The measurements were carried out in a client computer. The data was downloaded by means of the Mozilla Firefox Internet browser through sending a query to the computer management system. The data sending time was measured from the moment of sending a connection request by a Client Station to the moment of sending a confirmation of finishing a connection by the same station. The time was measured in the case of using the same query, that is for the same amount of data, both in the case of a connection with the application

243 Fig. 4. Topology of a network used in the experiment Fig. 5. Comparing the average response time for an external client query sent to a computer management system with the SSL protocol application and without security mechanisms

244 of the SSL protocol and in the case of a connection without a safe data transmission. Fig. 5 presents the obtained results. The application of the SSL protocol, as a secure data transmission mechanism in the computer management system, causes the insignificant system respond time increasing. The approximate respond time (for 20 measure trials Fig. 6) for a secure connection with the application of certificates is longer by 133 milliseconds in the comparison with the time measured for a connection without applying the SSL protocol. It gives the increase by 0.39% in relation to the time without the SSL mechanism. The situation is analogical in the case of comparing the minimal and maximal transmission time in such cases when the increase of the transmission time from 1.35% to 2.55% is observed. Fig. 6. Comparing the measurement results 3. Sumary Relatively the small difference between these values inclines to certain reflections. The SSL protocol application should increase the data transmission time. The method of establishing a connection requireing, among others, sending the server certificate, the public key and the session key, causes the necessity of transmiting a bigger amount of information than it happens in the case of a ordinary TCP connection. All sent information is ciphered using a session key, what causes the increase usage of a server s resources. Clients queries to a computer management system of a researched object often cause the transmission from 500 kb to 2,5 MB of information. While sending a bigger amount of data, the difference in the sending time between a transmission with the SSL protocol application and without this mechanism, can be different. The presented results treat only the case of the SSL protocol application in the computer management system where queries sent do not cause a transmission of a big amount of data. Conducted research will be foundation of the design of an analytical traffic model using protocols, improving data transfer security.

245 References 1. S. Thomas: SSL and TLS Essentials, Wiley and Sons 2000. 2. RFC 791 Internet Protocol, Darpa Internet Program Protocol Specyfication. IETF 1981, http://www.ietf.org/rfc/rfc791.txt. 3. RFC 793 Tramsmision Control Protocol. http://www.ietf.org/rfc/rfc793.txt. 4. H. Thomas, Cormen.: Algorytmy Teorioliczbowe we Wprowadzenie do algorytmów. Wyd. VII. Warszawa, 2005 WNT, s. 902-909. 5. Program tcpdump, http://www.tcpdump.org. 6. R. Blum: Network Performance: Open Source Toolkit, Wiley and Sons, USA 2003. 7. A. Domański, J. Domańska, T. Czachórski: Badanie mechanizmów kontroli przeciażenia w TCP zaimplementowanych w systemie operacyjnym Linux. [W]: Nowe Technologie Sieci Komputerowych, wyd. WKŁ, Warszawa 2006. 8. A. Grzywak: Bezpieczeństwo informacji w rozległych systemach zarzadzania. [W:] Techniczne i społeczne problemy zastosowania Internetu. Internet w spoleczeństwie informacyjnym. Praca zbiorowa pod red. Andrzej Grzywak, Piotr Pikiewicz, WKŁ 2005 s. 199-204. 9. M. Hassan, R. Jain: Wysoko wydajne sieci TCP/IP, wydawnictwo Helion, Gliwice 2005. 10. A. Tanenbaum: Sieci komputerowe, Wydawnictwo Helion, Gliwice 2004. 11. P. Van Mieghem: Performance Analysis of Communications Networks and Systems, Cambridge University Press, 2006. 12. P. Pikiewicz: Komputerowe systemy zarządzania szkołą wyższą analiza wydajności i bezpieczeństwa., PhD Thesis, Institut of Theoretical and Applied Informatics, Gliwice 2009. Wpływ protokołu SSL na czas odpowiedzi systemu wspomagajacego zarzadzanie Streszczenie Bezpieczeństwo przesyłania informacji jest jednym z ważniejszych zagadnień we współczesnych systemach komputerowych. Jednym z podstawowych zagrożeń występujących w sieci jest uzyskanie dostępu do przesyłanych danych przez osoby niepowołane. Protokół TCP/IP nie zawiera w standardzie żadnych mechanizmów szyfrowania danych. Jednym z powszechnie stosowanych mechanizmów zwiększających bezpieczeństwo przesyłania danych jest protokół SSL służący do bezpiecznej transmisji zaszyfrowanego strumienia danych. SSL, jest protokołem typu klient serwer umożliwiającym nawiązanie bezpiecznego połączenia z użyciem certyfikatów i będący powszechnie stosowanym narzędziem zwiększającym bezpieczeństwo systemów wspomagających zarządzanie. W artykule przedstawiono wyniki przeprowa-

246 dzonych eksperymentów, których celem było oszacowanie wpływu mechanizmów zwiększających bezpieczeństwo przesyłania informacji na czas odpowiedzi systemu wspomagającego zarządzanie w sieci rozległej. Badania przeprowadzono pomiędzy stacją klienta znajdującą się w niezależnej sieci lokalnej posiadającej własne łącze internetowe i systemem wspomagającym zarządzanie (Fig. 4), przy zastosowaniu protokołu SSL w wersji 3.1 algorytmu szyfrowania RSA z kluczem asymetrycznym o długości 1024 bity. Zastosowanie protokołu SSL, jako mechanizmu bezpiecznego przesyłania danych w systemie wspomagającym zarządzanie, powoduje nieznaczne wydłużenie czasu transmisji danych (Fig. 5, 6). Stosunkowa niewielka różnica pomiędzy tymi wartościami, skłania jednak do pewnych refleksji. Użycie protokołu SSL, w sposób oczywisty, powinno wydłużyć czas transmisji danych. Sam sposób nawiązywania połączenia, podczas którego następuje przesłanie między innymi certyfikatu serwera, klucza publicznego serwera oraz klucza sesji, powoduje konieczność przesłania większej liczby informacji, niż ma to miejsce w przypadku zwykłego połączenia TCP. Wszystkie przesyłane informacje są szyfrowane z użyciem klucza sesji, co powoduje zwiększone użycie zasobów serwera. Zapytania klientów do systemu wspomagającego zarządzanie badanego obiektu najczęściej powodują przesłanie od 500 kb do 2,5 MB (do przypadku zastosowania algorytmu SSL w konkretnym systemie wspomagającym zarządzanie).