Abstract
TLS is the protocol of choice for securing today's e-commerce and online transactions but adding TLS to a Web server imposes a significant overhead relative to an insecure Web server on the same platform. We perform a comprehensive study of the performance costs of TLS. Our methodology is to profile TLS Web servers with trace-driven workloads, replace individual components inside TLS with no-ops, and measure the observed increase in server throughput. We estimate the relative costs of each TLS processing stage, identifying the areas for which future optimizations would be worthwhile. Our results show that while the RSA operations represent the largest performance cost in TLS Web servers, they do not solely account for TLS overhead. RSA accelerators are effective for e-commerce site workloads since they experience low TLS session reuse. Accelerators appear to be less effective for sites where all the requests are handled by a TLS server because they have a higher session reuse rate. In this case, investing in a faster CPU might provide a greater boost in performance. Our experiments show that having a second CPU is at least as useful as an RSA accelerator. Our results seem to suggest that, as CPUs become faster, the cryptographic costs of TLS will become dwarfed by the CPU costs of the nonsecurity aspects of a Web server. Optimizations aimed at general purpose Web servers should continue to be a focus of research and would benefit secure Web servers as well.
- Alteon. 2002. Alteon web switching Portfolio. http://www.nortelnetworks.com/products/01/alteon/alt180/.]]Google Scholar
- Amazon.com. 2001. Amazon.Com releases 2001 first quarter results. Press Release. http://www.sec.gov/Archives/edgar/data/1018724/000095010901500823/dex991.htm.]]Google Scholar
- Anderson, E. W. and Pasquale, J. 1995. The performance of the container shipping I/O system. In Proceedings of the 15th ACM Symposium on Operating System Principles. Copper Mountain, CO, ACM, 229.]] Google Scholar
- Apostolopoulos, G., Peris, V., and Saha, D. 1999. Transport layer security, How much does it really cost? In Proceedings of the 18th Conference on Computer Communications. New York, NY.]]Google Scholar
- Banga, G. and Druschel, P. 1999. Measuring the capacity of a Web server under realistic loads. World Wide Web J. (Special Issue on World Wide Web Characterization and Performance Evaluation) 2, 1--2, 69--83.]] Google Scholar
- Banga, G., Druschel, P., and Mogul, J. C. 1998. Better operating system features for faster network servers. In Proceedings of the Workshop on Internet Server Performance. Condensed version appears in ACM SIGMETRICS Performance Evaluation Review 26, 3, 23--30.]] Google Scholar
- Banga, G. and Mogul, J. C. 1998. Scalable kernel performance for Internet servers under realistic loads. In Proceedings of the 1998 Usenix Technical Conference.]] Google Scholar
- Banga, G., Mogul, J. C., and Druschel, P. 1999. A scalable and explicit event delivery mechanism for UNIX. In Proceeding of the Usenix 1999 Annual Technical Conference. Monterey, CA.]] Google Scholar
- Banks, D. and Prudence, M. 1993. A high-performance network architecture for a pa-risc workstation. IEEE J. Selected Area Comm. 11, 2 (Feb.), 191--202.]]Google Scholar
- Bas, A., Buch, V., Vogels, W., and von Eicken, T. 1995. U-Net: A user-level network interface for parallel and distributed computing. In Proceedings of the 15th ACM Symposium on Operating System Principles. 40--53.]] Google Scholar
- Boneh, D. and Shacham, H. 2001. Improving SSL handshake performance via batching. In Proceedings of the RSA Conference. San Francisco, CA.]] Google Scholar
- Bradley, J. and Davies, N. 1995. Analysis of the SSL protocol. Tech. Rep. CSTR-95-021. University of Bristol.]] Google Scholar
- Brendan, C., Traw, S., and Smith, J. M. 1993. Hardware/software organization of a high-performance atm host interface. IEEE J. Selected Area Comm. 11, 2 (Feb.), 240--253.]]Google Scholar
- Buhler, P., Eirich, T., Steiner, M., and Waidner, M. 2000. Secure password-based cipher suite for TLS. In Proceedings of the 6th Network and Distributed Systems Security Symposium. San Diego, CA, 129--142.]]Google Scholar
- Chankhunthod, A., Danzig, P. B., Neerdaels, C., Schwartz, M. F., and Worrell, K. J. 1996. A hierarchical Internet object cache. In Proceedings of the 1996 Usenix Technical Conference.]] Google Scholar
- Chen, J. B. and Bershad, B. N. 1993. The impact of operating system structure on memory system performance. In Proceedings of the 14th ACM Symposium on Operating Systems Principles. 120--133.]] Google Scholar
- Chu, J. 1996. Zero-copy TCP in Solaris. In Proceedings of the 1996 USENIX Technical Conference. San Diego, CA.]] Google Scholar
- Compaq. 2001. The AXL300 RSA accelerator. http://www.compaq.com/products/servers/security/axl300/.]]Google Scholar
- Dean, D., Berson, T., Franklin, M., Smetters, D., and Spreitzer, M. 2001. Cryptology as a network service. In Proceedings of the 7th Network and Distributed System Security Symposium. San Diego, CA.]]Google Scholar
- Dean, D. and Stubblefield, A. 2001. Using client puzzles to protect TLS. In Proceedings of the 7th Network and Distributed System Security Symposium. San Diego, CA.]] Google Scholar
- Dierks, T. and Allen, C. 1999. The TLS Protocol, Version 1.0. Internet Engineering Task Force. RFC-2246, ftp://ftp.isi.edu/in-notes/rfc2246.txt.]] Google Scholar
- Diffie, W. and Hellman, M. E. 1976. New directions in cryptography. IEEE Trans. Inform. Theory 22, 6, 644--654.]]Google Scholar
- Druschel, P. 1994. Operating systems support for high-speed networking. Tech. Rep. TR 94-24, Department of Computer Science, University of Arizona.]]Google Scholar
- Druschel, P., Abbott, M. B., Pagels, M. A., and Peterson, L. L. 1993. Network subsystem design. IEEE Network 7, 4 (July), 8--17.]]Google Scholar
- Druschel, P., Davie, B. S., and Peterson, L. L. 1994. Experiences with a high-speed network adaptor: A software perspective. In Proceedings of the SIGCOMM 1994 Conference. London, UK, 2--13.]] Google Scholar
- Druschel, P. and Peterson, L. L. 1993. Fbufs: A high-bandwidth cross-domain transfer facility. In Proceedings of the 14th ACM Symposium on Operating Systems Principles. 189--202.]] Google Scholar
- Druschel, P., Peterson, L. L., and Hutchinson, N. C. 1992. Beyond micro-kernel design: Decoupling modularity and protection in Lipto. In Proceedings of the 12th International Conference on Distributed Computing Systems. Yokohama, Japan.]]Google Scholar
- Edwards, A., Watson, G., Lumley, J., Banks, D., Calamvokis, C., and Dalton, C. 1994. User-space protocols deliver high performance to applications on a low-cost Gb/s LAN. In Proceedings of the SIGCOMM 1994 Conference. London, UK.]] Google Scholar
- Engelschall, R. S. 2000. mm - Shared Memory Library. http://www.engelschall.com/sw/mm/.]]Google Scholar
- Fox, A., Gribble, S. D., Chawathe, Y., Brewer, E. A., and Gauthier, P. 1997. Cluster-based scalable network services. In Proceedings of the 16th ACM Symposium on Operating System Principles. San Malo, France.]] Google Scholar
- Freier, A. O., Karlton, P., and Kocher, P. C. 1996. The SSL Protocol, Version 3.0. Netscape. http://home.netscape.com/eng/ssl3/draft302.txt.]]Google Scholar
- Goldberg, A., Buff, R., and Schmitt, A. 1998. Secure Web server performance dramatically improved by caching SSL session keys. In Proceedings of the Workshop on Internet Server Performance. Madison, WI.]]Google Scholar
- Halevi, S. and Krawczyk, H. 1999. Public-key cryptography and password protocols. ACM Trans. Inform. Syst. Secur. 2, 3, 230--268.]] Google Scholar
- Hess, A., Jacobson, J., Mills, H., Wamsley, R., Seamons, K. E., and Smith, B. 2002. Advanced client/server authentication in TLS. In Proceedings of the 8th Network and Distributed System Security Symposium. San Diego, CA.]]Google Scholar
- Hu, J. C., Pyrali, I., and Schmidt, D. C. 1997. Measuring the impact of event dispatching and concurrency models on Web server performance over high-speed networks. In Proceedings of the 2nd Global Internet Conference.]]Google Scholar
- Intel. 2002. Intel(R) AAD8125Y and AAD8120Y e-Commerce Directors. http://developer.intel.com/design/network/products/security/aad812x.htm.]]Google Scholar
- Kim, H., Pai, V. S., and Rixner, S. 2002. Increasing Web server throughput with network interface data caching. In Proceedings of the 10th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-X). San Jose, CA.]] Google Scholar
- Laurie, B. and Laurie, P. 1999. Apache: The Definitive Guide, 2nd Ed. O'Reilly, Cambridge, MA.]] Google Scholar
- Maltzahn, C., Richardson, K. J., and Grunwald, D. 1997. Performance issues of enterprise level Web proxies. In Proceedings of the ACM SIGMETRICS '1997 Conference. Seattle, WA.]] Google Scholar
- McGrath, R. E. 1995. Performance of several HTTP demons on an HP 735 workstation. http://www.ncsa.uiuc.edu/InformationServers/Performance/V1.4/report.html.]]Google Scholar
- McKenney, P. and Dove, K. 1992. Efficient demultiplexing of incoming TCP packets. In Proceedings of the SIGCOMM 1992 Conference. Baltimore, MD, 269--279.]] Google Scholar
- Miltchev, S. and Ioannidis, S. 2002. A study of the relative costs of network security protocols. In Proceedings of the 2002 USENIX Technical Conference. Monterey, CA.]] Google Scholar
- Mitchell, J. C. 1998. Finite-state analysis of security protocols. In Proceedings of the Computer Aided Verification. 71--76.]] Google Scholar
- Mogul, J. C. 1995. Network behavior of a busy Web server and its clients. Tech. Rep. WRL 95/5, DEC Western Research Laboratory, Palo Alto, CA.]]Google Scholar
- Montz, A. B., Mosberger, D., O'Malley, S. W., Peterson, L. L., and Proebsting, T. A. 1994. Scout: A communications-oriented operating system. Tech. Rep. TR 94-20, Department of Computer Science, University of Arizona.]]Google Scholar
- Mosberger, D., Peterson, L., Bridges, P., and O'Malley, S. 1996. Analysis of techniques to improve protocol latency. In Proceedings of the SIGCOMM '1996 Conference. Palo Alto, CA.]] Google Scholar
- Mraz, R. 2001. Secure Blue: An architecture for a high volume SSL Internet server. In Proceedings of the 17th Annual Computer Security Applications Conference. New Orleans, LA.]] Google Scholar
- Nahum, E. M., Barzilai, T., and Kandlur, D. 2002. Performance issues in WWW servers. IEEE/ACM Trans. Network. 10, 1, 2--11.]] Google Scholar
- Nahum, E. M., Rosu, M., Seshan, S., and Almeida, J. 2001. The effects of wide-area conditions on WWW server performance. In Proceedings of the ACM SIGMETRICS Conference on Measurement and Modeling of Computer Systems. Cambridge, MA.]] Google Scholar
- NetCraft. 2001. The Netcraft Secure Server Survey. http://www.netcraft.com/ssl/.]]Google Scholar
- Network Appliance, Inc. 2002. Netcache. http:/www.netapp.com/products/netcache.]]Google Scholar
- Pai, V. S., Aron, M., Banga, G., Svendsen, M., Druschel, P., Zwaenepoel, W., and Nahum, E. 1998. Locality-aware request distribution in cluster-based network servers. In Proceedings of the 8th Conference on Architectural Support for Programming Languages and Operating Systems. ACM, San Jose, CA.]] Google Scholar
- Pai, V. S., Druschel, P., and Zwaenepoel, W. 1999a. Flash: An efficient and portable Web server. In Proceeding of the Usenix 1999 Annual Technical Conference. Monterey, CA, 199--212.]] Google Scholar
- Pai, V. S., Druschel, P., and Zwaenepoel, W. 1999b. I/O-Lite: A unified I/O buffering and caching system. In Proceedings of the 3rd USENIX Symposium on Operating Systems Design and Implementation. New Orleans, LA.]] Google Scholar
- Pai, V. S., Ranganathan, P., and Adve, S. V. 1997. RSIM: An execution-driven simulator for ILP-based shared-memory multiprocessors and uniprocessors. In Proceedings of the 3rd Workshop on Computer Architecture Education.]]Google Scholar
- Paulson, L. C. 1999. Inductive analysis of the Internet protocol TLS. ACM Trans. Inform. Syst. Secu. 2, 3, 332--351.]] Google Scholar
- Poskanser, J. 2002. thhtpd. http:/www.acme.com/software/thttpd/.]]Google Scholar
- Rescorla, E. 1999. Diffie-Hellman Key Agreement Method. Internet Engineering Task Force. RFC-2631, http://www.ietf.org/rfc/rfc2631.txt.]] Google Scholar
- Rivest, R., Shamir, A., and Adleman, L. M. 1978. A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM 21, 2 (Feb.), 120--126.]] Google Scholar
- Rosenblum, M., Bugnion, E., Devine, S., and Herrod, S. 1997. Using the SimOS machine simulator to study complex computer systems. ACM Trans. Model. Comput. Simul. Special Issue on Computer Simulation 7, 1, 78--103.]] Google Scholar
- Schechte, S. E. and Sutaria, J. 1997. A study of the effects of context switching and caching on HTTP server performance. http:/www.eecs.harvard.edu/stuart/Tarantula/FirstPaper.html.]]Google Scholar
- Schneier, B. 1996. Applied Cryptography, 2nd Ed. John Wiley and Sons, New York, NY.]]Google Scholar
- Shacham, H. and Boneh, D. 2002. Fast-track session establishment for TLS. In Proceedings of the 8th Network and Distributed System Security Symposium. San Diego, CA.]]Google Scholar
- Smith, J. M. and Traw, C. B. S. 1993. Giving applications access to Gb/s networking. IEEE Network 7, 4 (July), 44--52.]]Google Scholar
- Standard Performance Evaluation Corporation. 1999. SPECWeb99. http://www.specbench.org/osg/Web99/.]]Google Scholar
- Standard Performance Evaluation Corporation. 2002. SPECWeb99_SSL. http://www.specbench.org/osg/Web99ssl/.]]Google Scholar
- Thadani, M. N. and Khalidi, Y. A. 1995. An efficient zero-copy I/O framework for UNIX. Tech. Rep. SMLI TR-95-39, Sun Microsystems Laboratories, Inc.]] Google Scholar
- Viega, J., Messier, M., and Chandra, P. 2002. Network Security with OpenSSL, 1st Ed. O'Reilly, Cambridge, MA.]] Google Scholar
- Wagner, D. and Schneier, B. 1996. Analysis of the SSL 3.0 protocol. In Proceedings of the 2nd USENIX Workshop on Electronic Commerce. Oakland, CA.]] Google Scholar
- Welsh, M., Culler, D., and Brewer, E. 2001. Seda: An architecture for well-conditioned, scalable Internet services. In Proceedings of the 18th ACM Symposium on Operating System Principles. ACM, Chateau Lake Louise, Canada.]] Google Scholar
- Wessels, D. 2002. Squid Web proxy cache. http:/www.squid-cache.org.]]Google Scholar
- Wireless Application Protocol Forum. 2001. Wireless Transport Layer Security. WAP forum. http://www1.wapforum.org/tech/terms.asp?doc=WAP-261-WTLS-20010406-a.pdf.]]Google Scholar
- Zeus Technology. 2001. Zeus performance tuning guide. http://support.zeus.com/faq/entries/ssl_tuning.html.]]Google Scholar
- Zeus Technology. 2002. Zeus Web server. http://www.zeus.co.uk/.]]Google Scholar
Index Terms
Performance analysis of TLS Web servers
Recommendations
The impact of TLS on SIP server performance
IPTComm '10: Principles, Systems and Applications of IP TelecommunicationsSecuring VoIP is a crucial requirement for its successful adoption. A key component of this is securing the signaling path, which is performed by SIP. Securing SIP is accomplished by using TLS instead of UDP as the transport protocol. However, using TLS ...
An Analysis of TLS Handshake Proxying
TRUSTCOM '15: Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA - Volume 01Content delivery networks (CDNs) are an essential component of modern website infrastructures: edge servers located closer to users cache content, increasing robustness and capacity while decreasing latency. However, this situation becomes complicated ...
Multi-Context TLS (mcTLS): Enabling Secure In-Network Functionality in TLS
SIGCOMM'15A significant fraction of Internet traffic is now encrypted and HTTPS will likely be the default in HTTP/2. However, Transport Layer Security (TLS), the standard protocol for encryption in the Internet, assumes that all functionality resides at the ...








Comments