
Performance analysis of TLS Web servers

Published: 01 February 2006

Abstract

TLS is the protocol of choice for securing today's e-commerce and online transactions but adding TLS to a Web server imposes a significant overhead relative to an insecure Web server on the same platform. We perform a comprehensive study of the performance costs of TLS. Our methodology is to profile TLS Web servers with trace-driven workloads, replace individual components inside TLS with no-ops, and measure the observed increase in server throughput. We estimate the relative costs of each TLS processing stage, identifying the areas for which future optimizations would be worthwhile. Our results show that while the RSA operations represent the largest performance cost in TLS Web servers, they do not solely account for TLS overhead. RSA accelerators are effective for e-commerce site workloads since they experience low TLS session reuse. Accelerators appear to be less effective for sites where all the requests are handled by a TLS server because they have a higher session reuse rate. In this case, investing in a faster CPU might provide a greater boost in performance. Our experiments show that having a second CPU is at least as useful as an RSA accelerator. Our results seem to suggest that, as CPUs become faster, the cryptographic costs of TLS will become dwarfed by the CPU costs of the nonsecurity aspects of a Web server. Optimizations aimed at general purpose Web servers should continue to be a focus of research and would benefit secure Web servers as well.

References

  1. Alteon. 2002. Alteon Web Switching Portfolio. http://www.nortelnetworks.com/products/01/alteon/alt180/.
  2. Amazon.com. 2001. Amazon.com releases 2001 first quarter results. Press Release. http://www.sec.gov/Archives/edgar/data/1018724/000095010901500823/dex991.htm.
  3. Anderson, E. W. and Pasquale, J. 1995. The performance of the container shipping I/O system. In Proceedings of the 15th ACM Symposium on Operating System Principles. Copper Mountain, CO, ACM, 229.
  4. Apostolopoulos, G., Peris, V., and Saha, D. 1999. Transport layer security: How much does it really cost? In Proceedings of the 18th Conference on Computer Communications. New York, NY.
  5. Banga, G. and Druschel, P. 1999. Measuring the capacity of a Web server under realistic loads. World Wide Web J. (Special Issue on World Wide Web Characterization and Performance Evaluation) 2, 1--2, 69--83.
  6. Banga, G., Druschel, P., and Mogul, J. C. 1998. Better operating system features for faster network servers. In Proceedings of the Workshop on Internet Server Performance. Condensed version appears in ACM SIGMETRICS Performance Evaluation Review 26, 3, 23--30.
  7. Banga, G. and Mogul, J. C. 1998. Scalable kernel performance for Internet servers under realistic loads. In Proceedings of the 1998 USENIX Technical Conference.
  8. Banga, G., Mogul, J. C., and Druschel, P. 1999. A scalable and explicit event delivery mechanism for UNIX. In Proceedings of the USENIX 1999 Annual Technical Conference. Monterey, CA.
  9. Banks, D. and Prudence, M. 1993. A high-performance network architecture for a PA-RISC workstation. IEEE J. Selected Areas Comm. 11, 2 (Feb.), 191--202.
  10. Basu, A., Buch, V., Vogels, W., and von Eicken, T. 1995. U-Net: A user-level network interface for parallel and distributed computing. In Proceedings of the 15th ACM Symposium on Operating System Principles. 40--53.
  11. Boneh, D. and Shacham, H. 2001. Improving SSL handshake performance via batching. In Proceedings of the RSA Conference. San Francisco, CA.
  12. Bradley, J. and Davies, N. 1995. Analysis of the SSL protocol. Tech. Rep. CSTR-95-021. University of Bristol.
  13. Brendan, C., Traw, S., and Smith, J. M. 1993. Hardware/software organization of a high-performance ATM host interface. IEEE J. Selected Areas Comm. 11, 2 (Feb.), 240--253.
  14. Buhler, P., Eirich, T., Steiner, M., and Waidner, M. 2000. Secure password-based cipher suite for TLS. In Proceedings of the 6th Network and Distributed Systems Security Symposium. San Diego, CA, 129--142.
  15. Chankhunthod, A., Danzig, P. B., Neerdaels, C., Schwartz, M. F., and Worrell, K. J. 1996. A hierarchical Internet object cache. In Proceedings of the 1996 USENIX Technical Conference.
  16. Chen, J. B. and Bershad, B. N. 1993. The impact of operating system structure on memory system performance. In Proceedings of the 14th ACM Symposium on Operating Systems Principles. 120--133.
  17. Chu, J. 1996. Zero-copy TCP in Solaris. In Proceedings of the 1996 USENIX Technical Conference. San Diego, CA.
  18. Compaq. 2001. The AXL300 RSA accelerator. http://www.compaq.com/products/servers/security/axl300/.
  19. Dean, D., Berson, T., Franklin, M., Smetters, D., and Spreitzer, M. 2001. Cryptology as a network service. In Proceedings of the 7th Network and Distributed System Security Symposium. San Diego, CA.
  20. Dean, D. and Stubblefield, A. 2001. Using client puzzles to protect TLS. In Proceedings of the 7th Network and Distributed System Security Symposium. San Diego, CA.
  21. Dierks, T. and Allen, C. 1999. The TLS Protocol, Version 1.0. Internet Engineering Task Force. RFC 2246, ftp://ftp.isi.edu/in-notes/rfc2246.txt.
  22. Diffie, W. and Hellman, M. E. 1976. New directions in cryptography. IEEE Trans. Inform. Theory 22, 6, 644--654.
  23. Druschel, P. 1994. Operating systems support for high-speed networking. Tech. Rep. TR 94-24, Department of Computer Science, University of Arizona.
  24. Druschel, P., Abbott, M. B., Pagels, M. A., and Peterson, L. L. 1993. Network subsystem design. IEEE Network 7, 4 (July), 8--17.
  25. Druschel, P., Davie, B. S., and Peterson, L. L. 1994. Experiences with a high-speed network adaptor: A software perspective. In Proceedings of the SIGCOMM 1994 Conference. London, UK, 2--13.
  26. Druschel, P. and Peterson, L. L. 1993. Fbufs: A high-bandwidth cross-domain transfer facility. In Proceedings of the 14th ACM Symposium on Operating Systems Principles. 189--202.
  27. Druschel, P., Peterson, L. L., and Hutchinson, N. C. 1992. Beyond micro-kernel design: Decoupling modularity and protection in Lipto. In Proceedings of the 12th International Conference on Distributed Computing Systems. Yokohama, Japan.
  28. Edwards, A., Watson, G., Lumley, J., Banks, D., Calamvokis, C., and Dalton, C. 1994. User-space protocols deliver high performance to applications on a low-cost Gb/s LAN. In Proceedings of the SIGCOMM 1994 Conference. London, UK.
  29. Engelschall, R. S. 2000. mm - Shared Memory Library. http://www.engelschall.com/sw/mm/.
  30. Fox, A., Gribble, S. D., Chawathe, Y., Brewer, E. A., and Gauthier, P. 1997. Cluster-based scalable network services. In Proceedings of the 16th ACM Symposium on Operating System Principles. Saint-Malo, France.
  31. Freier, A. O., Karlton, P., and Kocher, P. C. 1996. The SSL Protocol, Version 3.0. Netscape. http://home.netscape.com/eng/ssl3/draft302.txt.
  32. Goldberg, A., Buff, R., and Schmitt, A. 1998. Secure Web server performance dramatically improved by caching SSL session keys. In Proceedings of the Workshop on Internet Server Performance. Madison, WI.
  33. Halevi, S. and Krawczyk, H. 1999. Public-key cryptography and password protocols. ACM Trans. Inform. Syst. Secur. 2, 3, 230--268.
  34. Hess, A., Jacobson, J., Mills, H., Wamsley, R., Seamons, K. E., and Smith, B. 2002. Advanced client/server authentication in TLS. In Proceedings of the 8th Network and Distributed System Security Symposium. San Diego, CA.
  35. Hu, J. C., Pyarali, I., and Schmidt, D. C. 1997. Measuring the impact of event dispatching and concurrency models on Web server performance over high-speed networks. In Proceedings of the 2nd Global Internet Conference.
  36. Intel. 2002. Intel(R) AAD8125Y and AAD8120Y e-Commerce Directors. http://developer.intel.com/design/network/products/security/aad812x.htm.
  37. Kim, H., Pai, V. S., and Rixner, S. 2002. Increasing Web server throughput with network interface data caching. In Proceedings of the 10th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-X). San Jose, CA.
  38. Laurie, B. and Laurie, P. 1999. Apache: The Definitive Guide, 2nd Ed. O'Reilly, Cambridge, MA.
  39. Maltzahn, C., Richardson, K. J., and Grunwald, D. 1997. Performance issues of enterprise level Web proxies. In Proceedings of the ACM SIGMETRICS 1997 Conference. Seattle, WA.
  40. McGrath, R. E. 1995. Performance of several HTTP demons on an HP 735 workstation. http://www.ncsa.uiuc.edu/InformationServers/Performance/V1.4/report.html.
  41. McKenney, P. and Dove, K. 1992. Efficient demultiplexing of incoming TCP packets. In Proceedings of the SIGCOMM 1992 Conference. Baltimore, MD, 269--279.
  42. Miltchev, S. and Ioannidis, S. 2002. A study of the relative costs of network security protocols. In Proceedings of the 2002 USENIX Technical Conference. Monterey, CA.
  43. Mitchell, J. C. 1998. Finite-state analysis of security protocols. In Proceedings of Computer Aided Verification. 71--76.
  44. Mogul, J. C. 1995. Network behavior of a busy Web server and its clients. Tech. Rep. WRL 95/5, DEC Western Research Laboratory, Palo Alto, CA.
  45. Montz, A. B., Mosberger, D., O'Malley, S. W., Peterson, L. L., and Proebsting, T. A. 1994. Scout: A communications-oriented operating system. Tech. Rep. TR 94-20, Department of Computer Science, University of Arizona.
  46. Mosberger, D., Peterson, L., Bridges, P., and O'Malley, S. 1996. Analysis of techniques to improve protocol latency. In Proceedings of the SIGCOMM 1996 Conference. Palo Alto, CA.
  47. Mraz, R. 2001. Secure Blue: An architecture for a high volume SSL Internet server. In Proceedings of the 17th Annual Computer Security Applications Conference. New Orleans, LA.
  48. Nahum, E. M., Barzilai, T., and Kandlur, D. 2002. Performance issues in WWW servers. IEEE/ACM Trans. Network. 10, 1, 2--11.
  49. Nahum, E. M., Rosu, M., Seshan, S., and Almeida, J. 2001. The effects of wide-area conditions on WWW server performance. In Proceedings of the ACM SIGMETRICS Conference on Measurement and Modeling of Computer Systems. Cambridge, MA.
  50. NetCraft. 2001. The Netcraft Secure Server Survey. http://www.netcraft.com/ssl/.
  51. Network Appliance, Inc. 2002. NetCache. http://www.netapp.com/products/netcache.
  52. Pai, V. S., Aron, M., Banga, G., Svendsen, M., Druschel, P., Zwaenepoel, W., and Nahum, E. 1998. Locality-aware request distribution in cluster-based network servers. In Proceedings of the 8th Conference on Architectural Support for Programming Languages and Operating Systems. ACM, San Jose, CA.
  53. Pai, V. S., Druschel, P., and Zwaenepoel, W. 1999a. Flash: An efficient and portable Web server. In Proceedings of the USENIX 1999 Annual Technical Conference. Monterey, CA, 199--212.
  54. Pai, V. S., Druschel, P., and Zwaenepoel, W. 1999b. I/O-Lite: A unified I/O buffering and caching system. In Proceedings of the 3rd USENIX Symposium on Operating Systems Design and Implementation. New Orleans, LA.
  55. Pai, V. S., Ranganathan, P., and Adve, S. V. 1997. RSIM: An execution-driven simulator for ILP-based shared-memory multiprocessors and uniprocessors. In Proceedings of the 3rd Workshop on Computer Architecture Education.
  56. Paulson, L. C. 1999. Inductive analysis of the Internet protocol TLS. ACM Trans. Inform. Syst. Secur. 2, 3, 332--351.
  57. Poskanzer, J. 2002. thttpd. http://www.acme.com/software/thttpd/.
  58. Rescorla, E. 1999. Diffie-Hellman Key Agreement Method. Internet Engineering Task Force. RFC 2631, http://www.ietf.org/rfc/rfc2631.txt.
  59. Rivest, R., Shamir, A., and Adleman, L. M. 1978. A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM 21, 2 (Feb.), 120--126.
  60. Rosenblum, M., Bugnion, E., Devine, S., and Herrod, S. 1997. Using the SimOS machine simulator to study complex computer systems. ACM Trans. Model. Comput. Simul. (Special Issue on Computer Simulation) 7, 1, 78--103.
  61. Schechter, S. E. and Sutaria, J. 1997. A study of the effects of context switching and caching on HTTP server performance. http://www.eecs.harvard.edu/stuart/Tarantula/FirstPaper.html.
  62. Schneier, B. 1996. Applied Cryptography, 2nd Ed. John Wiley and Sons, New York, NY.
  63. Shacham, H. and Boneh, D. 2002. Fast-track session establishment for TLS. In Proceedings of the 8th Network and Distributed System Security Symposium. San Diego, CA.
  64. Smith, J. M. and Traw, C. B. S. 1993. Giving applications access to Gb/s networking. IEEE Network 7, 4 (July), 44--52.
  65. Standard Performance Evaluation Corporation. 1999. SPECweb99. http://www.specbench.org/osg/Web99/.
  66. Standard Performance Evaluation Corporation. 2002. SPECweb99_SSL. http://www.specbench.org/osg/Web99ssl/.
  67. Thadani, M. N. and Khalidi, Y. A. 1995. An efficient zero-copy I/O framework for UNIX. Tech. Rep. SMLI TR-95-39, Sun Microsystems Laboratories, Inc.
  68. Viega, J., Messier, M., and Chandra, P. 2002. Network Security with OpenSSL, 1st Ed. O'Reilly, Cambridge, MA.
  69. Wagner, D. and Schneier, B. 1996. Analysis of the SSL 3.0 protocol. In Proceedings of the 2nd USENIX Workshop on Electronic Commerce. Oakland, CA.
  70. Welsh, M., Culler, D., and Brewer, E. 2001. SEDA: An architecture for well-conditioned, scalable Internet services. In Proceedings of the 18th ACM Symposium on Operating System Principles. ACM, Chateau Lake Louise, Canada.
  71. Wessels, D. 2002. Squid Web proxy cache. http://www.squid-cache.org.
  72. Wireless Application Protocol Forum. 2001. Wireless Transport Layer Security. WAP Forum. http://www1.wapforum.org/tech/terms.asp?doc=WAP-261-WTLS-20010406-a.pdf.
  73. Zeus Technology. 2001. Zeus performance tuning guide. http://support.zeus.com/faq/entries/ssl_tuning.html.
  74. Zeus Technology. 2002. Zeus Web server. http://www.zeus.co.uk/.


Reviews

Amos O Olagunju

The analysis of performance costs of security operations in multifaceted secure Web servers is extremely odd. Is it feasible to ascertain an exact model for simulating the behaviors of secure replicated clusters of Web servers with load-balancing switches and backend databases? Is it easy to discern, segregate, and gauge the unique sources of bottlenecks of secure Web servers when inputs and outputs overlap computations in convoluted ways? Transport layer security (TLS) offers abstract secure sockets over transmission control protocol/Internet protocol (TCP/IP) sockets for secure applications such as secure shell connections and secure Web servers. Unfortunately, the TLS protocol supports authentication, data confidentiality, integrity, and interoperability of cryptographic parameters [1] at pricey computation overheads. However, e-commerce sites often use TLS for secure communication to avoid leaking priceless information. The authors study the performance costs of securing Web servers with the TLS protocol. Components of TLS are replaced with no-ops in trace-driven workloads of a profile TLS Web server that is used to investigate factors affecting page-serving throughput. The authors present meticulous discussions of the TLS protocol, platforms, and workload experiments used to investigate performance bottlenecks attributable to RSA operations, session cache, network connection delay, and central processing unit (CPU) latency due to cryptographic operations on packets. The throughput of a secure Web server under diverse circumstances was measured by emulating an ideal hardware accelerator, rather than by micro-benchmarking the CPU time of specific operations. The relative cost of each operation performed by the TLS Web server was projected using Amdahl's Law for speedup. The experimental results expose public key cryptography as the principal performance cost incurred by the TLS Web server. However, the addition of an RSA accelerator to surmount the TLS issues produces a remarkable performance improvement. Although the study does not fully mimic secure enterprise Web sites, the paper provides reliable evidence to endorse the use of high-performance CPUs for reducing TLS overhead, and the use of a dual CPU server (instead of a single CPU server) with an RSA accelerator for exploiting throughput.

Online Computing Reviews Service
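The abstract's methodology (replace one TLS stage with a no-op, measure the throughput gain, attribute that share of server time to the stage) and the Amdahl's-law projection the reviewer mentions can be worked through numerically. The block below is an added example, not code or data from the paper: the throughput figures are constructed, and the session-reuse model (RSA runs only on full handshakes, everything else is unchanged) is an assumption used to show why an accelerator helps less as the reuse rate rises.

```python
"""Cost attribution by no-op replacement, then Amdahl's-law projection.

Added example modelling the methodology the abstract describes; the
throughput figures below are constructed, not the paper's measurements.
"""
from math import inf


def stage_fraction(baseline: float, noop: float) -> float:
    """Share of per-connection server time spent in one TLS stage.

    The full server sustains `baseline` conn/s; with the stage replaced by a
    no-op it sustains `noop` conn/s. Time per connection falls from 1/baseline
    to 1/noop, so the removed stage accounted for 1 - baseline/noop of it.
    """
    if noop < baseline:
        raise ValueError("no-op run slower than baseline: measurement noise?")
    return 1.0 - baseline / noop


def amdahl_speedup(fraction: float, factor: float) -> float:
    """Amdahl's law: overall speedup when `fraction` of the work runs `factor`x faster."""
    return 1.0 / ((1.0 - fraction) + fraction / factor)


def rsa_fraction_at_reuse(rsa_fraction: float, reuse_rate: float) -> float:
    """Assumed model: RSA only runs on full handshakes, so with session reuse
    rate r its time scales by (1 - r) while the rest of the work is unchanged."""
    rsa = rsa_fraction * (1.0 - reuse_rate)
    other = 1.0 - rsa_fraction
    return rsa / (rsa + other)


def accelerator_speedup(rsa_fraction: float, reuse_rate: float, accel_factor: float = inf) -> float:
    """Projected speedup from an RSA accelerator (default: ideal, RSA cost -> 0)."""
    return amdahl_speedup(rsa_fraction_at_reuse(rsa_fraction, reuse_rate), accel_factor)


def breakeven_reuse(rsa_fraction: float, alt_speedup: float, accel_factor: float = inf):
    """Session reuse rate above which the accelerator no longer beats an
    alternative giving `alt_speedup` (e.g. 2.0 for an ideally scaling 2nd CPU).
    Returns None when the accelerator cannot reach `alt_speedup` at any reuse rate."""
    if accel_factor <= 1.0:
        return None
    # Amdahl inverted: RSA share needed for the accelerator to hit alt_speedup.
    needed = (1.0 - 1.0 / alt_speedup) / (1.0 - 1.0 / accel_factor)
    if needed >= 1.0 or needed > rsa_fraction:
        return None
    other = 1.0 - rsa_fraction
    # Solve rsa_fraction_at_reuse(rsa_fraction, r) == needed for r.
    return 1.0 - needed * other / (rsa_fraction * (1.0 - needed))


# Constructed no-op runs (conn/s): baseline server, then one stage removed each.
BASELINE = 100.0
NOOP_RUNS = {"rsa": 250.0, "bulk_cipher": 110.0, "mac": 105.0}

if __name__ == "__main__":
    fractions = {s: stage_fraction(BASELINE, t) for s, t in NOOP_RUNS.items()}
    for stage, f in fractions.items():
        print(f"{stage:12s} {f:5.1%} of server time")
    for r in (0.0, 0.2, 0.5, 0.8):
        print(f"reuse {r:.0%}: ideal RSA accelerator -> {accelerator_speedup(fractions['rsa'], r):.2f}x")
    print("accelerator loses to a 2x CPU above reuse rate", breakeven_reuse(fractions["rsa"], 2.0))
```

With the constructed numbers, RSA is 60% of server time at zero reuse, so an ideal accelerator gives 2.5x; at 50% reuse the same accelerator gives only 1.75x, and a perfectly scaling second CPU (2x) wins above a reuse rate of one third.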
