Paper collections on performance of TLS (and some other security protocols in general)

  1. D. Boneh, Hovav Shacham, and Eric Rescorla. Client side caching for TLS.
    In proceedings of the Internet Society's 2002 Symposium on Network and Distributed System Security (NDSS), pp. 195--202.
    Full paper: PDF.
  2. D. Boneh, and H. Shacham. Improving SSL Handshake Performance via Batching.
    In proceedings RSA'2001, Lecture Notes in Computer Science, Vol. 2020, Springer-Verlag, pp. 28--43, 2001.
    Full paper: PostScript.
  3. Modadugu, N. and Eric Rescorla, The Design and Implementation of Datagram TLS, Proceedings of NDSS 2004, February 2004. (PDF).
  4. Rescorla, E., Cain, A., Korver, B., SSLACC: A Clustered SSL Accelerator, Proceedings of the 11th USENIX Security Conference, August 2002. (PDF).
  5. Eun-Ae Cho, Young-Gab Kim, Chang-Joo Moon, Doo-Kwon Baik, Design and Implementation of an SSL Component Based on CBD,
    Lecture Notes in Computer Science, Volume 3398, Jan 2005, Pages 478 - 486. NCA 2004.
    Full paper: PDF

    • Abstract: SSL is one of the most popular protocols used on the Internet for secure communications. However SSL protocol has several problems. First, SSL protocol brings considerable burden to the CPU utilization so that performance and speed of the security service is lowered during encryption transaction. Second, SSL protocol can be vulnerable for cryptanalysis due to the fixed algorithm being used. Third, it causes a problem of mutual interaction with other protocols because of the encryption export restriction policy of the U.S. Fourth, it is difficult for developers to learn and use cryptography API for SSL. To solve these problems, in this paper, we propose an SSL component based on CBD. The execution of the SSL component is supported by Confidentiality and Integrity component. It can encrypt data selectively and use various mechanisms such as SEED and HAS-160. Also, it can complement the SSL protocols problems and, at the same time, take advantage of component. Finally, in the performance analysis, we present a better result than the SSL protocol as the data size is increased.
  6. George Apostolopoulos, Vinod G. J. Peris, Debanjan Saha: Transport Layer Security: How Much Does It Really Cost?
    INFOCOM 1999: 717-725.
    Full paper: PDF
  7. George Apostolopoulos, David Aubespin, Vinod Peris, Prashant Pradhan, Debanjan Saha: Design, Implementation and Performance of a Content-Based Switch,
    INFOCOM 2000.
    Full paper: PDF
  8. George Apostolopoulos, Vinod Peris, Prashant Pradhan, Debanjan Saha, Securing Electronic Commerce: Reducing the SSL Overhead,
    IEEE Network, 14, 4 (July), 8-16, 2000.
    Full paper: PDF
  9. Adam Stubblefield, Aviel D. Rubin, and Dan S. Wallach: Managing the Performance Impact of Web Security,
    Electronic Commerce Research, Volume 5, Number 1, January 2005, pp. 99-116(18).
    Full paper: PDF
  10. Cristian Coarfa, Peter Druschel, Dan S. Wallach, Performance Analysis of TLS Web Servers,
    ISOC NDSS (San Diego, California), February 2002.
    Full paper: PDF
  11. Cristian Coarfa, Peter Druschel and Dan S. Wallach. Performance Analysis of TLS Web Servers.
    To be published in ACM Transactions on Computer Systems.
    Full paper: PDF
  12. Xiaodong Lin, Johnny W. Wong, Weidong Kou, Performance Analysis of Secure Web Server Based on SSL,
    Lecture Notes in Computer Science, Volume 1975, Jan 2000, Page 249, ISW 2000.
    Full paper: PDF
  13. Claude Castelluccia, Einar Mykletun, Gene Tsudik, Improving Secure Server Performance by Re-balancing SSL/TLS Handshakes,
    Cryptology ePrint Archive No. 2005/037
    Full paper: PDF

    • Abstract: Much of today's distributed computing takes place in a client/server model. Despite advances in fault tolerance -- in particular, replication and load distribution -- server overload remains to be a major problem. In the Web context, one of the main overload factors is the direct consequence of expensive Public Key operations performed by servers as part of each SSL handshake. Since most SSL-enabled servers use RSA, the burden of performing many costly decryption operations can be very detrimental to server performance. This paper examines a promising technique for re-balancing RSA-based client/server handshakes. This technique facilitates more favorable load distribution by requiring clients to perform more work (as part of encryption) and servers to perform commensurately less work, thus resulting in better SSL throughput. Proposed techniques are based on careful adaptation of variants of Server-Aided RSA originally constructed by Matsumoto, et al. [1]. Experimental results demonstrate that suggested methods (termed Client-Aided RSA) can speed up processing by a factor of between 11 to 19, depending on the RSA key size. This represents a considerable improvement. Furthermore, proposed techniques can be a useful companion tool for SSL Client Puzzles in defense against DoS and DDoS attacks.

  14. Santosh Bag, Performance Impact of Security Protocols,
    Bachelor Thesis, IIT Bombay.
    Full paper: PostScript

    • Abstract: Never before was there so much concern for e-security as in this age of pervasive internet. Particularly with businesses and transactions going online there has been much, but valid hoopla about the reliability and safety of such online dealings. Numerous security measures cropped up to achieve safety. Many security protocols have been designed for the various layers of the network stack, each specializing and effectively protecting the service provided by that layer. Cryptography is an essential component in these protocols but is also notorious for hogging CPU time, which takes a toll on the service which it intends to protect. There are also other factors which inhibit the performance, forcing security engineers to take a performance perspective of these protocols to achieve a balance between safety and performance. This report specially looks at the two protocols TLS and IPsec and their structure to dig out their limiting factors and analyze their performance.

  15. Varsha Mainkar (AT&T Labs), Performance Implications of Security Protocols
    Presentation at the 5th INFORMS Telecom Conference, March 2000
    Full presentation: PDF

  16. Peter Gutmann, Performance Characteristics of Application-level Security Protocols,
    work in progress.
    Full paper: PDF

    • Abstract: Comparisons of the most popular application-level security protocols, PGP and S/MIME for independent message protection and SSH and SSL/TLS for communications session protection, are usually made at the political rather than the technical level. This paper provides a detailed breakdown and analysis of the performance characteristics of the different protocols, identifying potential performance problem areas and providing guidance for protocol designers and implementers.

  17. AbdelNasir Alshamsi and Takamichi Saito, A Technical Comparison of IPSec and SSL,
    AINA 2005.
    Full paper: PDF ePrint Archive 2004/314

    • Abstract: IPsec (IP Security) and SSL (Secure Socket Layer) have been the most robust and most potential tools available for securing communications over the Internet. Both IPsec and SSL have advantages and shortcomings. Yet no paper has been found comparing the two protocols in terms of characteristics and functionality. Our objective is to present an analysis of security and performance properties for IPsec and SSL.

  18. Yijun Zeng and Omar Cherkaoui (University of Quebec), Performance Study of COPS over TLS and IPsec Secure Session,
    DSOM 2002, LNCS 2506.
    Full paper: PDF

    • Abstract. This paper evaluates the performance of COPS over secure TLS and IPsec connections. For large size data, when we apply authentication and encryption, the throughput degrades compared with the throughput without authentication or encryption. COPS has native security mechanisms, but it also has limitations. As defined in RFC 2478, COPS includes no standard key management and no data privacy hop-by-hop security. To be deployed, it needs to support access control models. Based on our comparison of the performance of the implementation of COPS, COPS over TLS and COPS over IPsec, we propose a strategic approach to secure COPS.

  19. Michael Steiner, Peter Buhler, Thomas Eirich and Michael Waidner, Secure password-based cipher suite for TLS,
    ACM Transactions on Information and System Security (TISSEC), 4(2): 134-157, 2001
    Full paper: PDF

  20. Dirk Balfanz, Glenn Durfee, Narendar Shankar, Diana Smetters, Jessica Staddon, Hao-Chi Wong, Secret Handshakes from Pairing-Based Key Agreements,
    IEEE Symposium on Security and Privacy (SP'03).
    Full paper: PDF

    • Abstract: Consider a CIA agent who wants to authenticate herself to a server, but does not want to reveal her CIA credentials unless the server is a genuine CIA outlet. Consider also that the CIA server does not want to reveal its CIA credentials to anyone but CIA agents – not even to other CIA servers.
      In this paper we first show how pairing-based cryptography can be used to implement such secret handshakes. We then propose a formal definition for secure secret handshakes, and prove that our pairing-based schemes are secure under the Bilinear Diffie-Hellman assumption. Our protocols support role-based group membership authentication, traceability, indistinguishability to eavesdroppers, unbounded collusion resistance, and forward repudiability.
      Our secret-handshake scheme can be implemented as a TLS cipher suite. We report on the performance of our preliminary Java implementation.

  21. Patroklos G. Argyroudis, Raja Verma, Hitesh Tewari and Donal O’Mahony: Performance Analysis of Cryptographic Protocols on Handheld Devices,
    NCA 2004.
    Full paper: PDF

  22. Avesh K. Agarwal and Wenye Wang: Measuring Performance Impact of Security Protocols in Wireless Local Area Networks,
    International Conference on Broadband Networks -- Broadband Wireless Networking Symposium 2005.
    Full paper: PDF

    • Abstract: In this paper, we study and quantify the impact of the most widely used security protocols, such as 802.1x, EAP, IPSEC, SSL and RADIUS, in wireless local area networks (WLANs). Based on the measurements in a wireless network testbed, we present quantitative, realistic findings with regards to both security functions as well as network performance. First, we describe experimental setup including system configuration and protocol stack. Then, we consider a variety of individual and hybrid security policies in order to capture the impact of security services at different network layers. Moreover, depending upon mobile nodes’ current location, user mobility is categorized into non-roaming and roaming scenarios. In addition, we define several performance metrics such as authentication delay, authentication messages, response time, throughput to measure the overhead associated with security policies on system performance. Comprehensive experimental measurements and analysis are provided for TCP/UDP traffic streams and network variations to demonstrate the impact of security protocols in wireless local area networks.

  23. Albert Levi, Erkay Savas, Performance Evaluation of Public-Key Cryptosystem Operations in WTLS Protocol,
    ISCC 2003.
    Full paper: PDF

  1. L. C. Paulson. Inductive analysis of the Internet protocol TLS.
    ACM Transactions on Computer and System Security 2, 3 (1999), 332–351.
    Full paper: PDF

  2. N. Ferguson and B. Schneier, A Cryptographic Evaluation of IPsec,
    Unpublished manuscript, 1999.
    Full paper: PDF

    • Abstract: We perform a cryptographic review of the IPsec protocol, as described in the November 1998 RFCs. Even though the protocol is a disappointment--our primary complaint is with its complexity--it is the best IP security protocol available at the moment. 

  3. O. Elkeelany, M. M. Matalgah, K. P. Sheikh, M. Thaker, G. Chaudhry, D. Medhi and J. Qaddour: Performance analysis of IPSec protocol: Encryption and authentication,
    ICC 2002 - IEEE International Conference on Communications, vol. 25, no. 1, April 2002, pp. 1164 - 1168
    Full paper: (unavailable)

  4. S. Miltchev, S. Ioannidis, A. Keromytis, A Study of the Relative Costs of Network Security Protocols,
    USENIX 2002 Freenix Track.
    Full paper: PostScript

    • Abstract: While the benefits of using IPsec to solve a significant number of network security problems are well-known and its adoption is gaining ground, very little is known about the communication overhead that it introduces. Quantifying this overhead will make users aware of the price of the added security, and will assist them in making well-informed IPsec deployment decisions.
      In this paper, we investigate the performance of IPsec using micro- and macro-benchmarkings. Our tests explore how the various modes of operation and encryption algorithms affect its performance and the benefits of using cryptographic hardware to accelerate IPsec processing. Finally, we compare against other secure data transfer mechanisms, such as SSL, scp(1) and sftp(1).

  5. George Hadjichristofi, Nathaniel Davis, IV and Scott Midkiff, IPSec Overhead in Wireline and Wireless Networks for Web and Email Applications,
    IEEE IPCCC 2003.
    Full paper: PDF

  6. Nobuo Okabe, Shoichi Sakane et al: A Study of Security Architecture for Control Networks over IP,
    INSS 2004.
    Full paper: PDF

  7. Heng Yin, Haining Wang, Building an Application-aware IPsec Policy System,
    USENIX 2005.
    Full paper: PDF

    • Abstract: As a security mechanism at the network-layer, the IP security protocol (IPsec) has been available for years, but its usage is limited to Virtual Private Networks (VPNs). The end-to-end security services provided by IPsec have not been widely used. To bring the IPsec services into wide usage, a standard IPsec API is a potential solution. However, the realization of a user-friendly IPsec API involves many modifications on the current IPsec and Internet Key Exchange (IKE) implementations. An alternative approach is to configure application-specific IPsec policies, but the current IPsec policy system lacks the knowledge of the context of applications running at upper layers, making it infeasible to configure application-specific policies in practice.
      In this paper, we propose an application-aware IPsec policy system on the existing IPsec/IKE infrastructure, in which a socket monitor running in the application context reports the socket activities to the application policy engine. In turn, the engine translates the application policies into the underlying security policies, and then writes them into the IPsec Security Policy Database (SPD) via the existing IPsec policy management interface. We implement a prototype in Linux (Kernel 2.6) and evaluate it in our testbed. The experimental results show that the overhead of policy translation is insignificant, and the overall system performance of the enhanced IPsec is comparable to those of security mechanisms at upper layers. Configured with the application-aware IPsec policies, both secured applications at upper layers and legacy applications can transparently obtain IP security enhancements.

  8. Jin-Cherng Lin, Ching-Tien Chang and Wei-Tao Chung, Design, Implementation and Performance Evaluation of IP-VPN,
    AINA 2003.
    Full paper: PDF

    • Abstract: Network security has always been a significant issue, but a recognized priority today due to the popularity of the Internet. The issue is not if security should be implemented on a network; rather, the question to ask is if security has been implemented properly and the interoperability with today’s network architecture. Although there are various ways to perform a secure network environment, the most popular and the most progressive network security mechanism is Security Architecture for IP (IPSec), offered by IETF (Internet Engineering Task Force). In this paper, we will discuss the problems when combining IPSec into current TCP/IP module by porting an IPSec shareware (FreeS/WAN) into a router. Finally, in order to understand the impact on router’s performance when using various services and hash/encryption algorithms provided by IPSec, we test the throughput of the router before and after applying IPSec.

  9. Jirka Klaue, and Andreas Hess, On the Impact of IPsec on Interactive Communications,
    IPDPS 2005.
    Full paper: PDF

  10. John Ronan, Steven Davy, Paul Malone, Micheal O Foghlu, Performance Implications of IPsec Deployment,
    Full paper: PDF

    • Abstract: Virtual Private Networks (VPNs) use the Internet or other data network service as a backbone to provide a secure connection across a potentially hostile WAN. Such security guarantees provide the motivation for VPN deployment. This security does, however, come at a performance cost brought about by the increased processing overhead. This paper presents an investigation into these overheads. In particular, this investigation will consider different user resource availability in addition to router type and encryption algorithms.

  11. Stephen Kent, Charles Lynn, and Karen Seo, Secure Border Gateway Protocol (S-BGP),
    JSAC 2000.
    Full paper: PDF

    • Abstract—The Border Gateway Protocol (BGP), which is used to distribute routing information between autonomous systems (ASes), is a critical component of the Internet's routing infrastructure. It is highly vulnerable to a variety of malicious attacks, due to the lack of a secure means of verifying the authenticity and legitimacy of BGP control traffic. This paper describes a secure, scalable, deployable architecture (S-BGP) for an authorization and authentication system that addresses most of the security problems associated with BGP. The paper discusses the vulnerabilities and security requirements associated with BGP, describes the S-BGP countermeasures, and explains how they address these vulnerabilities and requirements. In addition, this paper provides a comparison of this architecture to other approaches that have been proposed, analyzes the performance implications of the proposed countermeasures, and addresses operational issues.

  12. D. Boneh, and M. Franklin. Efficient generation of shared RSA keys.
    Journal of the ACM (JACM), Vol. 48, Issue 4, pp. 702--722, July 2001. Extended abstract in Proceedings Crypto' 97, Lecture Notes in Computer Science, Vol. 1233, Springer-Verlag, pp. 425--439, 1997.
    Full paper: PostScript.
  13. Gene Tsudik and Shouhuai Xu, A Flexible Framework for Secret Handshakes,
    Cryptology ePrint Archive. 2005/034
    Full paper: PDF
  14. Ran Canetti and Hugo Krawczyk, Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels,
    Cryptology ePrint Archive 2001/040
    Full paper: PostScript

    • Abstract: We present a formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any key-exchange protocol that satisfies the security definition can be composed with symmetric encryption and authentication functions to provide provably secure communication channels; and (ii) the definition allows for simple modular proofs of security: one can design and prove security of key-exchange protocols in an idealized model where the communication links are perfectly authenticated, and then translate them using general tools to obtain security in the realistic setting of adversary-controlled links. We exemplify the usability of our results by applying them to obtain the proof of two main classes of key-exchange protocols, Diffie-Hellman and key-transport, authenticated via symmetric or asymmetric techniques.
      Further contributions of the paper include the formalization of "secure channels'' in the context of key-exchange protocols, and establishing sufficient conditions on the symmetric encryption and authentication functions to realize these channels.

  15. Y. Amir, Y. Kim, C. Nita-Rotaru and G. Tsudik, On the Performance of Group Key Agreement Protocols,
    ACM Transactions on Information Systems Security, Vol. 7, No. 3, pp. 457-488, August 2004.
    Full paper: PDF

    • Abstract: Group key agreement is a fundamental building block for secure peer group communication systems. Several group key management techniques were proposed in the last decade, all assuming the existence of an underlying group communication infrastructure to provide reliable and ordered message delivery as well as group membership information. Despite analysis, implementation, and deployment of some of these techniques, the actual costs associated with group key management have been poorly understood so far. This resulted in an undesirable tendency: on the one hand, adopting suboptimal security for reliable group communication, while, on the other hand, constructing excessively costly group key management protocols.
      This paper presents a thorough performance evaluation of five notable distributed key management techniques (for collaborative peer groups) integrated with a reliable group communication system. An in-depth comparison and analysis of the five techniques is presented based on experimental results obtained in actual local- and wide-area networks. The extensive performance measurement experiments conducted for all methods offer insights into their scalability and practicality. Furthermore, our analysis of the experimental results highlights several observations that are not obvious from the theoretical analysis.

  16. Y. Amir, Y. Kim, C. Nita-Rotaru, and G. Tsudik, On the Performance of Group Key Agreement Protocols.
    IEEE ICDCS'2002, July 2002.
    Full paper: PDF

  17. Yuh-Min Tseng, Efficient authenticated key agreement protocols resistant to a denial-of-service attack.
    Int. J. Netw. Manag. 15, 3 (May. 2005), 193-202.
    Full paper: PDF

    • Abstract: Malicious intruders may launch as many invalid requests as possible without establishing a server connection to bring server service to a standstill. This is called a denial-of-service (DoS) or distributed DoS (DDoS) attack. Until now, there has been no complete solution to resisting a DoS/DDoS attack. Therefore, it is an important network security issue to reduce the impact of a DoS/DDoS attack. A resource-exhaustion attack on a server is one kind of denial-of-service attack. In this article we address the resource-exhaustion problem in authentication and key agreement protocols. The resource-exhaustion attack consists of both the CPU-exhaustion attack and the storage-exhaustion attack. In 2001, Hirose and Matsuura proposed an authenticated key agreement protocol (AKAP) that was the first protocol simultaneously resistant to both the CPU-exhaustion attack and the storage-exhaustion attack. However, their protocol is time-consuming for legal users in order to withstand the DoS attack. Therefore, in this paper, we propose a slight modification to the Hirose-Matsuura protocol to reduce the computation cost. Both the Hirose-Matsuura and the modified protocols provide implicit key confirmation. Also, we propose another authenticated key agreement protocol with explicit key confirmation. The new protocol requires less computation cost. Because DoS/DDoS attacks come in a variety of forms, the proposed protocols cannot fully disallow a DoS/DDoS attack. However, they reduce the effect of such an attack and thus make it more difficult for the attack to succeed.

  18. John Canny, Stephen Sorkin, Practical Large-Scale Distributed Key Generation,
    Eurocrypt 2004
    Full paper: PDF

  19. Burkhard Springer and Liam Kihmartin, Performance Evaluation of the Internet Key Exchange Protocol under Dynamic VoIP Network Conditions,
    ISSC 2003, Limerick.
    Full paper: PDF

  20. M. Bellare, J. Garay, R. Hauser, A. Herzberg, H. Krawczyk, M. Steiner, G. Tsudik, E. Van Herreweghen, and M. Waidner: Design, Implementation and Deployment of a Secure Account-Based Electronic Payment System.
    IEEE JSAC, special issue on Secure Communication, May 2000.
    Full paper: PDF

  21. C. Castelluccia, S. Jarecki and G. Tsudik: Secret Handshakes from CA-oblivious Encryption,
    Proc. IACR AsiaCrypt'04. December 2004.
    Full paper: PDF

  22. N. Saxena, G. Tsudik and J. Yi: Admission Control in Peer-to-Peer: Design and Performance Evaluation,
    ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '03), November 2003.
    Full paper: PDF

  23. Alan Harbitter, and Daniel A Menascé. 2002. A methodology for analyzing the performance of authentication protocols.
    ACM Trans. Inf. Syst. Secur. 5, 4 (Nov. 2002), 458-491.
    Full paper: PDF

  24. Alan Harbitter, Daniel A. Menascé: Performance of Public-Key-Enabled Kerberos Authentication in Large Networks.
    IEEE Symposium on Security and Privacy 2001: 170-183
    Full paper: PDF

  25. Alan Harbitter, and Menascé, D. A. 2001. The performance of public key-enabled kerberos authentication in mobile computing applications.
    In Proceedings of the 8th ACM Conference on Computer and Communications Security (Philadelphia, PA, USA, Nov 2001), pp. 78-85.
    Full paper: PDF

  26. Jongkyung Kim, Hyuncheol Kim, Seong-Jin Ahn, Jin-Wook Chung: The Authentication and Processing Performance of Session Initiation Protocol (SIP) Based Multi-party Secure Closed Conference System.
    ISPA 2004: 725-729 LNCS 3358
    Full paper: PDF

  27. Georgios Kambourakis, Angelos Rouskas, Dimitris Gritzalis: Performance Evaluation of Certificate Based Authentication in Integrated Emerging 3G and Wi-Fi Networks.
    EuroPKI 2004: 287-296 LNCS 3093
    Full paper: PDF

  1. Thomas Y. C. Woo, Simon S. Lam: A Framework for Distributed Authorization.
    ACM Conference on Computer and Communications Security 1993: 112-118
    Full paper: PDF

  2. Jon Howell, David Kotz: End-to-End Authorization.
    OSDI 2000: 151-164
    Full paper: PDF

  3. Thomas Ziebermayr, Stefan Probst: Web Service Authorization Framework.
    ICWS 2004: 614-621
    Full paper: PDF

  4. Sarath Indrakanti, Vijay Varadharajan, Michael Hitchens: Authorization Service for Web Services and its Implementation.
    ICWS 2004: 774-777
    Full paper: PDF

  5. Jeff Hayes: Policy-based Authentication and Authorization: Secure Access to the Network Infrastructure.
    IEEE ACSAC 2000: 328-333
    Full paper: PDF

    • Abstract: A gaping hole in many of today's networks is the weak security surrounding the network devices themselves-the routers, the switches and the access servers. In all public networks and in some private networks, the network devices are shared virtually among different user communities. Access to the configuration schemes and command lines is most often an “all or nothing” proposition-the network administrator gets either read-only privileges or read/write privileges. In this case, authentication equals authorization. Herein lies the problem. Security policies may mandate that certain administrators have read-only capabilities for all device parameters and read/write capabilities for a certain subset of commands. Each administrator may have a unique access profile. Authentication verifies identity; authorization verifies privileges. This paper addresses the value of using a centralized, provisioned management structure that disseminates network policies and administration privileges to all the devices that make up the network infrastructure

  6. Ramaswamy Chandramouli: A Policy Validation Framework for Enterprise Authorization Specification.
    IEEE ACSAC 2003: 319-329
    Full paper: PDF

  7. Sanjay Raman, Dwaine E. Clarke, Matt Burnside, Srinivas Devadas, Ronald L. Rivest: Access-Controlled Resource Discovery for Pervasive Networks.
    SAC 2003: 338-345
    Full paper: PDF

  8. Antonio Corradi, Rebecca Montanari, Daniela Tibaldi: Context-Based Access Control Management in Ubiquitous Environments.
    NCA 2004: 253-260
    Full paper: PDF

    • Abstract: Wireless connectivity and the widespread diffusion of portable devices raise new challenges for ubiquitous service provisioning. Mobility of users causes frequent and unpredictable changes in user location and in consequently available resources. Access control to resources is crucial to leverage the provision of ubiquitous services and calls for novel solutions based on various context information, e.g., user location, device properties, user needs, local resource visibility. This work presents a novel access control model that proposes the adoption of context as a first-class design principle to rule access to resources. The paper proposes a context-centric access control middleware, called UbiCOSM, that dynamically determines the contexts of mobile users and effectively rules the access to them, by taking into account different types of metadata: user profiles and system/user-level authorization policies. The paper also presents a context-dependent movie-info service to evaluate the functioning of UbiCOSM.

  9. Damian G. Cholewka, Reinhardt A. Botha, Jan H. P. Eloff: A Context-Sensitive Access Control Model and Prototype Implementation.
    IFIP SEC 2000: 341-350
    Full paper: PDF

  10.