.NET Security and Performance: has security slowed down the application? By Krishnan Ganesh Madras

Content

Introduction
Client Authentication
Hashing Algorithms
Symmetric Key Algorithms
Asymmetric Key Algorithms
Conclusion

Has Security Slowed Down The Application?

Yes, security has slowed down the application. In this presentation I analyse the performance of the various security options available in .NET, comparing the relative cost of the options for client authentication, hashing algorithms, and symmetric and asymmetric key algorithms.

Client Authentication

The options compared under client authentication are:
Anonymous
Basic
Basic_SSL (Secure Sockets Layer)
Kerberos
Digest
FormsAuth_AD
FormsAuth_SQL

Client Authentication cont…

Anonymous: No authentication is performed.
Basic: The client sends its credentials to the web server, which authenticates them. This is extremely insecure, because the password crosses the network in clear text (it is merely base64-encoded, which anyone who sees the request can decode).
Basic_SSL: The same as Basic, but over SSL, so the credentials travel inside an encrypted channel.

Client Authentication cont…

Kerberos: The client authenticates to the Key Distribution Center (KDC), which issues it a Kerberos ticket; the password itself never crosses the network. The ticket is a time-limited credential carrying information that identifies the user to the network server.
Digest: The server sends the client a challenge containing a nonce. The client replies with an MD5 hash computed over the username, password, realm, nonce, HTTP method and requested URI, and the server recomputes the same hash from the secret it holds to authenticate the client. The password is never sent in clear text, which is certainly an advantage over Basic authentication; note, however, that an eavesdropper who captures the challenge and response can still run an offline dictionary attack against it, so Digest is not a substitute for SSL.

Client Authentication cont…

FormsAuth_AD: ASP.NET Forms authentication with user accounts held in Active Directory.
FormsAuth_SQL: ASP.NET Forms authentication with user accounts stored in SQL Server. Instead of storing passwords in clear text, their hash values are stored for extra security.

Client Authentication cont…

In Basic, Basic_SSL, Kerberos and Digest authentication the flow of HTTP headers follows a challenge-response pattern: the server answers an unauthenticated request with 401 and a WWW-Authenticate header naming the scheme, and the client repeats the request with an Authorization header carrying its credentials (or, for Digest, the hashed response).
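To make the Basic and Digest exchanges concrete, the following is an added example written for this page, not code from the slides. It assumes a constructed account alice/s3cret in realm example.local and a fixed server nonce (a real server issues a fresh nonce per challenge). It shows what the client puts in the Authorization header in each case, why a Basic header without SSL is as good as plain text, and how a Digest server authenticates the client without the password ever being sent:

```python
import base64
import hashlib
import hmac
import re

# Constructed sample values for the exchange (not taken from the slides).
REALM = "example.local"
NONCE = "c0ffee1234567890"          # a real server generates a fresh nonce per challenge
METHOD, URI = "GET", "/secure/report"
# The server's credential store keeps HA1 = MD5(username:realm:password), not the password.
HA1_STORE = {"alice": hashlib.md5(b"alice:example.local:s3cret").hexdigest()}


def basic_header(username, password):
    """Client side of Basic: the credentials are only base64-encoded, not encrypted."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def recover_basic_credentials(header):
    """What anyone who sees the request (no SSL) can do with a Basic header: decode it."""
    token = header.split(" ", 2)[2]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(ha1, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def digest_header(username, password, realm, nonce, method, uri):
    """Client side of Digest: the password is hashed locally and never leaves the client."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    response = digest_response(ha1, nonce, method, uri)
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{response}"')


def server_verifies_digest(header, method, nonce):
    """Server side: parse the fields, recompute from the stored HA1, compare in constant time."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', header))
    if fields.get("nonce") != nonce:          # stale or replayed challenge
        return False
    ha1 = HA1_STORE.get(fields.get("username"))
    if ha1 is None:
        return False
    expected = digest_response(ha1, nonce, method, fields.get("uri", ""))
    return hmac.compare_digest(expected, fields.get("response", ""))


if __name__ == "__main__":
    basic = basic_header("alice", "s3cret")
    print(basic, "->", recover_basic_credentials(basic))
    digest = digest_header("alice", "s3cret", REALM, NONCE, METHOD, URI)
    print(digest, "-> valid:", server_verifies_digest(digest, METHOD, NONCE))
```

The Digest header contains no password, but the response is a deterministic MD5 of it, so whoever records the exchange can test candidate passwords offline; that is why the Basic_SSL option, or Digest over SSL, is what the threat model usually demands rather than Digest alone.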

Client Authentication cont…

The flow of HTTP headers for ASP.NET Forms authentication is different: the server redirects an unauthenticated request to the login page, the client posts the login form, and on success the server sets the forms authentication cookie and redirects the client back to the page it originally asked for; later requests carry that cookie.

Client Authentication cont…

Anonymous has the best performance. Kerberos and Digest perform similarly, as do Basic and FormsAuth_SQL. FormsAuth_AD is the slowest of all.

Sample Code for Basic authentication

    using System;
    using System.Web.UI;

    // Code-behind of an ASP.NET page. With Basic authentication enabled in IIS, the
    // authenticated Windows identity is exposed through User.Identity.
    protected void Page_Load(object sender, EventArgs e)
    {
        Label1.Text = User.Identity.Name;               // e.g. "Domain\\username"
        if (User.Identity.Name == "Domain\\username")   // placeholder account from the slide
            Response.Redirect("………");                   // target URL elided on the slide
    }

Sample Code for Forms authentication

    using System.Data.SqlClient;
    using System.Web.Security;

    // sHashedUserName and sHashedPassword hold the hashed form values (see the hashing slides).
    // The query is parameterised rather than built by string concatenation, so the values can
    // never alter the SQL text, and the redirect happens only when the stored hashes match.
    using (SqlConnection conn = new SqlConnection(
        "Data Source=Domain\\SQLEXPRESS;Initial Catalog=assignment2;Integrated Security=True"))
    {
        conn.Open();
        SqlCommand cmd = new SqlCommand(
            "select count(username) from login where username=@user and password=@pass", conn);
        cmd.Parameters.AddWithValue("@user", sHashedUserName);
        cmd.Parameters.AddWithValue("@pass", sHashedPassword);
        if ((int)cmd.ExecuteScalar() == 1)
            FormsAuthentication.RedirectFromLoginPage(Login1.UserName, false);
    }
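The slide builds the lookup query by concatenating the submitted values into the SQL text. Hashing the username first happens to remove quote characters, but that is an accident of encoding, not a defence: the moment any code path concatenates a raw field, the query is injectable. The added example below (constructed for this page, using SQLite in memory as a stand-in for the slide's SQL Server table) puts the concatenated pattern next to a parameterised one and shows the difference on a classic bypass string:

```python
import hashlib
import hmac
import sqlite3


def hash_password(password):
    """Unsalted digest, mirroring what the slide stores (see the note below for production use)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_store():
    """Constructed stand-in for the slide's `login` table with a single account alice."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO login VALUES (?, ?)", ("alice", hash_password("correct horse")))
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """The slide's pattern: the query text is assembled from the submitted username."""
    sql = ("select count(username) from login where username='" + username +
           "' and password='" + hash_password(password) + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep input out of the SQL text; constant-time hash compare."""
    row = conn.execute("select password from login where username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_password(password))


if __name__ == "__main__":
    conn = make_store()
    bypass = "' OR '1'='1' --"      # comments out the password clause in the concatenated query
    print("concatenated, bypass string :", login_concatenated(conn, bypass, "anything"))
    print("parameterised, bypass string:", login_parameterized(conn, bypass, "anything"))
    print("parameterised, real password:", login_parameterized(conn, "alice", "correct horse"))
```

The concatenated version accepts the bypass string because the injected `OR '1'='1' --` turns the WHERE clause into a tautology and comments out the password check; the parameterised version looks for a user literally named that and finds none. For a real credential store the bare digest the slide describes should also give way to a salted, deliberately slow password hash, which string concatenation versus parameters does nothing to address.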

Hashing Algorithms

Hash algorithms map data of arbitrary size to a small fixed-length value, the digest; a good hash makes it infeasible to find two inputs with the same digest. We compare the SHA1, SHA512 and MD5 algorithms. MD5 produces a 128-bit hash, SHA1 a 160-bit hash and SHA512 a 512-bit hash. MD5 and SHA1 are no longer considered collision-resistant, so the comparison that follows is about cost, not about which algorithm to pick for a new design. We will also see how data size affects performance.

Hashing Algorithms cont…

The performance of all three algorithms is almost the same when the data size is 4KB.

As the data size increases, the difference in performance between the algorithms becomes visible. At 5 concurrent users, MD5 is 33% faster than SHA1. The performance of SHA512 degrades with data size; it is around 55% slower than SHA1.

As the data size increases further, the algorithms diverge more. MD5 is around 43% faster than SHA1 at 5 concurrent users and around 20% faster at the other load levels. SHA512 is around 72% slower than SHA1.

Basic sample code

    using System.Security.Cryptography;
    using System.Web.Security;

    // 1. Computing a hash value using MD5, as a hex string suitable for the Forms authentication store
    //    (password is the string to hash):
    string sHashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "MD5");

    // 2. Computing a hash value using SHA1 (value is a byte[] holding the data to hash):
    byte[] b;
    using (SHA1 sha1 = SHA1.Create())
    {
        b = sha1.ComputeHash(value);
    }
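The slides give percentages but not the harness behind them. The following is an added example, not from the slides, of a small measurement loop in the same shape as the comparison above: it hashes constructed random buffers of 4KB, 100KB and 500KB with MD5, SHA1 and SHA512 for a fixed time budget and reports each algorithm's throughput relative to SHA1, the way the slides do. It uses Python's hashlib (OpenSSL underneath), so the absolute numbers will differ from the .NET measurements; the point is the method and the output sizes:

```python
import hashlib
import os
import time

ALGORITHMS = ("md5", "sha1", "sha512")
DATA_SIZES = (4 * 1024, 100 * 1024, 500 * 1024)     # the 4KB, 100KB and 500KB used on the slides


def digest_bits(algorithm):
    """Output size in bits: 128 for MD5, 160 for SHA1, 512 for SHA512."""
    return hashlib.new(algorithm).digest_size * 8


def hashes_per_second(algorithm, data, budget_seconds=0.2):
    """Hash the same buffer repeatedly for a fixed wall-clock budget and return the rate."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < budget_seconds:
        hashlib.new(algorithm, data).digest()
        count += 1
    return count / (time.perf_counter() - start)


def measure(sizes=DATA_SIZES, algorithms=ALGORITHMS, budget_seconds=0.2):
    """Throughput table {size: {algorithm: hashes per second}} over constructed random input."""
    table = {}
    for size in sizes:
        data = os.urandom(size)          # constructed input; its content does not affect hash cost
        table[size] = {alg: hashes_per_second(alg, data, budget_seconds) for alg in algorithms}
    return table


def percent_vs_baseline(rates, baseline="sha1"):
    """Relative speed in the slides' terms: +33 means 33% faster than SHA1, -55 means 55% slower."""
    base = rates[baseline]
    return {alg: round((rate / base - 1.0) * 100.0) for alg, rate in rates.items()}


if __name__ == "__main__":
    for size, rates in measure().items():
        rel = percent_vs_baseline(rates)
        row = "  ".join(f"{alg}: {rates[alg]:8.0f}/s ({rel[alg]:+d}%)" for alg in ALGORITHMS)
        print(f"{size // 1024:>4} KB  {row}")
```

Run it a few times and at each size: per-call overhead dominates at 4KB, which is why the slides see the three algorithms converge there, while at 500KB the per-byte cost of the compression function shows through.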

Symmetric Key Algorithms

Symmetric-key algorithms use the same key, or keys related by a simple transform, for both encryption and decryption. In practice the key is a shared secret between two or more parties, used to keep a communication link private.

Symmetric Key Algorithms cont…

The performance of four algorithms is compared: DES, 3DES, RC2 and Rijndael (the AES algorithm). System.Security.Cryptography provides implementations of all four (DES, TripleDES, RC2, Rijndael). Each algorithm encrypts the data and then decrypts the encrypted bytes; timings were also taken at data sizes of 4KB, 100KB and 500KB to see how data size affects performance.

With small data sizes Rijndael performs better than the others. DES performs well compared with 3DES and RC2, but its 56-bit key leaves it vulnerable to brute-force attack. 3DES and RC2 perform almost identically.

As the data size increases the picture changes entirely. DES is the fastest, followed by RC2, which is 20% faster than 3DES. Rijndael is the slowest, 25% slower than 3DES. Speed alone should not decide the choice here: DES is obsolete because of its key size, and Rijndael/AES is the algorithm that remains recommended.

Asymmetric Key Algorithms

Asymmetric key algorithms are a form of cryptography in which each user has a pair of keys, a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot practically be derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key.

The two common asymmetric algorithms are RSA and DSA. RSA can be used for both encryption and signature generation; DSA can only be used to generate signatures. We compared RSA and DSA on how fast they generate a digital signature and how fast they verify one. In the RSA signature process the private key is applied only to the message digest (the private-key "encryption" of the digest), and the result is the digital signature. DSA uses a different mathematical construction to produce a signature made of two 160-bit numbers derived from the message digest and the private key.

DSA is 29% faster than RSA when generating a signature. When the data size is increased, DSA still remains faster than RSA.

When verifying a signature, RSA is faster than DSA by about 29%. As the data size increases the difference becomes almost negligible, because hashing the data comes to dominate the cost of the signature arithmetic.
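The slides report the asymmetry without the reason. The added example below (constructed for this page, not from the slides) implements textbook DSA and unpadded RSA at toy size (512-bit moduli, 160-bit q, SHA1 digest) on top of an instrumented square-and-multiply, so the modular multiplications spent in each operation can be counted: RSA signing exponentiates by the full-size private exponent d, RSA verification by the 17-bit public exponent 65537, DSA signing does one exponentiation with a 160-bit exponent, and DSA verification does two. Key generation uses a seeded PRNG so the run is repeatable; nothing here is a usable signature implementation, and in .NET the System.Security.Cryptography classes are what one actually calls.

```python
import hashlib
import math
import random

# Toy parameters, constructed for illustration: 512-bit moduli, 160-bit DSA subgroup, unpadded RSA.
RSA_E = 65537
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


class Cost:
    """Counts modular multiplications performed by modexp()."""
    def __init__(self):
        self.mulmods = 0


def modexp(base, exp, mod, cost):
    """Square-and-multiply, instrumented: work grows with the bit length of exp."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
            cost.mulmods += 1
        base = base * base % mod
        cost.mulmods += 1
        exp >>= 1
    return result


def is_probable_prime(n, rng, rounds=16):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n, rng):
            return n


def dsa_params(rng, p_bits=512, q_bits=160):
    """160-bit prime q, prime p with q | p-1, and a generator g of the order-q subgroup."""
    q = random_prime(q_bits, rng)
    while True:
        k = (rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1   # even k, odd p
        p = k * q + 1
        if is_probable_prime(p, rng):
            break
    g, h = 1, 2
    while g == 1:
        g = pow(h, (p - 1) // q, p)
        h += 1
    return p, q, g


def rsa_keygen(rng, bits=512):
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(RSA_E, phi) == 1:
            return p * q, RSA_E, pow(RSA_E, -1, phi)


def digest_int(msg):
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")     # 160-bit digest, as on the slides


def compare(msg, seed=2024, tamper=False):
    """Sign msg with both schemes and verify (optionally against an altered message);
    return validity and the modular-multiplication count of each operation."""
    rng = random.Random(seed)
    p, q, g = dsa_params(rng)
    x = rng.randrange(1, q)                    # DSA private key
    y = pow(g, x, p)                           # DSA public key
    n, e, d = rsa_keygen(rng)
    h = digest_int(msg)
    h_check = digest_int(msg + b"!") if tamper else h
    out = {}

    c = Cost()
    sig = modexp(h, d, n, c)                   # d is about 512 bits: expensive
    out["rsa_sign"] = c.mulmods
    c = Cost()
    out["rsa_valid"] = modexp(sig, e, n, c) == h_check   # e is 17 bits: cheap
    out["rsa_verify"] = c.mulmods

    c = Cost()
    k = rng.randrange(1, q)                    # per-signature nonce; must never repeat in real use
    r = modexp(g, k, p, c) % q                 # one 160-bit exponentiation
    s = pow(k, -1, q) * (h + x * r) % q
    out["dsa_sign"] = c.mulmods
    c = Cost()
    w = pow(s, -1, q)
    v = modexp(g, h_check * w % q, p, c) * modexp(y, r * w % q, p, c) % p % q   # two exponentiations
    out["dsa_valid"] = v == r
    out["dsa_verify"] = c.mulmods
    return out


if __name__ == "__main__":
    for op, count in compare(b"the quick brown fox").items():
        print(f"{op:12} {count}")
```

With these sizes RSA verification costs 19 multiplications (16 squarings plus 2 multiplies for 65537), RSA signing roughly 770, DSA signing roughly 240 and DSA verification roughly 480; the ratios move with key size and with real implementations' optimisations (CRT for RSA, fixed-base tricks for DSA), but the ordering the slides measured, DSA faster to sign and RSA faster to verify, falls straight out of the exponent lengths.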

Conclusion

As these tests demonstrate, authentication schemes, hashing algorithms and cryptographic techniques carry varying amounts of overhead and therefore have very different performance characteristics. The size of the data passed to the hashing and encryption algorithms also matters. When designing a secure system, the techniques should be chosen on the basis of threat mitigation first and performance second. For instance, Basic authentication without SSL gives better performance, but no matter how fast it is, it is useless in a system exposed to threats it does not mitigate. When authentication is combined with data privacy (encryption), the overall performance depends on the combination of schemes in use.
