Performance Evaluation of SSL with New Client Authentication

Transcription

1 University of Aizu, Grauation hesis. March, 2005 s Performance Evaluation of SSL with New Client Authentication akuya Yahagi s Supervise by iroshi oyoizumi Abstract he purpose of this paper is to fin effective use of Secure Socket Layer(SSL) with Feige-Fiat-Shamir Ientification Protocol for client authentication, which prove one s ientity without its knowlege. his protocol has 50% chance of fining malicious user per one trial, an it becomes better by increasing the number of trials. In this paper, we fin most effective point of number of trials by trae-off between probability of fining malicious user an processing time. 1 Introuction Many people connect PC to Internet an communicate information. When we communicate information on the Internet, there is a anger of eavesropping, spoofing, an so on. For example when a client who is mail user receives mail from a server who provies mail service, the client sens user name an passwor. he eavesropper is able to know the user name an passwor easily. When the client sens mail, the server oesn t certify the sener s ientity. It means that any person can use others mail aress. In fact, phishing mail, spam, an some kin of virus mail use others mail aress or nonexistent mail aress. For example, phishing mail is sent by an other host using well-known bank s, creit car company s, an Internet shopping site s mail aress. Cryptography protects information from such anger. Secure Socket Layer(SSL) [2] provies cryptography communication for mail, WWW, an so on. SSL has three steps to begin cryptography communication: authentication, key exchange, an encrypting. First, the client checks the server s ientification in the authentication step, Secon, the client exchanges key which is use to encipher message. Finally the client an the server begin to communicate using cryptography. In the authentication step, SSL uses Digital Signature to certify. Digital Signature contains personal information, so this metho is usually use to certify the server an not goo to certify the client. But if there is no client authentication, a malicious person may try to spoof, an use your mail aress. So it requires client authentication. Sener ID [5] is a metho for preventing spoofing mail by checking sener s mail aress an IP aress. Sener ID asks omain part of mail aress for Domain Name System(DNS), an then checks returne IP aress is same as sener s IP aress. If IP aress is not same, mail is rejecte. his metho is base on the integrity of IP aress, but if IP aress is also forge, this metho can t prevent spoofing. Some methos for client authentication such as Rivest Shamir Aleman (RSA) authentication, Challenge anshake Authentication Protocol (CAP), an so on are available, but we use Feige-Fiat-Shamir Ientification Protocol [6]. his metho can prove ientity via emonstration of knowlege of secret without revealing even a single bit of secret. owever, when some malicious person tries to be an authenticate user, this Protocol has a 50% chance of fining an malicious user per one trial. Increasing the number of trials, the probability of fining the malicious user becomes larger, while time for confirmation gets longer. So it is necessary to fin most effectual number of trials. he purpose of this research is to evaluate performance of SSL with Feige-Fiat-Shamir Ientification Protocol. In this paper, we moel SSL with authentication using M/G/1 queue to calculate the waiting time an fin effectual metho for its use by trae-off between probability of fining malicious user an waiting time. 2 SSL SSL is use for cipher communication. For example, there are two entities, a server who provies mail service, an a client who wants to sen mail using the cryptography. o begin cryptography communication, client an server have to ecie specification of cryptography such as cryptography algorithms, an metho of key exchange. In SSL, the client an server sen some messages to ecie specification(see figure 1). First, the client sens Client hello (1) which contains ranom values an available encryption algorithms list, key exchange algorithms list an so on to server. he server respons Server hello (2) which contains ranom values an selecte algorithm, an also sens Server certificate an Server hello one to the client. Client verifies server s ientification by checking the Server certificate. he server certificate contains a public key which is necessary to exchange common key. Messages after Server certificate are encrypte using public key an sent to server. If there is no public key in Server certificate or the server oesn t sen Server cer-

2 University of Aizu, Grauation hesis. March, 2005 s tificate, server sens Server key exchange to create public key. hen server sens Server hello one to finish ello phase. In ello phase, the server sens certificate to prove his ientity, but the client oesn t prove ientity. Next, client sens Client key exchange (3) incluing premaster secret which is to create common key, Change cipher spec (4) an Finishe. Change cipher spec is signal transition in ciphering strategies. Server also sens Change cipher spec an Finishe an begins to communicate encrypte application ata. In this case, server oesn t check ientification of client. here is the possibility that a malicious person tries to spoof. So it requires client authentication. Client Client hello (1) Client Certificate Server hello Server Certificate(2) Server hello one Client key exchange Change cipher spec Finishe (3) Change cipher spec Finishe (4) Server Figure 1: SSL with no client authentication 3 Authentication Metho One of the authentication methos is Arbitrate Protocols. Arbitrate Protocols is suite for ientification of owner of a creit car, ID car, or computer account. In the Arbitrate Protocols, Feige-Fiat-Shamir Ientification Protocol [6] can prove ientity via emonstration of knowlege of secret such as Personal Ientification Number(PIN) or passwor without revealing even a single bit of secret. 3.1 Feige-Fiat-Shamir Ientification Protocol Suppose that there are two persons, Alice an Bob, an Alice wants to prove her ientification by proving that she knows a secret to Bob. his metho checks that she can calculate some value base on secret number. She has secret number an opens remainer of square of secret number ivie by n, where n is large number. Bob checks she can calculate value or not using this open value. e can t fin secret number from open value. Before Alice proves her ientification to Bob, they nee to register their secrets to truste a thir person, rent. Registration stage is following: (1) rent chooses a moulus l = pq, where p an q are large prime an roughly same size numbers to be kept secret an number of trials n. (2) Alice an Bob respectively ranomly select secret natural numbers s A an s B l 1 with gc(s A s B, l) = 1. (3) Alice an Bob compute respectively the smallest natural numbers t A an t B such that t A = s 2 A mo l an t B = s 2 B mo l an resister secrets s A an s B with rent t A an t B on t nee to be kept secret After Registration stage, to prove ientification of Alice to Bob, they implement following steps: (1) Alice selects an m, such that m l 1 an sens w = m 2 mo l to Bob (2) Bob chooses c = 0 or 1 an sens it to Alice (3) Alice computes r = ms c A mo l an sens it to Bob (4) Bob computes r 2 mo l (a) If r 2 = wt c A then i. if n = 0 then terminates this protocol an accepts Alice. ii. else n = n 1 an go to step (1) (b) If r 2 wt c A then terminates this protocol an rejects Alice Figure 2 shows the example of this protocol, when p an q are 17 an 13 an l = 221. Preliminarily, Alice an Bob chooses s A = 16 an s B = 15 an calculates t A = 16 2 mo 221 = 35 an t B = 15 2 mo 221 = 4. Alice chooses m = 219 an calculates w = mo 221 = 4, an then sens w = 4 to Bob. Bob chooses c = 1 an sens it to Alice. Alice calculates r = mo 221 = 189 an respons it to Bob. Bob calculates mo 221 = 140 an wt c A = = 140, an then checks that r 2 mo l equals wt c A or not. In this case r 2 mo l = wt c A, an Alice passes this trial.

3 Z Z Y X X Z / ' # = " <! c h h f h? DC > > I? e M S > Ž { Œ z ˆ { µ ± ± ² ² ² { { z University of Aizu, Grauation hesis. March, 2005 s Y A JW > NLO JW EFG E*FG MM 6 / 354 # $&% #% 87 (-)+. #, 2 /10 (*)&+ 95:; '&' f ] blc_*`a ] b [ _`a \\^] E*FG E*FG JILK NLO&P Q&R EF&G E*FGMM MM VU JILK NLO JILK EFG EFG MM MM EFG ikj l lmnlo pqmr ² L ª * ³ ««^ sutlvkwlx y y v v ~ ƒ - } Œ* Š Lž L ŸŸ ŸŸ Lž L L L ŸŸ ŸŸ š œ Figure 2: Feige-Fiat-Shamir Ientification Protocol example 3.2 Spoofing Metho Suppose a malicious person Mallory tries to spoof Alice, an oesn t know s A. hough, he has a chance of passing this trial with following steps: e selects an m such that 0 < m < l 1 an sens: (1) w = m 2, if he guesses that Bob will sen c = 0 (a) If Bob chooses c = 0, then Mallory sens r = m Bob computes r 2 = m 2 = wt 0 A mo l an accepts Mallory (b) If Bob chooses c = 1, then Mallory can t sen r = ms c A an Bob rejects Mallory (2) w = m 2 t 1 A, if he guesses that Bob will sen c = 1 (a) If Bob chooses c = 0, then Mallory can t sen r such that r 2 = wt c A an Bob rejects Mallory (b) If Bob chooses c = 1, then Mallory sens r = m Bob computes r 2 = m 2 = wt 1 A t1 A = wt1 A mo l an accepts Mallory his means that Mallory has a 50% chance of passing this Protocol per one trial [6]. Figure 3 shows example spoofing when Mallory guesses that Bob will sen c = 1 an hits his guess. Mallory selects m = 70, calculates w = = 140 an sens it to Bob. Bob selects c = 1 as he expecte. Mallory respons r = m = 70. Bob calculates r 2 mo l = 38 an wt c A mo l = 38. hen Mallory can pass this trial without s A. 4 Moeling Figure 3: Spoofing example he probability of fining Mallory becomes larger by increasing the number of trials, but it takes a great eal of time. So we have to think the trae-off between the probability of fining an waiting time. In this section, we calculate probability of fining, moel SSL an SSL with authentication protocol using M/G/1 queue an then obtain these waiting time to compare an evaluate waiting time of SSL with SSL with authentication. 4.1 Data capture o calculate waiting time of SSL, we nee to know service time of SSL s S S L. We buil a simple network which consists of client an mail server applie SSL to obtain service time of SSL. Client reserves mail from server an capture these packets using Sniffer [8]. hen we check time of each packet arrives to client. Figure 4 shows service time of each section of SSL. 4.2 Waiting time of SSL We consier the mean waiting time of SSL. Figure 5 shows SSL service an its waiting time of each client. First client C1 comes to server an receives SSL service. Before completion C1 s SSL communication, C2 comes to server an he has to wait until C1 finishes service. After C1 leaves server, C2 begins to receive service an also C3 comes to server in the mile of C2 s service. We efine time from client arrives server to leaves as waiting time of SSL. o be serve client an server always sen same number of messages, so we suppose that service time of SSL is same. Let N S S L be a number of client, λ be a rate of incoming client an 1 µ be a service time of SSL. By Pollaczek-Khinchin formula [9] for M/G/1 queues, expectation value of number of SSL clients is

4 ) University of Aizu, Grauation hesis. March, 2005 s º» ¹ º»½¼-¾ ÃÅÄ Æ Ç½ÈÀÉËÊ Ç Ä ÄÍÌ ÎÐÏ^ÑLÒ Ï^ÑÐÓ ÏÕÔ ÔLÖ Ï ÑØ&ÙÚ Ù Û Ü Ø Ï ÎÐÏÕÑÒ Ï^ÑÐÓ ÏÕÔ ÔLÖÞÝ Ö ß Ï àåá â ãõäæåç ã^è ãõéê½ë*ì ä í ã à ëì ä í ã ê â î ë ãõïñð î ã ê ò â ä â ð ë ã5ó ôöõø ^ùøúëûü½ýuþ õ û^ÿ þ û ü ý ù ý õ û À»½ÁLÂÀ»½Á Figure 4: Service time of SSL 4.3 Waiting ime of SSL with Authentication Next, we consier the mean waiting time of SSL with authentication. As section 4.2, service time of SSL is always same, but service time of authentication changes by number of trials up to fin Mallory. First we fin expectation an variance of number of trials. Let N M be a Mallory s number of trials, N A be a Alice s number of trials, x be a probability of fining Mallory per one trial which is 50% in section 3, an n be a number of trials. Expectation value of Mallory s number of trials is E[N M ] = = an the variance is n kx(1 x) k 1 + n(1 x) n k=1 1 (1 x)n, (3) x where E[N S S L ] = ρ + ρ2 + λ 2 σ 2 2(1 ρ), (1) ρ = λ µ. Since service time of SSL is always same, variance of service time σ 2 = 0, then by Little s formula [9], we obtain expectation of waiting time of SSL by E[Y S S L ] = 2 ρ 2µ(1 ρ), (2) where Y S S L represents waiting time of SSL. "# "$ ) )! ) %! "+* "-,./1032 ) * ) A*3&/1BDC&.EF/ 2G. :;/=<3>? &@ &% "! "$% "(' Figure 5: State of each client receives SSL service ) ' ' Var[N M ] = n k 2 x(1 x) k 1 + (E[N M ]) 2 k=1 = 1 x x 2 (2n 1)x(1 x)n x 2 (1 x)2n x 2. (4) Since Alice always passes this trial, Alice s mean number of trials E[N A ] is n, an variance Var[N A ] is 0. hen expectation value an variance of Mallory s service time of SSL with authentication are an E[S M ] = s auth E[N M ] + s S S L, (5) Var[S M ] = s auth Var[N M ], (6) where s auth an s S S L are service time of trial an SSL, an S M represents Mallory s service time of SSL with authentication. Similarly, expectation value an variance of Alice s whole service time are an E[S A ] = s auth E[N A ] + s S S L, (7) Var[S A ] = s auth Var[N A ] = 0, (8) where S A is Alice s service time of SSL with authentication. Next, we fin whole service time. Let α% are Mallory in all users, 1 µ be a average of service time an σ2 be a

5 University of Aizu, Grauation hesis. March, 2005 s variance of service time. Whole expectation value an variance of service time are following: 1 µ = (αe[s M] + (1 α)e[s A ]) + S S S L, (9) σ 2 = αvar[s M ] + (1 α)var[s A ] +α(e[s M ]) 2 + (1 α)(e[s A ]) 2 αe[s M ] + (1 α)e[s A ]) 2. (10) By Pollaczek-Khinchin formula, expectation value of number of clients is E[N auth ] = ρ + ρ2 + λ 2 σ 2 2(1 ρ), (11) where ρ = λ µ, an N auth is number of client. By Little s formula, expectation value of waiting time of SSL with authentication is obtaine by E[Y auth ] = E[N auth], (12) λ where Y auth is waiting time of SSL with authentication. 4.4 Probability of missing Mallory Also we consier the probability of missing Mallory. he probability of failing to fin Mallory per one trial is represente by 1 x then probability of missing Mallory in n trials is 5 Results p(n) = (1 x) n. (13) Figure 6 shows graphs of the mean waiting time of SSL an SSL with authentication with number of trials n = 5, n = 15, an n = 20, when x = 0.5, α = 0.01, s S S L = , an s auth = using equation (2) an (12). Figure 7 shows graphs of probability of missing Mallory with x = 0.5 represente by (13). Probability of missing Mallory when n = 5 is , n = 15 is an n = 20 is Capacity of server applie SSL an authentication with n = 5 is large, on the other han probability of miss when n = 5 has %. When n = 20, probability of miss is enough small, but capacity of server is not sufficient. SSL with authentication when n = 15 is effective with waiting time an probability of fining point of view. Waiting time Λ No auth n 5 n 15 n 20 Figure 6: hese graphs are waiting time of SSL with no authentication, SSL with authentication n = 5, n = 15 an n = 20 the orer from the right p n Figure 7: Probability of missing Mallory 6 Conclusion an Future Works We fin effective point of number of trials n = 15 by trae of between probability of fining Malloy an waiting time. Riing on the feature of this authentication which can prove ientity without sening any personal information to server, client can use client authentication more securely. Further, this metho is solution to IP aress spoofing which is problem of Sener ID. Using this metho, server can apply client authentication to SSL effectively an securely. owever, service time of authentication s Auth an probability of incoming Mallory α is not accurate value. We nee to capture these ata in the future. Acknowlegement I woul like to thank Prof. iroshi oyoizumi for his avice on this research, an Prof. Martha Clark Cummings for her help with the writing of this paper. Also I woul like to thank member of Performance Evaluation Laboratory for their help. n

6 University of Aizu, Grauation hesis. March, 2005 s References [1] CNE Japan, 0, , ,00.htm,. [2] A. O. Freier, P. Karlton, an P. C. Kocher, he SSL Protocol Version 3.0, [4] M. Lentczner an M. Wong, Sener Policy Framework: Authorizing Use of Dmains in MAIL FROM raft-lentczner-spf-00, Internet-Draft,. [5] J. Lyon an M. Wong, Sener ID: Authenticating , Internet-Draft,. [6] R. A. Mollin, Rsa an Public-Key Cryptography(Discrete Mathematics an Its Applications), Chapman & all, [7] S. M. Ross, Applie Probability Moels With Optimization Applications, Dover Pubns, [8] Sniffer echnologies, [9]. oyoizumi, Performance Evaluation, toyo/lectures/pe/pe-ex.htm..