SSL Splitting Christopher Lesniewski-Laas and M. Frans Kaashoek { - - PowerPoint PPT Presentation

SSL Splitting

Christopher Lesniewski-Laas and M. Frans Kaashoek

{ctl,kaashoek}@mit.edu

MIT LCS

USENIX Security 2003 – p.

Bandwidth Offloading

‘GET /tux.png’

Client Client Server Mirror

mirrors.kernel.org mypenguin.org

(DSL) (OC12)

USENIX Security 2003 – p.

Bandwidth Offloading

‘GET /tux.png’

Client

daemonporn.com

Mirror Client Client Server Mirror

mirrors.kernel.org mypenguin.org

(DSL) (OC12)

USENIX Security 2003 – p.

Secure Bandwidth Offloading

σ σ σ = Sign(tux.png)

‘GET /tux.png’

Client

daemonporn.com

Mirror Client Client Server Mirror

mirrors.kernel.org mypenguin.org

(DSL) (OC12)

USENIX Security 2003 – p.

Secure Bandwidth Offloading

σ σ σ = Sign(tux.png)

‘GET /tux.png’

Client

daemonporn.com

Mirror Client Client Server Mirror

mirrors.kernel.org mypenguin.org

(DSL) (OC12)

!

USENIX Security 2003 – p.

Existing Solutions Aren’t Practica

• Force users to install specialized browser
• Ex: S-HTTP

, SFSRO, BitTorrent, RPM+PGP

• Operates at the channel level, not file level
• Ex: SSL

USENIX Security 2003 – p.

SSL’s Authentication Layer

Client Server

Handshak Request File transf

X =MACk( ) X’=MACk( )

Check:X = X’?

Hello Certificate Negotiate shared secret Done

(knows shared secret k) (knows shared secret k)

G E T / t u x . p n g A

X Y

USENIX Security 2003 – p.

When All You Have Is A Hammer...

Client Serve

X X =MACk( ) X’=MACk( ) Check:X = X’?

USENIX Security 2003 – p.

SSL Splitting

Client Serve Proxy

‘tux.png(1/2)’ X X X =MACk( ) X’=MACk( ) Check:X = X’? = Cache(‘tux.png(1/2)’)

USENIX Security 2003 – p.

SSL Splitting

Connect

• 1. Connect

Proxy Server Client

USENIX Security 2003 – p. 1

SSL Splitting

Connect Connect

• 1. Connect

Proxy Server Client

USENIX Security 2003 – p. 1

SSL Splitting

• 1. Connect
• 2. Handshake

(knows k) (knows k) (cannot learn k) Negotiate shared key k

Proxy Server Client

USENIX Security 2003 – p. 1

SSL Splitting

• 2. Handshake

GET /tux.png

• 3. Request
• 1. Connect

Proxy Server Client

USENIX Security 2003 – p. 1

SSL Splitting: Cache Hit

• 3. Request

ID=SHA−1(tux.png), ID X=MAC (tux.png)

k

• 4. Stub record
• 2. Handshake
• 1. Connect

Proxy Server Client Cache

USENIX Security 2003 – p. 1

SSL Splitting: Cache Hit

, X Check MAC X

• 4. Stub record
• 5. Spliced record
• 3. Request
• 2. Handshake
• 1. Connect

Proxy Server Client Cache

USENIX Security 2003 – p. 1

SSL Splitting: Cache Miss

ID=SHA−1(tux.png), X=MAC (tux.png)

k

ID miss!

Proxy Server Client Cache

USENIX Security 2003 – p. 1

SSL Splitting: Cache Miss

Get(ID) ID miss!

Proxy Server Client Cache

USENIX Security 2003 – p. 1

SSL Splitting: Cache Miss

Get(ID) ID miss!

Proxy Server Client Cache

USENIX Security 2003 – p. 1

SSL Splitting: Cache Miss

, X Check MAC X Insert Get(ID)

Proxy Server Client Cache

USENIX Security 2003 – p. 1

Caveats

• No end-to-end confidentiality
• Only distributes bandwidth load, not CPU

USENIX Security 2003 – p. 2

Implementation

• Server
• Unmodified Apache
• Modified OpenSSL library
• Proxy: Perl and C
• Splicing is not a cryptographic operation
• Client: Netscape, IE, w3m...

USENIX Security 2003 – p. 2

Performance Questions

• How much data do we send over the

server-proxy link?

• How does overhead vary with file size?
• How much overhead with realistic file size

distributions?

USENIX Security 2003 – p. 2

Experiments

• Client replayed prerecorded request patterns
• Measured bytes over server interfaces
• Key performance metric is "rate" r:

r = wire bytes sent by server total size of files received by clients

• Smaller is better
• If no caching, r = 1 + % overhead

USENIX Security 2003 – p. 2

Experimental Setup

• Server: 160 kbps upstream, 500 MHz AMD
• CPU could push ≈ 4 Mbps using HTTPS
• Client: 100 Mbps LAN, 1.2 GHz Athlon
• Proxy: 100 Mbps LAN, 700 MHz P3

USENIX Security 2003 – p. 2

Single File Microbenchmark

10 B 100 B 1 KB 10 KB 100 KB 1 MB 10 MB

File size (bytes)

0.001 0.01 0.1 1 10 100

Rate

HTTP HTTPS Uncached

USENIX Security 2003 – p. 2

Large Files Compress Well

10 B 100 B 1 KB 10 KB 100 KB 1 MB 10 MB

File size (bytes)

0.001 0.01 0.1 1 10 100

Rate

Ideal SSL splitting performance HTTP HTTPS Uncached Cached

USENIX Security 2003 – p. 2

Some Apache Quirks

10 B 100 B 1 KB 10 KB 100 KB 1 MB 10 MB

File size (bytes)

0.001 0.01 0.1 1 10 100

Rate

Apache puts HTTP headers into separate record Apache bug: record size halved HTTP HTTPS Uncached Cached

USENIX Security 2003 – p. 2

Understanding Single File Results

• Model: r = f(file size)
• Constant 1.5 KB overhead per file
• Uncached: 5% overhead per byte
• Cached: 62 bytes sent per 16 KB record
• 8 KB records for files > 4 MB

USENIX Security 2003 – p. 2

Real Workloads

• Do real access patterns benefit from SSL

splitting?

• 7-month web traces taken from

www.lcs.mit.edu and amsterdam.lcs.mit.edu

USENIX Security 2003 – p. 2

How The Simulator Works

• Input: list of file requests and sizes
• Use microbenchmark results to predict

number of bytes sent by server

• Infinite cache

USENIX Security 2003 – p. 3

Simulation Accuracy

• 2 hours, 10 MB transferred, 4.43 MB of files

HTTP HTTPS Ideal cold cache SSL splitting cold cache SSL splittin 100% cache

0.0 0.5 1.0 1.5

Rate

1 . 6 1 . 1 3 . 4 4 . 5 6 . 1 1 . 6 1 . 1 3 . 5 2 . 1

Simulate Measure

USENIX Security 2003 – p. 3

Long-Term Savings ≈ 83%

• 7 months, 109 GB transferred, 10.6 GB of files

HTTP HTTPS Ideal cold cache SSL splitting cold cache SSL splittin 100% cache

0.0 0.5 1.0 1.5

Rate

1 . 5 1 . 1 . 1 . 1 8 . 8

Simulate

USENIX Security 2003 – p. 3

Summary

• SSL Splitting does not:
• Provide confidentiality
• Reduce server CPU load
• SSL Splitting does:
• Reduce server bandwidth use by 25–90%
• Guarantee end-to-end data integrity
• Work with normal Web browsers!
• You might use it if: you’re a Web site admin

and you’re not sure you trust your mirrors.

USENIX Security 2003 – p. 3

Availability

http://pdos.lcs.mit.edu/barnraising/

USENIX Security 2003 – p. 3