Summary of Results. NGINX SSL Performance



Similar documents
Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Overview. SSL Cryptography Overview CHAPTER 1

Is Your SSL Website and Mobile App Really Secure?

, ) I Transport Layer Security

NetScaler 2048-bit SSL Performance

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

SSL/TLS: The Ugly Truth

Zeus Traffic Manager VA Performance on vsphere 4

ZEN NETWORKS 3300 PERFORMANCE BENCHMARK SOFINTEL IT ENGINEERING, S.L.

Communication Security for Applications

Dashlane Security Whitepaper

ZVA64EE PERFORMANCE BENCHMARK SOFINTEL IT ENGINEERING, S.L.

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Proto Balance SSL TLS Off-Loading, Load Balancing. User Manual - SSL.

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

SSL Report: ebfl.srpskabanka.rs ( )

Three attacks in SSL protocol and their solutions

Savitribai Phule Pune University

CS z/os Application Enhancements: Introduction to Advanced Encryption Standards (AES)

Chapter 7 Transport-Level Security

HTTPS is Fast and Hassle-free with CloudFlare

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

SECURE SOCKETS LAYER (SSL) SECURE SOCKETS LAYER (SSL) SSL ARCHITECTURE SSL/TLS DIFFERENCES SSL ARCHITECTURE. INFS 766 Internet Security Protocols

Lecture 7: Transport Level Security SSL/TLS. Course Admin

Whitepaper : Using Unsniff Network Analyzer to analyze SSL / TLS

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

Riverbed Stingray Traffic Manager VA Performance on vsphere 4 WHITE PAPER

TLS/SSL in distributed systems. Eugen Babinciuc

Einführung in SSL mit Wireshark

Communication Systems SSL

Version Highlights. CertainT 100 SSL Accelerator. Version International. New hardware and software version. North America

CRYPTOGRAPHY IN NETWORK SECURITY

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Transport Level Security

[SMO-SFO-ICO-PE-046-GU-

Security Protocols/Standards

SSL Server Rating Guide

Learning Network Security with SSL The OpenSSL Way

Using BroadSAFE TM Technology 07/18/05

White Paper. Enhancing Website Security with Algorithm Agility

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

CRYPTOGRAPHY AS A SERVICE

Improving OpenSSL* Performance

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

2014 IBM Corporation

Complying with PCI Data Security

Chapter 17. Transport-Level Security

Network Security Essentials Chapter 5

SSL: Secure Socket Layer

SSL A discussion of the Secure Socket Layer

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

SSL BEST PRACTICES OVERVIEW

AES-GCM software performance on the current high end CPUs as a performance baseline for CAESAR competition

Security Policy for Oracle Advanced Security Option Cryptographic Module

The Secure Sockets Layer (SSL)

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Installation and usage of SSL certificates: Your guide to getting it right

Cut Network Security Cost in Half Using the Intel EP80579 Integrated Processor for entry-to mid-level VPN

Properties of Secure Network Communication

Applying Cryptography as a Service to Mobile Applications

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

SSL VPN vs. IPSec VPN

Web Security Considerations

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Secure Sockets Layer

U.S. Federal Information Processing Standard (FIPS) and Secure File Transfer

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

TLS and SRTP for Skype Connect. Technical Datasheet

Security Policy Revision Date: 23 April 2009

Introduction. Haroula Zouridaki Mohammed Bin Abdullah Waheed Qureshi

As enterprises conduct more and more

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Application Note: Onsight Device VPN Configuration V1.1

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

Transport Layer Security Protocols

Configuring SSL Termination

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Lab 7. Answer. Figure 1

Upsurge in Encrypted Traffic Drives Demand for Cost-Efficient SSL Application Delivery

Software Engineering 4C03 Research Project. An Overview of Secure Transmission on the World Wide Web. Sean MacDonald

SECURE SOCKETS LAYER (SSL)

4 Delivers over 20,000 SSL connections per second (cps), which

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Key Management (Distribution and Certification) (1)

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Cornerstones of Security

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Transcription:

NGINX SSL NGINX is commonly used to terminate encrypted SSL and TLS connections on behalf of upstream web and application servers. SSL termination at the edge of an application reduces the load on internal servers, simplifies certificate management and reduces certificate costs. However, because it is extremely CPU-intensive, it can create a scalability bottleneck that may limit growth. This paper investigates the performance of NGINX s SSL termination under a range of traffic types and ciphers. It seeks to establish a correlation between OpenSSL benchmarks and NGINX performance, to enable users to rapidly estimate the capacity of selected hardware or virtual machines. Summary of Results A single virtualized Intel core can typically perform up to 35 full 248-bit SSL handshake operations per second, using modern cryptographic ciphers. This equates to several hundred new users of your service per second per core. NGINX s SSL performance scales with the number of cores available on the host server, until other limits (typically bandwidth) are met, so an 8-core virtual machine could accept traffic from over 1, new users per second and still have resources to spare. Older, less compute-intensive ciphers can give significantly better performance in some benchmarks, but the benefits are outweighed by the security improvements of modern SSL and TLS ciphers.

Interpreting the Results some background on SSL SSL connections are complex to analyze because there are many variables that affect performance the server key size, the key exchange protocol, the bulk cipher and the quantity of data transferred down that SSL connection. Furthermore, the industry standards for SSL and TLS operations have changed in the last 3 years in response to developments in encryption-breaking technology and concerns about government snooping on traffic. Server Key size 124 or 248-bit? An SSL connection will begin with an authentication step, where the server presents an identifying public certificate and the client verifies the server owns the corresponding RSA private key. In this step, the client encrypts some random data using the server s public key (in the public certificate) and the server then decrypts it using the private key. Both parties must agree on the value of the client s random data for the SSL handshake to proceed successfully. What has changed? Until recently, 124-bit RSA private keys were common, but industry standards have now fully migrated to 248-bit keys. In general, operations using 248-bit keys are 5 times slower than 124-bit keys. Key Agreement - RSA or Perfect Forward Secrecy The client and server then need to negotiate a shared master secret that is used to derive the encryption key for the SSL connection. The results of the RSA operation used in the authentication step can be used to generate the shared secret, or an additional key-exchange step can be used. What has changed? Many published benchmarks select an SSL cipher that uses the RSA operation in the authentication step to generate the shared secret. However, RSA-encrypted session keys can be decrypted if the RSA key is compromised in the future. Modern SSL implementations favor Perfect Forward Secrecy methods 1. This involves an additional step in the SSL handshake where the server generates an ephemeral (temporary) key pair for the connection. A shared secret is negotiated securely using this ephemeral key, and the ephemeral key is then destroyed. However, improved security comes at the cost of greater computation on behalf of the server, and a corresponding performance impact. 1 http://vincent.bernat.im/en/blog/211-ssl-perfect-forward-secrecy.html

Bulk Ciphers RC4 or AES? Once the shared secret is determined, both parties must negotiate a stream or block cipher (to encrypt the data) and signing method (to generate message authentication codes) for data transmission. The shared secret is used to derive the encryption and signing keys. What has changed? The RC4 bulk cipher is now regarded as weak and now the slower AES128 cipher is preferred. MD5 and SHA-1 signing methods have now been replaced with SHA-256 or other more secure but more expensive signing methods. SSL Session Reuse The expensive authentication and key negotiation operations in an SSL handshake do not need be performed for every HTTP request. Clients are extremely efficient at using single HTTPS connections for multiple GETs and reusing SSL session credentials across multiple SSL connections. The number of RSA operations per second that a server can perform provides an upper limit on the number of new clients per second, not a limit on the number of individual requests per second the server can perform. Summary It is very difficult to compare SSL performance benchmarks from different sources or vendors without knowing the precise details of the SSL ciphers used. In this study, we will consider two cipher combinations: TLS_RSA_WITH_RC4_128_SHA illustrates legacy performance ; TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 gives a more representative measure of contemporary performance. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (or a related cipher) is necessary to score an A on Qualys SSL Server Test. 2 It s even more difficult to infer real-world performance from benchmark results. The aim of this study is to help you make some good judgements, but it s no substitute for evaluating performance on your own hardware, with your own content, applications and users. 2 https://www.ssllabs.com/ssltest/

System Under Test NGINX 1.7.2 was tested on Ubuntu 14.4 on a range of virtual machine sizes from DigitalOcean. No operating system or NGINX tuning was applied, other than to increase NGINX s worker_processes to match the number of cores in each virtual machine. CPU cores Network (MBs) 248 RSA ops per second RC4 throughput (MBs) Server-1 1 112 619.5 516 175 Server-2 2 111 112 111 46 Server-3 4 111 238.4 2352 861 Server-4 8 11 444.8 43 1575 AES throughput (MBs) Network throughput was measured using ab (apachebench) to transfer large files from client to server using HTTP. 111 MBs application-layer throughput is consistent with a 1 GbE network, and this should be regarded as the peak possible application network performance. Cryptographic speed tests were taken using openssl speed. This is an easy-to-run process, and this study investigates the correlations between openssl speed results and the benchmark results: RSA operations per second measured using openssl speed rsa (signatures per second with 248-bit keys). RC4 throughput measured using openssl speed rc4 (bulk encryption with 124-byte block size). AES throughput measured using openssl speed aes, (128-bit key, 124-byte block sizes). OpenSSL speed results are multiplied by the number of cores in the server to get total server capacity.

Results Requests per second and Bandwidth TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_RC4_128_SHA 3. Requests per Second 25. 2. 15. 1. 5.. 1k 1k 1k 1m File size (bytes) 1k 1k 1k 1m File size (bytes) 1 core 2 cores 4 cores 8 cores TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_RC4_128_SHA 12. Bandwidth (MBs) 1. 8. 6. 4. 2.. 1k 1k 1k 1m File size (bytes) 1k 1k 1k 1m File size (bytes) 1 core 2 cores 4 cores 8 cores For small requests, where the performance is dominated by the handshake, the additional ECDHA key exchange step reduces the performance of the ECDHA-RSA cipher to approximately 85% the performance of the simple RSA cipher. For larger requests, where the performance is dominated by the bulk cipher, the AES-based ciphers are approximately 35% the performance of the RC4 ciphers. Where performance is dominated by available bandwidth, both ciphers are then limited by network bandwidth.

Correlating with other measurements Performing full benchmark tests is complex and error prone. It s useful to determine if there is a strong correlation between easy-to-measure performance metrics (e.g. openssl speed) and SSL performance. Estimating Requests per Second 25 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Requests per Second 2 15 1 5 1 2 3 4 5 RSA speed test * cores k 1k 1k 1k 1m The strongest correlation for Requests per Second for small files is against the RSA speed test: Number of cores RSA speed bytes RPS Ratio 1k RPS Ratio 1 core 619.5 379.7.61 371.4.6 2 cores 112 663.2.59 636.7.57 4 cores 238.4 123.8.52 1218.5.51 8 cores 444.8 212.5.48 2169.4.49 giving a rough approximation that requests per second for small files is between 5% and 6% of the RSA speed, tailing off for more powerful machines where other factors (e.g. interrupt handing) begin to affect performance.

Estimating Bandwidth - AES TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Throughtput (MB/second) 14 12 1 8 6 4 2 5 1 15 2 AES speed test * cores 1k 1k 1k 1m Determining a correlation between bandwidth and AES speed is more challenging because the test network was only 1GbE-capable (approx. 111MB/s effective throughput), and because bulk ciphers such as AES are relatively efficient; the performance of the cipher does not have a significant bearing on the performance of the system. Number of cores AES speed (MB/s) (1K files) Ratio (1M files) Ratio 1 core 175 19.9.11 43..25 2 cores 46 3..7 46.1.11 4 cores 861 7.5.8 19.3.13 8 cores 1575 95.6.6 11.7.7 The sweet spot is clearly on low-powered machines (where bandwidth limits cannot be met), with very large files (where the very-expensive RSA operation has less effect). We saw a peak throughput of 25% the theoretical AES speed, but overall throughput limits quickly dominated. Because the cipher is relatively lightweight, there is not a strong correlation between theoretical speed and actual speed.

Estimating Bandwidth RC4 (MB/second) 12 1 8 6 4 2 TLS_RSA_WITH_RC4_128_SHA 1 2 3 4 5 RC4 speed test * cores 1k 1k 1k 1m Note that even the low-powered machines in the test quickly saturated the 1 GbE network when using the RC4 bulk cipher. Number of cores RC4 speed (MB/s) (1K files) Ratio (1M files) Ratio 1 core 516 31.6.6 91.2.18 2 cores 111 59.6.5 16.9.1 4 cores 2352 82.2.3 11.8.5 8 cores 43 16.7.2 111..3 AES Acceleration with AES-NI AES-NI is a set of instructions on modern Intel processors that accelerates the encryption speed of the AES algorithm. The virtual machines used in these tests were not AES-NI-capable. Informal reports indicate that AES-NI is between 4-8x the performance of AES, so one would expect that the performance difference against RC4 would be significantly reduced or eliminated.

Conclusions NGINX software can handle large volumes of SSL traffic on a modern 8-core or beyond server. Scalability is very cost-effective; NGINX leverages general-purpose physical or virtual hardware and SSL connections-per-second scales linearly with the number of cores, up to other limitations in the hardware or operating system. A single virtualized Intel core can typically perform up to 35 full 248-bit SSL handshake operations per second; this equates to several hundred new users of your service per second per core. NGINX s SSL performance scales with the number of cores available on the host server, until other limits (typically bandwidth) are met, so an 8-core virtual machine could accept traffic from over 1, new users per second and still have resources to spare. For other hardware, you can use openssl tests to determine approximately what the SSL capacity could be. Specialized hardware devices exist that can perform many thousands of RSA operations per second. You should consider whether the cost of these devices (acquisition, support, upgrades) is merited given the traffic levels you need to terminate, and the corresponding cost of an NGINXbased solution.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information