Influence of the TCP packet setting and encryption for data transfer in medical applications

VLADIMÍR SCHINDLER
Department of Telecommunications, Faculty of Electrical Engineering and Communication
Brno University of Technology
Technická 12, 616 00 Brno
CZECH REPUBLIC
xschin02@stud.feec.vutbr.cz http://www.vutbr.cz

ALEŠ ROČEK
Technical Support Department, Institute of Computer Science
Masaryk University, Botanická 554/68a, 602 00 Brno
CZECH REPUBLIC
rocek@ics.muni.cz http://www.muni.cz

Abstract: The requirements for transmission speed with adequate security of the transmitted information in medical applications are prerequisites for the proposed solution, which has the following specific requirements to meet. In particular, ensuring secure access from workstations with slower connections requires optimization and an encryption option such that the user does not feel too much discomfort. Optimizing the parameters of the transmitted data and choosing their more suitable combinations can achieve better results than the normal settings of active network elements. It is also important to choose a suitable type of encryption in order to meet the demands for safe transmission of sensitive medical information as well as the considerably increased volume of the transferred data.

Key-Words: MSS, Medical applications, MeDiMed, MTU, IPsec, Iperf, PACS

1 Introduction

Privacy and data security are a key point of many computer applications. Data transport over a public data network (Internet) should be protected via encrypted tunnels. Tunneling protocols together with encryption algorithms bring some additional overhead, which decreases the bandwidth available for the real data transport. The aim of this paper is to analyze the protocol overhead introduced by both the IPsec protocol itself and the data encryption algorithm. We intend to fine-tune TCP (Transmission Control Protocol) parameters to maximize data throughput when the TCP stream is transported over an IPsec tunnel.
The results of this measurement will be taken into consideration when optimizing the design of the solution for connecting a small healthcare institution and workstations within the MeDiMed project, which uses PACS (Picture Archiving and Communications System) to work with medical data.

1.1 PACS and MeDiMed

PACS is a currently used procedure and methodology for processing medical multimedia data obtained from picture acquisition machines such as computed tomography, ultrasound, X-ray etc. Medical multimedia data obtained from these machines, which are called modalities in PACS terminology, are stored on a central PACS server. The Shared Regional PACS project MeDiMed started as a collaborative effort among Brno hospitals to process medical multimedia data. Masaryk University is the coordinator of this project, ensuring that the demands and requirements of radiology departments are met and overseeing the changing legislative standards and the practical limitations of technology. The new goal for the MeDiMed project is to offer the PACS system to small institutions. Small healthcare institutions and private doctor's offices usually have limited Internet connectivity and data network availability in general [1].

ISBN: 978-960-474-341-4
The aim of the InstantPACS project is to develop a maintenance-free PACS system suitable for small and mid-sized healthcare institutions. This PACS system should offer the user amenities that are common in hospitals, including e.g. automatic backup of medical data. The most important properties are user friendliness, maintenance-free operation and pricing acceptable for private doctor's offices. This project is an integral part of the MeDiMed shared regional PACS server overlaying project. As small healthcare institutions and private doctor's offices are increasingly equipped with diagnostic devices such as CT, X-ray, ultrasound etc., we expect demand for medical picture data processing capabilities and services. Our intention is to offer PACS services to these new prospective medical users as well. The specific property of PACS, or of any ICT service, in a small healthcare institution is the limited bandwidth available for medical picture data transport. The main intention of this work is the optimization of networking protocol parameters to maximize bandwidth utilization [1].

1.2 MSS

MSS (Maximum Segment Size) indicates the largest amount of TCP data that can be sent in a TCP segment. The resulting IP datagram is still about 40 octets longer (IP and TCP headers); the encapsulation of a TCP segment into the IP datagram is shown in Fig. 1. Theoretically the MSS can be 65,495 bytes long, but in practice the MTU (maximum transmission unit) value of the outgoing interface reduced by 40 octets is used (e.g. for Ethernet the MSS would be 1500 B - 40 B = 1460 B). The typical size of the MSS is just 1460 bytes. If the TCP segment is longer than 1460 bytes, further fragmentation may happen at the network layer in the IP protocol. The MSS is not a value that the devices negotiate with each other while establishing a connection. Any device may use the optional opportunity to inform its peer about the MSS which it expects, but this is not required. If the information about the MSS is missing, it is set to the default value of 536 octets.
The network performance can be degraded by using either extremely large or extremely short segments. Each segment contains at least 40 octets of IP and TCP headers in addition to the data itself. [11]

Fig. 1. Encapsulation of a TCP segment into the IP datagram. Field sizes shown: 20, 20, and less than or equal to MSS.

1.3 IPsec

IPsec (IP Security Protocol) adds security mechanisms to the network layer. IPsec defines two security mechanisms. The first mechanism is authentication, which ensures the authenticity of the transmitted data. The receiver can verify that the received IP packet originated from the sender. Adding an AH (Authentication Header) in IPv4 transport mode is shown in Fig. 2 and in tunnel mode in Fig. 3. [10]

The second mechanism is encryption, where everything except the header of the packet is encrypted using a pre-agreed algorithm. The recipient must agree in advance with the sender which type of encryption will be used. Using ESP (Encapsulating Security Payload) in transport mode is shown in Fig. 4 and in tunnel mode in Fig. 5. [10]

IPsec is independent of the upper layer protocols. The application need not support any special communication methods to transmit over IPsec. It is possible to create an encrypted tunnel (VPN) or to encrypt only the communication between two computers.

Fig. 2. AH in transport mode in IPv4.

Fig. 3. AH in tunnel mode in IPv4.
Fig. 4. ESP in transport mode in IPv4.

Fig. 5. ESP in tunnel mode in IPv4.

2 Research environment

This method is based on comparing the delays necessary for transferring a 500 MB file between server and client using different combinations of ciphers and hash functions. From these measurements, one combination of cipher and hash function is selected, and further measurements are performed with this combination. Firstly, the influence of the window size on the transmission delay is shown. Secondly, the effect of the buffer size setting on the transmission delay is measured. The last measurements examine how the transmission delay is influenced by the MSS (Maximum Segment Size) of the TCP packet.

The scheme of the research environment is shown in Fig. 6. It consists of a rackmount server, which is configured as a server by the Iperf program. A Cisco ASA 5505 firewall is connected to this server; the encryption, the hash function and the TCP MSS size are set on it. Two Cisco Catalyst 3550 switches, which simulate ISP (internet service provider) terminals, are also connected to the measuring environment. They reduce the maximum network speed to 10 Mbps to better match the average speed of an internet provider. On the opposite side of the research environment there is also a Cisco ASA 5505 firewall, which encrypts traffic on the client side.

Fig. 6. Research environment (MeDiMed server, Firewall ASA 5505, Switch Catalyst 3550, Network, Switch Catalyst 3550, Firewall ASA 5505, Client).

2.1 Parameters of used computers

Server: rackmount server, RedHat EL 5, Intel Xeon 2.8 GHz, 4 GB RAM, 80 GB SSD HDD, Iperf 2.0.5, rel. 1.el5

Client: Notebook HP-6730b, Win7 Prof.
SP1 v 2009 32b, Intel Core2 Duo CPU T9400 @ 2.53 GHz, 4 GB RAM, 60 GB HDD, Iperf 1.7.0, Jperf 2.0.2, Wireshark 1.6.7 (SVN Rev 41973 from /trunk-1.6)

2.2 Program Iperf and Jperf

This utility is a simple application that tests the throughput of the data link. The Jperf extension simplifies operation and parameter settings: instead of using text commands, the criteria can simply be entered in the graphical interface. On the server was
installed Iperf 2.0.5 rel. 1.el5. On the client PC, Iperf 1.7.0 and Jperf 2.0.2 were installed.

2.3 Application Wireshark

Wireshark is one of the most widely used protocol analyzers. It is used to analyze and debug problems in computer networks. The application was installed on the client PC to monitor network traffic. Wireshark was used to measure the transfer delay of the 500-megabyte file.

3 Measurement of a transmission speed

3.1 Comparing file transfer speed with different combinations of ciphers and hash functions

On both Cisco ASA 5505 firewalls, the encryption and hashing parameters for the transfer of the 500 MB file were set one after another. The results of these measurements are shown in Tab. 1 and Graph 1. Five types of encryption are compared, starting from the simplest and unreliable DES (Data Encryption Standard), through its improved version 3DES (Triple DES), to the currently most widely used symmetric block cipher AES (Advanced Encryption Standard) with 128, 192, and 256-bit keys. The chart also shows how the transfer rate depends on the combination of encryption and hash function. MD5 (Message-Digest) and SHA (Secure Hash Algorithm) were chosen as representatives of hash functions. For comparison, values measured without a hash function were also taken. The firewalls unfortunately do not allow transferring data without encryption and without hash at the same time.

The differences between the lowest and highest values within one hash function were very small, varying by a few kbps. The difference between the slowest transmission speed, with the combination of AES-256 encryption with SHA, and the highest transmission speed, with AES-256 without hash, was about 19 kbps, which corresponds to 1.7%. For this reason, one combination of parameters was selected and used for the additional measurements: AES-256 with the SHA hash.
This combination is currently the strongest commonly used solution in the transmission of sensitive medical information.

CRYPT     HASH      Speed [MBps]
DES       MD5       1.13221
3DES      MD5       1.13264
AES-128   MD5       1.12542
AES-192   MD5       1.12357
AES-256   MD5       1.12345
NONE      MD5       1.13596
DES       SHA       1.12960
3DES      SHA       1.12978
AES-128   SHA       1.12335
AES-192   SHA       1.12358
AES-256   SHA       1.12256
NONE      SHA       1.13575
DES       NO HASH   1.13930
3DES      NO HASH   1.14154
AES-128   NO HASH   1.13408
AES-192   NO HASH   1.13438
AES-256   NO HASH   1.14163
NONE      NO HASH   0

Tab. 1. File transfer speed of different combinations of ciphers and hash functions

Graph 1. File transfer speed of different combinations of ciphers and hash functions

3.2 Comparison of file transfer speeds with different window sizes

The transmission times for the 500 MB file, achieved by setting different window sizes of the TCP packet in Iperf, are recorded in Graph 2. We set up the AES-256 cipher and the SHA hash function. The size of the buffer was 2 megabytes. The chart shows that the highest speed was achieved with a window size of 64 kB.
Graph 2. File transfer speed with different window sizes

3.3 Comparison of file transfer speeds with different buffer sizes

Graph 3 shows the transmission speeds achieved when we set different TCP packet buffer sizes in the Iperf application. Again, we set up the AES-256 cipher and the SHA hash function. The highest transfer rates were achieved with a buffer size of 1 MB.

Graph 3. File transfer speed with different buffer sizes

3.4 Comparison of file transfer speeds with different TCP MSS sizes

To measure the effect of the MSS setting of the TCP packet, the following values were set up at the firewalls: buffer size 2 MB, window size 64 kB, AES with a 256-bit key, hash function SHA. Graph 4 shows how the data transfer rate increases with increasing MSS size.

Graph 4. File transfer rate of different MSS sizes

4 Conclusion

Optimizing the MTU can partially improve the utilization of the data link. We have studied the properties of TCP streams transported over an IPsec tunnel. Fine-tuning the TCP MSS according to the encryption algorithm used can improve the data throughput. As expected, a bigger TCP MSS offers better data throughput in general. This is because fewer data units (packets) are needed to transport the required amount of data. In the case of the AES-256 encryption algorithm, the best results were obtained when the TCP MSS is a multiple of 16 bytes. E.g. if the TCP MSS must be below 1400 bytes due to the properties of the transport technology used (e.g. ADSL), the best data transfer rate will be achieved by setting the TCP MSS to 1396 B. The gain of this TCP MSS optimization is about 1.5%. This does not seem to be much, but for lines with limited bandwidth (e.g. ADSL or 3G) even a small throughput improvement may be helpful.

Acknowledgements

This work is supported by the Czech Technology Agency fund, project number TA01010268 - "Maintenance-free PACS system for small and midsized healthcare institutions".
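The link between the TCP MSS and the cipher block size discussed in Sections 1.2, 1.3 and 4 can be made concrete with a small calculator, added here as an example that is not part of the original paper. It assumes ESP in tunnel mode with AES-CBC (16-byte IV), a 12-byte HMAC-SHA-1-96 authentication field, IPv4 and TCP headers without options, and no NAT traversal; the function names are illustrative.

```python
"""ESP tunnel-mode size calculator (added example; constants are assumptions)."""

AES_BLOCK = 16      # AES block size in bytes (FIPS 197)
OUTER_IP = 20       # new IPv4 header added in tunnel mode, no options
ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_IV = 16         # assumption: AES-CBC, one block of IV per packet
ESP_TRAILER = 2     # pad length (1) + next header (1)
ESP_ICV = 12        # assumption: HMAC-SHA-1-96 authentication data


def esp_tunnel_packet(mss, ip_header=20, tcp_header=20):
    """Return the sizes of one full TCP segment after ESP tunnel encapsulation."""
    inner = mss + ip_header + tcp_header          # original IP datagram
    # Payload + padding + trailer must fill whole cipher blocks.
    padding = -(inner + ESP_TRAILER) % AES_BLOCK
    encrypted = inner + padding + ESP_TRAILER
    total = OUTER_IP + ESP_HEADER + ESP_IV + encrypted + ESP_ICV
    return {"inner": inner, "padding": padding, "total": total,
            "efficiency": mss / total}


def largest_unfragmented_mss(mtu, ip_header=20, tcp_header=20):
    """Largest MSS whose ESP packet still fits into the path MTU."""
    room = mtu - (OUTER_IP + ESP_HEADER + ESP_IV + ESP_ICV)
    encrypted = room - room % AES_BLOCK           # whole blocks only
    return encrypted - ESP_TRAILER - ip_header - tcp_header


if __name__ == "__main__":
    # Constructed sample values: Ethernet default, the paper's 1396 B, neighbours.
    for mss in (1460, 1398, 1396, 1382, 1380):
        p = esp_tunnel_packet(mss)
        fits = "fits" if p["total"] <= 1500 else "fragments"
        print(f"MSS {mss}: pad {p['padding']:2d} B, on wire {p['total']} B "
              f"({fits} at MTU 1500), efficiency {p['efficiency']:.4f}")
    print("largest MSS for MTU 1500:", largest_unfragmented_mss(1500))
```

Because the encrypted part grows only in whole 16-byte blocks, the on-wire size steps rather than rising byte by byte with the MSS, and an unadjusted Ethernet MSS of 1460 bytes no longer fits a 1500-byte MTU once the tunnel overhead is added.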
References:

[1] SLAVÍČEK, K., JAVORNÍK, M., DOSTÁL, O., Extension of the Shared Regional PACS Center MeDiMed to Smaller Healthcare Institutions. In The Eleventh International Conference on Networks. Saint Gilles, Reunion Island: IARIA, 2012. ISBN 978-1-61208-183-0, pp. 83-87. 2012, Saint Gilles, Reunion Island.
[2] JAVORNÍK, M., DOSTÁL, O., SLAVÍČEK, K., Regional Medical Imaging System. World Academy of Science, Engineering and Technology, France. ISSN 2010-376X, 2011, vol. 7, no. 79, pp. 389-393.
[3] SLAVÍČEK, K., DOSTÁL, O., JAVORNÍK, M., DRDLA, M., MEDIMED - Regional Centre for Medicine Image Processing. In Knowledge Discovery and Data Mining. Published. 2010. USA: IEEE Computer Society, 2010. ISBN 978-0-7695-3923-2, pp. 310-313. 2010, Phuket, Thailand.
[4] SLAVÍČEK, K., JAVORNÍK, M., DOSTÁL, O., Redundancy in Processing of Medical Image. In Fourth International Conference on Computer Sciences and Convergence Information Technology. Seoul, Korea: IEEE Computer Society Conference Publishing Services, 2009. ISBN 978-1-4244-5244-6, pp. 519-523.
[5] SLAVÍČEK, K., NOVÁK, V., Introduction of Alien Wavelength into Cesnet DWDM Backbone. In Sixth International Conference on Information, Communications and Signal Processing. Singapore: IEEE, 2007. ISBN 978-1-4244-0982-2, pp. 977-981. Singapore.
[6] SLAVÍČEK, K., Maximum Frame Size in Large Layer 2 Networks. Lecture Notes in Computer Science, Germany. ISSN 0302-9743, 2007, vol. 4712, no. 1, pp. 409-418.
[7] DOSTÁL, O., SLAVÍČEK, K., Wireless Technology in Medicine Applications. In Personal Wireless Communications. Published. 2007. Praha: Springer Verlag, 2007. ISBN 978-0-387-74158-1, pp. 316-324. 2007, Praha.
[8] DOSTÁL, O., SLAVÍČEK, K., JAVORNÍK, M., PKI Utilisation for PACS Users Authentication. In ICN 2006. Mauritius: IEEE Computer Society, 2006. ISBN 0-7695-2552-0, pp. 151-156. 2006, Mauritius.
[9] DOSTÁL, O., JAVORNÍK, M., SLAVÍČEK, K., PETRENKO, M., MEDIMED - Regional Centre for Archiving and Interhospital Exchange of Medicine Multimedia. In Proceedings of the Second IASTED International Conference on Communications, Internet, and Information Technology. Scottsdale, Arizona, USA: International Association of Science and Technology for Development - IASTED, 2003. ISBN 0-88986-398-9, pp. 609-614. 2003, Scottsdale, Arizona, USA.
[10] RFC 4302, IP Authentication Header. BBN Technologies, December 2005. The Internet Society.
[11] PUŽMANOVÁ, R., TCP/IP v kostce. 2nd ed. České Budějovice: KOPP, 2009. ISBN 978-80-7232-388-3.
[12] Federal Information Processing Standards Publication (FIPS 197). Advanced Encryption Standard (AES), 2001.