Cryptology ePrint Archive: Report 2005/037

Improving Secure Server Performance by Re-balancing SSL/TLS Handshakes

Claude Castelluccia and Einar Mykletun and Gene Tsudik

Abstract: Much of today's distributed computing takes place in a client/server model. Despite advances in fault tolerance -- in particular, replication and load distribution -- server overload remains to be a major problem. In the Web context, one of the main overload factors is the direct consequence of expensive Public Key operations performed by servers as part of each SSL handshake. Since most SSL-enabled servers use RSA, the burden of performing many costly decryption operations can be very detrimental to server performance. This paper examines a promising technique for re-balancing RSA-based client/server handshakes. This technique facilitates more favorable load distribution by requiring clients to perform more work (as part of encryption) and servers to perform commensurately less work, thus resulting in better SSL throughput. Proposed techniques are based on careful adaptation of variants of Server-Aided RSA originally constructed by Matsumoto, et al. Experimental results demonstrate that suggested methods (termed Client-Aided RSA) can speed up processing by a factor of between 11 to 19, depending on the RSA key size. This represents a considerable improvement. Furthermore, proposed techniques can be a useful companion tool for SSL Client Puzzles in defense against DoS and DDoS attacks.

Category / Keywords: public-key cryptography / SSL, RSA, Client-aided

Publication Info: In submission

Date: received 10 Feb 2005, last revised 8 Apr 2005

Contact author: mykletun at ics uci edu

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Note: Contrary to ``popular belief'', our proposed solution is not subject to the meet-in-the-middle attack proposed during private communication with David Wagner.

Version: 20050415:054857 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]