Performance and Security Aspects of Client-Side SSL/TLS Processing on Mobile Devices

  • Johann Großschädl
  • Ilya Kizhvatov
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6467)


The SSL/TLS protocol is the de facto standard for secure Internet communications and is supported by virtually all modern e-mail clients and Web browsers. With more and more PDAs and cell phones providing wireless e-mail and Web access, there is an increasing demand for establishing secure SSL/TLS connections on devices that are relatively constrained in terms of computational resources. In addition, the cryptographic primitives executed on the client side need to be protected against side-channel analysis since, for example, an attacker may be able to monitor electromagnetic emanations from a mobile device. Using an RSA-based cipher suite has the advantage that all modular exponentiations on the client side are carried out with public exponents, which is unproblematic with respect to both performance and side-channel leakage. However, the current migration to AES-equivalent security levels makes a good case for using an Elliptic Curve Cryptography (ECC)-based cipher suite. We show in this paper that, for high security levels, ECC-based cipher suites outperform their RSA counterparts on the client side, even though they require the integration of diverse countermeasures against side-channel attacks. Furthermore, we propose a new countermeasure to protect the symmetric encryption of messages (i.e. “bulk data”) against Differential Power Analysis (DPA) attacks. This new countermeasure, which we call Inter-Block Shuffling (IBS), is based on an “interleaved” encryption of a number of data blocks using a non-feedback mode of operation (such as counter mode), and randomizes the order in which the individual rounds of the individual blocks are executed. Our experimental results indicate that IBS is a viable countermeasure as it provides good DPA protection at the expense of a slight degradation in performance.
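The Inter-Block Shuffling idea sketched in the abstract, as an added illustration that is not the paper's own code: a constructed 64-bit toy round function stands in for an AES round, the round keys come from a constructed derivation, and the interleaving order is drawn from the OS CSPRNG via `secrets`. Because counter mode has no feedback between blocks, the shuffled schedule must produce exactly the keystream of the sequential computation, which the reference function makes checkable; a feedback mode such as CBC could not be scheduled this way.

```python
import secrets
from typing import List, Tuple

ROUNDS = 10   # rounds per block (AES-128 has 10)
MASK64 = (1 << 64) - 1

def toy_round(state: int, round_key: int) -> int:
    # Constructed 64-bit ARX-style round standing in for an AES round.
    state = (state + round_key) & MASK64
    state = ((state << 13) | (state >> 51)) & MASK64
    return state ^ (((state >> 7) | (state << 57)) & MASK64)

def expand_key(key: int) -> List[int]:
    # Constructed round-key derivation; not a real key schedule.
    return [(key * (r + 1) + 0x9E3779B97F4A7C15 * r) & MASK64 for r in range(ROUNDS)]

def ctr_keystream_sequential(key: int, nonce: int, n_blocks: int) -> List[int]:
    # Reference: all rounds of block i complete before block i+1 starts.
    rks = expand_key(key)
    out = []
    for i in range(n_blocks):
        s = (nonce + i) & MASK64
        for rk in rks:
            s = toy_round(s, rk)
        out.append(s)
    return out

def ctr_keystream_ibs(key, nonce, n_blocks) -> Tuple[List[int], List[Tuple[int, int]]]:
    # Inter-Block Shuffling: the n_blocks counter blocks advance round by round in a
    # randomly interleaved order; each block still sees its own rounds in sequence.
    rks = expand_key(key)
    states = [(nonce + i) & MASK64 for i in range(n_blocks)]
    progress = [0] * n_blocks          # rounds completed per block
    pending = list(range(n_blocks))    # blocks with rounds left to run
    schedule = []                      # (block, round) in execution order
    while pending:
        j = secrets.randbelow(len(pending))   # CSPRNG picks the next block
        b = pending[j]
        schedule.append((b, progress[b]))
        states[b] = toy_round(states[b], rks[progress[b]])
        progress[b] += 1
        if progress[b] == ROUNDS:
            pending.pop(j)
    return states, schedule

def ctr_crypt_ibs(key: int, nonce: int, data: bytes) -> bytes:
    # CTR encryption and decryption are the same XOR with the IBS keystream.
    keystream, _ = ctr_keystream_ibs(key, nonce, (len(data) + 7) // 8)
    ks_bytes = b"".join(k.to_bytes(8, "big") for k in keystream)
    return bytes(d ^ k for d, k in zip(data, ks_bytes))
```

The returned schedule records which (block, round) pair ran at each step, which is what a DPA evaluation would inspect to confirm that the per-block round order is preserved while the global order varies between runs.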


Keywords (machine-generated, not supplied by the authors): Block Cipher, Elliptic Curve Cryptography, Secure Socket Layer, Transport Layer Security, Handshake Protocol





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Johann Großschädl (1)
  • Ilya Kizhvatov (1)

  1. Laboratory of Algorithmics, Cryptology and Security (LACS), University of Luxembourg, Luxembourg, Luxembourg
