W. David Shambroom, Ph.D.
Senior Technologist
GTE Laboratories Incorporated
E-mail: DShambroom@gte.com
Phone: (781) 466-2584
Fax: (781) 466-3339
PGP key: 1024/09CC2121 fingerprint=68A47DA6FF484189 97B5B4C8DFF8B443

"Performance Impact of a CORBA Security Implementation Using SSL and Interceptors"

We have developed software components to provide authentication and authorization services for some of our custom-built client-server CORBA applications. Clients access server object implementations through a gateway system. Connections between clients and the gateway employ the SSL V3 protocol with bi-directional authentication (server-to-client and client-to-server) using X.509 digital certificates and associated private keys. Interceptors installed in the gateway use the client's X.500 distinguished name associated with the authenticated connection to make authorization decisions for each CORBA request message, at the module/interface/operation level of granularity.

In order to measure the computational overhead that this system imposes on a supported distributed application, a carefully designed series of measurements was made in a controlled environment. For each distinct component involved in providing the security services (the gateway, the encryption and decryption engines used by the SSL record layer protocol, and the interceptors), the overhead per message and per kilobyte of application data traffic was isolated. We will describe the measurement and data analysis methodologies in detail, present the results, and show how these results can be used to estimate maximum traffic-handling capacity in a given deployment configuration.

(In the course of this investigation we discovered that certain network software configurations can result in drastically reduced performance. We will describe the underlying cause of this problem and the necessary conditions for its avoidance.)
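
The per-request authorization decision described in the abstract above (authenticated distinguished name checked against the module/interface/operation being invoked) can be sketched as a default-deny lookup. This is an added example, not the authors' software: the policy layout, the `*` wildcard convention, the function names and the sample DNs are all assumptions constructed for illustration.

```python
# Added illustration: policy layout, names and DNs are constructed assumptions.
POLICY = {
    "cn=alice example,ou=billing,o=example corp,c=us": {
        ("Billing", "*", "*"),                # every operation in the module
        ("Inventory", "Catalog", "lookup"),   # a single operation
    },
    "cn=bob example,ou=ops,o=example corp,c=us": {
        ("Inventory", "Catalog", "*"),        # every operation on one interface
    },
}


def normalize_dn(dn):
    """Canonicalise a comma-separated DN string so that spacing and case
    differences do not change the lookup key. Simplification: RDN values
    containing escaped commas are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(parts)


def authorize(peer_dn, scoped_interface, operation):
    """Default-deny decision for one request.

    peer_dn          -- DN taken from the authenticated SSL connection, or None
    scoped_interface -- IDL scoped name such as "Billing::Account"
    operation        -- operation name carried in the request
    """
    if not peer_dn:
        return False                          # no authenticated client identity
    module, sep, interface = scoped_interface.rpartition("::")
    if not sep:
        return False                          # target is not module-qualified
    target = (module, interface, operation)
    grants = POLICY.get(normalize_dn(peer_dn), ())
    return any(all(g in ("*", t) for g, t in zip(grant, target))
               for grant in grants)


if __name__ == "__main__":
    alice = "CN=Alice Example, OU=Billing, O=Example Corp, C=US"
    for iface, op in [("Billing::Account", "debit"),
                      ("Inventory::Catalog", "lookup"),
                      ("Inventory::Catalog", "update")]:
        print(iface, op, authorize(alice, iface, op))
```

The identity passed to `authorize` must come from the authenticated connection itself, never from a field in the request message, and an unknown DN or an unqualified target falls through to deny.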