Peter,

Yes, of course. I will find the Kerberos / PKI comparison documents on Internet and post the URLs for all to see.

Cheers,

Tim

>

> Tim, 
> 
> could you please support your claims regarding Kerberos vs. X.509 performance with any data?
> 
> Peter

In past years I have seen many documents which compare these mechanisms, and I cannot find them all, but just did a quick search using google and found some which may be of interest:

If you look at http://www.netmode.ntua.gr/papers/amoral/PID383108.pdf you will see a performance comparison, and Kerberos is showing a 28% packet throughput improvement when compared with x.509. As described in the conclusions section, this is mostly due to use of symmetric algorithm usage.

In the document at http://workshop.openafs.org/afsbpw06/talks/kouril.pdf it says Perforance as the biggest difference between Kerberos and PKI. There are no %ages mention in this document.

In the document at http://www.netmode.ntua.gr/papers/amoral/Ingrid_2007.pdf it says "...symmetric Key Cryptography approach has lower computational complexity than Public Key Cryptography. Therefore, it allows the overall service to offer lower response time and better performance compared to alternative Public Key Cryptography approaches. This performance improvement reflects to our measurements and shows clear advantage in overloaded servers"

So, hopefully you will see that there are many places on Internet where it is clear that Kerberos is able to perform better than x.509 / pki mechanisms, mainly due to use of only symmetric cryptography, whereas pki / x.509 requires use of asymmetric cryptography, which is not so goood when performance is needed.

About 10 years ago I found a reference to a report where somebody claimed that asymmetric crypto is hundreds ot times less efficient than symmetric, but I cannot find that reference with the limited searching I have just done.

If you search yourself you will find many referneces to performance comparisons and make your own judgements. I don't think it is necessary to discuss the differences in this forum, as the differences in the crypto performance are clearly well known.

Thanks,

Tim

Kan,

I think my s-user id has changed, which is why you had problems earlier.

Anyway, you say you are using the SAP SNC library - which one ? e.g. what is the name of the library ?

Thanks,

Tim

Michael,

You make a good point, which is true if we are just comparing the network traffic encryption aspect, but when SNC is used (e.g. there is also "mutual authentication" and "data integrity" and the authentication requires asymmetric key exchange, which I beleive is done using diffie helman when x.509 is used ? The initial exchange between client and server (e.g. SAP server) also requires asymmetric key crypto in order to get the symmetric key from client to server so the client and server are using the same symmetric key to encrypt/decrypt the network traffic. This additional asymmetric processing adds a not insignificant overhead, which is why the x.509 mech is not as good from a performance point of view, compared to Kerberos which is 100% symmetric key based.

I hope this helps ?

Thanks,

Tim

>

> Ken,
> 
> if you plan to use SAPcryptlib for SNC between SAP servers, then you should use a SAPcryptolib-compatible solution for the SNC communication between SAPGUI and SAP server, and there is only one vendor who can provide this. Let me know, if you need help finding it. My contact information is in my SDN business card.
Just so Kan is clear - It is not legal to use the SAP cryptolib provided by SAP for SNC between SAP GUI and SAP servers, so if x.509 is the desired mechanism you need to purchase additional software from the company which Peter works for to provide SAP GUI SNC-based SSO. I think instead, Kan might be using the free SAP supplied SNC Kerberos library, which is why I asked him to confirm this in my last post. I doubt he is interested to buy any third party software.
 
> As to the performance discussion: first of all, yes, there will be a small performance impact if SNC is used (no matter which type or implementation), but from our experience with many actual SNC implementations, I can state that this is practically not relevant. It is not noticeable by users. There were never any performance discussions with customers. See also SAP Note 1043694.
I agree with this - the performance impact is not noticed by users, but the system managers who look after the servers where SAP is installed, and the team responsible for the network need to be aware of any differences (if any) when SNC is turned on and when SNC is turned off. I think this is why Kan is asking these questions, not because he is concerned about users noticing any difference when they logon to SAP.
> Just a first quick comment on certain statements above: Tim's arguments for proving his overall statement are not conclusive from my perspective. Nor do I think his overall statement itself is correct.
The facts I mentioned are well known facts, e.g. symmetric crypto is far better from performance point of view than asymmetric. I know the examples I have shown which I found when doing a quick google search were not conclusive, but they were shown as initial examples, not necessarily the best examples. This is why I specifically mentioned that if you search in google yourself you will see many more references where comparisons are done between Kerberos (e.g. symmatric) compared with PKI (e.g. asymmetric).
> First of all, he only selects one aspect of performance - CPU impact of encryption algorithms. 
No, I didn't. Some of the examples I referred to also discuss other differences. I also mentioend other differences such as memory and what protection level is used when configuring SNC.
> But for a true comparison, you'd have to look at all relevant aspects (latency, network overhead, ...). 
Yes, I agree. No doubts here.
>Network performance overhead is usuallly worse with Kerberos than with PKI. 
This is not true. When SAP is using SNC, the GSS-API standard is used and so the only network communication involves SAP software sending a standard GSS token from the workstation to the SAP server, and this GSS token is often about the same size, regardless of which mechanism is used, so any network performance differences are not related to the mechanism, but more related to the complexity of the cryptography used on each end (mostly on the server side).
>Second, you need to look at the specific usage scenario. For example, the first report referenced by Tim is an analysis about different Token Profile mechanism for WS Security, for one specific implementation. This does not allow to draw any conclusion for the SNC use case in general, and for sure not for a specific implemenation. It does not take the overhead for the encryption of the message content into account. Third, Tim associates PKI exclusively with asymmetric encryption. Yes, it is well known that asymmetric algorithms are slower than symmetric ones, but it is also well known that the encryption of the message content (by far the majority of the data) happens with symmetric encryption algorithms in the PKI scenario. With PKI-based SNC, you can even select a symmetric algorithm and use a more performant one that the ones that Kerberos prescribes. 
Kerberos works with many different symmetric algorithms as well, so mentioning that the alg is selectable is not relavent to any comparison.
> To summarize, I will try and collect facts that will support the opposite point of view. From our practical experience, the performance overhead is not relevant, and criteria like consistency with SAPcryptolib, strength of security, ease of administration, choice of authentication and encryption mechanism, etc. are much more important.
> 
> Peter

Kan,

Sorry for any confusion.

There are two SNC libraries available from SAP, and summarised below:

1. A SAP Cryptolib is used for SNC between SAP servers. This library is a library which uses x.509 / PKI mechanism for securing the connection. This library is free and available on all platforms, but it is NOT LEGAL to use this library for SAP GUI -> SAP SNC security. If you want to use same technology as used by this library you need to contact the company Peter works for to buy their product.

2. If your SAP server is running on Windows Server, there is an SNC library provided by SAP (and free) which uses Kerberos protocol. This works well if you are using Microsoft Active Directory because Active Directory also uses Kerberos to authenticate a user when they logon to the domain - it uses the fact they have already authenticated at workstation to provide Secure SSO to SAP application server.

3. If your SAP server is running on UNIX or Linux and you are looking for a solution similar to the free library mentioned in 2 (above) then you need to buy a SNC SAP certified product from a SAP partner that uses Kerberos protocol. You can find complete list of vendors who provide SNC libraries by looking at http://www.sap.com/eapcatalog and searching for Kerberos SNC in the search box provided.

I hope this clears up any confusion and helps you with your needs.

I must admit I was thinking you were already using an SNC library. If I had known you were not using one at moment I would have given different answer when I first posted to this thread.

Thanks,

Tim

>

> Ken,
> 
> Tim mentioned that you could use a pure Windows Kerberos solution without involving any third party software if both your SAP servers and all user workstations run Windows/AD. Although correct you should be aware of the fact that the current Kerberos implementation of Microsoft supports DES-56 as its "strongest" algorithm.
> 
> If you intention is to protect data in transit I strongly recommend not using DES because it's weak and can be cracked relatively easy. I recommend AES-128/256 and I guess Tim would agree.
> 
> best regards
> 
> Michael

This is NOT TRUE. The default encryption used by Active Directory on Windows Server 2003 and also on Windows 2000 is RC4. To be precise it is using a cipher suite known as RC4-HMAC-MD5 and most modern Kerberos implementations use this encryption key type, which is 128-bit, and is not DES-56 as you suggest.

The fact is that if you are using the SAP Kerberos library (if SAP server is on Windows) or if you are using a third-party SNC library to support SAP on UNIX or Linux, the encryption will likely be minimum of 128-bt RC4, and possibly AES-256 if Windows Server 2008 is used to host Active Directory domain.

If Active Directory on Windows Server 2008 is used, AES-128/256 can be used for the authentication keys and encryption of network communications.

Thanks,

Tim

Michael,

We could spend many days/weeks/months discussing the differences, and arguing the minor details, but I don't think that is good use of our valuable time, or good use of this SDN forum

I know that the SAP Cryptolib supports AES and this is considered the preferred alg for encryption from performance point of view and also from a security point of view. I made it clear in my last post that Kerberos also supports AES, and this is for the same reasons, and NOT just DES-56 as you suggested was the case. It is also the case the RC4 is widely used in Active Directory deployments because Active Directory on Windows Server 2003 uses RC4 for authentication purposes, and it is considered secure - perhaps not as secure as AES, but still secure and MUCH better than DES-56.

This is my last post on this matter since I think we are in danger of confusing Kan (his name is not Ken) and not adding any more value. It is clear that he wanted to know if when chosing an SNC solution if performance was important, and I think we have colectively given him that information.

Thanks again,

Tim