In the consulting work I’ve been doing for Simplified Logic, they’ve had me working on a new Encryption-only version of Nitro-LM for Flex and AIR. In the past year, they’ve had a number of customers who say something like, “The licensing and everything is really cool, but I’ve already coded my own simple username/password system and I really would just like to encrypt my application.”

For the past few months, I’ve been working on a solution for this. Instead of being username/password based for authentication like Nitro-LM is, I’ve stripped down the API to a 52 KB SWC file that uses key-based authentication. If you request a decryption key from the server, as long as you encrypt that request using your application’s public key (embedded in your SWF), then you’re good to go.

Having a solution for this brings about some interesting potential problems for Nitro-LM. First off, applications using this encryption-only solution will likely have a MUCH larger install base than a licensed application. For example, games, websites, and other small things where licensing isn’t really needed could be a candidate for the encryption-only solution. These types of applications also have a higher potential for going viral and slamming the Nitro-LM servers with tons of traffic.

To prepare for this potential onslaught of traffic, I did a couple of things. First, the encryption-only client SWC will cache the decryption key in a secure format for 30 days without hitting the server again. The other thing was to push out a trimmed down server instance to the SLI cloud. The encryption-only solution will push the traffic through the cloud first so it can take the brunt of the load.

To test this high-volume scenario, I set up a worst-case scenario test script through BrowserMob. They’re a great company that allows you to define and schedule load tests over the Internet. Patrick from BrowserMob was very responsive to my needs and even added a special API call that would allow me to do binary data POSTs from the service. I wanted to really stress our cloud to see what would happen if someone using our encryption service went totally viral. At the high end, I was pushing through around 400 transactions per second before the cloud provider shut off my application. My guess is that it looked like a denial-of-service attack, since I was sending many identical transactions from the BrowserMob servers.

In any case, I believe the test was very successful. The new Nitro-LM service should be able to handle over 700 million transactions per month as a conservative estimate based on this testing (300 tx/sec over 30 days). I hope to be able to show some of this new Encryption-only stuff in my 360|Flex presentation. Register soon for 360|Flex; I’ve heard they’re filling up quickly.

Posted by Andrew, filed under 360 Flex, Flex, security. Date: May 1, 2009, 3:30 pm | No Comments »