
= MSMQ overhead when you use message security features =

Article ID: 256630

Article Last Modified on 2/23/2007


APPLIES TO


 * Microsoft Message Queuing 3.0
 * Microsoft Message Queuing 2.0
 * Microsoft Message Queue Server 1.0




This article was previously published under Q256630



SUMMARY
When you use the Microsoft Message Queue (MSMQ) security features with an MSMQ Message, additional overhead is added to both the message size and the processing of the message.



MORE INFORMATION
Note: You may want to consider the benefits of using Message Queuing security features before you consider the overhead that these features add. The benefits of using Message Queuing security features include the following:
 * Message authentication guarantees that no one has tampered with the message or changed its content.
 * Message encryption guarantees that the body of the message is kept encrypted from the moment it leaves the source queue manager to the moment it reaches its destination queue manager.
 * Security descriptors guarantee that only authorized users can perform such actions as creating, deleting, and opening queues. (Users must perform these actions when they send messages to or read messages from queues.)
 * With auditing services, you can audit access operations for the queues in your Message Queuing enterprise.
 * Hardened Message Queuing mode enhances the security of Message Queuing 3.0 computers that are running on the Internet by supporting scenarios that use only HTTP (SRMP) messages.

For more information about Message Queuing security services, visit the following Microsoft Developer Network (MSDN) Web site:

http://windowssdk.msdn.microsoft.com/en-us/library/ms705295.aspx

When you add security to an MSMQ Message, the result is a larger message size. The following list describes several security features and the overhead that each adds.
 * When you send authenticated messages, the signature and certificate are added to the message. The signature adds several tens of bytes in size to the message. An internal MSMQ certificate is approximately 500 bytes in size, while an external certificate is at least 1 kilobyte (K) in size. The minimal overhead for an authenticated message is approximately 600 bytes.
 * When you send encrypted messages, the encrypted session key is added to the packet. This encrypted session key is 70 bytes in size.
 * The security identifier (SID), usually 70 bytes or less in size, is included in the message packet, unless you specify that the PROPID_M_SENDERID_TYPE property has the value MQMSG_SENDERID_TYPE_NONE. The SID is not included in the message packet if you are in Workgroup mode (Workgroup mode is only available in MSMQ 2.0).
 * When you specify the provider of authentication (PROPID_M_PROV_NAME), you add size to the message. By default, authentication uses the 40-bit Microsoft base crypto provider. You can change this, if you use a corresponding certificate that supports the provider, by supplying the PROPID_M_PROV_NAME property. (This is a string that is usually ten characters in length.)

The following are additional considerations when you use encryption and authentication in MSMQ:
 * Both the encryption and the authentication operations are CPU intensive. When you send transactional or recoverable messages, the disk input/output (I/O) is the primary bottleneck; the CPU overhead is not an issue in this situation.
 * On the sending computer, the overhead of authenticating a message delays the act of sending a message. The encryption is done by the MSMQ service on the sending computer, while the authentication is done by the sending application.
 * The receiving Queue Manager (QM) always incurs the performance overhead on the receiving computer. The receiving QM accepts the message, and then both validates the signature for authenticated messages and decrypts any encrypted messages. The message is then stored in clear text in the target queue. MQReceiveMessage does not take longer for such a message; it only takes longer for the message to appear in the queue when it is received by the MSMQ service from the network.
 * Both authentication and encryption access the MSMQ Directory Service (DS) at some point. Any problems with slow or overloaded DS servers may add to the overhead.
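
One way to observe the sender-side cost described above is to time a batch of sends for each security setting. This is an added example, not code from the original article; it uses the .NET System.Messaging wrapper rather than the PROPID_M_* properties directly. Assumptions: Windows PowerShell 5.1, a domain-joined MSMQ installation with directory service integration, and an existing non-transactional queue at the placeholder path `SERVER01\overhead-test`.

```powershell
# Added example: time Send() for each MSMQ security setting.
Add-Type -AssemblyName System.Messaging

$queuePath = 'SERVER01\overhead-test'   # placeholder public queue path (assumption)
$count     = 500                         # messages per case (constructed value)
$body      = 'x' * 1024                  # constructed 1 KB test body

# Each case toggles a feature discussed in the article:
#   UseAuthentication -> signature and certificate added, signed by the sending application
#   UseEncryption     -> encrypted session key added, body encrypted by the MSMQ service
#   AttachSenderId    -> SID included ($false corresponds to MQMSG_SENDERID_TYPE_NONE)
$cases = @(
    @{ Name = 'plain, no SID';  Auth = $false; Enc = $false; Sid = $false },
    @{ Name = 'plain, SID';     Auth = $false; Enc = $false; Sid = $true  },
    @{ Name = 'authenticated';  Auth = $true;  Enc = $false; Sid = $true  },
    @{ Name = 'encrypted';      Auth = $false; Enc = $true;  Sid = $true  },
    @{ Name = 'auth+encrypted'; Auth = $true;  Enc = $true;  Sid = $true  }
)

$queue = New-Object System.Messaging.MessageQueue($queuePath)
try {
    $results = foreach ($case in $cases) {
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        for ($i = 0; $i -lt $count; $i++) {
            $msg = New-Object System.Messaging.Message
            # Messages are express (Recoverable = $false) by default, so disk I/O
            # does not mask the CPU cost of signing.
            $msg.Body              = $body
            $msg.Label             = $case.Name
            $msg.UseAuthentication = $case.Auth
            $msg.UseEncryption     = $case.Enc
            $msg.AttachSenderId    = $case.Sid
            try { $queue.Send($msg) } finally { $msg.Dispose() }
        }
        $timer.Stop()
        [pscustomobject]@{
            Case         = $case.Name
            Messages     = $count
            TotalMs      = $timer.ElapsedMilliseconds
            MsPerMessage = [math]::Round($timer.Elapsed.TotalMilliseconds / $count, 3)
        }
    }
    $results | Format-Table -AutoSize
}
finally {
    $queue.Dispose()
}
```

The Send() timing captures the signing work done in the sending application; encryption by the MSMQ service and validation or decryption by the receiving QM show up instead as a delay before the message appears in the destination queue.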

