Secure channel establishment in disadvantaged networks: optimizing TLS using intercepting proxies
October 31, 2010
Transport Layer Security (TLS) is a secure communication protocol that is used in many secure electronic applications. In order to establish a TLS connection, a client and server engage in a handshake, which usually involves the transmission of digital certificates. In this paper we present a practical speedup of TLS handshakes over bandwidth-constrained, high-latency (i .e. disadvantaged) links by reducing the communication overhead associated with the transmission of digital certificates. This speedup is achieved by deploying two specialized TLS proxies across such links. Working in tandem, one proxy replaces certificate data in packets being sent across the disadvantaged link with a short reference, while the proxy on the other side of the link restores the certificate data in the packet. Local or remote caches supply the certificate data. Our solution preserves the end-to-end security of TLS and is designed to be transparent to third-party applications, and will thus facilitate rapid deployment by removing the need to modify existing installations of TLS clients and TLS servers. Testing shows that this technique can reduce the overall bandwidth used during a handshake by 50% in test emulation and by over 20% of TLS session volume in practice. In addition, it can reduce the time required to establish a secure channel by over 40% across Iridium, a widely used satellite link in practice.