Subscribe to RSS Add to Technorati Faves Digg This Page Send to Stumble Upon Bookmark on Delicious

Transport Layer Security - a novel approach

posted by Cheryl Miller on October 19, 2009

Transport Layer Security (TLS) is widely used in Secure Internet communication, especially for securing Web / HTTP traffic. TLS is a replacement for the Secure Sockets Layer (SSL) protocol, which provides similar protections. TLS provides cryptographic services to application traffic payloads in the form of data authenticity and optionally data confidentiality. Each pairwise (P2P) secure session maintains independent cryptographic state for that session, which can aggregate to a large amount of state held on TLS terminators / servers, when millions of TLS connections are terminating at the same destination or domain (e.g. ecommerce / banks / eBay /etc.). Furthermore because TLS operates at the application layer, all cryptographic operations are performed on large application buffers, which require reassembly of all network packet fragments before operating on that buffer. This results in the need to provision expensive TLS aggregators at the front of each domain providing secure web communications and the solution does not scale well with increase in demand.

In this video, researchers from Intel Labs demonstrate a novel approach for providing a cryptographic scale free TLS solution, which can scale with increase demand. This is achieved by using a cryptographic key derivation technique, where using a ‘master key’ and some identifiers located in the packet, we can dynamically compute unique session keys on a per packet basis, instead of storing individual session keys for each and every session. The technique essentially trades compute for storage, thus allowing a larger number of TLS connections to be supported to a given server / domain. Furthermore, by providing the cryptographic operations on a per-network-packet basis (instead of operating on application payload buffers), it allows early validation of data integrity, allowing bad packets to be rejected without having to wait until the application buffer is reconstructed and applying the crypto operations / buffer validation at a later stage of the network pipeline.

Comments (0)
del.icio.us StumbleUpon Digg It
tagged: , , , ,

Post Your Comment





Comment Policy: We welcome your comments, however all comments are moderated. Offensive, off-topic or fraudulent comments will be deleted and not displayed. By submitting a comment to an Intel Blog, you agree to our legal information and privacy policy terms, including having your name displayed with your comment and that you are 13 years old or older. Your name and personal information will not be used for any other purpose, and your e-mail address will not be published.

Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, and do not necessarily reflect the views of Intel. All Intel names and trademarks are the property of Intel Corporation or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.