Skip to main content
SpringerLink
Log in

Optimizing TLS for Low Bandwidth Environments

  • Conference paper
  • First Online:
Foundations and Practice of Security (FPS 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8930))

Included in the following conference series:

Abstract

This paper explores alternatives to minimize the overhead of Transport Layer Security (TLS) towards making it usable in bandwidth-constrained environments. Several areas are identified where overhead can be reduced while remaining fully compatible with standard Transport Layer Security. The most relevant one consists of moving to Elliptic Curve Cryptography (ECC) from RSA in the certificates, which reduces the overhead of the TLS handshake between 22 % and 60 % depending on the chosen security level.

We also propose two TLS extensions that further reduce the size of the handshake: using a more compact certificate format and certificate caching. Using compact certificates instead of ECC based X.509 certificates reduces the overhead of the handshake between 11 % and 20 % depending on the security level. Using certificate caching avoids exchanging certificates more than once irrespective of the number of times that the handshake is performed.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Note that in the case of Table 2a and b, the signature of the certificate uses a key of the size indicated in the first column of the next row. In Table 3a that is not the case. Particularly, the key of the certificate and the one used to sign the certificate have the same size because the whole CVC chain is expected to use the same curve.

  2. 2.

    Unless the Pre-Shared Keys (PSK) extension is used, cf. Sect. 4.

  3. 3.

    The last two used in conjunction with Digital Signature Standard (DSS) [22].

  4. 4.

    Strictly speaking, the ChangeCipherSpec is not a message but a protocol. However, for the purposes of this description, it can be seen a message sent during the handshake.

References

  1. Apache: Apache Module mod_ssl, January 2014. http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

  2. Barisani, A., Bianco, D., Laurie, A., Franken, Z.: Chip & PIN is definitely broken. In: Presentation at CanSecWest Applied Security Conference, Vancouver 2011 (2011). Slides available at http://dev.inversepath.com/download/emv/emv_2011.pdf

  3. Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., Moeller, B.: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). RFC 4492 (Informational), May 2006. http://www.ietf.org/RFC/RFC4492.txt, updated by RFCs 5246, 7027

  4. Blom, A., de Koning Gans, G., Poll, E., de Ruiter, J., Verdult, R.: Designed to fail: a USB-connected reader for online banking. In: Jøsang, A., Carlsson, B. (eds.) NordSec 2012. LNCS, vol. 7617, pp. 1–16. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  5. Bundesamt für Sicherheit in der Informationstechnik : Schutzprofil für die Kommunikationseinheit eines intelligenten Messsystems für Stoff- und Energiemengen, March 2013

    Google Scholar 

  6. Codenomicon: The Heartbleed Bug, April 2014. http://heartbleed.com/

  7. Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280 (Proposed Standard), May 2008. http://www.ietf.org/RFC/RFC5280.txt, updated by RFC 6818

  8. Deutsch, P.: DEFLATE Compressed Data Format Specification version 1.3. RFC 1951 (Informational), May 1996. http://www.ietf.org/RFC/RFC1951.txt

  9. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard), August 2008. http://www.ietf.org/RFC/RFC5246.txt, updated by RFCs 5746, 5878, 6176

  10. Digital Security group Radboud University Nijmegen, et al.: JMRTD: An Open Source Java Implementation of Machine Readable Travel Documents, January 2014. http://jmrtd.org/index.shtml

  11. Drimer, S., Murdoch, S.J., Anderson, R.: Optimised to fail: card readers for online banking. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 184–200. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  12. Entrust: Consolidated Certificate Issuance and Management, January 2014. http://www.entrust.com/solutions/certificate-management/

  13. Eronen, P., Tschofenig, H.: Pre-Shared Key Ciphersuites for Transport Layer Security (TLS). RFC 4279 (Proposed Standard), December 2005. http://www.ietf.org/RFC/RFC4279.txt

  14. GlobalPlatform: Card Specification, January 2001

    Google Scholar 

  15. Gutmann, P.: X.509 Style Guide (2000). https://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt

  16. Hankerson, D., Menezes, A.J., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer, Heidelberg (2004)

    MATH  Google Scholar 

  17. Hollenbeck, S.: Transport Layer Security Protocol Compression Methods. RFC 3749 (Proposed Standard), May 2004. http://www.ietf.org/RFC/RFC3749.txt

  18. Advanced Security Mechanisms for Machine Readable Travel Documents-Part 3, Technical report, Bundesamt für Sicherheit in der Informationstechnik: Advanced Security Mechanisms for Machine Readable Travel Documents - Part 3 July 2013

    Google Scholar 

  19. ISO/IEC: ISO 7816-8. Identification cards Integrated circuit cards Part 8: Commands for security operations (2004)

    Google Scholar 

  20. ISO/IEC: ISO/IEC 9594-1:2005, Information technology - Open Systems Interconnection - The Directory: overview of concepts, models and services (2005)

    Google Scholar 

  21. ISO/IEC: ISO 18013-3. Information technology Personal identification ISO-compliant driving licence. Part 3: Access Control, authentication and integrity validation (2009)

    Google Scholar 

  22. National Institute of Standards and Technology: FIPS PUB 186-4 – Digital Signature Standard (DSS), July 2013

    Google Scholar 

  23. Ortiz-Yepes, D., Hermann, R., Steinauer, H., Buhler, P.: Bringing strong authentication and transaction security to the realm of mobile devices. IBM J. Res. Dev. Cybersecurity Smarter Planet 58(1), 4:1–4:11 (2014)

    Article  Google Scholar 

  24. Polk, T., McKay, T., Chokhani, S.: NIST Special Publication 800-52 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, April 2014

    Google Scholar 

  25. PrimeKey: EJBCA - Open Source PKI Certificate Authority, January 2014. http://www.ejbca.org/

  26. Rescorla, E.: SSL and TLS: Designing and Building Secure Systems. Addison-Wesley, Reading (2000)

    Google Scholar 

  27. Rizzo, J., Duong, T.: The CRIME attack. In: Ekoparty (2012)

    Google Scholar 

  28. Salowey, J., Zhou, H., Eronen, P., Tschofenig, H.: Transport Layer Security (TLS) Session Resumption without Server-Side State. RFC 5077 (Proposed Standard), January 2008. http://www.ietf.org/RFC/RFC5077.txt

  29. Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. RFC 6960 (Proposed Standard), June 2013. http://www.ietf.org/RFC/RFC6960.txt

  30. Scheier, B.: The Internet of Things Is Wildly Insecure And Often Unpatchable. Wired (2014). http://www.wired.com/opinion/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/

  31. Szikora, J.P., Teuwen, P.: Banques en ligne: à la découverte d’EMV-CAP. MISC (Multi-System & Internet Security Cookbook) 56, 50–62 (2011)

    Google Scholar 

  32. Weigold, T., Kramp, T., Hermann, R., Höring, F., Buhler, P., Baentsch, M.: The Zurich Trusted information channel – an efficient defence against man-in-the-middle and malicious software attacks. In: Lipp, P., Sadeghi, A.-R., Koch, K.-M. (eds.) Trust 2008. LNCS, vol. 4968, pp. 75–91. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  33. Zoller, T.: TLS/SSL hardening and compatibility report 2011 (2011)

    Google Scholar 

Download references

Acknowlegements

The author wishes to thank Michael Kuyper for the pointer to EAP certificates; Tamas Visegrady, Erik Poll, Peter Schwabe and Reto Hermann for providing feedback and suggestions based on draft versions of this paper.

Author information

Authors and Affiliations

  1. IBM Research – Zurich Laboratory, Säumerstrasse 4, 8803, Rüschlikon, Switzerland

    Diego A. Ortiz-Yepes

  2. Digital Security Group, Institute for Computing and Information Sciences, Radboud University Nijmegen, Nijmegen, The Netherlands

    Diego A. Ortiz-Yepes

Authors
  1. Diego A. Ortiz-Yepes
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Diego A. Ortiz-Yepes .

Editor information

Editors and Affiliations

  1. TELECOM Bretagne, Cesson Sévigné, France

    Frédéric Cuppens

  2. TELECOM SudParis, Evry, France

    Joaquin Garcia-Alfaro

  3. Dalhousie University, Halifax, Nova Scotia, Canada

    Nur Zincir Heywood

  4. University of Calgary, Calgary, Canada

    Philip W. L. Fong

A Transport Layer Security (TLS)

A Transport Layer Security (TLS)

The TLS protocol suite, specified in RFC 5426 [9], aims at providing confidentiality and integrity between a client and a server—the end points—communicating over an untrusted network.

This appendix summarizes the most important elements of TLS for the purposes of this paper. Focus will be given to the latest version (i.e. TLS v. 1.2). We refer to [9, 26] for more authoritative and detailed descriptions of TLS.

1.1 A.1 TLS Goals

End Point Authentication. The client can authenticate the server to make sure that it is not communicating with a third party trying to impersonate the server. This authentication takes place using an X.509 [7] public key certificate provided by the server, which the client must validate. Once the client has validated the server certificate, it authenticates the server by requesting it to prove possession of the associated private key. The server may request the client to authenticate using an analogous mechanism.

The roots of trust for end point authentication are the trusted Certification Authorities (CAs), whose certificates must be provisioned to each end point. These trusted certificates need to be distributed or configured by some offline means. Additional intermediate certificates in the certificate chain can be either provisioned using the same means, or sent during the handshake (cf. Appendix A.4).

End point authentication is not mandatory in TLS. It is possible—albeit rare—to find anonymous TLS connections providing only confidentiality and integrity (but not entity authentication). Usually in TLS the client authenticates the server. The connection is said to be mutually authenticated when both client and the server have authenticated to one another.

Data Confidentiality and Integrity. Once established, TLS protects the integrity and confidentiality of the application data exchanged between the end points. This is achieved by encrypting the application data exchanged using the record protocol (cf. Appendix A.5) and adding a Hash-based Message Authentication Code (HMAC), using key material derived during the handshake (cf. Appendix A.4).

The secure tunnel that TLS provides not only guarantees integrity of the individual messages exchanged, but also of the session, i.e. the sequence of messages. This is an important benefit, as weaknesses in security protocols due to so-called Man-in-the-Middle attacks where an attacker replays, reorders, or manipulates some individual messages are not uncommon, even in security-critical protocols used for financial transactions, e.g. see [2, 4, 11, 31].

1.2 A.2 TLS Requirements

To use TLS a bidirectional, reliable link is required. If the link is not reliable, then TLS can be used only on top of a protocol ensuring reliability. Additionally, the end points must be able to perform cryptographic operations, including public key cryptography. If they do not have resources to perform such operations, then “traditional” TLS is not suitableFootnote 2.

1.3 A.3 Benefits of Using TLS

Using TLS is advantageous because there are existing and well maintained implementations. In addition, these implementations and the protocol itself receive wide scrutiny from the security community. TLS is very flexible regarding the security levels that can be achieved. There are known attacks, e.g. [6, 24], but most of them can be avoided by fine tuning the implementations and enabling only essential extensions. In the case of Machine-to-Machine (M2M) communication, the focus of this paper, Man In The Middle (MITM) and impersonation attacks can be prevented by having certificate checks strictly and automatically enforced.

1.4 A.4 TLS Handshake

Execution of the TLS handshake achieves the following three goals: the end points (1) agree on a cipher suite, (2) calculate a master secret, and (3) may have authenticated to each other.

A cipher suite is a combination of the following four algorithms:

  • Key exchange used by the end points to agree on the pre-master secret, a shared bit string only known by the end points. There are fundamentally three key exchange mechanisms: RSA, Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH)Footnote 3. The pre-master secret is used in conjunction with random values generated by the end points to generate the master secret, which is then used to derive the keys that will subsequently be used to encrypt the application layer data and generate the HMAC to protect its integrity.

  • Server authentication used by the server to authenticate to the client. The most frequent are RSA and DSS.

  • Bulk encryption used to encrypt the application layer data, e.g. RC4, 3DES-EDE, Advanced Encryption Standard (AES).

  • Digest used to hash the application layer data, e.g. MD5, SHA1.

A full handshake is illustrated in Fig. 2a. It is initiated by the client, who sends the ClientHello message to the server. This message lists the cipher suites and extensions supported by the client. It also includes a client-generated random value.

Upon receiving the ClientHello, the server responds with a ServerHello message. This message selects the cipher suite and a subset of the extensions that shall be used during the rest of the session, along with a server-generated random value and a server-assigned session identifier (Session ID). If the server is to authenticate to the client (which is usually the case), it sends its X.509 public key certificate in a Certificate message. It may send more than one certificate in the chain to allow the client to properly validate its certificate. The server sends a ServerKeyExchange message to provide the client with its public key to be used for deriving the pre-master secret. This message is only sent when (EC)DH is used for key exchange. The key included in the ServerKeyExchange message is signed by the server using the private key associated to the public key included in the server certificate that was sent to the client. If the server requires the client to also authenticate (to the server), then it sends the CertificateRequest message. The server signals the end of its messages by sending a ServerHelloDone message.

Fig. 2.
figure 2

TLS handshake.

Full size image

The client checks the messages received from the server. It makes sure that the cipher suite and extensions are actually supported and that the server certificate is valid. If the server sent a ServerKeyExchange message, it checks that the signature of the server’s public key is valid. If the server requested the client to authenticate, then the client sends its X.509 certificate in a Certificate message. The client then sends the ClientKeyExchange message. If RSA is used for key exchange, this client generates a random bit string (the pre-master secret) and encrypts it using the server public key included in the server certificate. Then it includes the result of the encryption operation in the ClientKeyExchange message. If (EC)DH is used, it just sends its DH public key to the server using this message. Upon receiving the ClientKeyExchange message, in the RSA case, the server can decrypt the pre-master secret (thus implicitly proving possession of its private key). In the (EC)DH case, the server can simply use the client public key to derive the shared secret, which is then used as the pre-master secret. In either case, after receiving this message, the client and the server share the pre-master secret, which can then be used to derive the master secret, and subsequently the shared key material that is later to be used to protect the application layer data. If client authentication takes place, the client sends a CertificateVerify message to the server. This message includes a signature (using the client’s private key) of all the handshake messages exchanged so far. The client sends the ChangeCipherSpec messageFootnote 4 to the server, to signal that from this point forth the negotiated cipher and derived keys shall be used. The client notifies the server that it has finished the handshake by sending the Finished message. This is the first message to be actually encrypted and includes a Message Authentication Code (MAC) of all handshake messages up to and including the ChangeCipherSpec.

To terminate the handshake, the server sends the ChangeCipherSpec followed by the Finished message to the client. These messages have the converse semantics as the ones received from the client.

Once the server initiated Finished message is received by the client (and its MAC has been validated), the end points can start exchanging application data using the record protocol, as described in Appendix A.5.

Resumed Handshake and Rehandshake. A full handshake (as described so far) marks the beginning of a new session. A session may span several connections between the client and the server. For example, when accessing a web site using HTTP on top of TLS (HTTPS), each object is fetched using a different connection, but most of these connections belong to the same session.

When a new connection is established, the client may indicate to the server its willingness to reuse an existing session by including the Session ID field in the ClientHello message. If the server accepts, it echoes the same Session ID in the ServerHello message. In this case a resumed handshake as illustrated in Fig. 2b takes place.

The resumed handshake reuses the master secret that has been previously calculated, but uses the new random values exchanged in the *Hello messages to calculate new session keys. Clearly, the resumed handshake is much more efficient than the full handshake because neither certificates are exchanged nor public key operations are performed.

When the client wants to negotiate a new cipher suite or refresh the session keys, it can request a rehandshake by simply sending a ClientHello to the server. Conversely, if the server decides to initiate the rehandshake, it may do so by sending a HelloRequest message to the client. Whether the subsequent handshake is full or resumed depends on the Session ID being present in the *Hello messages.

1.5 A.5 TLS Record Protocol

Application layer data is split into fragments by the TLS record protocol. Each of these fragments is appended with an HMAC, which is used to protect the integrity of the fragment and the stream. The fragment payload and the HMAC are then encrypted in order to ensure confidentiality (cf. Appendix A.1). A record is then built by prepending a header (record type = application data, protocol version, length) to the encrypted fragment. Once assembled, the record is handled to the lower (transport) layer for delivery to the receiving end point.

1.6 A.6 TLS Alert Protocol

Whenever an anomaly is detected by one of the end points, the alert protocol is used to signal it to the other one. The alert protocol builds on the record layer and includes a level (warning or fatal) and an alert code. If the level is fatal, the connection must be terminated.

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Ortiz-Yepes, D.A. (2015). Optimizing TLS for Low Bandwidth Environments. In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P. (eds) Foundations and Practice of Security. FPS 2014. Lecture Notes in Computer Science(), vol 8930. Springer, Cham. https://doi.org/10.1007/978-3-319-17040-4_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-17040-4_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-17039-8

  • Online ISBN: 978-3-319-17040-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation