|
SSL Splitting and Barnraising: Cooperative Caching with Authenticity Guarantees
Chris Lesniewski-Laas
Submitted to the Department of Electrical Engineering and Computer Science
in partial fulfillment of the requirements for the degree of
Master of Engineering in Electrical Engineering and Computer Science
at the
Massachusetts Institute of Technology,
February 2003
Thesis Supervisor: M. Frans Kaashoek
Abstract
SSL splitting is a cryptographic technique to guarantee that public data served
by caching Web proxies is endorsed by the originating server. When a client
makes a request, the trusted server generates a stream of authentication
records and sends them to the untrusted proxy, which combines them with a
stream of data records retrieved from its local cache. The combined stream is
relayed to the client, a standard Web browser, which verifies the data's integrity. Since
the combined stream simulates a normal Secure Sockets Layer (SSL) connection,
SSL splitting works with unmodified browsers; however, since it does not
provide confidentiality, it is appropriate for applications that require only
authentication. The server must be linked to a patched version of the
industry-standard OpenSSL library; no other server modifications are necessary.
In experiments replaying two-hour access.log traces taken from LCS Web
sites over a DSL link, SSL splitting reduces bandwidth consumption of the
server by between 25% and 90% depending on the warmth of the cache and the
redundancy of the trace. Uncached requests forwarded through the proxy exhibit
latencies within approximately 5% of those of an unmodified SSL server.
|
|
