We propose mdTLS protocol to improve performance based on the middlebox-aware TLS (maTLS), one of the most secure TLS protocols. We found out that the computational complexity of mdTLS is about twice as low as that of maTLS.
Server generates its certificate as in original TLS.
- Server sends Certificate Signing Request (CSR) to Certificate Authority (CA).
- CA verifies CSR, creates pre-certificates, and submits to CT Log server to get Signed Certificate Timestamps (SCT).
- CA issues certificate to the server with SCTs from CT Log servers.
- In mdTLS, middlebox is a proxy signer of server. Therefore, delegation process is required.
- Since middlebox, generates its certificate by proxy signing server's certificate, we excluded MT Log server and CA for middlebox which were described in maTLS. This makes certificate generation and verification more efficient.
- Client has to verify two types of signature, one is original signature and the other is proxy signature. In order to verify proxy signature, client needs proxy public keys, which are generated according to the proxy signature verification method.
- Proxy signature is also used in Security Parameter Blocks by middlebox.
- Client and server sends request and response with Modification Log, as maTLS, to check whether payload has been changed while being transmission.
We verified that our proposal meets newly defined security goals as well as those verified by maTLS by using Tamarin prover. Verification results and experiment environment are shown in below.
- Amazon Elastic Compute Cloud(Amazon EC2)
- Ubuntu 22.04 LTS
- 96 vCPUs
- 192 GiB Memories