Predictive Eviction: A Novel Policy for Optimizing TLS Session Cache Performance

Abstract

Transport Layer Security (TLS) is the most commonly used security protocol to encrypt web traffic. TLS connections are computationally expensive to set up, so the TLS protocol supports session resumption, where previously negotiated connection parameters can be used to short-circuit the TLS handshake. The server assigns new sessions a session identifier (ID) and caches each session by its ID so it can be retrieved later. As clients come and go, sessions in the server’s cache will have to be evicted according to the server’s eviction policy. We find that first-in-first-out (FIFO) and least-recentlyused (LRU) are the most common session cache eviction policies among popular TLS libraries, however, for applications whose clients connect at regular intervals, such as mobile advertising, the performance of these policies may be far worse than randomly evicting policies from the cache. To handle this, we propose a novel eviction policy for TLS session caches, predictive eviction, that relies on the server knowing the next time each client will connect again. Using a real-world application of such a policy, Android in-application advertising, we build a client that is able to simulate the behavior of a large number of devices requesting mobile advertisements over TLS. We use this simulated client to benchmark the hit rate of the predictive policy compared with eviction policies found in popular TLS library implementations. In addition, we demonstrate that our policy can be implemented efficiently by benchmarking its performance in transactions per second compared with OpenSSL’s session cache implementation, and compared with TLS session tickets (an alternative to session caching for resuming TLS sessions). We find that our policy has better hit rate performance than other eviction policies, and can achieve comparable performance to session tickets. To the best of our knowledge, this is the first study of the performance of TLS session resumption strategies.

DOI: 10.1109/GLOCOM.2014.7417274

Extracted Key Phrases

4 Figures and Tables

Cite this paper

@inproceedings{Stevens2015PredictiveEA, title={Predictive Eviction: A Novel Policy for Optimizing TLS Session Cache Performance}, author={Ryan Stevens and Hao Chen}, booktitle={GLOBECOM}, year={2015} }