Field of the Invention
Embodiments of the present invention relate generally to computer security and, more particularly, to efficient start-up for secured connections and related services.
Description of the Related Art
Machines within a computer network typically employ various techniques to exchange secure messages when those machines communicate with one another in an effort to prevent third-parties from reading or tampering with the exchanged messages and potentially engaging in illegal or undesirable activities such as identity theft, corporate espionage, or stealing or compromising services. Conventional techniques to secure computer communications usually include mechanisms that ensure that a given received message originated from an appropriate machine within the computer network and that the content associated with a given received message was not tampered with or marginalized after being transmitted by an appropriate machine within the computer network.
Exemplary approaches for exchanging secure messages include Transport Layer Security (TLS) and predecessor Secure Sockets Layer (SSL). TSL and SSL are cryptographic protocols designed to provide communications security over a computer network for various purposes, including web browsing, email, Internet faxing, instant messaging, and voice-over-IP (VoIP). In general, TLS and SSL can be used to secure all communications between server machines offering various online services and client machines that access such online services. The TLS and SSL protocols provide privacy and data integrity during message exchange between two or more communicating computer applications executing on two or more different machines.
One such technique involves encrypting messages prior to transmitting those messages from one machine within the computer network to another. In a typical implementation, an originating machine transmits a security “certificate” to other computing machines within the computer network. The security certificate includes information setting forth the manner in which a message needs to be encrypted in order for the machine transmitting the certificate to be able to decrypt the message.
A typical approach for establishing secure communications between a client and a server begins with the client issuing a request for a secure session to a server. The server responds by transmitting a certificate to the client that contains the server's public key. The client then verifies the authenticity of the certificate by issuing authentication requests to one or more authentication servers associated with certification authorities. One or more of the authentication servers transmits an authentication response to the client indicating whether the certificate is valid or has been revoked or otherwise compromised. If the client determines, from the authentication responses, that the certificate is valid, then the client generates a key, encrypts the key using the certificate, and transmits the encrypted key to the server. The client and server can then securely exchange one or more data messages, also referred to as payload data, where the data messages are encrypted with the key.
One drawback to the above approach is that large numbers of messages are typically sent among the client, server, and authentication servers before any actual data messages may be securely exchanged. As a result, a significant amount of time can pass before a client and server are actually able to securely exchange data messages. For example, up to eleven pairs of messages could be exchanged to establish secure communications before any data messages can be securely exchanged. Another drawback to the above approach is that the time and bandwidth devoted to establishing secure communications between the client and server may be relatively high compared to the time and bandwidth devoted to transmitting actual data between the client and server. As a result, the overall efficiency of the communication channel between the client and server may be negatively impacted.
As the foregoing illustrates, what is needed in the art is more efficient way to initiate secure communications between a client and a server or other set of network connected entities in a computer network.