The case for ubiquitous transport-level encryption

Size: px

Start display at page:

Download "The case for ubiquitous transport-level encryption"

Rosa Allen
6 years ago
Views:

1 1/25 The case for ubiquitous transport-level encryption Andrea Bittau, Michael Hamburg, Mark Handley, David Mazières, and Dan Boneh Stanford and UCL November 18, 2010

2 Goals 2/25 What would it take to encrypt the vast majority of TCP traffic? 1. Fast enough to enable by default on almost all servers. 2 End-point authentication. Leverage certificates, cookies, passwords, etc., to achieve best possible security for any given setting. 3 Compatibility. Works in existing networks. Works with legacy apps.

3 today can be pretty bad 3/25 Connections/s ,156 TCP server 737 SSL server Biggest problem: cost of public key cryptography. Worst case: SSL can be 82x slower than TCP...

4 today can be pretty bad 3/25 Connections/s ,156 TCP server 19,153 server 737 SSL server Biggest problem: cost of public key cryptography. Worst case: SSL can be 82x slower than TCP... Worst case: only 3x slower than TCP!

5 Problem today: app-level auth divorced from transport 4/25 1 SSL encrypts + server auth. SSL. Authenticate server using certificates

6 Problem today: app-level auth divorced from transport 4/25 1 SSL encrypts + server auth. 2 App auths client. SSL. Authenticate server using certificates Username: Andrea Password: w00t SSL. Authenticate server using certificates If step 1 fails, step 2 doesn t help in fact, it harms.

7 What s the best we can do? Level of security against a network attacker depends on scenario. 5/25 Preconfiguration Use case Today s security Possible security None None No passive eavesdropping

8 What s the best we can do? Level of security against a network attacker depends on scenario. 5/25 Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth

9 What s the best we can do? Level of security against a network attacker depends on scenario. 5/25 Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth Shared secret (cookie) no SSL None Mutual auth

10 What s the best we can do? Level of security against a network attacker depends on scenario. 5/25 Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth Shared secret (cookie) no SSL Shared secret and SSL None Mutual auth if cert and pass OK Mutual auth Mutual auth if password OK

11 What s the best we can do? Level of security against a network attacker depends on scenario. 5/25 Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth Shared secret (cookie) no SSL Shared secret and SSL None Mutual auth if cert and pass OK Mutual auth Mutual auth if password OK

Server auth Server auth Shared secret (cookie)

12 What s the best we can do? Level of security against a network attacker depends on scenario. goal with Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth Shared secret (cookie) no SSL Shared secret and SSL None Mutual auth if cert and pass OK Mutual auth Mutual auth if password OK 5/25

13 Backwards compatibility issues 6/25 Two prevalent ways of encrypting network traffic: 1 At application layer (e.g., SSL). Works over almost all networks. Need to modify applications. Application protocol may not allow incremental deployment. 2 At network layer (e.g., IPSec). Works with all applications. Breaks NAT. Can t leverage user authentication. Ubiquitous encryption requires best of both worlds.

14 : transport-layer encryption 7/25 : a TCP option for encryption. 1 High server performance: push complexity to clients. 2 Allow applications to authenticate end points. 3 Backwards compatibility: all TCP apps, all networks, all authentication settings.

15 overview 8/25 Extend TCP in a compatible way using TCP options. Applications use standard BSD socket API. New getsockopt for authentication. Encryption automatically enabled if both end points support.

16 Push expensive operations to clients Public key operations expensive, but not all equally expensive. RSA-exp performance: 9/25 Operation Latency (ms) Decrypt Encrypt 0.26 Have client do decrypt Generate ephemeral key pair public key enc pubk (master key) Generate random master key client server Without server authentication, have client decrypt. Lets servers accept connections at 36x rate of SSL.

17 Link app auth to transport auth 10/25 Session ID: hook linking to app-level authentication. New getsockopt returns non-secret Session ID value. Unique for every connection (if one endpoint honest). If same on both ends, no man-in-the-middle. Password based Authentication of user & sess ID Session ID Session ID Authenticating the Session ID authenticates the end point.

18 Auth example: batch signing Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost. RSA op. A Signed by amazon.com SID A 11/25

19 Auth example: batch signing Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost. RSA op. A Signed by amazon.com SID A 11/25 SID B B RSA op. Signed by amazon.com

20 Auth example: batch signing Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost. 11/25 SID A SID B SID C SID D RSA op. A, B, C, D Signed by amazon.com

21 Auth example: batch signing Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost. 11/25 SID A SID B SID C SID D A, B, C, D RSA op. Signed by amazon.com SSL servers must RSA decrypt each client s secret. RSA op. enc(secret A) enc(secret B) RSA op. RSA op. enc(secret C) enc(secret D) RSA op.

22 Key exchange overview 12/25 Do you support? Yes, and I support RSA RSA public key enc pubk (master key) Generate random master key client server Clients periodically generate ephemeral public keys.

23 key exchange 13/25 SYN SYN ACK ACK

24 key exchange 13/25 SYN - CRYPT(HELLO) probe SYN ACK ACK negotiation encoded in TCP options.

25 key exchange 13/25 SYN - CRYPT(HELLO) probe SYN ACK - CRYPT(PKCONF) public key ciphers and key sizes list ACK - CRYPT(INIT1) symmetric ciphers and MACs list, nonce, public key ACK - CRYPT(INIT2) encrypted client and server nonce (master key) crypto on negotiation encoded in TCP options. INIT1 and INIT2 too long: sent as data invisible to apps.

26 Key scheduling Master key is hash of: Server and client nonces. Public key used and negotiated parameters. 14/25 Master key hash (HMAC) RX MAC key TX MAC key RX enc. key TX enc. key Session ID

27 Key scheduling Master key is hash of: Server and client nonces. Public key used and negotiated parameters. 14/25 RX MAC key TX MAC key hash (HMAC) Master key RX enc. key TX enc. key Next master key MAC enc SID Session ID Session caching, like in SSL: on reconnect, establish new keys without explicit key exchange.

28 Session caching 15/25 SYN - NEXTK1 New session based on session with ID X SYN ACK - NEXTK2 OK! crypto on ack Low latency: completes within TCP handshake.

29 TCP MAC and encryption 16/25 src port seq no. ack no. dst port MACed Encrypted (64-bit seq) (64-bit ack) d.off. flags window checksum urg. ptr. options (e.g., SACK) MAC option data TCP length Allow NATs: do not MAC ports. Prevent replay: MAC extended (implicit) seq. no. Prevent truncation / extension: MAC length.

30 Implementation 17/25 1 Linux kernel implementation: 4,500 LoC. 2 Portable userspace divert socket implementation: 7,000 LoC. Tested on Windows (required implementing divert sockets), Mac OS, Linux and FreeBSD. Packet flow in divert socket implementation. 3 4 Network Kernel 1 2 application d 3 Binary compatible OpenSSL library that attempts with batch-signing or falls back to SSL.

31 overview 18/25 considerations when turning encryption on: 1 Does encryption sacrifice request handling throughput? E.g., how many web requests / second can a server handle? 2 Is request latency harmed? E.g., How long does a client need to wait before a web page is displayed? 3 Is data throughput high? What s the bitrate when downloading? Hardware: 8-core, 2.66GHz Xeon (2008-era). Software: Linux kernel implementation.

32 High connection rate on servers 19/25 Connections/s ,434 TCP 27,070 server No sessions cached 754 SSL server

33 High connection rate on servers 19/25 Connections/s ,434 TCP 70,044 server 27,070 No sessions cached All sessions cached 39, SSL server

34 Low authentication cost 20/25 Connections/s ,070 26,395 no auth 18,790 1, shared secret certificates weak password SSL 25x faster than SSL when batch signing

35 Web-serve up to 25x faster than SSL 21/25 Connection rate (conn/s) ,156 TCP 42,440 Apache serving a 44 byte static file. server 19,153 No sessions cached All sessions cached 19,787 No server authentication with : fair comparison would make slower. SSL 737

36 Lower connect latency than SSL 22/25 Protocol LAN connect time (ms) TCP 0.2 cached 0.3 not cached 11.3 SSL cached 0.7 SSL not cached 11.6 batch sign 11.2 CMAC 11.4 PAKE 15.2

37 Lower connect latency than SSL 22/25 Protocol LAN connect time (ms) TCP 0.2 cached 0.3 not cached 11.3 SSL cached 0.7 SSL not cached 11.6 batch sign 11.2 CMAC 11.4 PAKE 15.2

38 Lower connect latency than SSL 22/25 Protocol LAN connect time (ms) Batch signing TCP does not add latency 0.2 cached 0.3 not cached 11.3 SSL cached 0.7 SSL not cached 11.6 SYN - HELLO SYN ACK - PKCONF ACK - INIT1 batch sign 11.2 RSA sign start CMAC 11.4 RSA decrypt start PAKE 15.2 ACK - INIT2 Signature connection ready

39 Gigabit encryption possible 23/ ,954 Transfer rate (Mbit/s) ,968 3,692 0 TCP AES SHA1 SSL AES SHA1

40 Gigabit encryption possible 23/25 Transfer rate (Mbit/s) ,954 8,835 AES-NI 3.33GHz i5 3,968 3,692 0 TCP AESNI UMAC AES SHA1 SSL AES SHA1 New CPUs (Westmere) with special AES instructions can saturate 9 Gbit/s networks while encrypting.

41 Related work 24/25 1 Network layer solutions: IPSec, Better Than Nothing Security. Hard to integrate with application-level authentication. Network compatibility issues: NATs. 2 Application layer solutions: SSL, Opportunistic encryption [Langley]. Poor server-side performance. Requires changes to apps and possibly protocol. 3 SSL performance improvements: SSL batching [Shacham & Boneh]: requires different public keys. SSL rebalancing [Castelluccia, Mykletun & Tsudik]: does not leverage app-level authentication.

42 25/25 1 High server performance makes encryption a realistic default. 2 Let applications leverage to maximize communication security in every setting. 3 Incrementally deployable, compatible with legacy apps, TCP and NATs. Install and help encrypt the Internet!

The case for ubiquitous transport level encryption. Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford.

The case for ubiquitous transport level encryption Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford. What would it take to encrypt all the traffic on the Internet,