mctls: enabling secure in-network functionality in TLS

Transcription

1 mctls: enabling secure in-network functionality in TLS David Naylor Kyle Schomp Matteo Varvello Ilias Leontiadis Jeremy Blackburn Diego Lopez Dina Papagiannaki Pablo Rodriguez Rodriguez Peter Steenkiste

2 60 Residential ISP, Europe % HTT Dr 2012 DHc HS 2013 Jun 2014 OBSERVATION 1: Use of Encryption is Increasing

3 CACHING COMPRESSION PARENTAL FILTER VIRUS SCANNER PACKET PACING OBSERVATION 2: In-Network Functionality is Widespread

4 GOAL: Encryption & In-Network Functionality

5 Value-Added Services Opt-in services that benefit end users. Administrator-Mandated Help the company/network; for users, just a fact of life. Unauthorized Not necessary for network & not beneficial for user.

6 Value-Added Services Opt-in services that benefit end users. Administrator-Mandated Help the company/network; for users, just a fact of life. Unauthorized Not necessary for network & not beneficial for user.

7 GOAL: Encryption & In-Network Functionality

8 mctls Encryption & In-Network Functionality

9 TLS + Middleboxes mctls Encryption & In-Network Functionality mctls Design Ideas mctls Handshake Performance Evaluation

10 TLS + Middleboxes mctls Encryption & In-Network Functionality mctls Design Ideas mctls Handshake Performance Evaluation

11 TLS Handshake Protocol for session setup CONSISTS OF: & Record Protocol for data transfer Entity Authentication AND GIVES US THREE SECURITY PROPERTIES: Payload Secrecy Payload Integrity

12 TLS + middleboxes is broken 1 Company installs root cert on client Company 2 Firewall fabricates a cert for foo.com foo.com TLS TLS 3 Client accepts fake cert because it s signed by company s root cert Company Firewall foo.com 4 Firewall opens separate TLS connection to foo.com

13 TLS was designed for 2 parties No mechanism to authenticate middleboxes. Client has no security guarantees past middlebox. Middleboxes have full read/write access.

14 TLS + Middleboxes mctls Encryption & In-Network Functionality mctls Design Ideas mctls Handshake Performance Evaluation

15 TLS + Middleboxes mctls Encryption & In-Network Functionality mctls Design Ideas mctls Handshake Performance Evaluation

16 Design requirements for mctls MAINTAIN TLS SECURITY PROPERTIES: Entity Authentication Payload Secrecy PLUS TWO NEW ONES: 4 5 Visibility & Control Least Privilege Payload Integrity

17 Design requirements for mctls MAINTAIN TLS SECURITY PROPERTIES: Entity Authentication Payload Secrecy PLUS TWO NEW ONES: 4 5 Visibility & Control Least Privilege Payload Integrity

18 Most middleboxes do not need read/write access to all data HTTP Request HTTP Response Headers Body Headers Body Parental Filter Packet Pacer IDS WAN Optimizer Caching Compression Access all data Write access = read only = read/write

19 Idea #1: Encryption Contexts (for access control) send(data, context) Context 1: Request Headers Context 2: Request Body Context 3: Response Headers Context 4: Response Body Read-Only: Read-Only: Read-Only: Read-Only: Read/Write: Read/Write: Read/Write: Read/Write:

20 Idea #1: Encryption Contexts (for access control) TLS uses one key for encryption and MAC: K encrypt MAC DATA MAC

21 Idea #1: Encryption Contexts (for access control) mctls uses three keys to separate read-only and read/write access: K readers K writers K endpoints encrypt MAC MAC MAC DATA MAC MAC MAC Readers, Writers, & Endpoints check to detect 3 rd party changes Writers & Endpoints check to detect reader changes Endpoints check to detect writer changes

22 Idea #1: Encryption Contexts (for access control) Each context has a read key and a write key: K readers K writers K endpoints K readers K writers K endpoints DATA MAC MAC MAC DATA MAC MAC MAC Context 1: Request Headers Read: Write: Context 2: Request Body Read: Write:

23 Encryption contexts example Context 1: Request Headers Context 2: Request Body Context 3: Response Headers Context 4: Response Body Endpoints Read: Read: Read: Read: Write: Write: Write: Write:

24 Design requirements for mctls MAINTAIN TLS SECURITY PROPERTIES: Entity Authentication Visibility & Control Payload Secrecy PLUS TWO NEW ONES: 4 5 Multiple Least Privilege Payload Integrity Encryption Contexts

25 Design requirements for mctls MAINTAIN TLS SECURITY PROPERTIES: Entity Authentication Payload Secrecy PLUS TWO NEW ONES: Payload Integrity 4 Visibility & Control 5 Multiple Encryption Contexts Least Privilege

26 Idea #1: Contributory Context Keys (for endpoint agreement) Client and server generate part of each context key: CLIENT MIDDLEBOX SERVER Middlebox only learns key if client and server agree on its permissions

27 Design requirements for mctls MAINTAIN TLS SECURITY PROPERTIES: Entity Authentication Payload Secrecy PLUS TWO NEW ONES: Payload Integrity Contributory Context Keys 4 Visibility & Control 5 Multiple Encryption Contexts Least Privilege

28 TLS + Middleboxes mctls Encryption & In-Network Functionality mctls Design Ideas mctls Handshake Performance Evaluation

29 TLS + Middleboxes mctls Encryption & In-Network Functionality mctls Design Ideas mctls Handshake Performance Evaluation

30 Handshake Goals TLS Authenticate server mctls Authenticate server Authenticate middlebox Establish session key Distribute context keys

31 CLIENT MIDDLEBOX SERVER Hello List of middleboxes, contexts, and permissions

32 Auth server CLIENT MIDDLEBOX SERVER Auth mbox Hello Hello + Cert Hello + Cert Middlebox Key Exchange Middlebox Hello Done Server Key Exchange Server Hello Done

33 Auth server CLIENT MIDDLEBOX SERVER Auth mbox Hello Client Key Exchange Client Context Secrets Change Cipher Spec Finished Hello + Cert Middlebox Key Exchange Middlebox Hello Done Hello + Cert Server Key Exchange Server Hello Done

34 Auth server CLIENT MIDDLEBOX SERVER Auth mbox Hello Client Key Exchange Client Context Secrets Change Cipher Spec Finished Hello + Cert Middlebox Key Exchange Middlebox Hello Done Hello + Cert Server Key Exchange Server Hello Done

35 Auth server CLIENT MIDDLEBOX SERVER Auth mbox K Endpoints K Endpoints Hello Client Key Exchange Client Context Secrets Change Cipher Spec Finished Hello + Cert Middlebox Key Exchange Middlebox Hello Done Hello + Cert Server Key Exchange Server Hello Done

36 Auth server CLIENT MIDDLEBOX SERVER Auth mbox K Endpoints K Client-Mbox K Client-Mbox K Endpoints Hello Client Key Exchange Client Context Secrets Change Cipher Spec Finished Hello + Cert Middlebox Key Exchange Middlebox Hello Done Hello + Cert Server Key Exchange Server Hello Done

37 Auth server CLIENT MIDDLEBOX SERVER Auth mbox K Endpoints K Client-Mbox K Client-Mbox K Endpoints client secrets client secrets client secrets Hello Client Key Exchange Client Context Secrets Change Cipher Spec Finished Hello + Cert Middlebox Middlebox Key Exchange Middlebox Hello Done Context 1: Context 2: Client Context Secrets Hello + Cert Server Key Exchange read secret Server write Hello secret Done read secret K Client-Mbox Server Context 1: Context 2: read secret read secret write secret write secret K Endpoints

38 Auth server CLIENT MIDDLEBOX SERVER Auth mbox K Endpoints K Client-Mbox K Client-Mbox K Endpoints client secrets client secrets client secrets Hello Client Key Exchange Client Context Secrets Change Cipher Spec Finished Hello + Cert Middlebox Key Exchange Middlebox Hello Done Hello + Cert Middlebox Key Exchange Middlebox Hello Done Hello + Cert Server Key Exchange Server Hello Done

39 Auth server CLIENT MIDDLEBOX SERVER Auth mbox Authenticate middlebox K Endpoints K Client-Mbox K Client-Mbox K Endpoints client secrets client secrets client secrets Hello Client Key Exchange Client Context Secrets Change Cipher Spec Finished Hello + Cert Middlebox Key Exchange Middlebox Hello Done Hello + Cert Middlebox Key Exchange Middlebox Hello Done Hello + Cert Server Key Exchange Server Hello Done

40 Auth server CLIENT MIDDLEBOX SERVER Auth mbox Authenticate middlebox K Endpoints K Client-Mbox K Client-Mbox K Server-Mbox K Server-Mbox K Endpoints client secrets client secrets client secrets Hello Client Key Exchange Client Context Secrets Change Cipher Spec Finished Hello + Cert Middlebox Key Exchange Middlebox Hello Done Hello + Cert Middlebox Key Exchange Middlebox Hello Done Hello + Cert Server Key Exchange Server Hello Done

41 Auth server CLIENT MIDDLEBOX SERVER Auth mbox Authenticate middlebox K Endpoints K Client-Mbox K Client-Mbox K Server-Mbox K Server-Mbox K Endpoints client secrets server secrets client secrets server secrets client secrets server secrets Hello Client Key Exchange Client Context Secrets Change Cipher Spec Finished Hello + Cert Middlebox Key Exchange Middlebox Hello Done Hello + Cert Middlebox Key Exchange Middlebox Hello Done Hello + Cert Server Key Exchange Server Hello Done Server Context Secrets Change Cipher Spec Finished

42 Client Key Exchange Client Auth server Context Secrets Auth mbox K Endpoints Middlebox Key Exchange Middlebox Hello Done Server Hello Done CLIENT MIDDLEBOX SERVER K Client-Mbox K Client-Mbox K Server-Mbox Authenticate middlebox K Server-Mbox Change Cipher Spec Hello + Cert client secrets Finished server secrets client secrets server secrets client secrets server secrets Middlebox Compute Key Context Exchange Compute Context Keys Keys Server Compute Context Context Secrets Keys Middlebox Hello Done Change Cipher Spec Finished K Endpoints For each context: client read secret + server read secret client random + server random reader keys client write secret + server write secret client random + server random writer keys PRF PRF read key block write key block

43 TLS + Middleboxes mctls Encryption & In-Network Functionality mctls Design Ideas mctls Handshake Performance Evaluation

44 TLS + Middleboxes mctls Encryption & In-Network Functionality mctls Design Ideas mctls Handshake Performance Evaluation

45 mctls adds functionality to TLS. Does it add overhead? Data Overhead context key material + certificates CPU Overhead context key generation + key exchange Time Overhead handshake duration

46 mctls increases handshake size mc7l6 7L6 6Lze (kb) Ctxts: 1 0box: 0 Ctxts: 4 0box: 0 Ctxts: 8 0box: 0 Ctxts: 4 0box: 1 Ctxts: 4 0box: 2

47 mctls can increase server load mctl6 TL6 400 ConnectLons Ser 6econd umber of Contexts

48 mctls does not increase time to first byte TLPe to )Lrst Byte (Ps) uPber of Contexts PFTL6 TL6 TC3

49 TLS + Middleboxes mctls Encryption & In-Network Functionality mctls Design Ideas mctls Handshake Performance Evaluation

50 TLS + Middleboxes mctls Encryption & In-Network Functionality mctls Design Ideas mctls Handshake Performance Evaluation

51 In the Paper crypto details threat model using encryption contexts application use cases detailed performance evaluation future work

52 mctls.org

53 mctls: enabling secure in-network functionality in TLS David Naylor Kyle Schomp Matteo Varvello Ilias Leontiadis Jeremy Blackburn Diego Lopez Dina Papagiannaki Pablo Rodriguez Rodriguez Peter Steenkiste