David Naylor Carnegie Mellon And Then There Were More: Secure Communication for More Than Two Parties Richard Li University of Utah Christos Gkantsidis Microsoft Research Thomas Karagiannis Microsoft Research Peter Steenkiste Carnegie Mellon
In most networks, # middleboxes # routers Web Cache Compression Proxy Intrusion Detection System Virus Scanner Parental Filter Load Balancer [Making Middleboxes Someone Else s Problem. SIGCOMM 12]
In most networks, # middleboxes # routers Encryption blinds middleboxes.
Encryption blinds middleboxes. Goal: Encryption + Middleboxes
Goal: Encryption + Middleboxes 1 2 Design Space mbtls For secure, multi-entity communication protocols A deployable protocol for outsourced middleboxes.
There s a big design space for secure, multi-entity communication protocols
There s a big design space for secure, multi-entity communication protocols 1 Extend TLS Security Properties 2 3 New Security Other Properties Properties
1 Extend TLS Security Properties 2 1 Data Secrecy Data Authentication 3 Entity Authentication
1 Extend TLS Security Properties Definition of Party vs Granularity of Data Access Definition of Identity Headers Body vs Headers vs
1 2 Extend TLS Security Properties New Security Properties 3 Other Properties Granularity of Data Access Headers Body vs Headers Definition of Party vs Definition of Identity vs
2 New Security Properties Path Integrity 1 3 2 Authorization Data Change Secrecy
1 Extend TLS Security Properties 2 New Security Properties 3 Other Properties Granularity of Data Access Path Integrity Headers Body vs Headers 1 2 3 Definition of Party Data Change Secrecy vs Definition of Identity Authorization vs
3 Other Properties Legacy Endpoints Computation v1.2 Arbitrary vs Limited In-Band Discovery
1 Extend TLS Security Properties 2 New Security Properties 3 Other Properties Granularity of Data Access Path Integrity Legacy Endpoints Headers Body vs Headers 1 2 3 v1.2 Definition of Party vs Data Change Secrecy In-Band Discovery Definition of Identity vs Authorization Computation vs Arbitrary Limited
There s a big design space for secure, multi-entity communication protocols 1 Extend TLS Security Properties 2 New Security Properties 3 Other Properties
There s a big design space for secure, multi-entity communication protocols There is no one-size-fits-all solution.
There s a big design space for secure, multi-entity communication protocols There is no one-size-fits-all solution. Supporting one property often precludes another.
Supporting one property often precludes another. TLS interception with custom root certificates Supports two legacy endpoints Prevents endpoint authentication (owner or code) v1.2 vs
Supporting one property often precludes another. Multi-Context TLS (mctls) [SIGCOMM 15] Supports fine-grained data access Prevents legacy support Headers Body vs Headers v1.2
Supporting one property often precludes another. BlindBox [SIGCOMM 15] Supports functional crypto (minimal data access) Prevents arbitrary computation Headers Body vs Headers Arbitrary vs Limited
There s a big design space for secure, multi-entity communication protocols There is no one-size-fits-all solution. Supporting one property often precludes another.
There s a big design space for secure, multi-entity communication protocols There is no one-size-fits-all solution. Supporting one property often precludes another.
Goal: Encryption + Middleboxes 1 2 Design Space mbtls For secure, multi-entity communication protocols A deployable protocol for outsourced middleboxes.
mbtls targets two commoncase, real-world needs 1 Immediate deployability Interoperate with one legacy endpoint 2 Protection for outsourced middleboxes Protect session data from middlebox infrastructure (in addition to traditional network attackers)
mbtls targets two commoncase, real-world needs 2 Outsourced Middlebox Server-Side Proxy Residential ISP Upgraded Server Legacy Clients 1 Legacy Endpoint
mbtls targets two commoncase, real-world needs 1 Legacy Endpoint 2 Outsourced Middlebox Upgraded Client Client-Side Proxy Cloud Compute Provider Legacy Servers
mbtls targets two commoncase, real-world needs 1 Immediate deployability Interoperate with one legacy endpoint 2 Protection for outsourced middleboxes Protect session data from middlebox infrastructure (in addition to traditional network attackers)
2 Protection for outsourced middleboxes Protect session data from middlebox infrastructure (in addition to traditional network attackers) Middlebox Software R/W access Client R/W access Middlebox Infrastructure No access Server R/W access Everyone Else No access
mbtls targets two commoncase, real-world needs 1 Immediate deployability Interoperate with one legacy endpoint 2 Protection for outsourced middleboxes Protect session data from middlebox infrastructure (in addition to traditional network attackers)
A first approach: pass primary session key over secondary TLS session Primary TLS Connection Supports legacy endpoints Secondary TLS Connection Data and keys visible in RAM
An aside: Intel SGX 1 Secure Execution Environment Program code, data, and stack encrypted. 2 Remote Attestation Prove to remote party that 1 is working.
A first approach: pass primary session key over secondary TLS session Primary TLS Connection Supports legacy endpoints Secondary TLS Connection Data and keys visible in RAM
mbtls protects session data and keys using SGX Primary TLS Connection SGX Enclave TLS Handshake + Attestation Supports legacy endpoints Data and keys encrypted in RAM
On-path middleboxes can be discovered on-the-fly ClientHello + MiddleboxSupportExtension ServerHello MiddleboxAnnouncement MbtlsEncap[ ] + MboxHello
Per-hop keys provide path integrity and data change secrecy Original session key bridges client- and server-side middleboxes.
Evaluation 1 What overheads does mbtls introduce? From SGX? From crypto? 2 Is mbtls immediately deployable? Will existing network devices drop mbtls handshake messages?
SGX doesn t have much impact on I/O+compute-intensive workloads 10 8 No Enclave Enclave Throughput (Gbps) 6 4 2 0 512 1K 2K 4K 8K 12K Record Size (Bytes)
mbtls adds some handshake CPU overhead on the server 2.5 2.0 Server 1.5 Computation Time (ms) 1.0 TLS (no mbox) mbtls (1 serve mbtls (2 serve mbtls (3 serve 0.5 0.0 TLS mbtls Server mbtls mbtls no mbox 1 mbox 2 mbox 3 mbox
mbtls handshake protocol changes are deployable today?? Drop handshake? 6 enterprise networks 34 residential networks 2 mobile networks No handshakes were dropped. 11 university networks 35 colocation networks 1 public network 56 hosting networks 19 data center networks 77 unlabeled networks
David Naylor Carnegie Mellon And Then There Were More: Secure Communication for More Than Two Parties Richard Li University of Utah Christos Gkantsidis Microsoft Research Thomas Karagiannis Microsoft Research Peter Steenkiste Carnegie Mellon