tcpcrypt: real transport-level encryption Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford.

Similar documents
The case for ubiquitous transport level encryption. Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford.

The case for ubiquitous transport-level encryption

The case for ubiquitous transport-level encryption

SSL/TLS. How to send your credit card number securely over the internet

Introduction to IPsec. Charlie Kaufman

Transport Level Security

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

What is Secure. Authenticated I know who I am talking to. Our communication is Encrypted

Network Security: IPsec. Tuomas Aura

Internet security and privacy

Configuring SSL Security

CS 494/594 Computer and Network Security

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

SPDY - A Web Protocol. Mike Belshe Velocity, Dec 2009

CPSC 467: Cryptography and Computer Security

Wedge: Splitting Applications into Reduced-Privilege Compartments

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

It Just (Net)works. The Truth About ios' Multipeer Connectivity Framework. Alban

Configuring OpenVPN on pfsense

Configuring SSL CHAPTER

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

Certificate Enrollment for the Atlas Platform

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Real-time protocol. Chapter 16: Real-Time Communication Security

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Configuring SSL. SSL Overview CHAPTER

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Transport Layer Security

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Understanding Traffic Decryption

Auth. Key Exchange. Dan Boneh

review of the potential methods

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Implementing Cisco Network Security (IINS) 3.0

Internet security and privacy

CSE543 Computer and Network Security Module: Network Security

McAfee Next Generation Firewall 5.9.1

IP Mobility vs. Session Mobility

Implementation Guide - VPN Network with Static Routing

IP Security IK2218/EP2120

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Cisco Next Generation Firewall Services

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

VIRTUAL PRIVATE NETWORK

DPI-SSL. DPI-SSL Overview

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Apache Security with SSL Using FreeBSD

Developing ILNP. Saleem Bhatti, University of St Andrews, UK FIRE workshop, Chania. (C) Saleem Bhatti.

Configuring SSL. SSL Overview CHAPTER

MTAT Applied Cryptography

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

COSC4377. Chapter 8 roadmap

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management).

Solving HTTP Problems With Code and Protocols NATASHA ROONEY

Defeating All Man-in-the-Middle Attacks

SSH. Partly a tool, partly an application Features:

Deploying DDS on a WAN and the GIG: The DDS Routing Service. Gerardo Pardo-Castellote, Ph.D. The Real-Time Middleware Experts

Protocol Layers, Security Sec: Application Layer: Sec 2.1 Prof Lina Battestilli Fall 2017

Hillstone IPSec VPN Solution

NFSv4 Open Source Project Update

CMSC 414 S09 Exam 2 Page 1 of 6 Name:

TLS 1.1 Security fixes and TLS extensions RFC4346

WHITE PAPER. Good Mobile Intranet Technical Overview

ESP Egocentric Social Platform

Real-Time Communications for the Web. Presentation of paper by:cullen Jennings,Ted Hardie,Magnus Westerlund

Security Fundamentals

E-commerce security: SSL/TLS, SET and others. 4.1

VMware Tunnel Guide Deploying the VMware Tunnel for your AirWatch environment

System Requirements. Network Administrator Guide

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Application Layer Introduction; HTTP; FTP

Tableau Server Security in Depth

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Firepower Threat Defense Site-to-site VPNs

Securing Internet Communication

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Security Association Creation

More Attacks on Cryptography 3/12/2010

Performance implication of elliptic curve TLS

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

Network Access Flows APPENDIXB

Citrix NetScaler 10.5 Essentials and Networking (CNS-205)

Performance Implications of Security Protocols

CS November 2018

TLSkex: Harnessing virtual machine introspection for decrypting TLS communication

Designing a Resource Pooling Transport Protocol

Security: Focus of Control. Authentication

JXTA TM Technology for XML Messaging

RSA SecurID Implementation

anonymous routing and mix nets (Tor) Yongdae Kim

Host Identity Protocol

Citrix NetScaler 10.5 Essentials for ACE Migration (CNS-208)

Microsoft Architecting Microsoft Azure Solutions.

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Transcription:

tcpcrypt: real transport-level encryption Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford.

What would it take to encrypt the vast majority of TCP traffic? Performance Fast enough to enable by default on almost all servers. Authentication Leverage certificates, cookies, passwords, etc., to give best possible security for any given setting. Compatibility Works in existing networks Works with unmodified legacy applications

An observation on layering of crypto n Encryption is a generic function. o Independent of the semantics of the application. n Integrity Protection is a generic function. o What arrives should be what is sent. n Authentication is strongly application-specific. o Depends on the semantics of the application.

An observation on layering of crypto Observation: Encryption and Integrity Protection are lower-layer functions than Authentication. n Encryption and Integrity Protection are natural transport-layer functions. o Cannot integrity-protect transport protocol from above it. o Different transport sessions have different security requirements so cannot share encryption keys. n Authentication is application-layer.

Tcpcrypt

Tcpcrypt uses TCP options to provide deployable transport-level encryption. n High server performance - push complexity to clients n Allow applications to authenticate endpoints. n Backwards compatibility: all TCP apps, all networks, all authentication settings.

Tcpcrypt overview n Extend TCP in a compatible way using TCP options. n Existing applications use standard socket API, just like regular TCP. o Encryption automatically enabled if both end points support Tcpcrypt. n Extended applications can use a new getsockopt() for authentication.

Push expensive operations to the client Initial handshake: Public-key No operations authentication. can be quite assymetric. Client decrypts. RSA-exp3-2048 performance: Lets servers accept connections 36x faster than SSL Perform decrypt on the client: Operation Encrypt Decrypt Latency 0.26ms 10.42ms Generate emphemeral key pair: public key enc pub_k (master_key) Generate random master key client server

After initial handshake, tcpcrypt s Session ID provides the hook to link application authentication to the session. n New getsockopt() returns non-secret Session ID value. n Unique for every connection. n If same on both ends, guaranteed there s no man-in-the-middle.

How to check the Session ID? n Out-of-band: e.g., phone call, other secure protocol. n PKI: server signs Session ID. n Pre-shared secret: send CMAC of Session ID, keyed with Pre-shared secret.

Authentication Example: Password-based Mutual Authentication n Whenever a user knows a password, mutual authentication should be used. o Does not rely on user to spot spurious URLs. Authenticating the session ID authenticates the endpoint session ID password-based auth of user and session ID tcpcrypt session ID

Authentication Example: Password-based Mutual Authentication

Authentication Example: Signing a batch of session IDs to amortize RSA costs A, signed by amazon.com RSA op session ID: A B, signed by amazon.com RSA op session ID: B

Authentication Example: Signing a batch of session IDs to amortize RSA costs session ID: A session ID: C A,B,C,D signed by amazon.com session ID: B A,B,C,D signed RSA op by amazon.com session ID: D

session ID: A session ID: C A,B,C,D signed A,B,C,D signed by amazon.com RSA op by amazon.com session ID: B session ID: D SSL servers RSA decrypt each client s secret: RSA op RSA op enc(secret A) enc(secret C) RSA op enc(secret B) RSA op enc(secret D)

Tcpcrypt in detail

Outline of Tcpcrypt key exchange

Key exchange is performed in the TCP connection setup handshake.

Key Scheduling

Tcpcrypt in TCP Packets

Crypto state can be cached. Subsequent connections between the same endpoints get similar latency to regular TCP.

Key Scheduling 2

Tcpcrypt Performance

Tcpcrypt implementations n Linux kernel implementation: 4,500 lines of code n Portable divert-socket implementation: 7000 LoC o Tested on Windows, MacOS, Linux, FreeBSD tcpcryptd application Network kernel n Binary compatible OpenSSL library that attempts tcpcrypt with batch-signing or falls back to SSL.

Apache using tcpcrypt performs well. Hardware: 8-core, 2.66GHz Xeon (2008-era). Software: Linux kernel implementation.

Authentication over Tcpcrypt is fast.

What would it take to encrypt all the traffic on the Internet, by default, all the time?

Why tcpcrypt? n Want to protect TCP packet headers. o Defend against insertion attacks, etc. o But still traverse NATs, firewalls that rewrite sequence numbers. n Want on-by-default encryption for existing unmodified apps to protect against passive easesdropping. o Fast enough to enable on all servers by default. o Won t break - downgrades to TCP if necessary. n Easy incremental deployment story due to negotiation in TCP handshake.

Why tcpcrypt? n Want to enable and encourage appropriate authentication above tcpcrypt. o Cert-based, mutual auth, PAKE, etc, as appropriate. o Eg. can support connectbyname() in a shim library, and leverage DANE for auth. n Separation of layering provides flexibility. o Eg. allows corporate firewall to do encryption and app to still do authentication, so corporate IDS still works. tcpcryptd on firewall RPC to get session ID.

Summary: tcpcrypt can enable ubiquitous transport level encryption n High server performance makes encryption a realistic default. n Applications can leverage Tcpcrypt to maximize communication security in every setting. n Incrementally deployable, compatible with legacy apps, TCP and NATs. http://tcpcrypt.org"

Spare slides

Connection setup latency is slightly increased due to client-side RSA decrypt. Protocol LAN connect time (ms) TCP 0.2 tcpcrypt cached 0.3 tcpcrypt not cached 11.3 SSL cached 0.7 SSL not cached 11.6 tcpcrypt batch sign 11.2 tcpcrypt CMAC 11.4 tcpcrypt PAKE 15.2

Most authentication can be done very cheaply, once the Tcpcrypt session is established. Protocol LAN connect time (ms) TCP 0.2 tcpcrypt cached 0.3 tcpcrypt not cached 11.3 SSL cached 0.7 SSL not cached 11.6 tcpcrypt batch sign 11.2 tcpcrypt CMAC 11.4 tcpcrypt PAKE 15.2

Batch signing does not add additional latency

Data encryption is very fast on today s CPUs

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback