The case for ubiquitous transport level encryption. Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford.

Similar documents
tcpcrypt: real transport-level encryption Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford.

The case for ubiquitous transport-level encryption

The case for ubiquitous transport-level encryption

Is it Still Possible to Extend TCP?

SSL/TLS. How to send your credit card number securely over the internet

Configuring SSL. SSL Overview CHAPTER

Transport Level Security

Configuring SSL CHAPTER

Introduction to IPsec. Charlie Kaufman

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Understanding Traffic Decryption

Configuring SSL Security

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

Configuring SSL. SSL Overview CHAPTER

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Performance implication of elliptic curve TLS

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

TLS 1.1 Security fixes and TLS extensions RFC4346

Auditing IoT Communications with TLS-RaR

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management).

What is Secure. Authenticated I know who I am talking to. Our communication is Encrypted

CS 494/594 Computer and Network Security

Certificate Enrollment for the Atlas Platform

Securing Internet Communication: TLS

L13. Reviews. Rocky K. C. Chang, April 10, 2015

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Securing Internet Communication

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

MTAT Applied Cryptography

On the Internet, nobody knows you re a dog.

CSE543 Computer and Network Security Module: Network Security

Data Security and Privacy. Topic 14: Authentication and Key Establishment

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Real-time protocol. Chapter 16: Real-Time Communication Security

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Developing ILNP. Saleem Bhatti, University of St Andrews, UK FIRE workshop, Chania. (C) Saleem Bhatti.

Performance Implications of Security Protocols

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication

SPDY - A Web Protocol. Mike Belshe Velocity, Dec 2009

Distributed Systems Exam 1 Review Paul Krzyzanowski. Rutgers University. Fall 2016

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Transport Layer Security

Wedge: Splitting Applications into Reduced-Privilege Compartments

Introduction to Computer Security

Deployment Guide AX Series with Oracle E-Business Suite 12

Application Layer Introduction; HTTP; FTP

DPI-SSL. DPI-SSL Overview

Auth. Key Exchange. Dan Boneh

Structured Streams: A New Transport Abstraction

MPTCP: Design and Deployment. Day 11

VMware Tunnel Guide Deploying the VMware Tunnel for your AirWatch environment

Information Security CS 526

And Then There Were More:

Network Security: IPsec. Tuomas Aura

Exploring Alternative Routes Using Multipath TCP

Configuring OpenVPN on pfsense

Nigori: Storing Secrets in the Cloud. Ben Laurie

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

CPSC 467: Cryptography and Computer Security

AD FS v3. Deployment Guide

Configuring the CSS for Device Management

Configuring CWMP Service

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP System v9.x with Microsoft IIS 7.0 and 7.5

Numerics. Index 1. SSH See SSH. connection inactivity time 2-3 console, for configuring authorized IP managers 11-5 DES 6-3, 7-3

SSH Bulk Transfer Performance. Allan Jude --

SSL VPN - IPv6 Support

Implementing Cisco Network Security (IINS) 3.0

Handout 20 - Quiz 2 Solutions

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Experimental Evaluation of Transport Services CoAP, HTTP and SPDY for Internet of Things

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

AT&T Cloud Web Security Service

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Initial connection setup. Adding subflow setup. Three-way handshake with MP_CAPABLE Exchange 64 bit key(key-a, Key-B)

SSL VPN - IPv6 Support

Secure Internet Communication

Network Control, Con t

Cisco Passguide Exam Questions & Answers

Schahin Rajab TCP or QUIC Which protocol is most promising for the future of the internet?

Transport Layer Security

Corrigendum 3. Tender Number: 10/ dated

1. What is a Computer Network? interconnected collection of autonomous computers connected by a communication technology

ELEC5616 COMPUTER & NETWORK SECURITY

Firewalls, Tunnels, and Network Intrusion Detection

Implementing Secure Socket Layer

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

IP Mobility vs. Session Mobility

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

CSCE 715: Network Systems Security

CSE 123A Computer Netwrking

Designing a Resource Pooling Transport Protocol

Linux Systems Security. Access Control and Authentication NETS1028 Fall 2016

CSE 127: Computer Security Cryptography. Kirill Levchenko

Identity Firewall. About the Identity Firewall

Apache Security with SSL Using FreeBSD

System Requirements. Network Administrator Guide

Understanding Traffic Decryption

Transcription:

The case for ubiquitous transport level encryption Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford.

What would it take to encrypt all the traffic on the Internet, by default, all the time?

Crypto 101 Encryption without authentication is useless.

Encryption without authentication is like meeting a stranger in a dark alley. Whatever happens, there will be no witnesses.

True, if you need military-grade security False, in many practical situations. Crypto 101 Encryption without authentication is useless.

True, if you need military-grade security False, in many practical situations. Crypto 101 Encryption without authentication is useless. The perfect is the enemy of the good As dogma, leads to flawed security architectures.

What would it take to encrypt the vast majority of TCP traffic? Performance Fast enough to enable by default on almost all servers. Authentication Leverage certificates, cookies, passwords, etc., to give best possible security for any given setting. Compatibility Works in existing networks Works with unmodified legacy applications

Performance is still pretty poor today, unless expensive crypto hardware is used. Main cost is public key cryptography on the server during session establishment. SSL ~80x slower than a regular TCP session.

Performance is still pretty poor today, unless expensive crypto hardware is used. Main cost is public key cryptography on the server during session establishment. SSL ~80x slower than a regular TCP session. Worst case: Tcpcrypt is 3x slower than TCP

Authentication at the application level is divorced from authentication at the transport level. Step 1. Authenticate server using certificates SSL Step 2. Authenticate user using password Username: mjh Passwd: abc123 SSL If Step 1. fails, Step 2. doesn t help - in fact it harms.

In pretty much all cases, it s possible to provide better security than we do today. Preconfiguration Use case Today s security Possible security None None No passive eavesdropping

In pretty much all cases, it s possible to provide better security than we do today. Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth

In pretty much all cases, it s possible to provide better security than we do today. Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth Shared secret (cookie), no SSL None Mutual auth

In pretty much all cases, it s possible to provide better security than we do today. Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth Shared secret (cookie), no SSL None Mutual auth Shared secret and SSL Mutual auth if cert and pwd OK Mutual auth if password OK Today s Security Our goals

An observation on layering of crypto Encryption is a generic function. Independent of the semantics of the application. Integrity Protection is a generic function. What arrives should be what is sent. Authentication is strongly application-specific. Depends on the semantics of the application.

An observation on layering of crypto Observation: Encryption and Integrity Protection are lower-layer functions than Authentication. Encryption and Integrity Protection are transport-layer functions. Cannot integrity-protect transport protocol from above it. Different transport sessions have different security requirements so cannot share encryption keys. Authentication is application-layer.

Tcpcrypt

Tcpcrypt uses TCP options to provide deployable transport-level encryption. High server performance - push complexity to clients Allow applications to authenticate endpoints. Backwards compatibility: all TCP apps, all networks, all authentication settings.

Tcpcrypt overview Extend TCP in a compatible way using TCP options. Existing applications use standard socket API, just like regular TCP. Encryption automatically enabled if both end points support Tcpcrypt. Extended applications can use a new getsockopt() for authentication.

Push expensive operations to the client Initial handshake: Public-key No operations authentication. can be quite assymetric. Client decrypts. RSA-exp3-2048 performance: Lets servers accept connections 36x faster than SSL Perform decrypt on the client: Operation Encrypt Decrypt Latency 0.26ms 10.42ms Generate emphemeral key pair: public key enc pub_k (master_key) Generate random master key client server

After initial handshake, tcpcrypt s Session ID provides the hook to link application authentication to the session. New getsockopt() returns non-secret Session ID value. Unique for every connection. If same on both ends, guaranteed there s no man-in-the-middle.

How to check the Session ID? Out-of-band: e.g., phone call, other secure protocol. PKI: server signs Session ID. Pre-shared secret: send CMAC of Session ID, keyed with Pre-shared secret.

Authentication Example 1: Password-based Mutual Authentication Whenever a user knows a password, mutual authentication should be used. Does not rely on user to spot spurious URLs. Authenticating the session ID authenticates the endpoint session ID password-based auth of user and session ID tcpcrypt session ID

Authentication Example 1: Password-based Mutual Authentication

Authentication Example 2: Equivalent security to SSL using a PKI A, signed by amazon.com RSA op tcpcrypt session session ID: A B, signed by amazon.com RSA op session ID: B Problem: no faster than SSL because signing is expensive

Authentication Example: Signing a batch of session IDs to amortize RSA costs A,B,C,D signed by amazon.com session ID: A A,B,C,D signed by amazon.com session ID: B session ID: C A,B,C,D signed by amazon.com A,B,C,D signed RSA op by amazon.com session ID: D

A,B,C,D signed by amazon.com session ID: A session ID: C A,B,C,D signed by amazon.com A,B,C,D signed A,B,C,D signed RSA op by amazon.com by amazon.com session ID: B session ID: D SSL servers must RSA decrypt each client s secret: RSA op RSA op enc(secret A) enc(secret C) RSA op enc(secret B) RSA op enc(secret D)

Tcpcrypt in detail

Outline of Tcpcrypt key exchange

Key exchange is performed in the TCP connection setup handshake.

Key Scheduling

Tcpcrypt in TCP Packets

Crypto state can be cached. Subsequent connections between the same endpoints get similar latency to regular TCP.

Key Scheduling 2

Tcpcrypt Performance

Tcpcrypt implementations Linux kernel implementation: 4,500 lines of code Portable divert-socket implementation: 7000 LoC Tested on Windows, MacOS, Linux, FreeBSD tcpcryptd application Network kernel Binary compatible OpenSSL library that attempts tcpcrypt with batch-signing or falls back to SSL.

Performance Questions Does enabling encryption reduce the request rate a server can handle? Is request latency increased? Is data throughput high? Hardware: 8-core, 2.66GHz Xeon (2008-era). Software: Linux kernel implementation.

Tcpcrypt supports high rates of connection setup

Apache using tcpcrypt performs well.

Authentication over Tcpcrypt is fast.

Connection setup latency is slightly increased due to client-side RSA decrypt. Protocol TCP tcpcrypt cached tcpcrypt not cached SSL cached SSL not cached tcpcrypt batch sign tcpcrypt CMAC tcpcrypt PAKE LAN connect time (ms) 0.2 0.3 11.3 0.7 11.6 11.2 11.4 15.2

Most authentication can be done very cheaply, once the Tcpcrypt session is established. Protocol TCP tcpcrypt cached tcpcrypt not cached SSL cached SSL not cached tcpcrypt batch sign tcpcrypt CMAC tcpcrypt PAKE LAN connect time (ms) 0.2 0.3 11.3 0.7 11.6 11.2 11.4 15.2

Batch signing does not add additional latency

Data encryption is very fast on today s CPUs

Tcpcrypt Deployability

Can you actually deploy changes to TCP in today s Internet? Forget what you learned about ISO reference models and layered stacks - it s a jungle out there. Many middleboxes that play with TCP. If you want to extend TCP, need to know what precisely will get through today s Internet?

Can you actually deploy changes to TCP in today s Internet? We studied 142 access networks in 24 countries. Ran tests to measure what actually happened to TCP. Are new options actually permitted? Does resegmentation occur in the network? Are sequence numbers modified? Do middleboxes proactively ack?

Middleboxes and new TCP Options in SYN Middleboxes that remove unknown options are not so rare, especially on port 80

Does other bizarre middlebox behaviour break Tcpcrypt? Rewrote sequence numbers: 10% of paths (18% on port 80) Tcpcrypt can MAC sequence offsets from start of connection. Resegmented data: 3% of paths (13% on port 80) Proxy Ack: 3% of paths (7% on port 80) But all of these paths also removed new options from the SYN, so Tcpcrypt would not have negotiated. Aside: 26% of paths (33% on port 80) do strange things if you send an ack for data not yet sent.

What would it take to encrypt all the traffic on the Internet, by default, all the time?

Split Encryption from Authentication. Do each at the appropriate layer.

Devise appropriate user interfaces for authentication in web browsers

Summary: the case for ubiquitous transport level encryption High server performance makes encryption a realistic default. Applications can leverage Tcpcrypt to maximize communication security in every setting. Incrementally deployable, compatible with legacy apps, TCP and NATs. http://tcpcrypt.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback