The case for ubiquitous transport-level encryption

Similar documents
The case for ubiquitous transport level encryption. Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford.

tcpcrypt: real transport-level encryption Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford.

The case for ubiquitous transport-level encryption

SSL/TLS. How to send your credit card number securely over the internet

Transport Level Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Internet security and privacy

Encryption. INST 346, Section 0201 April 3, 2018

Securing Internet Communication

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Chapter 4: Securing TCP connections

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

IP Security IK2218/EP2120

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Auditing IoT Communications with TLS-RaR

CSCE 715: Network Systems Security

Securing Internet Communication: TLS

Authenticated Encryption

Real-time protocol. Chapter 16: Real-Time Communication Security

CS 494/594 Computer and Network Security

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

CSE543 Computer and Network Security Module: Network Security

Network Security: IPsec. Tuomas Aura

Initial connection setup. Adding subflow setup. Three-way handshake with MP_CAPABLE Exchange 64 bit key(key-a, Key-B)

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN. Berry Hoekstra Damir Musulin OS3 Supervisor: Jan Just Keijser Nikhef

Transport Layer Security

COSC4377. Chapter 8 roadmap

Data Security and Privacy. Topic 14: Authentication and Key Establishment

SSH Bulk Transfer Performance. Allan Jude --

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Auth. Key Exchange. Dan Boneh

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Parallelizing IPsec: switching SMP to On is not even half the way

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

MTAT Applied Cryptography

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Firewalls, Tunnels, and Network Intrusion Detection

Internet security and privacy

CSE 127: Computer Security Cryptography. Kirill Levchenko

E-commerce security: SSL/TLS, SET and others. 4.1

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Information Security CS 526

Chapter 8 Network Security

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

(2½ hours) Total Marks: 75

Cryptography and Network Security

On the Internet, nobody knows you re a dog.

Introduction to IPsec. Charlie Kaufman

Findings for

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

Virtual Private Network

PROTECTING CONVERSATIONS

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

SSL Accelerating Test Bench SSL accelerating Test Method

Introduction to Computer Security

1.264 Lecture 28. Cryptography: Asymmetric keys

Solving HTTP Problems With Code and Protocols NATASHA ROONEY

Cipher Suite Configuration Mode Commands

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Performance Implications of Security Protocols

Performance implication of elliptic curve TLS

Comparison of SSL/TLS libraries based on Algorithms/languages supported, Platform, Protocols and Performance. By Akshay Thorat

FIPS Non-Proprietary Security Policy

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

CS Computer Networks 1: Authentication

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Cubro Network Security Series

CPSC 467: Cryptography and Computer Security

Authenticated Encryption in TLS

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

OpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12

CS November 2018

Kerberos and Active Directory symmetric cryptography in practice COSC412

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

David Wetherall, with some slides from Radia Perlman s security lectures.

Uses of Cryptography

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

ESP Egocentric Social Platform

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

AIT 682: Network and Systems Security

Chapter 8 Web Security

Displaying SSL Configuration Information and Statistics

CSCE 715: Network Systems Security

Transport Layer Security

Transcription:

1/25 The case for ubiquitous transport-level encryption Andrea Bittau, Michael Hamburg, Mark Handley, David Mazières, and Dan Boneh Stanford and UCL November 18, 2010

Goals 2/25 What would it take to encrypt the vast majority of TCP traffic? 1. Fast enough to enable by default on almost all servers. 2 End-point authentication. Leverage certificates, cookies, passwords, etc., to achieve best possible security for any given setting. 3 Compatibility. Works in existing networks. Works with legacy apps.

today can be pretty bad 3/25 Connections/s 70000 60000 50000 40000 30000 20000 10000 0 60,156 TCP server 737 SSL server Biggest problem: cost of public key cryptography. Worst case: SSL can be 82x slower than TCP...

today can be pretty bad 3/25 Connections/s 70000 60000 50000 40000 30000 20000 10000 0 60,156 TCP server 19,153 server 737 SSL server Biggest problem: cost of public key cryptography. Worst case: SSL can be 82x slower than TCP... Worst case: only 3x slower than TCP!

Problem today: app-level auth divorced from transport 4/25 1 SSL encrypts + server auth. SSL. Authenticate server using certificates

Problem today: app-level auth divorced from transport 4/25 1 SSL encrypts + server auth. 2 App auths client. SSL. Authenticate server using certificates Username: Andrea Password: w00t SSL. Authenticate server using certificates If step 1 fails, step 2 doesn t help in fact, it harms.

What s the best we can do? Level of security against a network attacker depends on scenario. 5/25 Preconfiguration Use case Today s security Possible security None None No passive eavesdropping

What s the best we can do? Level of security against a network attacker depends on scenario. 5/25 Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth

What s the best we can do? Level of security against a network attacker depends on scenario. 5/25 Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth Shared secret (cookie) no SSL None Mutual auth

What s the best we can do? Level of security against a network attacker depends on scenario. 5/25 Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth Shared secret (cookie) no SSL Shared secret and SSL None Mutual auth if cert and pass OK Mutual auth Mutual auth if password OK

What s the best we can do? Level of security against a network attacker depends on scenario. 5/25 Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth Shared secret (cookie) no SSL Shared secret and SSL None Mutual auth if cert and pass OK Mutual auth Mutual auth if password OK

What s the best we can do? Level of security against a network attacker depends on scenario. goal with Preconfiguration Use case Today s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth Shared secret (cookie) no SSL Shared secret and SSL None Mutual auth if cert and pass OK Mutual auth Mutual auth if password OK 5/25

Backwards compatibility issues 6/25 Two prevalent ways of encrypting network traffic: 1 At application layer (e.g., SSL). Works over almost all networks. Need to modify applications. Application protocol may not allow incremental deployment. 2 At network layer (e.g., IPSec). Works with all applications. Breaks NAT. Can t leverage user authentication. Ubiquitous encryption requires best of both worlds.

: transport-layer encryption 7/25 : a TCP option for encryption. 1 High server performance: push complexity to clients. 2 Allow applications to authenticate end points. 3 Backwards compatibility: all TCP apps, all networks, all authentication settings.

overview 8/25 Extend TCP in a compatible way using TCP options. Applications use standard BSD socket API. New getsockopt for authentication. Encryption automatically enabled if both end points support.

Push expensive operations to clients Public key operations expensive, but not all equally expensive. RSA-exp3-2048 performance: 9/25 Operation Latency (ms) Decrypt 10.42 Encrypt 0.26 Have client do decrypt Generate ephemeral key pair public key enc pubk (master key) Generate random master key client server Without server authentication, have client decrypt. Lets servers accept connections at 36x rate of SSL.

Link app auth to transport auth 10/25 Session ID: hook linking to app-level authentication. New getsockopt returns non-secret Session ID value. Unique for every connection (if one endpoint honest). If same on both ends, no man-in-the-middle. Password based Authentication of user & sess ID Session ID Session ID Authenticating the Session ID authenticates the end point.

Auth example: batch signing Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost. RSA op. A Signed by amazon.com SID A 11/25

Auth example: batch signing Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost. RSA op. A Signed by amazon.com SID A 11/25 SID B B RSA op. Signed by amazon.com

Auth example: batch signing Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost. 11/25 SID A SID B SID C SID D RSA op. A, B, C, D Signed by amazon.com

Auth example: batch signing Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost. 11/25 SID A SID B SID C SID D A, B, C, D RSA op. Signed by amazon.com SSL servers must RSA decrypt each client s secret. RSA op. enc(secret A) enc(secret B) RSA op. RSA op. enc(secret C) enc(secret D) RSA op.

Key exchange overview 12/25 Do you support? Yes, and I support RSA RSA public key enc pubk (master key) Generate random master key client server Clients periodically generate ephemeral public keys.

key exchange 13/25 SYN SYN ACK ACK

key exchange 13/25 SYN - CRYPT(HELLO) probe SYN ACK ACK negotiation encoded in TCP options.

key exchange 13/25 SYN - CRYPT(HELLO) probe SYN ACK - CRYPT(PKCONF) public key ciphers and key sizes list ACK - CRYPT(INIT1) symmetric ciphers and MACs list, nonce, public key ACK - CRYPT(INIT2) encrypted client and server nonce (master key) crypto on negotiation encoded in TCP options. INIT1 and INIT2 too long: sent as data invisible to apps.

Key scheduling Master key is hash of: Server and client nonces. Public key used and negotiated parameters. 14/25 Master key hash (HMAC) RX MAC key TX MAC key RX enc. key TX enc. key Session ID

Key scheduling Master key is hash of: Server and client nonces. Public key used and negotiated parameters. 14/25 RX MAC key TX MAC key hash (HMAC) Master key RX enc. key TX enc. key Next master key MAC enc SID Session ID Session caching, like in SSL: on reconnect, establish new keys without explicit key exchange.

Session caching 15/25 SYN - NEXTK1 New session based on session with ID X SYN ACK - NEXTK2 OK! crypto on ack Low latency: completes within TCP handshake.

TCP MAC and encryption 16/25 src port seq no. ack no. dst port MACed Encrypted (64-bit seq) (64-bit ack) d.off. flags window checksum urg. ptr. options (e.g., SACK) MAC option data TCP length Allow NATs: do not MAC ports. Prevent replay: MAC extended (implicit) seq. no. Prevent truncation / extension: MAC length.

Implementation 17/25 1 Linux kernel implementation: 4,500 LoC. 2 Portable userspace divert socket implementation: 7,000 LoC. Tested on Windows (required implementing divert sockets), Mac OS, Linux and FreeBSD. Packet flow in divert socket implementation. 3 4 Network Kernel 1 2 application d 3 Binary compatible OpenSSL library that attempts with batch-signing or falls back to SSL.

overview 18/25 considerations when turning encryption on: 1 Does encryption sacrifice request handling throughput? E.g., how many web requests / second can a server handle? 2 Is request latency harmed? E.g., How long does a client need to wait before a web page is displayed? 3 Is data throughput high? What s the bitrate when downloading? Hardware: 8-core, 2.66GHz Xeon (2008-era). Software: Linux kernel implementation.

High connection rate on servers 19/25 Connections/s 120000 100000 80000 60000 40000 20000 0 98,434 TCP 27,070 server No sessions cached 754 SSL server

High connection rate on servers 19/25 Connections/s 120000 100000 80000 60000 40000 20000 0 98,434 TCP 70,044 server 27,070 No sessions cached All sessions cached 39,785 754 SSL server

Low authentication cost 20/25 Connections/s 35000 30000 25000 20000 15000 10000 5000 0 27,070 26,395 no auth 18,790 1,418 754 shared secret certificates weak password SSL 25x faster than SSL when batch signing

Web-serve up to 25x faster than SSL 21/25 Connection rate (conn/s) 70000 60000 50000 40000 30000 20000 10000 0 60,156 TCP 42,440 Apache serving a 44 byte static file. server 19,153 No sessions cached All sessions cached 19,787 No server authentication with : fair comparison would make slower. SSL 737

Lower connect latency than SSL 22/25 Protocol LAN connect time (ms) TCP 0.2 cached 0.3 not cached 11.3 SSL cached 0.7 SSL not cached 11.6 batch sign 11.2 CMAC 11.4 PAKE 15.2

Lower connect latency than SSL 22/25 Protocol LAN connect time (ms) TCP 0.2 cached 0.3 not cached 11.3 SSL cached 0.7 SSL not cached 11.6 batch sign 11.2 CMAC 11.4 PAKE 15.2

Lower connect latency than SSL 22/25 Protocol LAN connect time (ms) Batch signing TCP does not add latency 0.2 cached 0.3 not cached 11.3 SSL cached 0.7 SSL not cached 11.6 SYN - HELLO SYN ACK - PKCONF ACK - INIT1 batch sign 11.2 RSA sign start CMAC 11.4 RSA decrypt start PAKE 15.2 ACK - INIT2 Signature connection ready

Gigabit encryption possible 23/25 14000 12,954 Transfer rate (Mbit/s) 12000 10000 8000 6000 4000 2000 3,968 3,692 0 TCP AES SHA1 SSL AES SHA1

Gigabit encryption possible 23/25 Transfer rate (Mbit/s) 14000 12000 10000 8000 6000 4000 2000 12,954 8,835 AES-NI 3.33GHz i5 3,968 3,692 0 TCP AESNI UMAC AES SHA1 SSL AES SHA1 New CPUs (Westmere) with special AES instructions can saturate 9 Gbit/s networks while encrypting.

Related work 24/25 1 Network layer solutions: IPSec, Better Than Nothing Security. Hard to integrate with application-level authentication. Network compatibility issues: NATs. 2 Application layer solutions: SSL, Opportunistic encryption [Langley]. Poor server-side performance. Requires changes to apps and possibly protocol. 3 SSL performance improvements: SSL batching [Shacham & Boneh]: requires different public keys. SSL rebalancing [Castelluccia, Mykletun & Tsudik]: does not leverage app-level authentication.

25/25 1 High server performance makes encryption a realistic default. 2 Let applications leverage to maximize communication security in every setting. 3 Incrementally deployable, compatible with legacy apps, TCP and NATs. Install and help encrypt the Internet! http://.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback