Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tcpcrypt: real transport-level encryption UCL and Stanford. Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh.

Published byEsther Wingrove Modified over 9 years ago

Similar presentations

Presentation on theme: "Tcpcrypt: real transport-level encryption UCL and Stanford. Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh."— Presentation transcript:

1 tcpcrypt: real transport-level encryption UCL and Stanford. Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh.

2 What would it take to encrypt the vast majority of TCP traffic? Performance Fast enough to enable by default on almost all servers. Authentication Leverage certificates, cookies, passwords, etc., to give best possible security for any given setting. Compatibility Works in existing networks Works with unmodified legacy applications

3 An observation on layering of crypto Encryption is a generic function.  Independent of the semantics of the application. Integrity Protection is a generic function.  What arrives should be what is sent. Authentication is strongly application-specific.  Depends on the semantics of the application.

4 An observation on layering of crypto Observation: Encryption and Integrity Protection are lower- layer functions than Authentication. Encryption and Integrity Protection are natural transport- layer functions.  Cannot integrity-protect transport protocol from above it.  Different transport sessions have different security requirements so cannot share encryption keys. Authentication is application-layer.

5 Tcpcrypt

6 Tcpcrypt uses TCP options to provide deployable transport-level encryption. High server performance - push complexity to clients Allow applications to authenticate endpoints. Backwards compatibility: all TCP apps, all networks, all authentication settings.

7 Tcpcrypt overview Extend TCP in a compatible way using TCP options. Existing applications use standard socket API, just like regular TCP.  Encryption automatically enabled if both end points support Tcpcrypt. Extended applications can use a new getsockopt() for authentication.

8 Push expensive operations to the client Public-key operations can be quite assymetric. RSA-exp3-2048 performance: OperationLatency Encrypt0.26ms Decrypt10.42ms Perform decrypt on the client: Generate emphemeral key pair: Generate random master key public key enc pub_k (master_key) clientserver Initial handshake: No authentication. Client decrypts. Lets servers accept connections 36x faster than SSL Initial handshake: No authentication. Client decrypts. Lets servers accept connections 36x faster than SSL

9 After initial handshake, tcpcrypt’s Session ID provides the hook to link application authentication to the session. New getsockopt() returns non-secret Session ID value. Unique for every connection. If same on both ends, guaranteed there’s no man-in-the- middle.

10 How to check the Session ID? Out-of-band: e.g., phone call, other secure protocol. PKI: server signs Session ID. Pre-shared secret: send CMAC of Session ID, keyed with Pre-shared secret.

11 session ID session ID tcpcrypt Authentication Example: Password-based Mutual Authentication Whenever a user knows a password, mutual authentication should be used.  Does not rely on user to spot spurious URLs. Authenticating the session ID authenticates the endpoint password-based auth of user and session ID

12 Authentication Example: Password-based Mutual Authentication

13 Authentication Example: Signing a batch of session IDs to amortize RSA costs session ID: A “A”, signed by amazon.com RSA op session ID: B “B”, signed by amazon.com RSA op

14 Authentication Example: Signing a batch of session IDs to amortize RSA costs session ID: A session ID: B session ID: D session ID: C “A,B,C,D” signed by amazon.com “A,B,C,D” signed by amazon.com “A,B,C,D” signed by amazon.com “A,B,C,D” signed by amazon.com RSA op

15 SSL servers RSA decrypt each client’s secret: session ID: A session ID: B session ID: D session ID: C “A,B,C,D” signed by amazon.com “A,B,C,D” signed by amazon.com “A,B,C,D” signed by amazon.com “A,B,C,D” signed by amazon.com RSA op enc(Secret A)enc(Secret C) enc(Secret D)enc(Secret B) RSA op

16 Tcpcrypt in detail

17 Outline of Tcpcrypt key exchange

18 Key exchange is performed in the TCP connection setup handshake.

19 Key Scheduling

20 Tcpcrypt in TCP Packets

21 Crypto state can be cached. Subsequent connections between the same endpoints get similar latency to regular TCP.

22 Key Scheduling 2

23 Tcpcrypt Performance

24 Tcpcrypt implementations Linux kernel implementation: 4,500 lines of code Portable divert-socket implementation: 7000 LoC  Tested on Windows, MacOS, Linux, FreeBSD Binary compatible OpenSSL library that attempts tcpcrypt with batch-signing or falls back to SSL. kernel tcpcryptd application Network

25 Apache using tcpcrypt performs well. Hardware: 8-core, 2.66GHz Xeon (2008-era). Software: Linux kernel implementation.

26 Authentication over Tcpcrypt is fast.

27 What would it take to encrypt all the traffic on the Internet, by default, all the time?

28 Why tcpcrypt? Want to protect TCP packet headers.  Defend against insertion attacks, etc.  But still traverse NATs, firewalls that rewrite sequence numbers. Want on-by-default encryption for existing unmodified apps to protect against passive easesdropping.  Fast enough to enable on all servers by default.  Won’t break - downgrades to TCP if necessary. Easy incremental deployment story due to negotiation in TCP handshake.

29 Why tcpcrypt? Want to enable and encourage appropriate authentication above tcpcrypt.  Cert-based, mutual auth, PAKE, etc, as appropriate.  Eg. can support connectbyname() in a shim library, and leverage DANE for auth. Separation of layering provides flexibility.  Eg. allows corporate firewall to do encryption and app to still do authentication, so corporate IDS still works. tcpcryptd on firewall RPC to get session ID.

30 Summary: tcpcrypt can enable ubiquitous transport level encryption High server performance makes encryption a realistic default. Applications can leverage Tcpcrypt to maximize communication security in every setting. Incrementally deployable, compatible with legacy apps, TCP and NATs. http://tcpcrypt.org

31 Spare slides

32 Connection setup latency is slightly increased due to client-side RSA decrypt. Protocol LAN connect time (ms) TCP0.2 tcpcrypt cached0.3 tcpcrypt not cached 11.3 SSL cached0.7 SSL not cached11.6 tcpcrypt batch sign11.2 tcpcrypt CMAC11.4 tcpcrypt PAKE15.2

33 Most authentication can be done very cheaply, once the Tcpcrypt session is established. Protocol LAN connect time (ms) TCP0.2 tcpcrypt cached0.3 tcpcrypt not cached 11.3 SSL cached0.7 SSL not cached11.6 tcpcrypt batch sign11.2 tcpcrypt CMAC11.4 tcpcrypt PAKE15.2

34 Batch signing does not add additional latency

35 Data encryption is very fast on today’s CPUs

Download ppt "Tcpcrypt: real transport-level encryption UCL and Stanford. Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS 4362 - CIS 5357 Network Security.

1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.

Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.

Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

Similar presentations

Ads by Google