Tcpcrypt: real transport-level encryption UCL and Stanford. Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh.

Slides:



Advertisements
Similar presentations
Encrypting Wireless Data with VPN Techniques
Advertisements

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.
TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
SCSC 455 Computer Security Virtual Private Network (VPN)
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
Guide to Network Defense and Countermeasures Second Edition
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Protected Extensible Authentication Protocol
IEEE Wireless Local Area Networks (WLAN’s).
EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Internet Protocol Security (IPSec)
Host Identity Protocol
Secure Sockets Layer 1 / 99  SSL is perhaps the widest used security protocol on the Internet today.  Together with DC enables secure communication.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
OPeNDAP Hyrax Back-End Server (BES) Authentication and Authorization Patrick West
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
SOCKS Group: Challenger Member: Lichun Zhan. Agenda Introduction SOCKS v4 SOCKS v5 Summary Conclusion References Questions.
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
Chapter 13 – Network Security
Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.
1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like )
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
Abdullah Alshalan Garrett Drown Team 3 CSE591: Virtualization and Cloud Computing.
Unit 1: Protection and Security for Grid Computing Part 2
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
SSL/TLS How to send your credit card number securely over the internet.
Securing Data with Internet Protocol Security (IPSec) Designing IPSec Policies Planning IPSec Deployment.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
Lecture 24 Wireless Network Security
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
Chapter 14 Network Encryption
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
Cryptography CSS 329 Lecture 13:SSL.
Lecture 10 Page 1 CS 236 Online SSL and TLS SSL – Secure Socket Layer TLS – Transport Layer Security The common standards for securing network applications.
Skype.
The Secure Sockets Layer (SSL) Protocol
Secure Sockets Layer (SSL)
Tcpcrypt The case for ubiquitous transport level encryption
Using SSL – Secure Socket Layer
The Secure Sockets Layer (SSL) Protocol
NFD Tunnel Authentication
Presentation transcript:

tcpcrypt: real transport-level encryption UCL and Stanford. Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh.

What would it take to encrypt the vast majority of TCP traffic? Performance Fast enough to enable by default on almost all servers. Authentication Leverage certificates, cookies, passwords, etc., to give best possible security for any given setting. Compatibility Works in existing networks Works with unmodified legacy applications

An observation on layering of crypto Encryption is a generic function.  Independent of the semantics of the application. Integrity Protection is a generic function.  What arrives should be what is sent. Authentication is strongly application-specific.  Depends on the semantics of the application.

An observation on layering of crypto Observation: Encryption and Integrity Protection are lower- layer functions than Authentication. Encryption and Integrity Protection are natural transport- layer functions.  Cannot integrity-protect transport protocol from above it.  Different transport sessions have different security requirements so cannot share encryption keys. Authentication is application-layer.

Tcpcrypt

Tcpcrypt uses TCP options to provide deployable transport-level encryption. High server performance - push complexity to clients Allow applications to authenticate endpoints. Backwards compatibility: all TCP apps, all networks, all authentication settings.

Tcpcrypt overview Extend TCP in a compatible way using TCP options. Existing applications use standard socket API, just like regular TCP.  Encryption automatically enabled if both end points support Tcpcrypt. Extended applications can use a new getsockopt() for authentication.

Push expensive operations to the client Public-key operations can be quite assymetric. RSA-exp performance: OperationLatency Encrypt0.26ms Decrypt10.42ms Perform decrypt on the client: Generate emphemeral key pair: Generate random master key public key enc pub_k (master_key) clientserver Initial handshake: No authentication. Client decrypts. Lets servers accept connections 36x faster than SSL Initial handshake: No authentication. Client decrypts. Lets servers accept connections 36x faster than SSL

After initial handshake, tcpcrypt’s Session ID provides the hook to link application authentication to the session. New getsockopt() returns non-secret Session ID value. Unique for every connection. If same on both ends, guaranteed there’s no man-in-the- middle.

How to check the Session ID? Out-of-band: e.g., phone call, other secure protocol. PKI: server signs Session ID. Pre-shared secret: send CMAC of Session ID, keyed with Pre-shared secret.

session ID session ID tcpcrypt Authentication Example: Password-based Mutual Authentication Whenever a user knows a password, mutual authentication should be used.  Does not rely on user to spot spurious URLs. Authenticating the session ID authenticates the endpoint password-based auth of user and session ID

Authentication Example: Password-based Mutual Authentication

Authentication Example: Signing a batch of session IDs to amortize RSA costs session ID: A “A”, signed by amazon.com RSA op session ID: B “B”, signed by amazon.com RSA op

Authentication Example: Signing a batch of session IDs to amortize RSA costs session ID: A session ID: B session ID: D session ID: C “A,B,C,D” signed by amazon.com “A,B,C,D” signed by amazon.com “A,B,C,D” signed by amazon.com “A,B,C,D” signed by amazon.com RSA op

SSL servers RSA decrypt each client’s secret: session ID: A session ID: B session ID: D session ID: C “A,B,C,D” signed by amazon.com “A,B,C,D” signed by amazon.com “A,B,C,D” signed by amazon.com “A,B,C,D” signed by amazon.com RSA op enc(Secret A)enc(Secret C) enc(Secret D)enc(Secret B) RSA op

Tcpcrypt in detail

Outline of Tcpcrypt key exchange

Key exchange is performed in the TCP connection setup handshake.

Key Scheduling

Tcpcrypt in TCP Packets

Crypto state can be cached. Subsequent connections between the same endpoints get similar latency to regular TCP.

Key Scheduling 2

Tcpcrypt Performance

Tcpcrypt implementations Linux kernel implementation: 4,500 lines of code Portable divert-socket implementation: 7000 LoC  Tested on Windows, MacOS, Linux, FreeBSD Binary compatible OpenSSL library that attempts tcpcrypt with batch-signing or falls back to SSL. kernel tcpcryptd application Network

Apache using tcpcrypt performs well. Hardware: 8-core, 2.66GHz Xeon (2008-era). Software: Linux kernel implementation.

Authentication over Tcpcrypt is fast.

What would it take to encrypt all the traffic on the Internet, by default, all the time?

Why tcpcrypt? Want to protect TCP packet headers.  Defend against insertion attacks, etc.  But still traverse NATs, firewalls that rewrite sequence numbers. Want on-by-default encryption for existing unmodified apps to protect against passive easesdropping.  Fast enough to enable on all servers by default.  Won’t break - downgrades to TCP if necessary. Easy incremental deployment story due to negotiation in TCP handshake.

Why tcpcrypt? Want to enable and encourage appropriate authentication above tcpcrypt.  Cert-based, mutual auth, PAKE, etc, as appropriate.  Eg. can support connectbyname() in a shim library, and leverage DANE for auth. Separation of layering provides flexibility.  Eg. allows corporate firewall to do encryption and app to still do authentication, so corporate IDS still works. tcpcryptd on firewall RPC to get session ID.

Summary: tcpcrypt can enable ubiquitous transport level encryption High server performance makes encryption a realistic default. Applications can leverage Tcpcrypt to maximize communication security in every setting. Incrementally deployable, compatible with legacy apps, TCP and NATs.

Spare slides

Connection setup latency is slightly increased due to client-side RSA decrypt. Protocol LAN connect time (ms) TCP0.2 tcpcrypt cached0.3 tcpcrypt not cached 11.3 SSL cached0.7 SSL not cached11.6 tcpcrypt batch sign11.2 tcpcrypt CMAC11.4 tcpcrypt PAKE15.2

Most authentication can be done very cheaply, once the Tcpcrypt session is established. Protocol LAN connect time (ms) TCP0.2 tcpcrypt cached0.3 tcpcrypt not cached 11.3 SSL cached0.7 SSL not cached11.6 tcpcrypt batch sign11.2 tcpcrypt CMAC11.4 tcpcrypt PAKE15.2

Batch signing does not add additional latency

Data encryption is very fast on today’s CPUs

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.