Upload File

an analysis of tls handshake proxying

40
An Analysis of TLS Handshake Proxying Nick Sullivan (@grittygrease) Douglas Stebila (@dstebila) IEEE TrustCom August 20, 2015 CloudFlare Inc. Queensland University of Technology

Upload: nick-sullivan

Post on 19-Feb-2017

1.355 views

Category:

Technology


2 download

Report

TRANSCRIPT

Page 1: An analysis of TLS handshake proxying

An Analysis of TLS Handshake ProxyingNick Sullivan (@grittygrease) Douglas Stebila (@dstebila)

IEEE TrustCom August 20, 2015

CloudFlare Inc. Queensland University of Technology

Page 2: An analysis of TLS handshake proxying

Two competing goals on the web• Performance

• Security & Privacy

2

Page 3: An analysis of TLS handshake proxying

Performance on the Web

Improving performance by reducing latency

3

Page 4: An analysis of TLS handshake proxying

Web performance• Fundamentally bound by the speed of light

• Content Delivery Networks (CDNs) provide distributed global load balancing and caching

4

Page 5: An analysis of TLS handshake proxying

Reverse Proxy

5

Page 6: An analysis of TLS handshake proxying

Traditional traffic routing

6

Page 7: An analysis of TLS handshake proxying

Routing with reverse proxy

7

Page 8: An analysis of TLS handshake proxying

Security & Privacy on the Web

HTTPS and key compromise risks

8

Page 9: An analysis of TLS handshake proxying

HTTPS/TLS• Point-to-point authentication and encryption

• Visualized in lock icon in your browser address bar

9

Page 10: An analysis of TLS handshake proxying

HTTPS/TLS• client-server model

• Private key operation in handshake proves ownership of the certificate

• Client validates certificate via PKI

• Handshake establishes session keys

10

Page 11: An analysis of TLS handshake proxying

Private key compromise risks• Most cryptography is written in memory-unsafe languages like C

• Private keys are read from disk, used in memory

• Web servers (nginx, Apache) use OpenSSL

11

Page 12: An analysis of TLS handshake proxying

12

HEARTBLEED

Page 13: An analysis of TLS handshake proxying

Private key compromise consequences• Private key disclosure breaks TLS trust model

• Server impersonation

• Retroactive decryption of sessions with RSA handshake

13

Page 14: An analysis of TLS handshake proxying

Keys on the edge

Combining HTTPS and Reverse Proxies

14

Page 15: An analysis of TLS handshake proxying

TLS with reverse proxies• TLS needs to be terminated at caching layer

• Private keys need to be distributed to the edge

• Financial institutions are highly regulated — no sharing with third parties

• This is why banks do not use CDNs — yet

15

Page 16: An analysis of TLS handshake proxying

Reverse Proxy With HTTPS

🔒 🔑

🔒

Private Key

Page 17: An analysis of TLS handshake proxying

Location of TLS Terminators

17

Page 18: An analysis of TLS handshake proxying

Two contradictory goals• Global load balancing of TLS

• Reducing private key attack surface

18

Page 19: An analysis of TLS handshake proxying

Keyless SSL

19

Private Key

Page 20: An analysis of TLS handshake proxying

TLS Handshake Proxying

Combining HTTPS and Reverse Proxies

20

Page 21: An analysis of TLS handshake proxying

TLS Handshake Proxying• Compromise between key security and performance

• Split the handshake geographically

• Private key operation performed at site owner’s facility (in HSM, etc)

• Rest of handshake performed at the edge

• Communicate to key server over secure tunnel

21

Page 22: An analysis of TLS handshake proxying

TLS in RSA mode

22

Private Key

Page 23: An analysis of TLS handshake proxying

TLS in RSA mode with remote private key

23

Private Key

Page 24: An analysis of TLS handshake proxying

TLS Handshake Proxying• Private key stored in trusted location

• Mutually-authenticated TLS tunnel from edge

• TLS session resumption

• All static assets served over TLS from the edge

• Dynamic assets served from origin through reverse proxy

24

Page 25: An analysis of TLS handshake proxying

Also…• Fully implemented and live!

25

Page 26: An analysis of TLS handshake proxying

Performance Analysis

26

Page 27: An analysis of TLS handshake proxying

Geography of TLS

27

Page 28: An analysis of TLS handshake proxying

28

Geography of TLS With Proxy

Page 29: An analysis of TLS handshake proxying

29

Geography of TLS Handshake Proxy

Page 30: An analysis of TLS handshake proxying

Performance estimate• Triangle inequality for the internet topology

30

Page 31: An analysis of TLS handshake proxying

Performance measurement

31

Page 32: An analysis of TLS handshake proxying

Additional Performance Notes• Persistent connection between Edge and Key Server is already established

• Otherwise the first connection will be slower

• Session resumption is even more improved

• No need to connect to key server if resumption data is present

32

Page 33: An analysis of TLS handshake proxying

Security Analysis

33

Page 34: An analysis of TLS handshake proxying

Security goals of TLS• Server-to-client authentication

• Channel security

34

Page 35: An analysis of TLS handshake proxying

Security goals of TLS Handshake Proxying• Key-server-to-client authentication

• Edge-server-to-client authentication

• Channel security

• Optional: Forward Security

35

Page 36: An analysis of TLS handshake proxying

Security of the key server• Dedicated TLS connection between key server and edge

• TLS client authentication with Private CA

• Timing side-channel protection

• Message size side-channel protection

36

Page 37: An analysis of TLS handshake proxying

Security of the edge server• Session ID-based resumption

• no claims about shared local session state

• sessions expiry determines forward secrecy

• Session Ticket-based resumption

• sharing state among all edge servers can result in confusion (rely on Host header)

• sessions ticket decryption secret lifetime determines forward-secrecy

37

Page 38: An analysis of TLS handshake proxying

Conclusions

38

Page 39: An analysis of TLS handshake proxying

TLS Handshake Proxying• Balances two contradictory goals

• Global load balancing of TLS

• Private key security

• Improved performance

• Strong security guarantees

39

Page 40: An analysis of TLS handshake proxying

An Analysis of TLS Handshake ProxyingNick Sullivan (@grittygrease) Douglas Stebila (@dstebila)

IEEE TrustCom August 20, 2015

CloudFlare Inc. Queensland University of Technology


Post-quantum TLS without handshake signatures · 2020-05-07 · Post-quantum TLS without handshake signatures 0 2 4 6 8 10 0 50 100 150 200 RSA-2048 + X25519 min incl. int. cert

Post-quantum TLS without handshake signatures · Post-quantum TLS without handshake signatures Full version, May 7, 2020 Peter Schwabe Radboud University [email protected] Douglas

Cryptography – SSL/TLS · • Public-key cryptography during initial handshake to authenticate and exchange session keys – PKI (X.509 Certificates) • Symmetric key cryptography

Accountable Proxying over TLS · TLS KEY USAGE API Server partially trusts middlebox to terminate TLS but does not hand over its private key Clients CDN (TLS terminator) Key Server

Implementing and Proving the TLS 1.3 Record Layer. In TLS 1.2, CCS messages signal key changes; in TLS 1.3 this function is taken over by handshake messages. Related Work Since the

Lazy Loading and Object Proxying Shenangians

Client Side Caching for TLS - hovav.net · The resume handshake protocol is used to reinstate a previously negotiated TLS session between a client and a server. Compared to a full

Proving the TLS Handshake Secure (as it is) ·  · 2018-01-04Proving the TLS Handshake Secure ... In theory, only very restrictive con gurations have been proved secure. ... servers

Part III TLS 1.3 and other Protocolscyber.biu.ac.il/.../uploads/2018/02/MF_Part_III_TLS.pdf · 2018. 2. 12. · TLS 1.3: (EC)DHE-Handshake (Crypto Details) CH CKS SH SKS {ation*}

Advances in Storage Security Standards - SNIA · Advances in Storage Security Standards Jason Cox Intel Corporation . ... Core Spec Addendum: Secure Messaging Maps TLS v1.2 handshake

A Tutorial Introduction to DANEslides.lacnic.net/wp-content/themes/slides/docs/lacnic24... · 2016. 4. 22. · TLS Handshake ClientHello ServerHello ServerCertificate ServerKeyExchange

20110701 zsc2011-advanced proxying-formatted

Security Analysis of Network ProtocolsMany Protocols Authentication • Kerberos Key Exchange • SSL/TLS handshake, IKE, JFK, IKEv2, Wireless and mobile computing • Mobile IP, WEP,

A Modular Security Analysis of the TLS Handshake Protocol · A Modular Security Analysis of the TLS Handshake Protocol P. Morrissey, N.P. Smart, and B. Warinschi Department Computer

TLS Handshake Proxying - From theory to reality

Overview of TLS v1 - OWASP · • During Handshake – Client announces it supports session resumption. – Server provides a PSK identities during handshake. • After handshake,

Handshake for Students - Augustana College Handshake User...Handshake for Students Welcome to Handshake! Handshake continually personalizes career recommendations based on your interests

TLS 1.3 and RIOT-OSsummit.riot-os.org/2018/wp-content/uploads/sites/10/2018/...2018/09/03  · TLS Handshake now requires only one RTT instead of two Client can start sending data

A Formal TLS Handshake Model in LNTconvecs.inria.fr/doc/publications/Bozic-Marsso-Mateescu-Wotawa-18… · Transport Layer Security (TLS) [9] is a widely used security protocol. TLS

Cryptographic Analysis of TLS Kenny Paterson• Method used is negotiated along with key exchange method during the Handshake Protocol itself. – Specified in ciphersuites. • Most

A Cryptographic Analysis of the TLS 1.3 Handshake …...A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates Benjamin Dowling Electrical Engineering and Computer Science

15-440 Distributed Systems - Synergy Labs · Setup Channel with TLS “Handshake” 15 Handshake Steps: 1)Clients and servers negotiate exact cryptographic protocols 2)Client’s

Universally Composable Security Analysis of TLS| Secure ... · Universally Composable Security Analysis of TLS| Secure Sessions with Handshake and Record Layer Protocols Sebastian

The Transport Layer Security (TLS) Protocol - » RFC … · Handshake Protocol Overview .....33 7.4. Handshake Protocol ... Implementation Pitfalls ... Security of Composite Cipher

A Formal Treatment of Accountable Proxying over TLS · A Formal Treatment of Accountable Proxying over TLS Karthikeyan Bhargavan1, Ioana Boureanu2, Antoine Delignat-Lavaud3, Pierre-Alain

Proxying - Haifux

Client Side Caching for TLS - Stanford Universitydabo/papers/fasttrack.pdf · mechanisms: a full handshake, and a resume handshake protocol. The re-sume handshake protocol is used

Slitheen: Perfectly imitated decoy routing through traffic ...cacr.uwaterloo.ca/techreports/2016/cacr2016-05.pdfplication data after the completion of the TLS handshake. Domain fronting

A Comprehensive Empirical Analysis of TLS Handshake and Record Layer on IoT …bdezfouli/publication/MSWIM2019_SCU... · 2019. 9. 10. · Empirical Analysis of TLS Handshake and Record

Cryptography Application TLS / SSLSSL Operations • Application calls SSL connect routines to set up channel. • Public Key cryptography is used during handshake to authenticate

Was ist neu bei TLS 1.3? - FRAOSUG · • TLS 1.3 protects the negotiated data as soon as it is possible during the handshake. • ’Early’ Application Data can be transmitted

Introduction to Proxying and Squid

Sullivan handshake proxying-ieee-sp_2014

Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 … · 2017. 2. 2. · Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates Marc Fischlin

Proxying - Haifux · Proxying Œ p.3/24. HTTP Proxying Proxying Œ p.4/24. What is HTTP HTTP, or Hyper Text Transfer Protocol, is the standard protocol used to access web pages, and