TLS Handshake Proxying - From theory to reality

TLS Handshake ProxyingFrom theory to reality

IEEE S&P April 20, 2014 Nick Sullivan

@grittygrease

Two competing goals on the web• Security & Privacy

• Performance

Privacy: SSL/TLS• Point-to-point authentication and encryption

• The little lock icon in your browser

• Browser-server model

• Server certificate bound to a public key, signed by a Certificate Authority

• Private key provides authentication of server to client

• Session key established with handshake

Private Key

Problem with TLS• Web servers (nginx, apache, ISS) read private keys from disk, use in

memory

• Private key disclosure allows

• Server impersonation

• Retroactive decryption of sessions with RSA handshake

Private key security - protection• Process memory disclosure

• Secure allocation

• Separate process for private key

• Machine DMA attack

• Encrypted memory

• Hardware: HSM or TPM

• Machine compromise or theft

• ???

Web performance• The web is changing — consolidation at the edge of the network

• CDNs provide distributed global load balancing

• TLS needs to be terminated at caching layer

• Private keys need to be distributed to the edge

• This is why banks do not use CDNs — yet

Traditional traffic routing

Anycast routing with reverse proxy

Two contradictory goals• Global load balancing of TLS

• Private key security

Keyless SSL• Compromise between key security and performance

• Split the state machine geographically

• Private key operation performed at site owner’s facility (in HSM, etc)

• Rest of handshake performed at the edge

• Communicate to signing server over secure tunnel

Keyless SSL

Keyless SSL• All static assets served over TLS from the edge

• Dynamic assets served from origin through reverse proxy

Private Key

Keyless SSL - In Production

• This is not an academic exercise or proof of concept

• Based on modified nginx/OpenSSL

• Customers include

• Top Wall Street investment bank

• Top Silicon Valley Internet company

Keyless SSL - Security

• Formal proof of security: joint work with Douglas Stebila

• Code audit by iSEC partners

TLS Handshake ProxyingFrom theory to reality

IEEE S&P April 20, 2014 Nick Sullivan

@grittygrease

TLS Handshake Proxying - From theory to reality

Software

Transcript of TLS Handshake Proxying - From theory to reality

Part III TLS 1.3 and other Protocolscyber.biu.ac.il/.../uploads/2018/02/MF_Part_III_TLS.pdf · 2018. 2. 12. · TLS 1.3: (EC)DHE-Handshake (Crypto Details) CH CKS SH SKS {ation*}

A Formal Treatment of Accountable Proxying over TLS · A Formal Treatment of Accountable Proxying over TLS Karthikeyan Bhargavan1, Ioana Boureanu2, Antoine Delignat-Lavaud3, Pierre-Alain

A Formal TLS Handshake Model in LNTconvecs.inria.fr/doc/publications/Bozic-Marsso-Mateescu-Wotawa-18… · Transport Layer Security (TLS) [9] is a widely used security protocol. TLS

A Modular Security Analysis of the TLS Handshake Protocol · A Modular Security Analysis of the TLS Handshake Protocol P. Morrissey, N.P. Smart, and B. Warinschi Department Computer

Analysing the EAP-TLS Handshake and the 4-Way Handshake of ... · Analysing the EAP-TLS Handshake and the 4-Way Handshake of the 802.11i Standard. Abdullah Alabdulatif1, Xiaoqi Ma2.

The Transport Layer Security (TLS) Protocol Version 1 · Handshake Protocol . . . . . . . . . . . . . . . . . . . 123 ... Implementation Pitfalls ... Appendix E. Overview of Security

Webpage Proxying

Universally Composable Security Analysis of TLS| Secure ... · Universally Composable Security Analysis of TLS| Secure Sessions with Handshake and Record Layer Protocols Sebastian

Analysing the EAP-TLS Handshake and the 4-Way Handshake of …infonomics-society.org/wp-content/uploads/ijisr/... · 2015-09-25 · transient key (PTK). The PMK is not used directly

Slitheen: Perfectly imitated decoy routing through trafﬁc ...cacr.uwaterloo.ca/techreports/2016/cacr2016-05.pdfplication data after the completion of the TLS handshake. Domain fronting

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol ... · full TLS-DHE (ACCE)[JKSS]2012 veriﬁed MITLS impl.[BFK+]2013 TLS-DH, TLS-RSA-CCA[KSS] ... game-based model, “provable

A Cryptographic Analysis of the TLS 1.3 Handshake …...A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates Benjamin Dowling Electrical Engineering and Computer Science

Sullivan handshake proxying-ieee-sp_2014

Information Session for the Master-Seminar Sensor Nodes ... · Securing Communications between Multiple Entities Using a Single TLS Session (NTMS 2011) • Adapting TLS Handshake

A Comprehensive Empirical Analysis of TLS Handshake and Record Layer on IoT …bdezfouli/publication/MSWIM2019_SCU... · 2019. 9. 10. · Empirical Analysis of TLS Handshake and Record

Proxying - Haifux

15-440 Distributed Systems - Synergy Labs · Setup Channel with TLS “Handshake” 15 Handshake Steps: 1)Clients and servers negotiate exact cryptographic protocols 2)Client’s

A Tutorial Introduction to DANEslides.lacnic.net/wp-content/themes/slides/docs/lacnic24... · 2016. 4. 22. · TLS Handshake ClientHello ServerHello ServerCertificate ServerKeyExchange

TLS 1.3: A Collision of Implementation, Standards, and ... · Stebila. A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol, 2016. [JSS15]Tibor

Post-quantum TLS without handshake signatures · 2020-05-07 · Post-quantum TLS without handshake signatures 0 2 4 6 8 10 0 50 100 150 200 RSA-2048 + X25519 min incl. int. cert.