The Trusted Cloud Transfer Protocol (TCTP)
Service-centric Networking, Telekom Innovation Laboratories
Public-private partnership of Technische Universität Berlin and Deutsche Telekom
Mathias Slawik, Technische Universität Berlin
The Trusted Cloud Transfer Protocol
Topics
• Motivation
• TCTP and the State-of-the-Art
• Evaluation
The Trusted Cloud Transfer Protocol 2
TCTP in a nutshell
• End-to-end HTTP security
• Secure communication through cloud proxies
• Encapsulation of TLS in HTTP
• Related work challenges
TCTP Motivation
To proxy or not to proxy...
HTTP proxy challenge
a) Relay TLS?
b) Act as TLS Server?
a) Relay TLS?
Plaintext confidentiality
HTTP management
b) Act as TLS server?
HTTP management
Plaintext confidentiality
Loss of plaintext confidentiality
• Privacy risks
• More security effort
• Violation of legal obligations
• Risk of unauthorized access
c) ?
HTTP Messages
    POST /patients HTTP/1.1
    Content-Type: text/json
    Content-Length: 81

    {
      "name" : "John Doe",
      "status" : "therapy",
      "reason" : "broken leg"
    }

Header fields: less confidential, needed for HTTP mgmt.
Entity body: often confidential, not needed for HTTP mgmt.
c) Entity body encryption
Entity body confidentiality
HTTP management
F*****g TCTP, how does it work?
TCTP: Process
1. End-to-end key exchange
2. HTTP entity body encryption
3. ?
4. Profit
TCTP
• Encapsulation of TLS
• Key exchange: TLS Handshake protocol
• Body encryption: TLS Records
Key exchange
HALEC
• HTTP Application Layer Encryption Channel
• Persists TLS session state
• Required for multiple connections
• Identified by URL
Body encryption
    POST /patients HTTP/1.1
    Content-Type: text/json
    Content-Length: 81
    Content-Encoding: encrypted

    /halecs/1Mfjk941xkFe
    [binary TLS records]

• Unencrypted header fields allow HTTP management
• First line of the body: HALEC URL
• Encrypted TLS Records contain HTTP body
TCTP Novelties
Why another protocol?
State-of-the-Art
• S/MIME
• XML Encryption / Signature
• HTTPSec
• (S-HTTP)
• (Any tinkered solution)
Analysis
Message-flow protection
Streaming capabilities
Discovery mechanism
Easily implemented (Basis: TLS)
TCTP does not ...
... fix the broken CA system.
... prevent information disclosure through URLs
Evaluation
TCTP Prototype
TCTP Middleware
Webserver (Thin)
Lorem Ipsum App
TCTP Library
TCTP Client script
Secure webserver access.
Reusable TCTP library.
TCTP for any Ruby web application.
Test data generation for benchmark.
TCTP Overhead
Conceptual Overhead
• Discovery & handshake round trip
Technical Overhead
• Handshake, Encryption, Processing
Impacts on performance
• Network latency
• Hardware performance
• TLS library efficiency
• Framework overhead
• TCTP software efficiency
Benchmarks
Processing Overhead
Hardware: Intel Core i7-3520M, Windows 8.1, Ruby 2.0
[Chart: processing overhead in percent (axis 0 to 20) for body sizes 1 kB, 2.5 kB, 5 kB, 7.5 kB and 10 kB; data labels as extracted: 4,63 %, 4,94 %, 1,50 %, 11,38 %, 2,08 %]
Combined overhead
              1 req      10 req     100 req    1k req
    50 ms     133,77%    40,66%     9,21%      5,30%
    100 ms    103,36%    30,87%     7,97%      5,18%
    250 ms    82,94%     24,83%     7,22%      5,10%
What's next?
• Implementation of TCTP-enabled proxy (ongoing)
• Watch our GitHub!
• Application of TCTP in TRESOR
Summary
To sum up...
• TCTP: end-to-end HTTP security
• TCTP: addresses challenges
• Preliminary results: Promising
Thank you. Fork me.
https://github.com/TU-Berlin-SNET/tctp-rack
Backup
Efficient presentation
• Minimize transmitted data
• XML: XML, S/MIME: Base64
• TCTP: Binary, compressed TLS records
Efficient presentation
Capability discovery
• Discover
  • What resources need protection?
  • Where to perform the handshake?
• Related work: None
• TCTP: Discovery mechanism
Capability discovery
    OPTIONS * HTTP/1.1
    Accept: text/prs.tctp-discovery

    HTTP/1.1 200 OK
    Content-Type: text/prs.tctp-discovery
    Content-Length: 81

    /:
    /(service(.+?))?:
    /(service(.+?)/)?static.*:
    /(service(.+?)/)?.*:/\1/halecs
Secure key exchange
• XML Enc/Sig & S/MIME
  • None specified
  • Normally out of band
• TCTP
  • TLS handshaking protocol
TLS Handshake
    Client                                               Server

    ClientHello                  -------->
                                                    ServerHello
                                                   Certificate*
                                             ServerKeyExchange*
                                            CertificateRequest*
                                 <--------      ServerHelloDone
    Certificate*
    ClientKeyExchange
    CertificateVerify*
    [ChangeCipherSpec]
    Finished                     -------->
                                             [ChangeCipherSpec]
                                 <--------             Finished
    Application Data             <------->     Application Data
First client request
    POST /halecs HTTP/1.1
    Content-Length: 211

    [binary TLS record]

• POST on discovered HALEC creation URL.
• TLS Record: client_hello
Server response
    HTTP/1.1 200 OK
    Content-Length: 1050
    Location: /halecs/Adaw7VXdVpu

    [binary TLS records]

• Location header: URL of new HALEC
• TLS Records: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
Second client request
    POST /halecs/Adaw7VXdVpu HTTP/1.1
    Content-Length: 198

    [binary TLS records]

• POST on newly created HALEC URL.
• TLS Records: ClientKeyExchange, ChangeCipherSpec, Finished
Server response
    HTTP/1.1 200 OK
    Content-Length: 266

    [binary TLS records]

• TLS Records: ChangeCipherSpec, Finished
Algorithm negotiation
• XML Enc/Sig, S/MIME
  • None
• TCTP
  • TLS Handshaking Protocol functionality
Implementation support
• XML Enc/Sig, S/MIME
  • Many frameworks available
• TCTP
  • TLS / Web frameworks available
  • Prototype (complete)
  • Proxy (ongoing)
Message-flow protection
• Prevent proxies from replaying encrypted data
• Related work only considers single messages
• TCTP: TLS HMAC prevents replay by proxies
Streaming capability
• Large downloads and media stream challenges
• Related work: adaptation needed
• TCTP: TLS record protocol fragments data into 16.384 byte (2^14) parts
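The body layout from the "Body encryption" slide and the TLS-record handshake bodies, as an added Ruby example (not from the slides or from tctp-rack): it reads only the HALEC URL line and the 5-byte TLS record headers, which is all an intermediary without the HALEC keys can inspect. The CRLF after the URL line, the function names and the sample bytes are assumptions.

```ruby
# Added example (not tctp-rack code); all names here are hypothetical.
MAX_CIPHERTEXT = 2**14 + 2048 # TLS 1.2 upper bound for one encrypted record
CONTENT_TYPES = { 20 => :change_cipher_spec, 21 => :alert,
                  22 => :handshake, 23 => :application_data }.freeze
TlsRecord = Struct.new(:type, :version, :length)

# Walk the 5-byte TLS record headers (type, version, length) in a byte string.
# Only headers are read; fragments stay opaque, as they do for a proxy.
def parse_tls_records(bytes)
  bytes = bytes.b
  records = []
  pos = 0
  while pos < bytes.bytesize
    raise ArgumentError, "truncated header at #{pos}" if bytes.bytesize - pos < 5
    type, major, minor, length = bytes.byteslice(pos, 5).unpack("CCCn")
    name = CONTENT_TYPES.fetch(type) { raise ArgumentError, "unknown content type #{type}" }
    raise ArgumentError, "record too long (#{length})" if length > MAX_CIPHERTEXT
    raise ArgumentError, "truncated fragment at #{pos}" if pos + 5 + length > bytes.bytesize
    records << TlsRecord.new(name, [major, minor], length)
    pos += 5 + length
  end
  records
end

# Assumed layout of an encrypted entity body, following the slide:
# HALEC URL line, CRLF, then the TLS records.
def parse_encrypted_body(body)
  body = body.b
  eol = body.index("\r\n") or raise ArgumentError, "missing HALEC URL line"
  url = body.byteslice(0, eol)
  raise ArgumentError, "HALEC URL is not a path" unless url.match?(%r{\A/[\x21-\x7e]*\z})
  [url, parse_tls_records(body.byteslice(eol + 2, body.bytesize))]
end

# Constructed sample: a full 2^14-byte record and a short one, dummy ciphertext.
def sample_body
  rec = ->(n) { [23, 3, 3, n].pack("CCCn") + ("\x00".b * n) }
  "/halecs/1Mfjk941xkFe\r\n".b + rec.(2**14) + rec.(100)
end

if __FILE__ == $PROGRAM_NAME
  url, records = parse_encrypted_body(sample_body)
  puts url
  records.each { |r| puts "#{r.type} #{r.version.join('.')} #{r.length}" }
end
```

`parse_tls_records` can also be applied directly to the handshake POST bodies, which carry TLS records without a leading URL line.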