An analysis of TLS handshake proxying

Nick Sullivan

Feb 19, 2017

Transcript
Page 1: An analysis of TLS handshake proxying

An Analysis of TLS Handshake Proxying

Nick Sullivan (@grittygrease), Douglas Stebila (@dstebila)

IEEE TrustCom, August 20, 2015

CloudFlare Inc., Queensland University of Technology

Page 2: An analysis of TLS handshake proxying

Two competing goals on the web
• Performance
• Security & Privacy

Page 3: An analysis of TLS handshake proxying

Performance on the Web

Improving performance by reducing latency


Page 4: An analysis of TLS handshake proxying

Web performance
• Fundamentally bound by the speed of light
• Content Delivery Networks (CDNs) provide distributed global load balancing and caching

Page 5: An analysis of TLS handshake proxying

Reverse Proxy


Page 6: An analysis of TLS handshake proxying

Traditional traffic routing


Page 7: An analysis of TLS handshake proxying

Routing with reverse proxy


Page 8: An analysis of TLS handshake proxying

Security & Privacy on the Web

HTTPS and key compromise risks


Page 9: An analysis of TLS handshake proxying

HTTPS/TLS
• Point-to-point authentication and encryption
• Visualized as the lock icon in your browser address bar

Page 10: An analysis of TLS handshake proxying

HTTPS/TLS
• Client-server model
• Private key operation in handshake proves ownership of the certificate
• Client validates certificate via PKI
• Handshake establishes session keys

Page 11: An analysis of TLS handshake proxying

Private key compromise risks
• Most cryptography is written in memory-unsafe languages like C
• Private keys are read from disk, used in memory
• Web servers (nginx, Apache) use OpenSSL

Page 12: An analysis of TLS handshake proxying


HEARTBLEED

Page 13: An analysis of TLS handshake proxying

Private key compromise consequences
• Private key disclosure breaks TLS trust model
• Server impersonation
• Retroactive decryption of sessions with RSA handshake

Page 14: An analysis of TLS handshake proxying

Keys on the edge

Combining HTTPS and Reverse Proxies


Page 15: An analysis of TLS handshake proxying

TLS with reverse proxies
• TLS needs to be terminated at caching layer
• Private keys need to be distributed to the edge
• Financial institutions are highly regulated — no sharing with third parties
• This is why banks do not use CDNs — yet

Page 16: An analysis of TLS handshake proxying

Reverse Proxy With HTTPS

(diagram: lock and key icons; label: Private Key)

Page 17: An analysis of TLS handshake proxying

Location of TLS Terminators


Page 18: An analysis of TLS handshake proxying

Two contradictory goals
• Global load balancing of TLS
• Reducing private key attack surface

Page 19: An analysis of TLS handshake proxying

Keyless SSL

(diagram; label: Private Key)

Page 20: An analysis of TLS handshake proxying

TLS Handshake Proxying

Combining HTTPS and Reverse Proxies


Page 21: An analysis of TLS handshake proxying

TLS Handshake Proxying
• Compromise between key security and performance
• Split the handshake geographically
• Private key operation performed at site owner's facility (in an HSM, etc.)
• Rest of handshake performed at the edge
• Communicate with key server over secure tunnel

Page 22: An analysis of TLS handshake proxying

TLS in RSA mode

(diagram; label: Private Key)

Page 23: An analysis of TLS handshake proxying

TLS in RSA mode with remote private key

(diagram; label: Private Key)

Page 24: An analysis of TLS handshake proxying

TLS Handshake Proxying
• Private key stored in trusted location
• Mutually-authenticated TLS tunnel from edge
• TLS session resumption
• All static assets served over TLS from the edge
• Dynamic assets served from origin through reverse proxy

Page 25: An analysis of TLS handshake proxying

Also…
• Fully implemented and live!

Page 26: An analysis of TLS handshake proxying

Performance Analysis


Page 27: An analysis of TLS handshake proxying

Geography of TLS


Page 28: An analysis of TLS handshake proxying

Geography of TLS With Proxy

Page 29: An analysis of TLS handshake proxying

Geography of TLS Handshake Proxy

Page 30: An analysis of TLS handshake proxying

Performance estimate
• Triangle inequality for the internet topology

Page 31: An analysis of TLS handshake proxying

Performance measurement


Page 32: An analysis of TLS handshake proxying

Additional Performance Notes
• Persistent connection between Edge and Key Server is already established
  • Otherwise the first connection will be slower
• Session resumption benefits even more
  • No need to connect to key server if resumption data is present

Page 33: An analysis of TLS handshake proxying

Security Analysis


Page 34: An analysis of TLS handshake proxying

Security goals of TLS
• Server-to-client authentication
• Channel security

Page 35: An analysis of TLS handshake proxying

Security goals of TLS Handshake Proxying
• Key-server-to-client authentication
• Edge-server-to-client authentication
• Channel security
• Optional: Forward Security

Page 36: An analysis of TLS handshake proxying

Security of the key server
• Dedicated TLS connection between key server and edge
• TLS client authentication with Private CA
• Timing side-channel protection
• Message size side-channel protection

Page 37: An analysis of TLS handshake proxying

Security of the edge server
• Session ID-based resumption
  • No claims about shared local session state
  • Session expiry determines forward secrecy
• Session Ticket-based resumption
  • Sharing state among all edge servers can result in confusion (rely on Host header)
  • Session ticket decryption secret lifetime determines forward secrecy
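
An added Go example (not from the paper or from CloudFlare) of the ticket-based resumption points on this slide: an edge keeps a ring of ticket encryption keys, can resume a session only while the key that issued its ticket is still in the ring, and binds each ticket to the server name so that a key ring shared among edge servers cannot resume one host's session for another. The TicketStore type, the ticket layout (key id, nonce, AES-GCM ciphertext of the master secret), the 24-hour lifetime and the injectable clock are assumptions of the example, chosen so the expiry can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// ticketKey is one session-ticket encryption key. The id is a random prefix
// stored in clear at the front of each ticket so the edge knows which key to try.
type ticketKey struct {
	id      []byte
	aead    cipher.AEAD
	created time.Time
}

// TicketStore is an edge server's ticket key ring (constructed for this example).
// The newest key issues tickets; any key still in the ring can resume them.
// A key dropped from the ring takes every ticket it protected with it, which is
// how the ticket key lifetime bounds forward secrecy for resumed sessions.
type TicketStore struct {
	keys     []ticketKey
	lifetime time.Duration
	now      func() time.Time // injectable clock so expiry can be tested offline
}

func NewTicketStore(lifetime time.Duration, now func() time.Time) (*TicketStore, error) {
	s := &TicketStore{lifetime: lifetime, now: now}
	return s, s.Rotate()
}

// Rotate prepends a fresh AES-128-GCM key and retires keys older than lifetime.
func (s *TicketStore) Rotate() error {
	raw, id := make([]byte, 16), make([]byte, 4)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	if _, err := rand.Read(id); err != nil {
		return err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	now := s.now()
	kept := []ticketKey{{id: id, aead: aead, created: now}}
	for _, k := range s.keys {
		if now.Sub(k.created) < s.lifetime {
			kept = append(kept, k)
		}
	}
	s.keys = kept
	return nil
}

// Issue seals the session's master secret into a ticket. The server name is
// bound as AEAD additional data, so a ticket minted for one host cannot resume
// a session for another host that happens to share the same key ring.
func (s *TicketStore) Issue(serverName string, masterSecret []byte) ([]byte, error) {
	k := s.keys[0]
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(append([]byte{}, k.id...), nonce...)
	return k.aead.Seal(header, nonce, masterSecret, []byte(serverName)), nil
}

// Resume recovers the master secret if the ticket's key is still in the ring
// and the host matches; any other outcome means a full handshake, including
// the round trip to the key server.
func (s *TicketStore) Resume(serverName string, ticket []byte) ([]byte, error) {
	for _, k := range s.keys {
		idLen, ns := len(k.id), k.aead.NonceSize()
		if len(ticket) < idLen+ns || !bytes.Equal(ticket[:idLen], k.id) {
			continue
		}
		ms, err := k.aead.Open(nil, ticket[idLen:idLen+ns], ticket[idLen+ns:], []byte(serverName))
		if err != nil {
			return nil, errors.New("ticket rejected: wrong host or tampered")
		}
		return ms, nil
	}
	return nil, errors.New("ticket key retired or unknown: full handshake required")
}

func main() {
	store, err := NewTicketStore(24*time.Hour, time.Now)
	if err != nil {
		panic(err)
	}
	ticket, _ := store.Issue("example.com", make([]byte, 48)) // constructed master secret
	_, err = store.Resume("example.com", ticket)
	fmt.Println("resumed under current key:", err == nil)
}
```

Rotating more often than the lifetime keeps resumption working across rotations, while the lifetime alone decides how long a captured ticket stays decryptable if the ring is ever exposed; that is the trade-off the slide's last bullet is pointing at.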

Page 38: An analysis of TLS handshake proxying

Conclusions


Page 39: An analysis of TLS handshake proxying

TLS Handshake Proxying
• Balances two contradictory goals
  • Global load balancing of TLS
  • Private key security
• Improved performance
• Strong security guarantees

Page 40: An analysis of TLS handshake proxying

An Analysis of TLS Handshake Proxying

Nick Sullivan (@grittygrease), Douglas Stebila (@dstebila)

IEEE TrustCom, August 20, 2015

CloudFlare Inc., Queensland University of Technology