the trusted cloud transfer protocol (tctp)

Service-centric Networking, Telekom Innovation Laboratories Public private partnership of Technische Universität Berlin and Deutsche Telekom

Mathias Slawik, Technische Universität Berlin

The Trusted Cloud Transfer Protocol

Topics

• Motivation • TCTP and the State-of-the-Art • Evaluation

The Trusted Cloud Transfer Protocol 2

TCTP in a nutshell

• End-to-end HTTP security • Secure communication

through cloud proxies • Encapsulation of TLS in HTTP • Related work challenges

The Trusted Cloud Transfer Protocol 3

TCTP Motivation

To proxy or not to proxy...

The Trusted Cloud Transfer Protocol 4

The Trusted Cloud Transfer Protocol 6

HTTP proxy challenge

a) Relay TLS? b) Act as TLS Server?

The Trusted Cloud Transfer Protocol 7

a) Relay TLS?

Plaintext confidentiality

HTTP management

The Trusted Cloud Transfer Protocol 8

b) Act as TLS server?

HTTP management

Plaintext confidentiality

The Trusted Cloud Transfer Protocol 9

Loss of plaintext confidentiality

• Privacy risks • More security effort • Violation of legal obligations • Risk of unauthorized access

The Trusted Cloud Transfer Protocol 10

c) ?

The Trusted Cloud Transfer Protocol 11

HTTP Messages

The Trusted Cloud Transfer Protocol 12

POST /patients HTTP/1.1↩ Content-Type: text/json↩ Content-Length: 81↩ ↩ {↩ "name" : "John Doe",↩ "status" : "therapy",↩ "reason" : "broken leg"↩ }

Less confidential Needed for HTTP mgmt.

Often confidential Not needed for HTTP mgmt.

c) Entity body encryption

Entity body confidentiality

HTTP management

The Trusted Cloud Transfer Protocol 13

F*****g TCTP, how does it work?

The Trusted Cloud Transfer Protocol 14

TCTP: Process

1. End-to-end key exchange 2. HTTP entity body encryption 3. ? 4. Profit

The Trusted Cloud Transfer Protocol 15

TCTP

• Encapsulation of TLS

• Key exchange: TLS Handshake protocol

• Body encryption: TLS Records

The Trusted Cloud Transfer Protocol 16

Key exchange

The Trusted Cloud Transfer Protocol 17

HALEC

• HTTP Application Layer Encryption Channel

• Persists TLS session state • Required for multiple connections • Identified by URL

The Trusted Cloud Transfer Protocol 18

Body encryption

The Trusted Cloud Transfer Protocol 19

POST /patients HTTP/1.1↩ Content-Type: text/json↩ Content-Length: 81↩ Content-Encoding: encrypted↩ ↩ /halecs/1Mfjk941xkFe↩

¤«ÙÖ�n�iz®Ë¤|w��,ñ ¯_)SÊ(@oüÊÊÈÚ» næG�_ÔÊQ %"�ÂN¬�¹Îïú&i

Unencrypted header fields allow HTTP management

Encrypted TLS Records contain HTTP body

HALEC URL

TCTP Novelties

The Trusted Cloud Transfer Protocol 20

Why another protocol?

State-of-the-Art

• S/MIME • XML Encryption / Signature • HTTPSec • (S-HTTP) • (Any tinkered solution)

The Trusted Cloud Transfer Protocol 21

Analysis

Message-flow protection

The Trusted Cloud Transfer Protocol 23

Streaming capabilities

The Trusted Cloud Transfer Protocol 24

Discovery mechanism

The Trusted Cloud Transfer Protocol 25

Easily implemented (Basis: TLS)

The Trusted Cloud Transfer Protocol 26

TCTP does not ...

... fix the broken CA system.

... prevent information disclosure through URLs

The Trusted Cloud Transfer Protocol 27

Evaluation

The Trusted Cloud Transfer Protocol 28

TCTP Prototype

29

TCTP Middleware

Webserver (Thin)

Lorem Ipsum App

TCTP Library

TCTP Client script

Secure webserver

access.

Reusable TCTP library.

TCTP for any Ruby web application.

Test data generation for benchmark.

TCTP Overhead

Conceptual Overhead • Discovery & handshake round trip

Technical Overhead

• Handshake, Encryption, Processing

The Trusted Cloud Transfer Protocol 30

Impacts on performance

• Network latency • Hardware performance • TLS library efficiency • Framework overhead • TCTP software efficiency

The Trusted Cloud Transfer Protocol 31

Benchmarks

The Trusted Cloud Transfer Protocol 32

Processing Overhead

The Trusted Cloud Transfer Protocol 33

Hardware: Intel Core i7-3520M, Windows 8.1, Ruby 2.0

4,63 % 4,94 %

1,50 %

11,38 %

2,08 %

0

5

10

15

20

1 kB 2.5 kB 5 kB 7.5 kB 10 kB

Combined overhead

The Trusted Cloud Transfer Protocol 34

1 req 10 req 100 req 1k req50 ms 133,77% 40,66% 9,21% 5,30%100 ms 103,36% 30,87% 7,97% 5,18%250 ms 82,94% 24,83% 7,22% 5,10%

0%

50%

100%

150%

What‘s next?

• Implementation of TCTP enabled proxy (ongoing) • Watch our Github!

• Application of TCTP in TRESOR

The Trusted Cloud Transfer Protocol 35

Summary

The Trusted Cloud Transfer Protocol 36

To sum up...

TCTP: end-to-end HTTP security TCTP: addresses challenges Preliminary results: Promising

The Trusted Cloud Transfer Protocol 37

Thank you. Fork me.

The Trusted Cloud Transfer Protocol 38

https://github.com/TU-Berlin-SNET/tctp-rack

Backup

The Trusted Cloud Transfer Protocol 39

Efficient presentation

• Minimize transmitted data • XML: XML, S/MIME: Base64 • TCTP: Binary, compressed TLS

records

The Trusted Cloud Transfer Protocol 40

Efficient presentation

The Trusted Cloud Transfer Protocol 41

Capability discovery

• Discover • What resources need protection? • Where to perform the handshake?

• Related work: None • TCTP: Discovery mechanism

The Trusted Cloud Transfer Protocol 42

Capability discovery

43

OPTIONS * HTTP/1.1↩ Accept: text/prs.tctp-discovery↩ ↩

HTTP/1.1 200 OK↩ Content-Type: text/prs.tctp-discovery↩ Content-Length: 81↩ ↩ /:↩ /(service(.+?))?:↩ /(service(.+?)/)?static.*:↩ /(service(.+?)/)?.*:/\1/halecs

Secure key exchange

• XML Enc/Sig & S/MIME • None specified • Normally out of band

• TCTP • TLS handshaking protocol

The Trusted Cloud Transfer Protocol 44

TLS Handshake

The Trusted Cloud Transfer Protocol 45

Client Server ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data

First client request

The Trusted Cloud Transfer Protocol 46

POST /halecs HTTP/1.1↩ Content-Length: 211↩ ↩ Î ÊR��[ñ�l�Kf¢u¹§ê:çñtÃ�xÛd8ãÐ}U \ÀÀ 9 8 � �ÀÀ 5 �ÀÀ ÀÀ ÀÀ 3 2 � � E DÀÀ / � A ÀÀÀÀ ÿ D

4 2 #

POST on discovered HALEC creation URL.

TLS Record client_hello

Server response

The Trusted Cloud Transfer Protocol 47

HTTP/1.1 200 OK↩ Content-Length: 1050↩ Location: /halecs/Adaw7VXdVpu↩ ↩ 5 1R��[ym�9¥_z-Ôc�N½>É°_�õE4prÏ 9 ÿ # �� �0��0�� 000131120095643Z131120105643Z0,10Utctp-server10�&��ò,dtctp0�"0*�H�÷ � 0��·Â "!��º}�ÿ��Aî)ád±óµó�)ßn...

URL of new HALEC

TLS Records: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone

Second client request

The Trusted Cloud Transfer Protocol 48

POST /halecs/Adaw7VXdVpu HTTP/1.1↩ Content-Length: 198↩ ↩ � � �äZ�«EÕ)UÿØ3Ô6á�� ,Ý4�Ê<e>�_ùßó{¹5¨AæP¬/3��yàDÔÖÃZ!q}ög�hV*ÁM³Yoÿì|.w�Í×3ø<7MJúÑ!¢.=æÜ�m3ÂgÍ)IH�Ë¡iê\±��¶Tù 06Fnq#ã§ebðÚ H�v�Ãv�Fäw´ñ¥mF�?ø?[iqi�_�Ø`ìarJQ

POST on newly created HALEC URL.

TLS Records: ClientKeyExchange, ChangeCipherSpec, Finished

Server response

The Trusted Cloud Transfer Protocol 49

HTTP/1.1 200 OK↩ Content-Length: 266↩ ↩ Ê Æ ÀÁGú�®ëA½²¸ �øí°�qAó0N&�»R¨tX"äWà�IdÚ û/C]Ð?×ÔèÆü#Ūë{ *YÊ´GòD� e.ÐÑ{+!Í`MöÄ�×�{ýÚâà� �h1�ÔWq7g¸à Lù½jÕLÌExµÇë��RdB¦ÅÉ��*§õez\`&üvæ͸å=°6½VØ%tY}PÞÊöF�Î"�¿~¸O÷·à�V',©�Ô±UÊ0Ú¹\ÐeÌ�ÿÓù$�å½Ì&;d¸õ¹æÖ¶ù0/×/YUE";üø�9�Áóàtõ

TLS Records: ChangeCipherSpec, Finished

Algorithm negotiation

• XML Enc/Sig, S/MIME • None

• TCTP • TLS Handshaking Protocol

functionality

The Trusted Cloud Transfer Protocol 50

Implementation support

• XML Enc/Sig, S/MIME • Many frameworks available

• TCTP • TLS / Web frameworks available • Prototype (complete) • Proxy (ongoing)

The Trusted Cloud Transfer Protocol 51

Message-flow protection

• Prevent proxies from replaying encrypted data

• Related work does only consider single messages

• TCTP: TLS HMAC prevents replay by proxies

The Trusted Cloud Transfer Protocol 52

Streaming capability

• Large downloads and media stream challenges

• Related work: adaptation needed • TCTP: TLS record protocol

fragments data into 16.384 byte (2^14) parts

The Trusted Cloud Transfer Protocol 53