personalized pseudonyms for servers in the cloud
play

Personalized Pseudonyms for Servers in the Cloud Qiuyu Xiao - PowerPoint PPT Presentation

Nov 17, 2023 •377 likes •1.04k views

Personalized Pseudonyms for Servers in the Cloud Qiuyu Xiao (UNC-Chapel Hill) Michael K. Reiter (UNC-Chapel Hill) Yinqian Zhang (Ohio State Univ.) Ba Backg kground Servers identity is not well protected with the normal HTTPS connection.

  1. Personalized Pseudonyms for Servers in the Cloud Qiuyu Xiao (UNC-Chapel Hill) Michael K. Reiter (UNC-Chapel Hill) Yinqian Zhang (Ohio State Univ.)

  2. Ba Backg kground Server’s identity is not well protected with the normal HTTPS connection. DNS query Query name: www.example.com IP TCP Encrypted payload TLS/SSL SNI: example.com Certificate subject name: example.com Pub key: E58B2C78….. IP address: 111.111.111.111 1

  3. Ba Backg kground Server’s identity is not well protected with the normal HTTPS connection. DNS query Query name: www.example.com IP TCP Encrypted payload TLS/SSL SNI: example.com Certificate subject name: example.com Pub key: E58B2C78….. IP address: 111.111.111.111 1

  4. Ba Backg kground Real-world adversaries compromise user’s privacy. 2

  5. Ba Backg kground Real-world adversaries compromise user’s privacy. 2

  6. Ba Backg kground Real-world adversaries compromise user’s privacy. 2

  7. Ex Exis istin ing solu lutio ions VPN tunneling • - Encrypt and tunnel user’s traffic through proxy server 3

  8. Ex Exis istin ing solu lutio ions Tor • - Route encrypted packets through multiple Tor relays 4

  9. Ex Exis istin ing solu lutio ions Cloud and CDN based solutions • - CloudTransport [1] - Domain fronting [2] - CacheBrowser [3] 1. Cloud-Transport: Using cloud storage for censorship-resistant networking, PETS 2014 2. Blocking-resistant communication through domain fronting, PETS 2015 3. CacheBrowser: Bypassing Chinese censorship without proxies using cached content, CCS 2015 5

  10. Ex Exis istin ing solu lutio ions Cloud and CDN based solutions • - CloudTransport [1] non-cooperative cloud provider - Domain fronting [2] - CacheBrowser [3] 1. Cloud-Transport: Using cloud storage for censorship-resistant networking, PETS 2014 2. Blocking-resistant communication through domain fronting, PETS 2015 3. CacheBrowser: Bypassing Chinese censorship without proxies using cached content, CCS 2015 5

  11. Ex Exis istin ing solu lutio ions Cloud and CDN based solutions • - CloudTransport [1] - Domain fronting [2] - CacheBrowser [3] Domain name is visible in TLS SNI field 1. Cloud-Transport: Using cloud storage for censorship-resistant networking, PETS 2014 2. Blocking-resistant communication through domain fronting, PETS 2015 3. CacheBrowser: Bypassing Chinese censorship without proxies using cached content, CCS 2015 5

  12. Our solution Ou Personalized Pseudonym for a Server in the Cloud (PoPSiCl) DNS query Query name: www.example.com IP TCP Encrypted payload TLS/SSL SNI: example.com Certificate subject name: example.com Pub key: E58B2C78….. IP address: 111.111.111.111 6

  13. Our solution Ou Personalized Pseudonym for a Server in the Cloud (PoPSiCl) DNS query Query name: www.example.com IP TCP Encrypted payload TLS/SSL SNI: example.com Certificate subject name: example.com Pub key: E58B2C78….. IP address: 111.111.111.111 6

  14. Our solution Ou Personalized Pseudonym for a Server in the Cloud (PoPSiCl) DNS query Query name: x…x.popsicls.com IP TCP Encrypted payload TLS/SSL SNI: x…x.popsicls.com Certificate subject name: x…x.popsicls.com Pub key: AGJ46DM….. IP address: 124.132.215.121 6

  15. Our solution Ou Personalized Pseudonym for a Server in the Cloud (PoPSiCl) DNS query Query name: x…x.popsicls.com IP TCP Encrypted payload TLS/SSL SNI: x…x.popsicls.com Certificate subject name: x…x.popsicls.com Pub key: AGJ46DM….. No extra client application! IP address: 124.132.215.121 6

  16. Our solution Ou Personalized Pseudonym for a Server in the Cloud (PoPSiCl) DNS query Query name: x…x.popsicls.com No proxy! IP TCP Encrypted payload TLS/SSL SNI: x…x.popsicls.com Certificate subject name: x…x.popsicls.com Pub key: AGJ46DM….. No extra client application! IP address: 124.132.215.121 6

  17. Thr Threa eat t model del In the context of a client-server interaction … • What is trusted • Client computer • Cloud infrastructure (including the server computer) • What is not trusted • The network between the client and the cloud • Other clients and other servers 7

  18. Po PoPSiCl re registration www.example.com 8

  19. Po PoPSiCl re registration www.example.com 9

  20. Po PoPSiCl re registration VM VM VM VM DNS server VM VM PoPSiCl store Cl Cloud SDN controller 10

  21. Po PoPSiCl re registration VM VM VM VM DNS server VM VM PoPSiCl store Registration request Cl Cloud SDN controller 10

  22. Po PoPSiCl re registration PoPSiCl VM VM Pseudo IP VM VM DNS server VM VM PoPSiCl store Cl Cloud SDN controller 10

  23. PoPSiCl Po PoPSiCl re registration Pseudo IP PoPSiCl VM VM Tenant server ID VM VM DNS server VM VM PoPSiCl store Cl Cloud SDN controller 10

  24. PoPSiCl Po PoPSiCl re registration Pseudo IP Client Cert Server Cert VM VM Client PriKey Server PriKey VM VM DNS server VM VM PoPSiCl PoPSiCl store Tenant server ID Cl Cloud SDN controller 10

  25. PoPSiCl Po PoPSiCl re registration Pseudo IP Sign Cloud PriKey Client Cert Server Cert VM VM Client PriKey Server PriKey VM VM DNS server VM VM PoPSiCl PoPSiCl store Tenant server ID Cl Cloud SDN controller 10

  26. PoPSiCl Po PoPSiCl re registration Pseudo IP Sign Server PriKey Client Cert Server Cert VM VM Client PriKey VM VM DNS server VM VM PoPSiCl PoPSiCl store Tenant server ID Cl Cloud SDN controller 10

  27. PoPSiCl Po PoPSiCl re registration Pseudo IP PoPSiCl PoPSiCl Client Cert Server Cert VM VM Client PriKey Server PriKey VM VM DNS server VM VM PoPSiCl PoPSiCl store Tenant server ID Cl Cloud SDN controller 10

  28. PoPSiCl PoPSiCl Po PoPSiCl re registration Server Cert Pseudo IP PoPSiCl Server PriKey Client Cert VM VM Client PriKey VM VM DNS server VM VM PoPSiCl PoPSiCl store Tenant server ID Cl Cloud SDN controller 10

  29. PoPSiCl PoPSiCl Po PoPSiCl re registration Server Cert Pseudo IP Server PriKey PoPSiCl VM VM VM VM DNS server Client Cert VM VM PoPSiCl Client PriKey PoPSiCl store Tenant server ID Cl Cloud SDN controller 10

  30. PoPSiCl Pseudo IP Po PoPSiCl ac access ss VM VM VM VM VM VM DNS server PoPSiCl Server Cert PoPSiCl Server PriKey Client Cert Client PriKey SDN switch PoPSiCl Tenant server ID Cl Cloud 11 SDN controller

  31. PoPSiCl Pseudo IP Po PoPSiCl ac access ss VM VM VM VM VM VM (1) DNS query: DNS server PoPSiCl PoPSiCl Server Cert PoPSiCl Server PriKey Client Cert Client PriKey SDN switch PoPSiCl Tenant server ID Cl Cloud 11 SDN controller

  32. PoPSiCl Pseudo IP Po PoPSiCl ac access ss VM VM VM VM VM VM (1) DNS query: DNS server PoPSiCl PoPSiCl Server Cert PoPSiCl (2) DNS response: Server PriKey Client Cert Pseudo IP Client PriKey SDN switch PoPSiCl Tenant server ID Cl Cloud 11 SDN controller

  33. PoPSiCl Pseudo IP Po PoPSiCl ac access ss VM VM VM VM VM VM (1) DNS query: DNS server PoPSiCl PoPSiCl Server Cert PoPSiCl (2) DNS response: Server PriKey Client Cert Pseudo IP Client PriKey (3) Pseudo IP SDN switch PoPSiCl Tenant server ID Cl Cloud 11 SDN controller

  34. PoPSiCl Pseudo IP Po PoPSiCl ac access ss VM VM VM VM VM VM (1) DNS query: DNS server PoPSiCl PoPSiCl Server Cert PoPSiCl (2) DNS response: Server PriKey Client Cert Pseudo IP Client PriKey (3) Pseudo IP SDN switch (4) Forward PoPSiCl Tenant server ID Cl Cloud 11 SDN controller

  35. PoPSiCl Pseudo IP Po PoPSiCl ac access ss VM VM VM VM VM VM (1) DNS query: DNS server PoPSiCl PoPSiCl Server Cert PoPSiCl (2) DNS response: Server PriKey Client Cert Pseudo IP Client PriKey (3) Pseudo IP SDN switch (4) Forward PoPSiCl (5) Establish TCP Tenant server ID Cl Cloud (via SDN switch) 11 SDN controller

  36. PoPSiCl Pseudo IP Po PoPSiCl ac access ss VM VM VM VM VM VM (1) DNS query: DNS server PoPSiCl PoPSiCl Server Cert PoPSiCl (2) DNS response: Server PriKey Client Cert Pseudo IP Client PriKey Get PoPSiCl from the SNI field (3) Pseudo IP SDN switch (4) Forward in TLS ClientHello message. PoPSiCl (5) Establish TCP Tenant server ID Cl Cloud (via SDN switch) 11 SDN controller

  37. PoPSiCl Pseudo IP Po PoPSiCl ac access ss VM VM VM VM VM VM (1) DNS query: DNS server PoPSiCl PoPSiCl Server Cert PoPSiCl (2) DNS response: Server PriKey Client Cert Pseudo IP Client PriKey (3) Pseudo IP SDN switch (4) Forward (6) Rule update PoPSiCl (5) Establish TCP Tenant server ID Cl Cloud (via SDN switch) 11 SDN controller

  38. PoPSiCl Pseudo IP Po PoPSiCl ac access ss VM VM VM VM MATCH ACTION VM VM Source IP Source port Destination IP Destination port Client-IP Client-port Pseudo-IP Server-port Drop (1) DNS query: Tenant-IP Server-port Client-IP Client-port Change source IP to Pseudo-IP DNS server PoPSiCl PoPSiCl Server Cert PoPSiCl (2) DNS response: Server PriKey Client Cert Pseudo IP Client PriKey (3) Pseudo IP SDN switch (4) Forward (6) Rule update PoPSiCl (5) Establish TCP Tenant server ID Cl Cloud (via SDN switch) 11 SDN controller

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Pseudonyms in Cost Sharing Paolo Penna Riccardo Silvestri Peter Widmayer Florian

Pseudonyms in Cost Sharing Paolo Penna Riccardo Silvestri Peter Widmayer Florian

Pseudonyms in Cost Sharing Paolo Penna Riccardo Silvestri Peter Widmayer Florian Schoppmann Pseudonyms What makes mechanisms immune to fake identities ? fschopp@stanford.edu fschopp@uni-paderborn.de 1 Pseudonyms What

427 views • 29 slides
Distributed Systems CS6421 Cloud Computing: Servers and Virtualization Prof. Tim Wood

Distributed Systems CS6421 Cloud Computing: Servers and Virtualization Prof. Tim Wood

Distributed Systems CS6421 Cloud Computing: Servers and Virtualization Prof. Tim Wood Amazons Cloud Amazon built its cloud platform so that other people could pay for its infrastructure during the rest of the year Now its cloud users

1.28k views • 79 slides
Cloud Index Tracking: Enabling Predictable Costs in Cloud Spot Markets Supreeth Shastri and David

Cloud Index Tracking: Enabling Predictable Costs in Cloud Spot Markets Supreeth Shastri and David

Cloud Index Tracking: Enabling Predictable Costs in Cloud Spot Markets Supreeth Shastri and David Irwin University of Massachusetts Amherst Spot Servers are gaining significance in the cloud Servers that may terminate anytime after an advance

979 views • 54 slides
Microsofts Production Configurable Cloud Derek Chiou Microsoft Azure Cloud Silicon UT Austin

Microsofts Production Configurable Cloud Derek Chiou Microsoft Azure Cloud Silicon UT Austin

Microsofts Production Configurable Cloud Derek Chiou Microsoft Azure Cloud Silicon UT Austin H2RC Nov 14, 2016 1 Todays Data Centers O(100K) servers/data center Very dense, maximize number of servers Tens of MegaWatts

472 views • 28 slides
Dominant Resource Fairness in Cloud Computing Systems with Heterogeneous Servers Wei Wang ,

Dominant Resource Fairness in Cloud Computing Systems with Heterogeneous Servers Wei Wang ,

Dominant Resource Fairness in Cloud Computing Systems with Heterogeneous Servers Wei Wang , Baochun Li, Ben Liang Department of Electrical and Computer Engineering University of Toronto April 30, 2014 Introduction Cloud computing system

424 views • 40 slides
What is the Cloud? Simply put, Cloud Computing is the delivery of computing services,

What is the Cloud? Simply put, Cloud Computing is the delivery of computing services,

What is the Cloud? Simply put, Cloud Computing is the delivery of computing services, including Servers, Storage, Databases, Networking, Software, Analytics and Intelligence over the Internet (The Cloud) to offer faster innovation,

338 views • 13 slides
OpenShift on you own cloud Troy Dawson OpenShift Engineer, Red Hat tdawson@redhat.com November

OpenShift on you own cloud Troy Dawson OpenShift Engineer, Red Hat tdawson@redhat.com November

OpenShift on you own cloud Troy Dawson OpenShift Engineer, Red Hat tdawson@redhat.com November 1, 2013 2 Infrastructure-as-a-Service Servers in the Cloud You must build and manage everything (OS, App Servers, DB, App, etc.) How do I use

662 views • 50 slides
Personalized Production Personalized Production Janani Viswanathan, Dawn Tilbury, S. Jack Hu, Z.

Personalized Production Personalized Production Janani Viswanathan, Dawn Tilbury, S. Jack Hu, Z.

Cloud Computing Cyberinfrastructure Enabling Cyberinfrastructure Enabling Personalized Production Personalized Production Janani Viswanathan, Dawn Tilbury, S. Jack Hu, Z. Morley Mao Mechanical Engineering and Computer Science University of

489 views • 24 slides
HotSpot: Automated Server Hopping in Cloud Spot Markets Supreeth Shastri and David Irwin

HotSpot: Automated Server Hopping in Cloud Spot Markets Supreeth Shastri and David Irwin

HotSpot: Automated Server Hopping in Cloud Spot Markets Supreeth Shastri and David Irwin Transient Servers are Ubiquitous in the Cloud Servers that may terminate anytime after an advance warning period Internal Use : Resource Spot Instances :

304 views • 17 slides
Changing the Face of Database Cloud Services with Personalized Service Level Agreements Jennifer

Changing the Face of Database Cloud Services with Personalized Service Level Agreements Jennifer

Changing the Face of Database Cloud Services with Personalized Service Level Agreements Jennifer Ortiz, Victor Teixeira de Almeida, Magdalena Balazinska University of Washington, Computer Science and Engineering PETROBRAS S.A., Rio de Janerio,

1.57k views • 66 slides
Goksin Bakir Microsoft What Is The Cloud? A set of connected servers On which developers

Goksin Bakir Microsoft What Is The Cloud? A set of connected servers On which developers

[TITLE LE] Windows Azure overview and Fundamentals Goksin Bakir Microsoft What Is The Cloud? A set of connected servers On which developers can: Install and run services Store and retrieve data What Is Windows Azure?

632 views • 19 slides
Power Characterization of Servers in Heterogeneous Cloud Environments Mascha Kurpicz, Anita Sobe,

Power Characterization of Servers in Heterogeneous Cloud Environments Mascha Kurpicz, Anita Sobe,

Power Characterization of Servers in Heterogeneous Cloud Environments Mascha Kurpicz, Anita Sobe, Pascal Felber Universit de Neuchtel This project and the research leading to these results has received funding from the European Community's

622 views • 23 slides
DC-DRF : Adaptive Multi- Resource Sharing at Public Cloud Scale ACM Symposium on Cloud

DC-DRF : Adaptive Multi- Resource Sharing at Public Cloud Scale ACM Symposium on Cloud

DC-DRF : Adaptive Multi- Resource Sharing at Public Cloud Scale ACM Symposium on Cloud Computing 2018 Ian A Kash, Greg OShea, Stavros Volos 1 Public Cloud DC hosting enterprise customers O(100K) servers, mostly small tenants 2

1.21k views • 87 slides
@ Building the Caribbean Cloud Concepts, Progress and Priorities OVERVIEW Defining Accessing

@ Building the Caribbean Cloud Concepts, Progress and Priorities OVERVIEW Defining Accessing

@ Building the Caribbean Cloud Concepts, Progress and Priorities OVERVIEW Defining Accessing Building the Cloud the Cloud the Cloud WHAT IS THE CLOUD? Is the cloud... Hosted servers? Virtualization? Virtualized platform

379 views • 22 slides
h-DDSS: Heterogeneous Dynamic Dedicated Servers Scheduling in Cloud Computing Husnu S aner Narman

h-DDSS: Heterogeneous Dynamic Dedicated Servers Scheduling in Cloud Computing Husnu S aner Narman

h-DDSS: Heterogeneous Dynamic Dedicated Servers Scheduling in Cloud Computing Husnu S aner Narman Md. Shohrab Hossain Mohammed Atiquzzaman School of Computer Science University of Oklahoma, USA. atiq@ou.edu www.cs.ou.edu/~atiq June 2014

707 views • 37 slides
Large databases lots of servers on premises in the cloud GET THEM ALL! Flavio Gurgel pgDay

Large databases lots of servers on premises in the cloud GET THEM ALL! Flavio Gurgel pgDay

Large databases lots of servers on premises in the cloud GET THEM ALL! Flavio Gurgel pgDay Paris 2019 DBA leboncoin Mars 12, 2019 A common stack The Internet Border, DMZ http Application Replication Master Standby A common stack

849 views • 37 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit

The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit

1 The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit Eindhoven 2 The Domain Name System tue.nl wants to see http://www.ru.nl . Browser at tue.nl The web

1.39k views • 124 slides
Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu,

Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu,

Who Is Answering My Queries? Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu, Chaoyi Lu, Haixin Duan, Ying Liu, Zhou Li, Shuang Hao and MinYang Presenter: Zhou Li (UC Irvine EECS) 1 DNS Resolution

496 views • 34 slides
Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke Tian, Steve T.K. Jan , Hang Hu, Danfeng Yao, Gang Wang Computer Science, Virginia Tech Phishing is a Big Th Threat Phishing: fraudulent attempt

411 views • 30 slides
Encapsulation End-to-End Argument Source Transport Saltzer, Reed & Clark, 1981 src &

Encapsulation End-to-End Argument Source Transport Saltzer, Reed & Clark, 1981 src &

Encapsulation End-to-End Argument Source Transport Saltzer, Reed & Clark, 1981 src & dst ports + Network src & dst IP addresses + message M Application src & dst MAC addresses Link segment H T M Transport datagram H N

354 views • 6 slides
Networking: UDP & DNS 2 Lab Schedule Activities Assignments Due This Week Lab 9

Networking: UDP & DNS 2 Lab Schedule Activities Assignments Due This Week Lab 9

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Networking: UDP & DNS 2 Lab Schedule Activities Assignments Due This Week Lab 9 Due by Apr 4 th 5:00am Lab 9 Network

349 views • 31 slides
Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI

Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI

Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI Networks Seminar jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 1 / 26 A Review of the DNS Lookup Process jtk (jtk@depaul.edu) ORs and

626 views • 26 slides
P4DNS: In-Network DNS Jackson Woodruff, Murali Ramanujam, Noa Zilberman University of Cambridge

P4DNS: In-Network DNS Jackson Woodruff, Murali Ramanujam, Noa Zilberman University of Cambridge

P4DNS: In-Network DNS Jackson Woodruff, Murali Ramanujam, Noa Zilberman University of Cambridge September 23, 2019 1 / 9 Introduction Networks continue to increase bandwidths without achieving much latency reduction. Latency is

496 views • 13 slides
Passive DNS Replication Florian Weimer 17 th Annual FIRST Conference, Singapore, 2005 Florian

Passive DNS Replication Florian Weimer 17 th Annual FIRST Conference, Singapore, 2005 Florian

Passive DNS Replication Florian Weimer 17 th Annual FIRST Conference, Singapore, 2005 Florian Weimer Passive DNS Replication FIRST 2005 1 / 25 Outline A very brief introduction to DNS Case Study: Botnet mitigation Architecture and

166 views • 13 slides

More recommend