Personalized Pseudonyms for Servers in the Cloud (Qiuyu Xiao), presentation slides

SLIDE 1

Personalized Pseudonyms for Servers in the Cloud

Qiuyu Xiao (UNC-Chapel Hill) Michael K. Reiter (UNC-Chapel Hill) Yinqian Zhang (Ohio State Univ.)

SLIDE 2

Background

Server’s identity is not well protected with the normal HTTPS connection.

DNS query
  • Query name: www.example.com

IP | TCP | TLS/SSL | Encrypted payload
  • IP address: 111.111.111.111
  • SNI: example.com
  • Certificate subject name: example.com
  • Pub key: E58B2C78…

SLIDE 4

Background

Real-world adversaries compromise user’s privacy.

SLIDE 7

Existing solutions

  • VPN tunneling
    • Encrypt and tunnel user’s traffic through proxy server

SLIDE 8

Existing solutions

  • Tor
    • Route encrypted packets through multiple Tor relays

SLIDE 10

Existing solutions

  • Cloud and CDN based solutions
    • CloudTransport [1]
    • Domain fronting [2]
    • CacheBrowser [3]

References
  1. CloudTransport: Using cloud storage for censorship-resistant networking, PETS 2014
  2. Blocking-resistant communication through domain fronting, PETS 2015
  3. CacheBrowser: Bypassing Chinese censorship without proxies using cached content, CCS 2015

non-cooperative cloud provider

SLIDE 11

Existing solutions

  • Cloud and CDN based solutions
    • CloudTransport [1]
    • Domain fronting [2]
    • CacheBrowser [3]

Domain name is visible in TLS SNI field

SLIDE 12

Our solution

Personalized Pseudonym for a Server in the Cloud (PoPSiCl)

DNS query
  • Query name: www.example.com

IP | TCP | TLS/SSL | Encrypted payload
  • IP address: 111.111.111.111
  • SNI: example.com
  • Certificate subject name: example.com
  • Pub key: E58B2C78…

SLIDE 16

Our solution

Personalized Pseudonym for a Server in the Cloud (PoPSiCl)

  • No extra client application!
  • No proxy!

DNS query
  • Query name: x…x.popsicls.com

IP | TCP | TLS/SSL | Encrypted payload
  • IP address: 124.132.215.121
  • SNI: x…x.popsicls.com
  • Certificate subject name: x…x.popsicls.com
  • Pub key: AGJ46DM…

SLIDE 17

Threat model

In the context of a client-server interaction …

  • What is trusted
    • Client computer
    • Cloud infrastructure (including the server computer)
  • What is not trusted
    • The network between the client and the cloud
    • Other clients and other servers

SLIDE 18

PoPSiCl registration

www.example.com

SLIDES 20-29

PoPSiCl registration

[Figure, built up over slides 20-29. Cloud: six VMs, PoPSiCl store, DNS server, SDN controller.]

Labels added as the figure builds:
  • Registration request
  • PoPSiCl, Pseudo IP
  • PoPSiCl, Tenant server ID
  • Server Cert, Server PriKey, Client Cert, Client PriKey
  • Cloud PriKey: Sign
  • Final build: PoPSiCl, Tenant server ID; Client Cert, Client PriKey, PoPSiCl; Server Cert, Server PriKey, PoPSiCl; PoPSiCl, Pseudo IP

SLIDES 30-44

PoPSiCl access

[Figure, built up over slides 30-44. Cloud: DNS server, SDN controller, SDN switch, six VMs. Labels: PoPSiCl, Client Cert, Client PriKey; PoPSiCl, Pseudo IP; Tenant server ID, PoPSiCl; PoPSiCl, Server Cert, Server PriKey.]

Steps, in the order they appear on the slides:

  • (1) DNS query: PoPSiCl
  • (2) DNS response: Pseudo IP
  • (3) Pseudo IP
  • (4) Forward
  • (5) Establish TCP (via SDN switch)
    • Get PoPSiCl from the SNI field in TLS ClientHello message.
  • (6) Rule update
  • (7) TCP hand-off
  • (8) Rule update
  • (9) TLS (via SDN switch)
    • Accept the connection only if the user can present a valid Client Cert

Switch rules shown with rule update (6):

  MATCH                                                           | ACTION
  Source IP | Source port | Destination IP | Destination port     |
  Client-IP | Client-port | Pseudo-IP      | Server-port          | Drop
  Tenant-IP | Server-port | Client-IP      | Client-port          | Change source IP to Pseudo-IP

Switch rules shown with rule updates (6)(8):

  MATCH                                                           | ACTION
  Source IP | Source port | Destination IP | Destination port     |
  Client-IP | Client-port | Pseudo-IP      | Server-port          | Change destination IP to Tenant-IP
  Tenant-IP | Server-port | Client-IP      | Client-port          | Change source IP to Pseudo-IP
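
The two switch rule tables from the access flow (after rule updates (6) and (8)), simulated as an added example that is not part of the original slides. The addresses are constructed samples, and treating packets with no matching rule as dropped is an assumption of this sketch.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample endpoints (documentation address ranges), not from the slides.
CLIENT = ("198.51.100.7", 40000)   # Client-IP, Client-port
PSEUDO = ("203.0.113.10", 443)     # Pseudo-IP, Server-port
TENANT = ("10.0.0.5", 443)         # Tenant-IP, Server-port

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    match: tuple                 # (src_ip, src_port, dst_ip, dst_port)
    action: str                  # "drop", "set_src" or "set_dst"
    value: Optional[str] = None  # replacement IP for the set_* actions

def rules_after_step(step, client=CLIENT, pseudo=PSEUDO, tenant=TENANT):
    """Rule table after rule update (6) or (8), as on the slides."""
    inbound = (Rule(client + pseudo, "drop") if step == 6
               else Rule(client + pseudo, "set_dst", tenant[0]))
    outbound = Rule(tenant + client, "set_src", pseudo[0])
    return [inbound, outbound]

def switch(rules, pkt):
    """Return the packet as the switch forwards it, or None if it is dropped."""
    key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
    for rule in rules:
        if rule.match != key:
            continue
        if rule.action == "drop":
            return None
        field = "src_ip" if rule.action == "set_src" else "dst_ip"
        return replace(pkt, **{field: rule.value})
    return None  # no matching rule: dropped (assumption of this sketch)

to_server = Packet(*CLIENT, *PSEUDO)    # what the client sends
from_server = Packet(*TENANT, *CLIENT)  # what the tenant VM replies

if __name__ == "__main__":
    for step in (6, 8):
        table = rules_after_step(step)
        print(step, switch(table, to_server), switch(table, from_server))
```

In both tables the reply leaves the switch with the Pseudo-IP as its source, so the Tenant-IP never appears on the client side of the switch.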

SLIDE 45

Implementation

Cloud

  • OpenStack-based IaaS cloud deployed in CloudLab testbed
  • PoPSiCl store and SDN controller are implemented in C and C++
  • Open vSwitch as the SDN switch in each physical machine

Tenant server

  • A Linux kernel module for TCP state transfer
  • Each PoPSiCl is mapped to a virtual host in Nginx server

SLIDES 46-50

Latency

[Figure: latency chart, built up over slides 46-50. Values shown on the final build: 4.1s, 4.5s, 17.8s.]

SLIDES 51-55

Throughput

[Figure: throughput chart, built up over slides 51-55. Values shown on the final build: 490.5, 450.9, 325.8.]

SLIDES 56-58

Scalability: Throughput per retrieved object size

[Figure: chart, built up over slides 56-58.]

SLIDES 59-61

Scalability: Latency per # switch rules

[Figure: chart, built up over slides 59-61.]

SLIDES 62-64

Scalability: Latency per # PoPSiCls for one server

[Figure: chart, built up over slides 62-64.]

SLIDE 65

Q&A