Reliable client-server connections: Making Telnet secure (slide deck; Thijs Rozekrans and René Klomp, System and Network Engineering, University of Amsterdam, July 3, 2013)


SLIDE 1

Reliable client-server connections

Making Telnet secure

Thijs Rozekrans (thijs.rozekrans@os3.nl), René Klomp (rene.klomp@os3.nl)

System and Network Engineering, University of Amsterdam

July 3, 2013

Thijs Rozekrans, René Klomp (UvA) Reliable client-server connections July 3, 2013 1 / 16

SLIDE 2

Introduction

  • Authentication of both clients and servers
  • Decentralised
  • Based on TLS
  • Proof of concept


SLIDE 3

Introduction

How can current techniques be used to validate the identity of both client and server, using a TLS connection, in a decentralised way?


SLIDE 4

Motivation

  • Increase usage of certificates by clients and servers
  • Eliminate the need for certificate authorities
    • DigiNotar debacle
    • Foreign governments
    • Centralized
  • Techniques are available
    • Currently no implementations exist


SLIDE 5

Design considerations

  • PGP or X.509 (CAs)
  • Validating certificates
  • Daemon or Library
  • Programming language


SLIDE 6

PGP or X.509

  • X.509
    • Widely adopted
    • Validation of the certificate is done by a CA
  • PGP
    • Certificates are managed by users
    • Decentralized design (web of trust)


SLIDE 7

Validating certificates


SLIDE 8

Daemon or Library

  • Library
    • Existing GnuTLS library
  • Daemon
    • Forwarding mechanism
    • Caching
    • Access to private keys
    • Multiple programming languages


SLIDE 9

Programming Language

  • Performance
  • Future extension


SLIDE 10

Implementation

  • Daemon
  • Python
  • PyGnuTLS Library
  • Pass file descriptor of existing connection


SLIDE 11

Implementation

[Diagram: Client with Library and Daemon on one side, Server with Library and Daemon on the other; a TCP handshake is followed by encrypted traffic]


SLIDE 12

Implementation

  • Based on certificate UID
    • LDAP
    • DANE
  • Flags to disable certain checks
  • DNSSEC
  • Responds with:
    • OK + id
    • ERR + code + message


SLIDE 13

Implementation

  • Forwarding mechanism
  • Telnet application as an example
  • Possible with every other application

[Diagram: Telnet, TCP-Forwarder, Library and Daemon on the client side; Telnetd, TCP-Forwarder, Library and Daemon on the server side; a TCP handshake is followed by encrypted traffic]
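Added example (not code from the OS3 rp2_68 project) of the two mechanics slides 10 to 13 rely on: the library hands the file descriptor of an already established connection to the daemon over a local control socket, and the daemon answers "OK + id" or "ERR + code + message". The GnuTLS handshake and the LDAP/DANE lookup are replaced here by a constructed table of trusted certificate UIDs, and the wire format of the reply ("OK <id>", "ERR <code> <message>") is an assumption; needs Python 3.9+ on a Unix host.

```python
import socket
import threading

# Constructed stand-in for the decentralised lookup (LDAP/DANE in the slides):
# maps a certificate UID to the id the daemon hands back to the library.
TRUSTED_UIDS = {"alice@example.net": "peer-0001"}

def parse_response(line: bytes):
    """Parse the daemon's reply: 'OK <id>' or 'ERR <code> <message>' (assumed format)."""
    parts = line.decode().rstrip("\n").split(" ", 2)
    if parts[0] == "OK" and len(parts) == 2:
        return "OK", {"id": parts[1]}
    if parts[0] == "ERR" and len(parts) == 3:
        return "ERR", {"code": int(parts[1]), "message": parts[2]}
    raise ValueError(f"malformed daemon reply: {line!r}")

def library_handover(ctrl: socket.socket, conn: socket.socket):
    """Library side: pass the existing connection's fd to the daemon over the
    control socket (SCM_RIGHTS) and return the daemon's verdict."""
    socket.send_fds(ctrl, [b"WRAP"], [conn.fileno()])
    return parse_response(ctrl.recv(4096))

def daemon_serve_one(ctrl: socket.socket) -> None:
    """Daemon side: take ownership of the passed fd, read the peer's claimed
    certificate UID from the connection and answer OK or ERR. In the real
    design the UID would come out of the GnuTLS handshake, not a plain read."""
    msg, fds, _, _ = socket.recv_fds(ctrl, 64, 1)
    if msg != b"WRAP" or not fds:
        ctrl.sendall(b"ERR 1 bad request\n")
        return
    with socket.socket(fileno=fds[0]) as conn:  # the daemon's own copy of the fd
        uid = conn.recv(256).decode().strip()
    ident = TRUSTED_UIDS.get(uid)
    if ident is None:
        ctrl.sendall(f"ERR 2 unknown peer {uid}\n".encode())
    else:
        ctrl.sendall(f"OK {ident}\n".encode())

def run(uid: str):
    """Wire library, daemon and a fake remote peer together with socketpairs."""
    ctrl_lib, ctrl_daemon = socket.socketpair()
    app_side, peer_side = socket.socketpair()   # plays the existing TCP connection
    peer_side.sendall(uid.encode() + b"\n")      # remote peer announces its UID
    worker = threading.Thread(target=daemon_serve_one, args=(ctrl_daemon,))
    worker.start()
    verdict = library_handover(ctrl_lib, app_side)
    worker.join()
    for s in (ctrl_lib, ctrl_daemon, app_side, peer_side):
        s.close()
    return verdict
```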


SLIDE 14

Conclusion

How can current techniques be used to validate the identity of both client and server using a TLS connection in a decentralised way?

  • By creating a daemon it is possible!
  • Easily implemented using a single call to the library
  • It does work with an existing application (Telnet)
  • https://github.com/OS3/rp2_68


SLIDE 15

Future work

  • (D)TLS for UDP and SCTP
  • (Soft)HSM
  • Caching
  • Certificate Pinning
  • Libraries in other languages


SLIDE 16

Questions

Are there any questions?
