the case for ubiquitous transport level encryption
play

The case for ubiquitous transport-level encryption Andrea Bittau, - PowerPoint PPT Presentation

Jan 26, 2023 •183 likes •615 views

Introduction tcpcrypt Performance Conclusion 1/25 The case for ubiquitous transport-level encryption Andrea Bittau, Michael Hamburg, Mark Handley, David Mazi` eres, and Dan Boneh Stanford and UCL August 13, 2010 Goals Introduction

  1. Introduction tcpcrypt Performance Conclusion 1/25 The case for ubiquitous transport-level encryption Andrea Bittau, Michael Hamburg, Mark Handley, David Mazi` eres, and Dan Boneh Stanford and UCL August 13, 2010

  2. Goals Introduction tcpcrypt Performance Conclusion 2/25 What would it take to encrypt the vast majority of TCP traffic? 1 Performance. Fast enough to enable by default on almost all servers. 2 End-point authentication. Leverage certificates, cookies, passwords, etc., to achieve best possible security for any given setting. 3 Compatibility. Works in existing networks. Works with legacy apps.

  3. Performance today can be pretty bad Introduction tcpcrypt Performance Conclusion 3/25 70000 60,156 60000 Connections/s 50000 40000 30000 20000 10000 737 0 TCP SSL server server Biggest problem: cost of public key cryptography. Worst case: SSL can be 82x slower than TCP. . .

  4. Performance today can be pretty bad Introduction tcpcrypt Performance Conclusion 3/25 70000 60,156 60000 Connections/s 50000 40000 30000 19,153 20000 10000 737 0 TCP tcpcrypt SSL server server server Biggest problem: cost of public key cryptography. Worst case: SSL can be 82x slower than TCP. . . Worst case: tcpcrypt only 3x slower than TCP!

  5. Problem today: Introduction tcpcrypt app-level auth divorced from transport Performance Conclusion 4/25 1 SSL encrypts + server auth. SSL. Authenticate server using certificates

  6. Problem today: Introduction tcpcrypt app-level auth divorced from transport Performance Conclusion 4/25 1 SSL encrypts + server auth. 2 App auths client. Username: Andrea SSL. Password: w00t Authenticate server using certificates SSL. Authenticate server using certificates If step 1 fails, step 2 doesn’t help—in fact, it harms.

  7. What’s the best we can do? Introduction tcpcrypt Performance Conclusion 5/25 Level of security against a network attacker depends on scenario. Preconfiguration Use case Today’s security Possible security No passive None None eavesdropping

  8. What’s the best we can do? Introduction tcpcrypt Performance Conclusion 5/25 Level of security against a network attacker depends on scenario. Preconfiguration Use case Today’s security Possible security No passive None None eavesdropping Server certificate Server auth Server auth

  9. What’s the best we can do? Introduction tcpcrypt Performance Conclusion 5/25 Level of security against a network attacker depends on scenario. Preconfiguration Use case Today’s security Possible security No passive None None eavesdropping Server certificate Server auth Server auth Shared secret None Mutual auth (cookie) no SSL

  10. What’s the best we can do? Introduction tcpcrypt Performance Conclusion 5/25 Level of security against a network attacker depends on scenario. Preconfiguration Use case Today’s security Possible security No passive None None eavesdropping Server certificate Server auth Server auth Shared secret None Mutual auth (cookie) no SSL Mutual auth if Shared secret Mutual auth if password OK and SSL cert and pass OK

  11. What’s the best we can do? Introduction tcpcrypt Performance Conclusion 5/25 Level of security against a network attacker depends on scenario. Preconfiguration Use case Today’s security Possible security No passive None None eavesdropping Server certificate Server auth Server auth Shared secret None Mutual auth (cookie) no SSL Mutual auth if Shared secret Mutual auth if password OK and SSL cert and pass OK

  12. What’s the best we can do? Introduction tcpcrypt Performance Conclusion 5/25 Level of security against a network attacker depends on scenario. goal with tcpcrypt Preconfiguration Use case Today’s security Possible security No passive None None eavesdropping Server certificate Server auth Server auth Shared secret None Mutual auth (cookie) no SSL Mutual auth if Shared secret Mutual auth if password OK and SSL cert and pass OK

  13. Backwards compatibility issues Introduction tcpcrypt Performance Conclusion 6/25 Two prevalent ways of encrypting network traffic: 1 At application layer ( e.g., SSL). √ Works over almost all networks. × Need to modify applications. × Application protocol may not allow incremental deployment. 2 At network layer ( e.g., IPSec). √ Works with all applications. × Breaks NAT. × Can’t leverage user authentication. Ubiquitous encryption requires best of both worlds.

  14. tcpcrypt: transport-layer encryption Introduction tcpcrypt Performance Conclusion 7/25 tcpcrypt: a TCP option for encryption. 1 High server performance: push complexity to clients. 2 Allow applications to authenticate end points. 3 Backwards compatibility: all TCP apps, all networks, all authentication settings.

  15. tcpcrypt overview Introduction tcpcrypt Performance Conclusion 8/25 Extend TCP in a compatible way using TCP options. Applications use standard BSD socket API. New getsockopt for authentication. Encryption automatically enabled if both end points support tcpcrypt.

  16. Push expensive operations to clients Introduction tcpcrypt Performance Conclusion 9/25 Public key operations expensive, but not all equally expensive. RSA-exp3-2048 performance: Operation Latency (ms) Decrypt 10.42 Encrypt 0.26 Have client do decrypt Generate ephemeral key pair public key enc pubk (master key) Generate random master key server client Without server authentication, have client decrypt. Lets servers accept connections at 36x rate of SSL.

  17. Link app auth to transport auth Introduction tcpcrypt Performance Conclusion 10/25 Session ID: hook linking tcpcrypt to app-level authentication. New getsockopt returns non-secret Session ID value. Unique for every connection (if one endpoint honest). If same on both ends, no man-in-the-middle. Password based Authentication of user & sess ID Session ID Session ID tcpcrypt Authenticating the Session ID authenticates the end point.

  18. Auth example: batch signing Introduction tcpcrypt Performance Conclusion 11/25 Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost. “A” RSA op. Signed by amazon.com SID A

  19. Auth example: batch signing Introduction tcpcrypt Performance Conclusion 11/25 Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost. “A” RSA op . Signed by amazon.com SID A SID B “B” Signed by amazon.com RSA op.

  20. Auth example: batch signing Introduction tcpcrypt Performance Conclusion 11/25 Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost. SID C SID A SID B SID D “A, B, C, D” RSA op. Signed by amazon.com

  21. Auth example: batch signing Introduction tcpcrypt Performance Conclusion 11/25 Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost. SID C SID A SID B SID D “A, B, C, D” RSA op. Signed by amazon.com SSL servers must RSA decrypt each client’s secret. RSA op. RSA op. enc(secret A) enc(secret C) enc(secret B) enc(secret D) RSA op. RSA op.

  22. Key exchange overview Introduction tcpcrypt Performance Conclusion 12/25 Do you support tcpcrypt? Yes, and I support RSA RSA public key enc pubk (master key) Generate random master key server client Clients periodically generate ephemeral public keys.

  23. tcpcrypt key exchange Introduction tcpcrypt Performance Conclusion 13/25 SYN SYN ACK ACK

  24. tcpcrypt key exchange Introduction tcpcrypt Performance Conclusion 13/25 SYN - CRYPT(HELLO) probe tcpcrypt SYN ACK ACK tcpcrypt negotiation encoded in TCP options.

  25. tcpcrypt key exchange Introduction tcpcrypt Performance Conclusion 13/25 SYN - CRYPT(HELLO) probe tcpcrypt SYN ACK - CRYPT(PKCONF) public key ciphers and key sizes list ACK - CRYPT(INIT1) symmetric ciphers and MACs list, nonce, public key ACK - CRYPT(INIT2) encrypted client and server nonce (master key) crypto on tcpcrypt negotiation encoded in TCP options. INIT1 and INIT2 too long: sent as data invisible to apps.

  26. Key scheduling Introduction tcpcrypt Performance Conclusion 14/25 Master key is hash of: Server and client nonces. Public key used and negotiated parameters. Master key ) C A M H ( h s a h RX MAC key RX enc. key Session ID TX MAC key TX enc. key

  27. Key scheduling Introduction tcpcrypt Performance Conclusion 14/25 Master key is hash of: Server and client nonces. Public key used and negotiated parameters. Master key Next master key ) C A M enc MAC SID H ( h s a h RX MAC key RX enc. key Session ID TX MAC key TX enc. key Session caching, like in SSL: on reconnect, establish new keys without explicit key exchange.

  28. Session caching Introduction tcpcrypt Performance Conclusion 15/25 SYN - NEXTK1 New session based on session with ID X SYN ACK - NEXTK2 OK! crypto on ack Low latency: completes within TCP handshake.

  29. TCP MAC and encryption Introduction tcpcrypt Performance Conclusion 16/25 MACed src port dst port Encrypted seq no. (64-bit seq) (64-bit ack) ack no. urg. ptr. flags d.off. window checksum options ( e.g., SACK) MAC option TCP length data Allow NATs: do not MAC ports. Prevent replay: MAC extended (implicit) seq. no. Prevent truncation / extension: MAC length.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The case for ubiquitous transport level encryption Andrea Bittau, Mike Hamburg, Mark Handley,

The case for ubiquitous transport level encryption Andrea Bittau, Mike Hamburg, Mark Handley,

The case for ubiquitous transport level encryption Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford. What would it take to encrypt all the traffic on the Internet, by default, all the time? Crypto 101

728 views • 55 slides
UbiBus: Ubiquitous Computing to Help Blind People in Public Transport M.Bantre, P.Couderc,

UbiBus: Ubiquitous Computing to Help Blind People in Public Transport M.Bantre, P.Couderc,

UbiBus: Ubiquitous Computing to Help Blind People in Public Transport M.Bantre, P.Couderc, J.Pauty and M.Becus INRIA Rennes (France) Ambient Computing and Embedded Systems Group Goal Ubiquitous computing to provide spontaneous

452 views • 6 slides
Domestic Robots a case study on security in ubiquitous computing Thomas Knell Ubiquitous

Domestic Robots a case study on security in ubiquitous computing Thomas Knell Ubiquitous

Domestic Robots a case study on security in ubiquitous computing Thomas Knell Ubiquitous Computing Seminar 15.4.2014 Defining Robot There exists no universally accepted definition of a robot Any automatically operated machine that replaces

866 views • 53 slides
Levenmouth Sustainable Transport Study Initial Appraisal: Case for Change 30 November 2018

Levenmouth Sustainable Transport Study Initial Appraisal: Case for Change 30 November 2018

Levenmouth Sustainable Transport Study Initial Appraisal: Case for Change 30 November 2018 Welcome and Introduction Fiona Brown Lead Client, Transport Scotland Strategic Transport Planning Branch Transport Strategy & Analysis

471 views • 32 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Ubiquitous and Mobile Computing CS 525M: An Empirical Approach to Smartphone Energy Level

Ubiquitous and Mobile Computing CS 525M: An Empirical Approach to Smartphone Energy Level

Ubiquitous and Mobile Computing CS 525M: An Empirical Approach to Smartphone Energy Level Prediction Qian He (Steve) Computer Science Dept. Worcester Polytechnic Institute (WPI) Overview Introduction Related Work Data Collection

390 views • 36 slides
transport, a case study of Yokohama Kyoto University ITS Lab 1 Background Public transport

transport, a case study of Yokohama Kyoto University ITS Lab 1 Background Public transport

2017/10/14 The 16 th Summer School on Behavioral Modelling Evaluating the equity of public transport, a case study of Yokohama Kyoto University ITS Lab 1 Background Public transport is an important backbone of sustainable urban

356 views • 14 slides
Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of

Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of

Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of Ammonia Ammonia A A i i Ne w Me thod Validate d F ollowing E PA Guidanc e AT AT P Case #: N08 0004 P Case #: N08-0004 E dwa rd F Aske w

551 views • 32 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
Transport & Vehicles Savings Project High Level Findings & Recommendations Brian Cotter

Transport & Vehicles Savings Project High Level Findings & Recommendations Brian Cotter

Transport & Vehicles Savings Project High Level Findings & Recommendations Brian Cotter October 2014 Agenda Scope of review Total cost of transport High level findings and recommendations Fleet Social Services

455 views • 18 slides
Roadmap Applicat ion Layer (User level) 16: Applicat ion, Transport , Transport Layer

Roadmap Applicat ion Layer (User level) 16: Applicat ion, Transport , Transport Layer

Roadmap Applicat ion Layer (User level) 16: Applicat ion, Transport , Transport Layer (OS) Net work and Link Layers Net work Layer (OS) Link Layer (Device Driver, Adapt er Card) Last Modif ied: 7/ 3/ 2004 1:46:53 PM -1 -2

374 views • 9 slides
PRIVACY IN UBIQUITOUS PRIVACY IN UBIQUITOUS Understanding Privacy Technical Approaches

PRIVACY IN UBIQUITOUS PRIVACY IN UBIQUITOUS Understanding Privacy Technical Approaches

Marc Langheinrich: Privacy in Ubiquitous Computing 5/29/2010 Todays Menu PRIVACY IN UBIQUITOUS PRIVACY IN UBIQUITOUS Understanding Privacy Technical Approaches COMPUTING Definitions Challenges 1. History and legal aspects 1.

264 views • 13 slides
Lit Motors & A New Power in Personal Transport Case Study Jackson Wahl, Dhanush Madabusi

Lit Motors & A New Power in Personal Transport Case Study Jackson Wahl, Dhanush Madabusi

Lit Motors & A New Power in Personal Transport Case Study Jackson Wahl, Dhanush Madabusi & Scout Stohrer By submitting this deck of case slides, the members of our team affirm that we all participated in the analysis of the case and the

609 views • 4 slides
On Using Existing Time - Use Study Data for Ubiquitous Computing Data for Ubiquitous Computing

On Using Existing Time - Use Study Data for Ubiquitous Computing Data for Ubiquitous Computing

On Using Existing Time - Use Study Data for Ubiquitous Computing Data for Ubiquitous Computing Applications Kurt Partridge, Philippe Golle Presented by: Minh Huynh CS525 CS525m Mobile and M bil d Ubiquitous Computing Introduction

721 views • 19 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides
HP Use Cases for the Ubiquitous Web Presented at The Ubiquitous Web Workshop Tokyo, Japan

HP Use Cases for the Ubiquitous Web Presented at The Ubiquitous Web Workshop Tokyo, Japan

HP Use Cases for the Ubiquitous Web Presented at The Ubiquitous Web Workshop Tokyo, Japan March 9, 2006 Melinda Grant Gerrie Shults Imaging and Printing Group Hewlett-Packard, Co. Introduction The Webs Problem Today It enables

410 views • 14 slides
Interstitial lung disease: diagnosis and testing Professor Joanna Porter, Consultant in

Interstitial lung disease: diagnosis and testing Professor Joanna Porter, Consultant in

RCGP accredited until 1 st April 2020 RCN accredited until 2 nd July 2020 Accreditation applies only to the educational content and not to any product RCN cannot confirm competence of any practitioner Interstitial lung disease: diagnosis and

320 views • 12 slides
How to get all women involved: communica2on and outreach

How to get all women involved: communica2on and outreach

How to get all women involved: communica2on and outreach Diane M Harper, MD, MPH, MS Director, Gynecologic Cancer Preven2on Research Group Professor,

499 views • 26 slides
Search for Majorana neutrinos and double beta decay experiments Xavier Sarazin Laboratoire de

Search for Majorana neutrinos and double beta decay experiments Xavier Sarazin Laboratoire de

Search for Majorana neutrinos and double beta decay experiments Xavier Sarazin Laboratoire de lAcclrateur Linaire (CNRS-IN2P3, Univ. Paris-Sud 11) Majorana Neutrino Neutrino is the only fermion with Q = 0 Neutrino might be a

660 views • 40 slides
DUNE: The Deep Underground Neutrino Experiment Mark Thomson University of Cambridge &

DUNE: The Deep Underground Neutrino Experiment Mark Thomson University of Cambridge &

DUNE: The Deep Underground Neutrino Experiment Mark Thomson University of Cambridge & co-spokesperson of DUNE Birmingham HEP Seminar: 4 th May 2016 Topic Slides 1: Context: The 2012 Revolution 1 2: Why are neutrinos so important 2

1.16k views • 104 slides
Tink: a cryptographic library Bartosz Przydatek joint work with Daniel Bleichenbacher and Thai

Tink: a cryptographic library Bartosz Przydatek joint work with Daniel Bleichenbacher and Thai

slides from presentation at Real World Crypto 2019 Tink: a cryptographic library Bartosz Przydatek joint work with Daniel Bleichenbacher and Thai Duong with contributions by Haris Andrianakis , Thanh Bui , Thomas Holenstein , Charles Lee , Erhan

657 views • 38 slides
Cryptanalysis of the Knapsack Generator Simon Knellwolf Willi Meier FHNW, Switzerland FSE 2011,

Cryptanalysis of the Knapsack Generator Simon Knellwolf Willi Meier FHNW, Switzerland FSE 2011,

Cryptanalysis of the Knapsack Generator Simon Knellwolf Willi Meier FHNW, Switzerland FSE 2011, February 14-16, Lyngby, Denmark. 1 / 15 Knapsack Generator n -bit integers w 0 , . . . , w n 1 ( weights ) n -bit LFSR sequence u 0 , u 1 , u 2

337 views • 15 slides
CAN AUTHENTICATION AND ENCRYPTION February 2017 CAN PROVIDES MULTIPLE ATTACK VECTORS Record

CAN AUTHENTICATION AND ENCRYPTION February 2017 CAN PROVIDES MULTIPLE ATTACK VECTORS Record

Implementing scalable CAN Security with CANcrypt by Olaf Pfeiffer CAN AUTHENTICATION AND ENCRYPTION February 2017 CAN PROVIDES MULTIPLE ATTACK VECTORS Record and re-play messages Can trigger desired actions Re-engineering

320 views • 21 slides
Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Praveen

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Praveen

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Praveen Gauravaram 1 , Ga eten Leurent 2 , Florian Mendel 3 , Mar a Naya-Plasencia 4 , Thomas Peyrin 5 , Christian Rechberger 6 , Martin Schl affer 3 , 1

822 views • 45 slides

More recommend