the case for ubiquitous transport level encryption
play

The case for ubiquitous transport level encryption Andrea Bittau, - PowerPoint PPT Presentation

Feb 02, 2024 •164 likes •728 views

The case for ubiquitous transport level encryption Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford. What would it take to encrypt all the traffic on the Internet, by default, all the time? Crypto 101

  1. The case for ubiquitous transport level encryption Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford.

  2. What would it take to encrypt all the traffic on the Internet, by default, all the time?

  3. Crypto 101 Encryption without authentication is useless.

  4. Encryption without authentication is like meeting a stranger in a dark alley. Whatever happens, there will be no witnesses.

  5. True, if you need military-grade security False, in many practical situations. Crypto 101 Encryption without authentication is useless.

  7. True, if you need military-grade security False, in many practical situations. Crypto 101 Encryption without authentication is useless. The perfect is the enemy of the good As dogma, leads to flawed security architectures.

  8. What would it take to encrypt the vast majority of TCP traffic? Performance • Fast enough to enable by default on almost all servers. Authentication • Leverage certificates, cookies, passwords, etc., to give best possible security for any given setting. Compatibility • Works in existing networks • Works with unmodified legacy applications

  9. Performance is still pretty poor today, unless expensive crypto hardware is used.  Main cost is public key cryptography on the server during session establishment.  SSL ~80x slower than a regular TCP session.

  10. Performance is still pretty poor today, unless expensive crypto hardware is used.  Main cost is public key cryptography on the server during session establishment.  SSL ~80x slower than a regular TCP session. Worst case: Tcpcrypt is 3x slower than TCP

  11. Authentication at the application level is divorced from authentication at the transport level. Step 1. Authenticate server using SSL certificates Step 2. Username: mjh Passwd: abc123 Authenticate user using SSL password If Step 1. fails, Step 2. doesn’t help - in fact it harms.

  12. In pretty much all cases, it’s possible to provide better security than we do today. Preconfiguration Use case Today’s security Possible security None None No passive eavesdropping

  13. In pretty much all cases, it’s possible to provide better security than we do today. Preconfiguration Use case Today’s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth

  14. In pretty much all cases, it’s possible to provide better security than we do today. Preconfiguration Use case Today’s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth Shared secret None Mutual auth (cookie), no SSL

  15. In pretty much all cases, it’s possible to provide better security than we do today. Preconfiguration Use case Today’s security Possible security None None No passive eavesdropping Server certificate Server auth Server auth Shared secret None Mutual auth (cookie), no SSL Shared secret and Mutual auth if cert Mutual auth if SSL and pwd OK password OK Today’s Security Our goals

  16. An observation on layering of crypto  Encryption is a generic function.  Independent of the semantics of the application.  Integrity Protection is a generic function.  What arrives should be what is sent.  Authentication is strongly application-specific.  Depends on the semantics of the application.

  17. An observation on layering of crypto Observation: Encryption and Integrity Protection are lower-layer functions than Authentication .  Encryption and Integrity Protection are transport-layer functions.  Cannot integrity-protect transport protocol from above it.  Different transport sessions have different security requirements so cannot share encryption keys.  Authentication is application-layer.

  18. Tcpcrypt

  19. Tcpcrypt uses TCP options to provide deployable transport-level encryption.  High server performance - push complexity to clients  Allow applications to authenticate endpoints.  Backwards compatibility: all TCP apps, all networks, all authentication settings.

  20. Tcpcrypt overview  Extend TCP in a compatible way using TCP options.  Existing applications use standard socket API, just like regular TCP.  Encryption automatically enabled if both end points support Tcpcrypt.  Extended applications can use a new getsockopt() for authentication.

  21. Push expensive operations to the client Initial handshake: Public-key operations can be No authentication. Operation Latency quite assymetric. Client decrypts. Encrypt 0.26ms RSA-exp3-2048 performance: Decrypt 10.42ms Lets servers accept connections 36x faster than SSL Perform decrypt on the client: Generate emphemeral key pair: p u b l i c k e y ) e y k Generate random master key r _ e s t a m ( c pub_k n e client server

  22. After initial handshake, tcpcrypt’s Session ID provides the hook to link application authentication to the session.  New getsockopt() returns non-secret Session ID value.  Unique for every connection.  If same on both ends, guaranteed there’s no man-in-the-middle.

  23. How to check the Session ID?  Out-of-band: e.g., phone call, other secure protocol.  PKI: server signs Session ID.  Pre-shared secret: send CMAC of Session ID, keyed with Pre-shared secret.

  25. Authentication Example 1: Password-based Mutual Authentication  Whenever a user knows a password, mutual authentication should be used.  Does not rely on user to spot spurious URLs. password-based auth of user and session ID Authenticating the session ID session session authenticates the ID ID endpoint tcpcrypt

  26. Authentication Example 1: Password-based Mutual Authentication

  27. Authentication Example 2: Equivalent security to SSL using a PKI “A”, signed by amazon.com RSA op Problem: no faster tcpcrypt session session ID: A than SSL because signing is expensive “B”, signed by amazon.com RSA op session ID: B

  28. Authentication Example: Signing a batch of session IDs to amortize RSA costs “A,B,C,D” signed session ID: A session ID: C d e n g i by amazon.com m s ” o D c . , n C o , B z a , A m “ a “A,B,C,D” signed “A,B,C,D” signed y b RSA op by amazon.com by amazon.com session ID: B session ID: D

  29. “A,B,C,D” signed d session ID: A session ID: C e n g i by amazon.com m s ” o D c . , n C o , B z a , A m “ a “A,B,C,D” signed “A,B,C,D” signed y b RSA op by amazon.com by amazon.com session ID: B session ID: D SSL servers must RSA decrypt each client’s secret: RSA op RSA op enc(Secret A) enc(Secret C) RSA op RSA op enc(Secret B) enc(Secret D)

  30. Tcpcrypt in detail

  31. Outline of Tcpcrypt key exchange

  32. Key exchange is performed in the TCP connection setup handshake.

  33. Key Scheduling

  34. Tcpcrypt in TCP Packets

  35. Crypto state can be cached. Subsequent connections between the same endpoints get similar latency to regular TCP.

  36. Key Scheduling 2

  37. Tcpcrypt Performance

  38. Tcpcrypt implementations  Linux kernel implementation: 4,500 lines of code  Portable divert-socket implementation: 7000 LoC  Tested on Windows, MacOS, Linux, FreeBSD tcpcryptd application Network kernel  Binary compatible OpenSSL library that attempts tcpcrypt with batch-signing or falls back to SSL.

  39. Performance Questions  Does enabling encryption reduce the request rate a server can handle?  Is request latency increased?  Is data throughput high? Hardware: 8-core, 2.66GHz Xeon (2008-era). Software: Linux kernel implementation.

  40. Tcpcrypt supports high rates of connection setup

  41. Apache using tcpcrypt performs well.

  42. Authentication over Tcpcrypt is fast.

  43. Connection setup latency is slightly increased due to client-side RSA decrypt. LAN connect Protocol time (ms) TCP 0.2 tcpcrypt cached 0.3 tcpcrypt not cached 11.3 SSL cached 0.7 SSL not cached 11.6 tcpcrypt batch sign 11.2 tcpcrypt CMAC 11.4 tcpcrypt PAKE 15.2

  44. Most authentication can be done very cheaply, once the Tcpcrypt session is established. LAN connect Protocol time (ms) TCP 0.2 tcpcrypt cached 0.3 tcpcrypt not cached 11.3 SSL cached 0.7 SSL not cached 11.6 tcpcrypt batch sign 11.2 tcpcrypt CMAC 11.4 tcpcrypt PAKE 15.2

  45. Batch signing does not add additional latency

  46. Data encryption is very fast on today’s CPUs

  47. Tcpcrypt Deployability

  48. Can you actually deploy changes to TCP in today’s Internet?  Forget what you learned about ISO reference models and layered stacks - it’s a jungle out there.  Many middleboxes that play with TCP.  If you want to extend TCP, need to know what precisely will get through today’s Internet?

  49. Can you actually deploy changes to TCP in today’s Internet?  We studied 142 access networks in 24 countries.  Ran tests to measure what actually happened to TCP.  Are new options actually permitted?  Does resegmentation occur in the network?  Are sequence numbers modified?  Do middleboxes proactively ack?

  50. Middleboxes and new TCP Options in SYN  Middleboxes that remove unknown options are not so rare, especially on port 80

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The case for ubiquitous transport-level encryption Andrea Bittau, Michael Hamburg, Mark Handley,

The case for ubiquitous transport-level encryption Andrea Bittau, Michael Hamburg, Mark Handley,

Introduction tcpcrypt Performance Conclusion 1/25 The case for ubiquitous transport-level encryption Andrea Bittau, Michael Hamburg, Mark Handley, David Mazi` eres, and Dan Boneh Stanford and UCL August 13, 2010 Goals Introduction

615 views • 42 slides
UbiBus: Ubiquitous Computing to Help Blind People in Public Transport M.Bantre, P.Couderc,

UbiBus: Ubiquitous Computing to Help Blind People in Public Transport M.Bantre, P.Couderc,

UbiBus: Ubiquitous Computing to Help Blind People in Public Transport M.Bantre, P.Couderc, J.Pauty and M.Becus INRIA Rennes (France) Ambient Computing and Embedded Systems Group Goal Ubiquitous computing to provide spontaneous

452 views • 6 slides
Domestic Robots a case study on security in ubiquitous computing Thomas Knell Ubiquitous

Domestic Robots a case study on security in ubiquitous computing Thomas Knell Ubiquitous

Domestic Robots a case study on security in ubiquitous computing Thomas Knell Ubiquitous Computing Seminar 15.4.2014 Defining Robot There exists no universally accepted definition of a robot Any automatically operated machine that replaces

866 views • 53 slides
Levenmouth Sustainable Transport Study Initial Appraisal: Case for Change 30 November 2018

Levenmouth Sustainable Transport Study Initial Appraisal: Case for Change 30 November 2018

Levenmouth Sustainable Transport Study Initial Appraisal: Case for Change 30 November 2018 Welcome and Introduction Fiona Brown Lead Client, Transport Scotland Strategic Transport Planning Branch Transport Strategy & Analysis

471 views • 32 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Ubiquitous and Mobile Computing CS 525M: An Empirical Approach to Smartphone Energy Level

Ubiquitous and Mobile Computing CS 525M: An Empirical Approach to Smartphone Energy Level

Ubiquitous and Mobile Computing CS 525M: An Empirical Approach to Smartphone Energy Level Prediction Qian He (Steve) Computer Science Dept. Worcester Polytechnic Institute (WPI) Overview Introduction Related Work Data Collection

390 views • 36 slides
transport, a case study of Yokohama Kyoto University ITS Lab 1 Background Public transport

transport, a case study of Yokohama Kyoto University ITS Lab 1 Background Public transport

2017/10/14 The 16 th Summer School on Behavioral Modelling Evaluating the equity of public transport, a case study of Yokohama Kyoto University ITS Lab 1 Background Public transport is an important backbone of sustainable urban

356 views • 14 slides
Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of

Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of

Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of Ammonia Ammonia A A i i Ne w Me thod Validate d F ollowing E PA Guidanc e AT AT P Case #: N08 0004 P Case #: N08-0004 E dwa rd F Aske w

551 views • 32 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
Transport & Vehicles Savings Project High Level Findings & Recommendations Brian Cotter

Transport & Vehicles Savings Project High Level Findings & Recommendations Brian Cotter

Transport & Vehicles Savings Project High Level Findings & Recommendations Brian Cotter October 2014 Agenda Scope of review Total cost of transport High level findings and recommendations Fleet Social Services

455 views • 18 slides
Roadmap Applicat ion Layer (User level) 16: Applicat ion, Transport , Transport Layer

Roadmap Applicat ion Layer (User level) 16: Applicat ion, Transport , Transport Layer

Roadmap Applicat ion Layer (User level) 16: Applicat ion, Transport , Transport Layer (OS) Net work and Link Layers Net work Layer (OS) Link Layer (Device Driver, Adapt er Card) Last Modif ied: 7/ 3/ 2004 1:46:53 PM -1 -2

374 views • 9 slides
PRIVACY IN UBIQUITOUS PRIVACY IN UBIQUITOUS Understanding Privacy Technical Approaches

PRIVACY IN UBIQUITOUS PRIVACY IN UBIQUITOUS Understanding Privacy Technical Approaches

Marc Langheinrich: Privacy in Ubiquitous Computing 5/29/2010 Todays Menu PRIVACY IN UBIQUITOUS PRIVACY IN UBIQUITOUS Understanding Privacy Technical Approaches COMPUTING Definitions Challenges 1. History and legal aspects 1.

264 views • 13 slides
Lit Motors & A New Power in Personal Transport Case Study Jackson Wahl, Dhanush Madabusi

Lit Motors & A New Power in Personal Transport Case Study Jackson Wahl, Dhanush Madabusi

Lit Motors & A New Power in Personal Transport Case Study Jackson Wahl, Dhanush Madabusi & Scout Stohrer By submitting this deck of case slides, the members of our team affirm that we all participated in the analysis of the case and the

609 views • 4 slides
On Using Existing Time - Use Study Data for Ubiquitous Computing Data for Ubiquitous Computing

On Using Existing Time - Use Study Data for Ubiquitous Computing Data for Ubiquitous Computing

On Using Existing Time - Use Study Data for Ubiquitous Computing Data for Ubiquitous Computing Applications Kurt Partridge, Philippe Golle Presented by: Minh Huynh CS525 CS525m Mobile and M bil d Ubiquitous Computing Introduction

721 views • 19 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides
HP Use Cases for the Ubiquitous Web Presented at The Ubiquitous Web Workshop Tokyo, Japan

HP Use Cases for the Ubiquitous Web Presented at The Ubiquitous Web Workshop Tokyo, Japan

HP Use Cases for the Ubiquitous Web Presented at The Ubiquitous Web Workshop Tokyo, Japan March 9, 2006 Melinda Grant Gerrie Shults Imaging and Printing Group Hewlett-Packard, Co. Introduction The Webs Problem Today It enables

410 views • 14 slides
Ubiquitous Machine Learning Prof. Dr. Stefan Wrobel Ubiquitous Machine Learning Fraunhofer IAIS:

Ubiquitous Machine Learning Prof. Dr. Stefan Wrobel Ubiquitous Machine Learning Fraunhofer IAIS:

Ubiquitous Machine Learning Prof. Dr. Stefan Wrobel Ubiquitous Machine Learning Fraunhofer IAIS: Intelligent Analysis and Information Systems 230 people: scientists, project engineers, technical and administrative staff, students

754 views • 20 slides
For Quantum and Reversible From Interval . . . Computing, Intervals Are Case of Fuzzy

For Quantum and Reversible From Interval . . . Computing, Intervals Are Case of Fuzzy

Need for Quantum . . . Need for Reversible . . . Need to Take . . . When Is This Data . . . For Quantum and Reversible From Interval . . . Computing, Intervals Are Case of Fuzzy Uncertainty Intervals are Ubiquitous More Appropriate Than A

446 views • 29 slides
Personal Privacy in Ubiquitous Personal Privacy in Ubiquitous Computing Marc Langheinrich

Personal Privacy in Ubiquitous Personal Privacy in Ubiquitous Computing Marc Langheinrich

Personal Privacy in Ubiquitous Personal Privacy in Ubiquitous Computing Marc Langheinrich Institute for Pervasive Computing Institute for Pervasive Computing ETH Zurich, Switzerland Approaches to Ubicomp Privacy Disappearing Computer

794 views • 45 slides
From Resilience-Building to Resilience-Scaling Technologies Michel Bantre Content ! Resilient

From Resilience-Building to Resilience-Scaling Technologies Michel Bantre Content ! Resilient

From Resilience-Building to Resilience-Scaling Technologies Michel Bantre Content ! Resilient building technologies ! Ubiquity ! One example ! The scaling challenge ! Conclusion 2 Resilience-Building Technologies (1) Current state !

349 views • 13 slides
International Workshop / Special Session on Adaptivity and Personalization in Ubiquitous

International Workshop / Special Session on Adaptivity and Personalization in Ubiquitous

International Workshop / Special Session on Adaptivity and Personalization in Ubiquitous Learning System s Sabine Graf Kinshuk National Central University Athabasca University Taiwan Canada sabine.graf@ieee.org kinshuk@ieee.org Schedule

830 views • 18 slides
C ONSISTENT M ANAGEMENT OF C ONTEXT I NFORMATION IN U BIQUITOUS S YSTEMS Gabriel

C ONSISTENT M ANAGEMENT OF C ONTEXT I NFORMATION IN U BIQUITOUS S YSTEMS Gabriel

C ONSISTENT M ANAGEMENT OF C ONTEXT I NFORMATION IN U BIQUITOUS S YSTEMS Gabriel Guerrero-Contreras gjguerrero@ugr.es Jos Luis Garrido jgarrido@ugr.es Carlos Rodrguez-Domnguez carlosrodriguez@ugr.es Sara Balderas-Daz

549 views • 27 slides
Design and Evaluation of Scalable Ubiquitous Discovery System Tomohiro NAKAGAWA Takashi

Design and Evaluation of Scalable Ubiquitous Discovery System Tomohiro NAKAGAWA Takashi

Design and Evaluation of Scalable Ubiquitous Discovery System Tomohiro NAKAGAWA Takashi YOSHIKAWA Ken OHTA Hiroshi INAMURA Shoji KURAKAKE NTT DoCoMo, Inc., Japan 2004/8/10 ASWN2004 Outline Background, Goal, Scenario Sensor

460 views • 20 slides
Towards the Ubiquitous Web Dr. Philipp Hoschka, W3C Ubiquitous Web Domain Leader This work is

Towards the Ubiquitous Web Dr. Philipp Hoschka, W3C Ubiquitous Web Domain Leader This work is

Towards the Ubiquitous Web Dr. Philipp Hoschka, W3C Ubiquitous Web Domain Leader This work is partially funded by the European Union through the Seventh Framework Programme (FP7/2010-2012) under grant agreement n257800 - Mobile Web

356 views • 10 slides

More recommend