The Trusted Cloud Transfer Protocol (TCTP)
DESCRIPTION
The presentation of the Trusted Cloud Transfer Protocol (TCTP) at CloudCom 2013 in Bristol, UK.
TRANSCRIPT
Service-centric Networking, Telekom Innovation Laboratories Public private partnership of Technische Universität Berlin and Deutsche Telekom
Mathias Slawik, Technische Universität Berlin
The Trusted Cloud Transfer Protocol
Topics
• Motivation
• TCTP and the State-of-the-Art
• Evaluation
TCTP in a nutshell
• End-to-end HTTP security
• Secure communication through cloud proxies
• Encapsulation of TLS in HTTP
• Related work challenges
TCTP Motivation
To proxy or not to proxy...
HTTP proxy challenge
a) Relay TLS?
b) Act as TLS Server?
a) Relay TLS?
Plaintext confidentiality
HTTP management
b) Act as TLS server?
HTTP management
Plaintext confidentiality
Loss of plaintext confidentiality
• Privacy risks
• More security effort
• Violation of legal obligations
• Risk of unauthorized access
c) ?
HTTP Messages
POST /patients HTTP/1.1
Content-Type: text/json
Content-Length: 81

{
  "name" : "John Doe",
  "status" : "therapy",
  "reason" : "broken leg"
}
Header fields: less confidential, needed for HTTP mgmt.
Entity body: often confidential, not needed for HTTP mgmt.
c) Entity body encryption
Entity body confidentiality
HTTP management
F*****g TCTP, how does it work?
TCTP: Process
1. End-to-end key exchange
2. HTTP entity body encryption
3. ?
4. Profit
TCTP
• Encapsulation of TLS
• Key exchange: TLS Handshake protocol
• Body encryption: TLS Records
Key exchange
HALEC
• HTTP Application Layer Encryption Channel
• Persists TLS session state
• Required for multiple connections
• Identified by URL
Body encryption
POST /patients HTTP/1.1
Content-Type: text/json
Content-Length: 81
Content-Encoding: encrypted

/halecs/1Mfjk941xkFe
[binary TLS records]
Unencrypted header fields allow HTTP management
Encrypted TLS Records contain HTTP body
HALEC URL
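What a proxy can still read from such a body, as an added Ruby example (not code from the slides or from the tctp-rack project). It assumes the layout shown on the slide, a HALEC URL line ending in CRLF followed by raw TLS records; all function names and the sample record bytes are constructed for illustration.

```ruby
# Added example: what an intermediary can read from a TCTP-encrypted body.
# Assumed layout (from the slide): HALEC URL, CRLF, then raw TLS records.
TLS_CONTENT_TYPES = {
  20 => "change_cipher_spec", 21 => "alert",
  22 => "handshake", 23 => "application_data"
}.freeze
MAX_RECORD_LENGTH = 2**14 + 2048 # TLS 1.2 ciphertext limit per record

# Split the entity body into the HALEC URL and the TLS record bytes.
def split_tctp_body(body)
  halec_url, sep, records = body.b.partition("\r\n")
  raise ArgumentError, "missing HALEC URL line" if sep.empty?
  [halec_url, records]
end

# Walk the 5-byte record headers (type, version, length) without decrypting.
def tls_record_headers(data)
  headers = []
  offset = 0
  while offset < data.bytesize
    raise ArgumentError, "truncated record header" if data.bytesize - offset < 5
    type, major, minor, length = data.byteslice(offset, 5).unpack("CCCn")
    raise ArgumentError, "record too long" if length > MAX_RECORD_LENGTH
    raise ArgumentError, "truncated record" if offset + 5 + length > data.bytesize
    headers << { type: TLS_CONTENT_TYPES.fetch(type, "unknown"),
                 version: "#{major}.#{minor}", length: length }
    offset += 5 + length
  end
  headers
end

# Constructed sample: the HALEC URL shown on the slide plus two made-up records.
def sample_tctp_body
  record = ->(type, payload) { [type, 3, 3, payload.bytesize].pack("CCCn") + payload }
  "/halecs/1Mfjk941xkFe\r\n".b + record.(23, "\xAA".b * 48) + record.(23, "\xBB".b * 16)
end

url, records = split_tctp_body(sample_tctp_body)
puts "HALEC: #{url}"
tls_record_headers(records).each { |h| puts h.inspect }
```

The headers, the HALEC URL and the record lengths stay visible to the proxy; only the record payloads are protected.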
TCTP Novelties
Why another protocol?
State-of-the-Art
• S/MIME
• XML Encryption / Signature
• HTTPSec
• (S-HTTP)
• (Any tinkered solution)
Analysis
Message-flow protection
Streaming capabilities
Discovery mechanism
Easily implemented (Basis: TLS)
TCTP does not ...
... fix the broken CA system.
... prevent information disclosure through URLs
Evaluation
TCTP Prototype
TCTP Middleware
Webserver (Thin)
Lorem Ipsum App
TCTP Library
TCTP Client script
Secure webserver access.
Reusable TCTP library.
TCTP for any Ruby web application.
Test data generation for benchmark.
TCTP Overhead
Conceptual Overhead
• Discovery & handshake round trip
Technical Overhead
• Handshake, Encryption, Processing
Impacts on performance
• Network latency
• Hardware performance
• TLS library efficiency
• Framework overhead
• TCTP software efficiency
Benchmarks
Processing Overhead
Hardware: Intel Core i7-3520M, Windows 8.1, Ruby 2.0
[Chart: processing overhead by body size. X-axis: 1 kB, 2.5 kB, 5 kB, 7.5 kB, 10 kB; y-axis ticks 0 to 20. Data labels as extracted: 4,63 %, 4,94 %, 1,50 %, 11,38 %, 2,08 %.]
Combined overhead
          1 req      10 req     100 req    1k req
50 ms     133,77%    40,66%     9,21%      5,30%
100 ms    103,36%    30,87%     7,97%      5,18%
250 ms    82,94%     24,83%     7,22%      5,10%
What's next?
• Implementation of TCTP enabled proxy (ongoing)
• Watch our GitHub!
• Application of TCTP in TRESOR
Summary
To sum up...
TCTP: end-to-end HTTP security
TCTP: addresses challenges
Preliminary results: Promising
Thank you. Fork me.
https://github.com/TU-Berlin-SNET/tctp-rack
Backup
Efficient presentation
• Minimize transmitted data
• XML: XML, S/MIME: Base64
• TCTP: Binary, compressed TLS records
Capability discovery
• Discover
  • What resources need protection?
  • Where to perform the handshake?
• Related work: None
• TCTP: Discovery mechanism
Capability discovery
OPTIONS * HTTP/1.1
Accept: text/prs.tctp-discovery

HTTP/1.1 200 OK
Content-Type: text/prs.tctp-discovery
Content-Length: 81

/:
/(service(.+?))?:
/(service(.+?)/)?static.*:
/(service(.+?)/)?.*:/\1/halecs
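How a client could apply a discovery document of this shape, as an added Ruby example (not code from the slides or from the tctp-rack project). The rule semantics are assumptions: each line is `<regex>:<HALEC creation URL template>`, the regex must match the whole path, the first matching line wins, and an empty template means the resource is not protected. `Rule`, `parse_discovery`, `halec_creation_url` and the sample body are constructed for illustration.

```ruby
# Added example: resolve which HALEC creation URL protects a request path.
# Assumed semantics (not confirmed by the slides): "<regex>:<template>" per
# line, whole-path match, first match wins, empty template = not protected.

# Constructed discovery body in the text/prs.tctp-discovery layout.
SAMPLE_DISCOVERY = <<~'BODY'
  /:
  /static/.*:
  /(service[0-9]+)/.*:/\1/halecs
  /.*:/halecs
BODY

Rule = Struct.new(:pattern, :template)

# Parse the body into ordered rules; the last ':' separates regex and template.
def parse_discovery(body)
  body.lines.map(&:chomp).reject(&:empty?).map do |line|
    pattern, sep, template = line.rpartition(":")
    raise ArgumentError, "no ':' separator in #{line.inspect}" if sep.empty?
    Rule.new(Regexp.new("\\A(?:#{pattern})\\z"), template)
  end
end

# Return the HALEC creation URL for a path, or nil when it is unprotected.
def halec_creation_url(rules, path)
  rules.each do |rule|
    match = rule.pattern.match(path)
    next unless match
    return nil if rule.template.empty?
    # Expand \1..\9 back-references from the matched path.
    return rule.template.gsub(/\\(\d)/) { match[Regexp.last_match(1).to_i].to_s }
  end
  nil
end

rules = parse_discovery(SAMPLE_DISCOVERY)
%w[/ /static/app.css /service12/patients /patients].each do |path|
  puts "#{path} -> #{halec_creation_url(rules, path).inspect}"
end
```

Discovery takes place before any HALEC exists, so a client receives these patterns through the proxy without TCTP protection and should treat them as untrusted input when compiling and evaluating them.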
Secure key exchange
• XML Enc/Sig & S/MIME
  • None specified
  • Normally out of band
• TCTP
  • TLS handshaking protocol
TLS Handshake
Client                                               Server

ClientHello                  -------->
                                                ServerHello
                                               Certificate*
                                         ServerKeyExchange*
                                        CertificateRequest*
                             <--------      ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished                     -------->
                                         [ChangeCipherSpec]
                             <--------             Finished
Application Data             <------->     Application Data
First client request
POST /halecs HTTP/1.1
Content-Length: 211

[binary TLS records]
POST on discovered HALEC creation URL.
TLS Record client_hello
Server response
HTTP/1.1 200 OK
Content-Length: 1050
Location: /halecs/Adaw7VXdVpu

[binary TLS records]
URL of new HALEC
TLS Records: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
Second client request
POST /halecs/Adaw7VXdVpu HTTP/1.1
Content-Length: 198

[binary TLS records]
POST on newly created HALEC URL.
TLS Records: ClientKeyExchange, ChangeCipherSpec, Finished
Server response
HTTP/1.1 200 OK
Content-Length: 266

[binary TLS records]
TLS Records: ChangeCipherSpec, Finished
Algorithm negotiation
• XML Enc/Sig, S/MIME
  • None
• TCTP
  • TLS Handshaking Protocol functionality
Implementation support
• XML Enc/Sig, S/MIME
  • Many frameworks available
• TCTP
  • TLS / Web frameworks available
  • Prototype (complete)
  • Proxy (ongoing)
Message-flow protection
• Prevent proxies from replaying encrypted data
• Related work only considers single messages
• TCTP: TLS HMAC prevents replay by proxies
Streaming capability
• Large downloads and media stream challenges
• Related work: adaptation needed
• TCTP: TLS record protocol fragments data into 16.384 byte (2^14) parts