The Trusted Cloud Transfer Protocol (TCTP)
Upcoming SlideShare
Loading in...5
×
 

The Trusted Cloud Transfer Protocol (TCTP)

on

  • 37 views

The presentation of the Trusted Cloud Transfer Protocol (TCTP) at Cloud Com 2013 in Bristol, UK.

The presentation of the Trusted Cloud Transfer Protocol (TCTP) at Cloud Com 2013 in Bristol, UK.

Statistics

Views

Total Views
37
Views on SlideShare
37
Embed Views
0

Actions

Likes
0
Downloads
1
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-NonCommercial LicenseCC Attribution-NonCommercial License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    The Trusted Cloud Transfer Protocol (TCTP) The Trusted Cloud Transfer Protocol (TCTP) Presentation Transcript

    • Service-centric Networking, Telekom Innovation Laboratories Public private partnership of Technische Universität Berlin and Deutsche Telekom Mathias Slawik, Technische Universität Berlin The Trusted Cloud Transfer Protocol
    • Topics • Motivation • TCTP and the State-of-the-Art • Evaluation The Trusted Cloud Transfer Protocol 2
    • TCTP in a nutshell • End-to-end HTTP security • Secure communication through cloud proxies • Encapsulation of TLS in HTTP • Related work challenges The Trusted Cloud Transfer Protocol 3
    • TCTP Motivation To proxy or not to proxy... The Trusted Cloud Transfer Protocol 4
    • The Trusted Cloud Transfer Protocol 6
    • HTTP proxy challenge a) Relay TLS? b) Act as TLS Server? The Trusted Cloud Transfer Protocol 7
    • a) Relay TLS?  Plaintext confidentiality  HTTP management The Trusted Cloud Transfer Protocol 8
    • b) Act as TLS server?  HTTP management  Plaintext confidentiality The Trusted Cloud Transfer Protocol 9
    • Loss of plaintext confidentiality • Privacy risks • More security effort • Violation of legal obligations • Risk of unauthorized access The Trusted Cloud Transfer Protocol 10
    • c) ? The Trusted Cloud Transfer Protocol 11
    • HTTP Messages The Trusted Cloud Transfer Protocol 12 POST /patients HTTP/1.1↩ Content-Type: text/json↩ Content-Length: 81↩ ↩ {↩ "name" : "John Doe",↩ "status" : "therapy",↩ "reason" : "broken leg"↩ } Less confidential Needed for HTTP mgmt. Often confidential Not needed for HTTP mgmt.
    • c) Entity body encryption  Entity body confidentiality  HTTP management The Trusted Cloud Transfer Protocol 13
    • F*****g TCTP, how does it work? The Trusted Cloud Transfer Protocol 14
    • TCTP: Process 1. End-to-end key exchange 2. HTTP entity body encryption 3. ? 4. Profit The Trusted Cloud Transfer Protocol 15
    • TCTP • Encapsulation of TLS • Key exchange: TLS Handshake protocol • Body encryption: TLS Records The Trusted Cloud Transfer Protocol 16
    • Key exchange The Trusted Cloud Transfer Protocol 17
    • HALEC • HTTP Application Layer Encryption Channel • Persists TLS session state • Required for multiple connections • Identified by URL The Trusted Cloud Transfer Protocol 18
    • Body encryption The Trusted Cloud Transfer Protocol 19 POST /patients HTTP/1.1↩ Content-Type: text/json↩ Content-Length: 81↩ Content-Encoding: encrypted↩ ↩ /halecs/1Mfjk941xkFe↩ ¤«ÙÖ�n�iz®Ë¤|w�,ñ ¯_)SÊ(@oüÊÊÈÚ» næG�_ÔÊQ %"�ÂN¬�¹Îïú&i Unencrypted header fields allow HTTP management Encrypted TLS Records contain HTTP body HALEC URL
    • TCTP Novelties The Trusted Cloud Transfer Protocol 20 Why another protocol?
    • State-of-the-Art • S/MIME • XML Encryption / Signature • HTTPSec • (S-HTTP) • (Any tinkered solution) The Trusted Cloud Transfer Protocol 21
    • Analysis
    • Message-flow protection The Trusted Cloud Transfer Protocol 23
    • Streaming capabilities The Trusted Cloud Transfer Protocol 24
    • Discovery mechanism The Trusted Cloud Transfer Protocol 25
    • Easily implemented (Basis: TLS) The Trusted Cloud Transfer Protocol 26
    • TCTP does not ... ... fix the broken CA system. ... prevent information disclosure through URLs The Trusted Cloud Transfer Protocol 27
    • Evaluation The Trusted Cloud Transfer Protocol 28
    • TCTP Prototype 29 TCTP Middleware Webserver (Thin) Lorem Ipsum App TCTP Library TCTP Client script Secure webserver access. Reusable TCTP library. TCTP for any Ruby web application. Test data generation for benchmark.
    • TCTP Overhead Conceptual Overhead • Discovery & handshake round trip Technical Overhead • Handshake, Encryption, Processing The Trusted Cloud Transfer Protocol 30
    • Impacts on performance • Network latency • Hardware performance • TLS library efficiency • Framework overhead • TCTP software efficiency The Trusted Cloud Transfer Protocol 31
    • Benchmarks The Trusted Cloud Transfer Protocol 32
    • Processing Overhead The Trusted Cloud Transfer Protocol 33 Hardware: Intel Core i7-3520M, Windows 8.1, Ruby 2.0 4,63 % 4,94 % 1,50 % 11,38 % 2,08 % 0 5 10 15 20 1 kB 2.5 kB 5 kB 7.5 kB 10 kB
    • Combined overhead The Trusted Cloud Transfer Protocol 34 1 req 10 req 100 req 1k req 50 ms 133,77% 40,66% 9,21% 5,30% 100 ms 103,36% 30,87% 7,97% 5,18% 250 ms 82,94% 24,83% 7,22% 5,10% 0% 50% 100% 150%
    • What‘s next? • Implementation of TCTP enabled proxy (ongoing) • Watch our Github! • Application of TCTP in TRESOR The Trusted Cloud Transfer Protocol 35
    • Summary The Trusted Cloud Transfer Protocol 36
    • To sum up... TCTP: end-to-end HTTP security TCTP: addresses challenges Preliminary results: Promising The Trusted Cloud Transfer Protocol 37
    • Thank you. Fork me. The Trusted Cloud Transfer Protocol 38 https://github.com/TU-Berlin-SNET/tctp-rack
    • Backup The Trusted Cloud Transfer Protocol 39
    • Efficient presentation • Minimize transmitted data • XML: XML, S/MIME: Base64 • TCTP: Binary, compressed TLS records The Trusted Cloud Transfer Protocol 40
    • Efficient presentation The Trusted Cloud Transfer Protocol 41
    • Capability discovery • Discover • What resources need protection? • Where to perform the handshake? • Related work: None • TCTP: Discovery mechanism The Trusted Cloud Transfer Protocol 42
    • Capability discovery 43 OPTIONS * HTTP/1.1↩ Accept: text/prs.tctp-discovery↩ ↩ HTTP/1.1 200 OK↩ Content-Type: text/prs.tctp-discovery↩ Content-Length: 81↩ ↩ /:↩ /(service(.+?))?:↩ /(service(.+?)/)?static.*:↩ /(service(.+?)/)?.*:/1/halecs
    • Secure key exchange • XML Enc/Sig & S/MIME • None specified • Normally out of band • TCTP • TLS handshaking protocol The Trusted Cloud Transfer Protocol 44
    • TLS Handshake The Trusted Cloud Transfer Protocol 45 Client Server ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
    • First client request The Trusted Cloud Transfer Protocol 46 POST /halecs HTTP/1.1↩ Content-Length: 211↩ ↩ Î ÊR��[ñ�l� Kf¢u¹§ê:çñtÃ�xÛd8ãÐ}U ÀÀ 9 8 � �ÀÀ 5 �ÀÀ ÀÀ ÀÀ 3 2 � � E DÀÀ / � A ÀÀÀÀ ÿ D 4 2 # POST on discovered HALEC creation URL. TLS Record client_hello
    • Server response The Trusted Cloud Transfer Protocol 47 HTTP/1.1 200 OK↩ Content-Length: 1050↩ Location: /halecs/Adaw7VXdVpu↩ ↩ 5 1R��[ym�9¥_z- Ôc�N½>É°_�õE4prÏ 9 ÿ # � �0�0�� 000131120095643Z131 120105643Z0,10Utctp- server10�&��ò,dtctp0�"0*�H�÷ � 0��·Â "!��º}�ÿ�Aî)ád±óµó�)ßn... URL of new HALEC TLS Records: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
    • Second client request The Trusted Cloud Transfer Protocol 48 POST /halecs/Adaw7VXdVpu HTTP/1.1↩ Content-Length: 198↩ ↩ � � �äZ�«EÕ)UÿØ3Ô6á� ,Ý4�Ê<e>�_ùßó{¹5¨AæP¬/3��yàDÔÖà Z!q}ög�hV*ÁM³Yoÿì|.w�Í×3ø<7MJúÑ !¢.=æÜ�m3ÂgÍ)IH�Ë¡iê±��¶Tù 06Fnq#ã§ebðÚ H�v�Ãv�Fäw´ñ¥mF�?ø?[iqi�_Ø`ìar JQ POST on newly created HALEC URL. TLS Records: ClientKeyExchange, ChangeCipherSpec, Finished
    • Server response The Trusted Cloud Transfer Protocol 49 HTTP/1.1 200 OK↩ Content-Length: 266↩ ↩ Ê Æ ÀÁGú�®ëA½²¸ øí°� qAó0N&�»R¨tX"äWà�IdÚ û/C]Ð?×ÔèÆü#Ūë{ *YÊ´GòD� e.ÐÑ{+!Í`MöÄ�×�{ýÚâà� �h1�Ô Wq7g¸à Lù½jÕLÌExµÇë�� RdB¦ÅÉ��*§õez`&üvæ͸å=°6½V Ø%tY}PÞÊöF�Î"¿~¸O÷·à�V',©� Ô±UÊ0Ú¹ÐeÌ�ÿÓù$�å½Ì&;d¸õ¹æ Ö¶ù0/×/YUE";üø�9Áóàtõ TLS Records: ChangeCipherSpec, Finished
    • Algorithm negotiation • XML Enc/Sig, S/MIME • None • TCTP • TLS Handshaking Protocol functionality The Trusted Cloud Transfer Protocol 50
    • Implementation support • XML Enc/Sig, S/MIME • Many frameworks available • TCTP • TLS / Web frameworks available • Prototype (complete) • Proxy (ongoing) The Trusted Cloud Transfer Protocol 51
    • Message-flow protection • Prevent proxies from replaying encrypted data • Related work does only consider single messages • TCTP: TLS HMAC prevents replay by proxies The Trusted Cloud Transfer Protocol 52
    • Streaming capability • Large downloads and media stream challenges • Related work: adaptation needed • TCTP: TLS record protocol fragments data into 16.384 byte (2^14) parts The Trusted Cloud Transfer Protocol 53