The Trusted Cloud Transfer Protocol (TCTP)

Service-centric Networking, Telekom Innovation Laboratories
Public private partnership of Technische Universität Berlin and Deutsche Telekom
Mathias Slawik,
Technische Universität Berlin
The Trusted Cloud
Transfer Protocol

Topics
• Motivation
• TCTP and the State-of-the-Art
• Evaluation
The Trusted Cloud Transfer Protocol 2

TCTP in a nutshell
• End-to-end HTTP security
• Secure communication
through cloud proxies
• Encapsulation of TLS in HTTP
• Related work challenges

TCTP Motivation
To proxy or not to proxy...

HTTP proxy challenge
a) Relay TLS?
b) Act as TLS
Server?

a) Relay TLS?
 Plaintext confidentiality
 HTTP management

b) Act as TLS server?
 HTTP management
 Plaintext confidentiality

Loss of plaintext confidentiality
• Privacy risks
• More security effort
• Violation of legal obligations
• Risk of unauthorized access

c) ?

HTTP Messages
POST /patients HTTP/1.1↩
Content-Type: text/json↩
Content-Length: 81↩
↩
{↩
"name" : "John Doe",↩
"status" : "therapy",↩
"reason" : "broken leg"↩
}
Less confidential
Needed for HTTP mgmt.
Often confidential
Not needed for HTTP mgmt.

c) Entity body encryption
 Entity body confidentiality
 HTTP management

F*****g TCTP,
how does it work?

TCTP: Process
1. End-to-end key exchange
2. HTTP entity body encryption
3. ?
4. Profit

TCTP
• Encapsulation of TLS
• Key exchange:
TLS Handshake protocol
• Body encryption:
TLS Records

Key exchange

HALEC
• HTTP Application Layer
Encryption Channel
• Persists TLS session state
• Required for multiple connections
• Identified by URL

Body encryption
POST /patients HTTP/1.1↩
Content-Type: text/json↩
Content-Encoding: encrypted↩
↩
/halecs/1Mfjk941xkFe↩
¤«ÙÖ�n�iz®Ë¤|w�,ñ
¯_)SÊ(@oüÊÊÈÚ» næG�_ÔÊQ
%"�ÂN¬�¹Îïú&i
Unencrypted header fields
allow HTTP management
Encrypted TLS Records
contain HTTP body
HALEC URL

TCTP Novelties
Why another protocol?

State-of-the-Art
• S/MIME
• XML Encryption / Signature
• HTTPSec
• (S-HTTP)
• (Any tinkered solution)

Message-flow protection

Streaming capabilities

Discovery mechanism

Easily implemented
(Basis: TLS)

TCTP does not ...
... fix the broken CA system.
... prevent information disclosure
through URLs

Evaluation

TCTP Prototype
29
TCTP Middleware
Webserver (Thin)
Lorem Ipsum App
TCTP
Library
TCTP
Client script
Secure
webserver
access.
Reusable
TCTP library.
TCTP for any
Ruby web
application.
Test data
generation for
benchmark.

TCTP Overhead
Conceptual Overhead
• Discovery & handshake round trip
Technical Overhead
• Handshake, Encryption, Processing

Impacts on performance
• Network latency
• Hardware performance
• TLS library efficiency
• Framework overhead
• TCTP software efficiency

Benchmarks

Processing Overhead
Hardware: Intel Core i7-3520M, Windows 8.1, Ruby 2.0
4,63 % 4,94 %
1,50 %
11,38 %
2,08 %
0
5
10
15
20
1 kB 2.5 kB 5 kB 7.5 kB 10 kB

Combined overhead
1 req 10 req 100 req 1k req
50 ms 133,77% 40,66% 9,21% 5,30%
100 ms 103,36% 30,87% 7,97% 5,18%
250 ms 82,94% 24,83% 7,22% 5,10%
0%
50%
100%
150%

What‘s next?
• Implementation of TCTP
enabled proxy (ongoing)
• Watch our Github!
• Application of TCTP in TRESOR

Summary

To sum up...
TCTP: end-to-end HTTP security
TCTP: addresses challenges
Preliminary results: Promising

Thank you.
Fork me.
https://github.com/TU-Berlin-SNET/tctp-rack

Backup

Efficient presentation
• Minimize transmitted data
• XML: XML, S/MIME: Base64
• TCTP: Binary, compressed TLS
records

Efficient presentation

Capability discovery
• Discover
• What resources need protection?
• Where to perform the handshake?
• Related work: None
• TCTP: Discovery mechanism

Capability discovery
43
OPTIONS * HTTP/1.1↩
Accept: text/prs.tctp-discovery↩
↩
HTTP/1.1 200 OK↩
Content-Type: text/prs.tctp-discovery↩
↩
/:↩
/(service(.+?))?:↩
/(service(.+?)/)?static.*:↩
/(service(.+?)/)?.*:/1/halecs

Secure key exchange
• XML Enc/Sig & S/MIME
• None specified
• Normally out of band
• TCTP
• TLS handshaking protocol

TLS Handshake
Client Server
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data

First client request
POST /halecs HTTP/1.1↩
↩
Î ÊR��[ñ�l�
Kf¢u¹§ê:çñtÃ�xÛd8ãÐ}U ÀÀ
9 8 � �ÀÀ 5 �ÀÀ ÀÀ ÀÀ 3
2 � � E DÀÀ / � A ÀÀÀÀ
ÿ D
4 2
#
POST on discovered HALEC
creation URL.
TLS Record
client_hello

Server response
HTTP/1.1 200 OK↩
Location: /halecs/Adaw7VXdVpu↩
↩
5 1R��[ym�9¥_z-
Ôc�N½>É°_�õE4prÏ 9 ÿ #
�
�0�0�� 000131120095643Z131
120105643Z0,10Utctp-
server10�&��ò,dtctp0�"0*�H�÷
� 0��·Â
"!��º}�ÿ�Aî)ád±óµó�)ßn...
URL of new HALEC
TLS Records:
ServerHello, Certificate,
ServerKeyExchange,
ServerHelloDone

Second client request
POST /halecs/Adaw7VXdVpu HTTP/1.1↩
↩
� � �äZ�«EÕ)UÿØ3Ô6á�
,Ý4�Ê<e>�_ùßó{¹5¨AæP¬/3��yàDÔÖÃ
Z!q}ög�hV*ÁM³Yoÿì|.w�Í×3ø<7MJúÑ
!¢.=æÜ�m3ÂgÍ)IH�Ë¡iê±��¶Tù
06Fnq#ã§ebðÚ
H�v�Ãv�Fäw´ñ¥mF�?ø?[iqi�_Ø`ìar
JQ
POST on newly created
HALEC URL.
TLS Records:
ClientKeyExchange,
ChangeCipherSpec,
Finished

Server response
HTTP/1.1 200 OK↩
↩
Ê Æ ÀÁGú�®ëA½²¸ øí°�
qAó0N&�»R¨tX"äWà�IdÚ
û/C]Ð?×ÔèÆü#Åªë{ *YÊ´GòD�
e.ÐÑ{+!Í`MöÄ�×�{ýÚâà� �h1�Ô
Wq7g¸à Lù½jÕLÌExµÇë��
RdB¦ÅÉ��*§õez`&üvæÍ¸å=°6½V
Ø%tY}PÞÊöF�Î"¿~¸O÷·à�V',©�
Ô±UÊ0Ú¹ÐeÌ�ÿÓù$�å½Ì&;d¸õ¹æ
Ö¶ù0/×/YUE";üø�9Áóàtõ
TLS Records:
ChangeCipherSpec,
Finished

Algorithm negotiation
• XML Enc/Sig, S/MIME
• None
• TCTP
• TLS Handshaking Protocol
functionality

Implementation
support
• XML Enc/Sig, S/MIME
• Many frameworks available
• TCTP
• TLS / Web frameworks available
• Prototype (complete)
• Proxy (ongoing)

Message-flow protection
• Prevent proxies from replaying
encrypted data
• Related work does only
consider single messages
• TCTP: TLS HMAC prevents
replay by proxies

Streaming capability
• Large downloads and media
stream challenges
• Related work: adaptation needed
• TCTP: TLS record protocol
fragments data into 16.384 byte
(2^14) parts

The Trusted Cloud Transfer Protocol (TCTP)

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (9)

Semelhante a The Trusted Cloud Transfer Protocol (TCTP)

Semelhante a The Trusted Cloud Transfer Protocol (TCTP) (20)

Último

Último (20)

The Trusted Cloud Transfer Protocol (TCTP)