Service-centric Networking, Telekom Innovation Laboratories
Public private partnership of Technische Universität Berlin and Deutsche Telekom
Mathias Slawik, Technische Universität Berlin
The Trusted Cloud Transfer Protocol
Topics
• Motivation
• TCTP and the State-of-the-Art
• Evaluation
The Trusted Cloud Transfer Protocol 2
TCTP in a nutshell
• End-to-end HTTP security
• Secure communication through cloud proxies
• Encapsulation of TLS in HTTP
• Addresses the challenges of related work
TCTP Motivation
To proxy or not to proxy...
HTTP proxy challenge
a) Relay TLS?
b) Act as TLS server?
a) Relay TLS?
✔ Plaintext confidentiality
✘ HTTP management
b) Act as TLS server?
✔ HTTP management
✘ Plaintext confidentiality
Loss of plaintext confidentiality
• Privacy risks
• More security effort
• Violation of legal obligations
• Risk of unauthorized access
c) ?
HTTP Messages
POST /patients HTTP/1.1↩
Content-Type: text/json↩
Content-Length: 81↩
↩
{↩
"name" : "John Doe",↩
"status" : "therapy",↩
"reason" : "broken leg"↩
}
Header fields: less confidential, needed for HTTP management.
Entity body: often confidential, not needed for HTTP management.
c) Entity body encryption
✔ Entity body confidentiality
✔ HTTP management
F*****g TCTP, how does it work?
TCTP: Process
1. End-to-end key exchange
2. HTTP entity body encryption
3. ?
4. Profit
TCTP
• Encapsulation of TLS
• Key exchange: TLS Handshake protocol
• Body encryption: TLS Records
Key exchange
HALEC
• HTTP Application Layer Encryption Channel
• Persists the TLS session state (negotiated keys, record sequence numbers) on both ends between HTTP messages
• Required because the messages of one TLS session may travel over many HTTP connections and through proxies rather than over a single TCP connection
• Identified by a URL: the proxy routes on it, the server looks up the session by it
Body encryption
POST /patients HTTP/1.1↩
Content-Type: text/json↩
Content-Length: 81↩
Content-Encoding: encrypted↩
↩
/halecs/1Mfjk941xkFe↩
<binary TLS records>

Unencrypted header fields allow HTTP management by proxies. The first line of the body is the HALEC URL; the encrypted TLS records that follow contain the HTTP body.
Note that Content-Length covers the HALEC URL line plus the TLS records, so it is larger than the plaintext body's length; the value 81 here is carried over from the plaintext example.
TCTP Novelties
Why another protocol?
State-of-the-Art
• S/MIME
• XML Encryption / Signature
• HTTPSec
• (S-HTTP)
• (Any tinkered solution)
Analysis
Message-flow protection
Streaming capabilities
Discovery mechanism
Easily implemented (basis: TLS)
TCTP does not ...
... fix the broken CA system: it relies on TLS certificates and the same trust anchors as HTTPS.
... prevent information disclosure through URLs: the request line and header fields stay in the clear so that proxies can route, so a URL that carries sensitive data (identifiers, query parameters) is still exposed to the proxy.
Evaluation
TCTP Prototype (architecture figure)
Components: TCTP Middleware, Webserver (Thin), Lorem Ipsum App, TCTP Library, TCTP Client script.
Captions: Secure webserver access. Reusable TCTP library. TCTP for any Ruby web application. Test data generation for benchmark.
TCTP Overhead
Conceptual overhead
• Discovery and handshake round trips
Technical overhead
• Handshake, encryption, processing
Impacts on performance
• Network latency
• Hardware performance
• TLS library efficiency
• Framework overhead
• TCTP software efficiency
Benchmarks
Processing Overhead
Hardware: Intel Core i7-3520M, Windows 8.1, Ruby 2.0
Chart: TCTP processing overhead in percent (y-axis 0 to 20 %) for entity bodies of 1 kB, 2.5 kB, 5 kB, 7.5 kB and 10 kB. Data labels as extracted: 4.63 %, 4.94 %, 1.50 %, 11.38 %, 2.08 %; their assignment to the body sizes is not recoverable from the extracted text.
Combined overhead
Relative overhead of TCTP over plain HTTP by network latency (rows) and number of requests (columns); the fixed discovery and handshake round trips are amortized over the requests.

Latency   1 req     10 req    100 req   1k req
50 ms     133.77 %  40.66 %   9.21 %    5.30 %
100 ms    103.36 %  30.87 %   7.97 %    5.18 %
250 ms    82.94 %   24.83 %   7.22 %    5.10 %
What's next?
• Implementation of a TCTP-enabled proxy (ongoing)
• Watch our GitHub!
• Application of TCTP in TRESOR
Summary
To sum up...
TCTP: end-to-end HTTP security
TCTP: addresses challenges
Preliminary results: Promising
Thank you.
Fork me.
https://github.com/TU-Berlin-SNET/tctp-rack
Backup slides
Efficient presentation
• Minimize transmitted data
• XML Enc/Sig: XML; S/MIME: Base64 (both inflate the ciphertext)
• TCTP: binary TLS records (compression negotiable in TLS 1.2 and earlier)
Caveat: TLS-level compression is the vector of the CRIME attack, is disabled in current TLS stacks and was removed from TLS 1.3, so do not count on it for savings.
Efficient presentation (chart slide)
Capability discovery
• Discover: which resources need protection? Where to perform the handshake?
• Related work: none
• TCTP: discovery mechanism
Capability discovery
OPTIONS * HTTP/1.1↩
Accept: text/prs.tctp-discovery↩
↩
HTTP/1.1 200 OK↩
Content-Type: text/prs.tctp-discovery↩
Content-Length: 81↩
↩
/:↩
/(service(.+?))?:↩
/(service(.+?)/)?static.*:↩
/(service(.+?)/)?.*:/1/halecs
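How a client would act on such a discovery document, written out as an added example that is not part of the original slides or of tctp-rack. The slide shows the document format but not its matching rules, so this code assumes one `<path regex>:<HALEC creation URL>` rule per line, an empty URL meaning the resource needs no HALEC, regexes anchored to the whole path, and first matching rule wins; the function and constant names are hypothetical.

```ruby
# Added example (not tctp-rack code): parsing a TCTP discovery response and
# deciding, per request path, whether the entity body must go through a HALEC.
DiscoveryRule = Struct.new(:pattern, :halec_creation_url)

# One "<path regex>:<HALEC creation URL>" per line; an empty URL means that
# the resource needs no HALEC (assumed semantics, see lead-in).
def parse_discovery(body)
  body.each_line.map(&:chomp).reject(&:empty?).map do |line|
    pattern, url = line.split(':', 2)
    DiscoveryRule.new(Regexp.new("\\A#{pattern}\\z"), url.to_s.empty? ? nil : url)
  end
end

# Only a 200 response of the discovery media type counts; anything else means
# the server (or a proxy in front of it) does not speak TCTP, so no rule applies.
def rules_from_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  status = head.lines.first.to_s.split(' ')[1]
  ctype  = head.lines.grep(/\AContent-Type:/i).first.to_s.split(':', 2).last.to_s.strip
  return [] unless status == '200' && ctype == 'text/prs.tctp-discovery'
  parse_discovery(body.to_s)
end

# Client decision for one request path: nil means send the entity body as plain
# HTTP; otherwise the URL to POST the ClientHello to (the HALEC creation URL).
def halec_creation_url_for(rules, path)
  rule = rules.find { |r| r.pattern.match?(path) }
  rule && rule.halec_creation_url
end

# The exchange from the slide, constructed here as test input.
DISCOVERY_REQUEST = "OPTIONS * HTTP/1.1\r\nAccept: text/prs.tctp-discovery\r\n\r\n"
DISCOVERY_BODY = [
  '/:',
  '/(service(.+?))?:',
  '/(service(.+?)/)?static.*:',
  '/(service(.+?)/)?.*:/1/halecs'
].join("\r\n") + "\r\n"
DISCOVERY_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/prs.tctp-discovery\r\n" \
                     "Content-Length: #{DISCOVERY_BODY.bytesize}\r\n\r\n" + DISCOVERY_BODY

if __FILE__ == $PROGRAM_NAME
  rules = rules_from_response(DISCOVERY_RESPONSE)
  %w[/ /static/app.js /patients].each do |path|
    puts "#{path} -> #{halec_creation_url_for(rules, path).inspect}"
  end
end
```

With these rules `/patients` is protected through a HALEC created at `/1/halecs`, while `/` and `/static/app.js` go out as plain HTTP. Under first-match semantics the second rule also swallows paths such as `/serviceA/patients/7`, because `.+?` matches slashes; a real deployment would pin the resolution order down in the discovery format itself.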
Secure key exchange
• XML Enc/Sig and S/MIME: none specified; normally out of band
• TCTP: TLS handshake protocol
TLS Handshake (message flow as in RFC 5246, section 7.3; * marks optional messages)

Client                                       Server

ClientHello             -------->
                                             ServerHello
                                             Certificate*
                                             ServerKeyExchange*
                                             CertificateRequest*
                        <--------            ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished                -------->
                                             [ChangeCipherSpec]
                        <--------            Finished
Application Data        <------->            Application Data
First client request
POST /halecs HTTP/1.1↩
Content-Length: 211↩
↩
<TLS record: ClientHello (binary)>

POST on the discovered HALEC creation URL; the body is the TLS ClientHello record.
Server response
HTTP/1.1 200 OK↩
Content-Length: 1050↩
Location: /halecs/Adaw7VXdVpu↩
↩
<TLS records: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone (binary)>

Location gives the URL of the new HALEC. As with TLS 1.2 over TCP, the server certificate is sent in the clear in this flight (the extracted bytes still show its subject "tctp-server" and a validity period on 2013-11-20), so the server's identity is visible to the proxy.
Second client request
POST /halecs/Adaw7VXdVpu HTTP/1.1↩
Content-Length: 198↩
↩
<TLS records: ClientKeyExchange, ChangeCipherSpec, Finished (binary)>

POST on the newly created HALEC URL.
Server response
HTTP/1.1 200 OK↩
Content-Length: 266↩
↩
<TLS records: ChangeCipherSpec, Finished (binary)>

After this exchange the HALEC is established; from now on TLS application-data records carry the encrypted entity bodies.
Algorithm negotiation
• XML Enc/Sig, S/MIME: none
• TCTP: TLS handshake protocol functionality
Implementation support
• XML Enc/Sig, S/MIME: many frameworks available
• TCTP: TLS and web frameworks available; prototype (complete); proxy (ongoing)
Message-flow protection
• Prevent proxies from replaying (or reordering) encrypted data
• Related work only considers single messages; nothing binds one message to the previous one
• TCTP: the TLS record MAC (the AEAD authentication tag with AEAD cipher suites) is computed over an implicit 64-bit record sequence number, so a record that a proxy replays or reorders fails verification and the HALEC is torn down with a fatal alert
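The handshake walkthrough on slides 46 to 49, the body encryption of slide 19 and the replay protection above, carried out in working code as an added example (not tctp-rack code): each side runs a real OpenSSL TLS session, but its records are shuttled as HTTP entity bodies instead of over a TLS socket. Assumptions: hypothetical helper names, a body framing of HALEC URL line, CRLF, TLS records (the slide does not specify the line terminator), a self-signed in-memory certificate that the client pins instead of trusting a CA, and TLS 1.2 so that the four flights match the slides.

```ruby
require 'openssl'
require 'socket'
require 'securerandom'

# Self-signed server certificate generated in memory (example only; the client
# pins exactly this certificate rather than trusting any CA).
def make_identity
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=tctp-server')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# A HALEC: one TLS session whose records travel in HTTP entity bodies. The TLS
# object sits on one end of a socket pair; the "raw" end is where the records
# it emits are collected and where records received in a body are fed back in.
Halec = Struct.new(:url, :ssl, :raw)

def new_halec(url, ctx)
  tls_end, raw_end = UNIXSocket.pair
  Halec.new(url, OpenSSL::SSL::SSLSocket.new(tls_end, ctx), raw_end)
end

# TLS records the HALEC produced since the last call: the next entity body.
def emitted_records(halec)
  data = halec.raw.read_nonblock(65_536, exception: false)
  data.is_a?(String) ? data : ''.b
end

# Drive the handshake as HTTP exchanges: each client flight is the body of a
# POST (first to the HALEC creation URL, then to the HALEC's own URL, as on
# the slides) and each server flight is the body of the matching response.
def handshake_over_http(client, server, creation_url)
  exchanges = []
  client_done = server_done = false
  until client_done && server_done
    client_done = !client.ssl.connect_nonblock(exception: false).is_a?(Symbol) unless client_done
    request_body = emitted_records(client)
    server.raw.write(request_body) unless request_body.empty?
    server_done = !server.ssl.accept_nonblock(exception: false).is_a?(Symbol) unless server_done
    response_body = emitted_records(server)
    client.raw.write(response_body) unless response_body.empty?
    next if request_body.empty?
    exchanges << [exchanges.empty? ? creation_url : client.url, request_body.bytesize, response_body.bytesize]
  end
  exchanges
end

# Frame a request the TCTP way: header fields stay in the clear so proxies can
# route, cache and log as usual; the body is the HALEC URL line (assumed CRLF
# terminated) followed by the TLS records carrying the encrypted entity body.
def tctp_request(method, path, halec, records)
  body = "#{halec.url}\r\n".b + records
  ("#{method} #{path} HTTP/1.1\r\nContent-Type: text/json\r\n" \
   "Content-Encoding: encrypted\r\nContent-Length: #{body.bytesize}\r\n\r\n").b + body
end

# Server side: headers are readable, the body is split into HALEC URL and
# records, and only that HALEC can decrypt. Returns [request line, plaintext].
def tctp_receive(message, halecs)
  head, body = message.split("\r\n\r\n", 2)
  url, records = body.split("\r\n", 2)
  halec = halecs.fetch(url)
  halec.raw.write(records)
  [head.lines.first.chomp, halec.ssl.read_nonblock(65_536, exception: false)]
end

def demo
  key, cert = make_identity
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key = cert, key
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  cctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  [sctx, cctx].each { |c| c.max_version = OpenSSL::SSL::TLS1_2_VERSION } # four flights, as on the slides
  url    = "/halecs/#{SecureRandom.urlsafe_base64(9)}" # in TCTP the server assigns this (Location:)
  client = new_halec(url, cctx)
  server = new_halec(url, sctx)
  exchanges = handshake_over_http(client, server, '/halecs')
  json = '{"name":"John Doe","status":"therapy","reason":"broken leg"}'
  client.ssl.syswrite(json)
  request = tctp_request('POST', '/patients', client, emitted_records(client))
  halecs  = { url => server }
  request_line, plaintext = tctp_receive(request, halecs)
  replay_rejected = begin
    tctp_receive(request, halecs) # a proxy re-sending the same body: record MAC/sequence check fails
    false
  rescue OpenSSL::SSL::SSLError
    true
  end
  { exchanges: exchanges, request_line: request_line, plaintext: plaintext,
    body_in_clear: request.include?(json), replay_rejected: replay_rejected }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running it prints two handshake exchanges (POST to `/halecs`, then to the new HALEC URL), the request line a proxy can read, the decrypted patient record on the server, `body_in_clear: false` and `replay_rejected: true`. After the rejected replay the server's TLS object has sent a fatal alert, so that HALEC is unusable and the client would have to create a new one with a fresh handshake; that is the cost of message-flow protection, not a bug.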
Streaming capability
• Large downloads and media streams are a challenge
• Related work: adaptation needed (the related formats are designed around complete messages)
• TCTP: the TLS record protocol fragments data into parts of at most 16,384 bytes (2^14), so each record can be encrypted, forwarded and decrypted as soon as it is complete, without buffering the whole body

Mais conteúdo relacionado

Mais procurados

Recover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecyRecover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecyPriyanka Aash
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackAlexandre Moneger
 
Scaling Push Messaging for Millions of Devices @Netflix
Scaling Push Messaging for Millions of Devices @NetflixScaling Push Messaging for Millions of Devices @Netflix
Scaling Push Messaging for Millions of Devices @NetflixC4Media
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer securityMaarten Smeets
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser NetwrokingShuya Osaki
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006Nate Lawson
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL EnglishSSL247®
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer SecurityHuda Seyam
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS SecurityAaron Zauner
 
Sniffing SSL Traffic
Sniffing SSL TrafficSniffing SSL Traffic
Sniffing SSL Trafficdkaya
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4limsh
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?hannob
 
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...Aaron Zauner
 
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...markmcclain
 

Mais procurados (20)

Recover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecyRecover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecy
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stack
 
Scaling Push Messaging for Millions of Devices @Netflix
Scaling Push Messaging for Millions of Devices @NetflixScaling Push Messaging for Millions of Devices @Netflix
Scaling Push Messaging for Millions of Devices @Netflix
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App Firewall
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
 
QUIC
QUICQUIC
QUIC
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS Security
 
Sniffing SSL Traffic
Sniffing SSL TrafficSniffing SSL Traffic
Sniffing SSL Traffic
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?
 
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
 
SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101
 
TLS
TLSTLS
TLS
 
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
 

Destaque

Securing Your Data In The Cloud
Securing Your Data In The CloudSecuring Your Data In The Cloud
Securing Your Data In The CloudOmer Trajman
 
Securing data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law FirmsSecuring data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law FirmsCloudMask inc.
 
Ensuring secure transfer, access and storage over the cloud storage
Ensuring secure transfer, access and storage over the cloud storageEnsuring secure transfer, access and storage over the cloud storage
Ensuring secure transfer, access and storage over the cloud storageeSAT Journals
 
A Detailed Analysis of the Issues and Solutions for Securing Data in Cloud
A Detailed Analysis of the Issues and Solutions for Securing Data  in CloudA Detailed Analysis of the Issues and Solutions for Securing Data  in Cloud
A Detailed Analysis of the Issues and Solutions for Securing Data in CloudIOSR Journals
 
Is The Cloud Secure Enough For Your Data?
Is The Cloud Secure Enough For Your Data?Is The Cloud Secure Enough For Your Data?
Is The Cloud Secure Enough For Your Data?OSIbeyond
 
Securing Apps and Data in the Cloud and On-Premises with OneLogin and Duo Sec...
Securing Apps and Data in the Cloud and On-Premises with OneLogin and Duo Sec...Securing Apps and Data in the Cloud and On-Premises with OneLogin and Duo Sec...
Securing Apps and Data in the Cloud and On-Premises with OneLogin and Duo Sec...OneLogin
 
Quality of Service Control Mechanisms in Cloud Computing Environments
Quality of Service Control Mechanisms in Cloud Computing EnvironmentsQuality of Service Control Mechanisms in Cloud Computing Environments
Quality of Service Control Mechanisms in Cloud Computing EnvironmentsSoodeh Farokhi
 
System z Mainframe Data with Amazon S3 and Amazon Glacier (ENT107) | AWS re:I...
System z Mainframe Data with Amazon S3 and Amazon Glacier (ENT107) | AWS re:I...System z Mainframe Data with Amazon S3 and Amazon Glacier (ENT107) | AWS re:I...
System z Mainframe Data with Amazon S3 and Amazon Glacier (ENT107) | AWS re:I...Amazon Web Services
 
AWS Data Transfer Services: Accelerating Large-Scale Data Ingest Into the AWS...
AWS Data Transfer Services: Accelerating Large-Scale Data Ingest Into the AWS...AWS Data Transfer Services: Accelerating Large-Scale Data Ingest Into the AWS...
AWS Data Transfer Services: Accelerating Large-Scale Data Ingest Into the AWS...Amazon Web Services
 

Destaque (9)

Securing Your Data In The Cloud
Securing Your Data In The CloudSecuring Your Data In The Cloud
Securing Your Data In The Cloud
 
Securing data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law FirmsSecuring data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law Firms
 
Ensuring secure transfer, access and storage over the cloud storage
Ensuring secure transfer, access and storage over the cloud storageEnsuring secure transfer, access and storage over the cloud storage
Ensuring secure transfer, access and storage over the cloud storage
 
A Detailed Analysis of the Issues and Solutions for Securing Data in Cloud
A Detailed Analysis of the Issues and Solutions for Securing Data  in CloudA Detailed Analysis of the Issues and Solutions for Securing Data  in Cloud
A Detailed Analysis of the Issues and Solutions for Securing Data in Cloud
 
Is The Cloud Secure Enough For Your Data?
Is The Cloud Secure Enough For Your Data?Is The Cloud Secure Enough For Your Data?
Is The Cloud Secure Enough For Your Data?
 
Securing Apps and Data in the Cloud and On-Premises with OneLogin and Duo Sec...
Securing Apps and Data in the Cloud and On-Premises with OneLogin and Duo Sec...Securing Apps and Data in the Cloud and On-Premises with OneLogin and Duo Sec...
Securing Apps and Data in the Cloud and On-Premises with OneLogin and Duo Sec...
 
Quality of Service Control Mechanisms in Cloud Computing Environments
Quality of Service Control Mechanisms in Cloud Computing EnvironmentsQuality of Service Control Mechanisms in Cloud Computing Environments
Quality of Service Control Mechanisms in Cloud Computing Environments
 
System z Mainframe Data with Amazon S3 and Amazon Glacier (ENT107) | AWS re:I...
System z Mainframe Data with Amazon S3 and Amazon Glacier (ENT107) | AWS re:I...System z Mainframe Data with Amazon S3 and Amazon Glacier (ENT107) | AWS re:I...
System z Mainframe Data with Amazon S3 and Amazon Glacier (ENT107) | AWS re:I...
 
AWS Data Transfer Services: Accelerating Large-Scale Data Ingest Into the AWS...
AWS Data Transfer Services: Accelerating Large-Scale Data Ingest Into the AWS...AWS Data Transfer Services: Accelerating Large-Scale Data Ingest Into the AWS...
AWS Data Transfer Services: Accelerating Large-Scale Data Ingest Into the AWS...
 

Semelhante a The Trusted Cloud Transfer Protocol (TCTP)

Vulnerability-tolerant Transport Layer Security
Vulnerability-tolerant Transport Layer SecurityVulnerability-tolerant Transport Layer Security
Vulnerability-tolerant Transport Layer SecurityMiguel Pardal
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxjithu26327
 
Innovation is back in the transport and network layers
Innovation is back in the transport and network layersInnovation is back in the transport and network layers
Innovation is back in the transport and network layersOlivier Bonaventure
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdfSECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdfNiharikaDubey17
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured  CommunicationsTLS/SSL - Study of Secured  Communications
TLS/SSL - Study of Secured CommunicationsNitin Ramesh
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
TCP Over Wireless
TCP Over WirelessTCP Over Wireless
TCP Over WirelessFarooq Khan
 
Juglouvain http revisited
Juglouvain http revisitedJuglouvain http revisited
Juglouvain http revisitedmarctritschler
 
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...Positive Hack Days
 
Application Layer and Protocols
Application Layer and ProtocolsApplication Layer and Protocols
Application Layer and ProtocolsRubal Sagwal
 

Semelhante a The Trusted Cloud Transfer Protocol (TCTP) (20)

Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
Vulnerability-tolerant Transport Layer Security
Vulnerability-tolerant Transport Layer SecurityVulnerability-tolerant Transport Layer Security
Vulnerability-tolerant Transport Layer Security
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptx
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
 
Part 7 : HTTP/2, UDP and TCP
Part 7 : HTTP/2, UDP and TCPPart 7 : HTTP/2, UDP and TCP
Part 7 : HTTP/2, UDP and TCP
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
Fit project
Fit projectFit project
Fit project
 
Innovation is back in the transport and network layers
Innovation is back in the transport and network layersInnovation is back in the transport and network layers
Innovation is back in the transport and network layers
 
tor
tortor
tor
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdfSECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
 
TCPLS presentation @ietf 109
TCPLS presentation @ietf 109TCPLS presentation @ietf 109
TCPLS presentation @ietf 109
 
Future Internet protocols
Future Internet protocolsFuture Internet protocols
Future Internet protocols
 
SSL overview
SSL overviewSSL overview
SSL overview
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured  CommunicationsTLS/SSL - Study of Secured  Communications
TLS/SSL - Study of Secured Communications
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
TCP Over Wireless
TCP Over WirelessTCP Over Wireless
TCP Over Wireless
 
Juglouvain http revisited
Juglouvain http revisitedJuglouvain http revisited
Juglouvain http revisited
 
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
 
HTTPS, Here and Now
HTTPS, Here and NowHTTPS, Here and Now
HTTPS, Here and Now
 
Application Layer and Protocols
Application Layer and ProtocolsApplication Layer and Protocols
Application Layer and Protocols
 

Último

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Último (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

The Trusted Cloud Transfer Protocol (TCTP)

  • 1. The Trusted Cloud Transfer Protocol
    Mathias Slawik, Technische Universität Berlin
    Service-centric Networking, Telekom Innovation Laboratories
    Public private partnership of Technische Universität Berlin and Deutsche Telekom
  • 2. Topics
    • Motivation
    • TCTP and the State-of-the-Art
    • Evaluation
    The Trusted Cloud Transfer Protocol 2
  • 3. TCTP in a nutshell
    • End-to-end HTTP security
    • Secure communication through cloud proxies
    • Encapsulation of TLS in HTTP
    • Related work challenges
  • 4. TCTP Motivation: To proxy or not to proxy...
  • 5.
  • 6.
  • 7. HTTP proxy challenge
    a) Relay TLS?
    b) Act as TLS server?
  • 8. a) Relay TLS?
    ✓ Plaintext confidentiality
    ✗ HTTP management
  • 9. b) Act as TLS server?
    ✓ HTTP management
    ✗ Plaintext confidentiality
  • 10. Loss of plaintext confidentiality
    • Privacy risks
    • More security effort
    • Violation of legal obligations
    • Risk of unauthorized access
  • 11. c) ?
  • 12. HTTP Messages
      POST /patients HTTP/1.1↩
      Content-Type: text/json↩
      Content-Length: 81↩
      ↩
      {↩
      "name" : "John Doe",↩
      "status" : "therapy",↩
      "reason" : "broken leg"↩
      }
    • Header fields: less confidential; needed for HTTP mgmt.
    • Entity body: often confidential; not needed for HTTP mgmt.
  • 13. c) Entity body encryption
    ✓ Entity body confidentiality
    ✓ HTTP management
  • 14. F*****g TCTP, how does it work?
  • 15. TCTP: Process
    1. End-to-end key exchange
    2. HTTP entity body encryption
    3. ?
    4. Profit
  • 16. TCTP
    • Encapsulation of TLS
    • Key exchange: TLS Handshake protocol
    • Body encryption: TLS Records
  • 17. Key exchange
  • 18. HALEC
    • HTTP Application Layer Encryption Channel
    • Persists TLS session state
    • Required for multiple connections
    • Identified by URL
  • 19. Body encryption
      POST /patients HTTP/1.1↩
      Content-Type: text/json↩
      Content-Length: 81↩
      Content-Encoding: encrypted↩
      ↩
      /halecs/1Mfjk941xkFe↩
      [encrypted TLS records]
    • Unencrypted header fields allow HTTP management
    • First body line: HALEC URL
    • Encrypted TLS records contain the HTTP body
  • 20. TCTP Novelties: Why another protocol?
  • 21. State-of-the-Art
    • S/MIME
    • XML Encryption / Signature
    • HTTPSec
    • (S-HTTP)
    • (Any tinkered solution)
  • 23. Message-flow protection
  • 24. Streaming capabilities
  • 25. Discovery mechanism
  • 26. Easily implemented (Basis: TLS)
  • 27. TCTP does not ...
    ... fix the broken CA system.
    ... prevent information disclosure through URLs
  • 28. Evaluation
  • 29. TCTP Prototype (architecture diagram)
    • Components: TCTP Middleware, Webserver (Thin), Lorem Ipsum App, TCTP Library, TCTP Client script
    • Captions: Secure webserver access. Reusable TCTP library. TCTP for any Ruby web application. Test data generation for benchmark.
  • 30. TCTP Overhead
    • Conceptual overhead: discovery & handshake round trip
    • Technical overhead: handshake, encryption, processing
  • 31. Impacts on performance
    • Network latency
    • Hardware performance
    • TLS library efficiency
    • Framework overhead
    • TCTP software efficiency
  • 32. Benchmarks
  • 33. Processing Overhead (bar chart)
    Hardware: Intel Core i7-3520M, Windows 8.1, Ruby 2.0
    Bar values as extracted: 4,63 %, 4,94 %, 1,50 %, 11,38 %, 2,08 %
    x-axis: 1 kB, 2.5 kB, 5 kB, 7.5 kB, 10 kB; y-axis: overhead in %, 0 to 20
  • 34. Combined overhead (network latency × number of requests)
      Latency   1 req     10 req    100 req   1k req
      50 ms     133,77%   40,66%    9,21%     5,30%
      100 ms    103,36%   30,87%    7,97%     5,18%
      250 ms    82,94%    24,83%    7,22%     5,10%
  • 35. What's next?
    • Implementation of TCTP enabled proxy (ongoing)
    • Watch our Github!
    • Application of TCTP in TRESOR
  • 36. Summary
  • 37. To sum up...
    • TCTP: end-to-end HTTP security
    • TCTP: addresses challenges
    • Preliminary results: promising
  • 38. Thank you. Fork me. https://github.com/TU-Berlin-SNET/tctp-rack
  • 39. Backup
  • 40. Efficient presentation
    • Minimize transmitted data
    • XML: XML, S/MIME: Base64
    • TCTP: Binary, compressed TLS records
  • 41. Efficient presentation (chart)
  • 42. Capability discovery
    • Discover: What resources need protection? Where to perform the handshake?
    • Related work: None
    • TCTP: Discovery mechanism
  • 43. Capability discovery
      OPTIONS * HTTP/1.1↩
      Accept: text/prs.tctp-discovery↩
      ↩
      HTTP/1.1 200 OK↩
      Content-Type: text/prs.tctp-discovery↩
      Content-Length: 81↩
      ↩
      /:↩
      /(service(.+?))?:↩
      /(service(.+?)/)?static.*:↩
      /(service(.+?)/)?.*:/1/halecs
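The discovery document in the exchange above carries one rule per line: a path pattern, a colon, and the URL at which a HALEC has to be created for paths matching that pattern. As an added example in Ruby, the language of the tctp-rack prototype (this is not the project's own code), the following parses such a document and resolves request paths against it. The rule semantics are assumptions the slides leave open: each pattern is a regular expression that must match the whole path, the first matching line wins, and an empty URL means the resource is not TCTP-protected. DISCOVERY_BODY is the slide's response body embedded as a constructed sample.

```ruby
# Added example, not code from the tctp-rack project. Parses a TCTP discovery
# document like the one on slide 43 and resolves a request path to the URL
# where the HALEC handshake must be performed. Assumed semantics (the slides
# do not spell them out): one "<regex>:<halec-url>" rule per line, the regex
# has to match the whole path, the first matching rule wins, and an empty
# URL means the resource is not TCTP-protected.

DISCOVERY_MEDIA_TYPE = "text/prs.tctp-discovery" # media type shown on slide 43

# Constructed sample: the body of the OPTIONS response on slide 43.
DISCOVERY_BODY = <<~DOC
  /:
  /(service(.+?))?:
  /(service(.+?)/)?static.*:
  /(service(.+?)/)?.*:/1/halecs
DOC

Rule = Struct.new(:pattern, :halec_url)

# The OPTIONS * request a client sends to find out whether, and where, TCTP
# is offered (request line and Accept header as on slide 43).
def discovery_request
  "OPTIONS * HTTP/1.1\r\nAccept: #{DISCOVERY_MEDIA_TYPE}\r\n\r\n"
end

# Turn the response body into an ordered list of rules.
def parse_discovery(body)
  body.each_line.map(&:chomp).reject(&:empty?).map do |line|
    idx = line.rindex(":") # split at the last colon; the regex itself may contain colons
    raise ArgumentError, "malformed rule: #{line.inspect}" unless idx
    Rule.new(Regexp.new("\\A#{line[0...idx]}\\z"), line[(idx + 1)..-1])
  end
end

# HALEC creation URL for a path, or nil when the path needs no TCTP protection.
def halec_url_for(rules, path)
  rule = rules.find { |r| r.pattern.match?(path) }
  return nil if rule.nil? || rule.halec_url.empty?
  rule.halec_url
end

if __FILE__ == $PROGRAM_NAME
  rules = parse_discovery(DISCOVERY_BODY)
  %w[/ /patients /service1/static/app.js /halecs/new].each do |path|
    puts "#{path.ljust(28)} -> #{halec_url_for(rules, path).inspect}"
  end
end
```

Because every pattern is anchored to the whole path, the catch-all last rule is what sends an application resource such as /patients to /1/halecs, while the root document and static files fall through the earlier rules unprotected.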
  • 44. Secure key exchange
    • XML Enc/Sig & S/MIME: None specified; normally out of band
    • TCTP: TLS handshaking protocol
  • 45. TLS Handshake
      Client                                               Server
      ClientHello                  -------->
                                                      ServerHello
                                                     Certificate*
                                               ServerKeyExchange*
                                              CertificateRequest*
                                   <--------      ServerHelloDone
      Certificate*
      ClientKeyExchange
      CertificateVerify*
      [ChangeCipherSpec]
      Finished                     -------->
                                               [ChangeCipherSpec]
                                   <--------             Finished
      Application Data             <------->     Application Data
  • 46. First client request
      POST /halecs HTTP/1.1↩
      Content-Length: 211↩
      ↩
      [binary TLS record]
    • POST on discovered HALEC creation URL.
    • TLS Record: client_hello
  • 47. Server response
      HTTP/1.1 200 OK↩
      Content-Length: 1050↩
      Location: /halecs/Adaw7VXdVpu↩
      ↩
      [binary TLS records]
    • Location: URL of new HALEC
    • TLS Records: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
  • 48. Second client request
      POST /halecs/Adaw7VXdVpu HTTP/1.1↩
      Content-Length: 198↩
      ↩
      [binary TLS records]
    • POST on newly created HALEC URL.
    • TLS Records: ClientKeyExchange, ChangeCipherSpec, Finished
  • 49. Server response
      HTTP/1.1 200 OK↩
      Content-Length: 266↩
      ↩
      [binary TLS records]
    • TLS Records: ChangeCipherSpec, Finished
  • 50. Algorithm negotiation
    • XML Enc/Sig, S/MIME: None
    • TCTP: TLS Handshaking Protocol functionality
  • 51. Implementation support
    • XML Enc/Sig, S/MIME: Many frameworks available
    • TCTP: TLS / Web frameworks available; Prototype (complete); Proxy (ongoing)
  • 52. Message-flow protection
    • Prevent proxies from replaying encrypted data
    • Related work only considers single messages
    • TCTP: TLS HMAC prevents replay by proxies
  • 53. Streaming capability
    • Large downloads and media stream challenges
    • Related work: adaptation needed
    • TCTP: TLS record protocol fragments data into 16,384-byte (2^14) parts
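Slides 19, 52 and 53 together describe what TCTP gets from reusing the TLS record layer inside HTTP bodies: header fields stay readable for HTTP management while the body is opaque, each record's MAC ties it to its position in the stream so a proxy cannot replay or reorder it, and large bodies are carried as 2^14-byte fragments. The following added Ruby example (not the tctp-rack code) shows those three properties end to end. It does not run the TLS handshake: a pre-shared 32-byte key and AES-256-GCM records with an explicit sequence number stand in for the TLS session keys and TLS records, which is an assumption made for illustration only; the HALEC URL, the 2-byte record length prefix and the sample JSON body are constructed.

```ruby
require "openssl"
require "securerandom"

# Added example; not code from the tctp-rack project. TCTP carries genuine TLS
# records inside the HTTP body. Here AES-256-GCM records with an explicit
# sequence number stand in for the TLS record layer (an assumption for
# illustration only) so that slides 19, 52 and 53 can be shown in isolation:
# headers readable by a proxy with the body opaque, every record authenticated
# together with its sequence number, bodies split into 2^14-byte fragments.

MAX_FRAGMENT = 2**14 # TLS record plaintext limit (slide 53)

# One end of a HALEC: session key plus send/receive record counters, the
# state that persists across HTTP connections (slide 18).
class Halec
  attr_reader :url

  def initialize(url, key)
    @url = url # constructed, e.g. "/halecs/1Mfjk941xkFe"
    @key = key # 32 bytes; in TCTP this would come from the TLS handshake
    @send_seq = 0
    @recv_seq = 0
  end

  # Constructed record layout: seq(8) || nonce(12) || tag(16) || ciphertext.
  def seal(fragment)
    raise ArgumentError, "fragment exceeds #{MAX_FRAGMENT} bytes" if fragment.bytesize > MAX_FRAGMENT
    header = [@send_seq].pack("Q>")
    nonce = SecureRandom.random_bytes(12)
    c = OpenSSL::Cipher.new("aes-256-gcm")
    c.encrypt
    c.key = @key
    c.iv = nonce
    c.auth_data = header # the sequence number is covered by the tag, so a proxy cannot replay or reorder records
    ct = fragment.empty? ? "".b : c.update(fragment)
    ct << c.final
    @send_seq += 1
    header + nonce + c.auth_tag + ct
  end

  # Inverse of seal; raises on a replayed, reordered or tampered record.
  def unseal(record)
    header, nonce, tag, ct = record.unpack("a8a12a16a*")
    seq = header.unpack1("Q>")
    raise "record #{seq} out of order, expected #{@recv_seq}" unless seq == @recv_seq
    d = OpenSSL::Cipher.new("aes-256-gcm")
    d.decrypt
    d.key = @key
    d.iv = nonce
    d.auth_tag = tag
    d.auth_data = header
    pt = ct.empty? ? "".b : d.update(ct)
    pt << d.final # OpenSSL::Cipher::CipherError if the tag does not verify
    @recv_seq += 1
    pt
  end
end

# Body format of slide 19: the HALEC URL on its own line, then the records
# (each prefixed here with a 2-byte length, mirroring the TLS record header).
def encrypt_body(halec, body)
  b = body.b
  fragments = (0...b.bytesize).step(MAX_FRAGMENT).map { |i| b.byteslice(i, MAX_FRAGMENT) }
  "#{halec.url}\r\n".b + fragments.map { |f| r = halec.seal(f); [r.bytesize].pack("n") + r }.join
end

def decrypt_body(halecs_by_url, enc_body)
  url, rest = enc_body.split("\r\n", 2)
  halec = halecs_by_url.fetch(url) { raise "unknown HALEC #{url}" }
  out = "".b
  until rest.empty?
    len = rest.unpack1("n")
    out << halec.unseal(rest.byteslice(2, len))
    rest = rest.byteslice(2 + len, rest.bytesize)
  end
  out
end

# Header fields stay in the clear (Content-Length counts the encrypted body,
# so a proxy can still frame and route the message); only the body is protected.
def tctp_request(halec, method, path, content_type, body)
  enc = encrypt_body(halec, body)
  "#{method} #{path} HTTP/1.1\r\nContent-Type: #{content_type}\r\n" \
  "Content-Encoding: encrypted\r\nContent-Length: #{enc.bytesize}\r\n\r\n".b + enc
end

# Everything a proxy can learn: request line, header fields and the body size.
def proxy_view(message)
  head, body = message.split("\r\n\r\n", 2)
  lines = head.force_encoding("UTF-8").split("\r\n")
  { request_line: lines[0], headers: lines[1..-1].to_h { |l| l.split(": ", 2) }, body_bytes: body.bytesize }
end

# Receiving end: drop the HTTP framing and decrypt with the HALEC named in the body.
def tctp_unwrap(halecs_by_url, message)
  _head, body = message.split("\r\n\r\n", 2)
  decrypt_body(halecs_by_url, body)
end

if __FILE__ == $PROGRAM_NAME
  key = SecureRandom.random_bytes(32)
  client = Halec.new("/halecs/1Mfjk941xkFe", key)
  server = Halec.new("/halecs/1Mfjk941xkFe", key)
  msg = tctp_request(client, "POST", "/patients", "text/json", '{"name":"John Doe","status":"therapy"}')
  p proxy_view(msg) # headers visible, body only as a byte count
  puts tctp_unwrap({ server.url => server }, msg)
end
```

The proxy_view result is the whole of what an intermediary learns from a message, which is exactly the set of fields slide 12 marks as needed for HTTP management. The sequence check in Halec#unseal is what slide 52 calls message-flow protection: a record presented a second time, or out of order, is rejected even though its authentication tag is valid, and a record with a modified byte fails the tag check itself.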