From Event to Action: Accelerate Your Decision Making with Real-Time Automation
The Trusted Cloud Transfer Protocol (TCTP)
1. Service-centric Networking, Telekom Innovation Laboratories
Public private partnership of Technische Universität Berlin and Deutsche Telekom
Mathias Slawik,
Technische Universität Berlin
The Trusted Cloud
Transfer Protocol
3. TCTP in a nutshell
• End-to-end HTTP security
• Secure communication
through cloud proxies
• Encapsulation of TLS in HTTP
• Related work challenges
The Trusted Cloud Transfer Protocol 3
7. HTTP proxy challenge
a) Relay TLS?
b) Act as TLS
Server?
The Trusted Cloud Transfer Protocol 7
8. a) Relay TLS?
Plaintext confidentiality
HTTP management
The Trusted Cloud Transfer Protocol 8
9. b) Act as TLS server?
HTTP management
Plaintext confidentiality
The Trusted Cloud Transfer Protocol 9
10. Loss of plaintext confidentiality
• Privacy risks
• More security effort
• Violation of legal obligations
• Risk of unauthorized access
The Trusted Cloud Transfer Protocol 10
29. TCTP Prototype
29
TCTP Middleware
Webserver (Thin)
Lorem Ipsum App
TCTP
Library
TCTP
Client script
Secure
webserver
access.
Reusable
TCTP library.
TCTP for any
Ruby web
application.
Test data
generation for
benchmark.
42. Capability discovery
• Discover
• What resources need protection?
• Where to perform the handshake?
• Related work: None
• TCTP: Discovery mechanism
The Trusted Cloud Transfer Protocol 42
44. Secure key exchange
• XML Enc/Sig & S/MIME
• None specified
• Normally out of band
• TCTP
• TLS handshaking protocol
The Trusted Cloud Transfer Protocol 44
45. TLS Handshake
The Trusted Cloud Transfer Protocol 45
Client Server
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
46. First client request
The Trusted Cloud Transfer Protocol 46
POST /halecs HTTP/1.1↩
Content-Length: 211↩
↩
Î ÊR��[ñ�l�
Kf¢u¹§ê:çñtÃ�xÛd8ãÐ}U ÀÀ
9 8 � �ÀÀ 5 �ÀÀ ÀÀ ÀÀ 3
2 � � E DÀÀ / � A ÀÀÀÀ
ÿ D
4 2
#
POST on discovered HALEC
creation URL.
TLS Record
client_hello
47. Server response
The Trusted Cloud Transfer Protocol 47
HTTP/1.1 200 OK↩
Content-Length: 1050↩
Location: /halecs/Adaw7VXdVpu↩
↩
5 1R��[ym�9¥_z-
Ôc�N½>É°_�õE4prÏ 9 ÿ #
�
�0�0�� 000131120095643Z131
120105643Z0,10Utctp-
server10�&��ò,dtctp0�"0*�H�÷
� 0��·Â
"!��º}�ÿ�Aî)ád±óµó�)ßn...
URL of new HALEC
TLS Records:
ServerHello, Certificate,
ServerKeyExchange,
ServerHelloDone
48. Second client request
The Trusted Cloud Transfer Protocol 48
POST /halecs/Adaw7VXdVpu HTTP/1.1↩
Content-Length: 198↩
↩
� � �äZ�«EÕ)UÿØ3Ô6á�
,Ý4�Ê<e>�_ùßó{¹5¨AæP¬/3��yàDÔÖÃ
Z!q}ög�hV*ÁM³Yoÿì|.w�Í×3ø<7MJúÑ
!¢.=æÜ�m3ÂgÍ)IH�Ë¡iê±��¶Tù
06Fnq#ã§ebðÚ
H�v�Ãv�Fäw´ñ¥mF�?ø?[iqi�_Ø`ìar
JQ
POST on newly created
HALEC URL.
TLS Records:
ClientKeyExchange,
ChangeCipherSpec,
Finished
50. Algorithm negotiation
• XML Enc/Sig, S/MIME
• None
• TCTP
• TLS Handshaking Protocol
functionality
The Trusted Cloud Transfer Protocol 50
51. Implementation
support
• XML Enc/Sig, S/MIME
• Many frameworks available
• TCTP
• TLS / Web frameworks available
• Prototype (complete)
• Proxy (ongoing)
The Trusted Cloud Transfer Protocol 51
52. Message-flow protection
• Prevent proxies from replaying
encrypted data
• Related work does only
consider single messages
• TCTP: TLS HMAC prevents
replay by proxies
The Trusted Cloud Transfer Protocol 52
53. Streaming capability
• Large downloads and media
stream challenges
• Related work: adaptation needed
• TCTP: TLS record protocol
fragments data into 16.384 byte
(2^14) parts
The Trusted Cloud Transfer Protocol 53