The case for ubiquitous transport-level encryption
Andrea Bittau, Michael Hamburg, Mark Handley, David Mazières, and Dan Boneh
Stanford and UCL
August 13, 2010

Outline: Introduction, tcpcrypt, Performance, Conclusion

Goals

What would it take to encrypt the vast majority of TCP traffic?
1. Performance. Fast enough to enable by default on almost all servers.
2. End-point authentication. Leverage certificates, cookies, passwords, etc., to achieve best possible security for any given setting.
3. Compatibility. Works in existing networks. Works with legacy apps.

Performance today can be pretty bad

[Figure: bar chart of connections/s. TCP server: 60,156; tcpcrypt server: 19,153; SSL server: 737.]
Biggest problem: cost of public key cryptography.
Worst case: SSL can be 82x slower than TCP...
Worst case: tcpcrypt only 3x slower than TCP!

Problem today: app-level auth divorced from transport

1. SSL encrypts + server auth.
2. App auths client.
[Diagram: SSL authenticates the server using certificates; inside the SSL channel the app sends "Username: Andrea, Password: w00t".]
If step 1 fails, step 2 doesn’t help—in fact, it harms.

What’s the best we can do?

Level of security against a network attacker depends on scenario.

Preconfiguration / use case      Today’s security                  Possible security (goal with tcpcrypt)
-------------------------------  --------------------------------  --------------------------------------
None                             None                              No passive eavesdropping
Server certificate               Server auth                       Server auth
Shared secret (cookie), no SSL   None                              Mutual auth
Shared secret and SSL            Mutual auth if cert and pass OK   Mutual auth if password OK

Backwards compatibility issues

Two prevalent ways of encrypting network traffic:
1. At application layer (e.g., SSL).
   √ Works over almost all networks.
   × Need to modify applications.
   × Application protocol may not allow incremental deployment.
2. At network layer (e.g., IPSec).
   √ Works with all applications.
   × Breaks NAT.
   × Can’t leverage user authentication.
Ubiquitous encryption requires best of both worlds.

tcpcrypt: transport-layer encryption

tcpcrypt: a TCP option for encryption.
1. High server performance: push complexity to clients.
2. Allow applications to authenticate end points.
3. Backwards compatibility: all TCP apps, all networks, all authentication settings.

tcpcrypt overview

- Extend TCP in a compatible way using TCP options.
- Applications use standard BSD socket API.
- New getsockopt for authentication.
- Encryption automatically enabled if both end points support tcpcrypt.

Push expensive operations to clients

Public key operations expensive, but not all equally expensive.
RSA-exp3-2048 performance:

Operation   Latency (ms)
---------   ------------
Decrypt     10.42
Encrypt     0.26

Have client do decrypt.
[Diagram: the client generates an ephemeral key pair and sends the public key; the server generates a random master key and returns enc_pubk(master key).]
Without server authentication, have client decrypt. Lets servers accept connections at 36x rate of SSL.

Link app auth to transport auth

Session ID: hook linking tcpcrypt to app-level authentication.
- New getsockopt returns non-secret Session ID value.
- Unique for every connection (if one endpoint honest).
- If same on both ends, no man-in-the-middle.
[Diagram: password-based authentication of user & Session ID runs between the applications, on top of the Session ID that tcpcrypt exposes at each end.]
Authenticating the Session ID authenticates the end point.
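
The Session ID hook above, as an added example (not from the slides or the tcpcrypt code base): the client MACs the Session ID with the shared password, and the server checks the tag against its own Session ID. The `sessionID` helper, the transcript strings and the HMAC construction are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// sessionID is a stand-in for the value the new getsockopt returns (assumption:
// modelled as a hash of the key-exchange transcript, so separate exchanges differ).
func sessionID(transcript string) []byte {
	h := sha256.Sum256([]byte("sid|" + transcript))
	return h[:]
}

// authTag binds a shared secret to one connection: HMAC(password, user || 0 || SID).
// Simplification: a deployed scheme would use a PAKE or a salted password hash.
func authTag(password, user string, sid []byte) []byte {
	m := hmac.New(sha256.New, []byte(password))
	m.Write([]byte(user))
	m.Write([]byte{0})
	m.Write(sid)
	return m.Sum(nil)
}

// verify is run by the server against its own view of the Session ID.
func verify(password, user string, localSID, tag []byte) bool {
	return hmac.Equal(authTag(password, user, localSID), tag)
}

// relayed models a man in the middle: client<->attacker and attacker<->server are
// two separate key exchanges, so the client's tag covers a different Session ID.
func relayed(password, user string) bool {
	clientSID := sessionID("client-nonce|attacker-nonce-1")
	serverSID := sessionID("attacker-nonce-2|server-nonce")
	return verify(password, user, serverSID, authTag(password, user, clientSID))
}

func main() {
	sid := sessionID("client-nonce|server-nonce") // same exchange seen by both ends
	tag := authTag("w00t", "Andrea", sid)
	fmt.Println("direct connection accepted:", verify("w00t", "Andrea", sid, tag))
	fmt.Println("relayed connection accepted:", relayed("w00t", "Andrea"))
}
```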

Auth example: batch signing

Tcpcrypt: server signs multiple session IDs at once to amortize RSA cost.
[Diagram: signing each Session ID on its own ("A" signed by amazon.com, "B" signed by amazon.com) costs one RSA op per Session ID; signing the batch "A, B, C, D" for SID A, SID B, SID C and SID D costs a single RSA op.]
SSL servers must RSA decrypt each client’s secret.
[Diagram: enc(secret A), enc(secret B), enc(secret C), enc(secret D), each requiring its own RSA op.]
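
A sketch of the batch-signing idea, added here and not taken from the slides or from tcpcrypt itself: one RSA signature covers every pending Session ID, and each client checks both the signature and that its own Session ID is in the batch. The length-prefixed encoding, PKCS#1 v1.5 with SHA-256, and all function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newServerKey makes a throwaway key standing in for the server's certified RSA key.
func newServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// batchDigest hashes the length-prefixed Session IDs (each assumed under 256 bytes).
func batchDigest(sids [][]byte) []byte {
	h := sha256.New()
	for _, s := range sids {
		h.Write([]byte{byte(len(s))})
		h.Write(s)
	}
	return h.Sum(nil)
}

// signBatch spends one RSA private-key operation on all pending Session IDs.
func signBatch(key *rsa.PrivateKey, sids [][]byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, batchDigest(sids))
}

// clientAccepts requires its own Session ID in the batch and a valid signature over it.
func clientAccepts(pub *rsa.PublicKey, mySID []byte, batch [][]byte, sig []byte) bool {
	member := false
	for _, s := range batch {
		member = member || bytes.Equal(s, mySID)
	}
	return member && rsa.VerifyPKCS1v15(pub, crypto.SHA256, batchDigest(batch), sig) == nil
}

func main() {
	key, err := newServerKey()
	if err != nil {
		panic(err)
	}
	batch := [][]byte{[]byte("SID A"), []byte("SID B"), []byte("SID C"), []byte("SID D")} // constructed
	sig, err := signBatch(key, batch)
	fmt.Println("SID C accepted:", clientAccepts(&key.PublicKey, []byte("SID C"), batch, sig), err)
}
```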

Key exchange overview

[Diagram, client and server exchange:
  "Do you support tcpcrypt?"
  "Yes, and I support RSA"
  RSA public key
  enc_pubk(master key), after the server generates a random master key]
Clients periodically generate ephemeral public keys.

tcpcrypt key exchange

SYN - CRYPT(HELLO): probe tcpcrypt
SYN ACK - CRYPT(PKCONF): public key ciphers and key sizes list
ACK - CRYPT(INIT1): symmetric ciphers and MACs list, nonce, public key
ACK - CRYPT(INIT2): encrypted client and server nonce (master key)
crypto on

tcpcrypt negotiation encoded in TCP options.
INIT1 and INIT2 too long: sent as data invisible to apps.

Key scheduling

Master key is hash of:
- Server and client nonces.
- Public key used and negotiated parameters.
[Diagram: Master key -> hash (HMAC) -> TX MAC key, TX enc. key, RX MAC key, RX enc. key, Session ID, and Next master key (labelled enc, MAC, SID).]
Session caching, like in SSL: on reconnect, establish new keys without explicit key exchange.

Session caching

SYN - NEXTK1: New session based on session with ID X
SYN ACK - NEXTK2: OK!
crypto on
ack

Low latency: completes within TCP handshake.

TCP MAC and encryption

[Diagram: TCP segment layout with regions marked "MACed" and "Encrypted". Fields shown: src port, dst port, seq no. (64-bit seq), ack no. (64-bit ack), d.off., flags, window, checksum, urg. ptr., options (e.g., SACK), MAC option, data, TCP length.]
- Allow NATs: do not MAC ports.
- Prevent replay: MAC extended (implicit) seq. no.
- Prevent truncation / extension: MAC length.
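
The three MAC rules above in runnable form, as an added example that is not tcpcrypt's wire format or code: it MACs only the implicit 64-bit sequence number, the length and the data, and leaves out the ack number, flags, options and encryption. HMAC-SHA256, the field layout and the names `seal` and `accept` are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

type segment struct {
	srcPort, dstPort uint16 // rewritten by NATs, so deliberately left out of the MAC
	seq32            uint32 // only the low 32 bits travel in the TCP header
	payload, mac     []byte
}

// segMAC covers the implicit 64-bit sequence number, the length and the data.
func segMAC(key []byte, seq64 uint64, payload []byte) []byte {
	var hdr [10]byte
	binary.BigEndian.PutUint64(hdr[0:8], seq64)
	binary.BigEndian.PutUint16(hdr[8:10], uint16(len(payload)))
	m := hmac.New(sha256.New, key)
	m.Write(hdr[:])
	m.Write(payload)
	return m.Sum(nil)
}

// seal builds a segment on the sender, which tracks the full 64-bit counter.
func seal(key []byte, seq64 uint64, payload []byte) segment {
	return segment{srcPort: 40000, dstPort: 80, seq32: uint32(seq64),
		payload: payload, mac: segMAC(key, seq64, payload)}
}

// accept rebuilds the 64-bit number from the receiver's wrap count and the wire value.
func accept(key []byte, wraps uint32, s segment) bool {
	seq64 := uint64(wraps)<<32 | uint64(s.seq32)
	return hmac.Equal(segMAC(key, seq64, s.payload), s.mac)
}

func main() {
	key := []byte("constructed demo key")
	s := seal(key, 7, []byte("hello"))
	s.srcPort = 51234 // a NAT rewrites the source port in transit
	fmt.Println("after NAT rewrite:", accept(key, 0, s))
	fmt.Println("replayed after 32-bit wrap:", accept(key, 1, s))
	s.payload = s.payload[:3] // truncated in transit
	fmt.Println("truncated:", accept(key, 0, s))
}
```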