tcpcrypt: real transport-level encryption
description
Transcript of tcpcrypt: real transport-level encryption
![Page 1: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/1.jpg)
tcpcrypt:real transport-level encryption
UCL and Stanford.
Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh.
![Page 2: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/2.jpg)
What would it take to encrypt the vast majority of TCP traffic?
Performance• Fast enough to enable by default on almost all
servers.Authentication
• Leverage certificates, cookies, passwords, etc., to give best possible security for any given setting.
Compatibility• Works in existing networks• Works with unmodified legacy applications
![Page 3: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/3.jpg)
An observation on layering of crypto
Encryption is a generic function. Independent of the semantics of the
application. Integrity Protection is a generic function.
What arrives should be what is sent. Authentication is strongly application-specific.
Depends on the semantics of the application.
![Page 4: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/4.jpg)
An observation on layering of crypto
Observation: Encryption and Integrity Protection are lower-layer functions than Authentication.
Encryption and Integrity Protection are natural transport-layer functions. Cannot integrity-protect transport protocol from
above it. Different transport sessions have different security
requirements so cannot share encryption keys. Authentication is application-layer.
![Page 5: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/5.jpg)
Tcpcrypt
![Page 6: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/6.jpg)
Tcpcrypt uses TCP options to provide deployable transport-level encryption.
High server performance - push complexity to clients
Allow applications to authenticate endpoints.
Backwards compatibility: all TCP apps, all networks, all authentication settings.
![Page 7: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/7.jpg)
Tcpcrypt overview
Extend TCP in a compatible way using TCP options.
Existing applications use standard socket API, just like regular TCP. Encryption automatically enabled if both end
points support Tcpcrypt.
Extended applications can use a new getsockopt() for authentication.
![Page 8: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/8.jpg)
Push expensive operations to the client
Public-key operations can be quite assymetric.RSA-exp3-2048 performance:
Operation
Latency
Encrypt 0.26msDecrypt 10.42ms
Perform decrypt on the client:Generate emphemeral key pair:
Generate random master key
public key
encpub_k(master_key)
client server
Initial handshake:No authentication.
Client decrypts.
Lets servers accept connections36x faster than SSL
![Page 9: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/9.jpg)
After initial handshake, tcpcrypt’s Session ID provides the hook to link application authentication to the session. New getsockopt() returns non-secret Session ID value. Unique for every connection. If same on both ends, guaranteed there’s no man-
in-the-middle.
![Page 10: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/10.jpg)
How to check the Session ID?
Out-of-band: e.g., phone call, other secure protocol.
PKI: server signs Session ID. Pre-shared secret: send CMAC of Session ID,
keyed with Pre-shared secret.
![Page 11: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/11.jpg)
QuickTime™ and a decompressor
are needed to see this picture.
sessionID
sessionID
tcpcrypt
Authentication Example:Password-based Mutual Authentication
Whenever a user knows a password, mutual authentication should be used. Does not rely on user to spot spurious URLs.
Authenticating the session ID authenticates the endpoint
password-based auth of user
and session ID
![Page 12: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/12.jpg)
Authentication Example:Password-based Mutual Authentication
![Page 13: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/13.jpg)
Authentication Example:Signing a batch of session IDs to amortize RSA costs
QuickTime™ and a decompressor
are needed to see this picture.
session ID: A
“A”, signed by amazon.comRSA op
session ID: B
“B”, signed by amazon.comRSA op
![Page 14: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/14.jpg)
Authentication Example:Signing a batch of session IDs to amortize RSA costs
QuickTime™ and a decompressor
are needed to see this picture.
session ID: A
session ID: B session ID: D
session ID: C“A,B,C,D” signed
by amazon.com “A,B,C,D” signed
by amazon.com
“A,B,C,D” signed by amazon.com
“A,B,C,D” signed by amazon.comRSA op
![Page 15: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/15.jpg)
SSL servers RSA decrypt each client’s secret:
QuickTime™ and a decompressor
are needed to see this picture.
session ID: A
session ID: B session ID: D
session ID: C“A,B,C,D” signed
by amazon.com “A,B,C,D” signed
by amazon.com
“A,B,C,D” signed by amazon.com
“A,B,C,D” signed by amazon.comRSA op
QuickTime™ and a decompressor
are needed to see this picture.
enc(Secret A) enc(Secret C)
enc(Secret D)enc(Secret B)
RSA op
RSA op RSA op
RSA op
![Page 16: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/16.jpg)
Tcpcryptin detail
![Page 17: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/17.jpg)
Outline of Tcpcrypt key exchange
![Page 18: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/18.jpg)
Key exchange is performed in the TCP connection setup handshake.
![Page 19: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/19.jpg)
Key Scheduling
![Page 20: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/20.jpg)
Tcpcrypt in TCP Packets
![Page 21: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/21.jpg)
Crypto state can be cached.Subsequent connections between the same endpoints get similar latency to regular TCP.
![Page 22: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/22.jpg)
Key Scheduling 2
![Page 23: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/23.jpg)
TcpcryptPerformance
![Page 24: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/24.jpg)
Tcpcrypt implementations
Linux kernel implementation: 4,500 lines of code Portable divert-socket implementation: 7000 LoC
Tested on Windows, MacOS, Linux, FreeBSD
Binary compatible OpenSSL library that attempts tcpcrypt with batch-signing or falls back to SSL.
kernel
tcpcryptd applicationNetwork
![Page 25: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/25.jpg)
Apache using tcpcrypt performs well.
Hardware: 8-core, 2.66GHz Xeon (2008-era). Software: Linux kernel implementation.
![Page 26: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/26.jpg)
Authentication over Tcpcrypt is fast.
![Page 27: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/27.jpg)
What would it take to encrypt all the traffic on the Internet, by default, all the
time?
![Page 28: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/28.jpg)
Why tcpcrypt?
Want to protect TCP packet headers. Defend against insertion attacks, etc. But still traverse NATs, firewalls that rewrite sequence
numbers. Want on-by-default encryption for existing unmodified
apps to protect against passive easesdropping. Fast enough to enable on all servers by default. Won’t break - downgrades to TCP if necessary.
Easy incremental deployment story due to negotiation in TCP handshake.
![Page 29: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/29.jpg)
Why tcpcrypt?
Want to enable and encourage appropriate authentication above tcpcrypt. Cert-based, mutual auth, PAKE, etc, as appropriate. Eg. can support connectbyname() in a shim library,
and leverage DANE for auth.
Separation of layering provides flexibility. Eg. allows corporate firewall to do encryption and app
to still do authentication, so corporate IDS still works.• tcpcryptd on firewall• RPC to get session ID.
![Page 30: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/30.jpg)
Summary: tcpcrypt can enable ubiquitous transport level encryption High server performance makes encryption
a realistic default. Applications can leverage Tcpcrypt to
maximize communication security in every setting.
Incrementally deployable, compatible with legacy apps, TCP and NATs.
http://tcpcrypt.org
![Page 31: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/31.jpg)
Spare slides
![Page 32: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/32.jpg)
Connection setup latency is slightly increased due to client-side RSA decrypt.
ProtocolLAN
connect time (ms)
TCP 0.2tcpcrypt cached 0.3tcpcrypt not cached 11.3SSL cached 0.7SSL not cached 11.6tcpcrypt batch sign 11.2tcpcrypt CMAC 11.4tcpcrypt PAKE 15.2
![Page 33: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/33.jpg)
Most authentication can be done very cheaply, once the Tcpcrypt session is established.
ProtocolLAN
connect time (ms)
TCP 0.2tcpcrypt cached 0.3tcpcrypt not cached 11.3SSL cached 0.7SSL not cached 11.6tcpcrypt batch sign 11.2tcpcrypt CMAC 11.4tcpcrypt PAKE 15.2
![Page 34: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/34.jpg)
Batch signing does not add additional latency
![Page 35: tcpcrypt: real transport-level encryption](https://reader031.fdocuments.net/reader031/viewer/2022011717/568160f3550346895dd02cc1/html5/thumbnails/35.jpg)
Data encryption is very fast on today’s CPUs