TLS Handshake Proxying - From theory to reality
IEEE S&P, April 20, 2014. Nick Sullivan (@grittygrease)

Uploaded by nicholas-sullivan, posted 14-Jun-2015

DESCRIPTION

In this talk we look into new techniques to reduce the latency of Transport Layer Security (TLS) session establishment by delegating part of the handshake to a third party, while limiting the amount of trust placed in that third party. The proposed solution combines TLS with a globally distributed network by splitting the TLS state machine geographically: the handshake runs at the network edge, and the private-key operation is performed by a separate private key proxy service under the site owner's control.

TRANSCRIPT

Page 1: TLS Handshake Proxying - From theory to reality

TLS Handshake Proxying: From theory to reality

IEEE S&P April 20, 2014 Nick Sullivan

@grittygrease

Page 2: Two competing goals on the web

• Security & Privacy

• Performance

Page 3: Privacy: SSL/TLS

• Point-to-point authentication and encryption

• The little lock icon in your browser

• Browser-server model

• Server certificate bound to a public key, signed by a Certificate Authority

• Private key provides authentication of server to client

• Session key established with handshake

Page 4: (diagram; label: Private Key)

Page 5: Problem with TLS

• Web servers (nginx, Apache, IIS) read private keys from disk and use them in memory

• Private key disclosure allows:

  • Server impersonation

  • Retroactive decryption of sessions that used the RSA key exchange (no forward secrecy: the recorded premaster secret can be decrypted with the key at any later time)

Page 6: Private key security - protection

• Process memory disclosure

  • Secure allocation

  • Separate process for private key

• Machine DMA attack

  • Encrypted memory

  • Hardware: HSM or TPM

• Machine compromise or theft

  • ???

Page 7: Web performance

• The web is changing: consolidation at the edge of the network

• CDNs provide distributed global load balancing

• TLS needs to be terminated at the caching layer

• Private keys need to be distributed to the edge

• This is why banks do not use CDNs - yet

Page 8: Traditional traffic routing (diagram)

Page 9: Anycast routing with reverse proxy (diagram)

Page 10: Two contradictory goals

• Global load balancing of TLS

• Private key security

Page 11: Keyless SSL

• Compromise between key security and performance

• Split the state machine geographically

• Private key operation performed at the site owner's facility (in an HSM, etc.)

• Rest of the handshake performed at the edge

• Communicate with the signing server over a secure tunnel
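The split described on this slide (and the "separate process for private key" option on Page 6) can be seen in working code. What follows is an added example, not code from the talk or from the production implementation it describes: a Go program in which the edge terminates TLS with the standard crypto/tls package but holds only the certificate. Its crypto.Signer forwards the handshake digest to a key server that alone holds the P-256 key, which is the signing variant of the split (with the RSA key exchange the remote operation would instead be the decryption of the premaster secret). The host name example.test, the KeyServer and RemoteSigner types, the digest-length policy check and the direct function call standing in for the secure tunnel are all assumptions made for this demo; a real deployment puts an authenticated tunnel between the two sites.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// KeyServer stands in for the site owner's facility (key server or HSM).
// It is the only component that ever holds the private key.
type KeyServer struct {
	priv  *ecdsa.PrivateKey
	Calls int // private-key operations performed; lets the demo prove the split happened
}

// Sign answers one signing request from the edge. Policy lives here: only a
// 32-byte SHA-256 digest is signed (an assumed minimal policy), so the edge
// cannot use the key server to sign arbitrary material. It cannot stop a
// compromised edge from requesting TLS signatures while its tunnel is up;
// what it guarantees is that the key itself never reaches the edge.
func (k *KeyServer) Sign(digest []byte) ([]byte, error) {
	if len(digest) != 32 {
		return nil, fmt.Errorf("key server: refusing %d-byte digest", len(digest))
	}
	k.Calls++
	return ecdsa.SignASN1(rand.Reader, k.priv, digest)
}

// RemoteSigner is all the edge holds: the public key and a tunnel to the key
// server. Because it satisfies crypto.Signer, crypto/tls runs the entire
// handshake at the edge and calls out only for the CertificateVerify (TLS 1.3)
// or ServerKeyExchange (TLS 1.2) signature.
type RemoteSigner struct {
	pub    *ecdsa.PublicKey
	tunnel func(digest []byte) ([]byte, error) // stands in for the secure tunnel
}

func (r *RemoteSigner) Public() crypto.PublicKey { return r.pub }

func (r *RemoteSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts.HashFunc() != crypto.SHA256 {
		return nil, errors.New("edge: key server only signs SHA-256 digests")
	}
	return r.tunnel(digest)
}

// SetupKeyServer generates the P-256 key and a self-signed certificate for the
// hypothetical host example.test. Only the certificate leaves the key server.
func SetupKeyServer() (*KeyServer, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return &KeyServer{priv: priv}, der, nil
}

// ProxiedHandshake runs a full handshake between a browser-like client and an
// edge that has the certificate but no private key, over an in-memory pipe.
// It returns the negotiated TLS version and the key-server operation count.
func ProxiedHandshake() (uint16, int, error) {
	ks, der, err := SetupKeyServer()
	if err != nil {
		return 0, 0, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, 0, err
	}
	edgeCfg := &tls.Config{
		Certificates: []tls.Certificate{{
			Certificate: [][]byte{der},
			PrivateKey:  &RemoteSigner{pub: leaf.PublicKey.(*ecdsa.PublicKey), tunnel: ks.Sign},
			Leaf:        leaf,
		}},
		SessionTicketsDisabled: true, // no post-handshake writes on the unbuffered pipe
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	clientCfg := &tls.Config{RootCAs: roots, ServerName: "example.test"}

	cc, sc := net.Pipe()
	defer cc.Close()
	defer sc.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(sc, edgeCfg).Handshake() }()
	client := tls.Client(cc, clientCfg)
	if err := client.Handshake(); err != nil {
		return 0, 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, 0, err
	}
	return client.ConnectionState().Version, ks.Calls, nil
}

func main() {
	v, n, err := ProxiedHandshake()
	if err != nil {
		panic(err)
	}
	fmt.Printf("handshake ok: TLS 0x%04x, private-key operations at key server: %d\n", v, n)
}
```

Run it with go run: the counter shows that the key server performed exactly one private-key operation for the whole handshake; the key exchange, certificate delivery and record protection all happened at the edge. The check a practitioner wants to keep in mind is the one the length test only hints at: the key server cannot distinguish a legitimate CertificateVerify digest from one a compromised edge sends it, so what the split buys is that the key cannot be copied off the edge, while the site owner's signing policy and the authentication of the tunnel bound how long an attacker who controls an edge node can keep obtaining signatures.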

Page 12: Keyless SSL (diagram)

Page 13: Keyless SSL

• All static assets served over TLS from the edge

• Dynamic assets served from the origin through the reverse proxy

Page 14: (diagram; label: Private Key)

Page 15: (diagram; label: Private Key)

Page 16: Keyless SSL - In Production

• This is not an academic exercise or proof of concept

• Based on modified nginx/OpenSSL

• Customers include:

  • A top Wall Street investment bank

  • A top Silicon Valley Internet company

Page 17: Keyless SSL - Security

• Formal proof of security: joint work with Douglas Stebila

• Code audit by iSEC Partners
