DOCSLIB.ORG

Performance Study of Kernel TLS Handshakes

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Performance Study of Kernel TLS Handshakes Performance study of kernel TLS handshakes 1st Alexander Krizhanovsky, 2nd Ivan Koveshnikov Tempesta Technologies, Inc. Seattle, USA [email protected], [email protected] Abstract Tempesta TLS [17] is a high performance TLS implemen- tation and is the part of Tempesta FW project. Tempesta TLS Tempesta TLS, a part of Tempesta FW, implements TLS hand- is a Linux kernel module and at the moment is tightly coupled shakes in the Linux kernel and focuses on performance to filter with the main Tempesta FW module. However, in this paper out application layer DDoS attacks. We started development from the fork of mbed TLS library, but it took significant ef- we discuss required changes of the module to include it into fort to make it fast, so we ended up with full reworking of the the main Linux kernel tree. library. The design of Tempesta TLS was discussed in our pre- In this work we evaluate how much performance we can vious work [17]. get by moving TLS handshake into the kernel space. While The main focus of this paper is to explore how much perfor- our development work is still in progress we see that Tem- mance we can get for TLS handshake itself and the whole ap- pesta TLS establish 40-80% more TLS connections per sec- plication, on example of HTTPS server, by moving TLS hand- ond in comparison with OpenSSL/Nginx. We also cover the shake into the kernel space. While performance optimization modern research and CPU technologies, which are still not of the TLS handshakes mathematics is still in progress, we employed in TLS libraries such as OpenSSL or WolfSSL, but observed that Tempesta TLS can establish 40-80% more TLS can significantly improve TLS handshakes performance. connections per second than OpenSSL/Nginx and provide up to x4 lower latency in some tests. Besides higher performance, the kernel TLS handshake implementation allows to separate the management of private In this paper we study software optimizations of server-side keys and certificates from a web accelerator working process. full TLS 1.2 handshakes using ECDHE and ECDSA on the NIST P-256 curve as well as abbreviated TLS 1.2 handshakes. In this scheme the worker process doesn’t have access to the We conclude the paper with the architecture and the user space security sensitive data stored in the kernel space. A sepa- API proposals for the Linux kernel upstream. rate, privileged, process can be introduced to load and man- age TLS keys and certificates in the Linux kernel. This is a best practice for large secure web clusters [8], but it is still un- Keywords available for small installations without loss of performance. TLS, Linux kernel, fast computations on elliptic curves KPTI impact on performance User space TLS handshakes KPTI (Kernel Page Table Isolation) is a mitigation technol- TLS handshake is one of the slowest part of an HTTPS trans- ogy against recent Meltdown [27] vulnerability. Two sets of action on a web accelerator or a load balancer. TLS 1.2 ses- address space page tables are maintained in the kernel. One sion resumption and 0-rtt mode of TLS 1.3 solve the problem is ”full” and contains both the kernel and the user space ad- for returning users, but new users still cause significant load dresses. The other contains user space addresses and only the onto a server. Moreover, some modes, e.g. RSA handshakes minimal set of kernel-space mappings. Every syscall or in- or TLS 1.2 session resumption, require move intensive com- terrupt switches the minimal user space page table to ”full” putations on the server side than on the client side. These two kernel copy and switches them back on returning to the user factors make TLS handshakes an attractive target for asym- space [16]. This causes a notable overhead for syscall-heavy metric application level DDoS attacks [17]. and interrupt-heavy workloads [22, 30]. Tempesta FW [18] is an open source hybrid of a web ac- An in-kernel TLS handshake implementation does not celerator and an application level firewall embedded into the need to switch between the kernel and user spaces, so KPTI Linux TCP/IP stack to reach maximum performance and flex- is not involved. Our goal was to see how performance of a ibility. The main target for Tempesta FW is to provide an user-space HTTPS server suffers from KPTI. open source alternative to proprietary solutions like F5 BIG- We expected to see high KPTI impact on the performance IP and cloud based software stacks like CloudFlare. Such due to many network I/O system calls and a lot of memory solutions must efficiently process massive legitimate traffic allocations. But our measurements showed less than 4% per- as well as to filter out various DDoS and web attacks. formance drop on system with security mitigations enabled. TLS w/o KPTI w/ KPTI Delta The kernel and TLS versions impact on 1.2 8’735 8’401 -3.82% performance 1.3 7’734 7’473 -3.37% TLS handshake involves not so many network I/O system As Tempesta TLS was initially based on Linux kernel 4.14 calls, so the performance impact was not very high. All the and will be ported on the next LTS release after Linux 5.7, hottest functions are related to cryptographic operations and we also compared TLS handshake performance on that ker- memory allocations. Network I/O is not very high. Glibc nel versions. All mitigations available in both kernels was caches memory allocations to reduce the number of system switched on. Kernel Handshakes/s 95P Latency, ms calls. Thus, the overall kernel overhead was not high enough to cause a severe performance gap. Web server functions are TLS 1.2 New sessions also not noticeable in the perf report since no HTTP message 4.14 7’624 498 exchange happens in this scenario. At the below is CPU util- 5.7 7’284 466 isation by the hottest functions. -4.5% -6.4% TLS 1.2 Session Resumption Functions Overhead 4.14 19’203 246 libcrypto.so: 30.7% 5.7 17’452 112 ecp nistz256 mul montx, -9% -54% ecp nistz256 sqr montx, sha256 block data order avx2, TLS 1.3 New sessions ecp nistz256 avx2 gather w7, 4.14 7’147 315 OPENSSL cleanse, 5.7 6’811 466 ecp nistz256 ord sqr montx, -4.7% +47% ecp nistz256 point doublex, TLS 1.3 Session Resumption ecp nistz256 sub fromx, 4.14 6’472 287 ecp nistz256 mul by 2x, 5.7 6’183 342 ecp nistz256 point addx, -4.4% +19% ecp nistz256 point add affinex, The 5.7 kernel in all tests makes 4.5-9% less handshakes aesni ecb encrypt, in second than the 4.14 kernel. It’s also interesting that the BN num bits word, latency on TLS 1.2 is significantly lower on 5.7 kernel while EVP MD CTX reset TLS 1.3 shows the opposite picture. libc.so: int malloc, int free, 13.2% As only handshake performance is evaluated, no applica- malloc, malloc consolidate, cfree, tion data is sent and RTT between our servers is too small for memmove avx unaligned erms, real life scenario, TLS 1.3 can’t benefit from 0-RTT capabil- memset avx2 unaligned erms ity in this test. Moreover, TLS 1.3 handshake performance kernel: do syscall 64, en- 4.5% is always lower than TLS 1.2 for 7% in our tests. This hap- try SYSCALL 64, pre- pens because TLS 1.3 performs more encryption/decryption pare exit to usermode, and hashing operations. Also TLS 1.3 doesn’t show signifi- syscall return via sysret, com- cant performance boost on session resumption, instead it even mon interrupt loses 9%. Unlike in TLS 1.2, the master key is not directly nginx:- 0% reused in TLS 1.3, instead a unique shared secret is generated Since performance drop for the user-space HTTPS server and combined with the master key [35]. This performance is not high in this scenario, user-space HTTPS server can not trade-off allows forward secrecy and saves TLS 1.3 connec- benefit a lot by disabling KPTI. tion from the master key compromission. FPU state manipulations SRBDS impact on performance The Linux kernel provides kTLS [34] acceleration of TLS Mitigation against the special register buffer data sampling AES-GCM encryption and decryption: now sendfile() can (SRBDS) attack [12] can be applied only as a microcode up- transfer encrypted TLS payload without going to the user date. The mitigation affects RDRAND processor operation space for encryption. The implementation uses x86-64 CPU performance which is used in the handshake processing. Per- extensions involving the FPU, which is responsible for SIMD formance impact is higher for TLS 1.3 protocol, telling that CPU extensions and which is usually unavailable for the RDRAND operation is used in TLS 1.3 more frequently than Linux kernel code. To use the extensions the FPU state must in TLS 1.2. be saved with kernel fpu begin() function and then restored TLS w/o SRBDS w/ SRBDS Delta with kernel fpu end(). 1.2 8’735 8’281 -5.20% The FPU state manipulations aren’t cheap. In our previous 1.3 7’734 6’605 -14.60% work [17] we evaluated the cost of the FPU manipulations Both the user-space and kernel-space TLS handshakes suf- using a micro-benchmark [19]: copying of 1500 bytes with fer from SRBDS mitigation, unlike KPTI there is no possibil- the proper FPU state saving and restoring takes x4.78 more ity to avoid extra overhead by moving code to the kernel.
Load more

Recommended publications
  • Effective Cryptography What’S Wrong with All These Crypto Apis?
    Effective Cryptography What’s Wrong With All These Crypto APIs? Thorsten Groetker, CTO Utimaco, Inc. Utimaco IS Business Unit· Aachen, Germany · ©2015 Page 1 Outline § What I mean by Effective Cryptography § Crypto APIs § Security § Ease of Use § Runtime Performance § Predictions § CryptoScript in a Nutshell § Outlook Utimaco IS Business Unit· Aachen, Germany · ©2015 Page 2 Effective Cryptography Definition in a Nutshell Cryptography is effective if it is Li lingues es membres del sam familie. Lor separat existentie es 1. Secure unJCE/JCA myth. Por scientie, musica , sport etc, litot li sam vocabular. Li lingues differe solmen in li grammaticaOpenSSL, li pronunciation e li pluEVP commun vocabules. Omnicos directe al desirabilite de un nov lingua franca: On refusa continuar payar custosi traductores. At solmen va esser necessi 2. Efficient far uniform grammaticaPKCS#11, pronunciation e plu sommun paroles. Ma quande lingues coalesce, li grammatica del resultant lingue es plu CAPIsimplic e regulari quam ti del coalescent lingues. Li nov lingua CNG a. Time to Result franca va esser plu simplic e regulari quam li existent Bouncy linguesCastle. I b. Performance What’s wrong with all these crypto APIs? (Focused on Hardware Security Modules) Utimaco IS Business Unit· Aachen, Germany · ©2015 Page 3 Problem #1: Security PKCS#11 § Numerous key extraction attacks known § Jolyon Clulow “On the Security of PKCS#11” § Tookan project (e.g., “Attacking and Fixing PKCS#11 Security Tokens”) § CVE entries (not necessarily sporting “PKCS#11” in the text)
    [Show full text]
  • Using Frankencerts for Automated Adversarial Testing of Certificate
    Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations Chad Brubaker ∗ y Suman Janay Baishakhi Rayz Sarfraz Khurshidy Vitaly Shmatikovy ∗Google yThe University of Texas at Austin zUniversity of California, Davis Abstract—Modern network security rests on the Secure Sock- many open-source implementations of SSL/TLS are available ets Layer (SSL) and Transport Layer Security (TLS) protocols. for developers who need to incorporate SSL/TLS into their Distributed systems, mobile and desktop applications, embedded software: OpenSSL, NSS, GnuTLS, CyaSSL, PolarSSL, Ma- devices, and all of secure Web rely on SSL/TLS for protection trixSSL, cryptlib, and several others. Several Web browsers against network attacks. This protection critically depends on include their own, proprietary implementations. whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. In this paper, we focus on server authentication, which We design, implement, and apply the first methodology for is the only protection against man-in-the-middle and other large-scale testing of certificate validation logic in SSL/TLS server impersonation attacks, and thus essential for HTTPS implementations. Our first ingredient is “frankencerts,” synthetic and virtually any other application of SSL/TLS. Server authen- certificates that are randomly mutated from parts of real cer- tication in SSL/TLS depends entirely on a single step in the tificates and thus include unusual combinations of extensions handshake protocol. As part of its “Server Hello” message, and constraints. Our second ingredient is differential testing: if the server presents an X.509 certificate with its public key.
    [Show full text]
  • Libressl Presentatie2
    Birth of LibreSSL and its current status Frank Timmers Consutant, Snow B.V. Background What is LibreSSL • A fork of OpenSSL 1.0.1g • Being worked on extensively by a number of OpenBSD developers What is OpenSSL • OpenSSL is an open source SSL/TLS crypto library • Currently the de facto standard for many servers and clients • Used for securing http, smtp, imap and many others Alternatives • Netscape Security Services (NSS) • BoringSSL • GnuTLS What is Heartbleed • Heartbleed was a bug leaking of private data (keys) from both client and server • At this moment known as “the worst bug ever” • Heartbeat code for DTLS over UDP • So why was this also included in the TCP code? • Not the reason to create a fork Why did this happen • Nobody looked • Or at least didn’t admit they looked Why did nobody look • The code is horrible • Those who did look, quickly looked away and hoped upstream could deal with it Why was the code so horrible • Buggy re-implementations of standard libc functions like random() and malloc() • Forces all platforms to use these buggy implementations • Nested #ifdef, #ifndefs (up to 17 layers deep) through out the code • Written in “OpenSSL C”, basically their own dialect • Everything on by default Why was it so horrible? crypto_malloc • Never frees memory (Tools like Valgrind, Coverity can’t spot bugs) • Used LIFO recycling (Use after free?) • Included debug malloc by default, logging private data • Included the ability to replace malloc/free at runtime #ifdef trees • #ifdef, #elif, #else trees up to 17 layers deep • Throughout the complete source • Some of which could never be reached • Hard to see what is or not compiled in 1.
    [Show full text]
  • Hannes Tschofenig
    Securing IoT applications with Mbed TLS Hannes Tschofenig Part#2: Public Key-based authentication March 2018 © 2018 Arm Limited Munich Agenda • For Part #2 of the webinar we are moving from Pre-Shared Secrets (PSKs) to certificated-based authentication. • TLS-PSK ciphersuites have • great performance, • low overhead, • small code size. • Drawback is the shared key concept. • Public key cryptography was invented to deal with this drawback (but itself has drawbacks). 2 © 2018 Arm Limited Public Key Infrastructure and certificate configuration © 2018 Arm Limited Public Key Infrastructure Various PKI deployments in existence Structure of our PKI The client has to store: self-signed • Client certificate plus corresponding private key. CA cert • CA certificate, which serves as the trust anchor. The server has to store: Signed by CA Signed by CA • Server certificate plus corresponding private key. Client cert Server cert (Some information for authenticating the client) 4 © 2018 Arm Limited Generating certificates (using OpenSSL tools) • When generating certificates you will be prompted to enter info. You are about to be asked to enter information that will be • The CA cert will end up in the trust incorporated into your certificate request. What you are about to enter is what is called a Distinguished anchor store of the client. Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, • The Common Name used in the server If you enter '.', the field will be left blank. ----- cert needs to be resolvable via DNS Country Name (2 letter code) [AU]:.
    [Show full text]
  • Notices Openssl/Open SSL Project
    Notices The following notices pertain to this software license. OpenSSL/Open SSL Project This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]). License Issues The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected]. OpenSSL License: Copyright © 1998-2007 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”. 4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
    [Show full text]
  • Arxiv:1911.09312V2 [Cs.CR] 12 Dec 2019
    Revisiting and Evaluating Software Side-channel Vulnerabilities and Countermeasures in Cryptographic Applications Tianwei Zhang Jun Jiang Yinqian Zhang Nanyang Technological University Two Sigma Investments, LP The Ohio State University [email protected] [email protected] [email protected] Abstract—We systematize software side-channel attacks with three questions: (1) What are the common and distinct a focus on vulnerabilities and countermeasures in the cryp- features of various vulnerabilities? (2) What are common tographic implementations. Particularly, we survey past re- mitigation strategies? (3) What is the status quo of cryp- search literature to categorize vulnerable implementations, tographic applications regarding side-channel vulnerabili- and identify common strategies to eliminate them. We then ties? Past work only surveyed attack techniques and media evaluate popular libraries and applications, quantitatively [20–31], without offering unified summaries for software measuring and comparing the vulnerability severity, re- vulnerabilities and countermeasures that are more useful. sponse time and coverage. Based on these characterizations This paper provides a comprehensive characterization and evaluations, we offer some insights for side-channel of side-channel vulnerabilities and countermeasures, as researchers, cryptographic software developers and users. well as evaluations of cryptographic applications related We hope our study can inspire the side-channel research to side-channel attacks. We present this study in three di- community to discover new vulnerabilities, and more im- rections. (1) Systematization of literature: we characterize portantly, to fortify applications against them. the vulnerabilities from past work with regard to the im- plementations; for each vulnerability, we describe the root cause and the technique required to launch a successful 1.
    [Show full text]
  • Secure Industrial Device Connectivity with Low-Overhead TLS
    Secure Industrial Device Connectivity with Low-Overhead TLS Tuesday, October 3, 2017 1:10PM-2:10PM Chris Conlon - Engineering Manager, wolfSSL - B.S. from Montana State University (Bozeman, MT) - Software engineer at wolfSSL (7 years) Contact Info: - Email: [email protected] - Twitter: @c_conlon A. – B. – C. – D. – E. F. ● ● ● ○ ● ○ ● ○ ● Original Image Encrypted using ECB mode Modes other than ECB ● ○ ● ○ ● ● ● ● ○ ● ● ● ● ○ ● ○ ○ ○ ○ ● ○ ● ● ● ● ○ ● ● ○ By Original schema: A.J. Han Vinck, University of Duisburg-EssenSVG version: Flugaal - A.J. Han Vinck, Introduction to public key cryptography, p. 16, Public Domain, https://commons.wikimedia.org/w/index.php?curid=17063048 ● ○ ● ○ ■ ■ ■ ● ○ ■ ● ● ● ● ● ○ ● ● ● ● ● ● ● ○ ○ ○ ○ ● “Progressive” is a subjective term ● These slides talk about crypto algorithms that are: ○ New, modern ○ Becoming widely accepted ○ Have been integrated into SSL/TLS with cipher suites ● ChaCha20 ● Poly1305 ● Curve25519 ● Ed25519 Created by Daniel Bernstein a research professor at the University of Illinois, Chicago Chacha20-Poly1305 AEAD used in Google over HTTPS Ed25519 and ChaCha20-Poly1305 AEAD used in Apple’s HomeKit (iOS Security) ● Fast stream cipher ● Based from Salsa20 stream cipher using a different quarter-round process giving it more diffusion ● Can be used for AEAD encryption with Poly1305 ● Was published by Bernstein in 2008 Used by ● Google Chrome ● TinySSH ● Apple HomeKit ● wolfSSL ● To provide authenticity of messages (MAC) ● Extremely fast in comparison to others ● Introduced by a presentation given from Bernstein in 2002 ● Naming scheme from using polynomial-evaluation MAC (Message Authentication Code) over a prime field Z/(2^130 - 5) Used by ● Tor ● Google Chrome ● Apple iOS ● wolfSSL Generic Montgomery curve. Reference 5 Used by ● Tera Term ● GnuPG ● wolfSSL Generic Twisted Edwards Curve.
    [Show full text]
  • Black-Box Security Analysis of State Machine Implementations Joeri De Ruiter
    Black-box security analysis of state machine implementations Joeri de Ruiter 18-03-2019 Agenda 1. Why are state machines interesting? 2. How do we know that the state machine is implemented correctly? 3. What can go wrong if the implementation is incorrect? What are state machines? • Almost every protocol includes some kind of state • State machine is a model of the different states and the transitions between them • When receiving a messages, given the current state: • Decide what action to perform • Which message to respond with • Which state to go the next Why are state machines interesting? • State machines play a very important role in security protocols • For example: • Is the user authenticated? • Did we agree on keys? And if so, which keys? • Are we encrypting our traffic? • Every implementation of a protocol has to include the corresponding state machine • Mistakes can lead to serious security issues! State machine example Confirm transaction Verify PIN 0000 Failed Init Failed Verify PIN 1234 OK Verified Confirm transaction OK State machines in specifications • Often specifications do not explicitly contain a state machine • Mainly explained in lots of prose • Focus usually on happy flow • What to do if protocol flow deviates from this? Client Server ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
    [Show full text]
  • Securing Mysql with a Focus on SSL
    Securing MySQL! With a Focus on SSL http://www.yassl.com (206) 369-4800 About Me Chris Conlon So#ware Developer at yaSSL Bozeman, MT © Copyright 2011 FishEyeGuyPhotography © Copyright 2011 yaSSL SSL Statistics Ivan Ristic: Internet SSL Survey 2010 http://www.ssllabs.com SSL Survey 2010 Valid SSL – 0.42% •" Sample of 119 Million Domain Names 0.60%, Certificate Name Matches 0.42%, Counting only valid ones Alexa Top 1M •" Alexa Top 1M Sites Use SSL – 12% 120,000 Use SSL (12%) © Copyright 2011 yaSSL Presentation Outline Part I: MySQL Security 1." Common Attacks & Vulnerabilities 2." Good Security Practices for MySQL Part II: SSL/TLS 1." Overview of SSL and TLS 2." Configuring and Building MySQL with SSL 3." MySQL SSL Command Options 4." SSL Certificate Creation 5." Performance Comparison Part III: Additional Security Concerns 1." Data Storage and Encryption Part IV: Wrap-Up 1." Licensing 2." yaSSL 3." Conclusion © Copyright 2011 yaSSL MySQL Updates Part I Account Passwords Test Databases mysqld MySQL Security Privileges © Copyright 2011 yaSSL Common Attacks and Vulnerabilities Do we really need to secure our MySQL database? YES! MySQL is Susceptible to Many Attacks: - Basic Attacks (empty password, etc.) - SQL Injection Attacks - Known MySQL Bugs and Vulnerabilities - Trojanning MySQL © Copyright 2011 yaSSL Good Security Practices for MySQL A. Keeping MySQL Version Up to Date An easy way to stay better protected: - New MySQL Patches, Bug Fixes, etc. - You should take advantage of updates © Copyright 2011 yaSSL Good Security Practices for MySQL 'MySQL' Vulnerabili1es By Year cvedetails.com (nvd.nist.gov) 16 2000 14 2001 2002 11 2003 10 2004 9 2005 8 2006 7 2007 6 6 6 2008 5 2009 3 2010 2011 © Copyright 2011 yaSSL Good Security Practices for MySQL •" yaSSL Vulnerabilities affecting MySQL in the past: CVE-2005-3731 Certificate Chain Processing CVE-2008-0227 Denial of Service (crash) CVE-2008-0226 Allowed Execution of Arbitrary Code CVE-2009-4484 Allowed Execution of Arbitrary Code, Denial of Service Possible © Copyright 2011 yaSSL Good Security Practices for MySQL B.
    [Show full text]
  • No.Ntnu:Inspera:2546742.Pdf (10.61Mb)
    Krishna Shingala An alternative to the Public Key Krishna Shingala Infrastructure for the Internet of Things Master’s thesis in Communication Technology Supervisor: Danilo Gligoroski, Katina Kralevska, Torstein Heggebø Master’s thesis Master’s June 2019 An alternative to PKI for IoT PKI for to An alternative NTNU Engineering Communication Technology Communication Department of Information Security and Department of Information Faculty of Information Technology and Electrical Technology of Information Faculty Norwegian University of Science and Technology of Science University Norwegian An alternative to the Public Key Infras- tructure for the Internet of Things Krishna Shingala Submission date: June 2019 Responsible professor: Danilo Gligoroski, IIK, NTNU Supervisor: Danilo Gligoroski, IIK, NTNU Co-Supervisor: Katina Kralevska, IIK, NTNU Co-Supervisor: Torstein Heggebø, Nordic Semiconductor ASA Norwegian University of Science and Technology Department of Information Technology and Electrical Engineering Title: An alternative to the Public Key Infrastructure for the Internet of Things Student: Krishna Shingala Problem description: Internet of Things(IoT) enables participation of constrained devices on the Internet. Limited resources, bandwidth, and power on the devices have led to new protocols. Some examples of IoT driven and driving protocols are: – MQTT, CoAP that are application protocols for IoT; – 6LoWPAN enables efficient support of IPv6 on low power lossy networks; – CBOR enables concise data formatting; and – DTLS enables secure channel establishment over unreliable transport like the UDP. Security is one of the key factors for the success of IoT. TLS/DTLS secures the channel between the servers and the devices. Confidentiality is an important aspect of such a secure channel. Establishing the identity of an entity another.
    [Show full text]
  • Vetting SSL Usage in Applications with SSLINT
    2015 IEEE Symposium on Security and Privacy Vetting SSL Usage in Applications with SSLINT Boyuan He1, Vaibhav Rastogi2, Yinzhi Cao3, Yan Chen2, V.N. Venkatakrishnan4, Runqing Yang1, and Zhenrui Zhang1 1Zhejiang University 2Northwestern University 3Columbia University 4University of Illinois, Chicago [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] Abstract—Secure Sockets Layer (SSL) and Transport Layer In particular, we ask the following research question: Is it Security (TLS) protocols have become the security backbone of possible to design scalable techniques that detect incorrect use the Web and Internet today. Many systems including mobile of APIs in applications using SSL/TLS libraries? This question and desktop applications are protected by SSL/TLS protocols against network attacks. However, many vulnerabilities caused poses the following challenges: by incorrect use of SSL/TLS APIs have been uncovered in recent • Defining and representing correct use. Given an SSL years. Such vulnerabilities, many of which are caused due to poor library, how do we model correct use of the API to API design and inexperience of application developers, often lead to confidential data leakage or man-in-the-middle attacks. In this facilitate detection? paper, to guarantee code quality and logic correctness of SSL/TLS • Analysis techniques for incorrect usage in software. applications, we design and implement SSLINT, a scalable, Given a representation of correct usage, how do we de- automated, static analysis system for detecting incorrect use sign techniques for analyzing programs to detect incorrect of SSL/TLS APIs.
    [Show full text]
  • How Secure Is Textsecure?
    How Secure is TextSecure? Tilman Frosch∗y, Christian Mainkay, Christoph Badery, Florian Bergsmay,Jorg¨ Schwenky, Thorsten Holzy ∗G DATA Advanced Analytics GmbH firstname.lastname @gdata.de f g yHorst Gortz¨ Institute for IT-Security Ruhr University Bochum firstname.lastname @rub.de f g Abstract—Instant Messaging has gained popularity by users without providing any kind of authentication. Today, many for both private and business communication as low-cost clients implement only client-to-server encryption via TLS, short message replacement on mobile devices. However, until although security mechanisms like Off the Record (OTR) recently, most mobile messaging apps did not protect confi- communication [3] or SCIMP [4] providing end-to-end con- dentiality or integrity of the messages. fidentiality and integrity are available. Press releases about mass surveillance performed by intelli- With the advent of smartphones, low-cost short-message gence services such as NSA and GCHQ motivated many people alternatives that use the data channel to communicate, to use alternative messaging solutions to preserve the security gained popularity. However, in the context of mobile ap- and privacy of their communication on the Internet. Initially plications, the assumption of classical instant messaging, fueled by Facebook’s acquisition of the hugely popular mobile for instance, that both parties are online at the time the messaging app WHATSAPP, alternatives claiming to provide conversation takes place, is no longer necessarily valid. secure communication experienced a significant increase of new Instead, the mobile context requires solutions that allow for users. asynchronous communication, where a party may be offline A messaging app that claims to provide secure instant for a prolonged time.
    [Show full text]