LURK-T: Limited Use of Remote Keys With Added Trust in TLS 1.3

IF 6.7 2区 计算机科学 Q1 ENGINEERING, MULTIDISCIPLINARY IEEE Transactions on Network Science and Engineering Pub Date : 2024-07-23 DOI:10.1109/TNSE.2024.3432836
Behnam Shobiri;Sajjad Pourali;Daniel Migault;Ioana Boureanu;Stere Preda;Mohammad Mannan;Amr Youssef
{"title":"LURK-T: Limited Use of Remote Keys With Added Trust in TLS 1.3","authors":"Behnam Shobiri;Sajjad Pourali;Daniel Migault;Ioana Boureanu;Stere Preda;Mohammad Mannan;Amr Youssef","doi":"10.1109/TNSE.2024.3432836","DOIUrl":null,"url":null,"abstract":"In many web applications, such as Content Delivery Networks (CDNs), TLS credentials are shared, e.g., between the website's TLS origin server and the CDN's edge servers, which can be distributed around the globe. To enhance the security and trust for TLS 1.3 in such scenarios, we propose LURK-T, a provably secure framework which allows for limited use of remote keys with added trust in TLS 1.3. We efficiently decouple the server side of TLS 1.3 into a LURK-T Crypto Service (\n<inline-formula><tex-math>$\\mathit {CS}$</tex-math></inline-formula>\n) and a LURK-T Engine (\n<inline-formula><tex-math>$\\mathit {E}$</tex-math></inline-formula>\n). \n<inline-formula><tex-math>$\\mathit {CS}$</tex-math></inline-formula>\n executes all cryptographic operations in a Trusted Execution Environment (TEE), upon \n<inline-formula><tex-math>$\\mathit {E}$</tex-math></inline-formula>\n’s requests. \n<inline-formula><tex-math>$\\mathit {CS}$</tex-math></inline-formula>\n and \n<inline-formula><tex-math>$\\mathit {E}$</tex-math></inline-formula>\n together provide the whole TLS-server functionality. A major benefit of our construction is that it is application agnostic; the LURK-T Crypto Service could be collocated with the LURK-T Engine, or it could run on different machines. Thus, our design allows for in situ attestation and protection of the cryptographic side of the TLS server, as well as for all setups of CDNs over TLS. To support such a generic decoupling, we provide a full Application Programming Interface (API) for LURK-T. To this end, we implement our LURK-T Crypto Service using Intel SGX and integrate it with OpenSSL. We also test LURK-T's efficiency and show that, from a TLS-client's perspective, HTTPS servers using LURK-T instead a traditional TLS-server have no noticeable overhead when serving files greater than 1 MB. In addition, we provide cryptographic proofs and formal security verification using ProVerif.","PeriodicalId":54229,"journal":{"name":"IEEE Transactions on Network Science and Engineering","volume":"11 6","pages":"6313-6327"},"PeriodicalIF":6.7000,"publicationDate":"2024-07-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Network Science and Engineering","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10607961/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"ENGINEERING, MULTIDISCIPLINARY","Score":null,"Total":0}
引用次数: 0

Abstract

In many web applications, such as Content Delivery Networks (CDNs), TLS credentials are shared, e.g., between the website's TLS origin server and the CDN's edge servers, which can be distributed around the globe. To enhance the security and trust for TLS 1.3 in such scenarios, we propose LURK-T, a provably secure framework which allows for limited use of remote keys with added trust in TLS 1.3. We efficiently decouple the server side of TLS 1.3 into a LURK-T Crypto Service ( $\mathit {CS}$ ) and a LURK-T Engine ( $\mathit {E}$ ). $\mathit {CS}$ executes all cryptographic operations in a Trusted Execution Environment (TEE), upon $\mathit {E}$ ’s requests. $\mathit {CS}$ and $\mathit {E}$ together provide the whole TLS-server functionality. A major benefit of our construction is that it is application agnostic; the LURK-T Crypto Service could be collocated with the LURK-T Engine, or it could run on different machines. Thus, our design allows for in situ attestation and protection of the cryptographic side of the TLS server, as well as for all setups of CDNs over TLS. To support such a generic decoupling, we provide a full Application Programming Interface (API) for LURK-T. To this end, we implement our LURK-T Crypto Service using Intel SGX and integrate it with OpenSSL. We also test LURK-T's efficiency and show that, from a TLS-client's perspective, HTTPS servers using LURK-T instead a traditional TLS-server have no noticeable overhead when serving files greater than 1 MB. In addition, we provide cryptographic proofs and formal security verification using ProVerif.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
LURK-T:TLS 1.3 中增加信任的远程密钥的有限使用
在许多网络应用(如内容分发网络(CDN))中,TLS 凭证是共享的,例如在网站的 TLS 源服务器和 CDN 边缘服务器之间共享,而 CDN 边缘服务器可能分布在全球各地。为了提高 TLS 1.3 在这种情况下的安全性和信任度,我们提出了 LURK-T,这是一个可证明安全的框架,允许有限地使用远程密钥,并增加 TLS 1.3 的信任度。我们将 TLS 1.3 的服务器端有效地解耦为 LURK-T Crypto Service($\mathit {CS}$)和 LURK-T Engine($\mathit {E}$)。根据$\mathit {E}$的请求,$\mathit {CS}$在可信执行环境(TEE)中执行所有加密操作。$\mathit {CS}$ 和 $\mathit {E}$ 共同提供整个 TLS 服务器功能。我们的结构的一个主要优点是与应用程序无关;LURK-T 加密服务可以与 LURK-T 引擎放在一起,也可以在不同的机器上运行。因此,我们的设计允许对 TLS 服务器的加密侧进行现场验证和保护,也适用于通过 TLS 建立的 CDN 的所有设置。为了支持这种通用解耦,我们为 LURK-T 提供了完整的应用编程接口(API)。为此,我们使用英特尔 SGX 实现了 LURK-T Crypto 服务,并将其与 OpenSSL 集成。我们还测试了 LURK-T 的效率,结果表明,从 TLS 客户端的角度来看,使用 LURK-T 代替传统 TLS 服务器的 HTTPS 服务器在提供超过 1 MB 的文件时没有明显的开销。此外,我们还使用 ProVerif 提供了加密证明和正式安全验证。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
IEEE Transactions on Network Science and Engineering
IEEE Transactions on Network Science and Engineering Engineering-Control and Systems Engineering
CiteScore
12.60
自引率
9.10%
发文量
393
期刊介绍: The proposed journal, called the IEEE Transactions on Network Science and Engineering (TNSE), is committed to timely publishing of peer-reviewed technical articles that deal with the theory and applications of network science and the interconnections among the elements in a system that form a network. In particular, the IEEE Transactions on Network Science and Engineering publishes articles on understanding, prediction, and control of structures and behaviors of networks at the fundamental level. The types of networks covered include physical or engineered networks, information networks, biological networks, semantic networks, economic networks, social networks, and ecological networks. Aimed at discovering common principles that govern network structures, network functionalities and behaviors of networks, the journal seeks articles on understanding, prediction, and control of structures and behaviors of networks. Another trans-disciplinary focus of the IEEE Transactions on Network Science and Engineering is the interactions between and co-evolution of different genres of networks.
期刊最新文献
Table of Contents Guest Editorial: Introduction to the Special Section on Aerial Computing Networks in 6G Guest Editorial: Introduction to the Special Section on Research on Power Technology, Economy and Policy Towards Net-Zero Emissions Temporal Link Prediction via Auxiliary Graph Transformer Load Balancing With Traffic Splitting for QoS Enhancement in 5G HetNets
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1