Abstract
Recently, many organizations have been installing middleboxes in their networks in large numbers to provide various services to their customers. Although middleboxes have the advantage of not being dependent on specific hardware and being able to provide a variety of services, they can become a new attack target for hackers. Many researchers have therefore proposed security-enhanced TLS protocols, but their results have some limitations. In this paper, we propose a middlebox-delegated TLS (mdTLS) protocol that not only achieves the same security level but also requires relatively less computation than recent research results. mdTLS is a TLS protocol designed on the basis of the proxy signature scheme, and it requires about 39% less computation than middlebox-aware TLS (maTLS), which is the best in security and performance among existing research results. To substantiate the enhanced security of mdTLS, we conducted a formal verification using the Tamarin prover. Our verification demonstrates that mdTLS not only satisfies the security properties set forth by maTLS but also complies with the essential security properties required of a proxy signature scheme. All of the formal models and lemmas are publicly available at https://github.com/HackProof/mdTLS.
Acknowledgements
This work was partly supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2018-0-00532, Development of High-Assurance (EAL6) Secure Microkernel, 100) and supported by Korea University.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Ahn, T., Kwak, J., Kim, S. (2024). mdTLS: How to Make Middlebox-Aware TLS More Efficient?. In: Seo, H., Kim, S. (eds) Information Security and Cryptology – ICISC 2023. ICISC 2023. Lecture Notes in Computer Science, vol 14562. Springer, Singapore. https://doi.org/10.1007/978-981-97-1238-0_3
DOI: https://doi.org/10.1007/978-981-97-1238-0_3
Publisher Name: Springer, Singapore
Print ISBN: 978-981-97-1237-3
Online ISBN: 978-981-97-1238-0
eBook Packages: Computer Science, Computer Science (R0)