mdTLS: How to Make Middlebox-Aware TLS More Efficient?

  • Conference paper
Information Security and Cryptology – ICISC 2023 (ICISC 2023)

Abstract

Recently, many organizations have been installing middleboxes in their networks in large numbers to provide various services to their customers. Although middleboxes have the advantage of not being dependent on specific hardware and being able to provide a variety of services, they can become a new attack target for hackers. Therefore, many researchers have proposed security-enhanced TLS protocols, but their results have some limitations. In this paper, we propose a middlebox-delegated TLS (mdTLS) protocol that not only achieves the same security level but also requires relatively less computation compared to recent research results. mdTLS is a TLS protocol designed based on the proxy signature scheme, which requires about 39% less computation than middlebox-aware TLS (maTLS), which is the best in security and performance among existing research results. In order to substantiate the enhanced security of mdTLS, we conducted a formal verification using the Tamarin prover. Our verification demonstrates that mdTLS not only satisfies the security properties set forth by maTLS but also complies with the essential security properties required of a proxy signature scheme. (All of the formal models and lemmas are open to the public at the following URL: https://github.com/HackProof/mdTLS.)

Acknowledgements

This work was partly supported by the Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2018-0-00532, Development of High-Assurance (EAL6) Secure Microkernel, 100) and supported by Korea University.

Author information

Corresponding author

Correspondence to Seungjoo Kim.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Ahn, T., Kwak, J., Kim, S. (2024). mdTLS: How to Make Middlebox-Aware TLS More Efficient?. In: Seo, H., Kim, S. (eds) Information Security and Cryptology – ICISC 2023. ICISC 2023. Lecture Notes in Computer Science, vol 14562. Springer, Singapore. https://doi.org/10.1007/978-981-97-1238-0_3

  • DOI: https://doi.org/10.1007/978-981-97-1238-0_3

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-97-1237-3

  • Online ISBN: 978-981-97-1238-0

  • eBook Packages: Computer Science, Computer Science (R0)
