maTLS: How to Make TLS middlebox-aware?

Lee, Hyun–Woo; Smith, Zach; Lim, Junghwan; Choi, Gyeongjae; Chun, Selin; Chung, Tae-Sun; Kwon, Ted Taekyoung

doi:10.14722/ndss.2019.23547

Cited by 24 publications

(11 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Fett et al [16]- [19] proved the security for a single signon (SSO) system. Lee et al [20] proposed middlebox-aware TLS, which allows middleboxes to participate in TLS in a visible and accountable fashion. These works are similar to our work in the sense that the web is modeled and verified in platform levels, but they do not consider a cache mechanism and they use different utilization tools and approaches.…”

Section: Related Work 1) Formal Methods For the Webmentioning

confidence: 99%

Towards Further Formal Foundation of Web Security: Expression of Temporal Logic in Alloy and Its Application to a Security Model With Cache

et al. 2019

View full text Add to dashboard Cite

Security analysis of a web system is complicated, and thus analysis using formal methods to describe system specification mathematically has attracted attention. Some previous studies have adopted formal methods, but their models cannot express parallel communication completely. This limitation gives rise to problems where web functions, such as a cache that stores contents, cannot be defined and attacks that forge contents cannot be analyzed. These problems are present in the Alloy-based implementations of current models that do not have the ability to express temporal logic. Therefore, we design implementation and evaluation of temporal logic in Alloy to express time series and parallel computation for web security analysis. In doing so, state transitions in the web can be expressed by fitting them in our proposed syntax. As concrete applications, we describe a web security model that includes caches and show that our proposed syntax can analyze state-of-the-art attacks, such as unauthorized access to users' account pages via caches. The source code of our proposed model in Alloy is publicly available.INDEX TERMS Alloy, cache, formal methods, security model, temporal logic, web security. I. INTRODUCTION A. BACKGROUND

show abstract

Section: Related Work 1) Formal Methods For the Webmentioning

confidence: 99%

Towards Further Formal Foundation of Web Security: Expression of Temporal Logic in Alloy and Its Application to a Security Model With Cache

et al. 2019

View full text Add to dashboard Cite

show abstract

“…The use of middlebox certificates eliminates the insecure practice of installing custom root certificates or servers sharing their private keys with third parties. Furthermore, the middlebox-aware TLS (maTLS) protocol enables auditing the security behaviors of middleboxes [19].…”

Section: Tls Interceptionmentioning

confidence: 99%

Chuchotage: In-line Software Network Protocol Translation for (D)TLS

Bideh

Paladi

2022

Information and Communications Security

View full text Add to dashboard Cite

The growing diversity of connected devices leads to complex network deployments, often made up of endpoints that implement incompatible network application protocols. Communication between heterogeneous network protocols was traditionally enabled by hardware translators or gateways. However, such solutions are increasingly unfit to address the security, scalability, and latency requirements of modern software-driven deployments. To address these shortcomings we propose Chuchotage, a protocol translation architecture for secure and scalable machine-to-machine communication. Chuchotage enables in-line TLS interception and confidential protocol translation for software-defined networks. Translation is done in ephemeral, flow-specific Trusted Execution Environments and scales with the number of network flows. Our evaluation of Chuchotage implementing an HTTP to CoAP translation indicates a minimal transmission and translation overhead, allowing its integration with legacy or outdated deployments.

show abstract

“…In particular, if the user relies on a public DNS server (such as CloudFlare's 1.1.1.1 or Google's 8.8.8.8), and if one of the company operating the name server also operates map servers, then the privacy implications of fetching proofs directly are limited (assuming a secure channel is established between the client and the map server). Another approach would be to use a middlebox (instead of updating the web server) to staple proofs by having the middlebox detect new connections and append relevant data to the TLS handshake (which is in plain text) [58], [42].…”

Section: Fetching Via Dnsmentioning

confidence: 99%

F-PKI: Enabling Innovation and Trust Flexibility in the HTTPS Public-Key Infrastructure

Chuat¹,

Krähenbühl²,

Mittal³

et al. 2022

Proceedings 2022 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

We present F-PKI, an enhancement to the HTTPS public-key infrastructure (or web PKI) that gives trust flexibility to both clients and domain owners, and enables certification authorities (CAs) to enforce stronger security measures. In today's web PKI, all CAs are equally trusted, and security is defined by the weakest link. We address this problem by introducing trust flexibility in two dimensions: with F-PKI, each domain owner can define a domain policy (specifying, for example, which CAs are authorized to issue certificates for their domain name) and each client can set or choose a validation policy based on trust levels. F-PKI thus supports a property that is sorely needed in today's Internet: trust heterogeneity. Different parties can express different trust preferences while still being able to verify all certificates. In contrast, today's web PKI only allows clients to fully distrust suspicious/misbehaving CAs, which is likely to cause collateral damage in the form of legitimate certificates being rejected. Our contribution is to present a system that is backward compatible, provides sensible security properties to both clients and domain owners, ensures the verifiability of all certificates, and prevents downgrade attacks. Furthermore, F-PKI provides a ground for innovation, as it gives CAs an incentive to deploy new security measures to attract more customers, without having these measures undercut by vulnerable CAs.

show abstract

maTLS: How to Make TLS middlebox-aware?

Cited by 24 publications

References 17 publications

Towards Further Formal Foundation of Web Security: Expression of Temporal Logic in Alloy and Its Application to a Security Model With Cache

Towards Further Formal Foundation of Web Security: Expression of Temporal Logic in Alloy and Its Application to a Security Model With Cache

Chuchotage: In-line Software Network Protocol Translation for (D)TLS

F-PKI: Enabling Innovation and Trust Flexibility in the HTTPS Public-Key Infrastructure

Contact Info

Product

Resources

About