This presentation summarizes the work done in Work Package 1 (WP1) of the SafeCloud project. The main results are vulnerability-tolerant channels, protected channels with port knocking, multi-path communication and route monitoring.
This is joint work between INESC-ID, Portugal and TUM, Germany.
2. Outline
• Objectives and summary
• Secure communication solutions
• Achievements
WP1 — 2018-09 » 2
3. WP1 — objectives and summary
• Provide middleware services to improve the privacy and security of cloud communications in the SafeCloud platform
• Protect data when downloading (and uploading) from the cloud
• Provide same properties as secure channels: confidentiality, integrity, authenticity
• But assuming more powerful adversaries that may break some assumptions that make existing channels secure
4. Standard secure channel
• The most adopted protocol is SSL/TLS
• HTTPS = HTTP over TLS
5. How can a TLS channel become insecure
1. A vulnerability appears in one component
2. An old vulnerability in one of the components is not fixed
3. There is an unknown (0-day) vulnerability in one of the components
4. There is a vulnerability that seems to be impossible to exploit, but that can be exploited by a strong adversary, e.g., a nation state
6. Specific threats
• Weak cryptographic components
• DES, RC4, MD5, SHA-1
• Service identification
• Well-known ports are vulnerable to port scanning and fingerprinting
• Route attacks
• Man-in-the-middle attacks
• Attacker intercepts communication
• Route hijacking
• Traffic may be deviated and then eavesdropped
7. Summary of security requirements
• For the attacker to break the confidentiality, privacy or integrity of a secure channel, he must:
(i) find a vulnerability in the channel
(ii) gain access to the endpoint machines
(iii) intercept communication path
9. Middleware requirements
• Two forms of communication:
• Machine-to-cloud and
• Cloud-to-cloud
• Unicast communication between two endpoints
• Endpoints: clients, machines in clouds
• We do not envisage the need to protect data privacy in multicast, anycast or broadcast communications
• Connection-oriented
• Similar to protocols like TLS over TCP
• Implemented at application layer of the OSI model
• Difficult to deploy mechanisms at lower layers in the Internet
16. Addressing security requirements with SafeCloud communication solutions
SC – Secure Communication solution
• SC1: vulnerability-tolerant channels
• SC2: protected channels
• SC3: route-aware channels
Attacker must:
(i) find a vulnerability in the channel
(ii) gain access to the endpoint machines
(iii) intercept communication flow
24. All tasks completed
• T1.1 — Communication architecture [M1-M6]
• T1.2 — Vulnerability-tolerant channels [M1-30]
• T1.3 — Protected service provisioning [M1-30]
• T1.4 — Route monitoring [M1-30]
• T1.5 — Multi-path communication [M1-30]
25. All deliverables completed
• D1.1 — Private communication middleware architecture [M6; IN-ID]
• D1.2 — First version of the private communication middleware components [M18; IN-ID]
• D1.3 — Final version of the private communication middleware [M30; IN-ID]
26. Scientific work
• Graduations
• 5 students at INESC-ID
• 10 students at TUM
• Publications
• 4 conference papers
• 2 workshop papers
• Credit to the students for all their great work!
27. Testing and Evaluation
• SC1: vulnerability-tolerant channels
• vtTLS evaluation
• Evaluated: handshake, data transfer overhead
• SC2: protected channels
• sKnock
• Evaluated: latency, scalability
• SC3: route-aware channels
• Premium (Machete + Darshana)
• Evaluated: best number of multiple paths, multi-homing
• Evaluated: thresholds, false positives, false negatives
30. Conclusion
• SafeCloud made secure channels more robust by leveraging diversity in multiple ways
• Solutions can be combined
• Better security:
• Between endpoints and clouds
• Between people and the services they use
• Both for personal and corporate data