Short-Lived Forward-Secure Delegation for TLS

  • Lukas Alber (Speaker)
  • More, S. J. (Contributor)
  • Sebastian Ramacher (Contributor)

Activity: Talk or presentationTalk at conference or symposiumScience to science


On today's Internet, combining the end-to-end security of TLS with Content Delivery Networks (CDNs) while ensuring the authenticity of connections results in a challenging delegation problem. When CDN servers provide content, they have to authenticate themselves as the origin server to establish a valid end-to-end TLS connection with the client. In standard TLS, the latter requires access to the secret key of the server. To curb this problem, multiple workarounds exist to realize a delegation of the authentication.

In this paper, we present a solution that renders key sharing unnecessary and reduces the need for workarounds. By adapting identity-based signatures to this setting, our solution offers short-lived delegations. Additionally, by enabling forward-security, existing delegations remain valid even if the server's secret key leaks. We provide an implementation of the scheme and discuss integration into a TLS stack. In our evaluation, we show that an efficient implementation incurs less overhead than a typical network round trip. Thereby, we propose an alternative approach to current delegation practices on the web.
Period9 Nov 2020
Event titleThe ACM Cloud Computing Security Workshop in conjunction with the ACM Conference on Computer and Communications Security: CCS 2020
Event typeWorkshop
LocationVirtuell, United StatesShow on map
Degree of RecognitionInternational