Short-Lived Forward-Secure Delegation for TLS

Lukas Alber; Stefan More; Sebastian Ramacher

doi:10.1145/3411495.3421362

Short-Lived Forward-Secure Delegation for TLS

Lukas Alber^*, Stefan More^*, Sebastian Ramacher^*

^*Corresponding author for this work

Institute of Applied Information Processing and Communications (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

On today's Internet, combining the end-to-end security of TLS with Content Delivery Networks (CDNs) while ensuring the authenticity of connections results in a challenging delegation problem. When CDN servers provide content, they have to authenticate themselves as the origin server to establish a valid end-to-end TLS connection with the client. In standard TLS, the latter requires access to the secret key of the server. To curb this problem, multiple workarounds exist to realize a delegation of the authentication. In this paper, we present a solution that renders key sharing unnecessary and reduces the need for workarounds. By adapting identity-based signatures to this setting, our solution offers short-lived delegations. Additionally, by enabling forward-security, existing delegations remain valid even if the server's secret key leaks. We provide an implementation of the scheme and discuss integration into a TLS stack. In our evaluation, we show that an efficient implementation incurs less overhead than a typical network round trip. Thereby, we propose an alternative approach to current delegation practices on the web.

Original language	English
Title of host publication	CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop
Place of Publication	Virtual Event, USA
Pages	119-132
Number of pages	14
ISBN (Electronic)	9781450380843
DOIs	https://doi.org/10.1145/3411495.3421362
Publication status	Published - 9 Nov 2020
Event	The ACM Cloud Computing Security Workshop: in conjunction with the ACM Conference on Computer and Communications Security (CCS) - Virtual Event, Virtuell, United States Duration: 9 Nov 2020 → … https://ccsw.io/

Publication series

Name	CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop

Workshop

Workshop	The ACM Cloud Computing Security Workshop
Abbreviated title	CCSW'20
Country/Territory	United States
City	Virtuell
Period	9/11/20 → …
Internet address	https://ccsw.io/

Keywords

delegated credentials
identity-based signatures

ASJC Scopus subject areas

Computer Science(all)
Computer Networks and Communications

Fields of Expertise

Information, Communication & Computing

Access to Document

10.1145/3411495.3421362

Cite this

Short-Lived Forward-Secure Delegation for TLS. / Alber, Lukas; More, Stefan; Ramacher, Sebastian.
CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop. Virtual Event, USA, 2020. p. 119-132 (CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Alber, L, More, S & Ramacher, S 2020, Short-Lived Forward-Secure Delegation for TLS. in CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop. CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop, Virtual Event, USA, pp. 119-132, The ACM Cloud Computing Security Workshop, Virtuell, United States, 9/11/20. https://doi.org/10.1145/3411495.3421362

@inproceedings{21c6cb9ac15f4c6a8b07d70ebb472f5e,

title = "Short-Lived Forward-Secure Delegation for TLS",

abstract = "On today's Internet, combining the end-to-end security of TLS with Content Delivery Networks (CDNs) while ensuring the authenticity of connections results in a challenging delegation problem. When CDN servers provide content, they have to authenticate themselves as the origin server to establish a valid end-to-end TLS connection with the client. In standard TLS, the latter requires access to the secret key of the server. To curb this problem, multiple workarounds exist to realize a delegation of the authentication. In this paper, we present a solution that renders key sharing unnecessary and reduces the need for workarounds. By adapting identity-based signatures to this setting, our solution offers short-lived delegations. Additionally, by enabling forward-security, existing delegations remain valid even if the server's secret key leaks. We provide an implementation of the scheme and discuss integration into a TLS stack. In our evaluation, we show that an efficient implementation incurs less overhead than a typical network round trip. Thereby, we propose an alternative approach to current delegation practices on the web.",

keywords = "delegated credentials, identity-based signatures",

author = "Lukas Alber and Stefan More and Sebastian Ramacher",

year = "2020",

month = nov,

day = "9",

doi = "10.1145/3411495.3421362",

language = "English",

isbn = "978-1-4503-8084-3/20/11",

series = "CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop",

pages = "119--132",

booktitle = "CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop",

note = "The ACM Cloud Computing Security Workshop : in conjunction with the ACM Conference on Computer and Communications Security (CCS), CCSW'20 ; Conference date: 09-11-2020",

url = "https://ccsw.io/",

}

TY - GEN

T1 - Short-Lived Forward-Secure Delegation for TLS

AU - Alber, Lukas

AU - More, Stefan

AU - Ramacher, Sebastian

PY - 2020/11/9

Y1 - 2020/11/9

N2 - On today's Internet, combining the end-to-end security of TLS with Content Delivery Networks (CDNs) while ensuring the authenticity of connections results in a challenging delegation problem. When CDN servers provide content, they have to authenticate themselves as the origin server to establish a valid end-to-end TLS connection with the client. In standard TLS, the latter requires access to the secret key of the server. To curb this problem, multiple workarounds exist to realize a delegation of the authentication. In this paper, we present a solution that renders key sharing unnecessary and reduces the need for workarounds. By adapting identity-based signatures to this setting, our solution offers short-lived delegations. Additionally, by enabling forward-security, existing delegations remain valid even if the server's secret key leaks. We provide an implementation of the scheme and discuss integration into a TLS stack. In our evaluation, we show that an efficient implementation incurs less overhead than a typical network round trip. Thereby, we propose an alternative approach to current delegation practices on the web.

AB - On today's Internet, combining the end-to-end security of TLS with Content Delivery Networks (CDNs) while ensuring the authenticity of connections results in a challenging delegation problem. When CDN servers provide content, they have to authenticate themselves as the origin server to establish a valid end-to-end TLS connection with the client. In standard TLS, the latter requires access to the secret key of the server. To curb this problem, multiple workarounds exist to realize a delegation of the authentication. In this paper, we present a solution that renders key sharing unnecessary and reduces the need for workarounds. By adapting identity-based signatures to this setting, our solution offers short-lived delegations. Additionally, by enabling forward-security, existing delegations remain valid even if the server's secret key leaks. We provide an implementation of the scheme and discuss integration into a TLS stack. In our evaluation, we show that an efficient implementation incurs less overhead than a typical network round trip. Thereby, we propose an alternative approach to current delegation practices on the web.

KW - delegated credentials

KW - identity-based signatures

UR - http://arxiv.org/abs/2009.02137

UR - http://www.scopus.com/inward/record.url?scp=85097427437&partnerID=8YFLogxK

U2 - 10.1145/3411495.3421362

DO - 10.1145/3411495.3421362

M3 - Conference paper

SN - 978-1-4503-8084-3/20/11

T3 - CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop

SP - 119

EP - 132

BT - CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop

CY - Virtual Event, USA

T2 - The ACM Cloud Computing Security Workshop

Y2 - 9 November 2020

ER -

Short-Lived Forward-Secure Delegation for TLS

Abstract

Publication series

Workshop

Keywords

ASJC Scopus subject areas

Fields of Expertise

Access to Document

Other files and links

EU - KRAKEN - Brokerage and market platform for personal data