maTLS: How to Make TLS middlebox-aware?

2019-09-18 tls web

maTLS: How to Make TLS middlebox-aware?

  • Hyunwoo Lee, Zach Smith, Junghwan Lim†, Gyeongjae Choi, Selin Chun, Taejoong Chung, Ted “Taekyoung” Kwon

  • Network and Distributed Systems Security (NDSS) Symposium 2019

Current Solution

MITM:

  • Client: fake root certificate
  • Server: CDNs request server private keys.
=> Increased risks in MITM attack
=> How to work honestly?
    1. encryption-based
    2. TEE-based
    3. TLS extension-based

SplitTLS:

  • authentication: client can not authenticate the intend server
  • Confidentiality: weak ciphersuite
  • Integrity:Not behaved Middlebox

maTLS:

  1. authenticate all middleboxes
  2. audit all middleboxes
  3. security parameter verification
  4. valid modification checks

Middlebox transparency (MT): MT system targets middlebox certificates, it logs certificates, which can be publicly mon- itored and audited by any interested parties.

/images/3.png

How to do

An extension in middlebox’ X509 Certificates indicates the access of this middlebox.

/images/5.png