Proxying over TLS: Breaking and Fixing CloudFlare's Keyless SSL


Séminaire Modèles et Algorithmes Déterministes: CASYS

15/12/2016 - 09:30 Mme Cristina Onete Salle 106 - Batiment IMAG

One of the fundamental goals of cryptography is enabling parties to communicate securely over an insecure channel. This functionality is required in our everyday use of the Internet, for secure Internet browsing, secure emailing, messaging, and even Voice over IP conversations. 

In order to construct a secure channel between two parties (usually a client and a server), the participants execute an authenticated key exchange protocol (AKE), which enables them, starting from some initial long-term data, to establish fresh, session-specific keys. This first step is also called a handshake. In a second step, the session keys are use to authenticate and encrypt the data exchanged by the two parties, thus essentially constructing that secure channel.

TLS/SSL is one of the most widely used protocols today, ensuring secure-channel establishment over the Internet. Though a subject of debate for many years, the TLS 1.2 protocol was proved secure under a series of assumptions. However, in real-world applications, TLS is not used in the way it was designed, namely, between the client and the server directly. Instead, cloud-based content delivery network architectures (CDN) have introduced a three-party handshake, such that the client obliviously connects to a cloud provider, which caches and delivers the server's content. In this talk we show that one type of CDN, namely CloudFlare's Keyless SSL, proxies TLS in a way that breaks the protocol's security in various ways. We will also show how to fix their Keyless protocol design, with the surprising result that our novel Keyless TLS 1.3 (i.e. using the newly designed TLS 1.3 version) is in fact much more efficient than the fixed Keyless TLS 1.2, whilst attaining the same properties.