Abstract
Increasingly fine-grained cloud billing creates incentives to review the software execution footprint in virtual environments. For example, virtual execution environments move towards lower overhead: from virtual machines to containers, unikernels, and serverless cloud computing. However, the execution footprint of security components in virtualized environments has either remained the same or even increased. We present Flowrider, a novel key provisioning mechanism for cloud networks that unlocks scalable use of symmetric keys and significantly reduces the related computational load on network endpoints. We describe the application of Flowrider to common transport security protocols, the results of its formal verification, and its prototype implementation. Our evaluation shows that Florwider uses up to an order of magnitude less CPU to establish a TLS session while preventing by construction some known attacks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
See Amazon Lambda, Google Cloud Functions, Azure Functions, Salesforce Evergreen, etc.
- 2.
- 3.
As a possible optimization, the network controller may have generated in advance a number of symmetric keys, which would thus be immediately available to distribute.
- 4.
ProVerif scripts available at https://anonymous.4open.science/r/8e9da3de-6ccd-4f49-b925-389fbcc9bca6/.
- 5.
Implementation code available at https://anonymous.4open.science/r/8e9da3de-6ccd-4f49-b925-389fbcc9bca6/.
References
Greenberg, A., et al.: A clean slate 4D approach to network control and management. SIGCOMM Comput. Commun. Rev. 35(5), 41–54 (2005). https://doi.org/10.1145/1096536.1096541
Langley, A., Hamburg, M., Turner, S.: Elliptic Curves for Security. RFC 7748, January 2016
Blanchet, B.: ProVerif: Cryptographic protocol verifier in the formal model (2020). https://prosecco.gforge.inria.fr/personal/bblanche/proverif/
Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1773–1788. Association for Computing Machinery, New York (2017)
Lin, C.-L., Sun, H.-M., Steiner, M., Hwang, T.: Three-party encrypted key exchange without server public-keys. IEEE Commun. Lett. 5(12), 497–499 (2001)
Lin, C.-L., Sun, H.-M., Hwang, T.: Three-party encrypted key exchange: attacks and a solution. ACM SIGOPS Operat. Syst. Rev. 34(4), 12–20 (2000)
Liu, C., Zheng, Z., Jia, K., You, Q.: Provably secure three-party password-based authenticated key exchange from RLWE. In: Heng, S.-H., Lopez, J. (eds.) ISPEC 2019. LNCS, vol. 11879, pp. 56–72. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34339-2_4
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280 (Proposed Standard), May 2008. https://doi.org/10.17487/RFC5280, https://www.rfc-editor.org/rfc/rfc5280.txt, updated by RFC 6818
Danny, D., Andrew, C.Y.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)
Dodgson, D.S., Farina, R., Fontana, J.A., Johnson, R.A., Maw, D., Narisi, A.: Automated provisioning of virtual machines, January 2014, US Patent App. 13/547,148
Weerasiri, D., Barukh, M.C., Benatallah, B., Sheng, Q.Z., Ranjan, R.: A taxonomy and survey of cloud resource orchestration techniques. ACM Comput. Surv. 50(2) (May 2017). https://doi.org/10.1145/3054177
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard) (Aug 2008). https://doi.org/10.17487/RFC5246, https://www.rfc-editor.org/rfc/rfc5246.txt, updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685, 7905, 7919
Drucker, N., Gueron, S.: Selfie: reflections on TLS 1.3 with PSK. J. Cryptol. 34(3), 1–18 (2021). https://doi.org/10.1007/s00145-021-09387-y
Brewer, E.A.: Kubernetes and the path to cloud native. In: Proceedings of the Sixth ACM Symposium on Cloud Computing, SoCC 2015, p. 167. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2806777.2809955
Crockett, E., Paquin, C., Stebila, D.: Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSH. In: NIST 2nd Post-Quantum Cryptography Standardization Conf. 2019, pp. 1–24. NIST, Gaithersburg (2019)
Moret, E., Hubbard, R., Watsen, K.A., Murthy, M., Beauchesne, N.: Systems and methods for provisioning network devices (April 2013), uS Patent 8,429,403
Rescorla, E., Tschofenig, H., Modadugu, N.: The Datagram Transport Layer Security (DTLS) Protocol Version 1.3, April 2021. https://tools.ietf.org/html/draft-ietf-tls-dtls13-43, work in Progress
Eric Rescorla: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (Aug 2018). https://doi.org/10.17487/RFC8446
Eronen, P., Tschofenig, H.: Pre-shared key ciphersuites for transport layer security (TLS). RFC 4279 (Proposed Standard), December 2005. https://doi.org/10.17487/RFC4279. https://www.rfc-editor.org/rfc/rfc4279.txt
European Telecommunications Standards Institute: ETSI GS NFV-SEC 014 V3.1.1 (2018–04) - Network Functions Virtualisation (NFV) Release 3; NFV Security; Security Specification for MANO Components and Reference points (2018)
Selander, G.: WO/2015/002581 Key establishment for constrained resource devices (2015)
Yeh, H.-T., Sun, H.-M., Hwang, T.: Efficient three-party authentication and key agreement protocols resistant to password guessing attacks. J. Inf. Sci. Eng. 19(6), 1059–1070 (2003)
Hardt, D.: The OAuth 2.0 Authorization Framework. RFC 6749 (Proposed Standard), October 2012. https://doi.org/10.17487/RFC6749. https://www.rfc-editor.org/rfc/rfc6749.txt, updated by RFC 8252
Baldini, I.: Serverless computing: current trends and open problems, pp. 1–20. Springer, Singapore (2017)
Damgård, I., Jakobsen, T.P., Nielsen, J.B., Pagter, J.I.: Secure key management in the cloud. In: Stam, M. (ed.) Cryptography and Coding, pp. 270–289. Springer, Heidelberg (2013)
Ding, J., Alsayigh, S., Lancrenon, J., Saraswathy, R.V., Snook, M.: Provably secure password authenticated key exchange based on RLWE for the post-quantum world. In: Cryptographers’ Track at the RSA Conf. pp. 183–204. Springer, Cham (2017)
Sood, K., Shaw, J.B., Fastabend, J.R.: Technologies for secure inter-virtual network function communication, 2 August 2016, US Patent 9,407,612
Tamas, K., et al.: Micado, a microservice-based cloud application-level dynamic orchestrator. Future Gener. Comput. Syst. 94, 937–946 (2019). https://doi.org/10.1016/j.future.2017.09.050
Thimmaraju, K., Schmid, S.: Towards Fine-Grained Billing For Cloud Networking (2020)
Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (Informational), February 1997. https://doi.org/10.17487/RFC2104, https://www.rfc-editor.org/rfc/rfc2104.txt, updated by RFC 6151
Bellare, M., Rogaway, P.: Provably secure session key distribution: the three party case. In: Proceedings of the Twenty-Seventh Annual ACM Symposium on Theory of Computing, STOC 1995, pp. 57–66, Association for Computing Machinery, New York (1995)
Steiner, M., Tsudik, G., Waidner, M.: Refinement and extension of encrypted key exchange. ACM SIGOPS Operating Syst. Rev. 29(3), 22–30 (1995)
Tiloca, M., Gehrmann, C., Seitz, L.: On improving resistance to denial of service and key provisioning scalability of the DTLS handshake. Int. J. Inf. Secur. 16(2), 173–193 (2017)
Mavrogiannopoulos, N., et al.: GnuTLS Reference Manual. Samurai Media Ltd., London (2015)
Neuman, C., Yu, T., Hartman, S., Raeburn, K.: The Kerberos Network Authentication Service (V5). RFC 4120 (Proposed Standard), July 2005. https://doi.org/10.17487/RFC4120, https://www.rfc-editor.org/rfc/rfc4120.txt, updated by RFCs 4537, 5021, 5896, 6111, 6112, 6113, 6649, 6806, 7751, 8062, 8129
Open Networking Foundation: OpenFlow Switch Specification. Technical report ONF TS-025, Open Networking Foundation (March 2015), vol 1.5.1
Open vSwitch: Open vSwitch with SSL (2019). http://docs.openvswitch.org/en/latest/howto/ssl/
Paladi, N., Tiloca, M., Bideh, P.N., Hell, M.: On-demand key distribution for cloud networks. In: 2021 24th Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN), pp. 80–82 (2021). https://doi.org/10.1109/ICIN51074.2021.9385528
Bifulco, R., Boite, J., Bouet, M., Schneider, F.: Improving SDN with InSPired switches. In: Proceedings of the Symposium on SDN Research, SOSR 2016, pp. 11:1–11:12. ACM, New York (2016). https://doi.org/10.1145/2890955.2890962
Rescorla, E., Modadugu, N.: Datagram Transport Layer Security Version 1.2. RFC 6347 (Proposed Standard), January 2012. https://doi.org/10.17487/RFC6347, https://www.rfc-editor.org/rfc/rfc6347.txt, updated by RFCs 7507, 7905
Bellovin, S., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: IEEE Symposium on Security and Privacy 0, 72, April 1992. https://doi.org/10.1109/RISP.1992.213269
Jain, S., et al.: B4: Experience with a globally-deployed software defined WAN. In: Proceedings of the ACM SIGCOMM 2013 Conference on SIGCOMM, SIGCOMM 2013, pp. 3–14. ACM, New York (2013). https://doi.org/10.1145/2486001.2486019
Martinelli, S., Nash, H., Topol, B.: Identity, Authentication, and Access Management in OpenStack: Implementing and Deploying Keystone. O’Reilly Media Inc, Sebastopol (2015)
Krishnan, S.P.T., Gonzalez, J.L.U.: Google Compute Engine, pp. 53–91. Apress, Berkeley (2015). https://doi.org/10.1007/978-1-4842-1004-8
Seedorf, J., Burger, E.: Application-Layer Traffic Optimization (ALTO) Problem Statement. RFC 5693 (Informational), October 2009. https://doi.org/10.17487/RFC5693, https://www.rfc-editor.org/rfc/rfc5693.txt
Selander, G., Paladi, N., Tiloca, M.: Security for distributed networking. World Intellectual Property Organization - PCT/EP2019/051456, July 2020
Lee, T.-F., Liu, J.-L., Sung, M.-J., Yang, S.-B., Chen, C.-M.: Communication-efficient three-party protocols for authentication and key agreement. Comput. Math. Appl. 58(4), 641–648 (2009)
Chang, T.-Y., Hwang, M.S., Yang, W.-P.: A communication-efficient three-party password authenticated key exchange protocol. Inf. Sci. 181(1), 217–226 (2011)
Binz, Ts., Breitenbücher, U., Kopp, O., Leymann, F.: TOSCA: portable automated deployment and management of cloud applications, pp. 527–549. Springer, New York (2014). https://doi.org/10.1007/978-1-4614-7535-4
Wang, H., Zhao, Y., Nag, A.: Quantum-key-distribution (qkd) networks enabled by software-defined networks (sdn). Appl. Sci. 9(10), 2081 (2019)
Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., Kivinen, T.: Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). RFC 7250 (Proposed Standard), June 2014. https://doi.org/10.17487/RFC7250. https://www.rfc-editor.org/rfc/rfc7250.txt
Ding, Y., Horster, P.: Undetectable on-line password guessing attacks. ACM SIGOPS Operat. Syst. Rev. 29(4), 77–86 (1995)
Zhu, Y., Ma, J., An, B., Cao, D.: Monitoring and billing of a lightweight cloud system based on linux container. In: 2017 IEEE 37th International Conference on Distributed Computing Systems Workshops (ICDCSW), pp. 325–329. IEEE, New York (2017)
Acknowledgments
This work was financially supported in part by the Swedish Foundation for Strategic Research, with the grant RIT17-0035; by the H2020 project SIFIS-Home (Grant agreement 952652); VINNOVA and the CelticNext project CRITISEC and by the Wallenberg AI, Autonomous Systems and Software Program (WASP).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Paladi, N., Tiloca, M., Nikbakht Bideh, P., Hell, M. (2021). Flowrider: Fast On-Demand Key Provisioning for Cloud Networks. In: Garcia-Alfaro, J., Li, S., Poovendran, R., Debar, H., Yung, M. (eds) Security and Privacy in Communication Networks. SecureComm 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 399. Springer, Cham. https://doi.org/10.1007/978-3-030-90022-9_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-90022-9_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90021-2
Online ISBN: 978-3-030-90022-9
eBook Packages: Computer ScienceComputer Science (R0)