
Flowrider: Fast On-Demand Key Provisioning for Cloud Networks

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2021)

Abstract

Increasingly fine-grained cloud billing creates incentives to review the software execution footprint in virtual environments. For example, virtual execution environments move towards lower overhead: from virtual machines to containers, unikernels, and serverless cloud computing. However, the execution footprint of security components in virtualized environments has either remained the same or even increased. We present Flowrider, a novel key provisioning mechanism for cloud networks that unlocks scalable use of symmetric keys and significantly reduces the related computational load on network endpoints. We describe the application of Flowrider to common transport security protocols, the results of its formal verification, and its prototype implementation. Our evaluation shows that Flowrider uses up to an order of magnitude less CPU to establish a TLS session while preventing by construction some known attacks.


Notes

  1. See Amazon Lambda, Google Cloud Functions, Azure Functions, Salesforce Evergreen, etc.

  2. https://rancher.com/.

  3. As a possible optimization, the network controller may have generated in advance a number of symmetric keys, which would thus be immediately available to distribute.

  4. ProVerif scripts available at https://anonymous.4open.science/r/8e9da3de-6ccd-4f49-b925-389fbcc9bca6/.

  5. Implementation code available at https://anonymous.4open.science/r/8e9da3de-6ccd-4f49-b925-389fbcc9bca6/.
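The abstract describes a controller that provisions symmetric keys to network endpoints so that they can open a TLS session without the usual public-key handshake, and note 3 mentions pre-generating keys on the controller so that a request can be served immediately. The following is an added illustration of that controller-side idea, written for this page; it is not code from the Flowrider paper or its prototype. The pool size, the counter-based key identifier, the 256-bit key length, and the HKDF step that binds the provisioned key to the flow's two endpoints are all assumptions of this example, not details the page states.

```python
"""Illustrative controller-side key pool for on-demand symmetric key provisioning.

Added example, not the Flowrider paper's code.  It models only what the page
says: a controller hands the same symmetric key to both endpoints of a flow and
may keep a pool of pre-generated keys (note 3) so provisioning does not wait on
key generation.  Pool size, key-id format, key length and the HKDF flow binding
are assumptions made here for illustration.
"""
import hashlib
import hmac
import os
import struct
from collections import deque
from dataclasses import dataclass

KEY_LEN = 32  # assumption: 256-bit pre-shared keys


@dataclass(frozen=True)
class Provisioned:
    """What one endpoint receives from the controller for a single flow."""
    key_id: bytes
    psk: bytes


class KeyController:
    """Pre-generates symmetric keys and hands each one out to exactly one flow."""

    def __init__(self, pool_size=8, rng=os.urandom):
        self._rng = rng
        self._pool_size = pool_size
        self._pool = deque()
        self._next_id = 0
        self._issued = {}  # key_id -> (client, server), for auditing reuse
        self.refill()

    def refill(self):
        """Top the pool back up (the 'generate in advance' optimisation of note 3)."""
        while len(self._pool) < self._pool_size:
            self._pool.append(self._rng(KEY_LEN))

    def pool_level(self):
        return len(self._pool)

    def provision(self, client, server):
        """Return identical (key_id, psk) material for both endpoints of a new flow.

        A drained pool falls back to generating on demand, so a burst of flow
        setups never fails, it just loses the latency benefit of pre-generation.
        """
        if not self._pool:
            self._pool.append(self._rng(KEY_LEN))
        psk = self._pool.popleft()
        key_id = struct.pack(">Q", self._next_id)  # assumption: 64-bit counter id
        self._next_id += 1
        assert key_id not in self._issued  # each key serves exactly one flow
        self._issued[key_id] = (client, server)
        # In a deployment each endpoint receives its copy over an authenticated
        # controller channel; here both simply get the same material.
        return Provisioned(key_id, psk), Provisioned(key_id, psk)


def hkdf_sha256(ikm, salt, info, length=KEY_LEN):
    """Minimal HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Endpoint:
    """A VM or container that installs provisioned keys and derives session keys."""

    def __init__(self, name):
        self.name = name
        self.keys = {}

    def install(self, provisioned):
        self.keys[provisioned.key_id] = provisioned.psk

    def session_key(self, key_id, client, server):
        """Derive the per-flow key; binding the ordered endpoint pair into the
        HKDF info (an assumption of this example) makes the same PSK yield a
        different key if the roles are swapped."""
        info = client.encode() + b"|" + server.encode()
        return hkdf_sha256(self.keys[key_id], salt=key_id, info=info)


def demo():
    """Both endpoints of one flow end up with the same session key."""
    ctrl = KeyController(pool_size=4)
    a, b = Endpoint("vm-a"), Endpoint("vm-b")
    pa, pb = ctrl.provision("vm-a", "vm-b")
    a.install(pa)
    b.install(pb)
    ka = a.session_key(pa.key_id, "vm-a", "vm-b")
    kb = b.session_key(pb.key_id, "vm-a", "vm-b")
    return ka == kb


if __name__ == "__main__":
    print("endpoints agree on session key:", demo())
```

The point of the pool is latency, not secrecy: a key popped from the pool is indistinguishable from one generated on request, so the only invariant worth checking in practice is the one asserted in `provision`, that a key identifier is never handed to two flows.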


Acknowledgments

This work was financially supported in part by the Swedish Foundation for Strategic Research, with the grant RIT17-0035; by the H2020 project SIFIS-Home (Grant agreement 952652); VINNOVA and the CelticNext project CRITISEC and by the Wallenberg AI, Autonomous Systems and Software Program (WASP).

Author information

Corresponding author: Nicolae Paladi.


Copyright information

© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Paladi, N., Tiloca, M., Nikbakht Bideh, P., Hell, M. (2021). Flowrider: Fast On-Demand Key Provisioning for Cloud Networks. In: Garcia-Alfaro, J., Li, S., Poovendran, R., Debar, H., Yung, M. (eds) Security and Privacy in Communication Networks. SecureComm 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 399. Springer, Cham. https://doi.org/10.1007/978-3-030-90022-9_11


  • DOI: https://doi.org/10.1007/978-3-030-90022-9_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90021-2

  • Online ISBN: 978-3-030-90022-9

  • eBook Packages: Computer Science (R0)
