
TLS Multiplexing < draft-badra-hajjeh-mtls-00.txt>


Presentation Transcript


  1. TLS Multiplexing <draft-badra-hajjeh-mtls-00.txt>
     M. Badra, I. Hajjeh

  2. Goals and design
     • Provides a secure VPN at the transport layer
       • over UDP or TCP (current version)
     • SSL VPN: applications through HTTP/HTML over TCP
       • is it sufficient for streaming, video, audio, news, etc.?
     • Reduces cryptographic processing time and the number of round trips
       • associates a single TLS session with several applications
     • Transparent to the client and protects against inference
     • New sub-protocol and extension type
       • de-multiplexer
       • applications to be secured over a single session

  3. data_multiplexing extension

         struct {
             ApplicationLayerProtocol alp_list<0..2^20-1>;
         } data_multiplexing;

         struct {
             ApplicationProtocolName apn;
             select (Version) {
                 case { 3, 1 } or { 3, 2 }:   /* TLS Version 1.0 or 1.1 */
                     TCPPort tcp_port;
                 case { 254, 255 }:           /* Datagram TLS Version 1.0 */
                     UDPPort udp_port;
             }
         } ApplicationLayerProtocol;

         opaque TCPPort[2];
         opaque UDPPort[2];
         opaque ApplicationProtocolName<1..16>;

  4. mtls sub-protocol
     • New content type (MTLS), alongside Handshake, Alert and CCS above the Record layer
     • Encapsulates application data (app 1 ... app n) and distinguishes it using the source and destination ports and the data length
     • Each unit carries a 6-byte header followed by the data:

         | 2-byte source port | 2-byte destination port | 2-byte length | Data |
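  The 6-byte framing above, as an added example (not code from the draft or its authors): a multiplexer that frames several applications' data into one MTLS record payload and a de-multiplexer that splits it back by port. It assumes big-endian fields and treats a truncated trailing unit as incomplete rather than as an error; the slide does not say whether a unit may span records.

```python
import struct
from typing import List, Tuple

# mtls unit header: 2-byte source port, 2-byte destination port, 2-byte length
# (network byte order is an assumption; the slide only gives field widths)
MTLS_HEADER = struct.Struct("!HHH")

Unit = Tuple[int, int, bytes]


def mtls_pack(src_port: int, dst_port: int, data: bytes) -> bytes:
    """Frame one application message as a single mtls unit."""
    if not (0 <= src_port <= 0xFFFF and 0 <= dst_port <= 0xFFFF):
        raise ValueError("port out of range for a 2-byte field")
    if len(data) > 0xFFFF:
        raise ValueError("payload does not fit the 2-byte length field")
    return MTLS_HEADER.pack(src_port, dst_port, len(data)) + data


def mtls_mux(messages: List[Unit]) -> bytes:
    """Concatenate several framed messages into one record payload."""
    return b"".join(mtls_pack(s, d, p) for s, d, p in messages)


def mtls_demux(payload: bytes) -> Tuple[List[Unit], bytes]:
    """Split a record payload into (src, dst, data) units.

    Returns the complete units and any trailing bytes that do not form a
    whole unit, so the caller can buffer them for the next record instead
    of misreading a partial unit as a fresh header.
    """
    units: List[Unit] = []
    offset = 0
    while len(payload) - offset >= MTLS_HEADER.size:
        src, dst, length = MTLS_HEADER.unpack_from(payload, offset)
        start = offset + MTLS_HEADER.size
        if start + length > len(payload):
            break  # length field points past the payload: incomplete unit
        units.append((src, dst, payload[start:start + length]))
        offset = start + length
    return units, payload[offset:]


if __name__ == "__main__":
    # constructed sample: an HTTP request and a SIP request sharing one session
    record = mtls_mux([(40001, 80, b"GET / HTTP/1.1\r\n"), (40002, 5060, b"INVITE")])
    print(mtls_demux(record))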

  5. Discussion
     • If the server supports at least one application proposed by the client:
       • Does the server respond with all the applications it supports?
     • Stream ID instead of port numbers?
       • not all applications support it
     • Working Group item?
     • Development in progress

  6. TLS Sign <draft-hajjeh-tls-sign-01.txt>
     M. Badra (badra@enst.fr), I. Hajjeh (ibrahim.hajjeh@esrgroups.org)

  7. Goals and design
     • More secure e-business transactions
     • Minimizing the development tasks
     • A transparent signature solution for applications and developers
     • Integrate “standard” signature functionalities in the TLS API: PKCS7, CMS, XML-DSIG, etc.
     • Offering a generic non-repudiation service
     • The non-repudiation service can be negotiated by defining a TLS extension
     • Two types of non-repudiation:
       • non-repudiation with proof of origin
       • non-repudiation without proof of origin

  8. Example: non-repudiation of an order
     • Scenario
       • When the client arrives at the payment site, the non-repudiation service is negotiated
       • The client uses the ssl_sign_write OpenSSL function to sign the order

         fd = socket( …)
         bind(fd)
         connect(fd)
         SSL_library_init()
         meth = [SSLv2 | SSLv23 | SSLv3 | TLSv1]_client_method()
         ctx = SSL_CTX_new(meth)
         SSL_CTX_set_cipher_list(ctx, cipher)
         SSL_CTX_load_verify_locations(ctx, CA_FILE, 0)
         SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)
         ssl = SSL_new(ctx)
         SSL_set_fd(ssl, fd)
         SSL_connect(ssl)
         /* data exchange; SSL_sign_write, SSL_sign_read and ssl_audit
            are the calls proposed by the draft */
         SSL_write | SSL_read | SSL_sign_write | SSL_sign_read | ssl_audit
         SSL_shutdown(ssl)
         close(fd)
         SSL_free(ssl)
         SSL_CTX_free(ctx)
