80 likes | 192 Views
TLS Multiplexing < draft-badra-hajjeh-mtls-00.txt>. M. Badra I. Hajjeh. Goals and design. Provides secure VPN at the transport layer over UDP or TCP (actual version) SSL VPN: applications through HTTP/HTML over TCP is it sufficient for streaming, video, audio, news, etc.
E N D
TLS Multiplexing <draft-badra-hajjeh-mtls-00.txt> M. Badra I. Hajjeh
Goals and design • Provides secure VPN at the transport layer • over UDP or TCP (actual version) • SSL VPN: applications through HTTP/HTML over TCP • is it sufficient for streaming, video, audio, news, etc. • Reduces the cryptographic times and the round trip number • associate a single TLS session for several applications • Transparent to the client and protects against inference • New sub-protocol and extension type • de-multiplexer • applications to be secured over a single session
data_multiplexing extension Struct { ApplicationLayerProtocol alp_list<0..2^20-1>; } data_multiplexing; struct { ApplicationpProtocolName apn; select (Version) case { 3, 1 } or { 3, 2 }:// TLS Version 1.0 or 1.1 TCPPort tcp_port; case { 254, 255 }:// Datagram TLS Version 1.0 UDPPort udp_port; } ApplicationLayerProtocol; opaque TCPPort[2]; opaque UDPPort[2]; opaque ApplicationpProtocolName<1..16>;
mtls sub-protocol • New content type • Encapsulates application data and distinguishes it using source and destination ports and the data length 2-byte source port 2-byte destination port 2-byte length Data app n app 1 6-byte header Handshake Alert CCS MTLS Record
Discussion • If the server supports at least one application proposed by the client • Does the server respond with all the applications it supports • Stream ID instead of port numbers • not all applications support it • Working Group item? • Development in progress
TLS Sign draft-hajjeh-tls-sign-01.txt M. Badra (badra@enst.fr) I. Hajjeh (ibrahim.hajjeh@esrgroups.org)
Goals and design • More secure e-business transactions • Minimizing the development tasks • A transparent signature solution for applications and developers • Integrate a “standard” signature functionalities in the TLS API: PKCS7, CMS, XML_DSIG, etc. • Offering a generic non repudiation service • The non repudiation service can be negotiated defining a TLS Extension • Two types of non repudiation: • non repudiation with proof of origin • non repudiation without proof of origin
Example: Non repudiation of an order • Scenario • When the client arrive to the payment site, the non repudiation service is negotiated • Client use ssl_sign_write OpenSSL fucntion to sign the order. Fd = socket( …) Bind(fd) Connect(fd) SSL_library_init() meth=[SSL|v2|v23|v3] | TLSv1]_client_method Ctx=SSL_set_cipher_list(ctx,cipher) SSL_CTX_load_verify_locations(ctx, CA_FILE,0) SSL_CTX_set_verify(ctx,SSL_VEIFY_PEER, NULL) Ssl=SSL_new(ctx) SSL_set_fd(ssl,fd) SSL_connect() SSL_write | SSL_read | SSL_sign_write | SSL_sign_read | ssl_audit SSL_shutdown(ssl) Close(fd) SSL_free(ssl) SSL_CTX_free(ctx)