An SDN-based approach to enhance the end-to-end security: SSL/TLS case study

Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium

Volumn , Issue , 2016, Pages 281-288

  Ranjbar, Alireza ^a   Komu, Miika ^a   Salmela, Patrik ^a   Aura, Tuomas ^b  

^a ERICSSON RESEARCH   (Finland)

^b AALTO UNIVERSITY   (Finland)

Author keywords

Centralized policy management; Flow verification; Handshake analysis; Software Defined Networking; SSL TLS

Indexed keywords

NETWORK SECURITY; SOFTWARE DEFINED NETWORKING; VERIFICATION;

ENCRYPTION ALGORITHMS; ENCRYPTION SOFTWARE; END-TO-END ENCRYPTION; END-TO-END SECURITY; HANDSHAKE ANALYSIS; POLICY MANAGEMENT; SECURITY PARAMETERS; SSL/TLS;

CRYPTOGRAPHY;

EID: 84979787975     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/NOMS.2016.7502823     Document Type: Conference Paper

References (38)

1. Pcworld: Next-gen http 2.0 protocol will require https encryption," Available: http://www.pcworld.com/article/2061189/next-gen-http-2-0-protocol-will-require-https-encryption-most-of-The-time-.html
2. Symantec: Facebook implements always on ssl," Available: http://www.symantec.com/connect/blogs/facebookimplements-always-ssl
3. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2," RFC 5246 (Proposed Standard), IETF, Aug. 2008
4. C. Brubaker, S. Jana, B. Ray, S. Khurshid, and V. Shmatikov, "Using frankencerts for automated adversarial testing of certificate validation in ssl/tls implementations," in Security and Privacy (SP), 2014 IEEE Symposium on, May 2014, pp. 114-129
5. L. Zhang et al., "Analysis of ssl certificate reissues and revocations in the wake of heartbleed," in Proceedings of the 2014 Conference on Internet Measurement Conference, ser. IMC '14. ACM, 2014, pp. 489-502
6. N. Heninger, Z. Durumeric, E. Wustrow, and J. A. Halderman, "Mining your ps and qs: Detection of widespread weak keys in network devices," in Presented as part of the 21st USENIX Security Symposium (USENIX Security 12). Bellevue, WA: USENIX, 2012, pp. 205-220
7. Sdn architecture," Issue 1.0, TR-502, June 2014, Open Networking Foundation, Available at https://www.opennetworking.org/images/stories/downloads/sdn-resources/technical-reports/TR SDN ARCH 1.0 06062014.pdf
8. E. Rescorla and N. Modadugu, "Datagram Transport Layer Security Version 1.2," RFC 6347 (Proposed Standard), IETF, Jan. 2012
9. T. Ylonen and C. Lonvick, "The Secure Shell (SSH) Transport Layer Protocol," RFC 4253 (Proposed Standard), IETF, Jan. 2006
10. E. Rescorlar, "The Transport Layer Security (TLS) Protocol Version 1.3," (Standards Track), Internet Engineering Task Force, Jul. 2015. [Online]. Available: https://tools.ietf.org/html/draft-ietf-tls-tls13-07
11. Y. Sheffer, R. Holz, and P. Saint-Andre, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)," RFC 7525 (Best Current Practice), IETF, May 2015
12. J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor, "Crying wolf: An empirical study of ssl warning effectiveness," in Proceedings of the 18th Conference on USENIX Security Symposium, ser. SSYM'09. USENIX Association, 2009, pp. 399-416
13. R. Holz, L. Braun, N. Kammenhuber, and G. Carle, "The ssl landscape: A thorough analysis of the x.509 pki using active and passive measurements," in Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, ser. IMC '11. ACM, 2011, pp. 427-444
14. A. Bates et al., "Securing ssl certificate verification through dynamic linking," in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS '14. ACM, 2014, pp. 394-405
15. A. Arnbak, H. Asghari, M. Van Eeten, and N. Van Eijk, "Security collapse in the https market," Queue, vol. 12, no. 8, pp. 30:30-30:43, Aug. 2014
16. E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "Transport Layer Security (TLS) Renegotiation Indication Extension," RFC 5746 (Proposed Standard), IETF, Feb. 2010
17. Osgi," Available: http://www.osgi.org
18. B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: Rapid prototyping for software-defined networks," in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ser. Hotnets-IX. ACM, 2010, pp. 19:1-19:6
19. Httping," Available: http://linux.die.net/man/1/httping
20. Ab apache," Available: http://httpd.apache.org/docs/2.2/programs/ab.html
21. J. Jarmoc, "Ssl/tls interception proxies and transitive trust," Presentation at Black Hat Europe, March 2012
22. J. Salowey, H. Zhou, P. Eronen, and H. Tschofenig, "Transport Layer Security (TLS) Session Resumption without Server-Side State," RFC 4507 (Proposed Standard), IETF, May 2006
23. M. Casado, T. Koponen, S. Shenker, and A. Tootoonchian, "Fabric: A retrospective on evolving sdn," in Proceedings of the First Workshop on Hot Topics in Software Defined Networks, ser. HotSDN '12. ACM, 2012, pp. 85-90
24. Z. Caor, "Analysis of SDN Controller Cluster in Large-scale Production Networks," Informational, Internet Engineering Task Force, Jul. 2013. [Online]. Available: http://tools.ietf.org/html/draft-zcao-sdnrg-controller-00.html
25. K. Agarwal, C. Dixon, E. Rozner, and J. Carter, "Shadow macs: Scalable label-switching for commodity ethernet," in Proceedings of the Third Workshop on Hot Topics in Software Defined Networking, ser. HotSDN '14. ACM, 2014, pp. 157-162
26. B. Pfaff et al., "The design and implementation of open vswitch," in 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 15). Oakland, CA: USENIX Association, May 2015, pp. 117-130
27. Y. Sheffer, R. Holz, and P. Saint-Andre, "Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)," RFC 7457 (Informational), IETF, Feb. 2015
28. T. Heer and S. Varjonen, "Host Identity Protocol Certificates," RFC 6253 (Experimental), IETF, May 2011
29. T. Henderson and A. Gurtov, "The Host Identity Protocol (HIP) Experiment Report," RFC 6538 (Informational), IETF, Mar. 2012
30. J. Rosenberg et al., "SIP: Session Initiation Protocol," RFC 3261 (Proposed Standard), IETF, Jun. 2002
31. Floodlight project," Available: http://www.projectfloodlight.org
32. J. Wang, Y. Wang, H. Hu, Q. Sun, H. Shi, and L. Zeng, "Towards a security-enhanced firewall application for openflow networks," in Cyberspace Safety and Security-5th International Symposium, November 2013, pp. 92-103
33. H. Hu, W. Han, G.-J. Ahn, and Z. Zhao, "Flowguard: Building robust firewalls for software-defined networks," in Proceedings of the Third Workshop on Hot Topics in Software Defined Networking, ser. HotSDN '14. ACM, 2014, pp. 97-102
34. E. Hoz et al., "Detecting and defeating advanced man-in-themiddle attacks against tls," in Cyber Conflict (CyCon 2014), 2014 6th International Conference On, June 2014, pp. 209-221
35. Snort manual," Available: http://manual.snort.org
36. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P. Strub, "Implementing tls with verified cryptographic security," in Security and Privacy (SP), 2013 IEEE Symposium on, May 2013, pp. 445-459
37. S. Chaki and A. Datta, "Aspier: An automated framework for verifying security protocol implementations," in Computer Security Foundations Symposium, 2009. CSF '09. 22nd IEEE, July 2009, pp. 172-185
38. K. Bhargavan, C. Fournet, R. Corin, and E. ZǍlinescu, "Verified cryptographic implementations for tls," ACM Trans. Inf. Syst. Secur., vol. 15, no. 1, pp. 3:1-3:32, Mar. 2012