TLS Multiplexing <draft-badra-hajjeh-mtls-00.txt>

About This Presentation
Title:

TLS Multiplexing <draft-badra-hajjeh-mtls-00.txt>

Slides: 9
Provided by: Ibrahim49
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
TLS Multiplexing <draft-badra-hajjeh-mtls-00.txt>
  • M. Badra
  • I. Hajjeh

2
Goals and design
  • Provides a secure VPN at the transport layer
    • over UDP or TCP (TCP in the current version)
    • SSL VPN applications today run HTTP/HTML over TCP: is that sufficient
      for streaming, video, audio, news, etc.?
  • Reduces cryptographic cost and the number of round trips
    • by associating a single TLS session with several applications
      (one handshake instead of one per application)
  • Transparent to the client, and protects against inference: an observer
    sees one session rather than one per application
  • New sub-protocol and extension type
    • a de-multiplexer that hands each record's data to the right application
    • applications to be secured are negotiated over a single session

3
data_multiplexing extension

    struct {
        ApplicationLayerProtocol alp_list<0..2^20-1>;
    } data_multiplexing;

    struct {
        ApplicationProtocolName apn;
        select (Version) {
            case 3,1 or 3,2:    /* TLS Version 1.0 or 1.1 */
                TCPPort tcp_port;
            case 254,255:       /* Datagram TLS Version 1.0 */
                UDPPort udp_port;
        }
    } ApplicationLayerProtocol;

    opaque TCPPort[2];
    opaque UDPPort[2];
    opaque ApplicationProtocolName<1..16>;
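An added example, not code from the draft or the slides, that serialises and parses the data_multiplexing body above. The length-prefix widths follow the TLS presentation language for the ranges shown: a 3-byte length for alp_list<0..2^20-1>, a 1-byte length for ApplicationProtocolName<1..16>, and a fixed 2 bytes for each port, big-endian. The alp_t type, the function names and the sample entries are this example's own; the version check is the slide's select(Version), so anything outside TLS 1.0/1.1 and DTLS 1.0 is refused rather than guessed at.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define APN_MAX 16           /* ApplicationProtocolName<1..16> */
#define ALP_LIST_MAX 0xFFFFF /* alp_list<0..2^20-1> */

typedef struct {
    char apn[APN_MAX + 1];   /* NUL-terminated copy of the name */
    uint16_t port;           /* tcp_port (TLS) or udp_port (DTLS): same 2-byte encoding */
    int udp;                 /* 1 when the negotiated version is DTLS 1.0 */
} alp_t;

/* The select(Version) on slide 3: {3,1} and {3,2} are TLS 1.0/1.1 (TCP
 * ports), {254,255} is DTLS 1.0 (UDP ports).  Any other version is not
 * covered by the extension and is rejected (assumption of this example). */
static int dm_version_kind(uint8_t major, uint8_t minor)
{
    if (major == 3 && (minor == 1 || minor == 2)) return 0;  /* TCP */
    if (major == 254 && minor == 255) return 1;              /* UDP */
    return -1;
}

static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Serialise n entries as the extension body.  Returns bytes written, 0 on error. */
size_t dm_encode(const alp_t *alps, size_t n, uint8_t *out, size_t outlen)
{
    size_t body = 0, off, i;
    for (i = 0; i < n; i++) {
        size_t l = strlen(alps[i].apn);
        if (l < 1 || l > APN_MAX) return 0;
        body += 1 + l + 2;               /* 1-byte name length, name, 2-byte port */
    }
    if (body > ALP_LIST_MAX || 3 + body > outlen) return 0;
    out[0] = (uint8_t)(body >> 16); out[1] = (uint8_t)(body >> 8); out[2] = (uint8_t)body;
    off = 3;
    for (i = 0; i < n; i++) {
        size_t l = strlen(alps[i].apn);
        out[off++] = (uint8_t)l;
        memcpy(out + off, alps[i].apn, l); off += l;
        put_u16(out + off, alps[i].port); off += 2;
    }
    return off;
}

/* Parse an extension body received under the given protocol version.
 * Every length field is checked against the bytes that remain before it is
 * used, so a short or lying length cannot cause a read past the buffer.
 * Returns the number of entries, or -1 if the body is malformed. */
int dm_decode(const uint8_t *in, size_t inlen, uint8_t major, uint8_t minor,
              alp_t *out, size_t max)
{
    int kind = dm_version_kind(major, minor);
    size_t body, off = 3, n = 0;
    if (kind < 0 || inlen < 3) return -1;
    body = ((size_t)in[0] << 16) | ((size_t)in[1] << 8) | in[2];
    if (body != inlen - 3) return -1;    /* trailing or missing bytes */
    while (off < inlen) {
        size_t l = in[off++];
        if (n == max) return -1;
        if (l < 1 || l > APN_MAX || l + 2 > inlen - off) return -1;
        memcpy(out[n].apn, in + off, l); out[n].apn[l] = '\0'; off += l;
        out[n].port = get_u16(in + off); off += 2;
        out[n].udp = kind;
        n++;
    }
    return (int)n;
}
```

The outer length is required to match the body exactly; a decoder that tolerates trailing bytes gives a peer a place to smuggle data that the other side's decoder may interpret differently.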

4
mtls sub-protocol
  • New content type (MTLS), carried by the Record layer alongside
    Handshake, Alert and CCS
  • Encapsulates application data and distinguishes it using source and
    destination ports and the data length

    Record layer content types:   Handshake | Alert | CCS | MTLS

    MTLS record body (one or more frames, app 1 ... app n, each with a
    6-byte header):

      +-------------------+------------------------+---------------+------+
      | 2-byte source port| 2-byte destination port| 2-byte length | Data |
      +-------------------+------------------------+---------------+------+
      |<------------------------ 6-byte header ---------------------->|
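The framing above as an added example, not the draft's code: a multiplexer that packs several application frames into one MTLS record body and a de-multiplexer that splits it again. It assumes the slide's layout (2-byte source port, 2-byte destination port, 2-byte length, then data, big-endian as elsewhere in TLS) and adds one check the slide does not state: a frame is only delivered if its destination port was negotiated in the data_multiplexing extension. The mtls_frame_t type, the function names and the sample frames are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MTLS_HDR 6   /* 2-byte source port, 2-byte destination port, 2-byte length */

typedef struct {
    uint16_t src, dst, len;
    const uint8_t *data;   /* points into the record buffer; not copied */
} mtls_frame_t;

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Multiplexer: append one application frame to a record body.
 * Returns the new body length, or 0 if the frame does not fit. */
size_t mtls_put(uint8_t *rec, size_t reclen, size_t used,
                uint16_t src, uint16_t dst, const uint8_t *data, uint16_t len)
{
    if (used > reclen || reclen - used < MTLS_HDR || reclen - used - MTLS_HDR < len)
        return 0;
    put16(rec + used, src);
    put16(rec + used + 2, dst);
    put16(rec + used + 4, len);
    memcpy(rec + used + MTLS_HDR, data, len);
    return used + MTLS_HDR + len;
}

/* Ports the peer agreed to in the data_multiplexing extension
 * (assumption of this example: the slide does not spell out this check). */
static int port_negotiated(uint16_t port, const uint16_t *allowed, size_t nallowed)
{
    size_t i;
    for (i = 0; i < nallowed; i++)
        if (allowed[i] == port) return 1;
    return 0;
}

/* De-multiplexer: split a record body into frames.  The whole record is
 * rejected (-1) if a header is truncated, a length field claims more bytes
 * than remain, or a destination port was never negotiated: a length must
 * be validated before it drives a read, and data must not reach an
 * application that did not opt in. */
int mtls_demux(const uint8_t *rec, size_t reclen,
               const uint16_t *allowed, size_t nallowed,
               mtls_frame_t *out, size_t max)
{
    size_t off = 0, n = 0;
    while (off < reclen) {
        uint16_t len, dst;
        if (reclen - off < MTLS_HDR) return -1;            /* truncated header */
        len = get16(rec + off + 4);
        if (len > reclen - off - MTLS_HDR) return -1;      /* lying length */
        dst = get16(rec + off + 2);
        if (!port_negotiated(dst, allowed, nallowed) || n == max) return -1;
        out[n].src = get16(rec + off);
        out[n].dst = dst;
        out[n].len = len;
        out[n].data = rec + off + MTLS_HDR;
        off += MTLS_HDR + len;
        n++;
    }
    return (int)n;
}
```

Rejecting the whole record rather than the single bad frame is deliberate: once one length field is wrong, the boundaries of every later frame in the record are unknown.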
5
Discussion
  • If the server supports at least one application proposed by the client
    • does the server respond with all the applications it supports?
  • Stream ID instead of port numbers
    • not all applications support it
  • Working Group item?
  • Development in progress

6
TLS Sign
  • draft-hajjeh-tls-sign-01.txt
  • M. Badra (badra@enst.fr)
  • I. Hajjeh (ibrahim.hajjeh@esrgroups.org)

7
Goals and design
  • More secure e-business transactions
  • Minimises development effort
    • a transparent signature solution for applications and developers
  • Integrates standard signature functionality (PKCS#7, CMS, XML-DSig,
    etc.) into the TLS API
  • Offers a generic non-repudiation service
    • the non-repudiation service is negotiated by defining a TLS extension
  • Two types of non-repudiation
    • non-repudiation with proof of origin
    • non-repudiation without proof of origin

8
signature extension
    enum { pkcs7(0), smime(1), xmldsig(2), (255) } ContentFormat;

    struct {
        ContentFormat content_format;
        SignMethod sign_meth;
        SignType sign_type;
    } signature_request;

    enum { ssl_client_auth_cert(0), ssl_client_auth_cert_url(1), (255) } SignMethod;

    opaque Signature_type<1..2^16-1>;
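An added example, not the draft's code, that encodes and validates a signature_request body. It assumes the standard TLS encodings for the declarations above: a one-byte enum for ContentFormat and SignMethod (the (255) only fixes the width), and a 2-byte length for Signature_type<1..2^16-1>, treated here as the bytes of the sign_type field. The sigreq_t type, function names and sample value are this example's own. The point it makes is that an unknown enum value must be refused, not mapped to a default: the meaning of a signature depends on the format the peer believes it negotiated.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values from the slide; anything above the last member is not implemented. */
enum content_format { CF_PKCS7 = 0, CF_SMIME = 1, CF_XMLDSIG = 2 };
enum sign_method   { SM_CLIENT_AUTH_CERT = 0, SM_CLIENT_AUTH_CERT_URL = 1 };

typedef struct {
    uint8_t content_format;
    uint8_t sign_method;
    const uint8_t *sign_type;   /* Signature_type<1..2^16-1>; points into the input */
    uint16_t sign_type_len;
} sigreq_t;

/* Serialise; returns bytes written, 0 if a field is out of range or out is too small. */
size_t sigreq_encode(const sigreq_t *r, uint8_t *out, size_t outlen)
{
    if (r->content_format > CF_XMLDSIG || r->sign_method > SM_CLIENT_AUTH_CERT_URL) return 0;
    if (r->sign_type_len < 1 || outlen < 4u + r->sign_type_len) return 0;
    out[0] = r->content_format;
    out[1] = r->sign_method;
    out[2] = (uint8_t)(r->sign_type_len >> 8);
    out[3] = (uint8_t)r->sign_type_len;
    memcpy(out + 4, r->sign_type, r->sign_type_len);
    return 4u + r->sign_type_len;
}

/* Returns 0 on success, -1 if the body is malformed or names a value this
 * endpoint does not implement.  The length is checked against inlen before
 * sign_type is pointed at the input. */
int sigreq_decode(const uint8_t *in, size_t inlen, sigreq_t *r)
{
    size_t l;
    if (inlen < 4) return -1;
    if (in[0] > CF_XMLDSIG || in[1] > SM_CLIENT_AUTH_CERT_URL) return -1;
    l = ((size_t)in[2] << 8) | in[3];
    if (l < 1 || 4 + l != inlen) return -1;
    r->content_format = in[0];
    r->sign_method = in[1];
    r->sign_type = in + 4;
    r->sign_type_len = (uint16_t)l;
    return 0;
}
```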

9
Example: non-repudiation of an order
  • Scenario
    • When the client arrives at the payment site, the non-repudiation
      service is negotiated
    • The client uses the SSL_sign_write OpenSSL function to sign the order

  Client call sequence (standard OpenSSL calls plus the proposed
  SSL_sign_write, SSL_sign_read and ssl_audit calls, which are the draft's
  additions and not part of OpenSSL):

    fd = socket()
    bind(fd)
    connect(fd)
    SSL_library_init()
    meth = SSLv2 / SSLv23 / SSLv3 / TLSv1_client_method()
    ctx = SSL_CTX_new(meth)
    SSL_CTX_set_cipher_list(ctx, cipher)
    SSL_CTX_load_verify_locations(ctx, CA_FILE, 0)
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)
    ssl = SSL_new(ctx)
    SSL_set_fd(ssl, fd)
    SSL_connect(ssl)
    SSL_write / SSL_read
    SSL_sign_write / SSL_sign_read
    ssl_audit
    SSL_shutdown(ssl)
    close(fd)
    SSL_free(ssl)
    SSL_CTX_free(ctx)

  SSL_VERIFY_PEER with a NULL callback makes SSL_connect fail when the
  server certificate does not chain to CA_FILE, which is what a client that
  is about to sign an order for that server wants.