You are looking at a specific version 20201102:104100 of this paper. See the latest version.

Paper 2020/1366

LURK: Server-Controlled TLS Delegation

Ioana Boureanu and Daniel Migault and Stere Preda and Hyame Assem Alamedine and Sanjay Mishra and Frederic Fieau and Mohammad Mannan

Abstract

By design, TLS (Transport Layer Security) is a 2-party, end-to-end protocol. Yet, in practice, TLS delegation is often deployed: that is, middlebox proxies inspect and even modify TLS traffic between the endpoints. Recently, industry leaders (e.g., Akamai, Cloudflare, Telefonica, Ericsson), standardization bodies (e.g., IETF, ETSI), and academic researchers have proposed numerous ways of achieving safer TLS delegation. We present the LURK (Limited Use of Remote Keys) extension for TLS 1.2, a suite of designs for TLS delegation, where the TLS server is aware of the middlebox. We implement and test LURK. We also cryptographically prove and formally verify, in ProVerif, the security of LURK. Finally, we comprehensively analyze how our designs balance (provable) security and competitive performance.

Note: This paper is an extended version of our IEEE TrustCom 2020 paper [a]. We are making this version available in order to have clearer results and discussions in comparison to its short version.

[a] Ioana Boureanu and Daniel Migault and Stere Preda and Hyame Assem Alamedine and Sanjay Mishra and Frederic Fieau and Mohammad Mannan, “LURK: Server-Controlled TLS Delegation”, in Proceedings of the 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom 2020), Guangzhou, China, December 29, 2020 - January 1, 2021.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Internet security, Middleboxes, Cryptographic protocols, Transport protocols, TLS, ProVerif
Contact author(s)
i boureanu @ surrey ac uk, daniel migault @ ericsson com, stere preda @ ericsson com, hyame a alameddine @ ericsson com, sanjay mishra @ verizon com, frederic fieau @ orange com, m mannan @ concordia ca
History
2020-11-02: received
Short URL
https://ia.cr/2020/1366
License
Creative Commons Attribution
CC BY