Paper 2023/094

Portunus: Re-imagining access control in distributed systems

Watson Ladd, Akamai (United States)
Tanya Verma, Cloudflare
Marloes Venema, University of Wuppertal, Radboud University Nijmegen
Armando Faz Hernandez, Cloudflare
Brendan McMillion
Avani Wildani, Cloudflare
Nick Sullivan, Cloudflare

TLS termination, which is essential to network and security infrastructure providers, is an extremely latency sensitive operation that benefits from access to sensitive key material close to the edge. However, increasing regulatory concerns prompt customers to demand sophisticated controls on where their keys may be accessed. While traditional access-control solutions rely on a highly available centralized process to enforce access, the round-trip latency and decreased fault tolerance make this approach unappealing. Furthermore, the desired level of customer control is at odds with customizing the distribution process for each key. To solve this dilemma, we have designed and implemented Portunus, a cryptographic storage and access control system built using a variant of public-key cryptography called attribute-based encryption (ABE). Using Portunus, TLS keys are protected using ABE under a policy chosen by the customer. Each server is issued unique ABE keys based on its attributes, allowing it to decrypt only the TLS keys for which it satisfies the policy. Thus, the encrypted keys can be stored at the edge, with access control enforced passively through ABE. If a server receives a TLS connection but is not authorized to decrypt the necessary TLS key, the request is forwarded directly to the nearest authorized server, further avoiding the need for a centralized coordinator. In comparison, a trivial instantiation of this system using standard public-key cryptography might wrap each TLS key with the key of every authorized data center. This strategy, however, multiplies the storage overhead by the number of data centers. We have deployed Portunus on Cloudflare's global network of over 400 data centers. Our measurements indicate that we can handle millions of requests per second globally, making it one of the largest deployments of ABE.

Note: Revised author order to match pdf

Available format(s)
Publication info
Published elsewhere. ATC
ABEpairingsCP-ABElarge systems
Contact author(s)
watsonbladd @ gmail com
tverma @ cloudflare com
mvenemacrypto @ gmail com
2023-06-14: last of 3 revisions
2023-01-25: received
See all versions
Short URL
Creative Commons Attribution-NonCommercial-NoDerivs


      author = {Watson Ladd and Tanya Verma and Marloes Venema and Armando Faz Hernandez and Brendan McMillion and Avani Wildani and Nick Sullivan},
      title = {Portunus: Re-imagining access control in distributed systems},
      howpublished = {Cryptology ePrint Archive, Paper 2023/094},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.