LURK-T: Limited Use of Remote Keys With Added Trust in TLS 1.3
- URL: http://arxiv.org/abs/2506.12026v1
- Date: Wed, 21 May 2025 15:23:17 GMT
- Title: LURK-T: Limited Use of Remote Keys With Added Trust in TLS 1.3
- Authors: Behnam Shobiri, Sajjad Pourali, Daniel Migault, Ioana Boureanu, Stere Preda, Mohammad Mannan, Amr Youssef
- Abstract summary: LURK-T is a provably secure framework which allows for limited use of remote keys with added trust in TLS 1.3. We efficiently decouple the server side of TLS 1.3 into a LURK-T Crypto Service (CS) and a LURK-T Engine (E). CS executes all cryptographic operations in a Trusted Execution Environment (TEE). We show that, from a TLS-client's perspective, HTTPS servers using LURK-T instead of a traditional TLS-server have no noticeable overhead when serving files greater than 1MB.
- Score: 6.262801814917709
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: In many web applications, such as Content Delivery Networks (CDNs), TLS credentials are shared, e.g., between the website's TLS origin server and the CDN's edge servers, which can be distributed around the globe. To enhance the security and trust for TLS 1.3 in such scenarios, we propose LURK-T, a provably secure framework which allows for limited use of remote keys with added trust in TLS 1.3. We efficiently decouple the server side of TLS 1.3 into a LURK-T Crypto Service (CS) and a LURK-T Engine (E). CS executes all cryptographic operations in a Trusted Execution Environment (TEE), upon E's requests. CS and E together provide the whole TLS-server functionality. A major benefit of our construction is that it is application agnostic; the LURK-T Crypto Service could be collocated with the LURK-T Engine, or it could run on different machines. Thus, our design allows for in situ attestation and protection of the cryptographic side of the TLS server, as well as for all setups of CDNs over TLS. To support such a generic decoupling, we provide a full Application Programming Interface (API) for LURK-T. To this end, we implement our LURK-T Crypto Service using Intel SGX and integrate it with OpenSSL. We also test LURK-T's efficiency and show that, from a TLS-client's perspective, HTTPS servers using LURK-T instead of a traditional TLS-server have no noticeable overhead when serving files greater than 1MB. In addition, we provide cryptographic proofs and formal security verification using ProVerif.
Related papers
- Lightweight, Secure and Stateful Serverless Computing with PSL [43.025002382616066]
We present a Function-as-a-Service (FaaS) framework for Trusted Execution Environments (TEEs).
The framework provides rich programming language support on heterogeneous TEE hardware for statically compiled binaries and/or WebAssembly (WASM) bytecodes.
It achieves near-native execution speeds by utilizing the dynamic memory mapping capabilities of Intel SGX2.
arXiv Detail & Related papers (2024-10-25T23:17:56Z)
- A Comprehensive Review of TLSNotary Protocol [0.0]
We investigate the TLSNotary protocol, which aims to enable the Client to obtain proof of provenance for data from a TLS session.
To achieve such proofs without any Server-side adjustments or permissions, the power of secure multi-party computation (MPC) together with zero knowledge proofs is used.
arXiv Detail & Related papers (2024-09-26T09:28:51Z)
- An Efficient TLS 1.3 Handshake Protocol with VC Certificate Type [0.0]
The paper presents a step forward in the design and implementation of a Transport Layer Security (TLS) handshake protocol. It enables the use of Verifiable Credential (VC) while maintaining full compliance with RFC-8446 and preserving all the security features of TLS 1.3. Results pave the way for the adoption of Self-Sovereign Identity in large-scale Internet of Things (IoT) systems.
arXiv Detail & Related papers (2024-07-17T13:18:16Z)
- HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs).
TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks.
We address the above with HasTEE+, a domain-specific language (DSL) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
arXiv Detail & Related papers (2024-01-17T00:56:23Z)
- On the Integration of Self-Sovereign Identity with TLS 1.3 Handshake to Build Trust in IoT Systems [0.0]
Self-Sovereign Identity (SSI) is a decentralised option that reduces the need for human intervention.
This paper contributes to the adoption of SSI in large-scale IoT systems by addressing, for the first time, the extension of the original TLS 1.3 handshake.
arXiv Detail & Related papers (2023-11-01T09:22:31Z)
- SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices [67.65883495888258]
We present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes.
SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices.
We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud.
arXiv Detail & Related papers (2023-09-26T08:11:38Z)
- GPT-4 Is Too Smart To Be Safe: Stealthy Chat with LLMs via Cipher [85.18213923151717]
Experimental results show certain ciphers succeed almost 100% of the time to bypass the safety alignment of GPT-4 in several safety domains.
We propose a novel SelfCipher that uses only role play and several demonstrations in natural language to evoke this capability.
arXiv Detail & Related papers (2023-08-12T04:05:57Z)
- InviCloak: An End-to-End Approach to Privacy and Performance in Web Content Distribution [7.8017281332931665]
InviCloak is a system that protects the confidentiality and integrity of a user and a website's private communications without changing TLS or upgrading a CDN. InviCloak builds a lightweight but secure and practical key distribution mechanism using the existing DNS infrastructure.
arXiv Detail & Related papers (2022-09-04T06:38:27Z)
- LAMDA-SSL: Semi-Supervised Learning in Python [56.14115592683035]
LAMDA-SSL is open-sourced on GitHub and its detailed usage documentation is available at https://ygzwqzd.github.io/LAMDA-SSL/.
This documentation greatly reduces the cost of familiarizing users with LAMDA-SSL toolkit and SSL algorithms.
arXiv Detail & Related papers (2022-08-09T09:06:48Z)
- ESPnet-SLU: Advancing Spoken Language Understanding through ESPnet [95.39817519115394]
ESPnet-SLU is a project inside end-to-end speech processing toolkit, ESPnet.
It is designed for quick development of spoken language understanding in a single framework.
arXiv Detail & Related papers (2021-11-29T17:05:49Z)
- Adaptive Webpage Fingerprinting from TLS Traces [13.009834690757614]
In webpage fingerprinting, an adversary infers the specific webpage loaded by a victim user by analysing the patterns in the encrypted TLS traffic exchanged between the user's browser and the website's servers.
This work studies modern webpage fingerprinting adversaries against the TLS protocol.
We introduce a TLS-specific model that: 1) scales to an unprecedented number of target webpages, 2) can accurately classify thousands of classes it never encountered during training, and 3) has low operational costs even in scenarios of frequent page updates.
arXiv Detail & Related papers (2020-10-19T15:13:07Z)
This list is automatically generated from the titles and abstracts of the papers in this site.