LOCKS, M. Bierma, A. Brown, T. M. Kroeger, H. Poston, T. Delano, “Locally…
LOCKS
Final Thoughts
The paper does not say which asymmetric scheme LOCKS uses to send the session key to the IDS
Requires a custom build of the SSL library to support LOCKS, which must be updated for every browser release
The threat analysis seems to focus on the LOCKS method of sharing the session key from the browser to the escrow server
Architecture
High-level Workflow
1) Client initiates an SSL connection to the server
2) TCP handshake is established
3) Client generates the session key and shares it with the LOCKS registrar installed in the web browser
4) The key is stored in the LOCKS database and forwarded to the IDS using asymmetric encryption
5) The IDS uses the key to decrypt the traffic and take the necessary action
SSL Session Key Sharing
Cooperative Key Sharing - shares the session key with the IDS using asymmetric encryption
Selective-Providing Keys - maintains a list of sensitive assets so that users are aware of the consequences of sharing the session keys of connections to those assets
SSL Flow Regulation - decides when decryption should happen
Firewall - drops encrypted network traffic until the session key has been shared
Block only encrypted traffic from malicious/suspicious domains, but this adds delay: the traffic must be inspected first, and by then the client has already received the malicious traffic
Inline monitoring also costs performance, since it inspects and forwards packets at the same time, but it can drop a packet the moment it is verified malicious
Let all traffic through until the session key has been shared in the LOCKS database; the IDS can then decrypt the data and stop the malicious traffic once verified. Sending is delayed, but packets that must be dropped are dropped faster
Preferred by the authors
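The workflow steps above (client generates the session key, the registrar escrows it, the IDS unwraps it with asymmetric encryption and decrypts the traffic) together with the Cooperative Key Sharing and Selective-Providing Keys components, as an added toy model. This is not code from the paper or from the LOCKS implementation: the paper does not name its asymmetric scheme, so RSA-OAEP with a 2048-bit IDS key is an assumption here, AES-GCM stands in for TLS record protection, and the `bank.example` sensitive-host list, the `news.example` host and the `EVIL` detection rule are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Added toy model of LOCKS workflow steps 3-5, not the paper's code: the browser-side
// registrar applies the selective-providing policy and wraps the session key under the
// IDS's RSA public key; the IDS unwraps it and decrypts the captured record. RSA-OAEP,
// AES-GCM, the key sizes and the sensitive-host list are assumptions for illustration.

// sensitiveHosts is a constructed "sensitive assets" list whose keys are never escrowed.
var sensitiveHosts = map[string]bool{"bank.example": true}

// EscrowRecord is what the registrar stores in the LOCKS database for the IDS to fetch.
type EscrowRecord struct {
	Host       string
	WrappedKey []byte // session key encrypted to the IDS public key
}

// NewIDSKey generates the IDS key pair (2048-bit RSA is an assumption).
func NewIDSKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Registrar models the browser-side component: nil record for sensitive hosts, otherwise the
// key wrapped with OAEP, binding the host name into the label so a record cannot be re-attributed.
func Registrar(host string, sessionKey []byte, idsPub *rsa.PublicKey) (*EscrowRecord, error) {
	if sensitiveHosts[host] {
		return nil, nil
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, idsPub, sessionKey, []byte(host))
	if err != nil {
		return nil, err
	}
	return &EscrowRecord{Host: host, WrappedKey: wrapped}, nil
}

// IDSUnwrap recovers the session key with the IDS private key (workflow step 5).
func IDSUnwrap(rec *EscrowRecord, idsPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, idsPriv, rec.WrappedKey, []byte(rec.Host))
}

// must panics on error; used only where failure means a programming bug or a dead CSPRNG.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aead builds the AES-GCM instance standing in for TLS record protection (32-byte keys only).
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// randBytes draws n bytes from crypto/rand.
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// RunFlow walks one connection through steps 3-5 and returns the IDS verdict:
// "pass-uninspected" when the key is withheld, otherwise "allow" or "drop".
func RunFlow(host string, payload []byte, idsPriv *rsa.PrivateKey) (string, error) {
	sessionKey := randBytes(32) // client-generated AES-256 session key (step 3)
	client := aead(sessionKey)
	nonce := randBytes(client.NonceSize())
	sealed := client.Seal(nonce, nonce, payload, nil) // the record the IDS captures off the wire
	rec, err := Registrar(host, sessionKey, &idsPriv.PublicKey) // step 4
	if err != nil {
		return "", err
	}
	if rec == nil {
		return "pass-uninspected", nil // policy withheld the key; the IDS sees only ciphertext
	}
	key, err := IDSUnwrap(rec, idsPriv) // step 5
	if err != nil {
		return "", err
	}
	ids := aead(key) // the IDS builds its own AEAD from the escrowed key, not the client's object
	plaintext, err := ids.Open(nil, sealed[:ids.NonceSize()], sealed[ids.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	if strings.Contains(string(plaintext), "EVIL") { // constructed rule standing in for IDS signatures
		return "drop", nil
	}
	return "allow", nil
}

func main() {
	priv := must(NewIDSKey())
	fmt.Println(RunFlow("news.example", []byte("GET /EVIL.exe"), priv)) // prints: drop <nil>
}
```

Binding the host name into the OAEP label means a wrapped key copied onto another host's escrow record fails to unwrap, which is the kind of check the escrow database side would want; a connection to a host on the sensitive list produces no record at all, so the IDS can only forward that traffic uninspected, which is the trade-off the Selective-Providing Keys component accepts.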
Striking Lines
"These protocols should be thoroughly analyzed by the security community before they are safely deployed in an operation setting."
GOAL
The SSL connection must remain completely intact while the payload of the network traffic can still be inspected
Evaluation
Goal
Show Communication Latency
Setup and Metrics
Ran 100 tests downloading 100 KB to 10 MB files from a local web server and from a hosted web server, discarding the five (5) worst values as outliers
Blue Coat IDS with MITM vs Blue Coat IDS with LOCKS
Measures the difference between the timestamps of the SYN packet and the ACK packet
Result
LOCKS performs slightly better than MITM, but the difference is small
Usability Testing
Setup and Metrics
Provided a questionnaire on how easy LOCKS is to set up
A score above 68 is above average and below 68 is below average
Result
LOCKS achieved 85.6%
Performance
Setup and Metrics
A machine running Squid proxy and Bro, plus a web server
Used Linux traffic-shaping tools to vary the bandwidth and ran multiple browser instances simultaneously
Bro IDS with SSL decryption enabled vs Bro IDS without SSL decryption enabled
Used Bro's capture-loss facility to measure the effect of decryption
Result
With LOCKS, Bro's packet loss rate increased above its usual level
Reference:
M. Bierma, A. Brown, T. M. Kroeger, H. Poston, T. Delano, “Locally Operated Cooperative Key Sharing (LOCKS)”, in International Conference on Computing, Networking and Communications (ICNC), 2017.