An SDN-based approach to enhance the end-to-end security: SSL/TLS case study

Abstract

End-to-end encryption is becoming the norm for many applications and services. While this improves privacy of individuals and organizations, the phenomenon also raises new kinds of challenges. For instance, with the increase of devices using encryption, the volumes of outdated, exploitable encryption software also increases. This may create some distrust amongst the users against security unless its quality is enforced in some ways. Unfortunately, deploying new mechanisms at the end-points of the communication is challenging due to the sheer volume of devices, and modifying the existing services may not be feasible either. Hence, we propose a novel method for improving the quality of the secure sessions in a centralized way based on the SDN architecture. Instead of inspecting the encrypted traffic, our approach enhances the quality of secure sessions by analyzing the plaintext handshake messages exchanged between a client and server. We exploit the fact that many of today's security protocols negotiate the security parameters such as the protocol version, encryption algorithms or certificates in plaintext in a protocol handshake before establishing a secure session. By verifying the negotiated information in the handshake, our solution can improve the security level of SSL/TLS sessions. While the approach can be extended to many other protocols, we focus on the SSL/TLS protocol in this paper because of its wide-spread use. We present our implementation for the OpenDaylight controller and evaluate its overhead to SSL/TLS session establishment in terms of latency.