Saved in:
Bibliographic Details
Main Authors: Shobiri, Behnam, Pourali, Sajjad, Migault, Daniel, Boureanu, Ioana, Preda, Stere, Mannan, Mohammad, Youssef, Amr
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2506.12026
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915342937227264
author Shobiri, Behnam
Pourali, Sajjad
Migault, Daniel
Boureanu, Ioana
Preda, Stere
Mannan, Mohammad
Youssef, Amr
author_facet Shobiri, Behnam
Pourali, Sajjad
Migault, Daniel
Boureanu, Ioana
Preda, Stere
Mannan, Mohammad
Youssef, Amr
contents In many web applications, such as Content Delivery Networks (CDNs), TLS credentials are shared, e.g., between the website's TLS origin server and the CDN's edge servers, which can be distributed around the globe. To enhance the security and trust for TLS 1.3 in such scenarios, we propose LURK-T, a provably secure framework which allows for limited use of remote keys with added trust in TLS 1.3. We efficiently decouple the server side of TLS 1.3 into a LURK-T Crypto Service (CS) and a LURK-T Engine (E). CS executes all cryptographic operations in a Trusted Execution Environment (TEE), upon E's requests. CS and E together provide the whole TLS-server functionality. A major benefit of our construction is that it is application agnostic; the LURK-T Crypto Service could be collocated with the LURK-T Engine, or it could run on different machines. Thus, our design allows for in situ attestation and protection of the cryptographic side of the TLS server, as well as for all setups of CDNs over TLS. To support such a generic decoupling, we provide a full Application Programming Interface (API) for LURK-T. To this end, we implement our LURK-T Crypto Service using Intel SGX and integrate it with OpenSSL. We also test LURK-T's efficiency and show that, from a TLS-client's perspective, HTTPS servers using LURK-T instead a traditional TLS-server have no noticeable overhead when serving files greater than 1MB. In addition, we provide cryptographic proofs and formal security verification using ProVerif.
format Preprint
id arxiv_https___arxiv_org_abs_2506_12026
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle LURK-T: Limited Use of Remote Keys With Added Trust in TLS 1.3
Shobiri, Behnam
Pourali, Sajjad
Migault, Daniel
Boureanu, Ioana
Preda, Stere
Mannan, Mohammad
Youssef, Amr
Cryptography and Security
In many web applications, such as Content Delivery Networks (CDNs), TLS credentials are shared, e.g., between the website's TLS origin server and the CDN's edge servers, which can be distributed around the globe. To enhance the security and trust for TLS 1.3 in such scenarios, we propose LURK-T, a provably secure framework which allows for limited use of remote keys with added trust in TLS 1.3. We efficiently decouple the server side of TLS 1.3 into a LURK-T Crypto Service (CS) and a LURK-T Engine (E). CS executes all cryptographic operations in a Trusted Execution Environment (TEE), upon E's requests. CS and E together provide the whole TLS-server functionality. A major benefit of our construction is that it is application agnostic; the LURK-T Crypto Service could be collocated with the LURK-T Engine, or it could run on different machines. Thus, our design allows for in situ attestation and protection of the cryptographic side of the TLS server, as well as for all setups of CDNs over TLS. To support such a generic decoupling, we provide a full Application Programming Interface (API) for LURK-T. To this end, we implement our LURK-T Crypto Service using Intel SGX and integrate it with OpenSSL. We also test LURK-T's efficiency and show that, from a TLS-client's perspective, HTTPS servers using LURK-T instead a traditional TLS-server have no noticeable overhead when serving files greater than 1MB. In addition, we provide cryptographic proofs and formal security verification using ProVerif.
title LURK-T: Limited Use of Remote Keys With Added Trust in TLS 1.3
topic Cryptography and Security
url https://arxiv.org/abs/2506.12026