TLS Cross Credential (TLS-CC) for Authentication in Delegated Networks

Abstract

Nowadays, most of the content providers such as media and entertainment companies use the Content Delivery Network (CDN) services for faster delivery and higher availability. Using a globally distributed server infrastructure to absorb the network traffic, CDNs are believed to offer faster experience to the end-users and a degree of protection from Distributed Denial of Service (DDoS) attacks. However, despite the benefits of such features, there are several drawbacks related to the authentication of the third party edge networks of CDN. Current mechanisms either trust the CDN providers with the private keys or allow a certification authority to issue the CDN a certificate. Both mechanisms are undesirable in terms of attack space expansion due to the sharing of private keys or in terms of domain confusion and complicated revocation process of the CDNs certificate. This paper proposes an authentication mechanism in CDN edge networks which does not require trusting the CDN or allowing the certification authority to issue a shared certificate to CDN. Using an object called a cross credential (CC) which can prove the delegated relationship between the CDN edge and the origin server, the proposed mechanism offers efficient solution to the above security concerns with extremely low latency and computation overhead compared to the existing solutions. We implemented our proposed mechanism by extending the standard Transport Layer Security (TLS) protocol to create the CC in the back-end channel and verify the CC in the front-end channel for edge server authentication.