Keyless SSL makes it possible for organizations that cannot share their private keys to move to the cloud while maintaining SSL/TLS encryption.
After reading this article you will be able to:
Copy article link
Keyless SSL is a service for companies that use a cloud vendor for SSL encryption. Usually this would mean that the cloud vendor has to know the company's private key, but keyless SSL is a way to circumvent that. For regulatory reasons many organizations cannot share their private keys. With keyless SSL, these organizations are still able to use TLS and leverage the cloud while keeping the key secure.
SSL, more accurately known as TLS, is a protocol for authenticating and encrypting communications over a network. SSL/TLS requires the use of what's called a public key and a private key, and in the case of a company using the protocol to secure traffic to and from their website (see HTTPS), the private key typically remains in the company's possession. But when a company moves to the cloud and a vendor provides TLS encryption, the vendor has the private key instead.
By moving the part of the handshake involving the private key off of the vendor's server, the private key can remain securely in the company's possession. Instead of using the private key directly to authenticate the vendor's server, the cloud vendor forwards data to and receives data from the company's server to accomplish this. This communication occurs over a secure, encrypted channel. Thus, a private key is still used, but it is not shared with anyone outside the company.
For instance, suppose that Acme Co. implements TLS. Acme Co. will securely store their private key on a server that they own and control. If Acme Co. moves to the cloud and uses a cloud service provider for web hosting, that vendor will then have the private key. However, if Acme Co. moves to the cloud with a vendor that implements keyless SSL/TLS instead, the private key can stay on the server that Acme Co. owns and controls, as in the non-cloud TLS implementation.
Keyless SSL is based on the fact that there is only one time when the private key is used during the TLS handshake, which occurs at the beginning of a TLS communication session. Keyless SSL works by splitting the steps of the TLS handshake up geographically. A cloud vendor offering keyless SSL moves the private key part of the process to another server, usually a server that the customer keeps on premises.
When the private key becomes necessary during the handshake for decrypting or signing data, the vendor's server forwards the necessary data to the customer's private key server. The private key decrypts or signs the data on the customer's server, the customer's server sends the data back to the vendor's server, and the TLS handshake continues like usual.
Keyless SSL is only "keyless" from the cloud vendor's point of view: they never see their customer's private key, but the customer still has and uses it. Meanwhile, the public key is still used on the client side like normal.
In an RSA handshake, the steps in a TLS handshake are as follows:
Keyless SSL comes into play in step 4. With keyless SSL, instead of decrypting the premaster secret themselves, the cloud vendor sends it in encrypted form over a secure channel to a server that the customer hosts or controls. The customer's private key decrypts the premaster secret, and then the decrypted premaster secret is sent back to the cloud vendor. The cloud vendor's server uses this to derive the session keys, and TLS communications continue as normal.
An ephemeral Diffie-Hellman (DHE) handshake ("ephemeral" because the same key is never used twice) generates session keys using the Diffie-Hellman algorithm, a way of exchanging keys over an unsecure channel. With this kind of TLS handshake, private key authentication is a separate process from session key generation.
The main difference between the DHE handshake and an RSA handshake, aside from the algorithms used, is how the premaster secret is generated. In an RSA handshake, the premaster secret is made up of randomized data generated by the client; in a DHE handshake, the client and the server use agreed-upon parameters to calculate the same premaster secret separately.
The private key is only used in step 2, and this is where keyless SSL becomes relevant. At this point, the SSL/TLS vendor sends the client random, server random, and server's DH parameter to the customer-controlled server that has the private key. This information is used to generate the server's digital signature and is sent back to the cloud vendor, who passes it on to the client. The client is able to verify this signature with the public key, and the handshake proceeds. This way, the cloud vendor does not need to touch the private key.
Ephemeral Diffie-Hellman handshakes, although they take slightly longer than RSA handshakes, have the advantage of something called forward secrecy. Because the private key is only used for authentication, an attacker cannot use it to discover any given session key.
A session key is a symmetric key used by both sides of a secure communication over TLS, after the TLS handshake is completed. Once the two sides agree upon a set of session keys, there is no need to use the public and private keys anymore. TLS generates different session keys for each unique session.
Forward secrecy ensures that encrypted data stays encrypted even if the private key is exposed. This is also known as "perfect forward secrecy." Forward secrecy is possible if a unique session key is used for each communication session, and if the session key is generated separately from the private key. If a single session key is compromised, only that session can be decrypted by an attacker; all other sessions will remain encrypted.
In a protocol set up for forward secrecy, the private key is used for authentication during an initial handshake process, and otherwise it is not used. The ephemeral Diffie-Hellman handshake generates session keys separately from the private key and therefore has forward secrecy.
In contrast, RSA does not have forward secrecy; with the private key compromised, an attacker could determine session keys for past conversations, because they can decrypt the premaster secret and the client randoms and server randoms are in plaintext. By combining these three, the attacker can derive any given session key.
Cloudflare was the first cloud vendor to release keyless SSL, allowing enterprises facing tight security restrictions, such as banks, to move to the cloud. Cloudflare supports both RSA and Diffie-Hellman handshakes (as well as TLS 1.3 handshakes), so that companies can incorporate forward secrecy and protect against the possibility of an attacker decrypting their data after stealing their private key.
All communications between Cloudflare servers and the private key servers take place over a secure, encrypted channel. Additionally, Cloudflare has found that keyless SSL has a negligible impact on performance despite the extra trips to the private key server.
For more technical details on how keyless SSL works, take a look at this blog post. For more on keyless SSL from Cloudflare, explore the details of our keyless SSL service.
Learning Center Navigation