Abstract
With the advent of cloud computing and the Internet, the commercialized website becomes capable of providing more web services, such as software as a service (SaaS) or function as a service (FaaS), for great user experiences. Undoubtedly, web services have been thriving in popularity that will continue growing to serve modern human life. As expected, there came the ineluctable need for preserving privacy, enhancing security, and building trust. However, HTTPS alone cannot provide a remote attestation for building trust with web services, which remains lacking in trust. At the same time, cloud computing is actively adopting the use of TEEs and will demand a web-based protocol for remote attestation with ease of use. Here, we propose HTTPA/2 as an upgraded version of HTTP-Attestable (HTTPA) by augmenting existing HTTP to enable end-to-end trusted communication between endpoints at layer 7 (L7). HTTPA/2 allows for L7 message protection without relying on TLS. In practice, HTTPA/2 is designed to be compatible with the in-network processing of the modern cloud infrastructure, including L7 gateway, L7 load balancer, caching, etc. We envision that HTTPA/2 will further enable trustworthy web services and trustworthy AI applications in the future, accelerating the transformation of the web-based digital world to be more trustworthy.
G. King and H. Wang—Both authors contributed equally to this work.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Execution environments
Innovative technology for CPU based attestation and sealing
Remote attestation
Roots of trust (RoT)
Backman, A., Richer, J., Sporny, M.: HTTP message signatures draft-ietf-httpbis-message-signatures-08. Technical report, Internet-Draft. IETF (2019). https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-08.html
Banks, A.S., Kisiel, M., Korsholm, P.: Remote attestation: a literature review. CoRR, abs/2105.02466 (2021)
Bhargavan, K., Brzuska, C., Fournet, C., Green, M., Kohlweiss, M., Zanella-Béguelin, S.: Downgrade resilience in key-exchange protocols. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 506–525. IEEE (2016)
Birkholz, H., Thaler, D., Richardson, M., Pan, W., Smith, N.: Remote attestation procedures architecture draft-ietf-rats-architecture-12. Technical report, Internet-Draft. IETF (2021). https://www.ietf.org/archive/id/draft-ietf-rats-architecture-12.html
Fielding, R.T., Reschke, J.: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. RFC 7230, June 2014
Fielding, R.T., Reschke, J.: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. RFC 7231, June 2014
Helble, S.C., Kretz, I.D., Loscocco, P.A., Ramsdell, J.D., Rowe, P.D., Alexander, P.: Flexible mechanisms for remote attestation. ACM Trans. Priv. Secur. 24(4), 1–23 (2021)
Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security (HSTS). RFC 6797, November 2012
Jauernig, P., Sadeghi, A.-R., Stapf, E.: Trusted execution environments: properties, applications, and challenges. IEEE Secur. Priv. 18(2), 56–60 (2020)
King, G., Wang, H.: HTTPA: HTTPS attestable protocol (2021)
Krawczyk, H., Eronen, P.: HMAC-based Extract-and-Expand Key Derivation Function (HKDF). RFC 5869, May 2010
Krawczyk, H.: SIGMA: the ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_24
Langley, A., Hamburg, M., Turner, S.: Elliptic Curves for Security. RFC 7748, January 2016
McGrew, D.: An Interface and Algorithms for Authenticated Encryption. RFC 5116, January 2008
Ménétrey, J., Göttel, C., Pasin, M., Felber, P., Schiavoni, V.: An exploratory study of attestation mechanisms for trusted execution environments (2022)
Nir, Y., Josefsson, S., Pégourié-Gonnard, M.: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier. RFC 8422, August 2018
Nottingham, M., Kamp, P.-H.: Structured Field Values for HTTP. RFC 8941, February 2021
Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018
Selander, G., Mattsson, J.P., Palombini, F., Seitz, L.: Object Security for Constrained RESTful Environments (OSCORE). RFC 8613, July 2019
Acknowledgments
We would like to acknowledge the support from the HTTPA workgroup members, including our partners and reviewers. We thank their valuable feedback and suggestions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
King, G., Wang, H. (2023). HTTPA/2: A Trusted End-to-End Protocol for Web Services. In: Arai, K. (eds) Advances in Information and Communication. FICC 2023. Lecture Notes in Networks and Systems, vol 652. Springer, Cham. https://doi.org/10.1007/978-3-031-28073-3_55
Download citation
DOI: https://doi.org/10.1007/978-3-031-28073-3_55
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-28072-6
Online ISBN: 978-3-031-28073-3
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)