igbuend/encrypted-tunnel-pattern

Encrypted Tunnel Security Pattern

Entities set up a communication channel where ALL exchanges are encrypted. The channel infrastructure handles encryption transparently. Common implementations: TLS and SSH.

Problem Addressed

Leak action request or data in transit: Any data transmitted over the channel could be observed. Encrypt everything at the channel level.

Core Components

| Role | Type | Responsibility | |------|------|----------------| | Sender | Entity | Initiates communication | | Receiver | Entity | Receives communication | | EndpointS | Entity | Manages sending end of tunnel | | EndpointR | Entity | Manages receiving end of tunnel | | CryptographerS | Cryptographic Primitive | Encrypts for Sender | | CryptographerR | Cryptographic Primitive | Decrypts for Receiver | | EndpointManagerS | Entity | Configures sender endpoint | | EndpointManagerR | Entity | Configures receiver endpoint |

Data Elements

• action/data: Plaintext communication
• {x}_k: Encrypted communication
• config: Cipher configuration, certificates, keys

Pattern Flow

Setup Phase

EndpointManagerS → [initialise(config)] → EndpointS
EndpointManagerR → [initialise(config)] → EndpointR

Communication Phase

Sender → [action/data] → EndpointS
EndpointS ↔ EndpointR: [negotiate cipher/key] (if needed)
EndpointS → [encrypt] → CryptographerS → [{x}_k] → EndpointS
EndpointS → [{x}_k] → EndpointR (over channel)
EndpointR → [decrypt] → CryptographerR → [data] → EndpointR
EndpointR → [action/data] → Receiver

Key Characteristics

Transparent Encryption

• Sender/Receiver don't manage encryption directly
• Endpoints handle cryptographic operations
• Application sees plaintext

All-or-Nothing

• Everything through the tunnel is encrypted
• No selective encryption at this level
• Simpler mental model

Infrastructure Managed

• TLS libraries handle complexity
• Standardized protocols
• Well-tested implementations

TLS Implementation (Most Common)

Configuration Options

• Protocol version: TLS 1.2 minimum, TLS 1.3 preferred
• Cipher suites: Modern, authenticated encryption
• Certificate validation: Enable and configure properly

Mozilla SSL Configuration Generator

Use for safe defaults: https://ssl-config.mozilla.org/

TLS 1.3 Benefits

• Simplified handshake
• Stronger cipher suites only
• Forward secrecy required
• Removed vulnerable options

Security Considerations

Never Implement Custom Protocols

• Use TLS/SSH, not custom encryption
• Use established libraries (OpenSSL, BoringSSL, etc.)
• Never implement your own handshake

Certificate Validation

Critical: Always validate certificates

• Verify certificate chain
• Check certificate not expired
• Verify hostname matches
• Check revocation status (OCSP, CRL)

Disabling certificate validation defeats TLS security.

Cipher Suite Selection

• Disable weak ciphers (RC4, DES, export ciphers)
• Prefer authenticated encryption (GCM modes)
• Prefer forward secrecy (ECDHE, DHE)
• Disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1

Private Key Protection

• Protect server private key
• Restrict file permissions
• Consider HSM for high-security applications
• Rotate keys periodically

Certificate Management

• Use certificates from trusted CAs
• Automate renewal (Let's Encrypt)
• Monitor expiration
• Implement certificate pinning for mobile apps (carefully)

HSTS (HTTP Strict Transport Security)

For web applications:

• Force HTTPS connections
• Prevent downgrade attacks
• Include subdomains
• Consider preloading

Comparison with Selective Encryption

| Aspect | Encrypted Tunnel | Selective Encryption | |--------|-----------------|---------------------| | Scope | All communication | Specific data | | Control | Infrastructure | Application | | Complexity | Lower for application | Higher for application | | Flexibility | Less | More |

Recommendation: Use encrypted tunnel (TLS) as baseline. Add selective encryption for data that needs additional protection (e.g., encrypted at rest AND in transit).

Implementation Checklist

• [ ] TLS 1.2+ (prefer 1.3)
• [ ] Strong cipher suites only
• [ ] Certificate validation enabled
• [ ] Hostname verification enabled
• [ ] Certificate from trusted CA
• [ ] Private key protected
• [ ] HSTS enabled (web apps)
• [ ] Automatic certificate renewal
• [ ] No custom protocol implementation
• [ ] Forward secrecy enabled

Common Misconfigurations

| Misconfiguration | Risk | |-----------------|------| | Certificate validation disabled | MITM attacks | | Old TLS versions enabled | Protocol downgrade | | Weak cipher suites | Cryptographic attacks | | Expired certificates | Connection failures, user warnings | | Self-signed certs in production | Trust issues |

Related Patterns

• Selective encrypted transmission (alternative: selective encryption)
• Encryption (underlying operations)
• Cryptographic key management (certificate/key handling)

References

• Source: https://securitypatterns.distrinet-research.be/patterns/06_01_002__encrypted_tunnel/
• Mozilla SSL Configuration Generator
• OWASP TLS Cheat Sheet