Cloud router security

Introduction

Robust Security Despite Exposure to Threats: Designed for internet accessibility, the cloud router operates under the assumption that it could be compromised. This perspective has shaped its security architecture to ensure that users remain protected, even if control over the router is lost. By employing layered security measures and encryption, the cloud router is built to safeguard communication and data integrity, maintaining a secure environment despite its inherent vulnerabilities.

TLS/SSL Security

TLS/SSL in Cloud Routers: Cloud routers use TLS (Transport Layer Security) and SSL (Secure Sockets Layer) for secure data transmission. These protocols encrypt and ensure the integrity of data exchanges between applications.

Certificate-Based Authentication and Access Control: Nodes authenticate with the cloud router using TLS, with certificates issued by the domain controller of each domain. These certificates grant access to domain-specific data and routing information. Without the appropriate certificate, a node is unable to access or route any information related to that domain, allowing the domain controller to control the security and integrity of its network.

Message Encryption

Diffie-Hellman Key Exchange for Ephemeral Key Generation: Nodes establish ephemeral keys using a Diffie-Hellman key exchange to secure their communications, creating temporary encryption keys without a pre-shared secret.

Role of Ephemeral Keys in Traffic Encryption and Security: These keys encrypt traffic between nodes. The cloud router, handling routing, accesses only necessary metadata like target address and TTL. The content, encrypted by these keys, remains confidential, ensuring security even if a router is compromised.

Message Filtering and Inspection

Service Information

Service Lists and Their Composition: The cloud router maintains lists of services provided by each domain, including encrypted and unencrypted parts. Access to the encrypted sections requires keys from the respective domain controller.

Access Control Based on TLS Authentication: Upon receiving a service information request, the cloud router checks the TLS connection and provides service lists corresponding to the certificates used.

Route Information

Access Control for Routing Information: The cloud router shares routing information based on the TLS certificates in the connection, allowing domain controllers to regulate access to their routing data.

Routing

Certificate-Based Routing Verification: When routing a message, the cloud router compares the incoming and outgoing sockets’ certificates. Messages are routed only if these sockets have a matching domain certificate, ensuring that communication to and from the domain network is authorized and secure.

Authentication and Authorization

Certificate-Based Authentication: All authentication in the cloud router environment is based on the validation of certificates. The cloud router uses these certificates to authenticate nodes, ensuring that all connections and data transmissions are with entities that are recognized and authorized based on their certificate validity.

Authorization Based on Certificates: Authorization within the cloud router is directly tied to the certificates issued for specific domains. The behavior and access a node is authorized for in a given domain are determined by the certificates it possesses.

Domain Controllers and Certificate Signing: Domain controllers receive certificates signed by dbWatch, validating their authority over a given domain. This central validation by dbWatch is crucial, as it establishes the trust needed for the cloud router and other nodes in the network to honor the certificates issued by the domain controllers.

← Cloud router / File Structure →