Practical Defense-in-depth Solution for Microservice Systems

Microservices are a widely deployed pattern for implementing large-scale distributed systems. To harden the overall system, and in particular when calls cross datacenter boundaries, the authenticity and confidentiality of microservice calls have to be secured even for internal calls. In practice, however, internal calls are often left unprotected, mainly because of the added operational complexity on the backend side: standard mechanisms such as TLS require a secret (a private key and certificate) for each participating microservice, which must be provisioned, distributed and rotated. Building on previous work [19], in this paper we present a novel role-based communication architecture that, on the one hand, guarantees a high level of security and, on the other hand, remains easy to manage. The approach provides encryption, forward secrecy and protection against replay attacks, even for out-of-order communication.
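The last claim, replay protection that still tolerates out-of-order delivery, is the one a practitioner will most want to see mechanised. The following is an added illustration and not the paper's architecture or code: it assumes a keyed BLAKE2b tag as the per-message MAC (BLAKE2 is cited in [2], but pairing it with this framing is my assumption) and an IPsec-style sliding bitmap window on the receiver. Encryption and forward secrecy are out of scope here; the point is that the sequence number is authenticated before it is allowed to touch the replay state, and that late-but-fresh messages are accepted while duplicates and messages older than the window are rejected. All frames below are constructed inline.

```python
"""Replay protection that tolerates out-of-order delivery.

Added illustration (not the paper's code): each frame carries a 64-bit
sequence number, the payload and a keyed-BLAKE2b tag over (seq || payload).
The receiver keeps an IPsec-style sliding bitmap so that a message that
arrives late but was never seen is accepted, while a duplicate or a
message older than the window is rejected.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16   # bytes of BLAKE2b output used as the MAC
SEQ_LEN = 8    # 64-bit big-endian sequence number
WINDOW = 64    # how far behind the newest accepted message we still accept


def _tag(key: bytes, seq_bytes: bytes, payload: bytes) -> bytes:
    # The sequence number MUST be covered by the tag; otherwise an attacker
    # could re-number a captured frame and slip it past the window.
    return hashlib.blake2b(seq_bytes + payload, key=key, digest_size=TAG_LEN).digest()


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = seq || payload || tag."""
    seq_bytes = struct.pack(">Q", seq)
    return seq_bytes + payload + _tag(key, seq_bytes, payload)


class ReplayWindow:
    """Sliding bitmap: bit i set means sequence (highest - i) has been seen."""

    def __init__(self, size: int = WINDOW):
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = -1   # newest sequence number accepted so far
        self.bitmap = 0

    def is_fresh(self, seq: int) -> bool:
        if seq > self.highest:
            return True                       # newer than anything seen
        diff = self.highest - seq
        if diff >= self.size:
            return False                      # too old to track: reject
        return not (self.bitmap >> diff) & 1  # seen before? then replay

    def mark(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            # A jump past the whole window leaves only the new message marked.
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


class Receiver:
    def __init__(self, key: bytes, window: int = WINDOW):
        self.key = key
        self.window = ReplayWindow(window)

    def open(self, frame: bytes):
        """Return (status, payload); status is 'ok', 'bad_mac' or 'replay'."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "bad_mac", None
        seq_bytes = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        # Authenticate first: an unauthenticated seq must never update the window,
        # or an attacker could advance it and cause genuine messages to be dropped.
        if not hmac.compare_digest(tag, _tag(self.key, seq_bytes, payload)):
            return "bad_mac", None
        seq = struct.unpack(">Q", seq_bytes)[0]
        if not self.window.is_fresh(seq):
            return "replay", None
        self.window.mark(seq)
        return "ok", payload


if __name__ == "__main__":
    key = b"\x01" * 32                                 # constructed shared key
    frames = [seal(key, i, b"call-" + str(i).encode()) for i in range(5)]
    rx = Receiver(key)
    for f in (frames[2], frames[0], frames[2], frames[4], frames[1]):
        print(rx.open(f))
```

Two design points worth noting: the window is keyed per sender (one `Receiver` per peer, or per role in the paper's terms), and the window size bounds how much reordering the transport may introduce before fresh messages start being discarded as "too old", so it should be sized from measured reordering rather than left at a default.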

[1] Michael Hamburg et al. Ed448-Goldilocks, a new elliptic curve, 2015, IACR Cryptol. ePrint Arch.

[2] Samuel Neves et al. BLAKE2: Simpler, Smaller, Fast as MD5, 2013, ACNS.

[3] Kai Jander et al. Defense-in-depth and Role Authentication for Microservice Systems, 2018, ANT/SEIT.

[4] Eric Rescorla et al. The Transport Layer Security (TLS) Protocol Version 1.2, 2008, RFC.

[5] Bogdan M. Wilamowski et al. The Transmission Control Protocol, 2005, The Industrial Information Technology Handbook.

[6] Ken Klingenstein et al. Federated Security: The Shibboleth Approach, 2004.

[7] Erdem Alkim et al. Post-quantum Key Exchange - A New Hope, 2016, USENIX Security Symposium.

[8] Dick Hardt et al. The OAuth 2.0 Authorization Framework, 2012, RFC.

[9] Mark Brown et al. Transport Layer Security (TLS) Authorization Extensions, 2010, RFC.

[10] Feng Hao et al. Password Authenticated Key Exchange by Juggling, 2008, Security Protocols Workshop.

[11] Kai Jander et al. JadexCloud - An Infrastructure for Enterprise Cloud Applications, 2011, MATES.

[12] Roy Fielding et al. Architectural Styles and the Design of Network-based Software Architectures, Doctoral dissertation, 2000.

[13] Eric Rescorla et al. HTTP Over TLS, 2000, RFC.

[14] Daniel J. Bernstein et al. The Poly1305-AES Message-Authentication Code, 2005, FSE.

[15] Donald A. Norman et al. The Way I See It: When security gets in the way, 2009, INTR.

[16] Dan Harkins. Secure Password Ciphersuites for Transport Layer Security (TLS), 2019, RFC.

[17] Michael B. Jones et al. JSON Web Token (JWT), 2015, RFC.

[18] Lars Braubach et al. Developing Distributed Systems with Active Components and Jadex, 2012, Scalable Comput. Pract. Exp.

[19] Alexey Melnikov et al. The WebSocket Protocol, 2011, RFC.