Solving HTTP Problems With Code and Protocols
0 likes79 views
The document discusses HTTP and protocols related to transporting data over the internet. It describes the layered model including the physical, network, transport, and application layers. It then focuses on protocols like HTTP/1, SPDY, HTTP/2 and QUIC that operate at the application layer, with the goal of improving performance by reducing latency through techniques like header compression, multiplexing, and avoiding head-of-line blocking. It also discusses how QUIC aims to solve issues with TCP by operating over UDP while providing encryption, reliability and other features normally provided by TCP.
![@thisNatasha
Handshake Flow
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Key Exchange
Authentication Algorithm Strength Mode
Cipher MAC or PRF
TLS/HandshakeCheatSheet Key Exchange Method: creates the pre master secret.
Premaster secret is combined with PRF to create master
secret
RSA, DHE_RSA,
ECDHE_RSA,
ECDHE_ECDSA
Authentication Method: Uses public key crypto and
certificates public key together. Once certificate is
validated the client can used public key.
RSA or ECDSA
Certs: X.509, ASN.1
DER encoding.
Server
Hello,
Certificate
- Server selects cipher & compression
method
- Server send certificate
- Client authenticates
Key Exchange Pre-master secret exchanged between
client & server, client validates certificate
Master
Secret
Client & Server can compute Master Secret.
MAC Server verifies MAC, returns to client to
verify also.
Finished Handshake complete.
Client Hello Client sends TLS Version, Ciphersuites,
Compression methods
Ciphers, Standards and Terms
Encryption
3DES, AES, ARIA,
CAMELLIA, RC4, and
SEED
[1] Steam: adds MAC [2]
Block: adds IV and
padding after encryption
[3] Encryption (AEAD):
encryption and integrity
validation, using nonce,
no padding, no IV.
Master Secret
Pre-master secret:
combines params to
help client and server
create master secret.
Master Secret: both
server and client create
this from pre-master
secret to symmetrically
encrypt
Integrity Validation
PRF: Pseudorandom
Function. Takes a
secret, a seed, and a
unique label. TLS1.2
suites use PRF based
on HMAC and SHA256
MAC: used for integrity
validation in handshake
and record.](https://image.slidesharecdn.com/qcon-190728183538/85/Solving-HTTP-Problems-With-Code-and-Protocols-101-320.jpg)
![@thisNatasha
[1] Client Hello
Cli-ant Ser-ver
Server Hello [2]
Certificate [3]
Server Key Exchange [4]
Server Hello Done [5]
[6] Client Key Exchange
[7] (Change Cipher Spec)
[8] Finished
(Change Cipher Spec) [9]
Finished [10]
TLS Handshake](https://image.slidesharecdn.com/qcon-190728183538/85/Solving-HTTP-Problems-With-Code-and-Protocols-102-320.jpg)
![@thisNatasha
Cli-ant Ser-ver
TCP and TLS with Session Tickets
TCP Fast Open Handshake
[1] Client Hello
Server Hello [2]
(Change Cipher Spec) [3]
Finished [4]
[5] (Change Cipher Spec)
[6] Finished](https://image.slidesharecdn.com/qcon-190728183538/85/Solving-HTTP-Problems-With-Code-and-Protocols-103-320.jpg)
Solving HTTP Problems With Code and Protocols
- 1. @thisNatasha Solving HTTP Problems With Code and Protocols NATASHA ROONEY
- 2. @thisNatasha 7. Application Data HTTP / IMAP 6. Data Presentation, Encryption SSL / TLS 5. Session and connection management - 4. Transport of packets and streams TCP / UDP 3. Routing and delivery of datagrams on the Network IP / IPSec 2. Local Data Connection Ethernet 1. Physical data connection (cables) CAT5 HTTP TLS TCP IP Web
- 9. @thisNatasha Only one way! And as the crow flies...
- 13. @thisNatasha Mobile Network (not wifi) The Internet
- 15. @thisNatasha
- 16. @thisNatasha
- 17. @thisNatasha
- 18. @thisNatasha
- 19. @thisNatasha@thisNatasha Speed & Distance Capped by Speed of Light Amount of Data >100 objects per site 800k to 2.5mb data >50 resources on same domain
- 20. @thisNatasha RTs are Evil Mostly because of physics. Not much you can do about that.
- 25. @thisNatasha
- 26. @thisNatasha
- 30. @thisNatasha
- 35. @thisNatasha HTTP/1 TLS TCP IP HTTP/1 TLS TCP TCP Setup TLS Setup HTTP Request/Response
- 40. @thisNatasha@thisNatasha SPDY A Protocol by Google 2009 Header Compression Parallel Connections Multiplexing Priority Marking Server Push TLS (to work)
- 41. @thisNatasha@thisNatasha SPDY A Protocol by Google Header Compression
- 42. @thisNatasha
- 43. @thisNatasha
- 44. @thisNatasha
- 45. @thisNatasha
- 47. @thisNatasha “Idea was to maintain HTTP semantics but change how it is transported.” Daniel Stenberg https://daniel.haxx.se/blog/
- 51. @thisNatasha@thisNatasha HTTP2 A Protocol by IETF (SDPY base) Binary Header Compression Multiplexing Server Push TLS...
- 52. @thisNatasha@thisNatasha HTTP2 A Protocol by IETF (SDPY base)
- 53. @thisNatasha
- 54. @thisNatasha@thisNatasha Stats Gimme gimme 35% Requests 70% HTTPS Connections 13% Top 1,000,000 Sites 29% Top 1000 Sites “90% your site”
- 55. @thisNatasha 2% packet loss HTTP1 is better.
- 56. @thisNatasha Head of line blocking
- 61. @thisNatasha TCP issue (Can happen on any protocol with in-order delivery)
- 63. @thisNatasha “Idea was to maintain HTTP semantics but change how it is transported.” Daniel Stenberg https://daniel.haxx.se/blog/
- 65. @thisNatasha@thisNatasha TCP Suffers from Head of Line Blocking UDP Can work...with help. Transport Layer
- 66. @thisNatasha “We want QUIC to work on today’s internet” Jana Iyengar QUIC Editor, Google
- 68. @thisNatasha Why TCP or UDP only?
- 72. @thisNatasha@thisNatasha QUIC A Protocol by Google Goo
- 73. @thisNatasha HTTP/2 TLS 1.2+ TCP IP HTTP over QUIC QUIC UDP TLS 1.3
- 74. @thisNatasha “A "stream" is an independent, bidirectional sequence of frames exchanged between the client and server within an HTTP/2 connection… A single HTTP/2 connection can contain multiple concurrently open streams…” Hypertext Transfer Protocol Version 2 (HTTP/2), RFC7540
- 75. @thisNatasha Image source: High Performance Browser Networking https://hpbn.co/http2/
- 76. @thisNatasha IP HTTP over QUIC QUIC UDP TLS 1.3 HTTP over QUIC QUIC UDP TLS 1.3
- 77. @thisNatasha IP HTTP over QUIC QUIC UDP TLS 1.3 HTTP over QUIC QUIC UDP TLS 1.3
- 78. @thisNatasha IP HTTP over QUIC QUIC UDP TLS 1.3 HTTP over QUIC QUIC UDP TLS 1.3
- 79. @thisNatasha IP HTTP over QUIC QUIC UDP TLS 1.3 HTTP over QUIC QUIC UDP TLS 1.3 Head of Line Blocking!
- 80. @thisNatasha RTs are Evil Mostly because of physics. Not much you can do about that.
- 81. @thisNatasha IP HTTP over QUIC QUIC UDP TLS 1.3 HTTP over QUIC QUIC UDP TLS 1.3 0RTT: Setup + Data 2RTT: If QUIC version negotiation needed 1RTT: New Crypto Keys
- 83. @thisNatasha
- 84. @thisNatasha
- 85. @thisNatasha 7% Internet Traffic 35% Google Egress Traffic
- 86. @thisNatasha How does this affect me?
- 87. @thisNatasha Abstraction Is a computer scientist’s friend / fiend
- 89. @thisNatasha 7. Application Data HTTP / IMAP 6. Data Presentation, Encryption SSL / TLS 5. Session and connection management - 4. Transport of packets and streams TCP / UDP 3. Routing and delivery of datagrams on the Network IP / IPSec 2. Local Data Connection Ethernet 1. Physical data connection (cables) CAT5 HTTP TLS TCP IP Web
- 90. @thisNatasha@thisNatasha Some things If you have to do something... Manage your resources logically Detect on upgrade header and adapt Measure Remember Physics!
- 91. @thisNatasha@thisNatasha Recap We made it! RTTs, Physics, Data SPDY, HTTP2, QUIC Header compression Multiplexing & Streams Head of Line Blocking Make protocols for today’s internet
- 92. @thisNatasha 3
- 93. @thisNatasha
- 94. @thisNatasha
- 95. @thisNatasha
- 96. @thisNatasha Thank-you People: Martin Thomson, Mark Nottingham, Jana Iyengar, Mike Bishop, Eric Rescola, Ian Swett
- 97. @thisNatasha
- 98. @thisNatasha
- 99. @thisNatasha
- 100. @thisNatasha 7. Application Data HTTP / IMAP 6. Data Presentation, Encryption SSL / TLS 5. Session and connection management - 4. Transport of packets and streams TCP / UDP 3. Routing and delivery of datagrams on the Network IP / IPSec 2. Local Data Connection Ethernet 1. Physical data connection (cables) CAT5 OSI Model
- 101. @thisNatasha Handshake Flow TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Key Exchange Authentication Algorithm Strength Mode Cipher MAC or PRF TLS/HandshakeCheatSheet Key Exchange Method: creates the pre master secret. Premaster secret is combined with PRF to create master secret RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA Authentication Method: Uses public key crypto and certificates public key together. Once certificate is validated the client can used public key. RSA or ECDSA Certs: X.509, ASN.1 DER encoding. Server Hello, Certificate - Server selects cipher & compression method - Server send certificate - Client authenticates Key Exchange Pre-master secret exchanged between client & server, client validates certificate Master Secret Client & Server can compute Master Secret. MAC Server verifies MAC, returns to client to verify also. Finished Handshake complete. Client Hello Client sends TLS Version, Ciphersuites, Compression methods Ciphers, Standards and Terms Encryption 3DES, AES, ARIA, CAMELLIA, RC4, and SEED [1] Steam: adds MAC [2] Block: adds IV and padding after encryption [3] Encryption (AEAD): encryption and integrity validation, using nonce, no padding, no IV. Master Secret Pre-master secret: combines params to help client and server create master secret. Master Secret: both server and client create this from pre-master secret to symmetrically encrypt Integrity Validation PRF: Pseudorandom Function. Takes a secret, a seed, and a unique label. TLS1.2 suites use PRF based on HMAC and SHA256 MAC: used for integrity validation in handshake and record.
- 102. @thisNatasha [1] Client Hello Cli-ant Ser-ver Server Hello [2] Certificate [3] Server Key Exchange [4] Server Hello Done [5] [6] Client Key Exchange [7] (Change Cipher Spec) [8] Finished (Change Cipher Spec) [9] Finished [10] TLS Handshake
- 103. @thisNatasha Cli-ant Ser-ver TCP and TLS with Session Tickets TCP Fast Open Handshake [1] Client Hello Server Hello [2] (Change Cipher Spec) [3] Finished [4] [5] (Change Cipher Spec) [6] Finished
- 104. @thisNatasha