Encrypted Tunnel Security Pattern

Entities set up a communication channel where ALL exchanges are encrypted. The channel infrastructure handles encryption transparently. Common implementations: TLS and SSH.

Problem Addressed

Leak action request or data in transit: Any data transmitted over the channel could be observed. Encrypt everything at the channel level.

Core Components

Data Elements

• action/data: Plaintext communication
• {x}_k: Encrypted communication
• config: Cipher configuration, certificates, keys

Pattern Flow

Setup Phase

EndpointManagerS → [initialise(config)] → EndpointS
EndpointManagerR → [initialise(config)] → EndpointR

Communication Phase

Sender → [action/data] → EndpointS
EndpointS ↔ EndpointR: [negotiate cipher/key] (if needed)
EndpointS → [encrypt] → CryptographerS → [{x}_k] → EndpointS
EndpointS → [{x}_k] → EndpointR (over channel)
EndpointR → [decrypt] → CryptographerR → [data] → EndpointR
EndpointR → [action/data] → Receiver

Key Characteristics

Transparent Encryption

• Sender/Receiver don't manage encryption directly
• Endpoints handle cryptographic operations
• Application sees plaintext

All-or-Nothing

• Everything through the tunnel is encrypted
• No selective encryption at this level
• Simpler mental model

Infrastructure Managed

• TLS libraries handle complexity
• Standardized protocols
• Well-tested implementations

TLS Implementation (Most Common)

Configuration Options

• Protocol version: TLS 1.2 minimum, TLS 1.3 preferred
• Cipher suites: Modern, authenticated encryption
• Certificate validation: Enable and configure properly

Mozilla SSL Configuration Generator

Use for safe defaults: https://ssl-config.mozilla.org/

TLS 1.3 Benefits

• Simplified handshake
• Stronger cipher suites only
• Forward secrecy required
• Removed vulnerable options

Security Considerations

Never Implement Custom Protocols

• Use TLS/SSH, not custom encryption
• Use established libraries (OpenSSL, BoringSSL, etc.)
• Never implement your own handshake

Certificate Validation

Critical: Always validate certificates

• Verify certificate chain
• Check certificate not expired
• Verify hostname matches
• Check revocation status (OCSP, CRL)

Disabling certificate validation defeats TLS security.

Cipher Suite Selection

• Disable weak ciphers (RC4, DES, export ciphers)
• Prefer authenticated encryption (GCM modes)
• Prefer forward secrecy (ECDHE, DHE)
• Disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1

Private Key Protection

• Protect server private key
• Restrict file permissions
• Consider HSM for high-security applications
• Rotate keys periodically

Certificate Management

• Use certificates from trusted CAs
• Automate renewal (Let's Encrypt)
• Monitor expiration
• Implement certificate pinning for mobile apps (carefully)

HSTS (HTTP Strict Transport Security)

For web applications:

• Force HTTPS connections
• Prevent downgrade attacks
• Include subdomains
• Consider preloading

Comparison with Selective Encryption

Recommendation: Use encrypted tunnel (TLS) as baseline. Add selective encryption for data that needs additional protection (e.g., encrypted at rest AND in transit).

Implementation Checklist

• TLS 1.2+ (prefer 1.3)
• Strong cipher suites only
• Certificate validation enabled
• Hostname verification enabled
• Certificate from trusted CA
• Private key protected
• HSTS enabled (web apps)
• Automatic certificate renewal
• No custom protocol implementation
• Forward secrecy enabled

Common Misconfigurations

Related Patterns

• Selective encrypted transmission (alternative: selective encryption)
• Encryption (underlying operations)
• Cryptographic key management (certificate/key handling)

References

• Source: https://securitypatterns.distrinet-research.be/patterns/06_01_002__encrypted_tunnel/
• Mozilla SSL Configuration Generator
• OWASP TLS Cheat Sheet