encrypted-tunnel-pattern
Encrypted Tunnel Security Pattern
Entities set up a communication channel where ALL exchanges are encrypted. The channel infrastructure handles encryption transparently. Common implementations: TLS and SSH.
Problem Addressed
Leak action request or data in transit: Any data transmitted over the channel could be observed. Encrypt everything at the channel level.
Core Components
| Role | Type | Responsibility |
|---|---|---|
| Sender | Entity | Initiates communication |
| Receiver | Entity | Receives communication |
| EndpointS | Entity | Manages sending end of tunnel |
| EndpointR | Entity | Manages receiving end of tunnel |
| CryptographerS | Cryptographic Primitive | Encrypts for Sender |
| CryptographerR | Cryptographic Primitive | Decrypts for Receiver |
| EndpointManagerS | Entity | Configures sender endpoint |
| EndpointManagerR | Entity | Configures receiver endpoint |
Data Elements
- action/data: Plaintext communication
- {x}_k: Encrypted communication
- config: Cipher configuration, certificates, keys
Pattern Flow
Setup Phase
EndpointManagerS → [initialise(config)] → EndpointS
EndpointManagerR → [initialise(config)] → EndpointR
Communication Phase
Sender → [action/data] → EndpointS
EndpointS ↔ EndpointR: [negotiate cipher/key] (if needed)
EndpointS → [encrypt] → CryptographerS → [{x}_k] → EndpointS
EndpointS → [{x}_k] → EndpointR (over channel)
EndpointR → [decrypt] → CryptographerR → [data] → EndpointR
EndpointR → [action/data] → Receiver
Key Characteristics
Transparent Encryption
- Sender/Receiver don't manage encryption directly
- Endpoints handle cryptographic operations
- Application sees plaintext
All-or-Nothing
- Everything through the tunnel is encrypted
- No selective encryption at this level
- Simpler mental model
Infrastructure Managed
- TLS libraries handle complexity
- Standardized protocols
- Well-tested implementations
TLS Implementation (Most Common)
Configuration Options
- Protocol version: TLS 1.2 minimum, TLS 1.3 preferred
- Cipher suites: Modern, authenticated encryption
- Certificate validation: Enable and configure properly
Mozilla SSL Configuration Generator
Use for safe defaults: https://ssl-config.mozilla.org/
TLS 1.3 Benefits
- Simplified handshake
- Stronger cipher suites only
- Forward secrecy required
- Removed vulnerable options
Security Considerations
Never Implement Custom Protocols
- Use TLS/SSH, not custom encryption
- Use established libraries (OpenSSL, BoringSSL, etc.)
- Never implement your own handshake
Certificate Validation
Critical: Always validate certificates
- Verify certificate chain
- Check certificate not expired
- Verify hostname matches
- Check revocation status (OCSP, CRL)
Disabling certificate validation defeats TLS security.
Cipher Suite Selection
- Disable weak ciphers (RC4, DES, export ciphers)
- Prefer authenticated encryption (GCM modes)
- Prefer forward secrecy (ECDHE, DHE)
- Disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
Private Key Protection
- Protect server private key
- Restrict file permissions
- Consider HSM for high-security applications
- Rotate keys periodically
Certificate Management
- Use certificates from trusted CAs
- Automate renewal (Let's Encrypt)
- Monitor expiration
- Implement certificate pinning for mobile apps (carefully)
HSTS (HTTP Strict Transport Security)
For web applications:
- Force HTTPS connections
- Prevent downgrade attacks
- Include subdomains
- Consider preloading
Comparison with Selective Encryption
| Aspect | Encrypted Tunnel | Selective Encryption |
|---|---|---|
| Scope | All communication | Specific data |
| Control | Infrastructure | Application |
| Complexity | Lower for application | Higher for application |
| Flexibility | Less | More |
Recommendation: Use encrypted tunnel (TLS) as baseline. Add selective encryption for data that needs additional protection (e.g., encrypted at rest AND in transit).
Implementation Checklist
- TLS 1.2+ (prefer 1.3)
- Strong cipher suites only
- Certificate validation enabled
- Hostname verification enabled
- Certificate from trusted CA
- Private key protected
- HSTS enabled (web apps)
- Automatic certificate renewal
- No custom protocol implementation
- Forward secrecy enabled
Common Misconfigurations
| Misconfiguration | Risk |
|---|---|
| Certificate validation disabled | MITM attacks |
| Old TLS versions enabled | Protocol downgrade |
| Weak cipher suites | Cryptographic attacks |
| Expired certificates | Connection failures, user warnings |
| Self-signed certs in production | Trust issues |
Related Patterns
- Selective encrypted transmission (alternative: selective encryption)
- Encryption (underlying operations)
- Cryptographic key management (certificate/key handling)
References
- Source: https://securitypatterns.distrinet-research.be/patterns/06_01_002__encrypted_tunnel/
- Mozilla SSL Configuration Generator
- OWASP TLS Cheat Sheet
More from igbuend/grimbard
tikz
LaTeX TikZ/PGF package for programmatic vector graphics and diagrams. Use when helping users draw flowcharts, trees, graphs, automata, circuits, geometric figures, or any custom diagram in LaTeX.
91latex
Comprehensive LaTeX reference for document creation, formatting, mathematics, tables, figures, bibliographies, and compilation. Use when helping users write, edit, debug, or compile LaTeX documents.
37pgfplots
LaTeX pgfplots package for data visualization and plotting. Use when helping users create line plots, bar charts, scatter plots, histograms, 3D surfaces, or any scientific/data plot in LaTeX.
31biblatex
LaTeX biblatex/biber packages for modern bibliography management. Use when helping users cite references, manage .bib files, choose citation styles, or troubleshoot bibliography compilation.
24amsmath
LaTeX amsmath/amssymb/mathtools packages for mathematical typesetting. Use when helping users write equations, align math, use mathematical symbols, matrices, theorems, or any advanced math formatting.
10missing-security-headers-anti-pattern
Security anti-pattern for missing security headers (CWE-16). Use when generating or reviewing web application code, server configuration, or HTTP response handling. Detects missing CSP, HSTS, X-Frame-Options, and other protective headers.
10