Encrypted Tunnel Security Pattern
Two entities communicate over a channel on which every exchange is encrypted (and, in the common implementations, on which the endpoints are also authenticated). The channel infrastructure handles the cryptography transparently, so the application never touches keys or ciphertext. Common implementations: TLS and SSH.
Problem Addressed
Leaking an action request or data in transit: any data sent over an unprotected channel can be read (and, without integrity protection, altered) by anyone on the network path. The remedy is to encrypt everything at the channel level instead of deciding per message what to protect.
Core Components
| Role | Type | Responsibility |
|---|---|---|
| Sender | Entity | Initiates communication |
| Receiver | Entity | Receives communication |
| EndpointS | Entity | Manages sending end of tunnel |
| EndpointR | Entity | Manages receiving end of tunnel |
| CryptographerS | Cryptographic Primitive | Encrypts for Sender |
| CryptographerR | Cryptographic Primitive | Decrypts for Receiver |
| EndpointManagerS | Entity | Configures sender endpoint |
| EndpointManagerR | Entity | Configures receiver endpoint |
Data Elements
- •action/data: Plaintext communication as seen by Sender and Receiver
- •{x}_k: The communication x encrypted under the session key k (what crosses the channel)
- •config: Cipher configuration, certificates and private keys given to each endpoint
Pattern Flow
Setup Phase
```text
EndpointManagerS → [initialise(config)] → EndpointS
EndpointManagerR → [initialise(config)] → EndpointR
```
Communication Phase
```text
Sender → [action/data] → EndpointS
EndpointS ↔ EndpointR: [authenticate peer, negotiate cipher/key k] (once per session)
EndpointS → [encrypt] → CryptographerS → [{x}_k] → EndpointS
EndpointS → [{x}_k] → EndpointR (over channel)
EndpointR → [decrypt] → CryptographerR → [action/data] → EndpointR
EndpointR → [action/data] → Receiver
```
Key Characteristics
Transparent Encryption
- •Sender/Receiver don't manage encryption directly
- •Endpoints handle cryptographic operations
- •Application sees plaintext
All-or-Nothing
- •Everything through the tunnel is encrypted
- •No selective encryption at this level
- •Simpler mental model
Infrastructure Managed
- •TLS libraries handle complexity
- •Standardized protocols
- •Well-tested implementations
TLS Implementation (Most Common)
Configuration Options
- •Protocol version: TLS 1.2 minimum, TLS 1.3 preferred; everything older refused
- •Cipher suites: Modern authenticated-encryption (AEAD) suites with ephemeral key exchange only
- •Certificate validation: Enable it and configure it fully (chain, expiry, hostname); the library defaults are not always sufficient
Mozilla SSL Configuration Generator
Use for safe defaults: https://ssl-config.mozilla.org/
TLS 1.3 Benefits
- •Simplified handshake: one round trip instead of two (the optional 0-RTT mode is replayable and should be left off unless the application tolerates replay)
- •Only AEAD cipher suites remain; no CBC-mode or legacy ciphers
- •Forward secrecy always: static RSA key exchange was removed, so every session key comes from ephemeral (EC)DHE
- •Removed vulnerable options: renegotiation, compression, custom DHE groups and other legacy negotiation features
Security Considerations
Never Implement Custom Protocols
- •Use TLS/SSH, not custom encryption
- •Use established libraries (OpenSSL, BoringSSL, etc.)
- •Never implement your own handshake
Certificate Validation
Critical: Always validate certificates
- •Verify the certificate chain up to a trusted root
- •Check that the certificate is within its validity period
- •Verify that the hostname matches the certificate (SAN); a valid certificate for the wrong name is still an attacker's certificate
- •Check revocation status (OCSP stapling preferred; OCSP or CRL lookups otherwise)
Disabling certificate validation defeats TLS security.
Cipher Suite Selection
- •Disable weak and broken ciphers (RC4, DES, 3DES, export-grade and NULL/anonymous suites)
- •Use authenticated encryption only (AES-GCM or ChaCha20-Poly1305)
- •Require forward secrecy (ECDHE, or DHE with 2048-bit or larger groups); no static RSA key exchange
- •Disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1
Private Key Protection
- •Protect server private key
- •Restrict file permissions
- •Consider HSM for high-security applications
- •Rotate keys periodically
Certificate Management
- •Use certificates from a CA your clients actually trust (a public CA for internet-facing services, a private PKI for internal ones)
- •Automate issuance and renewal (e.g. ACME with Let's Encrypt)
- •Monitor expiration and alert well before it
- •Implement certificate pinning for mobile apps carefully: pin to a CA or intermediate key rather than a leaf, keep a backup pin, and plan rotation, or a mismatch will lock users out
HSTS (HTTP Strict Transport Security)
For web applications, send the Strict-Transport-Security response header so that browsers:
- •Connect only over HTTPS, upgrading http:// links automatically
- •Refuse to proceed past certificate errors, which blocks downgrade and stripping attacks
- •Apply the policy to subdomains as well (includeSubDomains directive)
- •Optionally enforce it before the first visit via the browser preload list (preload directive)
Comparison with Selective Encryption
| Aspect | Encrypted Tunnel | Selective Encryption |
|---|---|---|
| Scope | All communication | Specific data |
| Control | Infrastructure | Application |
| Complexity | Lower for application | Higher for application |
| Flexibility | Less | More |
Recommendation: Use an encrypted tunnel (TLS) as the baseline for all traffic. Add selective, application-level encryption for data that needs protection beyond the tunnel, for example data that must stay confidential across TLS-terminating proxies or load balancers, or that must be encrypted at rest as well as in transit.
Implementation Checklist
- • TLS 1.2+ (prefer 1.3)
- • Strong cipher suites only
- • Certificate validation enabled
- • Hostname verification enabled
- • Certificate from trusted CA
- • Private key protected
- • HSTS enabled (web apps)
- • Automatic certificate renewal
- • No custom protocol implementation
- • Forward secrecy enabled
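A client-side configuration that implements the checklist above (and the Configuration Options, Certificate Validation and Cipher Suite Selection guidance), as an added example using Python's standard `ssl` module; it is not code from the source page or the referenced pattern catalogue. The cipher string, the audit rules, the deliberately weak context and the `open_tunnel` helper (which performs a real network connection and is therefore not part of the example's self-check) are this example's own choices.

```python
"""Hardened TLS client context plus an audit against the checklist.

Added example (not from the source page). Standard library only.
"""
import socket
import ssl

# Cipher string for the TLS 1.2 suites: ECDHE key exchange (forward secrecy)
# with AEAD bulk ciphers only. TLS 1.3 suites are chosen separately by
# OpenSSL and are all AEAD with ephemeral key exchange already.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES"

# Substrings that identify suites the page says to disable (assumed list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def build_hardened_client_context() -> ssl.SSLContext:
    """Checklist: TLS 1.2+, strong suites, chain + hostname validation."""
    # create_default_context() loads the system CA store and already sets
    # CERT_REQUIRED and check_hostname=True; the settings below make the
    # intent explicit so a later edit cannot silently lose them.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0, 1.1
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def build_misconfigured_client_context() -> ssl.SSLContext:
    """The 'certificate validation disabled' misconfiguration.

    The tunnel still encrypts, but any on-path attacker's certificate is
    accepted, so the attacker can terminate TLS and read everything.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the checklist items a context violates (empty list = passes)."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate validation disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version too low: {ctx.minimum_version.name}")
    for suite in ctx.get_ciphers():          # dicts describing enabled suites
        name = suite["name"]
        if any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
        if not suite["aead"]:
            findings.append(f"non-AEAD cipher suite enabled: {name}")
        if suite["kea"] == "kx-rsa":         # static RSA: no forward secrecy
            findings.append(f"cipher suite without forward secrecy: {name}")
    return findings


def open_tunnel(host: str, port: int, ctx: ssl.SSLContext) -> tuple[str, str]:
    """Communication phase from the client side: open the tunnel and report
    the negotiated protocol version and cipher. server_hostname is what the
    hostname check compares the certificate against; never omit it.
    Performs a real connection (not exercised by the self-check)."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for label, builder in (("hardened", build_hardened_client_context),
                           ("misconfigured", build_misconfigured_client_context)):
        problems = audit_context(builder())
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run the audit against every `SSLContext` an application constructs (a unit test that builds each context and asserts `audit_context(ctx) == []` catches the `verify_mode = CERT_NONE` workaround before it reaches production). Note that `check_hostname` must be set to `False` before `verify_mode = CERT_NONE`; the library enforces that ordering, which is one reason the weak pattern is usually copied verbatim from a snippet rather than reasoned about.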
Common Misconfigurations
| Misconfiguration | Risk |
|---|---|
| Certificate validation disabled | MITM: any on-path attacker can present its own certificate and read or modify all traffic |
| Old TLS versions enabled | Protocol downgrade to versions with known attacks (POODLE, BEAST, weak key exchange) |
| Weak cipher suites | Cryptographic attacks on the session (RC4 biases, 3DES Sweet32, padding oracles on CBC) |
| Expired certificates | Connection failures, user warnings, and users trained to click through warnings |
| Self-signed certs in production | Clients cannot validate the chain, so validation gets disabled to make things work, reintroducing MITM |
Related Patterns
- •Selective encrypted transmission (alternative: selective encryption)
- •Encryption (underlying operations)
- •Cryptographic key management (certificate/key handling)
References
- •Source: https://securitypatterns.distrinet-research.be/patterns/06_01_002__encrypted_tunnel/
- •Mozilla SSL Configuration Generator
- •OWASP TLS Cheat Sheet