Protecting the private key is a crucial challenge for clients such as online financial services, brokers, banks and Fintech startups that handle sensitive data in their business. Legal or even technical obstacles sometimes prevent these clients from disclosing their private key to CDN providers.
Understanding these challenges, ArvanCloud has developed the OpenSesame solution in order to provide a TLS-based secure connection, guaranteeing the highest security and speed for these specific clients without needing to obtain their private key.
ArvanCloud’s OpenSesame splits the TLS handshake so that the major part of the process is performed on ArvanCloud’s edge servers, while the part that requires the private key is delegated to the origin server, where the private key is located.
As a result, by using OpenSesame, financial and banking customers can use all of ArvanCloud’s services, such as CDN, DDoS protection and TLS-based secure connections, without disclosing their private key to ArvanCloud’s edge servers.
By implementing changes in Nginx and OpenSSL and developing the OpenSesame feature, ArvanCloud has made it possible to perform the private key operation remotely, by connecting to the origin server, without needing to receive the private key from the client.
The prerequisite for establishing a secure connection with OpenSesame is a secure connection between ArvanCloud’s edge servers and the client’s origin server. The client’s origin server, which holds the private key, would otherwise answer any requesting party. It is therefore necessary to ensure that this capability is available to nobody but ArvanCloud’s edge servers.
Here’s how OpenSesame feature works:
The user is connected to the closest ArvanCloud edge server by means of ArvanCloud’s Anycast network and sends the pre-master secret, encrypted with the website’s public key, to the edge server.
ArvanCloud’s edge server forwards this message, together with its own certificate, to the client’s origin server. After receiving the message, the origin server authenticates ArvanCloud’s server, decrypts the message with its private key to recover the pre-master secret, and sends the pre-master secret back to ArvanCloud’s edge server through a secure tunnel.
The edge server now has the pre-master secret and derives the session key. As a result, a secure connection is formed between the edge server and the user.
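The split described in the three steps above can be modelled end to end in a few dozen lines. The following Go program is an added example, not ArvanCloud’s code: a `KeyServer` stands in for the client’s origin (it holds the RSA private key and only serves edges it has authenticated), an `Edge` stands in for the ArvanCloud edge server (it has no private key and forwards the encrypted pre-master secret over the tunnel), and an HMAC over the pre-master secret and the handshake randoms stands in for the TLS PRF. The edge identities, the allow-list check in place of a real certificate check, and the simplified key derivation are all assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyServer models the client's origin server: it holds the private key and
// answers "decrypt this pre-master secret" requests only for edge servers it
// has authenticated. The allow-list of edge IDs stands in for the certificate
// check on the authenticated tunnel (assumption: IDs are opaque strings).
type KeyServer struct {
	priv         *rsa.PrivateKey
	allowedEdges map[string]bool
}

func NewKeyServer(priv *rsa.PrivateKey, edgeIDs ...string) *KeyServer {
	ks := &KeyServer{priv: priv, allowedEdges: map[string]bool{}}
	for _, id := range edgeIDs {
		ks.allowedEdges[id] = true
	}
	return ks
}

// PublicKey is what the origin publishes in its certificate; the private half
// never leaves KeyServer.
func (ks *KeyServer) PublicKey() *rsa.PublicKey { return &ks.priv.PublicKey }

// DecryptPreMaster is the single private-key operation performed remotely for
// the edge. An unknown edge is refused before the key is touched.
func (ks *KeyServer) DecryptPreMaster(edgeID string, encrypted []byte) ([]byte, error) {
	if !ks.allowedEdges[edgeID] {
		return nil, errors.New("key server: edge not authenticated, refusing decryption")
	}
	return rsa.DecryptPKCS1v15(rand.Reader, ks.priv, encrypted)
}

// Edge models an edge server: a tunnel to the key server, no private key.
type Edge struct {
	id        string
	keyServer *KeyServer
}

// clientKeyExchange is the visitor's side of an RSA key exchange: choose a
// 48-byte pre-master secret and encrypt it to the origin's public key.
func clientKeyExchange(pub *rsa.PublicKey) (preMaster, encrypted []byte, err error) {
	preMaster = make([]byte, 48)
	if _, err = rand.Read(preMaster); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptPKCS1v15(rand.Reader, pub, preMaster)
	return preMaster, encrypted, err
}

// deriveSessionKey stands in for the TLS PRF: both ends feed the pre-master
// secret and the two handshake randoms into the same function.
func deriveSessionKey(preMaster, clientRandom, serverRandom []byte) []byte {
	mac := hmac.New(sha256.New, preMaster)
	mac.Write([]byte("session key"))
	mac.Write(clientRandom)
	mac.Write(serverRandom)
	return mac.Sum(nil)
}

// HandshakeWithVisitor is the edge's side: forward the encrypted pre-master
// secret to the origin, receive the plaintext back, derive the session key.
func (e *Edge) HandshakeWithVisitor(encryptedPreMaster, clientRandom, serverRandom []byte) ([]byte, error) {
	preMaster, err := e.keyServer.DecryptPreMaster(e.id, encryptedPreMaster)
	if err != nil {
		return nil, err
	}
	return deriveSessionKey(preMaster, clientRandom, serverRandom), nil
}

// SimulateHandshake runs one visitor handshake through a trusted edge and the
// same request through an unknown edge. It reports whether visitor and trusted
// edge derived the same session key and whether the unknown edge was refused.
func SimulateHandshake() (keysMatch bool, rogueRefused bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	ks := NewKeyServer(priv, "edge-fra-01") // constructed edge identity
	trusted := &Edge{id: "edge-fra-01", keyServer: ks}
	rogue := &Edge{id: "edge-unknown", keyServer: ks}

	clientRandom, serverRandom := make([]byte, 32), make([]byte, 32)
	rand.Read(clientRandom)
	rand.Read(serverRandom)

	preMaster, encrypted, err := clientKeyExchange(ks.PublicKey())
	if err != nil {
		return false, false, err
	}
	visitorKey := deriveSessionKey(preMaster, clientRandom, serverRandom)

	edgeKey, err := trusted.HandshakeWithVisitor(encrypted, clientRandom, serverRandom)
	if err != nil {
		return false, false, err
	}
	keysMatch = hmac.Equal(visitorKey, edgeKey)

	_, rogueErr := rogue.HandshakeWithVisitor(encrypted, clientRandom, serverRandom)
	rogueRefused = rogueErr != nil
	return keysMatch, rogueRefused, nil
}

func main() {
	match, refused, err := SimulateHandshake()
	fmt.Println("keys match:", match, "| rogue edge refused:", refused, "| error:", err)
}
```

The point to notice is where each secret lives: the visitor and the key server both see the pre-master secret, the edge receives it only after the origin has verified who is asking, and the private key itself is never serialized or sent anywhere. The refused request from the unknown edge is the check the passage above calls "authenticates ArvanCloud’s server".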
ArvanCloud aims to accelerate websites and users’ access to websites’ content in the shortest possible time. This also applies to websites using ArvanCloud’s OpenSesame.
In other words, the speed of accessing the content of a website that uses ArvanCloud’s OpenSesame should equal the loading speed of a website that does not use the feature. The geographical distribution of ArvanCloud’s servers across different data centers supports this requirement. As shown in the image below, when CDN services are not used, every request from any point in the world must travel to the website’s origin server, and the geographical distance between the users and that origin server critically affects the speed, or rather the delay, of access to the website’s content.
When CDN services are used, with the website’s content distributed across ArvanCloud’s edge servers in several data centers, the user’s request is answered from the nearest data center. As a result, the user’s request is served with the shortest possible delay.
The same applies when OpenSesame is used. This means website visitors connect to ArvanCloud’s edge servers instead of the origin servers, so users receive their response from the nearest data center. The only connection that adds delay is the one between ArvanCloud’s edge servers and the website’s origin server during the TLS handshake.
As portrayed in the image above, when ArvanCloud’s CDN is not used, the TLS connection between the visitor and the website’s origin server requires a roundtrip. When ArvanCloud’s OpenSesame is used, the connection between the website visitor and ArvanCloud’s edge server is established in the shortest possible time, and the TLS connection between ArvanCloud’s edge server and the origin server requires only one trip. As a result, the visitor gains access to the website’s content in the shortest possible time.
The reason behind this single roundtrip is the persistent connection established between ArvanCloud’s edge server and the website’s origin server. The edge server keeps this connection after its first connection to the origin server, and the handshakes of later website visitors are carried and answered over the same connection.