Remote Private Key Offloading

ArvanCloud’s “OpenSesame” is a solution for Remote Private Key offloading.

Protecting the private key is a crucial challenge for clients such as online financial services, brokers, banks, and fintech startups that handle sensitive data. Legal or technical constraints sometimes prevent these clients from disclosing their private keys to a CDN provider.
With these constraints in mind, ArvanCloud developed OpenSesame, which lets such clients terminate TLS on ArvanCloud's edge, with the security and speed of the regular service, without the private key ever being handed to ArvanCloud.

[Figure: edge server and key server]

Why OpenSesame?

ArvanCloud's OpenSesame splits the TLS handshake: the bulk of it runs on ArvanCloud's edge servers, and only the one step that needs the private key is handed to the customer's origin (key) server, where the private key lives.
As a result, financial and banking customers can use all ArvanCloud services, including CDN, DDoS protection, and TLS-secured connections, without disclosing their private key to ArvanCloud's edge servers.

How does OpenSesame Work?

By modifying Nginx and OpenSSL and building the OpenSesame feature on top of them, ArvanCloud performs the private-key operation remotely, without ever receiving the private key from the client.
OpenSesame establishes a secure, authenticated connection between ArvanCloud's edge servers and the client's origin server; the private key stays on the client's side and is never shared with ArvanCloud's edge servers or anyone else.

Here's how the OpenSesame feature works:

1. The visitor is routed to the closest ArvanCloud edge server via Anycast and, during the handshake, sends the edge server a pre-master secret encrypted with the public key from the site's certificate.

2. The edge server forwards this encrypted message, together with its own certificate, to the client's origin server over a secure tunnel. The origin server authenticates the ArvanCloud edge server, decrypts the message with the private key to recover the pre-master secret, and returns the pre-master secret to the edge server through the same tunnel.

3. The edge server now holds the pre-master secret and can derive the session keys; the secure connection between the edge server and the visitor is then completed.
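To make the three steps concrete, here is an added simulation of the RSA key-exchange flow they describe. It is written for this page and is not ArvanCloud's Nginx/OpenSSL code: the class names, the edge-identity allow-list that stands in for authenticating the edge on the tunnel, the toy RSA key generation, and the TLS 1.2 PRF used to turn the pre-master secret into the master secret are all assumptions. The client encrypts a pre-master secret to the certificate's public key, the edge forwards it to the key server, and only the key server ever holds the private key; the key server also follows the RFC 5246 rule of returning a random pre-master secret on a padding or version failure rather than reporting it, so that it cannot be used as a Bleichenbacher-style padding oracle. Note that the steps above describe the RSA key exchange; with an (EC)DHE cipher suite, the operation delegated to the key server would be a signature over the key-exchange parameters instead of a decryption.

```python
import hashlib, hmac, os, secrets

# ---- Toy RSA with PKCS#1 v1.5 encryption padding, used only to simulate the handshake ----
def _is_probable_prime(n, rounds=32):  # Miller-Rabin after a little trial division
    if n < 2 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits=1024):  # returns ((n, e), (n, d)); the private half goes only to the key server
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def pkcs1_v15_encrypt(pub, msg):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))  # non-zero padding bytes
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def pkcs1_v15_decrypt(priv, ct):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return em[em.index(b"\x00", 2) + 1:]

# ---- TLS 1.2 PRF (RFC 5246 section 5); client and edge both derive the master secret with it ----
def tls12_prf(secret, label, seed, length):
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]

def master_secret(pre_master, client_random, server_random):
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)

class KeyServer:  # runs at the customer's origin; the only party that ever holds the private key
    def __init__(self, priv, allowed_edges):
        self._priv = priv
        self._allowed = set(allowed_edges)  # stands in for checking the edge's certificate on the tunnel (assumed)

    def decrypt_premaster(self, edge_id, encrypted_pms, client_version=b"\x03\x03"):
        if edge_id not in self._allowed:
            raise PermissionError("tunnel peer not authorized: " + edge_id)
        try:
            pms = pkcs1_v15_decrypt(self._priv, encrypted_pms)
            if len(pms) != 48 or pms[:2] != client_version:
                raise ValueError("bad pre-master secret")
        except ValueError:
            # RFC 5246 7.4.7.1: never report padding/version failures (Bleichenbacher oracle);
            # return a random pre-master so the handshake fails later at Finished instead.
            pms = os.urandom(48)
        return pms

class EdgeServer:  # holds only the certificate's public key; delegates the private-key operation
    def __init__(self, edge_id, pub, key_server):
        self.edge_id, self.pub, self.key_server = edge_id, pub, key_server

    def handshake(self, client_random, server_random, encrypted_pms):
        pms = self.key_server.decrypt_premaster(self.edge_id, encrypted_pms)  # step 2: over the tunnel
        return master_secret(pms, client_random, server_random)  # step 3: session keys derive from this

def client_handshake(pub, client_random, server_random):  # step 1: visitor encrypts a fresh pre-master secret
    pms = b"\x03\x03" + os.urandom(46)
    return pkcs1_v15_encrypt(pub, pms), master_secret(pms, client_random, server_random)

def run_demo():
    pub, priv = rsa_keygen(1024)
    key_server = KeyServer(priv, allowed_edges={"edge-fra-01"})  # constructed edge identity
    edge = EdgeServer("edge-fra-01", pub, key_server)
    cr, sr = os.urandom(32), os.urandom(32)
    enc_pms, client_ms = client_handshake(pub, cr, sr)
    result = {"keys_match": edge.handshake(cr, sr, enc_pms) == client_ms,
              "edge_holds_private_key": priv in vars(edge).values()}
    try:  # an edge the key server does not recognise on the tunnel gets nothing
        EdgeServer("edge-unknown", pub, key_server).handshake(cr, sr, enc_pms)
        result["rogue_rejected"] = False
    except PermissionError:
        result["rogue_rejected"] = True
    tampered = enc_pms[:-1] + bytes([enc_pms[-1] ^ 0x01])  # altered ciphertext: wrong key, no oracle
    result["tampered_mismatch"] = edge.handshake(cr, sr, tampered) != client_ms
    return result
```

`run_demo()` shows the property the page is selling: the edge derives the same master secret as the visitor while `vars(edge)` never contains the private key, an unknown edge identity is refused by the key server, and a tampered ciphertext yields a mismatched key rather than a distinguishable error. In a deployment, the "allowed edges" check is the authentication of the edge's certificate on the tunnel, and the key server should additionally rate-limit and log decrypt requests, since anyone who can reach it over the tunnel can ask it to use the key.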


The Highest Speed is Guaranteed

ArvanCloud accelerates websites and gets online content to users in the shortest possible time. This also holds for websites that use OpenSesame.
In other words, a website that uses OpenSesame should load as fast as one that does not use the feature. The geographical distribution of ArvanCloud's servers across data centers makes this possible. As the diagram below shows, without CDN services every request from anywhere in the world travels to the website's origin server, and the geographical distance between the user and that origin server largely determines how quickly, or how slowly, the content arrives.

[Figure: SSL connection without ArvanCloud, every visitor connecting directly to the origin server]

Using CDN services distributes website content across ArvanCloud's edge servers in various data centers, so each user's request is answered from the data center nearest to them, which cuts latency considerably.

The same holds with OpenSesame: visitors connect to ArvanCloud edge servers instead of the origin server and receive their responses from the nearest data center. The only extra latency is the exchange between the ArvanCloud edge server and the website's origin server during the TLS handshake.

[Figure: SSL connection with ArvanCloud, visitors connecting to the nearest ArvanCloud edge server, which talks to the origin server]

As illustrated above, without ArvanCloud CDN the round trips of the TLS handshake all run between the visitor and the website's distant origin server. With OpenSesame, the visitor's connection is set up with a nearby ArvanCloud edge server, and the only long-distance leg is a single round trip between the edge server and the origin server, which keeps the time to reach the website's content short.

That single round trip is possible because of the persistent connection between ArvanCloud's edge server and the website's origin server: the edge server keeps this connection open after it is first established and reuses it for subsequent handshakes.