MinimaLT: minimal-latency networking through better security

MinimaLT is a new network protocol that provides ubiquitous encryption for maximal confidentiality, including protecting packet headers. MinimaLT provides server and user authentication, extensive Denial-of-Service protections, privacy-preserving IP mobility, and fast key erasure. We describe the protocol, demonstrate its performance relative to TLS and unencrypted TCP/IP, and analyze its protections, including its resilience against DoS attacks. By exploiting the properties of its cryptographic protections, MinimaLT is able to eliminate three way handshakes and thus create connections faster than unencrypted TCP/IP.

[1]  Elaine B. Barker,et al.  SP 800-57. Recommendation for Key Management, Part 1: General (revised) , 2007 .

[2]  Daniel J. Bernstein,et al.  The Salsa20 Family of Stream Ciphers , 2008, The eSTREAM Finalists.

[3]  William E. Burr,et al.  Recommendation for Key Management, Part 1: General (Revision 3) , 2006 .

[4]  Tanja Lange,et al.  The Security Impact of a New Cryptographic Library , 2012, LATINCRYPT.

[5]  Stephen Smalley,et al.  Integrating Flexible Support for Security Policies into the Linux Operating System , 2001, USENIX Annual Technical Conference, FREENIX Track.

[6]  Randall R. Stewart,et al.  Stream Control Transmission Protocol , 2000, RFC.

[7]  Adam Langley,et al.  Transport Layer Security (TLS) Snap Start , 2010 .

[8]  Dan Boneh,et al.  The Case for Prefetching and Prevalidating TLS Server Certificates , 2012, NDSS.

[9]  Steven M. Bellovin,et al.  Implementing Pushback: Router-Based Defense Against DDoS Attacks , 2002, NDSS.

[10]  Angelos D. Keromytis,et al.  Implementing a distributed firewall , 2000, CCS.

[11]  Collin Jackson,et al.  Forcehttps: protecting high-security web sites from network attacks , 2008, WWW.

[12]  Andrew Birrell,et al.  Implementing remote procedure calls , 1984, TOCS.

[13]  Charlie Kaufman,et al.  Internet Key Exchange (IKEv2) Protocol , 2005, RFC.

[14]  Daniel J. Bernstein,et al.  Curve25519: New Diffie-Hellman Speed Records , 2006, Public Key Cryptography.

[15]  Daniel J. Bernstein,et al.  The Poly1305-AES Message-Authentication Code , 2005, FSE.

[16]  Tibor Jager,et al.  On the Security of TLS-DHE in the Standard Model , 2012, CRYPTO.

[17]  Kenneth G. Paterson,et al.  Lucky Thirteen: Breaking the TLS and DTLS Record Protocols , 2013, 2013 IEEE Symposium on Security and Privacy.

[18]  Brian Neil Levine,et al.  Inferring the source of encrypted HTTP connections , 2006, CCS '06.

[19]  Eric Rescorla,et al.  Datagram Transport Layer Security Version 1.2 , 2012, RFC.

[20]  Jock D. Mackinlay,et al.  The information visualizer, an information workspace , 1991, CHI.

[21]  Clay Shields,et al.  What do we mean by Network Denial of Service , 2002 .

[22]  Peter Schwabe,et al.  NEON Crypto , 2012, CHES.

[23]  Sally Floyd,et al.  Congestion Control Principles , 2000, RFC.

[24]  Angelos D. Keromytis,et al.  The STRONGMAN architecture , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[25]  Jon A. Solworth,et al.  sayI : Trusted User Authentication at Internet Scale , 2013 .

[26]  S. Schoen Packet Forgery By ISPs : A Report On The Comcast Affair , 2007 .

[27]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[28]  Elaine B. Barker Recommendation for Key Management - Part 1 General , 2014 .

[29]  Mark Handley,et al.  The Case for Ubiquitous Transport-Level Encryption , 2010, USENIX Security Symposium.

[30]  John R. Douceur,et al.  The Sybil Attack , 2002, IPTPS.

[31]  Bernd Freisleben,et al.  Why eve and mallory love android: an analysis of android SSL (in)security , 2012, CCS.

[32]  Bryan Ford,et al.  Structured streams: a new transport abstraction , 2007, SIGCOMM '07.

[33]  Jon A. Solworth,et al.  Digital identity security architecture in Ethos , 2011, DIM '11.

[34]  Jon A. Solworth,et al.  Simple-to-use, Secure-by-design Networking in Ethos , 2013 .

[35]  Bryan Ford Directions in Internet Transport Evolution , 2008 .

[36]  Ari Juels,et al.  $evwu Dfw , 1998 .

[37]  Angelos D. Keromytis,et al.  Just fast keying: Key agreement in a hostile internet , 2004, TSEC.

[38]  Jun Murai,et al.  Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications , 2007, SIGCOMM 2007.

[39]  Yuchung Cheng,et al.  TCP fast open , 2011, CoNEXT '11.

[40]  Marco de Vivo,et al.  Internet vulnerabilities related to TCP/IP and T/TCP , 1999, CCRV.

[41]  Vitaly Shmatikov,et al.  The most dangerous code in the world: validating SSL certificates in non-browser software , 2012, CCS.

[42]  Thomas Weigold,et al.  Secure Internet banking authentication , 2006, IEEE Security & Privacy.

[43]  Vincent Rijmen,et al.  The eSTREAM Portfolio , 2008 .

[44]  J Gettys,et al.  Bufferbloat: Dark Buffers in the Internet , 2011, IEEE Internet Computing.

[45]  Frank Stajano,et al.  The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes , 2012, 2012 IEEE Symposium on Security and Privacy.

[46]  Julien Freudiger,et al.  The Inconvenient Truth about Web Certificates , 2011, WEIS.

[47]  櫻井 幸一,et al.  BS-5-7 Preliminary Insight into Distributed SSH Brute Force Attacks , 2008 .

[48]  Dawn Xiaodong Song,et al.  Timing Analysis of Keystrokes and Timing Attacks on SSH , 2001, USENIX Security Symposium.

[49]  Kenneth G. Paterson,et al.  Non-Interactive Key Exchange , 2012, IACR Cryptol. ePrint Arch..

[50]  Katerina J. Argyraki,et al.  Loss and Delay Accountability for the Internet , 2007, 2007 IEEE International Conference on Network Protocols.

[51]  B. Lampson,et al.  Authentication in distributed systems: theory and practice , 1991, TOCS.

[52]  Vern Paxson,et al.  Detecting Forged TCP Reset Packets , 2009, NDSS.

[53]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[54]  Martín Abadi,et al.  Authentication in the Taos operating system , 1994, TOCS.

[55]  James E. White A high-level framework for network-based resource sharing , 1976, AFIPS '76.

[56]  Jon A. Solworth,et al.  Authentication in Ethos , 2013 .

[57]  Ronald L. Rivest,et al.  SDSI - A Simple Distributed Security Infrastructure , 1996 .

[58]  David A. McGrew,et al.  An Interface and Algorithms for Authenticated Encryption , 2008, RFC.

[59]  Krishna P. Gummadi,et al.  King: estimating latency between arbitrary internet end hosts , 2002, IMW '02.

[60]  Paul Francis,et al.  The IP Network Address Translator (NAT) , 1994, RFC.