Untitled

MinimaLT: Minimal-latency Networking Through Better Security

W. Michael Petullo Xu Zhang Jon A. Solworth Daniel J. Bernstein Tanja Lange

mike@flyn.org xzhang54@uic.edu solworth@rites.uic.edu djb@cr.yp.to tanja@hyperelliptic.orgUniversity of Illinois at Chicago TU EindhovenUSA Netherlands

ABSTRACT

Minimal Latency Tunneling (

MinimaLT

) is a new net-work protocol that provides ubiquitous encryption for max-imal confidentiality, including protecting packet headers.

MinimaLT

provides server and user authentication, exten-sive Denial-of-Service protections, and IP mobility while ap-proaching perfect forward secrecy. We describe the proto-col, demonstrate its performance relative to TLS and unen-crypted TCP/IP, and analyze its protections, including itsresilience against DoS attacks [56]. By exploiting the prop-erties of its cryptographic protections,

MinimaLT

is able toeliminate three-way handshakes and thus create connectionsfaster than unencrypted TCP/IP.

1 Introduction

Our goal is to protect

all 

networking against eavesdropping,modification, and, to the extent possible, Denial of Ser-vice (DoS). To achieve this goal, networking must protectprivacy, perform well, provide strong (i.e., cryptographic)authentication, and be easy to configure. These needs arenot met by existing protocols.Hardware and software improvements have eliminated his-torical cryptographic performance bottlenecks. Now, strongsymmetric encryption can be performed on a single CPUcore at Gb/s rates [45], even on resource-constrained mobiledevices [13]. Public-key cryptography, once so agonizinglyslow that systems would try to simulate it with symmetrickey cryptography [43], is now performed at tens of thousandsof operations per second on commodity CPUs. But one per-formance parameter is a fundamental limitation—networklatency [33]. Latency is critical for users [58]. For example,Google found that a 500ms latency increase resulted in a25% dropoff in page searches, and studies have shown thatuser experience degrades when interfaces incur latencies assmall as 100ms [17]. This has prompted several efforts toreduce TCP and TLS latency [18, 46, 44, 53, 59].We describe here

MinimaLT

, a secure network protocolwhich delivers protected data on the first packet of a typ-ical client-server connection.

MinimaLT

provides substan-tial protections and is extraordinarily simple to configureand use. In particular, it provides cryptographic authenti-cation of servers and users; encryption of communication;simplicity of protocol, implementation, and configuration;clean IP-address mobility; and DoS protections.

MinimaLT

’s design intentionally crosses network layers.It does so for two reasons: First, security problems oftenoccur in the seams between layers. For example, TransportLayer Security (TLS) is unable to protect against attacks onTCP/IP headers due to its layering; RST and sequence num-ber attacks interrupt TLS connections in such a way that isdifficult to correct or even detect [23, 4, 62]. Second, multi-layer design enables

MinimaLT

to improve performance.Particularly challenging has been to provide Perfect For-ward Secrecy (PFS) at low latency. PFS means that evenan attacker who captures network traffic and later obtainsall long-term private keys cannot decrypt past packets oridentify the parties involved in communication. Tradition-ally, using Diffie-Hellman key exchange (DH) to achievePFS requires a round trip before sending any sensitivedata.

MinimaLT

eliminates this roundtrip, instead re-ceiving the server’s ephemeral key during a directory ser-vice lookup (

§

4.3.1). To establish connection liveness—necessary only if the connection is inactive and the serveris running out of memory—we invert the normal mandatorystart-of-connection handshake and replace it with an only-when-needed server-originated handshake (

§

4.3.4). Elimi-nating roundtrips makes

MinimaLT

faster than unencrypted TCP/IP at establishing connections 

.A second challenge is to make connections portableacross IP addresses to better support mobile computing.

MinimaLT

allows you to start a connection from home,travel to work, and continue to use that connection. Thisavoids application recovery overhead and lost work for op-erations which would otherwise be interrupted by a move.

MinimaLT

IP mobility does not require intermediary hostsor redirects, allowing it to integrate cleanly into protocolprocessing (

§

4.3.3). To provide better privacy,

MinimaLT

blinds third parties to IP-address portability to prevent link-ing a connection across different IP addresses.A third challenge is DoS. A single host cannot thwart anattacker with overwhelming resources [36], but

MinimaLT

protects against attackers with fewer resources. In particu-lar,

MinimaLT

dynamically increases the ratio of client (i.e.,attacker) to server resources needed for a successful attack.

MinimaLT

deploys a variety of defenses to maintain propor-tional resource usage between a client and server (

§

5.3).A fourth challenge is authentication and authorization.Experience indicates that network-based password authen-tication is fraught with security problems [34, 57, 47, 16],and that cryptographic authentication is needed. Ourauthentication framework supports both identified andnon-identified (pseudonym) users (

§

4.1.1). We designed

MinimaLT

to integrate into systems with strong authoriza-tion controls.To meet these challenges, we have done a clean-slate de-sign, starting from User Datagram Protocol (UDP), andconcurrently considering multiple network layers. We foundan unexpected synergy between speed and security. The rea-son that the Internet uses higher-latency protocols is that,historically, low-latency protocols such as T/TCP have al-lowed such severe attacks [18] as to make them undeployable.It turns out that providing strong authentication elsewherein the protocol stops all such attacks without adding latency.In short,

MinimaLT

provides the features of TCP/IP (re-liability, flow control, and congestion control), and addsin encryption, authentication, clean IP mobility, and DoSprotections, all while preserving PFS and reducing latencycosts. We describe

MinimaLT

and its implementation here.In

§

2 we describe related work,

§

3 describes our threatmodel,

§

4 describes the design, and

§

5 provides an evalu-