DOI: 10.1145/2508859.2516737
Research article, open access

MinimaLT: minimal-latency networking through better security

Published: 04 November 2013

Abstract

    MinimaLT is a new network protocol that provides ubiquitous encryption for maximal confidentiality, including protecting packet headers. MinimaLT provides server and user authentication, extensive Denial-of-Service protections, privacy-preserving IP mobility, and fast key erasure. We describe the protocol, demonstrate its performance relative to TLS and unencrypted TCP/IP, and analyze its protections, including its resilience against DoS attacks. By exploiting the properties of its cryptographic protections, MinimaLT is able to eliminate three-way handshakes and thus create connections faster than unencrypted TCP/IP.



      Published In

      CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
      November 2013
      1530 pages
      ISBN: 9781450324779
      DOI: 10.1145/2508859
      Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. authentication
      2. encryption
      3. network security
      4. protocol

      Qualifiers

      • Research-article

      Conference

      CCS'13

      Acceptance Rates

      CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;
      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


      • Downloads (last 12 months): 207
      • Downloads (last 6 weeks): 32

      Cited By

      • (2018) nQUIC. Proceedings of the Workshop on the Evolution, Performance, and Interoperability of QUIC, pages 22-28. DOI: 10.1145/3284850.3284854. Online publication date: 4-Dec-2018.
      • (2018) The KISS Principle in Software-Defined Networking: A Framework for Secure Communications. IEEE Security & Privacy, 16:5, pages 60-70. DOI: 10.1109/MSP.2018.3761717. Online publication date: Sep-2018.
      • (2018) O²TR: Offline Off-the-Record (OTR) Messaging. Information Security Applications, pages 61-71. DOI: 10.1007/978-3-319-93563-8_6. Online publication date: 23-Jun-2018.
      • (2017) Large-scale scanning of TCP's initial window. Proceedings of the 2017 Internet Measurement Conference, pages 304-310. DOI: 10.1145/3131365.3131370. Online publication date: 1-Nov-2017.
      • (2017) The QUIC Transport Protocol. Proceedings of the Conference of the ACM Special Interest Group on Data Communication, pages 183-196. DOI: 10.1145/3098822.3098842. Online publication date: 7-Aug-2017.
      • (2017) Innovating Transport with QUIC. IEEE Internet Computing, 21:2, pages 72-76. DOI: 10.1109/MIC.2017.44. Online publication date: 1-Mar-2017.
      • (2017) Evaluation of a formalized encryption library for safety-critical embedded systems. 2017 IEEE International Conference on Industrial Technology (ICIT), pages 1153-1158. DOI: 10.1109/ICIT.2017.7915525. Online publication date: Mar-2017.
      • (2017) Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates. 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pages 60-75. DOI: 10.1109/EuroSP.2017.18. Online publication date: Apr-2017.
      • (2017) 0-RTT Key Exchange with Full Forward Secrecy. Advances in Cryptology – EUROCRYPT 2017, pages 519-548. DOI: 10.1007/978-3-319-56617-7_18. Online publication date: 1-Apr-2017.
      • (2016) Source Accountability with Domain-brokered Privacy. Proceedings of the 12th International on Conference on emerging Networking EXperiments and Technologies, pages 345-358. DOI: 10.1145/2999572.2999581. Online publication date: 6-Dec-2016.
