DIY Internet with
MinimaLT
Low-latency secure networking
JSConf.EU 2013
Andy Wingo
wingo@igalia.com
Compiler hacker at Igalia
Recently: ES6 generators in V8, SpiderMonkey
(sponsored by Bloomberg)
Not a cry...
You are here
Context: Militarization of daily life
Generals peeping on your web searches
Read the wrong things and they se...
what’s he building in there?
what’s he building in there?
He has subscriptions to those RSS feeds
And he’s been tweeting about MinimaLT
We’re in his ro...
Solution?
Smash the state!
Meanwhile, let’s not make it easy for the NSA
HTTPS vs...
Attack vectors:
❧ Cryptanalysis (RC4)
❧ MITM via rogue certificates (DigiNotar &c)
❧ Use JavaScript! CRIME, BE...
HTTPS vs...
Attack vectors:
❧ Cryptanalysis (RC4)
❧ MITM via rogue certificates (DigiNotar &c)
❧ Use JavaScript! CRIME, BE...
HTTPS vs HTTP
“Cryptography that is not actually used can be
viewed as the ultimate disaster” – DJB
competitions.cr.yp.to/...
HTTPS vs HTTP
“Cryptography that is not actually used can be
viewed as the ultimate disaster” – DJB
competitions.cr.yp.to/...
HTTPS vs HTTP
“Cryptography that is not actually used can be
viewed as the ultimate disaster” – DJB
competitions.cr.yp.to/...
HTTPS vs HTTP
“Cryptography that is not actually used can be
viewed as the ultimate disaster” – DJB
competitions.cr.yp.to/...
Anatomy of a GET
000.00

→ www.gnu.org

TCP

SYN

Visiting http://www.gnu.org/ over French
wired ADSL.
Anatomy of a GET
000.00
130.50

→ www.gnu.org
← www.gnu.org

TCP
TCP

SYN
SYN/ACK

130 ms RTT, ~65ms latency.
Remote serve...
Anatomy of a GET
000.00
130.50
130.78

→ www.gnu.org
← www.gnu.org
→ www.gnu.org

TCP
TCP
HTTP

The GET is delayed by 130 ...
Anatomy of a GET
000.00
130.50
130.78
278.00

→
←
→
←

www.gnu.org
www.gnu.org
www.gnu.org
www.gnu.org

TCP
TCP
HTTP
TCP

...
Anatomy of a GET
000.00
130.50
130.78
278.00
282.00

→
←
→
←
→

www.gnu.org
www.gnu.org
www.gnu.org
www.gnu.org
www.gnu.or...
Anatomy of a GET
000.00
130.50
130.78
278.00
282.00
410.71

→
←
→
←
→
←

www.gnu.org
www.gnu.org
www.gnu.org
www.gnu.org
w...
Anatomy of a GET
000.00
130.50
130.78
278.00
282.00
410.71
414.85

→
←
→
←
→
←
→

www.gnu.org
www.gnu.org
www.gnu.org
www....
HTTPS sadness
000.00

→ www.gnu.org

TCP

SYN
HTTPS sadness
000.00
129.91
130.46

→ www.gnu.org
← www.gnu.org
→ www.gnu.org

TCP
TCP
TLS

SYN
SYN/ACK
Client Hello
HTTPS sadness
000.00
129.91
130.46
266.13
267.08
267.73

→
←
→
←
←
→

www.gnu.org
www.gnu.org
www.gnu.org
www.gnu.org
www....
HTTPS sadness
000.00
129.91
130.46
266.13
267.08
267.73
449.06
449.10

→
←
→
←
←
→
←
→

www.gnu.org
www.gnu.org
www.gnu.or...
HTTPS sadness
000.00
129.91
130.46
266.13
267.08
267.73
449.06
449.10
580.28
583.72

→
←
→
←
←
→
←
→
←
→

www.gnu.org
www....
HTTPS sadness
000.00
129.91
130.46
266.13
267.08
267.73
449.06
449.10
580.28
583.72
764.97

→
←
→
←
←
→
←
→
←
→
←

www.gnu...
MinimaLT, a low-latency
networking protocol
“properly implemented, strong crypto”
... that connects faster than TCP
SYN/AC...
Properly implemented, strong
crypto
Uses high-level NaCl library from @hashbreaker
and @hyperelliptic
Avoids many HTTPS/TL...
Minimal latency
1 round trip if you need “DNS” lookup
0 otherwise
Persistent tunnels
Tunnels can migrate over IP changes –...
A protocol for today’s internet
UDP-based
Reliable: replaces TCP + TLS
Denial-of-Service (DoS) resistance
Low overhead, sc...
Tunnels and connections
Tunnels multiplex connections
Connection 0 is the control connection
❧ flow control
❧ connection c...
Wire protocol
c
l
e
a
r
c
y
p
h
e
r

+----------------------+
| Ethernet, IP, UDP
|
|----------------------|
| Tunnel ID, ...
Crypto
NaCl “box”:
+------------+ C'→S'
| Cyphertext |
n
+------------+

Tunnel ID (TID): a random 64-bit number,
provided...
How to get server’s public key?
TLS:
❧ Client knows address of DNS provider
❧ DNS gives server address (maybe)
❧ Client co...
How to get server’s public key?
MinimaLT:
❧ Client knows address, long-term key of
Directory Service
❧ Server registers ad...
Directory server protocol
At first lookup of any name, or at boot:
❧ 1 round-trip to fetch DS’s ephemeral key
To look up a...
Performance
The “expensive” part: establishing the shared
secret via Curve25519, which happens when
tunnels are created.
❧...
Denial-of-Service
Why is MinimaLT able to avoid 3-way
handshake?
❧ A server can slow down clients arbitrarily
using puzzle...
Amplification vs latency?
In general, response can be larger than the
request (e.g. HTTP GET)
Does the client IP (spoofabl...
Faster than TCP
0RT connects faster than TCP at any latency
above 0.5 ms (150 km)
Always faster than OpenSSL
At 64ms laten...
Project status
University of Illinois at Chicago research project
(Jon Solworth)
Very 2013
Ethos, new Xen-based OS
❧ Secur...
MinimaLT: remote IPC for
Ethos
res := <-Ipc("example.com", "http",
"GET", "/")
res := <-Ipc("example.com", "foo",
&Foo{bar...
And POSIX?
Ongoing work to make a shared library; expect
it out shortly
minimalt_connection*
minimalt_connect_and_write
(c...
And JavaScript?? :)
Upcoming: Libuv integration, and from there to
Node
❧ MinimaLT needs an event loop running,
somehow
Pu...
On the front lines
Bandwidth goes up, but latency stays the same.
There is demand for privacy at low latency:
demand for a...
Go forth and hack!
MinimaLT @ ACM CCS 2013 – Here (Berlin) in
Nov.
SYN/ACK – Just say no!
@andywingo for slides, upcoming ...
Upcoming SlideShare
Loading in …5
×

DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)

1,939 views

Published on

By Andy Wingo.

Refreshing your Twitter feed is such a drag over 3G, taking forever to connect and fetch those precious kilobytes. The reasons for this go deep into the architecture of the internet: making an HTTPS connection simply has terrible latency.

So let’s fix the internet! MinimaLT is an exciting new network protocol that connects faster than TCP, is more secure than TLS (crypto by DJ Bernstein), and allows mobile devices to keep connections open as they change IP addresses. This talk presents the MinimaLT protocol and a Node library that allows JS hackers to experimentally build a new Internet.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,939
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
3
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)

  1. 1. DIY Internet with MinimaLT Low-latency secure networking JSConf.EU 2013 Andy Wingo
  2. 2. wingo@igalia.com Compiler hacker at Igalia Recently: ES6 generators in V8, SpiderMonkey (sponsored by Bloomberg) Not a cryptographer This talk is for folks that deploy both endpoints, for cryptonerds, and for early-stage tinkerers
  3. 3. You are here Context: Militarization of daily life Generals peeping on your web searches Read the wrong things and they send the SWAT team
  4. 4. what’s he building in there?
  5. 5. what’s he building in there? He has subscriptions to those RSS feeds And he’s been tweeting about MinimaLT We’re in his router, and his mobile phone You won’t believe what we got from the drone What’s he building in there? What the hell is he building in there? We have a right to know
  6. 6. Solution? Smash the state! Meanwhile, let’s not make it easy for the NSA
  7. 7. HTTPS vs... Attack vectors: ❧ Cryptanalysis (RC4) ❧ MITM via rogue certificates (DigiNotar &c) ❧ Use JavaScript! CRIME, BEAST, ... ❧ Backdoors in TLS implementations (Windows?)
  8. 8. HTTPS vs... Attack vectors: ❧ Cryptanalysis (RC4) ❧ MITM via rogue certificates (DigiNotar &c) ❧ Use JavaScript! CRIME, BEAST, ... ❧ Backdoors in TLS implementations (Windows?) ❧ HTTP
  9. 9. HTTPS vs HTTP “Cryptography that is not actually used can be viewed as the ultimate disaster” – DJB competitions.cr.yp.to/disasters.html How many of you...
  10. 10. HTTPS vs HTTP “Cryptography that is not actually used can be viewed as the ultimate disaster” – DJB competitions.cr.yp.to/disasters.html How many of you... ❧ use EFF’s “HTTPS everywhere” extension?
  11. 11. HTTPS vs HTTP “Cryptography that is not actually used can be viewed as the ultimate disaster” – DJB competitions.cr.yp.to/disasters.html How many of you... ❧ use EFF’s “HTTPS everywhere” extension? ❧ never use plain HTTP with Google?
  12. 12. HTTPS vs HTTP “Cryptography that is not actually used can be viewed as the ultimate disaster” – DJB competitions.cr.yp.to/disasters.html How many of you... ❧ use EFF’s “HTTPS everywhere” extension? ❧ never use plain HTTP with Google? There is a reason for this
  13. 13. Anatomy of a GET 000.00 → www.gnu.org TCP SYN Visiting http://www.gnu.org/ over French wired ADSL.
  14. 14. Anatomy of a GET 000.00 130.50 → www.gnu.org ← www.gnu.org TCP TCP SYN SYN/ACK 130 ms RTT, ~65ms latency. Remote server hosted in Boston, ~4000 miles away. 4000 miles is 22 light-milliseconds.
  15. 15. Anatomy of a GET 000.00 130.50 130.78 → www.gnu.org ← www.gnu.org → www.gnu.org TCP TCP HTTP The GET is delayed by 130 ms. SYN SYN/ACK GET /
  16. 16. Anatomy of a GET 000.00 130.50 130.78 278.00 → ← → ← www.gnu.org www.gnu.org www.gnu.org www.gnu.org TCP TCP HTTP TCP SYN SYN/ACK GET / [begin] Begin receiving response. Early parsing.
  17. 17. Anatomy of a GET 000.00 130.50 130.78 278.00 282.00 → ← → ← → www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org TCP TCP HTTP TCP TCP SYN SYN/ACK GET / [begin] SYN x 3 Kick off more connections for parallel fetch.
  18. 18. Anatomy of a GET 000.00 130.50 130.78 278.00 282.00 410.71 → ← → ← → ← www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org TCP TCP HTTP TCP TCP HTTP SYN SYN/ACK GET / [begin] SYN x 3 200 OK Total: 7108 bytes over 411 milliseconds.
  19. 19. Anatomy of a GET 000.00 130.50 130.78 278.00 282.00 410.71 414.85 → ← → ← → ← → www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org TCP TCP HTTP TCP TCP HTTP TCP SYN SYN/ACK GET / [begin] SYN x 3 200 OK SYN/ACK x 3 Initial round-trip kills parallel fetch :-(
  20. 20. HTTPS sadness 000.00 → www.gnu.org TCP SYN
  21. 21. HTTPS sadness 000.00 129.91 130.46 → www.gnu.org ← www.gnu.org → www.gnu.org TCP TCP TLS SYN SYN/ACK Client Hello
  22. 22. HTTPS sadness 000.00 129.91 130.46 266.13 267.08 267.73 → ← → ← ← → www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org TCP TCP TLS TLS TLS TLS SYN SYN/ACK Client Hello Server Hello Certificate Key Exchange
  23. 23. HTTPS sadness 000.00 129.91 130.46 266.13 267.08 267.73 449.06 449.10 → ← → ← ← → ← → www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org TCP TCP TLS TLS TLS TLS TCP TLS SYN SYN/ACK Client Hello Server Hello Certificate Key Exchange ACK (???) Change Cipher
  24. 24. HTTPS sadness 000.00 129.91 130.46 266.13 267.08 267.73 449.06 449.10 580.28 583.72 → ← → ← ← → ← → ← → www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org TCP TCP TLS TLS TLS TLS TCP TLS TLS HTTPS SYN SYN/ACK Client Hello Server Hello Certificate Key Exchange ACK (???) Change Cipher Change Cipher GET /
  25. 25. HTTPS sadness 000.00 129.91 130.46 266.13 267.08 267.73 449.06 449.10 580.28 583.72 764.97 → ← → ← ← → ← → ← → ← www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org TCP TCP TLS TLS TLS TLS TCP TLS TLS HTTPS HTTPS ... and then the CSS, the JS, ... SYN SYN/ACK Client Hello Server Hello Certificate Key Exchange ACK (???) Change Cipher Change Cipher GET / 200 OK
  26. 26. MinimaLT, a low-latency networking protocol “properly implemented, strong crypto” ... that connects faster than TCP SYN/ACK – Just say no!
  27. 27. Properly implemented, strong crypto Uses high-level NaCl library from @hashbreaker and @hyperelliptic Avoids many HTTPS/TLS pitfalls ❧ Well-chosen cyphers ❧ Timing-independent implementation ❧ No plaintext (HTTP) mode MinimaLT adds forward secrecy
  28. 28. Minimal latency 1 round trip if you need “DNS” lookup 0 otherwise Persistent tunnels Tunnels can migrate over IP changes – invisible to applications
  29. 29. A protocol for today’s internet UDP-based Reliable: replaces TCP + TLS Denial-of-Service (DoS) resistance Low overhead, scales to tens of Gb/s
  30. 30. Tunnels and connections Tunnels multiplex connections Connection 0 is the control connection ❧ flow control ❧ connection creation ❧ authentication (client certs) Multiple connections can proceed concurrently QUIC more advanced here in some ways
  31. 31. Wire protocol c l e a r c y p h e r +----------------------+ | Ethernet, IP, UDP | |----------------------| | Tunnel ID, Nonce | |----------------------| | Ephemeral public key | |======================| | Checksum | |----------------------| | Seq, Ack | |----------------------| | Payload | | ... | 42 bytes 16 bytes 32 bytes (first) 16 bytes 8 bytes
  32. 32. Crypto NaCl “box”: +------------+ C'→S' | Cyphertext | n +------------+ Tunnel ID (TID): a random 64-bit number, provided by client when creating the tunnel After first packet, TID looks up C'→S': the shared secret Protocol to change TID and evolve shared secret for forward security
  33. 33. How to get server’s public key? TLS: ❧ Client knows address of DNS provider ❧ DNS gives server address (maybe) ❧ Client connects to server, server provides certificate ❧ Client verifies cert. using public key infrastructure (PKI)
  34. 34. How to get server’s public key? MinimaLT: ❧ Client knows address, long-term key of Directory Service ❧ Server registers address, port, long-term public key and ephemeral public key with DS ❧ Client asks DS for server info, trusts DS Servers could register info in DNS records with suitably low TTL (TBD)
  35. 35. Directory server protocol At first lookup of any name, or at boot: ❧ 1 round-trip to fetch DS’s ephemeral key To look up a name: ❧ 1 round-trip using fresh ephemeral client key, DS’s ephemeral key Authenticated and encrypted
  36. 36. Performance The “expensive” part: establishing the shared secret via Curve25519, which happens when tunnels are created. ❧ 8000 connections/s/core on modern x86 ❧ ~750 connections/s/core on modern ARM (estimate) Afterwards, MinimaLT can saturate Gb/s links
  37. 37. Denial-of-Service Why is MinimaLT able to avoid 3-way handshake? ❧ A server can slow down clients arbitrarily using puzzles ❧ Clients may have to “mine for bitcoins” ❧ Puzzles can be sent at any point (tunnel GC) ❧ Pre-RT responses should be smaller than requests (hello DNSSEC)
  38. 38. Amplification vs latency? In general, response can be larger than the request (e.g. HTTP GET) Does the client IP (spoofable cleartext) correspond to the client request (authenticated, tamper-proof)? One round trip seems needed in general :-( Mitigated by long-term tunnels, multiplexed connections No worse than TCP
  39. 39. Faster than TCP 0RT connects faster than TCP at any latency above 0.5 ms (150 km) Always faster than OpenSSL At 64ms latency: 130ms full connection, request, response vs 516ms for OpenSSL Compare to 278ms for HTTP Tor-friendly
  40. 40. Project status University of Illinois at Chicago research project (Jon Solworth) Very 2013 Ethos, new Xen-based OS ❧ Security-focused ❧ Typed filesystem, typed IPC ❧ Written in C and Go http://ethos-os.org/ W. Michael Petullo doing MinimaLT
  41. 41. MinimaLT: remote IPC for Ethos res := <-Ipc("example.com", "http", "GET", "/") res := <-Ipc("example.com", "foo", &Foo{bar:42, baz:"qux"})
  42. 42. And POSIX? Ongoing work to make a shared library; expect it out shortly minimalt_connection* minimalt_connect_and_write (char *host, char *service, uint8_t *data, size_t count); Probably not RPC-based – type tools are a mess
  43. 43. And JavaScript?? :) Upcoming: Libuv integration, and from there to Node ❧ MinimaLT needs an event loop running, somehow Pure-JS reliability layer? ❧ Experiments in congestion control
  44. 44. On the front lines Bandwidth goes up, but latency stays the same. There is demand for privacy at low latency: demand for a new protocol.
  45. 45. Go forth and hack! MinimaLT @ ACM CCS 2013 – Here (Berlin) in Nov. SYN/ACK – Just say no! @andywingo for slides, upcoming lib release

×